This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

How much can RSA's SecurID tokens be to be blame for the Lockheed Martin hack?

Share this article:

Both Lockheed Martin and RSA have been blamed for the hack on the defence contractor's network last week.

Writing on the Digital Dao blog, founder and CEO of Taia Global Jeffrey Carr claimed that the extent of the RSA SecurID breach was worse than EMC reported.

Analysing the language used by Lockheed Martin in its statement, Carr pointed at the use of the word ‘tenacious' saying that this means ‘not easily dispelled' and ‘persisting in existence'.

He said: “An attack cannot be ‘swiftly' dealt with and ‘persistent' at the same time. Further ‘almost immediately' doesn't reconcile with the timeline provided by the above publicly available data, which implies that the attackers had up to 24 hrs of access to Lockheed's network before VPN access was shut off.

“Finally, while Lockheed claimed that no customer, program or employee data had been compromised, it was significant enough for President Obama to receive a personal briefing on it, and for Department of Homeland Security and Department of Defence (and presumably NSA) to offer their assistance on Lockheed's investigation.”

Carr also said that Lockheed Martin had slightly over two months from the time that EMC notified them and other RSA SecurID customers about their breach and at that time, at least one prime defence contractor (not Lockheed Martin) made the decision to stop using RSA SecurIDs for its senior staff and found a completely different vendor to supply their security tokens.

“Based upon their remediation actions for this breach, Lockheed Martin's senior executives chose to do very little about the compromised SecurID token technology in spite of many warnings issued by security specialists about the potential after effects of the RSA attack,” said Carr.

“Of particular note is the warning issued by ICANN's Whitfield Diffie, a crytographic expert who told John Markoff of the New York Times that ‘a worst case scenario would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems'.”

Steve Watts, co-founder of SecurEnvoy, said that the blame for the breach should be laid at Lockheed Martin's own IT security review procedures.

He said: “The RSA Security breach occurred in mid-March, which has given its users more than two months to review their reliance on RSA Security's technology on their systems. So the question here is: what has Lockheed Martin's IT department been doing for the last ten weeks?

“That entire affair should have triggered alarm bells ringing in any corporate IT security office, especially given RSA's deafening silence at the time. For Lockheed Martin's IT security managers to blame an apparent successful incursion into their systems on a ten-week old widely-reported breach of one of their key IT suppliers is diverting publicity from its own security process failings.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

SharePoint users break own security rules

SharePoint users break own security rules

Privilege controls can work, but cannot cater for all eventualities, says Quocirca analyst Rob Bamforth.

Heartbleed slows down the internet

Heartbleed slows down the internet

As Hearbleed slows down the internet, experts say that two-factor authentication may the way forward to protect our web sessions.

Biometric data collection sparks privacy debate

Biometric data collection sparks privacy debate

You could be implicated as a criminal suspect, just by virtue of having that image in the non-criminal file, says the Electronic Frontier Foundation (EFF).