After the RSA breach, there was a fair amount of debate over how much security fallout there would be, if any. As one security analyst told SearchSecurity at the time, “Good crypto works even if an attacker knows how it works.”
Now, however, it looks like the breach has claimed its first major victim: Lockheed Martin, one of the largest defense contractors in America. As Reuters reported, the company “is grappling with ‘major internal computer network problems,’ said one of the sources who was not authorized to publicly discuss the matter.” While not explicitly stated, it sounds like normal e-mail access is restricted, among other disruptions.
Robert X. Cringely reported on the attack early on, without naming the specific company, and wrote that countermeasures were taken, namely requiring another level of authentication:
“It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.
“The contractor’s data security folks saw this coming, though not well enough to stop it. Shortly after the RSA breach they began requiring a second password for remote logins. But that wouldn’t help against a key-logger attack.
“The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it. A breach like this is very subtle and not easy to spot. There will be many aftershocks in the IT world from this incident.”
A month ago, as SearchSecurity’s Rob Westervelt reported, that added layer of security was already of renewed interest, despite being a traditionally hard sell to security-stingy executives. Now with Lockheed’s surprisingly public example, it might just be a much easier upgrade to get approved.