It looks like the other shoe has dropped in the RSA (the security division of EMC) data breach fiasco (see “RSA risk mitigation” and “Accentuate the positive, obfuscate the negative”). Hitachi ID’s Idan Shoham was the first of a number of you to point me to the recent stories about a data breach at Lockheed Martin, one of the largest U.S. military contractors.

While Lockheed (like RSA) is giving out few details of the attack, what they do say (and what they don’t say) is very revealing.

DETAILS: Lockheed Martin acknowledges ‘significant’ cyberattack

According to a story in CRN, Lockheed said that “our systems remain secure; no customer, program or employee personal data has been compromised.” But they didn’t give the same assurance for proprietary data — or data about military systems.

CRN went on to say that “The Bethesda, Md.,-based company then required a password reset for its more than 120,000 employees on the network, and embarked on the process of re-issuing tokens for employees using RSA’s Secure ID [sic] two-factor authentication tokens.”

Almost everyone assessing the breach believes it was a remote attack which compromised authentication methods — exactly the sort of attack predicted when the RSA breach was first announced. Lockheed’s sudden move to re-issue RSA SecurID tokens reinforces this belief.

There was further speculation (but only speculation) that the Chinese government was behind the attack at Lockheed but may not have been directly involved in the attack at RSA — they merely purchased the ill-gotten goods from that breach. A leaked look at an upcoming U.S. Defense Department document reinforces the belief that it was a nation-state leading the Lockheed breach.
As reported by The Christian Science Monitor, the DOD document states: “Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an ‘act of war,’ according to new Defense Department cyberwarfare policies that have yet to be officially unveiled.”

Just as we went to press I saw an unconfirmed report in The Register that another U.S. defense contractor, L3 Communications Stratus group, “… had been actively targeted with attacks based on ‘leveraging compromised information’ from the SecurID keyfob two-factor authentication system.”

There is now a breaking story that Northrop Grumman, yet another U.S. defense contractor, may have been hit with a similar attack.

I must reiterate what I said before: SecurID can no longer be trusted, whether or not its algorithm was compromised. The risk is far too great. But be careful what you replace it with — don’t jump from the frying pan into the fire.

Shoham had a good suggestion, though: “Heck, going back to just passwords, but making them strong ones and authenticating the endpoint (i.e., is this the same PC that my user usually signs on from?) would be better than the RSA tokens at this point. More convenient for end users too.”