Update — Though I chose to keep secret the identity of the defense contractor to limit the damage, it was subsequently revealed by Reuters to be Lockheed-Martin. There was one additional detail presented at the end of a story in Saturday’s New York Times.
Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA?” he asked, referring to how the RSA Data Security division of EMC had been hacked. “I suspect it was no more than a serial number, a seed, and possibly the key generation time. The algorithm has been known for years but unless they can match a seed to an account it is like having a key without knowing what lock it fits. That might simplify a brute force attack but first the attacker would need something to brute force…”
Well it didn’t take long for whoever cracked RSA to find a lock to fit that key.
Last weekend was bad for a very large U.S. defense contractor that uses SecurID tokens from RSA to provide two-factor authentication for remote VPN access to their corporate networks. Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecurID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.
It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.
The contractor’s data security folks saw this coming, though not well enough to stop it. Shortly after the RSA breach they began requiring a second password for remote logins. But that wouldn’t help against a key-logger attack.
The good news here is that the contractor was able to detect an intrusion and then did the right things to deal with it. A breach like this is very subtle and not easy to spot. There will be many aftershocks in the IT world from this incident.
But is this the only such instance of a major corporate network break-in? The very fact that we haven’t heard anything about this (I hadn’t, had you?) makes me think this probably ISN’T the first such network penetration from the recent RSA hack… or the last.
What if every RSA token has been compromised, everywhere?
“I have not seen anyone abandoning their investment yet,” said my friend back in March. “Most networks exchange token values over an encrypted channel anyway so the facade of security is still there. Until an attack succeeds (and how would you know?) the lemmings are complacent.”
Well an attack has succeeded, laying open who knows what national secrets?
The lemmings are now upset, or would be if they knew what you know now.
I guess now they do.
The easiest way to crack the VPN would be to break into the RSA server itself within the perimeter network. I have to wonder how well protected it was.
I also have to wonder if the PLA was involved in the RSA hack. It’s a piece that fits.
There is something very fishy that it is a defense contractor that got hacked this way. I suspect that a hostile foreign power is involved, and this is an attempt at industrial espionage. This attack is subtle and elegant, and took some planning.
I was trying to recall where I’d heard that ‘No more secrets’ line.
Robert Redford’s character in Sneakers: http://movieclips.com/sifU-sneakers-movie-no-more-secrets/
That’s where I stole the line from, yes. I met Robert Redford once — he’s completely covered in freckles.
And those freckles are covered in wrinkles.
And those freckles that are covered in wrinkles, are covered in freckles.
I thought the line was an anagram of Setec Astronomy — “Too Many Secrets”
I’ll be darned. It’s right after the scrabble game, thanks for the video clip.
More useful facts: The author’s surname is an anagram of glycerin; sweet tasting and of low toxicity.
Given the ubiquity of cameras built into laptop computers, don’t companies, like defense contractors with secret information on their systems, incorporate a little biometric validation with their VPN logins? Such a check could be repeated for each inquiry into sensitive files, recording and validating the person making the inquiry.
Defense Contractors do not keep Secret (or higher) information on *anything* that even *remotely* touches the internet.
Unless they happen to *like* Jail Time.
More likely it was “Competition Sensitive” stuff that was taken … or their Employees Vital Information (hey, your SSN is not a national secret).
I’d also like to point out that this was a “Security Paranoid” Defense Contractor — most DCs don’t use (or can’t afford) such high-tech options.
Celebrate your braveness and common sense.
@Agent Smith. No. It’s a defense contractor that *noticed* the hack. Perhaps a lot of other companies were also hacked, in less security-conscious industries, but they have not realized, or not admitted it.
That’s my feeling, too.
Otherwise you wouldn’t have anything to write about ! And a way to pay your bills !
Bob – I personally don’t think that RSA works this way. It is my understanding that the RSA server at each customer just has the serial number of the fobs to accept and it uses the serial number (printed on the back of the fob) and the time to calculate the password. Maybe there is a table in the RSA server that is encrypted that converts the serial number to an algorithm key and that was what was hacked…but if that is the case, there is no need to replace the fobs.
The fobs are not customized by RSA for each customer, they are generic and can be bought off eBay! Maybe the bad guys hacked EMC’s accounting system and found a list of the fob serial numbers associated with the customer which would be a huge breach of smarts to maintain that information. I would be shocked if EMC did that.
Curiouser and curiouser! Then we have a mystery on our hands, gang! Why would the enormous defense contractor need to replace all those fobs? Let’s split up and look for clues!
I was wondering about that, too.
It would seem to me that the reason to replace the fobs would be to replace the PRNG. If that’s the case, that’s a very, very big deal, for multiple reasons.
This is entirely speculation, of course.
I am not clear whether you have specific information of a breach at this contractor or whether you are assuming it because they are closing down and replacing all the SecurID tokens. Can you clarify?
Just as I wrote, there was a breach. How is that not clear? It has since been reported by Reuters, Bloomberg, and the New York Times. Reuters identified the company as Lockheed-Martin, which was correct.
I don’t see that as “what you wrote”. You wrote that remote access was disabled. This can be for any number of reasons, one of which is a breach or attempted breach. The breach attempt was confirmed elsewhere.
You can get them on eBay for less than $15 . . . very interesting . . .
Are they replacing the tokens with SecureID tokens from RSA, or with tokens from another vendor?
Remember, there’s a difference between what the security experts recommend and what management decides to do.
Check out:
https://groups.google.com/group/comp.security.misc/browse_thread/thread/e00fa564dc6aba5a?hl=en&pli=1
3rd post down from Vin McLellan. (Thanks to http://paulsparrows.wordpress.com/2011/04/10/some-random-thoughts-on-rsa-breach/ for the pointer).
It would SEEM that maybe said defense contractor is just finally getting around to upgrading to 128 bit AES keys from the previous 64 bit ones.
Dug Song below has a very probable attack vector, however…
RSA tokens (and other similar devices) all have a secret ‘seed’ stored in the device; the seed is the value actually used – along with the time – to generate codes. The seed should be known only to the token and the authentication server.
The seed is not the same as the serial number. This is important. With the algorithm known, all you need to generate codes is the seed. You wouldn’t want an attacker to be able to compromise your token just by discreetly snapping a photo of it. Then, your token would be little better than a password written on a scrap of paper in your pocket.
However, as mentioned, some speculate that EMC may have kept a database mapping every serial number to its secret seed, and that this database may have been stolen. By itself, this would not be enough to gain access to anyone’s account, but it opens up many avenues of attack. As mentioned, figuring out a user’s serial number would be much easier than getting his/her seed, because the serial number is not designed to be “secret” information. Worse, if RSA sends out tokens in sequentially-numbered batches, compromising one user’s serial number might make it much easier to guess the rest.
For anyone sufficiently paranoid, this would be reason enough to replace tokens with new ones (whose seeds, presumably, have not been stolen).
Of course, all this is speculation.
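The seed/serial distinction described in the comment above, as an added example that is not part of the original comment and is not RSA's code. SecurID's algorithm is proprietary, so the public RFC 6238 TOTP construction stands in for it; the `TokenServer` class, the serial number and the seeds are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # length of the displayed code


def totp(seed: bytes, unix_time: int) -> str:
    """Code a token holding `seed` displays at `unix_time` (HMAC-SHA1)."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenServer:
    """Hypothetical validation server: the serial is only a lookup key,
    the seed stored against it is the actual secret."""

    def __init__(self):
        self._seeds = {}          # serial -> seed
        self._last_counter = {}   # serial -> last accepted time step

    def enroll(self, serial: str, seed: bytes) -> None:
        # Re-enrolling a serial with a fresh seed is the software analogue
        # of handing the user a replacement token.
        self._seeds[serial] = seed
        self._last_counter.pop(serial, None)

    def verify(self, serial: str, code: str, now: int, window: int = 1) -> bool:
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        current = now // STEP
        # Accept +/- `window` steps of clock drift, never a step already used.
        for counter in range(current - window, current + window + 1):
            if counter < 0 or counter <= self._last_counter.get(serial, -1):
                continue
            if hmac.compare_digest(totp(seed, counter * STEP), code):
                self._last_counter[serial] = counter
                return True
        return False


SERIAL = "000123456789"               # constructed serial number
OLD_SEED = b"12345678901234567890"    # RFC 6238 test seed, stands in for a token seed
NEW_SEED = b"constructed-new-seed"    # constructed replacement seed


def demo() -> dict:
    server = TokenServer()
    server.enroll(SERIAL, OLD_SEED)
    results = {}

    # The user's fob shows a code at t=59; the server sees it 16 s later.
    fob_code = totp(OLD_SEED, 59)
    results["fob_with_drift"] = server.verify(SERIAL, fob_code, 75)
    # A captured code (e.g. by a key-logger) cannot be replayed.
    results["replayed_code"] = server.verify(SERIAL, fob_code, 76)
    # The serial printed on the fob is not the seed and yields no valid code.
    results["serial_as_seed"] = server.verify(
        SERIAL, totp(SERIAL.encode(), 90), 90)
    # Any copy of the seed record produces codes the server cannot tell apart
    # from the fob's: this is why a leaked serial-to-seed database matters.
    results["copied_seed"] = server.verify(SERIAL, totp(OLD_SEED, 120), 120)

    # Mitigation: issue a new seed (a new token) for the same account.
    server.enroll(SERIAL, NEW_SEED)
    results["old_seed_after_reissue"] = server.verify(
        SERIAL, totp(OLD_SEED, 150), 150)
    results["new_seed_after_reissue"] = server.verify(
        SERIAL, totp(NEW_SEED, 150), 150)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24} accepted={accepted}")
```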
Do you mean to tell us that EVERY RSA radius server has a database of every serial number and every seed ever made and ones to be made in the future?? If I buy a token on eBay, all I need to do (to my recollection – it has been 10 years since I admined one of these) is tell the server the serial number of the fob. Does the server then get the seed from the mother ship? I don’t seem to remember that happening.
Furthermore, even if the bad guys have the seeds, do they have the serial numbers in use too? If they can get the serial number off the fob in my pocket, they can steal the fob too. I still don’t understand.
Perhaps they are switching from RSA to a provider who hasn’t been hacked yet?
The seed values and corresponding serial numbers must have been compromised. Replacing all the fobs with new ones that were created with post-breach non-compromised seed values would address this.
Bob: You are my friend, no matter what.
[…] X Cringeley believes that SecurID has been compromised at an unnamed US defense contractor. SecurID is a little keyfob that generates a pseudorandom […]
Perhaps the Chinese or Russians or ??? that hacked the defense contractor were themselves compromised by the NSA or CIA or DIA.
Once these guys found out that the contractor was hacked they were the ones that let them know.
Good guys hacking bad guys who are hacking good guys, shades of Spy vs. Spy!
I’ve personally always suspected (I have no proof) collaboration or at least collusion between hackers and security experts. Or some who wear both hats – Dr. Jekyll and Mr. Hyde as it were. If a lock is ever created that can’t be picked, locksmiths have lost their livelihood . . .
[…] bolt from the blue! Source report some details of the alleged first attack to a very large U. S. Defense contractor perpetrated by mean of compromised RSA […]
This blog entry is nothing but speculation. Nothing, absolutely nothing, of this can be verified in any way. Someone heard something from…….blah blah.
It may well be speculation, but what would you prefer, to have heard a security system has been compromised or to go on with your life willfully ignorant?
That’s not what I heard…
You have to be joking, right? It was Lockheed –
https://www.reuters.com/article/2011/05/26/lockheed-network-idUSN2613783420110526
Bob, how do you like the way the Reuters article implies that this very blog has identified Lockheed as the victimized contractor ? Let us know if we need to start raising a Cringely Legal Defense Fund 🙂
It WAS Lockheed. I already had that from two sources (enough to publish but I had atypically restrained myself) when Reuters called with their single source. So I confirmed their information. But I don’t think any defense fund is required: I’ve been covering this stuff for three decades now and my hands are clean (and perfectly legal) here. The public has a right to know.
Other likely attack vectors include a compromise of the SecureID server (stolen token secrets are a big deal, but the software behind their validation, and any bugs in it would be even more valuable), or a pre-auth vuln in the VPN system (there’s at least one reported but unpublished remotely exploitable bug in one of the top market-leading products right now).
Matching the correct token serial/seed with an arbitrary hacked user account sounds hard, but not if the user is simply phished to give up the serial along with their password (“For security verification, please enter the serial number on the back of your token”).
RSA customers are under NDA, but there have already been replacements (and not on the usual 3 year schedule!). Expect to see more of this soon…
Full disclosure: Our company, Duo Security, offers a competing product to RSA. With or without tokens. 😉
I am so glad we decided to move away from RSA after the hack, the whole concealing of what had happened, what was stolen sat uneasy with me so we evaluated the market for a replacement.
What we actually got was more of an upgrade than a replacement – http://bit.ly/llReKD not only COULD we use the RSA tokens we already have, but their replacement tokens are the lowest priced on the market, and one has a replaceable battery ! coupled with SMS, Twitter, Mobile phone, iPad, Grid, and more as OTP “soft” tokens and the deal was almost done.
What sealed it ? the price, it was less than the renewal/support price on my RSA, !!
YES, you read it right, I paid less than the renewal on my RSA to swap over to Deepnet DualShield and support is in the future 20% of that price (20% of my old RSA support renewal)
I would really recommend taking a look.
Jo Jo.
If something seems better than you can imagine, you can bet it is. Good luck!
It’s fun to speculate. There is no reason to exclude the NSA from the perpetration when we remember that no arm of the executive branch is allowed to freely spy on us all yet. The US Patriot Act only removes some but not all restrictions. To get around any remaining restrictions, the NSA’s nearly unlimited budget gives it the capability, the means, and the opportunity to break into nearly any secure network, from American and British private contractors to the companies owned by the PLA.
I say the NSA, this, especially since it and our other spy agencies work day and night to deflect the blame toward our competitors also needing tax dollars for the lucrative war on terror.
When you begin a paragraph with “It seems likely…” it seems likely that there is actually no hard evidence that there really was a breach in the first place. It seems likely that adding details about, say, key-loggers, significantly reduces the likelihood and yet increases the chances that people will believe it.
It seems likely to me that this is all pure speculation. Please provide confirmation that a breach actually occurred and that you are not operating solely under the auspices of a replacement of RSA key fobs (which happens periodically for administrative purposes) as the evidence.
I’d say at this point with the story having been picked-up by major news organizations, that your question has been answered. I don’t make things up.
I have been covering these stories longer than most readers have been adults. Reputation is everything in these things and I am relying on it here. You are essentially asking, “why should I believe Cringely?” I don’t care if you do or don’t, but the stories I write are correct, as this one has now been shown to be.
Wouldn’t you prefer to know about an event like this earlier, rather than later? I’m quite confident, for example, that most organizations doing business with Lockheed-Martin didn’t hear about this from the company. They got it here or from one of the many news stories that started solely with what you read, above. That’s my function.
It seems likely that Pete didn’t know much about Bob Cringely or his reputation.
Actually, I’ve been reading Cringely for some time. Quite enjoyed one of his earlier books, and the TV piece on it. What on earth does that have to do with his knowledge of a breach?
The real problem here is that you started it all with speculation in the “it seems likely” paragraph. Now we are clear that LM was compromised and what action they took, but not much else.
I am surprised that you won’t reiterate that the “it seems likely” paragraph is clearly speculative or you wouldn’t have started it like that. Many have used this as ‘proof’ that it happened this way.
A person with your reputation would want to set the record straight, right?
This breach required TWO, not one big failure.
1. RSA token algorithm hack is concerning but is not by itself enough to allow access.
2. Physical access failure. Look, if you can’t secure the access to your network or hardware or software installation you can’t complain when there’s a security breach. This is IT security 101. Who lets a keylogger get installed AND go undetected?
Nothing new here. Move along.
Quoting the article: “What if every RSA token has been compromised, everywhere?”
Nobody seems either aware or quite ready to take the leap here, so I’ll do it:
Yes. Every RSA token, everywhere, is compromised and worthless. Every token shipped and registered, before the RSA breach took place.
(Ostensibly, newly manufactured tokens would be okay…but I’m sure these will have to have a new form-factor or other rebranding, as users need to be able to readily discriminate between safe new tokens and previously shipped tokens now compromised. You would definitely NOT want to reuse one of these broken tokens with an alternate service. (By this I mean, well this token was broken at my defense contractor job, but I can take it home and register it for use on my Paypal account. No. Don’t.))
Pull the transcripts of these two “SecurityNow! with Steve Gibson” episodes and find the text “SecurID” to quickly zoom into the relevant bits:
https://www.grc.com/sn/sn-293.htm (initial reporting)
https://www.grc.com/sn/sn-294.htm (followup news)
Given RSA’s very carefully worded statements, we can infer that the only reason they can claim that no SecurID customer’s security was necessarily breached as a result of the attack on RSA, was because all the tokens were used as part of multifactor authentication systems…and, well, you’d still have the factor of the normal password. But the fancy RSA token is buying you nothing extra other than an obfuscatory false sense of security.
It’s clear from above that the PRNG seeds leaked from RSA. As a result, these attackers now have the ability to know what numbers will pop-up on the shipped RSA tokens, and can share this with other attackers. Any system using the tokens has been compromised by one factor. Systems with only token+password are now really only as secure as the password part.
If it were not this bad, provably not, there would be no reason for any large customer of RSA’s tokens to suddenly scrap them all.
The breached defense contractor might not have known or understood that one of their authentication factors was compromised, but once they were breached they certainly realized. The tokens, if secure, would be effective protection at least from authentication breaches, even if keyloggers were present on client machines. Knowing that they still suffered a breach, their IT would have known that something was wrong with their 2nd factor.
If it happened to me, I might be tempted to dump the token provider as a knee-jerk reaction, rather than accept new tokens from that provider, unless the provider could prove either the integrity of existing tokens, or the restored security necessary to protect the integrity of new ones to be issued.
They didn’t satisfy this defense contractor, and that says, indirectly but strongly, that RSA could not provably defend the integrity of the tokens provided to this customer.
Perhaps RSA is playing things tight-lipped in the interim. If the whole customer base woke up to this and understood the issue, they would demand provably secure new tokens, or leave for another provider. I’m sure that would be a pulse of product RSA would not be immediately equipped to handle. Expect though, soon enough RSA will release new tokens with a fresh new look to users.
Episode 293 was recorded on March 23 (over two months ago) and mentions the RSA security breach. It should be interesting to see what Steve has to say in today’s podcast (#302) about this new development.
I’m sorry…reading this article I thought I recalled in the recent past that Steve Gibson was able to report that RSA lost control of the “keys to the kingdom” regarding the SecurID tokens. I searched the transcripts and located two past episodes I posted above which aired in March that talked about the breach at RSA, and speculated about whether the installed tokenbase was now compromised, as we’ve been doing here. But I thought Steve had called the tokens’ usefulness kaput…
…well yes he did, but it happened one more episode later, after RSA released more detail to the public about the specifics of the breach. And that _very_ interesting report can be found here:
https://www.grc.com/sn/sn-295.htm
Search the transcript for “SecurID” or download and listen to the MP3 for the full impact.
(I remembered the talk, but the title threw me off the scent, as the RSA news was part of Steve’s news update section, preceding the main topic for the show. These podcasts allruntogetherinmybrain.)
My only point was that this column discusses something that happened this past weekend, so Steve’s next podcast, yesterday, may mention it again. As it turns out I was wrong since the word “RSA” is not in yesterday’s transcript. Bob does say in this column “Last weekend was bad for a very large U. S. defense contractor that uses SecureID tokens from RSA”. So Steve has yet to comment on last weekend’s event.
Sorry, a little extra bit here.
https://www.grc.com/sn/sn-295.htm (more followup)
Episodes 293, and 294 aired in March, shortly after the RSA breach. This transcript is from April, after new details were published by RSA.
If you are in the security business or need to know about it as a diligent user or journalist, you really need to be following Steve’s show.
http://twit.tv/sn
https://www.grc.com/securitynow.htm
“If Windows 8 is a bust, then, what’s a Microsoft to do? That’s my next column….”
This is the next column, right?
So are you suggesting Microsoft should break into RSA? I don’t see how that will help them.
Why don’t MS just keep doing what it always has? Keep on the lookout for good ideas developed by other people. Then jump in when the idea starts to take off. It doesn’t take much of a genius to be a copycat.
Whoops. Forgot to talk about security. What you do is hunt down the most accomplished group of crackers and give them a hundred million dollars (or whatever it takes) to develop a good security system.
Breaking news got in the way, Mr. Smartypants. I’ll post the second Microsoft column later today (Saturday).
So “Setec Astronomy” finally strikes back eh? I guess there were just “too many secrets”.
All in all very interesting analysis.
So the “algorithm has been known for years”? That’s a good thing in my book, as there is no security through obscurity. A well known algorithm is more likely to be cryptographically sound as it’s peer reviewed.
It’s the nature of a one time token protocol that “all you need to know” is the seed – in RSA’s case the seed is the serial number, which makes sense. Whatever it is the seed needs to be stored on the company servers somewhere. That’s a requirement for any OTT system.
In the end, the hackers were able to breach security by hacking into the server holding this information, and installing keyloggers to get the secondary password.
There are no implications for RSA, or the system used.
Nothing to see here, move along!
Cain has been able to generate the codes since 2007. All you needed were the token serial numbers and seeds (which only RSA and the purchaser should have known). Now that the serial numbers associated with their seeds are known, all you need to have is one code and the time it was used and you know exactly what token it was (working the math backwards – think rainbow dictionary).
https://www.oxid.it/ca_um/topics/rsa_securid_token_calculator.htm
FYI… CSC (Old Computer Sciences Corp) is quickly replacing all RSA tokens. Have no idea if there was an intrusion. Guessing they’re worried.
[…] security consultant Mark Stephens, who blogs under the name Robert X. Cringely, defense and aircraft giant Lockheed Martin is struggling with internal security problems. Last Sunday […]
This has got to be Lockheed Martin. This is bad because the VPN not only allows e-mail access, it also allows access to personnel records, internal proprietary information, and lots of other corporate sensitive stuff. Bad news for those guys… Glad I don’t have to deal with those SecureIDs any more. What a pain in the neck.
[…] who said it was “affecting a lot of people.” Security consultant Robert Cringely says in a blog that a major defense contractor is issuing new RSA SecurID to all employees using them for remote […]
This incident seems completely plausible, but this phrase has faulty logic:
“The very fact that we haven’t heard anything about this (I hadn’t, had you?) makes me think this probably ISN’T the first such network penetration from the recent RSA hack… or the last.”
To paraphrase, “because we haven’t heard about this type of event prior to this incident proves that events of this type have been happening all along.” lolwut
[…] meaning that anyone who routinely worked remotely had to go instead into the nearest office. The way he tells it, the incident was followed by word that all employees using the tokens would be issued new ones and […]
[…] to bring the cloud to its gates. In response to the breach, Robert X Cringely, the blogger who first broke news of the breach, reports that Lockheed Martin had […]
You have never confirmed whether your “it seems likely” paragraph was confirmed by anyone or that you were speculating when you wrote/published it.
[…] Robert Cringely: Well an attack has succeeded, laying open who knows what national secrets? […]
[…] has a strange article which continues the RSA SecureID attack mystery: InsecureID: No more secrets?. I can’t say I’ve ever read Cringely before, so maybe he’s just some tech […]
[…] this week’s Lockheed Martin network breach story intervened, I wrote a column about the strategic dilemma faced by Microsoft from downward trends in […]
[…] Robert Cringely claimed that Lockheed Martin first detected the security breach last Sunday. In response the firm promptly […]
Given the timing, I don’t see how 1) Lockheed could have confirmed that nature of a breach; 2) RSA could have shipped 100k key fobs.
Given that you started your breach assertion with “it seems likely” it is now clear that you have no substantiation. All further substantiation has been using this source as the “evidence” and there isn’t any here.
Now that this “breach” has been not only “confirmed” using your blog post as “evidence” but now multiple attacks are being asserted as well, it is irresponsible of you not to step up and re-substantiate your claims or admit that you were speculating to begin with.
[…] this front, the last two days were quite turbulent, and what seemed initially a simple speculation of an attack using compromised SecureID seeds targeted to “a very large U. S. defense […]
[…] Robert Cringely claimed that Lockheed Martin first detected the security breach last weekend (a fact later confirmed by […]
[…] is about the RSA breach. On friday evidence that the rsa token keys were compromised surface: http://bit.ly/jtCbSm On Saturday, Lockheed Marting acknowledge being under attacks. Anonynous source report that the […]
[…] quoted technology blogger Robert Cringely as saying the intrusion may have involved the use of RSA’s SecurID tokens, which Lockheed Martin employees use when logging into their network from outside the […]
[…] what the Lockheed Martin press release fails to mention is that the company uses SecureID tokens from RSA to provide two-factor authentication for remote VPN access to their corporate […]
[…] Then you hack Lockheed Martin (a contractor for the US Department of Defense, maker of aircraft, missiles, and many other things): […]
[…] detected a network intrusion, according to the Reuters story, which cited technology blogger Robert Cringley. Cringley claimed the breach involved RSA SecurID tokens that Lockheed employees use to access the […]
The old rules still apply from the dawn of the computing era (or from any other era), quite simply if you want to keep something secret don’t store it on a computer unless you have “one-time-pad” security in place and even then it’s only as safe as the “other person”.
So called security experts operating RSA type encryption are asking for trouble! And in fact this has been the case now for some time.
And those that store “delicate data” in any type of recent databases need their head examining, they’re all USA backdoor enabled under the “USA homeland security” debacle/legislation.
There is no such thing as a secure data transfer or password using computers.
Steve Gibson suggests PIE (pre-internet encryption).
Security=LAN. If you need to secure data keep it out of any noded network. Nothing is ever 100% secure but this off-line measure removes 95-98% of the issue. The rest is human hacking and more advanced technologies. It’s impossible to do this remotely.
The only secure network is a standalone network which is in an electromagnetically shielded environment. But even then it’s only as secure as the people using it.
Yeah. I saw “Enemy of the People”, too.
Tokens, not the encryption, were compromised. Smart cards are a better solution for strong authentication.
The APT attacked RSA specifically to get into Northrop. This is an act of war.
Wow, I see a LOT of “assumptions” and guesswork, but no real information or confirmation from LM. For example: “It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company.”
Really? Based on what information? It may simply be that they’re concerned about the RSA hack and have shut down remote access as a precautionary measure while they issue new tokens. Is there REALLY a story here?
[…] Robert X. Cringely reported on the attack early on, without naming the specific company, and wrote that countermeasures were taken, namely in requiring another level of authentication: It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network. […]
You seem to be missing the point of a forum. You are supposed to state your opinion about something, not just randomly quote passages from the original article.
We got rid of our RSA keys three years ago and went to a different two-factor authentication process that also includes a challenge authentication.
[…] The break-in at Lockheed Martin, maker of the F-22 aircraft among other things, is being linked to the earlier break-in at RSA. Recall that, as a result of the attack on RSA, still-unknown intruders most likely stole the database of seeds for SecurID tokens. With the seed and the token number, one can create a clone of a given employee’s token and bypass two-factor authentication mechanisms. This attack scenario against Lockheed Martin is being tipped as the most likely. […]
How’s the weather in Warsaw?
At least one good thing will come of this: the end of the critics of privacy concerns. For some time I’ve gotten flak about my hesitation to just go with the flow and put my personal info (and my family’s) out onto the digital domain. Being called anti-technology simply because one doesn’t buy into the line that the debate about security is over will now be a tougher sell with the RSA incursion.
[…] InsecureID: No more secrets? (Cringely broke the Lockheed story) […]
[…] fallout from the March attack on RSA has arrived. Per the news agencies—and the excellent blog post by Bob Cringely—several large defense contractors (Lockheed Martin, L-3, and potentially Northrop […]
[…] back in March. The manufacturer of F-22 and F-35 fighter planes confirmed the attempted hack, first reported by tech blogger Robert Cringely, which took place on or around the weekend on 21 May. In a […]
[…] was detected. The first details, although the target was not immediately revealed, were given few days after, on May, the […]
[…] blogger Robert Cringely said the network disruption at Lockheed began Sunday and that the SecurID tokens were at the center of […]
Security firm RSA has offered to replace the SecurID tokens used by its customers to log into company systems and banks.
https://www.bbc.co.uk/news/technology-13681566
[…] day hackers demonstrate how weak the security of our corporate and government resources are. Stealing millions of credit cards occurs on a […]
I’m pleased that I am not a News Corp. shareholder! With all the ongoing problems it is facing in the UK with the now shut-down News of the World, Rupert Murdoch’s News Corp., based in Delaware, is also facing a legal challenge from its shareholders. Shareholders, as well as investment funds, labor and municipal pension funds, are accusing Murdoch of misusing News Corp. assets by treating the company like a family candy jar, which he raids whenever his appetite strikes. It looks like the troubles are just starting!
[…] consultant Robert Cringely says that a major defence contractor is issuing new RSA SecurID to all employees using them for remote […]