Lockheed Martin's Network Breached

rwmidl · May 2011

Turgon wrote: »

I have met a lot of security types over the years and with a few exceptions have felt underwhelmed by what they have to offer. Im all for security and can definitely see a role for individuals to take a lead, but we need to spend less time getting through audits and adhering to accredited standards, cranking a handle to pass, and more time on doing security *properly*. That means commercial, management, process and technical skills so a business is not only adequately defended but also lean enough to respond and continue to operate in an efficient manner. The discipline requires intelligent people not salary chasers.

I've met a lot of people over the years who I've been less than impressed with, it's not limited to just security. As for "spending less times getting through audits, cranking a handle to pass" as you said, more than likely that is management doing the pushing, not IT/security (at least from my experience). IT/security tries to implement best policy, but management is the ones saying that passing the audit is most important.

As for "needing intelligent people, not just salary chasers", sounds like the 1990's all over. If we look at the dot.com boom of the 1990's a lot of people were getting in to IT for the "big paychecks". The bubble burst, and those who knew what they were doing stuck around. Those who were after the money in most cases moved on.

Turgon · May 2011

rwmidl wrote: »

I've met a lot of people over the years who I've been less than impressed with, it's not limited to just security. As for "spending less times getting through audits, cranking a handle to pass" as you said, more than likely that is management doing the pushing, not IT/security (at least from my experience). IT/security tries to implement best policy, but management is the ones saying that passing the audit is most important.

As for "needing intelligent people, not just salary chasers", sounds like the 1990's all over. If we look at the dot.com boom of the 1990's a lot of people were getting in to IT for the "big paychecks". The bubble burst, and those who knew what they were doing stuck around. Those who were after the money in most cases moved on.

Or moved into security..or what ever else was treated as a fad. In the private sector it's often the commercial strategy that drives security audit requirements these days, as opposed to management. Management push of course, but usually to appease whatever mantra is set from on high to obtain the latest security badge of honour. Getting the balance right is a challenge for all concerned as there is a business to run.

NightShade03 · May 2011

As for doing security *right* I think it is important that companies understand they need to train and educate employees not just require them to pass some test where brain **** and answers are available all over the net. I know developing a custom education solution is expensive but it is worth the investment.

To the point everyone is making about security being a *trend* I think that this is head on. Slashdot had an article the other day pointing to a report of over 175 majors available in the US. Comp Sci / Engineering / Info Systems were all in the top ten strong paying majors right now. Many people are seeing that and just going for a degree or certifications to get into the field for the big pay...problem is that they don't really know what they are doing....

On another note I have the following list going, which is a list of notable hacks since the beginning of the year:

Barracuda Network (WAF disabled)
Sony PS3 (user data 77 million)
Sony Entertainment Online (user data)
PBS Kids (2PAC + affiliates)
Lockheed Martin (Nothing but priving RSA worked)
HBGary (CC and SSN)
RSA (Token Algorithms)
Comodo (Root SSL)
Epsilon (email breach
NY Yankees (employee emailed out 21,000 season ticket users info)
Oak Ridge National Lab (data being stolen; pulled the "internat plug")
Wordpress.com (DoS one month / Source code and credentials stolen after breakin)
MySQL (SQL Injection caused embarassment only)
TripAdvisor.com (data theft, but no passwords)

rwmidl · May 2011

NightShade03 wrote: »

To the point everyone is making about security being a *trend* I think that this is head on. Slashdot had an article the other day pointing to a report of over 175 majors available in the US. Comp Sci / Engineering / Info Systems were all in the top ten strong paying majors right now. Many people are seeing that and just going for a degree or certifications to get into the field for the big pay...problem is that they don't really know what they are doing....

For degrees, couldn't the same argument, "getting into the field for the big pay" be made for those going to law school, wanting to become a stock broker/investment banker, etc? I don't see many people saying "I really want to be a stock broker because I have a great desire to help people plan for a successful retirement".

Turgon · May 2011

rwmidl wrote: »

For degrees, couldn't the same argument, "getting into the field for the big pay" be made for those going to law school, wanting to become a stock broker/investment banker, etc? I don't see many people saying "I really want to be a stock broker because I have a great desire to help people plan for a successful retirement".

Lawyers and stockbrokers have a fairly strong track record of being employable and making money. Im not convinced a career in security has the same mileage for the rank and file who get qualified in it. The field is already bloated and a lot of middle aged people with a way to go to retirement are hanging on to the best jobs. The cost of security is a concern to companies and efforts are already underway to cut the expense where possible. For a while it will be happy days for the defence contractors, but I fear that within 5 years there may be a lot of washed up security professionals hitting the streets.

colemic · May 2011

Turgon wrote: »

. Im all for security and can definitely see a role for individuals to take a lead, but we need to spend less time getting through audits and adhering to accredited standards, cranking a handle to pass, and more time on doing security *properly*. That means commercial, management, process and technical skills so a business is not only adequately defended but also lean enough to respond and continue to operate in an efficient manner. The discipline requires intelligent people not salary chasers.

While I agree with you, on a matter a scale, it can be impossible. From a DoD perspective, if they turned every installation/every network loose to do their own thing, it would chaos in minutes, if not seconds. The value in audits and adhering to standards is consistency across a wide spectrum of unique architectures and flavors, all of which are important (if not necessarily critical). Which, in turn, leads to gaps. I can definitely acknowledge the problem, but at least for DoD,without having guru-level knowledge at each installation/network, can't even begin to do that. That lack of technical knowledge being evenly distributed is one reason that the AF a few years ago started consolidating network management into theatre-level NOCs.

I don't think that a realistic, doable path forward has been established yet. I believe that NASA has totally foregone accrediting their systems, in favor of relying on monitoring for prevention. Whether it works for them or not remains to be seen. I just think DoD has far too many tentacles for that to be effective.

That being said, I am an accreditation ho, and IT security auditor.

rwmidl · May 2011

Turgon wrote: »

Lawyers and stockbrokers have a fairly strong track record of being employable and making money. Im not convinced a career in security has the same mileage for the rank and file who get qualified in it. The field is already bloated and a lot of middle aged people with a way to go to retirement are hanging on to the best jobs. The cost of security is a concern to companies and efforts are already underway to cut the expense where possible. For a while it will be happy days for the defence contractors, but I fear that within 5 years there may be a lot of washed up security professionals hitting the streets.

I'm 37 so I guess I now fall in to that "middle aged" category. You kids get off my lawn!!

colemic · May 2011

NightShade03 wrote: »

On another note I have the following list going, which is a list of notable hacks since the beginning of the year:
Barracuda Network (WAF disabled)

Sony PS3 (user data 77 million)

Sony Entertainment Online (user data)

PBS Kids (2PAC + affiliates)

Lockheed Martin (Nothing but priving RSA worked)

HBGary (CC and SSN)

RSA (Token Algorithms)

Comodo (Root SSL)

Epsilon (email breach

NY Yankees (employee emailed out 21,000 season ticket users info)

Oak Ridge National Lab (data being stolen; pulled the "internat plug")

Wordpress.com (DoS one month / Source code and credentials stolen after breakin)

MySQL (SQL Injection caused embarassment only)

TripAdvisor.com (data theft, but no passwords)

YOu can add in Michael's (craft store), over 90 debit card terminals were compromised nationwide, and is still ongoing. BoA had a pretty big breach (in Michigan, I think?) a month or so ago as well.

And IEEE had a PII/cc number breach as well.

Turgon · May 2011

rwmidl wrote: »

I'm 37 so I guess I now fall in to that "middle aged" category. You kids get off my lawn!!

hehehe..me too, me too.

joneno · May 2011

Another one bites the dust..lol. Poor old PBS hacked.
Hackers post phony Tupac story on PBS website - Yahoo! News

Turgon · May 2011

colemic wrote: »

While I agree with you, on a matter a scale, it can be impossible. From a DoD perspective, if they turned every installation/every network loose to do their own thing, it would chaos in minutes, if not seconds. The value in audits and adhering to standards is consistency across a wide spectrum of unique architectures and flavors, all of which are important (if not necessarily critical). Which, in turn, leads to gaps. I can definitely acknowledge the problem, but at least for DoD,without having guru-level knowledge at each installation/network, can't even begin to do that. That lack of technical knowledge being evenly distributed is one reason that the AF a few years ago started consolidating network management into theatre-level NOCs.

I don't think that a realistic, doable path forward has been established yet. I believe that NASA has totally foregone accrediting their systems, in favor of relying on monitoring for prevention. Whether it works for them or not remains to be seen. I just think DoD has far too many tentacles for that to be effective.

That being said, I am an accreditation ho, and IT security auditor.

I appreciate the value of standards and what have you. All Im saying is your security model has to be deployed intelligently to support what your business is about. Obviously one has to expect a certain amount of pain getting there, but it's hardly of value finally reaching some accredition or another if by the time the certificate is ready to be framed the lights are about to go out on the business as a consequence.

rwmidl · May 2011

Turgon wrote: »

hehehe..me too, me too.

Right now we are still in the "wild west" phase of security. Honestly, companies for so long have really made it a low priority/small line item on the budget. Now, more and more are seeing the need to have good it security measures in place. In some instances, not doing enough do dilligence can not only cost a company financially, but could have criminal implications to senior members.

There will always be a need for IT security professionals, both in the public and private sector. Are schools (both for-profit and non-profit) trying to ride the current gravy train? Yes. In a few years they will move on to something else, just like they did in the 90's when you saw ads saying "get your A+/CCNA/MCSE, etc and make 50k or more a year starting!!"

Turgon · May 2011

rwmidl wrote: »

Right now we are still in the "wild west" phase of security. Honestly, companies for so long have really made it a low priority/small line item on the budget. Now, more and more are seeing the need to have good it security measures in place. In some instances, not doing enough do dilligence can not only cost a company financially, but could have criminal implications to senior members.

There will always be a need for IT security professionals, both in the public and private sector. Are schools (both for-profit and non-profit) trying to ride the current gravy train? Yes. In a few years they will move on to something else, just like they did in the 90's when you saw ads saying "get your A+/CCNA/MCSE, etc and make 50k or more a year starting!!"

Yes I accept that, although doing too much can create inefficiencies and problems of it's own. The system becomes too big and too obstructive with leaner companies scooping up your revenue. There will be a need for IT security professionals in the future, but I suspect fewer of them some years hence. The schools will try and sell whatever fad is out there, but there will be fewer of those in the future too and fewer people beating on the door to get into IT. The entry level options are rapidly diminishing for the inexperienced.

rwmidl · May 2011

Turgon wrote: »

Yes I accept that, although doing too much can create inefficiencies and problems of it's own. The system becomes too big and too obstructive with leaner companies scooping up your revenue. There will be a need for IT security professionals in the future, but I suspect fewer of them some years hence. The schools will try and sell whatever fad is out there, but there will be fewer of those in the future too and fewer people beating on the door to get into IT. The entry level options are rapidly diminishing for the inexperienced.

If a "leaner" company comes in and scoopes up business either a) they are really doing something right and they should serve as a model for other companies or b) they really are cutting corners/not adhering to standards/rules and eventually will get caught.

NightShade03 · May 2011

rwmidl wrote: »

For degrees, couldn't the same argument, "getting into the field for the big pay" be made for those going to law school, wanting to become a stock broker/investment banker, etc? I don't see many people saying "I really want to be a stock broker because I have a great desire to help people plan for a successful retirement".

They may say that until they realize that is isn't true. Lawyers are one of the hardest hit professions right now...I know people coming out of top law schools who can't find jobs...

Lamini · June 2011

rwmidl wrote: »

I'm 37 so I guess I now fall in to that "middle aged" category. You kids get off my lawn!!

Turgon wrote: »

hehehe..me too, me too.

gaspedy gasp! you, too?!

Forsaken_GA · June 2011

NightShade03 wrote: »

Barracuda Network (WAF disabled)

Sony PS3 (user data 77 million)

Sony Entertainment Online (user data)

PBS Kids (2PAC + affiliates)

Lockheed Martin (Nothing but priving RSA worked)

HBGary (CC and SSN)

RSA (Token Algorithms)

Comodo (Root SSL)

Epsilon (email breach

NY Yankees (employee emailed out 21,000 season ticket users info)

Oak Ridge National Lab (data being stolen; pulled the "internat plug")

Wordpress.com (DoS one month / Source code and credentials stolen after breakin)

MySQL (SQL Injection caused embarassment only)

TripAdvisor.com (data theft, but no passwords)

Didn't the backtrack website get compromised at one point? Or was that last year?

UnixGuy · June 2011

BBC News - Sony network attacked again, hackers claim

Forsaken_GA · June 2011

RSA finally comes clean: SecurID is compromised

It's official. Seeds are in the wild.

If your company uses SecureID, please please please raise hell and highwater with whatever powers you need to in order to secure your networks, even if that means shutting the VPN off until you get replacement tokens (or a new vendor). Do not be low hanging fruit, and do not be like Sony.

it_consultant · June 2011

Turgon wrote: »

It's just another example of how bloated and ineffective the IT security genre is. Far too many people swarmed into an area of IT that got unnecessarily bigger for it's own sake. When that happens the quality goes down. It's time the entire security workforce had a shakedown so it is fit for purpose for the next decade. It would save the tax payer too.

They need to change the title from security to auditor, maybe that will give people a better idea of what security folks should be doing. Look at it from a physical security perspective; half the time a security guard is accounting for keys, looking for defective locks, etc. Sound auditing will catch even the most sophisticated attacks. So will regularly auditing basic things like your double factor authentication. Even if RSA is compromised, why wasn't the second factor of authentication effective in stopping the breach?

colemic · June 2011

it_consultant wrote: »

They need to change the title from security to auditor, maybe that will give people a better idea of what security folks should be doing. Look at it from a physical security perspective; half the time a security guard is accounting for keys, looking for defective locks, etc. Sound auditing will catch even the most sophisticated attacks. So will regularly auditing basic things like your double factor authentication. Even if RSA is compromised, why wasn't the second factor of authentication effective in stopping the breach?

I suspect it has to do with a master seed key.

it_consultant · June 2011

That was more of a rhetorical question. A good audit would find out why even though one factor of authentication was compromised, how was the other compromised as well. It isn't truly double factor if both methods rely on the same underlying technology or vendor. Its kind of like plugging your server into two separate switches (for failover) and having your switches daisy chained. Good idea, won't work like you think it will when push comes to shove.

instant000 · June 2011

*ouch* can you imagine being in charge of reissuing tokens for a company of 10,000 employees?

Devilsbane · June 2011

instant000 wrote: »

*ouch* can you imagine being in charge of reissuing tokens for a company of 10,000 employees?

Keep in mind those things are like $50 a piece.

Devilsbane · June 2011

Forsaken_GA wrote: »

RSA finally comes clean: SecurID is compromised

It's official. Seeds are in the wild.

If your company uses SecureID, please please please raise hell and highwater with whatever powers you need to in order to secure your networks, even if that means shutting the VPN off until you get replacement tokens (or a new vendor). Do not be low hanging fruit, and do not be like Sony.

I guess it depends on how much they got. For example, somebody could have my seed. But how would they know that it is my seed? As far as I know, RSA has no knowledge of which FOB is assigned to me. Only the AT&T system knows that. So wouldn't they need to know my username (which has no afiliation with my name), the serial of my fob(which they could either get from AT&T or off the back), the pin I have set up(which only I know), and then my AD password since our remote systems also authenticate me.

Unless I am mistaken, it seems doubtful that someone could compromise my account.

it_consultant · June 2011

Devilsbane wrote: »

I guess it depends on how much they got. For example, somebody could have my seed. But how would they know that it is my seed? As far as I know, RSA has no knowledge of which FOB is assigned to me. Only the AT&T system knows that. So wouldn't they need to know my username (which has no afiliation with my name), the serial of my fob(which they could either get from AT&T or off the back), the pin I have set up(which only I know), and then my AD password since our remote systems also authenticate me.

Unless I am mistaken, it seems doubtful that someone could compromise my account.

In a semi government bureaucracy like Lockheed I imagine that the problem was less about the compromised tokens alone but the compromised tokens plus weak security and auditing habits.

instant000 · June 2011

Devilsbane wrote: »

I guess it depends on how much they got. For example, somebody could have my seed. But how would they know that it is my seed? As far as I know, RSA has no knowledge of which FOB is assigned to me. Only the AT&T system knows that. So wouldn't they need to know my username (which has no afiliation with my name), the serial of my fob(which they could either get from AT&T or off the back), the pin I have set up(which only I know), and then my AD password since our remote systems also authenticate me.

Unless I am mistaken, it seems doubtful that someone could compromise my account.

^^^

Anything can be compromised. Please don't get a false sense of security.

The two factors of the RSA authentication was that it was based on something you have, as well as something you know. Unfortunately, if they know the seeds, they got you, as they can use the known seeds + the algorithm, to know what the next number would be.

Once they have the seeds and the algorithm, they can pinpoint who you are, just by capturing the key strokes using a simple keylogger, as the presented key plus the pin you enter have been compromised. And, if they have a keylogger, they just got your username and your password, too. So, they have everything to get into the system.

colemic · June 2011

I am still in the 'there is a master seed key' conspiracy camp.'

ChooseLife · June 2011

Forsaken_GA wrote: »

RSA finally comes clean: SecurID is compromised

Lockheed confirms:
Stolen RSA data used to hack defense contractor ? The Register

Defense contractor Lockheed Martin has confirmed that a recent attack on its network was aided by the theft of confidential data relating to RSA SecurID tokens employees use to access sensitive corporate and government computer systems.
According to an email the company sent to reporters, theft of the data for the RSA tokens was “a direct contributing factor” in last month's intrusion into its network.

Lockheed Martin's Network Breached

Comments