Lockheed Martin network suffers security breach - achyuta
http://www.nytimes.com/2011/05/28/business/28hack.html

======
matt1
Quick anecdote: About ten years ago I ran a prominent AOL hacking website
called AOL-Files.com. AOL employees had admin rights tied to their screen
names and the ones with the highest levels of access had to enter a SecurID
token after they entered their normal account password. Since we were always
trying to outdo each other, these high-level employees became popular
hacking targets.

Getting an employee's password and SecurID token was very difficult, as you
can imagine. Most phishing attempts failed, but every now and then we found an
employee who would enter their password and SecurID PIN into a bogus website,
which we then had forwarded to us so we could immediately log onto their
screen name before the pin changed.

The most notable hack was when BMB, my co-founder, gained access to an account
with keyword admin privileges. What this meant is that he could direct any
keyword to any destination. He chose to redirect keyword "Welcome", which
every AOL member is sent to when they sign on, to our website, aol-files.com.
For a period of about half an hour, every single person who signed onto AOL
was redirected to our AOL hacking website. We received over 100K hits in 30
minutes.

I've got an archive of AOL-Files up on my blog [1], which has lots more
information about this hack and many others. Ah, memories...

[1] <http://www.mattmazur.com/archive/aol-files.html>

~~~
xd
What's the betting the next knock on your door is the feds.

Don't you feel in the slightest bit worried by publicly talking about your
antics?

~~~
yuhong
Well, it was ten years ago.

------
lawnchair_larry
The RSA hack was used to clone the Lockheed VPN tokens (which means SecurID
was junk crypto to begin with).

<http://www.reuters.com/article/2011/05/28/usa-defense-hackers-idUSN2717936920110528>

~~~
javert
OK, it's clearly junk crypto, but do you know enough to explain exactly what
went wrong?

I heard something about being able to generate private keys from the serial
numbers of the tokens, but even if that's the case, you'd need to know what
token/serial number you actually care about. Not all users are going to have
access to anything interesting.

~~~
jwegan
FTA lawnchair_larry linked to:

He said the initial RSA attack was followed by malware and phishing campaigns
seeking specific data that would link tokens to end-users, which meant the
current attacks may have been carried out by the same hackers.

------
zzen
Hmm. A couple days after the reports of Lockheed Martin becoming the first
buyer of a commercial quantum computer:

<http://blogs.forbes.com/alexknapp/2011/05/25/d-wave-sells-quantum-computer-to-lockheed-martin/>

Perhaps coincidence. Still, interesting.

~~~
Estragon
Very likely a coincidence. D-Wave is a bit of a joke.

    Do you think the method is scaleable up to the 128 qubits that D-Wave is claiming?

    Well, there's no reason of principle why you couldn't scale to a larger
    number of qubits! But given the history here, I'd be skeptical of
    claims by D-Wave to have done so already, and would want to see the
    evidence. (As usual, the burden is on D-Wave to prove that they've done
    something, not on everyone else to prove that they haven't!)

    http://blogs.forbes.com/alexknapp/2011/05/24/q-and-a-with-prof-scott-aaronson-on-d-waves-quantum-computer/

~~~
rbanffy
Many times, the success of a project in a company large enough to buy and
operate a D-Wave computer has more to do with the amount written in the check
than with attaining measurable results. Success will be defined according to
what was achieved and the worst possible outcome is the person responsible for
the project accepting a position at the vendor.
