“They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's RSA security division”
Now all have come into place.
Quick question: which country is most interested in LCMO's F-22 and has demonstrated the ability to use cyber technics to get information?
Another quick question: is there a country that would like to conduct an attack and make it seem like it is coming from the country that is the answer to your quick question.
Another quick question: which of the two hypotheses is first to be eliminated by Occam's razor? U.S. is very unlikely to be willing to go to war with its biggest economic partners.
>The person with direct knowledge told Reuters on Friday that an intrusion at Lockheed was related to a recent breach of "SecurID" token authentication technology from EMC Corp's EMC.N RSA security division.
You mean they didn't immediately start changing their system when RSA's key was stolen? Then, IMO, they had it coming.
edit: a thought just occurred to me. Is the reason this is such a great "theft of a nation"-type action because there are known weaknesses that could be exploited easily? I wonder what would happen if military tech were developed with "Open Hardware" goals in mind... security-through-obscurity only works until someone looks.
Tell me more: how do "open hardware" systems work? especially against protecting IP, not allowing another entity of copying a design?
Also, do not forget the public image issue, not just the technical issues. Large organizations, priv or govt, have an additional aspect of work by the image they project. How they are viewed or marketed matters as well. When you start throwing around a soup of abbreviations, people take notice - thru the marketing power. That counts as well - the news made it to the top of google news, though it other recent intrusions had technical&psychological impact as well.
Such intrusions have happened - though now they make it to the top of Google News
I'm not entirely sure, sorry. Just that I think security through obscurity is a flawed practice at its very core.
If you're interested in looking into it yourself, I'd suggest looking at the Arduino, which has been pretty much taking the home-electronics world by storm.
The communications from RSA were that, based on what they knew, there wasn't a huge reduction is security as long as the PINs chosen where reasonably strong.
I wonder which applies: RSA didn't know how bad the breach really was; RSA lied about how dangerous the breach was and how open their customers were; LCMO configured their system such that weak PINs were allowed; or something else happened.
News reports elsewhere say that the PINs were captured by keyloggers, so their strength (as in difficulty in guessing) was irrelevant.
So, either RSA wasn't thinking about keyloggers as a component of a combined attack --- even though replay attacks using captured interaction streams are the main threat that SecurID was designed to counter --- or they were being disingenuous.
> if military tech were developed with "Open Hardware" goals in mind
Not going to happen. Military hardware is (most of the time) cutting-edge technology. If we are talking about a fighter plane, most of its components have to exhibit high performance overall -- and in small package. The abilities of the plane hinge on every component and their co-operation as well; the weakest link is the limiting factor.
Each military technology has two aspects: instances of use (for lack of better word), and capability.
Consider encryption for a moment: an algorithm of any size and complexity is driven by a small key (a bunch of bytes). The small secret part (key) is enough to to keep each use instance (each encoded text) safe.
However, in case of military hardware, the capability itself is of paramount importance as well. You can't focus all the aspects of fighter plane in one `key' piece; each component has to provide some aspect of the capability -- and withstand results of use of other components, such as heat, acceleration, vibration etc. Since no `key' is possible to hardware, you have to guard whatever else is there to guard -- and that, unfortunately, is most of the pieces.
Nb., a lot of military standards [1] are commercially-accessible, to help build a healthy ecosystem of suppliers. But those are not cuttind-edge stuff; I don't think even the formula for SR-71's `JP-7' fuel was accessible during operational use of the plane...
Military hardware is (most of the time) cutting-edge technology
Much as I'd like this to be true, it simply isn't. Your smartphone is more sophisticated than military comms equipment. It's been a running joke for years how bad the British Army's systems like Clansman are. Clansman for example was introduced in the 70s and is only just now being replaced by Bowman. (I used Clansman during the early 90s as a cadet). Think how fast mobile tech moves - can you imagine using a mobile phone 20 years old?
Soldiers serving in the former Yugoslavia in peacekeeping used their personal mobile phones to communicate - more reliable and more secure than the issued kit.
There is a certain benefit to tried-and-trusted systems with known strengths and weaknesses.
I'm not advocating lethargy when adopting new technologies, keeping reliable equipment and weaponry is a good thing.
Also, the cost of creating new technologies may not yield significant benefits. E.g. the F-22 is only marginally better (or marginally worse depending on your perspective) than the aircraft it was intended to replace, but at a huge cost.
Military hardware is cutting edge when it's developed, but by the time it's in service (after years of testing and service trials) it's often 8+ years old. Most of the tech in the F-22 is late 90's era - the same as the French Rafale or the Eurofighter Typhoon - The F-22 has the best late 90's equipment in service, but it's not cutting edge any more.
I don't think these kind of attacks aim to find easily exploitable weaknesses in military hardware. I believe the aim is to find operational parameters etc to improve strategies and counter-strategies. Other possibility is that they want to use acquired data to speed up their own R&D-process, aka make clones of target companys products.
This event will be used as an example of why the US needs an internet kill switch and to impose more restriction on the use of the internet by US citizens. Much like the PROTECT IP act, you'll see more Laws coming out soon.
Some may say this is a "false flag" event. It could even be that there are some subcontractors that worked within Lockheed that may have caused this breech. Regardless, there are going to be more restrictions coming for US citizens and companies that use the internet (in homes, schools, libraries, etc.).
The Wikipedia entry for SecurId says they use a scheme where each physical device has a private key that is also stored on the server (and apparently in RSA severs as well).
I wonder why don't they use a public key scheme where the server only needs the public key of the specific user for authentication. This way the private key is stored only on the physical device.
Alright, so where the f- was the NSA (et al.) in all this?
I would presume that, given sufficient background -- which, presumably, under these circumstances they could insist upon -- it should have taken them about 5 minutes (or seconds) to figure out this scenario.
We spend untold amounts sifting possibly every email crossing a domestic -- and probably many a foreign -- nexus. But when identification/authorization for a defense contractor -- and probably a lot more than one such agent of critical infrastructure -- is compromised, they aren't involved and ahead of the curve in mitigation?
Probably, certainly, there's a lot that the public isn't being told. But the silence is -- whether due to circumstances or to omission -- unsettling.
The silence may be purposeful, even productive. But it does not sit well against the caterwauling of those who insist we make our private, personal communications ever more transparent to government inspection.
22 comments
[ 3.7 ms ] story [ 75.4 ms ] threadNow all have come into place.
Quick question: which country is most interested in LCMO's F-22 and has demonstrated the ability to use cyber technics to get information?
You mean they didn't immediately start changing their system when RSA's key was stolen? Then, IMO, they had it coming.
edit: a thought just occurred to me. Is the reason this is such a great "theft of a nation"-type action because there are known weaknesses that could be exploited easily? I wonder what would happen if military tech were developed with "Open Hardware" goals in mind... security-through-obscurity only works until someone looks.
Also, do not forget the public image issue, not just the technical issues. Large organizations, priv or govt, have an additional aspect of work by the image they project. How they are viewed or marketed matters as well. When you start throwing around a soup of abbreviations, people take notice - thru the marketing power. That counts as well - the news made it to the top of google news, though it other recent intrusions had technical&psychological impact as well.
Such intrusions have happened - though now they make it to the top of Google News
If you're interested in looking into it yourself, I'd suggest looking at the Arduino, which has been pretty much taking the home-electronics world by storm.
I wonder which applies: RSA didn't know how bad the breach really was; RSA lied about how dangerous the breach was and how open their customers were; LCMO configured their system such that weak PINs were allowed; or something else happened.
So, either RSA wasn't thinking about keyloggers as a component of a combined attack --- even though replay attacks using captured interaction streams are the main threat that SecurID was designed to counter --- or they were being disingenuous.
Not going to happen. Military hardware is (most of the time) cutting-edge technology. If we are talking about a fighter plane, most of its components have to exhibit high performance overall -- and in small package. The abilities of the plane hinge on every component and their co-operation as well; the weakest link is the limiting factor.
Each military technology has two aspects: instances of use (for lack of better word), and capability.
Consider encryption for a moment: an algorithm of any size and complexity is driven by a small key (a bunch of bytes). The small secret part (key) is enough to to keep each use instance (each encoded text) safe.
However, in case of military hardware, the capability itself is of paramount importance as well. You can't focus all the aspects of fighter plane in one `key' piece; each component has to provide some aspect of the capability -- and withstand results of use of other components, such as heat, acceleration, vibration etc. Since no `key' is possible to hardware, you have to guard whatever else is there to guard -- and that, unfortunately, is most of the pieces.
Nb., a lot of military standards [1] are commercially-accessible, to help build a healthy ecosystem of suppliers. But those are not cuttind-edge stuff; I don't think even the formula for SR-71's `JP-7' fuel was accessible during operational use of the plane...
----
[1] http://en.wikipedia.org/wiki/U.S._military_standard
Much as I'd like this to be true, it simply isn't. Your smartphone is more sophisticated than military comms equipment. It's been a running joke for years how bad the British Army's systems like Clansman are. Clansman for example was introduced in the 70s and is only just now being replaced by Bowman. (I used Clansman during the early 90s as a cadet). Think how fast mobile tech moves - can you imagine using a mobile phone 20 years old?
Soldiers serving in the former Yugoslavia in peacekeeping used their personal mobile phones to communicate - more reliable and more secure than the issued kit.
I'm not advocating lethargy when adopting new technologies, keeping reliable equipment and weaponry is a good thing.
Also, the cost of creating new technologies may not yield significant benefits. E.g. the F-22 is only marginally better (or marginally worse depending on your perspective) than the aircraft it was intended to replace, but at a huge cost.
I wonder why don't they use a public key scheme where the server only needs the public key of the specific user for authentication. This way the private key is stored only on the physical device.
I would presume that, given sufficient background -- which, presumably, under these circumstances they could insist upon -- it should have taken them about 5 minutes (or seconds) to figure out this scenario.
We spend untold amounts sifting possibly every email crossing a domestic -- and probably many a foreign -- nexus. But when identification/authorization for a defense contractor -- and probably a lot more than one such agent of critical infrastructure -- is compromised, they aren't involved and ahead of the curve in mitigation?
Probably, certainly, there's a lot that the public isn't being told. But the silence is -- whether due to circumstances or to omission -- unsettling.
The silence may be purposeful, even productive. But it does not sit well against the caterwauling of those who insist we make our private, personal communications ever more transparent to government inspection.