How much can RSA's SecurID tokens be to blame for the Lockheed Martin hack?
Both Lockheed Martin and RSA have been blamed for the hack on the defence contractor's network last week.
Writing on the Digital Dao blog, Jeffrey Carr, founder and CEO of Taia Global, claimed that the extent of the RSA SecurID breach was worse than EMC reported.
Analysing the language used by Lockheed Martin in its statement, Carr pointed to the use of the word ‘tenacious’, noting that it means ‘not easily dispelled’ and ‘persisting in existence’.
He said: “An attack cannot be ‘swiftly’ dealt with and ‘persistent’ at the same time. Further, ‘almost immediately’ doesn't reconcile with the timeline provided by the above publicly available data, which implies that the attackers had up to 24 hrs of access to Lockheed's network before VPN access was shut off.
“Finally, while Lockheed claimed that no customer, program or employee data had been compromised, it was significant enough for President Obama to receive a personal briefing on it, and for Department of Homeland Security and Department of Defence (and presumably NSA) to offer their assistance on Lockheed's investigation.”
Carr also said that Lockheed Martin had slightly over two months from the time that EMC notified it and other RSA SecurID customers about the breach. In that period, at least one prime defence contractor (not Lockheed Martin) decided to stop using RSA SecurIDs for its senior staff and found a completely different vendor to supply its security tokens.
“Based upon their remediation actions for this breach, Lockheed Martin's senior executives chose to do very little about the compromised SecurID token technology in spite of many warnings issued by security specialists about the potential after effects of the RSA attack,” said Carr.
“Of particular note is the warning issued by ICANN's Whitfield Diffie, a cryptographic expert who told John Markoff of the New York Times that ‘a worst case scenario would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems’.”
Steve Watts, co-founder of SecurEnvoy, said that the blame for the breach should be laid on Lockheed Martin's own IT security review procedures.
He said: “The RSA Security breach occurred in mid-March, which has given its users more than two months to review their reliance on RSA Security's technology on their systems. So the question here is: what has Lockheed Martin's IT department been doing for the last ten weeks?
“That entire affair should have triggered alarm bells ringing in any corporate IT security office, especially given RSA's deafening silence at the time. For Lockheed Martin's IT security managers to blame an apparent successful incursion into their systems on a ten-week-old, widely reported breach of one of their key IT suppliers is diverting publicity from its own security process failings.”