Lockheed Martin Discloses 'Significant And Tenacious' Cyber Attack5:43 PM EST Tue. May. 31, 2011
Lockheed Martin publicly acknowledged Saturday that it had been the victim of a "significant and tenacious" cyber attack on its computer systems, most likely related to a security flaw in RSA SecureID tokens, used for two-factor authentication purposes by some of its employees.
Thus far, the Pentagon defense contractor has given few details on the breach, but said no customer or employee personal data had been compromised.
Lockheed Martin said in a statement that the company's information security team had "detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised."
Lockheed Martin said that the company continued to apprise the appropriate U.S. government agencies on the developments of the breach, while working "around the clock to restore employee access to the network."
News of the Lockheed breach, first reported by security expert Robert Cringely, publicly emerged after the global weapons manufacturer experienced a system disruption related to an external network intrusion . The Bethesda, Md.,-based company then required a password reset for its more than 120,000 employees on the network, and embarked on the process of re-issuing tokens for employees using RSA's Secure ID two-factor authentication tokens.
Subsequently, some security experts said the Lockheed Martin breach may have stemmed from a recent exploit of a security vulnerability in RSA's SecureID tokens, a two-factor authentication solution for remote VPN access to corporate networks.
"It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company [Lockheed Martin] . With those two pieces of information they were then able to get access to the internal network," Cringely said in a blog post.
Johannes Ullrich, SANS Institute researcher, echoed that RSA SecureID tokens could effectively allow hackers to emulate the exploited tokens' number. While an exploit might be easy to address by re-issuing new tokens, the recent breach might lead the security industry in general to re-evaluate the effectiveness of two-factor authentication, he said.
"All RSA (or its customers) have to do is to obtain new tokens. The basic idea of two factor authentication still stands. But the way the tokens have been used in the past may need to be adjusted," Ullrich said."Different forms of two factor authentication may have to be evaluated. One problem with RSA tokens is that as the breach shows, the technology doesn't actually prove that you 'have' the token in your possession. It rather proves that you are in the possession of the respective algorithm and secrets, which may be considered something 'you know,' less something 'you have.'"
RSA didn't immediately respond to requests for comment for CRN.
Next: Partners Weigh In On Two Factor Authentication
Ullrich said that RSA's recent SecureID exploit wouldn't likely result in widespread attacks, but could possibly emerge in targeted attacks on organizations -- such as weapons manufacturers -- of geo-political interest.
"It is generally assumed that the attack against RSA was conducted by China, and the Chinese government is in the possession of the information. As a result, I would expect the information to be used against specified targets that are of importance to China," he said.
RSA, the Security Division of EMC, became the focal point of public scrutiny in March after its SecureID tokens were subjected to a sophisticated and targeted attack known as an Advanced Persistent Threat .
Art Coviello, RSA executive chairman, publicly disclosed that the company had detected the cyber attack in progress, appearing to be an attempt to extract intellectual property and other sensitive information from corporate networks. The cyber criminals could potentially use the stolen information to emulate a token and essentially get around the SecureID security measures.
Meanwhile, RSA channel partners contend that the breach doesn't imply any kind of failing with two–factor authentication as a security measure. 'No one could look at RSA's security precautions and say they were inadequate," said Ken Phelan, chief technology officer of Montvale, N.J.-based Gotham Technology Group. he said. "I don't think a lot of people are saying 'it's important not to go two-factor.'"
Instead, Phelan said that recent Lockheed breach indicated the need for high-profile targets, such as Lockheed Martin, to diversify their security infrastructure and step up their response to cyber attacks.
"It's a wake-up call to a lot of people because they thought they were safe because of this one particular thing, and there's no one thing that makes you safe," Phelan said. "If you're the kind of company that's going to be targeted, you need to raise your game."