The same type of attack used recently to get around security measures at Lockheed Martin, and possibly other defense contractors as well, could also be used to hack international banking services, security experts say.
That’s because both the defense and banking industries rely heavily on RSA’s SecurID tokens, 40 million of which are in use around the world.
Small businesses and private users use SecurID tokens to access online banking services, while large corporations use them to authenticate employees who need to remotely or locally access internal networks and resources.
SecurID devices are small, tamper-resistant tokens that generate numeric codes every 30 or 60 seconds. The complex cryptographic algorithm combines three inputs: the token’s serial number, the internal seed (a secret key hard-coded in the token) and absolute computer time (which counts seconds from January 1, 1970 and never repeats).
The same computation is performed by the authentication server, which compares its code with the one provided by the user. If they correspond, the user is granted access.
The seemingly random sequences of numbers generated by SecurID tokens are technically called OTPs (One Time Passwords) — they can be used only once and expire even if never used.
An OTP can’t be altered, and a SecurID token can’t be repaired, opened or reprogrammed. If it’s compromised, the token must be replaced.
These tokens can also exist as software applications installed on a PC or a smartphone to perform the same function.
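As an added illustration (not code from the article, from RSA or from any token vendor), the following Python models the scheme described above: a code derived from the seed and the current time window, a server that repeats the computation, a separate PIN as the second factor, and codes that expire and can be used only once. It assumes the public HMAC-based TOTP construction of RFC 6238 in place of RSA's proprietary SecurID algorithm; the seed, PIN and timestamps are constructed sample values.

```python
import hmac
import hashlib
import struct

STEP = 60  # seconds per code window; SecurID tokens use 30 or 60


def otp_code(seed: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """Derive the code for the window containing unix_time from the token seed.

    HMAC-SHA1 over the window counter (RFC 6238 style). RSA's real algorithm is
    proprietary, so this is a stand-in. Same seed + same window -> same code.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Holds each user's seed and PIN and repeats the token's computation."""

    def __init__(self) -> None:
        self.users = {}    # username -> (seed, pin)
        self.used = set()  # (username, window) already accepted: one-time use

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        if user not in self.users:
            return False
        seed, expected_pin = self.users[user]
        # Two factors: the PIN (something known) and the token code (something held).
        # A stolen seed alone reproduces the code but not the PIN.
        if not hmac.compare_digest(pin, expected_pin):
            return False
        # Only the current window is accepted, so an unused code still expires.
        # (Production servers usually tolerate one window of clock drift.)
        if not hmac.compare_digest(code, otp_code(seed, now)):
            return False
        window = now // STEP
        if (user, window) in self.used:  # a code accepted once cannot be replayed
            return False
        self.used.add((user, window))
        return True
```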
Theoretically, the physical possession of the token, PC or smartphone ensures the security of the authentication mechanism. The only circumstance under which an attacker could clone the token (and it would take some time) would be if seeds and token serial numbers had been stolen.
Unfortunately, that’s exactly what seems to have happened.
“On March 17, 2011, RSA, the security division of EMC Corporation, one of the most important players in the IT security market, publicly announced that information that could be used to reduce the effectiveness of their SecurID authentication implementation was compromised,” explained Paolo Passeri, an ICT (Information and Communication Technology) Security expert based in Rome, Italy.
Passeri was among the first to understand that the RSA security breach could be used to attack EMC Security Division’s corporate clients using SecurID tokens.
Two months later, Lockheed Martin, one of the world’s largest suppliers of military hardware to the U.S. and other countries, announced it had suffered a network intrusion. Lockheed Martin disabled all remote access to its internal networks and said it would replace every one of its RSA SecurID tokens – and that RSA would pay the replacement costs.
“Since the information stolen from RSA, alone, could not be used to successfully clone the tokens, in order to perpetrate the attacks, the hackers must have used keylogger malware and phishing campaigns to get the missing pieces of the puzzle (usernames and PINs — personal identification numbers),” Passeri surmised.
In fact, RSA has not publicly disclosed what was taken from its servers in March (it will tell only existing clients who sign a non-disclosure agreement), and Lockheed Martin has not said if or how its attackers had usernames or passwords.
But the problems for defense contractors may have just begun.
[Read the rest of my article on Tech News Daily]