
Lockheed's SecurID Breach Also Threatens Online Banking

The same type of attack used recently to get around security measures at Lockheed Martin, and possibly other defense contractors as well, could also be used to hack international banking services, security experts say.
/ Source: SecurityNewsDaily

That's because both the defense and banking industries rely heavily on RSA's SecurID tokens, 40 million of which are in use around the world.

Small businesses and private users use SecurID tokens to access online banking services, while large corporations use them to authenticate employees who need to remotely or locally access internal networks and resources.


SecurID devices are small, tamper-resistant tokens that display a new numeric code every 30 or 60 seconds. The code is the output of a cryptographic algorithm over three inputs: the token's serial number, the internal seed (a secret key programmed into the token at manufacture) and the current time, counted in seconds from January 1, 1970 UTC and rounded down to the token's 30- or 60-second interval, so the time input never repeats.

The authentication server, which holds a copy of every token's serial number and seed, performs the same computation and compares its result with the code the user typed in along with a secret PIN (personal identification number) that only the user knows. If the code matches the server's value for the current interval (or a neighboring one, to tolerate clock drift between token and server) and the PIN is correct, the user is granted access.

The seemingly random sequences of numbers generated by SecurID tokens are technically called OTPs (one-time passwords): each code is accepted only once and expires at the end of its interval even if it is never used.

An OTP cannot be altered once it has been generated, and a hardware SecurID token cannot be opened, repaired or reprogrammed in the field. If its seed is compromised, the token must be replaced.

These tokens can also exist as software applications installed on a PC or a smartphone to perform the same function.

Theoretically, physical possession of the token (or of the PC or smartphone running the software token) is what keeps the authentication mechanism secure, because the seed never leaves the device. The only circumstance under which an attacker could clone a token, and it would take some time, is if the seeds and the token serial numbers they belong to had been stolen from wherever they are stored.
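To make the mechanism in the preceding paragraphs concrete, here is an added illustration of a time-based OTP token and its authentication server. This is not code from the article and not RSA's proprietary SecurID algorithm: it uses HMAC-SHA256 in the style of RFC 6238 TOTP to stand in for the real tokencode function. The seed, serial number, PIN and timestamp are constructed sample values, and the server's PIN check, one-interval drift window and replay tracking are assumptions about how such a server behaves, not a description of RSA's product. The scenarios show why the seed records alone reproduce the token's codes, and why the user's PIN is the piece an attacker still has to steal.

```python
"""Time-based OTP token and server (illustration, not RSA's SecurID algorithm).

Constructed example: HMAC-SHA256 over (time counter || serial) keyed with the
token seed, in the style of RFC 6238 TOTP.  Seed, serial, PIN and the
timestamp are made-up sample values.
"""
import hashlib
import hmac
import struct

INTERVAL = 60      # seconds per code, as with 60-second tokens
DIGITS = 6         # length of the displayed code


def token_code(seed: bytes, serial: str, unix_time: int) -> str:
    """Code a token with this seed and serial displays at `unix_time`.

    The counter is the number of whole intervals since 1970-01-01 UTC, so the
    time input never repeats; the serial is mixed in so tokens are distinct.
    """
    counter = unix_time // INTERVAL
    msg = struct.pack(">Q", counter) + serial.encode("ascii")
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226 (HOTP): pick 4 bytes by the last nibble.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class AuthServer:
    """Holds seed records (what the article says was exposed at RSA) and the
    users' PINs (what those records alone do not provide)."""

    def __init__(self, records: dict, drift_intervals: int = 1):
        self.records = records          # username -> (serial, seed, pin)
        self.drift = drift_intervals    # assumed tolerance for clock drift
        self.used = set()               # (username, counter) already accepted

    def verify(self, username: str, passcode: str, now: int) -> bool:
        """Accept passcode = PIN + tokencode if the PIN matches and the code is
        valid for the current interval or one within the drift window."""
        rec = self.records.get(username)
        if rec is None:
            return False
        serial, seed, pin = rec
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return False
        code = passcode[len(pin):]
        counter = now // INTERVAL
        for c in range(counter - self.drift, counter + self.drift + 1):
            expected = token_code(seed, serial, c * INTERVAL)
            if hmac.compare_digest(expected, code) and (username, c) not in self.used:
                self.used.add((username, c))   # one-time: never accept it again
                return True
        return False


# Constructed sample data (not real token values).
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
SERIAL = "000123456789"
PIN = "4821"


def run_scenarios(now: int = 1_306_800_000) -> dict:
    """Outcome of each login attempt at a constructed timestamp (31 May 2011)."""
    server = AuthServer({"alice": (SERIAL, SEED, PIN)})
    results = {}
    code = token_code(SEED, SERIAL, now)
    # Legitimate user: has the token and knows the PIN.
    results["user_with_token_and_pin"] = server.verify("alice", PIN + code, now)
    # Same passcode presented a second time: rejected as a replay.
    results["replay_of_same_passcode"] = server.verify("alice", PIN + code, now)
    # Attacker with the stolen seed record but no PIN: code is right, PIN is not.
    t1 = now + INTERVAL
    results["seed_stolen_no_pin"] = server.verify(
        "alice", "0000" + token_code(SEED, SERIAL, t1), t1)
    # Attacker with the stolen seed record plus a keylogged PIN: looks like the user.
    results["seed_and_pin_stolen"] = server.verify(
        "alice", PIN + token_code(SEED, SERIAL, t1), t1)
    # Attacker with the PIN but a guessed seed: code does not match.
    t2 = now + 2 * INTERVAL
    results["wrong_seed"] = server.verify(
        "alice", PIN + token_code(b"\x00" * 16, SERIAL, t2), t2)
    # Token clock one interval behind the server: still inside the drift window.
    t3 = now + 3 * INTERVAL
    results["one_interval_drift"] = server.verify(
        "alice", PIN + token_code(SEED, SERIAL, t3), t3 + INTERVAL)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

The point the scenarios make is the one in the article: a copy of the seed records turns the hardware factor into something an attacker can compute on their own machine, so the remaining security of the login rests on the PIN, which is exactly what keyloggers and phishing are built to capture.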

Unfortunately, that's exactly what seems to have happened.

"On March 17, 2011, RSA, the security division of EMC Corporation, one of the most important players in the IT security market, publicly announced that information that could be used to reduce the effectiveness of their SecurID authentication implementation was compromised," explained Paolo Passeri, an ICT (Information and Communication Technology) Security expert based in Rome, Italy.

Passeri was among the first to point out that the RSA breach could be used to attack RSA's corporate clients, the organizations whose users log in with SecurID tokens.

Two months later, Lockheed Martin, one of the world's largest suppliers of military hardware to the U.S. and other countries, announced it had suffered a network intrusion. Lockheed Martin disabled all remote access to its internal networks and said it would replace every one of its RSA SecurID tokens – and that RSA would pay the replacement costs.

"Since the information stolen from RSA, alone, could not be used to successfully clone the tokens, in order to perpetrate the attacks, the hackers must have used keylogger malware and phishing campaigns to get the missing pieces of the puzzle (usernames and PINs — personal identification numbers)," Passeri surmised.

In fact, RSA has not publicly disclosed what was taken from its servers in March (it will tell only existing clients who sign a non-disclosure agreement), and Lockheed Martin has not said if or how its attackers had usernames or passwords.

But the problems for defense contractors may have just begun.

Only a few days after the Lockheed Martin breach, anonymous sources quoted in news reports said that two more defense contractors, L-3 Communications and Northrop Grumman (the manufacturer of the B-2 stealth bomber), had been targeted using SecurID stolen data.

Neither company has confirmed the breaches.

The attack on Lockheed Martin, and the two possible others, shows a clear interest in data belonging to defense contractors that produce some of the most sophisticated U.S. (and foreign) military equipment in use in Afghanistan, Iraq and Libya.

However, a network intrusion does not always mean a significant loss, as was the case with the alleged 2009 intrusion into the F-35 Lightning II JSF (Joint Strike Fighter) program.

China's growing interest in American stealth projects creates a large and ever-increasing security risk to all U.S. military projects. Defense contractors may soon have to consider more costly biometric means of user authentication: voice analysis, facial recognition, iris scans or even keystroke dynamics, which analyzes the unique way each individual types.

However, defense contractors are not the only ones at serious risk following the RSA hack. RSA is the dominant vendor in the strong authentication market, and around 80 percent of U.S. banks, according to the research group Gartner, give SecurID tokens to business clients.

"The breach has potentially exposed banks' online banking customers to attacks aimed at stealing usernames and PINs," Passeri said. "Coupled with RSA stolen data, these pieces of information could enable the attackers to log illegitimately into accounts and perform illicit transfers and credit card payments."

Shortly after Lockheed Martin got RSA to perform and pay for a complete replacement of its SecurID tokens, RSA extended the same offer to almost all of its customers, including banks such as Citigroup, JPMorgan Chase and Wells Fargo.

"Advanced persistent threats, as well as SecurID weakness, are threats that defense contractors as well as banks must be able to deal with, using technology and an appropriate user policy," Passeri said.

An "advanced persistent threat" is security jargon for a cyberattack mounted by a skilled, well-funded, patient team of hackers, often backed by a foreign government.

"These attacks have shown that the most sophisticated technology is useless," Passeri said, "if users are not trained to face the new wave of cyberthreats, which leverage traditional forms of attack (such as malware or phishing) as the first step to perpetrate more complex multilayered attacks."

David Cenciotti is a military aviation journalist and information security expert based in Rome, Italy. Follow him on Twitter @cencio4