RSA Offers SecurID Token Replacement For Customers In Wake Of Lockheed Hack

  /     /     /  
Publicated : 22/11/2024   Category : security


RSA Offers SecurID Token Replacement For Customers In Wake Of Lockheed Hack


Lockheed Martin, RSA link Defense contractors breach to hack of RSAs SecurID



Lockheed Martin and RSA today each separately confirmed that the breach that compromised RSAs SecurID authentication technology helped lead to the recent targeted attack aimed at the defense contractor. And RSA late today said it will offer to replace its customers SecurID tokens.
RSA executive chairman Art Coviello said in an open letter on EMC RSAs website that the company would offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks and provide risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
In
an interview with
The Wall Street Journal
Coviello elaborated on the token recall, saying that RSA will offer token replacements for virtually every customer we have and offer transaction monitoring and intrusion detection for its customers—namely financial institutions, according to the article.
Coviello says
in his post
that the attackers who hit RSA back in March were after security information in order to target Defense intelligence and intellectual property, not for monetary purposes or for pilfering personal information. For this reason, we worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure. We will continue these efforts, he says.
On June 2, RSA confirmed that data stolen from the company back in March was used as an element of an attempted broader attack on Lockheed Martin, he says -- an attack that Lockheed Martin says it stopped in its tracks.
It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker, he says.
Lockheed Martin first confirmed the RSA connection earlier today. Our investigation into the attack on our system concluded that the RSA breach was a direct contributing factor, a Lockheed spokesperson said in a statement today. Based on our early actions to replace all RSA SecurID tokens and add new layers of security to our remote access processes, we remain confident in the integrity of our robust, multi-layered information systems security.
RSAs and Lockheeds revelations came on the heels of much speculation over whether
an apparent wave of targeted attacks leveled against U.S. defense contractors this past few weeks
was in any way tied to the breach of RSAs SecurID token database earlier this year. The company is in the process of giving 45,000 of its employees brand-new SecurID tokens to replace the potentially compromised ones.
L-3 Communications
reportedly
was also among the victimized contractors whose networks were compromised using stolen SecurID token information, as well as Northrop Grumman, according to
post
today on
Fox News
. An unnamed source said to be from inside Northrop Grumman said the company reset passwords and suddenly shut down remote access to its corporate network on May 26. That was about five days after Lockheed detected its breach.
We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions. As a leader in cybersecurity, Northrop Grumman continuously monitors and proactively strengthens the security of our networks, and is vigilant to protect our employee, customer and program data and systems, a Northrop Grumman spokesperson said in response to inquiries about the reported breach.
Lockheed Martin late last month revealed that it had detected a significant and tenacious attack on its network, but that no customer, employee, or program data was compromised.
But even with Lockheeds latest comment, the devils still in the details, security experts say. Marcus Carey, community manager at Rapid7, says the big question is just how the attackers were able to acquire the passwords, user names, PINS, and even certificate files. They are saying the RSA breach was just one factor. What were the other factors? Carey says. We dont know what other techniques were used to get inside Lockheed, he says.
To get VPN access, you need a PIN, a certificate with your VPN client, and the IP address that the VPN concentrator is connected to, Carey says. The main thing I want to emphasize is that this was a multi-factor attack … people are emphasizing the RSA token piece, but whats a lot more interesting to me is … the other techniques that were used, he says.
Carey says even if Lockheeds statement means that stolen SecurID tokens were used to hack it, that doesnt necessarily mean all RSA SecurID customers will also automatically be hacked that way as well. And being able to synchronize RSA tokens is nothing new—its been available for a long time, he says, with tools such as Cain and Abel.
Richard Stiennon, chief research analyst at IT-Harvest, earlier today predicted that RSA would perform a massive recall of SecurID tokens to protect its customers and restore confidence in the multi-factor authentication technology. That would be the biggest [recall] in the security industry ever, he says.
Stiennon says RSA also must offer a new model where Defense contractors can generate their own seeds. In the meantime, one-time password tokens have lost a lot of luster and companies are going to start the search for better solutions that are out-of-band, for instance, he says.
Next page: RSAs miscalculation?
RSA still has not provided details on exactly what the attackers who targeted RSA made off with. Stiennon says RSA didnt give its customers enough information about what was stolen from its servers, thus leaving them insufficiently informed to protect themselves. RSA was banking on that not being a targeted attack, he says.
Meanwhile, Lockheed will complete the replacement of 45,000 SecurID tokens by next week. The new tokens are in the mail today, the Lockheed spokesperson says. These are [for] employees with a business need to regularly connect to Lockheed Martin through a remote access server. Additional employees may be provided access based on the business need.
The company also reset all user passwords and added an additional layer of security to its remote log-in process. Access to the VPN network was restored to employees as the security upgrades were complete – which began almost immediately and will conclude this week, the spokesperson said.
Lockheed Martin has made significant investments in countering the advanced persistent threat. We have placed special emphasis on intelligence analysis, characterization and prediction in order to ensure agile response to attack and enhanced resilience of our systems, the spokesperson said. Our actions allowed the Lockheed Martin Security Intelligence Center to detect and stop the recent intrusion attempt. As a result, we prevented any compromise of customer, program or employee personal data.
Lockheed also shared information about the attack with its fellow firms in the industry as well as with the Defense Department.
Meanwhile, RSAs Coviello says the company will add extra factors for strong authentication to SecurID. We will continue to invest heavily in both our SecurID and our risk-based authentication technologies. We will provide additional factors for strong authentication. We will integrate these solutions with our cybercrime intelligence to better identify suspicious behavior targeted at networks, transactions and user sessions. We will ensure that these technologies provide trusted access to virtual and cloud computing resources, leveraging our Cloud Trust Authority. And we will help customers more effectively create the kinds of layered defense capabilities essential to combat todays advanced threats by drawing on our broad portfolio of data loss prevention, security event management, deep packet inspection technologies, and our extensive services expertise, he says.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
RSA Offers SecurID Token Replacement For Customers In Wake Of Lockheed Hack