
Lockheed Martin hit by cyber incident, U.S. says - apievangelist
http://www.reuters.com/article/2011/05/29/us-usa-defense-hackers-idUSTRE74Q6VY20110529?feedType=RSS&feedName=topNews
======
riobard
“They breached security systems designed to keep out intruders by creating
duplicates to "SecurID" electronic keys from EMC Corp's RSA security division”

Now all have come into place.

Quick question: which country is most interested in LCMO's F-22 and has
demonstrated the ability to use cyber technics to get information?

~~~
coffie6423
Huh. Those Canadians again... j/k

~~~
omouse
I wouldn't be surprised. The PM has his eyes set on the Arctic! And the U.S.
be stealin our oil! ;p

------
nimrody
The Wikipedia entry for SecurId says they use a scheme where each physical
device has a private key that is also stored on the server (and apparently in
RSA severs as well).

I wonder why don't they use a public key scheme where the server only needs
the public key of the specific user for authentication. This way the private
key is stored _only_ on the physical device.

------
pasbesoin
Alright, so where the f- was the NSA (et al.) in all this?

I would presume that, given sufficient background -- which, presumably, under
these circumstances they could insist upon -- it should have taken them about
5 minutes (or seconds) to figure out this scenario.

We spend untold amounts sifting possibly every email crossing a domestic --
and probably many a foreign -- nexus. But when identification/authorization
for a defense contractor -- and probably a lot more than one such agent of
critical infrastructure -- is compromised, they aren't involved and ahead of
the curve in mitigation?

Probably, certainly, there's a lot that the public isn't being told. But the
silence is -- whether due to circumstances or to omission -- unsettling.

The silence may be purposeful, even productive. But it does not sit well
against the caterwauling of those who insist we make our private, personal
communications ever more transparent to government inspection.

------
r0sebush
This event will be used as an example of why the US needs an internet kill
switch and to impose more restriction on the use of the internet by US
citizens. Much like the PROTECT IP act, you'll see more Laws coming out soon.
Some may say this is a "false flag" event. It could even be that there are
some subcontractors that worked within Lockheed that may have caused this
breech. Regardless, there are going to be more restrictions coming for US
citizens and companies that use the internet (in homes, schools, libraries,
etc.).

------
Groxx
> _The person with direct knowledge told Reuters on Friday that an intrusion
> at Lockheed was related to a recent breach of "SecurID" token authentication
> technology from EMC Corp's EMC.N RSA security division._

You mean they didn't _immediately_ start changing their system when RSA's key
was stolen? Then, IMO, they had it coming.

edit: a thought just occurred to me. Is the reason this is such a great "theft
of a nation"-type action because there are known weaknesses that could be
exploited easily? I wonder what would happen if military tech were developed
with "Open Hardware" goals in mind... security-through-obscurity only works
until someone looks.

~~~
dexen
_> if military tech were developed with "Open Hardware" goals in mind_

Not going to happen. Military hardware is (most of the time) cutting-edge
technology. If we are talking about a fighter plane, most of its components
have to exhibit high performance overall -- and in small package. The
abilities of the plane hinge on every component and their co-operation as
well; the weakest link is the limiting factor.

Each military technology has two aspects: instances of use (for lack of better
word), and capability.

Consider encryption for a moment: an algorithm of any size and complexity is
driven by a small key (a bunch of bytes). The small secret part (key) is
enough to to keep each use instance (each encoded text) safe.

However, in case of military hardware, the capability itself is of paramount
importance as well. You can't focus all the aspects of fighter plane in one
`key' piece; each component has to provide some aspect of the capability --
and withstand results of use of other components, such as heat, acceleration,
vibration etc. Since no `key' is possible to hardware, you have to guard
whatever else is there to guard -- and that, unfortunately, is most of the
pieces.

Nb., a lot of military standards [1] are commercially-accessible, to help
build a healthy ecosystem of suppliers. But those are not cuttind-edge stuff;
I don't think even the formula for SR-71's `JP-7' fuel was accessible during
operational use of the plane...

\----

[1] <http://en.wikipedia.org/wiki/U.S._military_standard>

~~~
gaius
_Military hardware is (most of the time) cutting-edge technology_

Much as I'd like this to be true, it simply isn't. Your smartphone is more
sophisticated than military comms equipment. It's been a running joke for
years how bad the British Army's systems like Clansman are. Clansman for
example was introduced in the 70s and is only _just now_ being replaced by
Bowman. (I used Clansman during the early 90s as a cadet). Think how fast
mobile tech moves - can you imagine using a mobile phone 20 years old?

Soldiers serving in the former Yugoslavia in peacekeeping used their personal
mobile phones to communicate - more reliable and more secure than the issued
kit.

~~~
mcritz
There is a certain benefit to tried-and-trusted systems with known strengths
and weaknesses.

I'm not advocating lethargy when adopting new technologies, keeping reliable
equipment and weaponry is a good thing.

Also, the cost of creating new technologies may not yield significant
benefits. E.g. the F-22 is only marginally better (or marginally worse
depending on your perspective) than the aircraft it was intended to replace,
but at a huge cost.

