Data Breach at Security Firm Linked to Attack on Lockheed

We are saddened to report another very serious data breach problem. This one is so vast, encompassing both national security mission-critical targets and potentially posing a risk to Fortune 500 companies and therefore a danger to the entire economy of the United States.

The New York Times reported, "Lockheed Martin, the nation’s largest military contractor, has battled disruptions in its computer networks this week that might be tied to a hacking attack on a vendor that supplies coded security tokens to millions of users, security officials said on Friday.

The SecurID electronic tokens, which are used to gain access to computer networks by corporate employees and government officials from outside their offices, are supplied by the RSA Security division of the EMC Corporation."

This is also a great example of what we have been arguing for years. Data breaches DO NOT RESULT IN IMMEDIATE ATTACKS but often have a significant delay period before the confidential information that was stolen is put to use in criminal or military/security attacks. The data from EMC was stolen in a March breach. It took almost three months before evidence began to surface that the stolen "tokens" were being illegally used.

By the way these tokens provide security " ... beyond a user name or password by requiring users to append a unique number generated by the token each time they connect to their corporate or government networks." So, if you steal the token the YOU TOO can get the magic "new number" when you start hacking these sensitive web sites!

“The issue is whether all of the security controls are compromised,” said James A. Lewis, a senior fellow and a specialist in computer security issues at the Center for Strategic and International Studies, a policy group in Washington. “That’s the assumption people are making.”

So now even the highest level security access, the one used by military contractors and other "high end" users, has shown us how inherently weak all of our network security systems really are. We need a whole new architecture, a new concept, for Internet security and the industry seems incapable of inventing that because until recently security cut into profits and no one was demanding higher vigilance.