Wednesday, June 1, 2011

Homeland Insecurity

Defense contractors Lockheed Martin and L-3 Communications have recently been the victims of an extremely professional and sophisticated team of hackers.  Their networks have been penetrated an unknown number of times, to an unstated degree, at a loss of unspecified data.  Now, the good news is that the most classified data sits on "air-gapped" networks, computers that cannot be accessed from the Internet, or even from any computer that can access the Internet.  But that doesn't mean that a tremendous amount of critical information wasn't compromised.  And here's the thing: Everyone KNEW this was going to happen, and it was entirely preventable.  There is simply no point in a public-private network security partnership when those partners are either unwilling or unable to act, even when they have certain knowledge of critical vulnerabilities.

Quick lesson in network security.  At its root, the network just needs to know that you really are who you say you are - this is called authentication.  Because if you are truly and legitimately YOU, the network knows what privileges you are entitled to.  As Bruce Schneier put it so succinctly, you provide authentication to the network in one or more of three ways:  What you know, What you have, and What you are.  Put simply, what you know is a password, what you have is some kind of device or smart card, what you are is biometrics.  If you secure a network using two of these, called "two-factor authentication", there is virtually no way to hack that network by spoofing a legitimate login.  If someone gets your token, they don't have your password, and if they crack your password, they still need your token.  Of course, they can easily crack your password, so if they could somehow clone your token, they could authenticate as you to the network.  And the very assumed security of a network using a two-factor authentication scheme would mean that it would be very hard to react to such a breach.

March, 2011.  EMC security subsidiary RSA, providers of the widely used SecurID network security token, reported a network intrusion, with some uncertain level of data loss.  All the news wires carried the report, but very few people outside of the IT and Security communities had any sense of what it meant.  But many of us have been holding our breath, waiting for exactly this.  It seems incredible that RSA's clients wouldn't demand that every SecurID token be replaced immediately - how could you possibly be in the network security business and NOT assume that the tokens in the field are all compromised?

Think of RSA tokens like this.  It's a simple little device with a custom chip designed to do one thing.  The token itself has a unique identifier, and it leaves the factory with a 'seed', a numeric or alphanumeric string that represents a 'starting point'.  Every seed is different - or not; in theory it doesn't matter.  Because every sixty seconds (or whatever interval is specified) the device takes the current string and does some kind of mathematical operation on it, it generates a different code every minute of every day, a code known only to the device and displayed when the user requests it.  So what the user has is a unique device that displays a unique number that can be verified as having been generated by a specific device.  There are over 40 million of these 'key fob' devices in use, along with over a hundred million software clients, many of them at very large multinational firms and government agencies.
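To make the two preceding paragraphs concrete (the two-factor idea, and why a shared seed is the whole secret), here is an added example that is not part of the original post and is not RSA's code. It uses the public RFC 6238 TOTP algorithm as a stand-in for SecurID's proprietary one; both derive each code from a seed and the current time step, which is the property that matters. The `AuthServer` class, the user names, the timestamp and the "seed database leak" scenario are all constructed for illustration; the seed `12345678901234567890` is the published RFC test seed.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical illustration: RFC 6238 TOTP (a public standard) stands in for
# SecurID's proprietary algorithm. Both derive each code from a shared seed and
# the current time step, so whoever holds the seed can compute the same codes.
STEP_SECONDS = 60   # the "every sixty seconds" interval described in the post
DIGITS = 6


def totp(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Time-based one-time code (RFC 6238 on top of RFC 4226 HOTP, HMAC-SHA1)."""
    counter = unix_time // step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def hash_password(password, salt=None, iterations=100_000):
    """'What you know': store a salted PBKDF2 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AuthServer:
    """Hypothetical two-factor login server: password plus time-based token code."""

    def __init__(self):
        self.users = {}   # username -> salt, password hash, token seed, last accepted step

    def enroll(self, username, password, seed):
        salt, pw_hash = hash_password(password)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash,
                                "seed": seed, "last_step": -1}

    def reseed(self, username, new_seed):
        """Replacing a token means issuing a new seed; codes from the old seed stop verifying."""
        self.users[username]["seed"] = new_seed
        self.users[username]["last_step"] = -1

    def login(self, username, password, code, now):
        user = self.users.get(username)
        if user is None:
            return False
        _, candidate = hash_password(password, user["salt"])
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return False                             # factor one ("what you know") failed
        step = now // STEP_SECONDS
        for drift in (0, -1, 1):                     # tolerate one step of clock skew
            candidate_step = step + drift
            if candidate_step <= user["last_step"]:
                continue                             # never accept a code step twice (replay)
            expected = totp(user["seed"], candidate_step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):  # factor two ("what you have")
                user["last_step"] = candidate_step
                return True
        return False


def demo():
    """Walk through the post's scenario; returns the five login outcomes in order."""
    server = AuthServer()
    seed = b"12345678901234567890"                   # RFC 6238 test seed (constructed data)
    server.enroll("alice", "correct horse battery", seed)
    now = 1_300_000_000                              # constructed timestamp (March 2011)

    code = totp(seed, now)
    ok = server.login("alice", "correct horse battery", code, now)         # True
    bad_pw = server.login("alice", "guess", code, now)                     # False: password wrong
    replay = server.login("alice", "correct horse battery", code, now)     # False: code already used

    # If the seed database leaks, codes computed from it are identical to the
    # fob's, so the server has no way to tell the two apart ...
    later = now + 2 * STEP_SECONDS
    from_leaked_seed = server.login("alice", "correct horse battery", totp(seed, later), later)  # True

    # ... and only replacing the token (issuing a new seed) closes the hole.
    server.reseed("alice", os.urandom(20))
    later = now + 3 * STEP_SECONDS
    after_reseed = server.login("alice", "correct horse battery", totp(seed, later), later)     # False
    return ok, bad_pw, replay, from_leaked_seed, after_reseed


if __name__ == "__main__":
    print(demo())
```

The last two outcomes are the post's argument in miniature: nothing in the server's logs distinguishes a code from the real fob from one computed with the leaked seed, so detection after the fact is hopeless, and the only remedy is to re-seed, which for hardware fobs means replacing them.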

So back at least as far as March, RSA knew they had been hacked, and they knew it was at least possible, if not likely, that many, perhaps even all, of their authentication code generating systems had been compromised.  They have thousands of clients, many with genuine high level security concerns, who depended on those systems to protect the data on their network.  How could they have decided to just go on with business as usual?  How could they not have told their customers, PAYING customers, that the security devices they issued to their employees had become insecure, and that they could no longer trust that any authenticated login was not an attacker?  How could they not have begun a program of replacing those systems immediately?  Would it be embarrassing?  Yes.  Inconvenient?  Absolutely.  Expensive?  Tremendously.  But it's not like this is some unimportant IT side business.  This is RSA.  THE security company, in business to serve only one purpose - network security, encryption and authentication.  And far from providing those services at this point, they offered only a false sense of security and tens of millions of pathways into tens of thousands of 'secure' networks all over the globe.

It seems like a weird kind of paralysis has set in, all around the world, at every level.  Whether it's Climate Change, Unemployment, Regional Peace or even just basic Network Security, some unholy combination of the profit motive, political cowardice and tribal rancor has effectively eliminated the ability to take any action, on anything.  Everything costs money.  Everything entails risk.  But it seems as if doing nothing has become the cheapest, safest solution to every problem.  


  1. Tax tax tax the money guys and it won't make a fucking bit of difference if they make their bonus.

  2. Wow! I'm no expert on security, but this seems huge, as you say. I agree absolutely with your final paragraph, too. I think for the average person there's a sense of just being overwhelmed and helpless in the face of oncoming disaster. At the level of the people who should and might possibly be able to do something, it's a combination of short-sighted greed and basic penny wise and pound foolish syndrome. -- Candy

  3. My wife has one of those doohickeys for her VPN access.

  4. ...some unholy combination of the profit motive, political cowardice and tribal rancor has effectively eliminated the ability to take any action

    It is the first that has promoted the second and third.

    I highly recommend this article.