
How much can RSA's SecurID tokens be to blame for the Lockheed Martin hack?


Both Lockheed Martin and RSA have been blamed for the hack on the defence contractor's network last week.

Writing on the Digital Dao blog, Jeffrey Carr, founder and CEO of Taia Global, claimed that the extent of the RSA SecurID breach was worse than EMC (RSA's parent company) reported.

Analysing the language used by Lockheed Martin in its statement, Carr pointed at the use of the word ‘tenacious', saying that this means ‘not easily dispelled' and ‘persisting in existence'.

He said: “An attack cannot be ‘swiftly' dealt with and ‘persistent' at the same time. Further, ‘almost immediately' doesn't reconcile with the timeline provided by the above publicly available data, which implies that the attackers had up to 24 hours of access to Lockheed's network before VPN access was shut off.

“Finally, while Lockheed claimed that no customer, program or employee data had been compromised, it was significant enough for President Obama to receive a personal briefing on it, and for Department of Homeland Security and Department of Defence (and presumably NSA) to offer their assistance on Lockheed's investigation.”

Carr also said that Lockheed Martin had slightly over two months from the time EMC notified it and other RSA SecurID customers of the breach, and that in that period at least one prime defence contractor (not Lockheed Martin) decided to stop using RSA SecurID tokens for its senior staff and moved to a completely different vendor for its security tokens.

“Based upon their remediation actions for this breach, Lockheed Martin's senior executives chose to do very little about the compromised SecurID token technology in spite of many warnings issued by security specialists about the potential after effects of the RSA attack,” said Carr.

“Of particular note is the warning issued by ICANN's Whitfield Diffie, a cryptographic expert who told John Markoff of the New York Times that ‘a worst case scenario would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems'.”
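As an added illustration of the ‘duplicate cards' scenario Diffie describes (example code written for this page, not RSA's, Lockheed Martin's or Carr's; SecurID's real tokencode algorithm is proprietary, so an RFC 6238-style HMAC-SHA1 time-based code stands in for it, and the serial number, seed values and 60-second step are assumptions): the authentication server and the legitimate token share a per-serial seed, an attacker holding a leaked copy of that seed computes exactly the code the server accepts, and only re-seeding the token makes the leaked copy stop validating.

```python
import hashlib
import hmac
import struct

# Constructed seed records standing in for the per-token secrets a vendor
# holds and ships to customers. Serial and seed are hypothetical.
TOKEN_SEEDS = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
}


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time counter, dynamically truncated.
    Assumed 60-second step; this is not SecurID's proprietary algorithm."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Authenticator:
    """Server side: knows each serial's seed and checks a submitted code
    within a small clock-skew window (one step either side)."""

    def __init__(self, seeds, step: int = 60):
        self.seeds = dict(seeds)
        self.step = step

    def reseed(self, serial: str, new_seed: bytes) -> None:
        # Remediation: replace the compromised seed for this serial.
        self.seeds[serial] = new_seed

    def verify(self, serial: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        for k in range(-skew_steps, skew_steps + 1):
            expected = totp(seed, unix_time + k * self.step, self.step)
            if hmac.compare_digest(expected, code):
                return True
        return False


def clone_scenario(now: int):
    """Returns (attacker accepted before reseed, attacker accepted after reseed,
    legitimate user accepted after reseed)."""
    server = Authenticator(TOKEN_SEEDS)
    serial = "000123456789"
    # The attacker's copy of the seed, as obtained from a breach of the vendor's
    # seed records: it is byte-for-byte the same secret the real token holds.
    leaked_seed = TOKEN_SEEDS[serial]

    # Before re-seeding: the "duplicate card" produces a code the server accepts.
    before = server.verify(serial, totp(leaked_seed, now), now)

    # After re-seeding: the user gets a new seed (hypothetical value); the
    # leaked copy no longer validates, the fresh token does.
    new_seed = hashlib.sha256(b"hypothetical replacement seed").digest()[:20]
    server.reseed(serial, new_seed)
    after_leaked = server.verify(serial, totp(leaked_seed, now), now)
    after_legit = server.verify(serial, totp(new_seed, now), now)
    return before, after_leaked, after_legit


if __name__ == "__main__":
    print(clone_scenario(1306450000))
```

The point the example makes is the one behind Carr's criticism: once the seed records are out, nothing on the server can distinguish the legitimate token from the attacker's copy, so the only effective responses are re-seeding every affected token or replacing the tokens altogether, both of which require the customer to act.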

Steve Watts, co-founder of SecurEnvoy, said that the blame for the breach should be laid at the door of Lockheed Martin's own IT security review procedures.

He said: “The RSA Security breach occurred in mid-March, which has given its users more than two months to review their reliance on RSA Security's technology on their systems. So the question here is: what has Lockheed Martin's IT department been doing for the last ten weeks?

“That entire affair should have triggered alarm bells ringing in any corporate IT security office, especially given RSA's deafening silence at the time. For Lockheed Martin's IT security managers to blame an apparent successful incursion into their systems on a ten-week old widely-reported breach of one of their key IT suppliers is diverting publicity from its own security process failings.”
