Skip to comments.
Exclusive: Hackers breached U.S. contractors (SecureID compromise)
Reuters ^
| 5/27/11
Posted on 05/27/2011 3:09:17 PM PDT by markomalley
Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters.
They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter.
(Excerpt) Read more at reuters.com ...
TOPICS: Business/Economy; Crime/Corruption; Extended News
KEYWORDS:
To: markomalley
‘said the person who was not authorized to publicly discuss the matter.”
When I was doing this stuff they put people who talked without authorization behind bars.
2
posted on
05/27/2011 3:10:39 PM PDT
by
driftdiver
(I could eat it raw, but why do that when I have a fire.)
To: hiredhand; CodeToad; archy; Tijeras_Slim
3
posted on
05/27/2011 3:16:11 PM PDT
by
Squantos
(Be polite. Be professional. But have a plan to kill everyone you meet)
To: markomalley
Anyone think it was NOT China?
If they smack around the peasants to farm gold on Warcraft, God only knows what they’ve been doing to the folks with actual skills to get this job done.
To: markomalley
The internal private keys got compromised. There was a good discussion of it on the Security Now! podcast.
5
posted on
05/27/2011 3:20:46 PM PDT
by
glorgau
To: markomalley
...with the bowing clown in charge and his incompetent Czar circus...what’s new?
6
posted on
05/27/2011 3:21:46 PM PDT
by
Doogle
((USAF.68-73..8th TFW Ubon Thailand..never store a threat you should have eliminated))
To: driftdiver
Agreed. The last paragraph of the article:
It briefed individual customers on how to secure their systems. In a bid to ensure secrecy, the company required them to sign nondisclosure agreements promising not to discuss the advice that it provided in those sessions, according .
Great. Now the hackers know their exploits have been compromised, preventing counter intelligence a chance to go after them.
7
posted on
05/27/2011 3:21:52 PM PDT
by
PA Engineer
(SP12: Time to beat the swords of government tyranny into the plowshares of freedom.)
To: markomalley
8
posted on
05/27/2011 3:28:28 PM PDT
by
Daaave
(This user does not condone illegal internet behavior.)
To: Squantos
SecurID has never been approved on my projects.
9
posted on
05/27/2011 3:33:40 PM PDT
by
CodeToad
(Islam needs to be banned in the US and treated as a criminal enterprise.)
To: Squantos
No kidding.
I don’t travel much, so I never went that route.
To: markomalley
A little late. This happened ten days ago. Most companies are issuing new tokens right now.
To: markomalley
Big Bro and Big Sis want your medical records in their database. Yeah right; they’ll be secure NOT.
To: markomalley
The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.
...
The RSA breach did raise concerns about any security tokens that had been compromised, and EMC now faced tough questions about whether "they can repair that product line or whether they need to ditch it and start over again," he said. That's bad.
13
posted on
05/28/2011 6:13:25 AM PDT
by
snowsislander
(The Nigerian 419 scammers must be envious of what this Kenyan fraud has accomplished.)
To: markomalley
They breached security systems designed to keep out intruders Sounds like what "hackers" did to our Constitution.
To: Squantos
Without going into a lot of boring details here, somebody had to get up close to somebody else and steal “something” in order to pull this off. Most people keep SecureID tokens on their key rings. Now matter how they did it, you’re right. It’s NOT good news.
To: CodeToad
I know it's an issue of semantics... but to say that they broke in to the network using copied SecureID tokens and the "other" required information is like me stealing your house key and then breaking in to your house. :-)
SecureID is one of those things I've always had misgivings with for high security needs simply because it's "obvious". It's like the wonks I used to work with who would keep STU-III keys on their keyring and they would be viewable "sometimes" when they pulled things out of their pockets at various places. IF somebody knows what the item is for, and they can get the rest of the required information, then the security is defeated.
If you compare this to IPSEC and a shared key, it's a lot more trouble even determining that IPSEC is using a shared key (at least for Phase-I). But SecureID is "visible". Somebody SEES it, and this tells them that the holder has access to information that somebody thinks is worth protecting. SecureID markets their product on the premise of high security, but no SCIF I ever worked in would have ever even permitted the token through the door simply based on what it does. :-)
Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson