Proactive IT security

Secure tokens turn insecure

Background

During the first half of 2011 we have seen a plethora of high-profile attacks on major corporations. In the top league is the cyberattack against the security company RSA, whose product portfolio includes SecurID, a hardware token for two-factor authentication.

SecurID is used, for example, for secure remote access to an organization's internal systems. Large organizations as well as governments around the world use SecurID.

In an open letter to its customers, RSA wrote:

Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. (...)

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. (...)
(Norman's emphasis)

RSA received some criticism because the company's information was not sufficiently specific and because the potential security risks for SecurID customers were only vaguely described.

The magazine Ars Technica, for example, listed several potential consequences of increasing severity in a news item on 19 March.

Potentially relevant subsequent events

Some time after this event, three major US military contractors reportedly experienced security incidents:

  • Lockheed Martin
  • L-3 Communications
  • Northrop Grumman

L-3 Communications and Northrop Grumman did not publicly confirm that they had been attacked.

Lockheed Martin, however, confirmed an attack in a press release on 28 May, in which the company wrote:

On Saturday, May 21, Lockheed Martin detected a significant and tenacious attack on its information systems network. The company’s information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.

The New York Times reported the next day that

Sondra Barbour, Lockheed’s chief information officer, sent a memo to the company’s employees on Sunday, saying that its systems remained secure. She said Lockheed had quickly shut down remote access to its network after the attack began.

These incidents of course further fuelled speculation that the RSA cyberattack and compromised SecurID tokens might have been involved.

Confirmation

On 3 June, Lockheed Martin confirmed that the breach was connected to the earlier RSA breach. The New York Times wrote:

Lockheed Martin said Friday that it had proof that hackers breached its network two weeks ago partly by using data stolen from a vendor that supplies coded security tokens to tens of millions of computer users.

Lockheed’s finding confirmed the fears of security experts about the safety of the SecurID tokens and heightened concerns that other companies or government agencies could be vulnerable to hacking attacks.

RSA finally confirmed in an open letter that its SecurID was instrumental in the attack against Lockheed Martin:

(...) on Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major U.S. government defense contractor. Lockheed Martin has stated that this attack was thwarted. (...)

Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment. (...)

(...) we are expanding our security remediation program to reinforce customers' trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers' confidence:

  • An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
  • An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.

Implications

So, what lessons can we learn from this chain of incidents?

Whether we use the current buzzword, as RSA did in March, and call this an Advanced Persistent Threat (APT), or choose Lockheed Martin's wording, a significant and tenacious attack (STA?), it is obvious that this is not the work of a "script kiddie".

If we assume that the real target was the US military contractor(s), the attack was performed in several steps. The RSA attack was then only the first step and not the primary target; rather, it was a means to attack the real target(s).
Which information, if any, was revealed to the attackers is not known to the public, and most likely never will be.

However, this incident clearly shows that even organizations which are presumably more security conscious than most have vulnerabilities that may be exploited by an attacker who has sufficient resources and determination at her disposal.

Lesson 1:

Any organization and individual may be compromised if the attacker allocates sufficient resources.
Most organizations will be compromised to some degree at some point in time.

One issue that has been heavily debated in the months since the RSA incident became known is whether the affected corporations acted optimally with respect to themselves, their customers and the public.
We will not draw a conclusion on this. Suffice it to say that history shows that coming clean with all relevant information about a security compromise is usually the best alternative.

Taking Lesson 1 into consideration, we can therefore formulate the next:

Lesson 2:

Set up a strategy for action before you are compromised. After the fact you will lose valuable time and will usually not be able to take all aspects into consideration because of time pressure.

Whenever we are compromised, the default reaction is usually to play down the severity of the incident. This may not be the best course of action, particularly if subsequent events show that our initial evaluation was not candid.
By having a plan set up in advance, well thought through and rehearsed, we avoid being stressed by the situation in such a way that sub-optimal solutions are chosen.
Audit systems must be in place before any incident so that the attackers' actions can be traced and the vulnerabilities in the system identified.

Such a plan should include elements such as (the list is not exhaustive):

  • security procedures to implement in order to eliminate or reduce the consequences of the attack
  • information to the media
  • information to customers
  • information to other stakeholders, such as the police and other authorities
  • analysis of the audit systems for information about the attack
