And The Hits Keep Coming
In case you missed this over the long weekend, a few more notable names were compromised in recent weeks. A few weeks ago I wrote about how the Big Attacks are Back and it sure seems like the hits keep coming. First, last Friday, Lockheed Martin said that earlier in the week, they detected that someone was trying to break into their network through the VPN. Lockheed is a huge military contractor providing fighter jets, spy satellites and other military and intelligence equipment for the US and other government entities. They are also known for Skunk Works or their Advanced Development Program projects. These are highly classified assignments with the SR-71 Blackbird and F-117 Nighthawk (Stealth) as examples over the years. I live very close the Skunk Works facility and I can say that I’ve seen some interesting craft flying over at various times.
Anyway, there is some indication that this attempted breach is tied to the security tokens issued to the workers. Reports have indicated that it was RSA tokens and this incident might be directly tied to the RSA breach earlier this year. Lockheed quickly shut the remote access doors and issued new tokens and passwords to the entire workforce. They do say that their systems are secure and nothing notable, like customer/employee/program data, was taken. While defense contractors like Lockheed get probed daily, this is significant since the ‘sources’ are saying that there is a connection between the RSA breach and Lockheed’s. The intruder seemed to have knowledge of some critical information (possibly algorithm, seed, serial, cloned soft key, key gen time) for the current tokens and dropped a key logger on an internal computer. After RSA’s initial announcement, Lockheed did take additional protective measures, like an additional password for remote users but a key logger probably would have sniffed that. Lockheed was fortunate to have caught it quickly but this might be the beginning of the token breach fallout.
Lockheed is not the only defense contractor that has been specifically targeted using compromised tokens . L-3 Communications has also been fending off penetration attempts according to reports. In both cases, it appears that the intruders are using both phishing and cloned soft keys to try to attack SecurID systems. Installed malware or phishing campaigns are being used in an attempt to link end-users with tokens. Many companies are increasing PIN lengths and lowering the number of failed attempts before accounts are locked out. Even McAfee is talking about how employees are being approached by strangers in public places looking to gain information.
Another breach this past weekend involved PBS. This time, C is for Compromise…and not good enough for anyone. While, according to PBS, no internal networks were exposed, the malicious hackers were able to break into the website and posted a bogus story about Tupac being alive and well in New Zealand. They also posted credentials for PBS’s internal media and affiliate station portals. This was a response to a Frontline story about WikiLeaks called WikiSecrets. Apparently the group that claimed the attack was less than impressed by the program.
2011 started out *relatively* quiet but is now tuning into a banner year for breaches.
ps
Resources:
- Data Breach at Security Firm Linked to Attack on Lockheed
- Lockheed Martin Suffers Massive Cyber attack
- InsecureID: No more secrets? (Cringely broke the Lockheed story)
- Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks
- Unknown hackers have broken into the security networks of Lockheed Martin Corp and several other U.S. military contractors
- Hackers breached U.S. defense contractors
- Cyber attack shows constant threat to key intel
- FRONTLINE statement on PBS hacking
- PBS Website Hacked
- Social hackers target McAfee staff in church, at car parks
- The Big Attacks are Back…Not That They Ever Stopped
- 3 Billion Malware Attacks and Counting
- Technology Can Only Do So Much
- Unplug Everything!