With the recent news Lockheed Martin Hacked – Rumoured To Be Linked to RSA SecurID Breach and another US Military sub-contractor compromised through SecurID tokens – RSA have FINALLY come clean about it.

They basically have to replace all 40 million SecurID tokens out there, imagine how much of a headache that is going to be – and how much is it going to cost? This is going to end up as one hell of a costly hack for RSA.

RSA Security is to replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.

The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorthm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.

What bothers me, from a cryptography stand-point at least, is that RSA should not know or even be able regenerate the seed and associated token value for their clients.

And along side that, surely SecurID is used as a part of a two or three factor authentication system, so what happened to the other factors in these hacks? Why were they so easily compromised once the hackers could generate the token values?

It just amazes me how these security related companies (with military information) can be so lax on security. Even if the token failed – no one should have been able to get in!

This admission puts paid to RSA’s initial claims that the hack would not allow any “direct attack” on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.

As a result, SecurID offered no defense against the hackers that broke into RSA in March. For those hackers, SecurID was rendered equivalent to basic password authentication, with all the vulnerability to keyloggers and password reuse that entails.

RSA Security Chairman Art Coviello said that the reason RSA had not disclosed the full extent of the vulnerability because doing so would have revealed to the hackers how to perform further attacks. RSA’s customers might question this reasoning; the Lockheed Martin incident suggests that the RSA hackers knew what to do anyway—failing to properly disclose the true nature of the attack served only to mislead RSA’s customers about the risks they faced.

I’m fairly sure we’re going to hear more about this, and I wouldn’t be surprised if we start seeing some lawsuits from disgruntled clients of RSA popping up. It seems like RSA went the security through obscurity route – rather than responsible disclosure and letting everyone what was going on.

They thought they could protect against hackers…by not saying anything?

Seriously RSA, is that the best you’ve got? The recent compromises of US military contractors proves that that tactic didn’t work at all (unsurprisingly).

Source: ars technica

The latest news linked to the above breach is that Lockheed Martin has been compromised and it could possibly be linked to the SecurID tokens. Now this is a BIG deal as they are a US Military contractor and probably have some pretty juicy secrets in their network.

Lockheed Martin Saturday night acknowledged that it its information systems network had been the target of a “significant and tenacious attack,” but said that its security team detected the intrusion “almost immediately and took aggressive actions to protect all systems and data.”

No data from customers, programs or employees was compromised, the top U.S. defense contractor said in a brief statement.

The company said that it has kept U.S. government agencies informed of its investigation as it “continues to work around the clock to restore employee access to the network.”

The attack was first reported last Thursday by Reuters, which cited a defense official and two unnamed sources familiar with the situation. The news agency reported that the cyberattack was affecting many employees at Lockheed Martin, which is based in Bethesda, Maryland, and makes fighter planes and other weapons systems.

Bruce Schneier mentioned it here – Lockheed Martin Hack Linked to RSA’s SecurID Breach

And a lot of people have been sayings it’s just speculation, yah the hack is real – but does it have anything to do with SecurID really? We have no idea.

There’s some interesting thoughts on it here – Weekly Intelligence Summary:2011-05-27

On Saturday, an official with the U.S. Department of Homeland Security confirmed the attack to the news agency. However, Lockheed Martin continued to decline comment.

The intrusion reported involves the use of RSA SecurID tokens, used by Lockheed Martin employees to access the company network remotely. Security analysts have urged that companies using the tokens review authentication procedures.

Lockheed Martin did not divulge how its systems were attacked. The company faces “constant threats from adversaries around the world” and regularly acts to heighten security of its systems, it said in the statement.

Homeland Security have confirmed the compromise but as of now, Lockheed Martin has no made statement regarding what has happened or what data has been accessed.

There some thoughts from SANS ISC Diary here on how to stay secure even if you do use SecurID – Lockheed Martin and RSA Tokens.

It’ll be interesting to see what other news comes out about this and if any actual details are revealed. We shall be keeping an eye on it.

Source: Network World

To summarise, they basically said “Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. [...] Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.“.

And well that’s about it, they’ve been totally tight lipped since then. There is a link to some ‘updated info for SecurID customers’ – but it’s behind a customer login.

It’s been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product.

For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.

Officials from RSA and EMC have steadfastly refused to give yes or no answers to two questions that have profound consequences for the 40 million or so accounts that are protected by SecurID: Were the individual seed values used to generate a new pseudo-random number exposed and, similarly, was the mechanism that maps a token’s serial number to its seed leaked?

Without the answers to those two basic questions, RSA customers can’t make educated decisions about whether to continue relying on SecurID to prevent unauthorized logins to their sensitive networks. After all, if the breach on RSA’s servers exposed the seeds and the mapping mechanism, SecurID customers have lost one of the factors offered by the two-factor authentication product.

An RSA spokesman released an updated statement earlier this week that said in part: “Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA’s systems. Even with this information being extracted, RSA SecurID technology continues to be an effective authentication solution for customers.” (Notice the statement didn’t say “an effective two-factor authentication solution.”)

And well seen as though RSA isn’t exactly forthcoming with a detailed statement or at least exactly what has been compromised – people are going to start assuming. The first logical assumption is that SecurID is broken or has been compromised in some way.

This may not be the case, and if so – RSA really needs to clarify that. This is really not the way in which an industry leader should be acting. There are approximately 40 million accounts protected by SecurID and for the past 7 days RSA has refused to answer the two most important questions.

• Can you specifcy what data was lifted?
• And did it include details that could break SecurID?

As to breaking SecurID, well did the attackers steal enough data to allow someone to predict the one-time passwords that SecurID tokens generate?

The latest example of these so-called advanced persistent threats came Wednesday when digital certificate authority Comodo disclosed its private encryption keys were used to generate counterfeit credentials for Google Mail and six other sensitive addresses. The CEO has claimed that the attack, which was perpetrated on an unnamed SSL certificate reseller of Comodo, had the hallmarks of state-sponsored hackers, most likely from Iran, although he provided no convincing proof.

“The security companies who are providing authentication are being directly attacked by the government,” CEO Melih Abdulhayoglu said.

This is precisely the assumption being taken by a security administrator who was in the process of helping a financial institution set up a SecurID system when RSA made last week’s announcement. He told The Reg on Thursday that he’s spent the past week trying to pry meaningful details out of RSA, so far without success.

“If they don’t give me an answer by the end of tomorrow about whether the seeds were taken, I’m returning the product,” said the admin, who asked not to be named because he wasn’t authorized to speak publicly. “Their integrity is just shot. Yes, they got hacked but their response is what’s so troubling. The silence is deafening.”

SecurID’s two-factor authentication may not be broken, but until RSA comes clean and provides some yes or no answers to two simple questions, it’s better to assume it is. The network security you preserve may be your own.

As per usual, don’t trust 3rd party solutions, don’t trust proprietary solutions – if you want to maintain total security – you better manage everything yourself. I think this could really hurt sales for RSA and it’s just about destroying their integrity.

Fine if you don’t want to give explicit details, at least clarify in black and white that SecurID is still totally safe to use.

We’ll be waiting for more news from RSA, hopefully their clarifications will come soon and explain everything properly. Until then, be careful.

Source: The Register

Well this is a first for me and this blog, Darknet has been nominated for a blogging award and selected as a finalist! There’s some heavy-weights in our category too like SANS ISC and Evil Bytes from Dark Reading.

If you don’t know about SBN (Security Bloggers Network) it’s a VERY good collection of RSS feeds in the security arena, blogs rather than news sites hence the name.

It started out way back as a Feedburner group consolidating all the security related blog feeds on the Feedburner network into one feed. You can find the current RSS feed here:

Security Bloggers Network

With our contributions here:

Darknet – Security Bloggers Network

If you’re interested do check out the members (you’ve probably already subscribed to quite a few) and some of the stronger ones are amongst the nominations below.

Obviously being in the same category as SANS ISC I won’t be wasting any time writing an acceptance speech. It is an honor to be in the same list as blogs like Bruce Schneier’s and Tao Security even if it’s in a different category.

You can find a complete listing of the finalists here:

Best Technical Security Blog

SANS Internet Storm Center
Evil Bytes by John Sawyer
Praetorian Prefect
Darknet.org
Frequency X ISS blog

Best Non-Technical Security Blog

Security Uncorked
Schneier on Security
Krebs on Security
ThreatPost
TaoSecurity

Best Security Podcast

PaulDotCom
SANS ISC Stormcast
An Information Security Place
CSO Security Insights
Security Catalyst

Best Corporate Security Blog

Jeremiah Grossman (White Hat Security)
Sophos Graham Cluley Blog
Microsoft Security Response Center
Fortiguard Blog
Cisco Security Blog

Most Entertaining Security Blog

Rational Survivability by Chris Hoff
Security Incite by Mike Rothman
Uncommon Sense Security by Jack Daniel
SecBarbie by Erin Jacobs
Emergent Chaos by Adam Shostack and ensemble

Good luck to everyone and may the best blog win.

If you’re also a member of the SBN you can place your vote here:

2010 Social Security Bloggers Awards Voting

You can find the original post on the RSA Conference blog by Alan Shimel here:

Let the voting begin . . .

Switchback? For the worst? Aww Microsoft would never compromise our security for the sake of convenience or their profit line right?

Microsoft has shelved plans to include native support for RSA’s SecurID tokens in Windows Vista, even though the company has been trialling the technology for almost two years.

In February 2004, Microsoft chairman Bill Gates announced that Windows would be able to support easy integration with RSA Security’s ubiquitous SecurID tokens, which meant that enterprises would find it far easier to deploy a two-factor authentication system for logging on to networks and applications.

However, almost two years after the SecurID beta programme kicked off, the chief executive of RSA Security Art Coviello has revealed that Windows Vista will not natively support the technology.

Yeah, you read it right, Vista will not support SecurID. Shame really it opened up a whole load of new capabilities.

Microsoft had said they would include the ability to support all kinds of One Time Password (OTP) and challenge response type authentication in Vista but they were unable to get it in with all the other issues they have had — so it is going to take longer

Seems like they may retrofit it some time in the future.

Source: Zdnet

SAN JOSE, California — Identity theft and online bank fraud were the unofficial themes of the 2006 RSA Conference, a massive security confab where Bill Gates came to announce the imminent death of the password and vendors filled the exhibition halls with iPod giveaways and promises that their product could stop everything from spam and malware to hackers and typos.

Thanks to a California law known as SB 1386 that requires companies to disclose sensitive data leaks to California consumers, companies like ChoicePoint and shoe retailer DSW became poster children for corporate negligence last year after mishandling sensitive data.

As mentioned previously, Phishing is getting to be a big issue now, and password only measures are failing.

Perhaps the biggest change this year will be in online banking, as financial institutions move to comply with federal oversight agencies that are directing banks (.pdf) to secure their sites with more than just user logins and passwords.

These extra fraud profiling and authentication measures are necessary, according to Callas, since the threats on the internet have changed.

“Now we are not dealing with kids having fun,” Callas said. “We are dealing with criminals — the Russian mafia. And online banking risks are there if your bank offers it, even if you don’t use it.”

E-trade, for instance, already offers free RSA security tokens to its most active users. Those battery-powered devices work by using a using a seed number and the current time to cryptographically generate a secure one-time code to complement the normal user login and password.

Source: Wired News