Based on today’s news of an attack on Lockheed-Martin (and possibly many others) in which data stolen from RSA’s SecurID system was used to gain access, it seems as if RSA (ironically, a cyber security solutions provider) is now the newest and easiest attack vector.
The details are really unknown right now, but if I were a betting man, I would bet that a token and PIN belonging to many of these contractors were stolen back in March. The easiest way into a network is through its horribly secured network management network, which is usually where SecurID is deployed.
Pondering this, I wonder: how could this be? Well, it’s not as surprising as you might think. Cyber security solutions providers have been the unwitting targets of hackers for years, and, ironically again, it is because these same security vendors don’t seem to practice what they preach when it comes to good cyber security practices.
In March of this year, an attacker sent a phishing email to RSA employees with the subject line “2011 Recruitment Plan.” All it took was the right user to open the attachment (a spreadsheet carrying an exploit for a then-unpatched Adobe Flash flaw). The malware was installed without anyone knowing it happened. From that foothold, the attacker collected all kinds of data like user names and passwords, and, oh yeah, data related to SecurID, widely understood to include the token seed records from which the one-time codes are generated. They then pushed the files to another hacked server (likely a trusted domain) and from there on to the hacker.
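To make the “token and PIN” reasoning concrete, here is an added example (mine, not from this post and not RSA’s code) that models a seed-based one-time-code token using RFC 6238 TOTP. That choice is an assumption standing in for RSA’s proprietary SecurID algorithm; the user name, PIN, seed value and timestamps are all constructed for the demo. It shows that a stolen seed reproduces the token’s codes exactly, that the PIN is then the only secret left between the attacker and the account, and that reissuing the seed is what actually shuts the stolen copy out.

```python
import hashlib
import hmac
import struct

# Seed-based one-time codes, modelled here with RFC 6238 TOTP (HMAC-SHA1,
# 6 digits, 30-second window). ASSUMPTION: this stands in for RSA's proprietary
# SecurID algorithm; the structural point is the same either way. The code is a
# pure function of (secret seed, current time), so anyone holding a copy of the
# seed computes exactly what the real token displays.

DIGITS = 6
STEP_SECONDS = 30


def token_code(seed: bytes, unix_time: int) -> str:
    """Code a token with this seed displays at the given Unix time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class AuthServer:
    """Toy authentication manager: per-user PIN + seed, passcode = PIN || code."""

    def __init__(self) -> None:
        self.users = {}
        self.used = set()          # (user, window) pairs already accepted

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        """Register (or re-seed) a user's token."""
        self.users[user] = {"pin": pin, "seed": seed}

    def check(self, user: str, passcode: str, unix_time: int) -> bool:
        rec = self.users.get(user)
        if rec is None or not passcode.startswith(rec["pin"]):
            return False
        code = passcode[len(rec["pin"]):]
        counter = unix_time // STEP_SECONDS
        # Accept the current window and one on either side for clock drift,
        # but never the same window twice (blocks straight replay).
        for drift in (-1, 0, 1):
            window = counter + drift
            if (user, window) in self.used:
                continue
            expected = token_code(rec["seed"], window * STEP_SECONDS)
            if hmac.compare_digest(code, expected):
                self.used.add((user, window))
                return True
        return False


def demo() -> dict:
    """Walk through legitimate use, seed theft with/without the PIN, and re-seeding."""
    server = AuthServer()
    seed = b"12345678901234567890"              # constructed sample seed (RFC 6238 test key)
    pin = "4821"                                # constructed sample PIN
    server.enroll("alice", pin, seed)
    now = 1_300_000_000                         # fixed timestamp so the run is reproducible

    legit = pin + token_code(seed, now)
    results = {"legit": server.check("alice", legit, now)}

    # Same passcode presented again: same window, already consumed.
    results["replay_of_legit"] = server.check("alice", legit, now)

    # Attacker with the stolen seed but no PIN: the code half is always right,
    # so the PIN is the only secret left to guess or steal.
    results["stolen_seed_no_pin"] = server.check("alice", "0000" + token_code(seed, now + 60), now + 60)

    # Attacker with the stolen seed AND the PIN: indistinguishable from Alice.
    results["stolen_seed_with_pin"] = server.check("alice", pin + token_code(seed, now + 3600), now + 3600)

    # Only reissuing the token (new seed) shuts the stolen copy out.
    new_seed = hashlib.sha256(b"constructed replacement seed").digest()[:20]
    server.enroll("alice", pin, new_seed)
    results["stolen_seed_after_reissue"] = server.check("alice", pin + token_code(seed, now + 7200), now + 7200)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26} -> {'ACCEPTED' if ok else 'rejected'}")
```

The point to take from the run is that the server has no way to tell the stolen copy from the real token once the PIN is known: the only server-side signals are things like replay (handled above with a used-window set) and logins from places the user never logs in from. “Keep using it without fear” only holds once the seeds themselves have been replaced.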
The tragic point is that RSA made a point of stating this wasn’t a big deal and that people using its popular two-factor authentication tool should keep using it without fear. I guess it doesn’t help when folks like InfoSec Media are telling us not to “overreact.” Well, I for one am not convinced. I suggest anyone using RSA SecurID stop, now, or you will be next.