
A Tale of Two Breaches: Part II

June 5, 2011

Days after Lockheed-Martin’s disclosure of an attempted attack, and weeks after a successful attack against Sony, details from these two events continue to emerge.  In Sony’s case, we know that a second attack against their Sony Pictures division utilized a “basic technique” (SQL injection, perhaps?) to compromise an additional 1 million credit card numbers from a plain-text file.  Other than the fact that data was exfiltrated through a web-based attack, little else is (currently) known.

In Lockheed’s case, the situation is a bit different: Lockheed claims that the dreaded RSA attack from several months ago, which the industry has long feared would lead to a compromise of the ubiquitous SecurID two-factor authentication tokens, has finally materialized into a real-world attack on their systems.  How did this attack occur?  Well, most likely we’re looking at a remote user exploitation that follows a pattern similar to this:

  • The attackers phished employees at Lockheed, and got someone on a remote laptop to install a keylogger;
  • The keylogger sent user(s) passwords and one-time-use RSA codes to the attackers (or, more likely, third-party systems that they compromised);
  • The attackers then used the RSA seed database that they acquired in the RSA attack several months ago (important caveat: RSA has never stated that the seed database was compromised, but that seems likely now) in concert with the publicly-known RSA algorithm to build one-time use passwords;
  • They then used the users’ personal passwords (captured from the keylogger exercise), coupled with a one-time password they created on their own (using the publicly-known RSA algorithm built with their own code, and the seed database), to connect to the VPN.

At that point, the hackers would have completely assumed the user’s identity on the network.  Fortunately for Lockheed, they indicate that they were able to detect this in progress, and eliminate the threat in real time (or darn close to it).
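One way a defender can catch the pattern described above, even though both the password and the one-time code look valid at the VPN, is to look at where the sessions come from: the legitimate employee on the remote laptop and the attacker using a freshly computed code are two different machines, so the same account shows up from two source addresses close together in time. The following script is an added example and is not code from the post or from Lockheed; the log format and every log line in it are constructed for illustration, and the 15-minute window is an assumed tuning value.

```python
"""
Detection sketch: flag VPN accounts whose successful logins arrive from
more than one source address inside a short window.  In the attack
pattern above the authentication itself looks clean (valid password,
valid one-time code), so the signal is the pair of near-simultaneous
sessions from different places, not the credentials.
Log format and all sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user src_ip result"
SAMPLE_LOG = """\
2011-05-21T08:02:11Z jdoe 198.51.100.23 SUCCESS
2011-05-21T08:05:40Z asmith 203.0.113.8 SUCCESS
2011-05-21T08:09:03Z jdoe 192.0.2.77 SUCCESS
2011-05-21T08:30:15Z asmith 203.0.113.8 SUCCESS
2011-05-21T09:12:00Z bwong 198.51.100.23 FAILURE
2011-05-21T09:12:30Z bwong 198.51.100.23 SUCCESS
2011-05-21T11:45:00Z asmith 192.0.2.9 SUCCESS
"""

# Assumed tuning value: how close two logins must be to count as concurrent.
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Split one constructed log line into (timestamp, user, src_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def find_concurrent_logins(log_text, window=WINDOW):
    """Return (user, ip_a, ip_b, seconds_apart) for every pair of successful
    logins by the same account from different addresses within `window`.
    Failed attempts are ignored: the attacker in this scenario succeeds."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse_line(line)
        if result == "SUCCESS":
            by_user[user].append((ts, ip))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological, so we can stop once past the window
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if ip2 != ip1:
                    alerts.append((user, ip1, ip2, int((t2 - t1).total_seconds())))
    return alerts


if __name__ == "__main__":
    for user, ip_a, ip_b, secs in find_concurrent_logins(SAMPLE_LOG):
        print(f"ALERT {user}: sessions from {ip_a} and {ip_b} {secs}s apart")
```

On the constructed sample only `jdoe` trips the rule: two successful logins from different addresses about seven minutes apart. `asmith` logs in from a second address later in the day, but outside the window, which is the kind of case a real deployment would refine with geolocation or known-good address lists rather than a fixed interval alone.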

So, what’s the lesson here?  Stay tuned for Part III.
