As more companies with national security interests come forward with admissions of breaches related to the hacking of RSA’s SecurID technology, one wonders if it is time for RSA to break its stubborn refusal to tell the public what exactly was stolen or when the breach actually occurred. At this stage, it is not enough simply to tell the public that it had been hit by a phishing email exploiting a zero-day vulnerability in Adobe Reader.
Most of us will recall that on March 17 2011, RSA Security admitted that cyber-attackers had breached its network and obtained “information relating to the SecurID technology.” SecurID protects logins by requiring users to enter a secret code number displayed on a keyfob, or generated in software, in addition to their password (a process commonly known as two-factor authentication in access control systems).
Since that RSA announcement, several Department of Defense contractors or their subsidiaries have disclosed that their networks were targets of cyber-attacks apparently using information stolen from RSA.
Big players in the military industrial complex like Northrop Grumman Corp, Lockheed Martin and L-3 Communications hold much of the military technology secrets of the United States. They provide command-and-control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.
Since the RSA breach, they have all reported intrusion attacks that involved the use of information stolen from remote-access security tokens which according to RSA executive chairman Art Coviello, “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
That broader attack seems to be under way, judging by the series of seemingly random but targeted attacks against contractors with ties to the nation’s defense systems:
- On May 21, it was reported that Lockheed Martin shut down remote access to its internal network after a “significant and tenacious attack on its information network”.
- On May 26, Northrop Grumman shut down remote access to its network without warning, forcing the company to go through a domain name and password reset across the entire organization.
- On May 27, an attack on L-3 Communications Holdings using spoofed pass codes from a cloned RSA SecurID token was reported by Reuters.
There is speculation that the RSA breach may have occurred through a remote device or VPN client, or with the help of an insider, since an attacker would need at least one employee’s user name and pass code, as well as some idea of which services that employee had access to, in order to break into a SecurID-protected network.
Anup Ghosh, a former scientist with the Defense Advanced Research Projects Agency (DARPA), argues that the RSA attack was very sophisticated and was probably executed by people who had plans for what to do with the keys.
Wired goes further to opine that “the attacks suggest the RSA intruders obtained crucial information — possibly the encryption seeds for SecurID tokens — that they’re using in targeted intelligence-gathering missions against sensitive U.S. targets”.
Even RSA characterized the breach as an “advanced persistent threat,” or APT – an unusually sophisticated attack in which intruders use social engineering coupled with undisclosed or so-called zero-day vulnerabilities to infiltrate a target network at a weak point, and then spread out carefully to steal source code and other intellectual property.
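To make concrete what the “encryption seeds” speculation above means for the two-factor scheme described earlier, here is an added example (not RSA code, and not the proprietary SecurID algorithm) that models a token as an RFC 4226/6238 HMAC one-time-password generator with a 60-second step: anyone holding a copy of a user’s seed record can reproduce that user’s codes, so the remaining protection is the PIN the server still demands. The seed, PIN, timestamp and user name are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # constructed stand-in for the token's 60-second code rotation


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the one-time code is a pure function of seed and counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def token_code(seed: bytes, now: int) -> str:
    """What the keyfob (or a clone holding the same seed) displays at time `now`."""
    return hotp(seed, now // STEP_SECONDS)


class AuthServer:
    """Holds each user's seed record plus a hash of the PIN, the second factor."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._users[user] = (seed, hashlib.sha256(pin.encode()).digest())

    def login(self, user: str, pin: str, code: str, now: int, window: int = 1) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        seed, pin_hash = rec
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash)
        counter = now // STEP_SECONDS  # accept neighbouring steps to absorb clock drift
        code_ok = any(hmac.compare_digest(hotp(seed, counter + d), code)
                      for d in range(-window, window + 1))
        return pin_ok and code_ok  # both factors must hold


def demo() -> dict:
    seed = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed seed
    now = 1_306_800_000  # constructed timestamp
    server = AuthServer()
    server.enroll("alice", seed, "4821")
    stolen_seed = bytes(seed)  # a copied seed record yields an indistinguishable clone
    return {
        "legit": server.login("alice", "4821", token_code(seed, now), now),
        "clone_with_pin": server.login("alice", "4821", token_code(stolen_seed, now), now),
        "clone_without_pin": server.login("alice", "0000", token_code(stolen_seed, now), now),
        "wrong_seed": server.login("alice", "4821", token_code(b"other-seed", now), now),
    }
```

The `clone_with_pin` result shows why a seed compromise reduces the scheme to the strength of the PIN, and why seed records deserve the same protection as the authentication server itself.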
Now that those plans seem to be in full motion, the big question is: is it time for RSA to break its silence on the matter and tell the American public what actually happened? It may not be pretty, but at least we will know what is coming. After all, most IT security folks have a thing or two against security by obscurity.