September 2, 2014

20 Percent of Fortune 100 Companies Were Hit by the RSA Attackers

(LiveHacking.Com) - Brian Krebs, who was until just a couple of years ago a reporter for The Washington Post, has revealed that over 760 other companies have been hit by the same attackers who targeted RSA earlier this year.

In his blog post, Brian says that “more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.”

Brian does, however, give some caveats:

  1. Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit.
  2. It is not clear how many systems in each of these companies or networks were compromised.
  3. Some of these organizations (there are several antivirus firms mentioned below) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

The most interesting names on the list include:
  • The Alabama Supercomputer Network
  • Cisco Systems
  • eBay
  • The European Space Agency
  • Facebook
  • Google
  • IBM
  • Intel Corp
  • the Internal Revenue Service (IRS)
  • MIT
  • Motorola Inc.
  • Northrop Grumman
  • Novell
  • PriceWaterhouseCoopers
  • Research in Motion (RIM) Ltd.
  • Seagate Technology
  • VMWare

RSA to Replace SecurID Tokens – But Not For Everyone

Back in March, RSA revealed that its systems had come under a “very sophisticated cyber attack” and that as a result “certain information” related to its SecurID product was taken. Then last week Lockheed Martin, the US defense contractor and manufacturer of a variety of military products including the Trident missile and F-16, disclosed that its IT systems had come under “a significant and tenacious attack.” What connects these two events? Lockheed Martin uses SecurID.

In the post about the Lockheed Martin attack I wrote that “RSA need to be more public about how they are dealing with the theft of the information relating to SecurID. If this attack is a direct result of that theft, then no user of SecurID is safe. Have RSA been replacing the SecurID tokens and changing the keys and seeds?”

RSA have finally spoken up and have confirmed that the information taken from RSA in March was used during the attack on Lockheed Martin. As a result RSA will expand its “security remediation program to reinforce customers’ trust in SecurID tokens” and it will offer to replace SecurID tokens.

But - and the fact that there is a but is very bad form on RSA’s part - only for “customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.”

I have read that phrase “customers with concentrated user bases typically focused on protecting intellectual property and corporate networks” a dozen times and to be honest I have no idea what it means practically. It is probably a polite way of saying, “if you are a big customer we will give you new SecurID tokens, if you aren’t, forget it.”

The result is that Lockheed Martin will get new SecurID tokens as will any other defense contractor or big corporate. The rest of its customers get nothing, but then RSA don’t think you have anything worth stealing.

Lockheed Martin Thwarts IT Breach

Lockheed Martin, the US defense contractor and manufacturer of a variety of military products including the Trident missile and F-16, has acknowledged that its IT systems came under “a significant and tenacious attack” last week, but that due to the fast work of its security team it was able to protect all systems and data.

According to the press release, “as a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.”

However, what the Lockheed Martin press release fails to mention is that the company uses SecurID tokens from RSA to provide two-factor authentication for remote VPN access to its corporate networks.

Two months ago RSA revealed in an open letter to its customers that its servers were compromised by an extremely sophisticated cyber attack and as a result “certain” information was extracted from RSA’s systems.

That “certain” information turns out to be information about RSA’s SecurID two-factor authentication products, which has now been used to reduce the effectiveness of a SecurID.

Analysis
Lockheed Martin are to be congratulated on their speed and efficiency in dealing with this attack. However, this attack marks a significant turning point in the nature and makeup of cyber attacks. First, RSA need to be more public about how they are dealing with the theft of the information relating to SecurID. If this attack is a direct result of that theft, then no user of SecurID is safe. Have RSA been replacing the SecurID tokens and changing the keys and seeds? Second, the nature of this attack, in that it was planned and premeditated, starting with an attack on RSA and then an attack on Lockheed Martin, is a significant and disturbing event.

RSA’s Servers Hacked – Reduces Effectiveness of SecurID

RSA has revealed in an open letter to its customers that its servers were compromised last week by an extremely sophisticated cyber attack and as a result certain information was extracted from RSA’s systems.

RSA go on to say that some of the stolen information relates to RSA’s SecurID two-factor authentication products which could potentially be used to reduce the effectiveness of a SecurID.

RSA’s SecurID two-factor authentication mechanism consists of a “token” (either hardware or software) that generates an authentication code at fixed intervals (usually 30 or 60 seconds) using a built-in clock and the card’s unique factory-encoded seed. To authenticate, a user needs to enter a PIN and the number generated by the token.

Although unclear, it is supposed that the hackers have managed to get hold of a list of the seeds assigned to various tokens.

SecurityWeek got in contact with Kenneth Weiss, the original inventor of the SecurID: “The SecurID technology I designed and patented has never been breached in 25 years of use. This unfortunate breach of security at RSA speaks to the quality of their internal security not the security of the SecurID token. The possession of 40,000,000 random SecurID seeds is meaningless unless a subset can be associated with a particular one of 30,000 worldwide clients and then in turn directly associated with a particular client user. Even if such identification were possible, an attacker would also have to know the particular user’s PIN. This information is not stored on RSA computers.”
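
The seed-plus-clock scheme described above, as an added example that is not part of the original article or RSA's code: it shows from the verifier's side why a copied seed removes the possession factor, why the PIN still has to match, and why issuing a replacement token invalidates the copy. SecurID's own algorithm is not reproduced here; the generator is a stand-in using RFC 6238 TOTP (HMAC-SHA1), and `AuthServer`, the user name, PIN, seeds and timestamp are all constructed for illustration.

```python
import hashlib, hmac, os, struct

def tokencode(seed: bytes, unix_time: int, interval: int = 60, digits: int = 6) -> str:
    """Stand-in generator (RFC 6238 TOTP, HMAC-SHA1), not SecurID's own algorithm."""
    counter = struct.pack(">Q", unix_time // interval)   # clock -> time-step counter
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class AuthServer:
    """Hypothetical verifier: stores a salted PIN hash and the token seed per user."""
    def __init__(self):
        self.records = {}

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, self._pin_hash(pin, salt), seed)

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        salt, pin_hash, seed = self.records[user]
        pin_ok = hmac.compare_digest(self._pin_hash(pin, salt), pin_hash)
        code_ok = hmac.compare_digest(tokencode(seed, now).encode(), code.encode())
        return pin_ok and code_ok  # both factors are required

def demo() -> dict:
    now = 1_300_000_000  # constructed timestamp
    old_seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    new_seed = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    server = AuthServer()
    server.enroll("alice", "4821", old_seed)
    from_copy = tokencode(old_seed, now)  # computed from a copy of the seed, no token
    results = {
        "copy_with_pin": server.verify("alice", "4821", from_copy, now),
        "copy_wrong_pin": server.verify("alice", "0000", from_copy, now),
    }
    server.enroll("alice", "4821", new_seed)  # replacement token issued
    results["copy_after_replacement"] = server.verify("alice", "4821", from_copy, now)
    return results

if __name__ == "__main__":
    print(demo())
```

With a copied seed, the PIN is the only factor left in this model, which is why replacing tokens (new seeds) is the remediation that restores two-factor strength.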