Back in March, RSA revealed that its systems had come under a “very sophisticated cyber attack” and that as a result “certain information” related to its SecurID product was taken. Then last week Lockheed Martin, the US defense contractor and manufacturer of a variety of military products including the Trident missile and F-16, disclosed that its IT systems had come under “a significant and tenacious attack.” What connects these two events? Lockheed Martin uses SecurID.
In the post about the Lockheed Martin attack I wrote that “RSA need to be more public about how they are dealing with the theft of the information relating to SecurID. If this attack is a direct result of that theft, then no user of SecurID is safe. Have RSA been replacing the SecurID tokens and changing the keys and seeds?”
RSA have finally spoken up and have confirmed that the information taken from RSA in March was used during the attack on Lockheed Martin. As a result RSA will expand its “security remediation program to reinforce customers’ trust in SecurID tokens” and it will offer to replace SecurID tokens.
But – and the fact that there is a but at all reflects very badly on RSA – only for “customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.”
I have read that phrase “customers with concentrated user bases typically focused on protecting intellectual property and corporate networks” a dozen times and to be honest I have no idea what it means in practice. It is probably a polite way of saying, “if you are a big customer we will give you new SecurID tokens; if you aren’t, forget it.”
The result is that Lockheed Martin will get new SecurID tokens as will any other defense contractor or big corporate. The rest of its customers get nothing, but then RSA don’t think you have anything worth stealing.