Tag Archives: F-35

Lockheed's SecurID Breach Also Threatens Online Banking

The same type of attack used recently to get around security measures at Lockheed Martin, and possibly other defense contractors as well, could also be used to hack international banking services, security experts say.

That’s because both the defense and banking industries rely heavily on RSA’s SecurID tokens, 40 million of which are in use around the world.

Small businesses and private users use SecurID tokens to access online banking services, while large corporations use them to authenticate employees who need to remotely or locally access internal networks and resources.

SecurID devices are small, tamper-resistant tokens that generate numeric codes every 30 or 60 seconds. The complex cryptographic algorithm combines three inputs: the token’s serial number, the internal seed (a secret key hard-coded in the token) and absolute computer time (which counts seconds from January 1, 1970 and never repeats).

The same computation is performed by the authentication server, which compares its code with the one provided by the user. If they correspond, the user is granted access.

The seemingly random sequences of numbers generated by SecurID tokens are technically called OTPs (One Time Passwords) — they can be used only once and expire even if never used.

An OTP can’t be modified, changed or altered, and a SecurID token can’t be fixed, opened or reprogrammed. If it’s compromised, a SecurID token must be replaced.

These tokens can also exist as software applications installed on a PC or a smartphone to perform the same function.

Theoretically, the physical possession of the token, PC or smartphone ensures the security of the authentication mechanism. The only circumstance under which an attacker could clone the token (and it would take some time) would be if seeds and token serial numbers had been stolen.

Unfortunately, that’s exactly what seems to have happened.

“On March 17, 2011, RSA, the security division of EMC Corporation, one of the most important players in the IT security market, publicly announced that information that could be used to reduce the effectiveness of their SecurID authentication implementation was compromised,” explained Paolo Passeri, an ICT (Information and Communication Technology) Security expert based in Rome, Italy.

Passeri was among the first to understand that the RSA security breach could be used to attack EMC Security Division’s corporate clients using SecurID tokens.

Two months later, Lockheed Martin, one of the world’s largest suppliers of military hardware to the U.S. and other countries, announced it had suffered a network intrusion. Lockheed Martin disabled all remote access to its internal networks and said it would replace every one of its RSA SecurID tokens – and that RSA would pay the replacement costs.

“Since the information stolen from RSA, alone, could not be used to successfully clone the tokens, in order to perpetrate the attacks, the hackers must have used keylogger malware and phishing campaigns to get the missing pieces of the puzzle (usernames and PINs — personal identification numbers),” Passeri surmised.

In fact, RSA has not publicly disclosed what was taken from its servers in March (it will tell only existing clients who sign a non-disclosure agreement), and Lockheed Martin has not said if or how its attackers had usernames or passwords.

But the problems for defense contractors may have just begun.


[Read the rest of my article on Tech News Daily]

RSA Security breach explained: why US defense programs could be compromised

As almost everybody knows by now, on Mar. 17, 2011, RSA (the Security Division of EMC Corporation and one of the most important IT Security vendors in the world) publicly announced that some information that could be used to reduce the effectiveness of one of their two-factor authentication implementations had been compromised. In other words: their database mapping SecurID token serial numbers to the token “seeds” was stolen.

What are we talking about?

To make it simple, SecurID devices are small tamper-resistant tokens (resembling calculators) which generate a numeric code at fixed intervals (usually 30 or 60 seconds, after which the displayed code is replaced by the next one). Although they are usually pieces of hardware, they also exist as a software application that can be installed on a PC or smartphone to perform the same function. The random-looking sequences of numbers generated by SecurID tokens are authentication codes, technically called OTPs (One Time Passwords). The term One-Time means that they can be used for a single authentication process and that they expire even if they are never used. Such tokens provide an OTP that can be used for both network and application/web authentication. Many people use them to access their home banking, while companies use them to authenticate employees that need to (remotely or locally) access the internal network and resources.

Image: Wikipedia

These tokens generate the 6- or 8-digit OTP using an AES (Advanced Encryption Standard) algorithm to hash the token serial number, the internal seed and the current time (BTW: the server performs the same computation as the token and generates an OTP that is compared to the one provided by the user).

Paolo Passeri studied the subject and, in an interesting blog post dated Apr. 10, provided some more information about the inputs that are used to generate the OTP:

  • a 128-bit token-specific true-random seed,
  • a 64-bit standard ISO representation of Current Time (yr/mo/day/hour/min/second),
  • a 32-bit token-specific salt (the serial number of the token), and
  • another 32 bits of padding, which can be adapted for new functions or additional defensive layers in the future.

Since the AES-Hash operation is performed on 128-bit blocks, the latter two inputs are not a specific security feature: they are needed to pad the standard Current Time representation to fulfil the “rule” of 128-bit multiples.

As you can understand, both the seed and the serial number are unique for each token and, theoretically, the physical possession of the device ensures the security of the authentication mechanism. The only circumstance under which an attacker could clone the token (and generate authentication codes on behalf of the legitimate user) was if seeds and token serial numbers had been stolen. That’s exactly what happened: an Advanced Persistent Threat (APT) was able (by injecting malware and exploiting other vulnerabilities) to steal the database mapping seeds to serial numbers.

Even if the SecurID generates a new string of digits every 30-60 seconds, some implementations require the user to enter the OTP along with a PIN (Personal Identification Number), a fixed code like the one used at ATMs. Even if the PIN represents an additional security layer that, for sure, was not stored in the RSA DB, such short codes are easier to crack and can be retrieved using malware, keyloggers and many other methods.
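The generate-and-compare loop described in both articles above (token and server computing the same code from seed, serial and time, plus the PIN as a separate factor), as an added example in Go that is not code from the original post or from RSA. It is a simplified model of the inputs Passeri lists (128-bit seed used as the AES-128 key, 64-bit time field, 32-bit serial as salt, 32 bits of zero padding), not RSA’s actual algorithm, whose details RSA has not published. The type and function names (Token, Server, otpAt, VerifyPasscode) and the sample seed, serial number and PIN are constructed for the example. The server side shows the defender’s reading of the PIN point: PIN and OTP are checked together, one interval of clock drift is tolerated, and a code that has already been accepted is refused, so the seed database alone does not get anyone past the check.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// interval is the OTP lifetime in seconds (the post cites 30 or 60).
const interval = 60

// Token holds the per-token secrets described in the post: a 128-bit
// token-specific seed and a 32-bit serial number (assumed field names).
type Token struct {
	Seed   [16]byte
	Serial uint32
}

// otpAt derives the 6-digit code for the interval containing unixTime.
// Simplified model of the listed inputs, not RSA's real algorithm: AES-128
// keyed with the seed encrypts one 128-bit block made of a 64-bit time
// field, the 32-bit serial (salt) and 32 bits of zero padding.
func otpAt(tok Token, unixTime int64) string {
	var block [16]byte
	binary.BigEndian.PutUint64(block[0:8], uint64(unixTime/interval)) // time, quantised to the interval
	binary.BigEndian.PutUint32(block[8:12], tok.Serial)               // serial number as salt
	// block[12:16] stays zero: the 32-bit padding field
	c, err := aes.NewCipher(tok.Seed[:])
	if err != nil {
		panic(err) // cannot happen: a 16-byte key is valid for AES-128
	}
	var out [16]byte
	c.Encrypt(out[:], block[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(out[0:4])%1000000)
}

// Server models the authentication server. tokens is the seed database the
// post says was stolen; the PIN hashes stay with the customer, outside it.
type Server struct {
	tokens   map[string]Token
	pinHash  map[string][32]byte
	lastUsed map[string]int64 // interval number of the last OTP accepted per user
}

func NewServer() *Server {
	return &Server{tokens: map[string]Token{}, pinHash: map[string][32]byte{}, lastUsed: map[string]int64{}}
}

func hashPIN(user, pin string) [32]byte {
	return sha256.Sum256([]byte(user + ":" + pin)) // user name doubles as salt
}

// Enroll registers a user's token record and PIN.
func (s *Server) Enroll(user string, tok Token, pin string) {
	s.tokens[user] = tok
	s.pinHash[user] = hashPIN(user, pin)
}

// VerifyPasscode checks "PIN followed by 6-digit OTP" at time now. It
// recomputes the OTP as the token does, tolerates one interval of clock
// drift either way, and refuses an interval already accepted (one-time).
func (s *Server) VerifyPasscode(user, passcode string, now int64) bool {
	tok, ok := s.tokens[user]
	if !ok || len(passcode) < 6 {
		return false
	}
	pin, otp := passcode[:len(passcode)-6], passcode[len(passcode)-6:]
	want, got := s.pinHash[user], hashPIN(user, pin)
	pinOK := subtle.ConstantTimeCompare(want[:], got[:]) == 1

	cur := now / interval
	matched := int64(-1)
	for d := int64(-1); d <= 1; d++ { // previous, current and next interval
		candidate := otpAt(tok, (cur+d)*interval)
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(otp)) == 1 {
			matched = cur + d
		}
	}
	if !pinOK || matched < 0 || matched <= s.lastUsed[user] {
		return false // wrong PIN, no OTP match, or replay of an accepted code
	}
	s.lastUsed[user] = matched
	return true
}

func main() {
	tok := Token{Serial: 0x00012345} // constructed example secrets, not real token data
	for i := range tok.Seed {
		tok.Seed[i] = byte(i)
	}
	s := NewServer()
	s.Enroll("alice", tok, "1234")
	now := int64(1300000000) // fixed clock so the run is reproducible
	otp := otpAt(tok, now)
	fmt.Println("token shows:", otp)
	fmt.Println("PIN+OTP accepted:", s.VerifyPasscode("alice", "1234"+otp, now))
	fmt.Println("same code replayed:", s.VerifyPasscode("alice", "1234"+otp, now+5))
	fmt.Println("OTP alone, no PIN:", s.VerifyPasscode("alice", otpAt(tok, now+2*interval), now+2*interval))
}
```

Running it with go run prints the code the token would show and the three checks (accepted, replay refused, OTP without PIN refused). The one deliberate departure from the listed inputs is the time field: Unix seconds divided by the interval rather than the ISO year/month/day/hour/minute/second encoding the post describes, which keeps the example free of calendar handling without changing the point.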

One last thing: the OTP can’t be modified/changed/altered and the token itself, being tamper-proof, can’t be fixed, opened or reprogrammed. Therefore, if compromised, the SecurID must be replaced.

Targeting defense contractors

As analysts predicted, the RSA hack was not simply intended to discredit the EMC Security division. The actual targets were the corporate clients which use the SecurID token for user authentication and, among them, defense contractors.

Indeed, the first defense contractor known to have suffered a security violation was Lockheed Martin, which on May 22 disabled all remote access to its internal network (“at least for a week”) and planned the replacement of all its RSA SecurID tokens after detecting an intrusion in the internal network. Needless to say, Lockheed is one of the world’s largest defense contractors, “an American global aerospace, defense, security and advanced technology company” supplying hi-tech military hardware to the US and worldwide militaries (F-16, C-130, F-22, F-35 to name but a few interesting Lockheed “products”).

On May 31 Wired reported that another defence contractor, L-3, was targeted using SecurID stolen data even if it is not clear whether the hackers were successful in the penetration or not.

Both attacks show a certain interest in data managed by military contractors which manufacture some of the most sophisticated and sensitive US (and foreign) military equipment, including weapon systems currently used in Iraq, Afghanistan and Libya. However, as Paolo Passeri commented:

I wonder if military contractors are the only targets or if they have been the only ones capable to detect the attempts because of their strict security protocols and policies.

Certainly, defense contractors’ networks contain a lot of classified data about current and future US projects. However, such data is usually secured in closed networks that are not interconnected with corporate LANs or that require additional authentication procedures. I have already explained, when I commented on the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project, that network intrusions or data leakage do not always imply a significant loss. It all depends on the information that is actually stolen.

Image: Lockheed Martin

For sure, Advanced Persistent Threats, as well as the RSA SecurID weakness, are something that defense contractors and Government agencies, facing a huge and growing cyber risk, must be able to deal with. First of all, companies should follow the example of Raytheon (another defense contractor), which declared it had taken immediate companywide actions, as soon as the RSA incident information was made public, to prevent a widespread disruption of its network. But, to enhance the effectiveness of their security countermeasures, I think that sooner or later all corporates/agencies will have to consider the opportunity to use more costly biometric devices (usually seen in movies like Star Trek, Minority Report, X-Men, Planet of the Apes and a few others) that perform user authentication by means of voice analysis, face recognition, iris scan, keystroke dynamics identification, etc.

A multi-role Italian Eurofighter Typhoon?

When the following pictures (courtesy of zetamimmo) appeared on the Italian Vipers forum, someone thought that, finally, the Aeronautica Militare (Italian Air Force, ItAF) had begun thinking of the Eurofighter Typhoon as a multi-role aircraft, in contrast with the previous vision according to which the F-2000 should only be used as an air superiority fighter.

However, the pictures, taken at Decimomannu airbase in February, depict a TF-2000A that, although wearing the Reparto Sperimentale Volo (RSV – Test Unit Wing of the ItAF) markings, is currently flown by both Alenia Aeronautica and the RSV to conduct testing activities. For example, during my visit to Decimomannu for the F-15E deployment, the aircraft serialled MM X-614/IPA 2 was involved in supersonic runs (see pictures at the end of this article), while it carried GBUs to test the aircraft’s autopilot during flights in heavy configurations.

The last part of my article titled “Italian Typhoon”, published in the April 2010 issue of Air Forces Monthly, ended with the following words, which explain the past (and current!) vision of the Italian Air Force about the role of the F-2000:

Under Tranche 3A, by 2013, Italy will receive 21 Typhoons bringing the total to 95 (comprising 27 Tranche 1 and 47 Tranche 2 examples). The aircraft will be used in the air superiority role, as Italy, due to the cost associated with the envisaged upgrades required by the integration of the air-to-ground weapons, has always been skeptical about a multi-role Eurofighter. At the end of 2008, answering some questions about the JSF (Joint Strike Fighter), Gen. Vincenzo Camporini, former ItAF Chief of Staff, current Defence Chief of Staff, affirmed that: “There’s no competition or conflict between the JSF and the Eurofighter. The Eurofighter was designed for the Air Defence, a role that the aircraft is perfectly able to fulfil, but it can’t perform the attack role in an economically sustainable manner”. That vision hasn’t changed with the Tranche 3 contract signed in July 2009. In a recent interview, Gen. Giuseppe Bernardis, Air Force Deputy Chief of Staff, said that Italy did not completely rule out the use of Eurofighters for air-to-ground missions, since both T2 and T3 aircraft will have the ability to carry Paveway and JDAM (Joint Direct Attack Munition) that are already used by the Tornado and the AMX, and will be carried in the future by the F-35s (that Italy plans to acquire in 109 examples: 69 conventional take-off and landing F-35As and 40 short take-off and vertical landing F-35Bs). Hence, the air-to-ground mission is viewed as secondary for the Typhoon; given their ability to use the ordnance in inventory for other aircraft, the Eurofighters will possibly be used as “back up” attack platforms until 2040.

Fighter generations comparison chart

The appearance of the new J-20 (unofficially dubbed “Black Eagle”) raised many questions about the Chinese stealth fighter. Some experts think it will be more capable than the F-22; others (and I’m among them) think that the real problem for the US with the J-20 is not the aircraft’s performance, equipment and capabilities (even if the US legacy fighters were designed 20 years earlier than current Chinese or Russian fighters of the same “class”); the problem is that China will probably build thousands of them.

Anyway, when comparing the US and Chinese fighters, everybody referred to “fifth generation planes”, bringing once again the concept of “fighter generation” under the spotlight.

Generations are a common way to classify jet fighters. Often, generations have been “assigned” to fighters in accordance with the timeframes encompassing the peak period of service entry for such aircraft.

The best definition I’ve found so far of fighter generations is the one contained in an article published in 2009 by Air Force Magazine, which proposes a generations breakdown based on capabilities:

Generation 1: Jet propulsion

Generation 2: Swept wings; range-only radar; infrared missiles

Generation 3: Supersonic speed; pulse radar; able to shoot at targets beyond visual range.

Generation 4: Pulse-doppler radar; high maneuverability; look-down, shoot-down missiles.

Generation 4+: High agility; sensor fusion; reduced signatures.

Generation 4++: Active electronically scanned arrays; continued reduced signatures or some “active” (waveform canceling) stealth; some supercruise.

Generation 5: All-aspect stealth with internal weapons, extreme agility, full-sensor fusion, integrated avionics, some or full supercruise.

Potential Generation 6: extreme stealth; efficient in all flight regimes (subsonic to multi-Mach); possible “morphing” capability; smart skins; highly networked; extremely sensitive sensors; optionally manned; directed energy weapons.

In order to give the readers a rough idea of the type of aircraft belonging to each generation based on the above breakdown I’ve prepared the following table with the help of Tom Cooper / ACIG.org and Ugo Crisponi / Aviatiographic.com, who provided the profiles. It’s not meant to show all the aircraft theoretically belonging to a generation and includes only the profiles available at the time of writing…

As I’ve already said on Twitter, what such a table should let you understand at a glance is that capabilities and appearance are inversely proportional: former-generation aircraft look much better than more modern fighters…

How to Fly the Harrier Jump Jet | Danger Room | Wired.com

A few days ago, I published a post to explain how the F-35 JSF flies in both conventional and STOVL (Short Take Off Vertical Landing) Harrier-like mode. The following article provides some interesting info and images about the AV-8B, a version very similar to the one flown by the Marina Militare (Italian Navy):

The Harrier made its final flight with the British RAF last week, marking one end to the jet famous for being able to take off and land vertically. The jet’s recently declassified flight manual shows just how extraordinary it is.

read the rest here: How to Fly the Harrier Jump Jet | Danger Room | Wired.com.