Scant Facts Regarding Lockheed’s VPN System Takedown

What we know at this point:

UPDATE 28 May 2011 – US DHS has confirmed that Lockheed has experienced a network intrusion (http://www.reuters.com/article/2011/05/29/us-usa-defense-hackers-idUSTRE74Q6VY20110529).

UPDATE 07 June 2011 – RSA has confirmed that data stolen from them was a factor in the Lockheed intrusion. RSA is offering to replace tokens for certain types of customers according to this: http://www.rsa.com/node.aspx?id=3891.

1). Lockheed’s entire VPN system was intentionally taken down by Lockheed.
2). This happened about a week ago, and the VPN has been down the entire week.
3). Lockheed is recalling all remote workers to the closest Lockheed offices to continue their production.
4). The outage is estimated to last two weeks.
5). Affected Lockheed VPN users are being issued new VPN tokens.

References:
http://www.lockheedmartin.com/news/press_releases/2011/0528hq-secuirty.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement


7 Responses to “Scant Facts Regarding Lockheed’s VPN System Takedown”

  1. Pete said:

    May 28, 11 at 9:11 pm

    David –

    Congratulations on keeping to the facts. I think this whole thing is a game of “telephone”. I would note that there still isn’t really evidence of any breach of any kind. It started with Cringely playing a speculation game and has taken off from there. Note that the Reuters source supposedly has direct knowledge of not only the Lockheed breach but also breaches at other installations. Well, that means there must be a leak at some consultant or CERT-like group…. or this person read all the same reports and is using those to confirm his/her “direct knowledge”.

    This whole thing smells.

  2. Anon said:

    May 29, 11 at 12:07 am

    What you’re failing to state is that Lockheed is on the record as saying they will not confirm any intrusion activity into their networks. Insinuating that the breach is not as bad as it is simply because Lockheed hasn’t admitted it is intentionally misleading, and a clear act of bad faith. Shame.

  3. David Sharpe said:

    May 29, 11 at 12:16 am

    I don’t think any judgments were made in this article about whether anything serious or not is happening within Lockheed. My intent is to bring the facts to the surface, and let those facts speak for themselves. Jumping to conclusions is sometimes counterproductive and misleading, and I don’t post anything like that here. It could be that Lockheed is making the change to the VPN access simply out of an abundance of caution, and no current or past Lockheed breach had anything to do with whatever might have been taken from RSA earlier related to SecurID.

  4. Anon said:

    May 29, 11 at 12:35 am

    It could also be that the machines have spontaneously become self-aware. Lockheed, just like Northrop, CACI, SAIC, L3, and almost every other defense contractor out there, just got pwned. People don’t make this stuff up — the reason it’s in the media is because it was leaked.

    I don’t hold them to be tremendously irresponsible (other than for making the shamefully poor decision to continue using RSA’s compromised product line) for the breach, but it did occur due to decisions they made. Denialism on these topics is “wumaodang” PR at best and disinformation at worst, and you’re enabling their “no confirmation” policy by running defense.

    If you had an actual interest in determining the truth, you would be using Maltego to enumerate Lockheed’s org chart and be going down their phone tree until you get a knowledgeable comment out of Lockheed from someone who hasn’t been gated off by PR.

  5. David Sharpe said:

    May 29, 11 at 12:57 am

    I meant no offense. Until I have additional confirmed and credible information, I really can’t say anything further. If I get more, I will update this article. Thank you!

  6. LM Employee said:

    May 30, 11 at 11:29 am

    LM is in the process of issuing a PIV-I smart card to all employees which will supplant RSA SecurID use. It’s about 2-3 months away from implementation, as almost 90+% of employees have them today, and shortly all the subcontractors who access the network will as well. This will place LM back into true 2-factor ID (something you know plus something you have), as 2-factor using RSA SecurID is not a trusted solution anymore.

  7. dio said:

    May 30, 11 at 1:10 pm

    uhhhhhm The smart card has been cracked, Mr. Brilliant. Reference Mandiant’s M-Trends 2011 issue and note the smart-card proxy capabilities our adversaries have implemented with wide ranging success. That was the first pillar. When organizations started using RSA in response to threats, they took down that pillar of defense as well. Wake up. Until the actors are made to suffer retributive and punitive punishing attacks for their efforts, nothing will change.

