What should we learn from the Lockheed Martin attack

Afterthoughts on the human factor and on the RSA SecurID authentication system


About a year ago, I wrote a post about an interesting experiment conducted by three researchers at the University of Michigan, which revealed that RSA 1024-bit private key encryption could be cracked using a simple and inexpensive hardware device.

However, the current case of a successful attack carried out against the network of the US defense contractor tells a slightly different story about the RSA SecurID system and its impenetrability, in particular, and about network security, in general. Although one could argue that successfully targeting a major player in the military industry and compromising the infrastructure of an organization whose purpose is actually to provide protection are the highlights in this case, I strongly believe that the focus should be elsewhere. If we set aside the names of the actors involved in this troublesome situation, the focus should be on the following three aspects pertaining to computer security:

First and foremost, the RSA data heist was based on one of the simplest (yet, as we can see, most efficient) methods of unauthorized information harvesting, i.e. a combination of a targeted spam campaign and a phishing raid exploiting an Adobe Flash zero-day vulnerability. This proves, once again, that old-school cybercrime methods are still valid and productive, as long as there is a weak link to be exploited in the security chain.

This leads us to the second important aspect in this case, i.e. the human factor. No matter how advanced a defensive system is, all you need to breach it is a refined social engineering mechanism and some gullible users. This is more than enough to circumvent spam filters or bypass a security suite, not to mention bringing an entire organization to its knees.

Last but not least, I think this case clearly shows that IT&C security is never a local or individual issue. With the advent of Web 3.0, designing and implementing network and resource defense based on an insular strategy, without taking into consideration the scale of interconnectivity or, to be more specific, the interdependence of the safety devices and tools at work, is as perilous as securing your front door with a single lock, the key to which you then decide to hide under your very own mat.

Safe surfing, everybody!


About the author


With a humanities passion and background (BA and MA in Comparative Literature at the Faculty of Letters, University of Bucharest), complemented by an avid interest in the IT world and its stunning evolution, in the autumn of 2003 I joined the chief editors' team at Niculescu Publishing House as IT&C Chief Editor, where (among many other things) I coordinated the Romanian version of the well-known SAMS Teach Yourself in 24 Hours series. In 2005 I accepted two new challenges and became Junior Lecturer at the Faculty of Letters (to quote U2 - "A Sort of Homecoming") and Lead Technical Writer at BluePhoenix Solutions.

After leaving BluePhoenix in 2008, I rediscovered "all that technical jazz" with the E-Threat Analysis and Communication Team at BitDefender, the creator of one of the industry's fastest and most effective lines of internationally certified security software. Here I produce a wide range of IT&C security-related content, from malware, spam and phishing alerts to technical whitepapers and press releases. Every now and then, I enjoy scrutinizing the convolutions of e-criminals' "not-so-beautiful mind" and, as a counterpart, the new defensive trends through posts on www.hotforsecurity.com.

Balancing keen reading late into the night (please read "early morning"), mostly fiction and comparative literature studies, with Internet "addiction", and the genuine zeal for my bright and fervid students with the craze for the latest discoveries in science and technology, I also enjoy taking not very usual pictures (I'm not a pro, but if you want to see the world through my lenses, here are some samples: http://martzipan.blogspot.com), messing around with DTP programs to put out some nifty book layouts and wacky t-shirts, roaming the world (I can hardly wait to come back to the Big Apple), and, last but not least, driving my small Korean car through the intricacies of our metropolis's traffic.