Defense contractor Lockheed Martin has confirmed that a recent attack on its network was aided by the theft of confidential data relating to RSA SecurID tokens employees use to access sensitive corporate and government computer systems. According to an email the company sent to reporters, theft of the data for the RSA tokens …
Raped and Buggered
I think it's pretty clear by now that they got the complete seed keys.
I've heard a rumor that the next generation of RSA SecurID tokens will incorporate a bottle opener at one end so that they will be reusable when this happens again.
RSA and IronKey?
Does this mean that my IronKey secure USB device could also be affected? https://www.ironkey.com/rsa
I dunno but I can check for you if you give me your name, password and the network the key gave access to...
It's not really the RSA tokens which are affected per se; rather the codes they produce are now weakened in light of the RSA breach. The RSA app in the control panel of your IronKey device is just a software version of a physical token and so is affected in this manner.
Your IronKey device itself remains secure since its own security is nothing to do with RSA.
Thanks, that is very kind of you. You are a real gent to go out of your way to check this for me.
My username is; bill.gates, network; microsoft .com and password; hugeballbag
If you could let me know asap if I have any security issues with my IronKey, it would be very much appreciated.
maybe it was planned
Maybe they have an insider and needed some way to stimulate a wide-scale replacement of tokens with the new secret back-door flawed tokens that might be made as a result of the insiders work?
What I don't understand is how the compromise of RSA tokens resulted in network breaches. The purpose of two factors is to prevent problems if somehow one factor is compromised. It shouldn't be feasible for both to be had.
And two becomes one, one becomes none
Consider the possibility that with RSA compromised, one-factor authentication became zero-factor authentication.
Step One: identify target(s), compromise passwords
Step Two: compromise RSA
Then the one week of delay between breech of RSA and public notification opens a huge window of opportunity.
"Stolen RSA data used to hack war profiteer"
There, fixed it for ya'.
SecurID is now snake-oil.
If they can't tell us *everything* about it, then it cannot be trusted at all. QED.
Why does anyone trust rsa any more.
The whole remote working solution at the bank is worked for revolved around SecureID.
If I was the CIO I'd be replacing them with another vendor solution ASAP.
How RSA have any credibility left it's beyond me.
Jesus Frickin' Christ.....
(Sorry for breaking that commandment, big guy!!)
I'm beginning to think that the end of civilization will not come through global warming, asteroid impacts, the mutation of some virulent bacteria or whatnot--but through the complete collapse of any and all IT security that results in our world becoming a cyber version of "Lord of the Flies".
So RSA gets broken into (one of the top security vendors gets hacked--first sign of the apocalypse) one of their top products gets compromised as a result (second sign) and now their Fortune 100 worlds-top-defense-contractor client gets hacked using the now-compromised product. So I guess we are one or two proportionate steps away from someone hacking the Federal Reserve open market system or getting access to launch codes for the U.S. and U.K.s nuclear deterrent??
We are at the end of days, or maybe I am just at the end of my faith in our collective ability to secure IT.
"So I guess we are one or two proportionate steps away from someone hacking the Federal Reserve open market system or getting access to launch codes for the U.S. and U.K.s nuclear deterrent?"
Depends. Do you think they use Windows+Adobe software for said systems? Do you think they are doing anything serious about the no-longer-SecureID tokens?
You meant "Lord of the Files", didnt' you?
I think we might be better off having a few drinks and listening to "Don't Worry, Be Happy" rather than explore what is really protecting the keys to the kingdom of critical infrastructure these days.....
This is were big product branding labels on kit comes in handy
This is were big product branding labels on kit comes in handy as you can now easily identify what is secure and not.
Either way leason here is this: Don't depend upon one door/solution when you can pick two alternatives. Compliment with some other level of login ontop of the RSA ID, restrict IP's albiet not greatest can at least add another level though best to be used to detect anomolies. Bottom rule is whatever is secure today is not secure tomorrow. Just having two layers of firewall from different manufactures or in this case authentification system would mean that once one is in it's shortterm 0day out in the wild period the other probably isn't. What the issue becomes is to set these up you require technical skils beyond being able to use one package after being on there coarse, got the teeshirt and the rest of the marketing initiatives to get you sold onto there brand of cola so to speak. Most things tend not to want to play well in partnership and whilst that can be accomodated SSH2 based VPN to get onto the network to use yoru RSA ID would be easy to setup, but from a users persepctive they need a simple click/run/enter my football team name password and thats it, anything else and alot have problems. It's this stage you have to ask yourself what level of idiots do you wish to secure yourself against.
Still with the push towards cload based services and the garner of large user bases then any breach at the technical secrity level or exposed flaw would be a rather bad weak link to have as seen by Sony. Then you need not only machines but humans monitoring things. Why else do we have security guards looking at video camera's, whilst the technology to identify people and indeed I'd say agression/most crimes the cost and indeed reliability isn't that 100%. If machines were perfect then nobody would wait at a traffic light, see the problem there. Only real secure system is one physicaly secured and network isolated, least you can see the issues as they can only be physical.
Allowing people to work remotely using RSA tags on uber secret milatary projects when said attached device can be in a non secure location in itself raises some questions. But it was probably the use of different IP's that were monitored, flagged and allowed this to be caught early. So we are told.
As mentioned, relying on one product/system is a bad idea, in particular when it is one that is very popular and lots of black-hat skills are available to break it.
But the bigger issue is the one you raised here - RSA kept the keys to *everyone's* kingdom, so when they got hacked is resulted in all players losing most (if not all) of the SecureID's supposed advantages.
RSA wanted to make more money you see, so rather than make a product that YOU, the customer, would set up and operate, they wanted to keep themselves in the loop. For a fee, of course...
Had they done so, then Joe Bloggs Ltd would have thier own seed database and on being hacked it just screws the one organisation. Everyone else are OK (until they get directly hacked of course).
But no, a proprietary key design with them holding YOUR data. You could argue that a top security company would be much better at doing that than Joe Bloggs Ltd, of course, but the evidence says otherwise.
Why are they still not coming clean on exactly how it happened and what was taken?
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Review Tough Banana Pi: a Raspberry Pi for colour-blind diehards
- Product round-up Ten Mac freeware apps for your new Apple baby
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'