back to article Stolen RSA data used to hack defense contractor

Defense contractor Lockheed Martin has confirmed that a recent attack on its network was aided by the theft of confidential data relating to RSA SecurID tokens employees use to access sensitive corporate and government computer systems. According to an email the company sent to reporters, theft of the data for the RSA tokens …


This topic is closed for new posts.
  1. Version 1.0 Silver badge

    Raped and Buggered

    I think it's pretty clear by now that they got the complete seed keys.

    I've heard a rumor that the next generation of RSA SecurID tokens will incorporate a bottle opener at one end so that they will be reusable when this happens again.

  2. Anonymous Coward

    RSA and IronKey?

    Does this mean that my IronKey secure USB device could also be affected?

    1. ElReg!comments!Pierre

      Re: IronKey

      I dunno but I can check for you if you give me your name, password and the network the key gave access to...

    2. Anonymous Coward
      Anonymous Coward


      It's not really the RSA tokens which are affected per se; rather the codes they produce are now weakened in light of the RSA breach. The RSA app in the control panel of your IronKey device is just a software version of a physical token and so is affected in this manner.

      Your IronKey device itself remains secure since its own security is nothing to do with RSA.

  3. Anonymous Coward
    Anonymous Coward

    Re: IronKey

    Thanks, that is very kind of you. You are a real gent to go out of your way to check this for me.

    My username is; bill.gates, network; microsoft .com and password; hugeballbag

    If you could let me know asap if I have any security issues with my IronKey, it would be very much appreciated.


  4. Sam Liddicott

    maybe it was planned

    Maybe they have an insider and needed some way to stimulate a wide-scale replacement of tokens with the new secret back-door flawed tokens that might be made as a result of the insiders work?

  5. trarch

    TWO-Factor Authentication

    What I don't understand is how the compromise of RSA tokens resulted in network breaches. The purpose of two factors is to prevent problems if somehow one factor is compromised. It shouldn't be feasible for both to be had.

    1. Chris 244

      And two becomes one, one becomes none

      Consider the possibility that with RSA compromised, one-factor authentication became zero-factor authentication.

      Step One: identify target(s), compromise passwords

      Step Two: compromise RSA

      Then the one week of delay between breech of RSA and public notification opens a huge window of opportunity.

  6. Mike Flugennock

    Headline Error?

    "Stolen RSA data used to hack war profiteer"

    There, fixed it for ya'.

  7. Anonymous Coward

    SecurID is now snake-oil.

    If they can't tell us *everything* about it, then it cannot be trusted at all. QED.

  8. Gordon 10

    Why does anyone trust rsa any more.

    The whole remote working solution at the bank is worked for revolved around SecureID.

    If I was the CIO I'd be replacing them with another vendor solution ASAP.

    How RSA have any credibility left it's beyond me.

  9. Anonymous Coward

    Jesus Frickin' Christ.....

    (Sorry for breaking that commandment, big guy!!)

    I'm beginning to think that the end of civilization will not come through global warming, asteroid impacts, the mutation of some virulent bacteria or whatnot--but through the complete collapse of any and all IT security that results in our world becoming a cyber version of "Lord of the Flies".

    So RSA gets broken into (one of the top security vendors gets hacked--first sign of the apocalypse) one of their top products gets compromised as a result (second sign) and now their Fortune 100 worlds-top-defense-contractor client gets hacked using the now-compromised product. So I guess we are one or two proportionate steps away from someone hacking the Federal Reserve open market system or getting access to launch codes for the U.S. and U.K.s nuclear deterrent??

    We are at the end of days, or maybe I am just at the end of my faith in our collective ability to secure IT.

    1. Paul Crawford Silver badge

      @Marketing Hack

      "So I guess we are one or two proportionate steps away from someone hacking the Federal Reserve open market system or getting access to launch codes for the U.S. and U.K.s nuclear deterrent?"

      Depends. Do you think they use Windows+Adobe software for said systems? Do you think they are doing anything serious about the no-longer-SecureID tokens?

      Oh dear...

      1. Anonymous Coward

        @Paul Crawford

        I think we might be better off having a few drinks and listening to "Don't Worry, Be Happy" rather than explore what is really protecting the keys to the kingdom of critical infrastructure these days.....

    2. Roger 11


      You meant "Lord of the Files", didnt' you?

  10. Anonymous Coward
    Anonymous Coward

    This is were big product branding labels on kit comes in handy

    This is were big product branding labels on kit comes in handy as you can now easily identify what is secure and not.

    Either way leason here is this: Don't depend upon one door/solution when you can pick two alternatives. Compliment with some other level of login ontop of the RSA ID, restrict IP's albiet not greatest can at least add another level though best to be used to detect anomolies. Bottom rule is whatever is secure today is not secure tomorrow. Just having two layers of firewall from different manufactures or in this case authentification system would mean that once one is in it's shortterm 0day out in the wild period the other probably isn't. What the issue becomes is to set these up you require technical skils beyond being able to use one package after being on there coarse, got the teeshirt and the rest of the marketing initiatives to get you sold onto there brand of cola so to speak. Most things tend not to want to play well in partnership and whilst that can be accomodated SSH2 based VPN to get onto the network to use yoru RSA ID would be easy to setup, but from a users persepctive they need a simple click/run/enter my football team name password and thats it, anything else and alot have problems. It's this stage you have to ask yourself what level of idiots do you wish to secure yourself against.

    Still with the push towards cload based services and the garner of large user bases then any breach at the technical secrity level or exposed flaw would be a rather bad weak link to have as seen by Sony. Then you need not only machines but humans monitoring things. Why else do we have security guards looking at video camera's, whilst the technology to identify people and indeed I'd say agression/most crimes the cost and indeed reliability isn't that 100%. If machines were perfect then nobody would wait at a traffic light, see the problem there. Only real secure system is one physicaly secured and network isolated, least you can see the issues as they can only be physical.

    Allowing people to work remotely using RSA tags on uber secret milatary projects when said attached device can be in a non secure location in itself raises some questions. But it was probably the use of different IP's that were monitored, flagged and allowed this to be caught early. So we are told.

  11. This post has been deleted by its author

    1. Paul Crawford Silver badge


      As mentioned, relying on one product/system is a bad idea, in particular when it is one that is very popular and lots of black-hat skills are available to break it.

      But the bigger issue is the one you raised here - RSA kept the keys to *everyone's* kingdom, so when they got hacked is resulted in all players losing most (if not all) of the SecureID's supposed advantages.

      RSA wanted to make more money you see, so rather than make a product that YOU, the customer, would set up and operate, they wanted to keep themselves in the loop. For a fee, of course...

      Had they done so, then Joe Bloggs Ltd would have thier own seed database and on being hacked it just screws the one organisation. Everyone else are OK (until they get directly hacked of course).

      But no, a proprietary key design with them holding YOUR data. You could argue that a top security company would be much better at doing that than Joe Bloggs Ltd, of course, but the evidence says otherwise.

      Why are they still not coming clean on exactly how it happened and what was taken?

This topic is closed for new posts.

Other stories you might like