18 March 2011, NYT: SecurID Company Suffers a Breach of Data Security
http://www.nytimes.com/2011/06/04/technology/04security.html
June 3, 2011
Stolen Data Is Tracked to Hacking at Lockheed
By CHRISTOPHER DREW
Lockheed Martin said Friday that it had proof that hackers breached its network two weeks ago partly by using data stolen from a vendor that supplies coded security tokens to tens of millions of computer users.
Lockheed's finding confirmed the fears of security experts about the safety of the SecurID tokens and heightened concerns that other companies or government agencies could be vulnerable to hacking attacks.
The tokens, which are used to protect remote access to computer networks, are sold by the RSA Security Division of the EMC Corporation. RSA officials said Friday that they accepted Lockheed's findings and were working with customers to offset the risks through other measures.
RSA disclosed in March that hackers had stolen data that could compromise a company's SecurID system in a broader attack, and the breach of Lockheed, the nation's largest defense contractor, is the first time that is known to have occurred.
A rash of prominent breaches has brought new attention to an increase in the frequency and sophistication of computer hacking. Google said this week that it believed an effort to steal hundreds of Gmail passwords for accounts of prominent people, including senior American government officials, had originated in China.
The Pentagon, which has long been concerned about efforts by China and Russia to obtain military secrets, announced separately that it would soon view serious computer attacks from foreign nations as acts of war that could result in a military response.
RSA officials noted that Lockheed said it planned to continue using the SecurID tokens, and they said they believed other customers would as well. But security experts said RSA's reputation had most likely been seriously damaged, and many of its 25,000 customers, including Fortune 500 companies and government agencies around the world, could face difficult decisions about what to do next.
RSA's prospects for holding on to some of those customers "certainly seems bleak," said Harry Sverdlove, the chief technology officer at Bit9, a firm that provides other types of security products and does not compete with RSA.
He and other experts said RSA might need to reprogram many of its security tokens or create an upgraded version to rebuild confidence in its systems.
In response to questions on Friday, Lockheed said in an e-mail that its computer experts had concluded that the breach at RSA in March was "a direct contributing factor" in the attack on its network. Government and industry officials said the hackers had used some of the RSA data and other techniques to piece together the coded password of a Lockheed contractor who had access to Lockheed's system.
Lockheed, which makes fighter planes, spy satellites and other confidential equipment, said it had detected the attack quickly and blocked it before any important data was compromised.
Lockheed said it was replacing 45,000 SecurID tokens held by workers who need to log into its system from customer offices, hotels or their homes. It also required its employees to change their passwords, and it added a step to its sign-on process.
One top RSA official, who would speak only on the condition of anonymity on Friday because of customer relationships, acknowledged that some customers would lose confidence in the devices. "It's certainly going to have an initial impact," he said.
He said the company would discuss reprogramming tokens with companies. But, he said, in some cases that may require more work than other measures they could take to beef up different parts of their security systems.
RSA, based in Bedford, Mass., has declined to specify what data was stolen in March. It has also said that it detected the attack as the hackers were removing the data and that the attack was only partly successful.
But independent security experts have speculated that the hackers obtained at least part of the databases holding serial numbers and other critical data for the tens of millions of tokens, and Lockheed's confirmation that the stolen data played a role in its attack supported that theory.
The RSA tokens provide security beyond a user name or password by requiring users to enter a unique number generated by the token each time they connect to their networks.
But to make use of the data stolen from RSA, security experts said, the hackers would also have needed the passwords of one or more users on Lockheed's network. RSA has said that in its own breach, the hackers accomplished this by sending "phishing" e-mails to small groups of employees, including one worker who opened an attached spreadsheet that contained a previously unknown bug.
This let the hacker monitor the worker's passwords. Security specialists suspect that something similar happened in the Lockheed attack, with the hackers using the data stolen from RSA to predict the security codes that the token would generate.
Mr. Sverdlove said that in mounting attacks, many hackers now studied Facebook and other social media for information to personalize their phishing e-mails and increase the odds they will be opened. He said that over the last two years, there had been "an exponential increase" in these attacks.
Security experts said that the alternatives to the tokens, including computerized smart cards and biometric tools, tended to be more expensive. They said Northrop, another giant military contractor, was shifting from SecurID tokens to smart cards.