Exclusive: Hackers breached U.S. contractors (SecureID compromise)

Reuters ^ | 5/27/11

[markomalley]

Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters.

They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter.

[driftdiver]

‘said the person who was not authorized to publicly discuss the matter.”

When I was doing this stuff they put people who talked without authorization behind bars.

[Squantos]

Not good .... FYI !

[wheresmyusa]

Anyone think it was NOT China?

If they smack around the peasants to farm gold on Warcraft, God only knows what they’ve been doing to the folks with actual skills to get this job done.

[glorgau]

The internal private keys got compromised. There was a good discussion of it on the Security Now! podcast.

[Doogle]

...with the bowing clown in charge and his incompetent Czar circus...what’s new?

[PA Engineer]

Agreed. The last paragraph of the article:

It briefed individual customers on how to secure their systems. In a bid to ensure secrecy, the company required them to sign nondisclosure agreements promising not to discuss the advice that it provided in those sessions, according .

Great. Now the hackers know their exploits have been compromised, preventing counter intelligence a chance to go after them.

[Daaave]

[CodeToad]

SecurID has never been approved on my projects.

[Tijeras_Slim]

No kidding.

I don’t travel much, so I never went that route.

[ImJustAnotherOkie]

A little late. This happened ten days ago. Most companies are issuing new tokens right now.

[ExTexasRedhead]

Big Bro and Big Sis want your medical records in their database. Yeah right; they’ll be secure NOT.

[snowsislander]

The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.
...

The RSA breach did raise concerns about any security tokens that had been compromised, and EMC now faced tough questions about whether "they can repair that product line or whether they need to ditch it and start over again," he said.

That's bad.

[liberalh8ter]

They breached security systems designed to keep out intruders

Sounds like what "hackers" did to our Constitution.

[hiredhand]

Without going into a lot of boring details here, somebody had to get up close to somebody else and steal “something” in order to pull this off. Most people keep SecureID tokens on their key rings. Now matter how they did it, you’re right. It’s NOT good news.

[hiredhand]

I know it's an issue of semantics... but to say that they broke in to the network using copied SecureID tokens and the "other" required information is like me stealing your house key and then breaking in to your house. :-)

SecureID is one of those things I've always had misgivings with for high security needs simply because it's "obvious". It's like the wonks I used to work with who would keep STU-III keys on their keyring and they would be viewable "sometimes" when they pulled things out of their pockets at various places. IF somebody knows what the item is for, and they can get the rest of the required information, then the security is defeated.

If you compare this to IPSEC and a shared key, it's a lot more trouble even determining that IPSEC is using a shared key (at least for Phase-I). But SecureID is "visible". Somebody SEES it, and this tells them that the holder has access to information that somebody thinks is worth protecting. SecureID markets their product on the premise of high security, but no SCIF I ever worked in would have ever even permitted the token through the door simply based on what it does. :-)