Hackers might have skeleton key to defense contractor systems

Information taken in a data breach at EMC’s RSA Security division earlier this year is believed to have been used against contractor L-3 Communications, and that attack follows a similar recent one against contracting giant Lockheed Martin.

The L-3 attack was reported May 27 by Reuters, which said attackers were able to spoof the pass code from an RSA SecurID token.

Similar data is believed to have been used in an attempt May 21 to access Lockheed Martin, which the company described as a “significant and tenacious attack on its information systems network.” A third defense contractor, Northrop Grumman, may also have been attacked. Fox News reported that the company shut down remote access to its network May 26. Northrop hasn't commented on the report.

Related stories:

'Significant' attack shuts down Lockheed network

Hackers gain access to RSA's SecurID security tokens

The RSA breach, reported in March, was described by the company as an advanced persistent threat that targeted information related to the SecurID two-factor authentication product. Although details of that attack still have not been released, it is believed that the seed values, the per-token secrets from which the algorithm generates each one-time pass code, were taken.

In a letter to customers, RSA Executive Chairman Art Coviello said that although “the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

The broader attack appears to be what has happened at Lockheed Martin and L-3, according to industry observers.

Harry Sverdlove, chief technology officer at Bit9, an end-point security company, said the Lockheed Martin attack apparently began with the compromise of a computer that remotely connected to the corporation’s network and the installation of key-logger malware on it. That would let the attacker collect a log-in password and probably several one-time SecurID pass codes.

The pass codes cannot be reused and by themselves are useless. Likewise, the algorithm that generates them is well known but is useless without the seed value that determines which codes a given token produces. But if the attacker had several captured pass codes, it would be easy to work through a database of seed values to find the one that produced those codes, Sverdlove said. The attacker could then use that seed to generate valid pass codes and, with the captured password, log in to the system.
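The seed-recovery step described above, as an added example that is not part of the original article and does not use RSA's proprietary SecurID algorithm. The stand-in token algorithm here (the first six digits of HMAC-SHA256 over the seed and a 60-second time step) is an assumption; what matters is that a code is a deterministic function of a secret seed and the current time, so the key-logger captures have to be paired with when each code was typed. The serial numbers, seeds, password and timestamps are all constructed. The example also shows the two facts the paragraph asserts: a captured code is refused on replay, and the attacker, once the seed is identified, can mint a fresh code that the server accepts.

```python
import hashlib
import hmac
import random

DIGITS = 6          # code length, as on a SecurID display
STEP = 60           # seconds per code; a 60-second token is assumed here


def otp(seed, t):
    """Stand-in token algorithm (an assumption, not RSA's proprietary one):
    the 6-digit code for time t is derived from HMAC-SHA256(seed, t // STEP)."""
    counter = (t // STEP).to_bytes(8, "big")
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def build_seed_db(n, rng_seed=1):
    """Constructed stand-in for the stolen seed records: serial -> 128-bit seed."""
    rng = random.Random(rng_seed)
    return {"TOK%06d" % i: rng.getrandbits(128).to_bytes(16, "big") for i in range(n)}


def expected_false_matches(n_seeds, n_codes):
    """How many wrong seeds would survive n_codes captured codes by chance:
    each 6-digit code eliminates all but ~1 in 10**DIGITS of the candidates.
    A fleet of 40 million tokens leaves ~40 candidates after one code and
    essentially one after two, which is why several captures suffice."""
    return n_seeds / 10 ** (DIGITS * n_codes)


def recover_seed(seed_db, observations):
    """Work through the seed database keeping only seeds that reproduce every
    captured (timestamp, code) pair. Returns the survivors plus the candidate
    count after each observation, so the narrowing is visible."""
    candidates = set(seed_db)
    history = []
    for t, code in observations:
        candidates = {s for s in candidates if otp(seed_db[s], t) == code}
        history.append(len(candidates))
    return candidates, history


class TokenServer:
    """Minimal authentication server: checks the static password, checks the
    code for the current time step, and refuses a code for a step it has
    already accepted, so a captured code cannot simply be replayed."""

    def __init__(self, seed_db, passwords):
        self.seed_db = seed_db
        self.passwords = passwords      # serial -> static password (constructed)
        self.last_step = {}             # serial -> last accepted time step

    def login(self, serial, password, code, now):
        if self.passwords.get(serial) != password:
            return False
        step = now // STEP
        if self.last_step.get(serial, -1) >= step:
            return False                # replay of an already-used code
        if otp(self.seed_db[serial], now) != code:
            return False
        self.last_step[serial] = step
        return True


def demo():
    """Walk the attack end to end. Serial numbers, password, seeds and
    timestamps are all constructed for the example."""
    db = build_seed_db(5000)
    victim, password = "TOK001234", "hunter2"
    server = TokenServer(db, {victim: password})

    # Key logger on the remote PC captures the password and each code typed
    # at three legitimate logins, along with when they were typed.
    captured = []
    for t in (1_306_000_000, 1_306_030_000, 1_306_060_000):
        code = otp(db[victim], t)
        assert server.login(victim, password, code, t)
        captured.append((t, code))

    # 1. A captured code is single-use: replaying the last one is refused.
    last_t, last_code = captured[-1]
    replay_ok = server.login(victim, password, last_code, last_t)

    # 2. With the stolen seed database the captures pin down the seed.
    survivors, history = recover_seed(db, captured)
    (serial,) = survivors

    # 3. The attacker mints a fresh code for the time of the next login.
    t_attack = 1_306_100_000
    forged_ok = server.login(victim, password, otp(db[serial], t_attack), t_attack)

    return {"replay_ok": replay_ok, "serial": serial,
            "history": history, "forged_ok": forged_ok}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `replay_ok` False and `forged_ok` True with the victim's serial identified. Note that nothing the server checks distinguishes the forged login from a real one: the password and the code are both correct, which is the point Sverdlove makes about hardening passwords not helping once the seed is known.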

“Whoever attacked Lockheed Martin was the same as attacked RSA or had access to information from the RSA breach,” Sverdlove said.

He said the exploit that delivered the key logger to the remote computer likely came through a targeted phishing e-mail, the same technique that was used in the initial RSA attack and that also was used to break into systems at the Oak Ridge National Laboratory in April. The series of attacks illustrates how vulnerable the most sophisticated defenses can be to a well-engineered phishing attack.

“It only took one infiltration vector to steal everything needed to defeat two-factor authentication,” Sverdlove said.

The attackers are not “one-trick ponies,” Sverdlove said. “They are raising the bar” by building on initial successes to develop additional attacks.

Sverdlove said hardening the passwords used with two-factor authentication, or adding further passwords, provides no additional security once a system has been compromised, because the attackers can collect whatever password data is entered.

Ronald Rivest, professor of computer science at the Massachusetts Institute of Technology and originally the “R” in RSA, said there is no end in sight in the battle between attackers and defenders.

“It is not a problem you can solve,” Rivest said. “We will continue to see attacks and we will continue to see successful attacks.”

He compared cybersecurity to health care, in which new drugs and treatments are continually developed to improve health, though new germs and diseases continue to appear. Success is not determined by the ability to completely eliminate problems.

“There is no silver bullet,” Rivest said. “We must aim for steady progress, not perfection.”

Reader comments

Thu, Jun 2, 2011

Hmm, advanced persistent threat...unclassified environment...collection of all federal US agency known vulnerabilities...cyber scope...maybe we should recategorize the system to classified? People will use the information obtained to exploit other systems contained within this system.

Thu, Jun 2, 2011 Doug Finley

Any attack that relies on the installation of software on the victim machine, as these apparently did, can be stopped by an effective whitelisting solution, such as Naknan's Security Assistant. Whitelist maintenance (think: every Patch Tuesday plus other patches and updates) is no longer the nightmare it once was. Whitelisting actually works.

Thu, Jun 2, 2011

It will only get worse as we put all of the eggs in one basket of the cloud.

Thu, Jun 2, 2011 RayW

I have the solution to this problem. I read it here on FCW. Go with the CLOUD, it is more secure! (I am also trying to sell a Golden Bridge for which I have a piece of paper saying I own it.)

The more we put stuff on the web, centralize important functions, make web access mandatory to do the simplest personnel issues, the more lucrative it is for the bigger and better funded groups to access it. And the easier you make access to data at anytime from anyplace, the easier it is for unwanted folks to get to it also.

Not wanting to sound like a Luddite, but you have no control over your information, despite all the "encryption" schemes in use and the 'promises' made, once you push the send button (or just typing it in on certain real time entry systems) and it is placed on an externally accessible system. Relying on folks who get paid to study this issue, if this one made the news, then there are a lot more (number given was stated as "20 or more, who knows?") incidents that did not make the news or were not even discovered.