Read more of this story at Slashdot.

Read more of this story at Slashdot.

Read more of this story at Slashdot.

Read more of this story at Slashdot.

Read more of this story at Slashdot.

This week, Lockheed Martin—the largest U.S. military contractor—and several other defense contractors have reportedly experienced intrusions in their computer networks. Those intrusions may be connected to a hacking attack on RSA's SecurID security token division, disclosed back in March.

Hackers penetrating Sony's Playstation network or Google, affecting the data privacy of millions of users? Bad. Hackers penetrating the networks of the US military's largest weapons makers? Really, really, really bad.

Reuters was first tonight with the news of the intrusion at Lockheed, which the company is said to have first detected on Sunday.

They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's RSA security division, said the person who was not authorized to publicly discuss the matter. It was not immediately clear what kind of data, if any, was stolen by the hackers. But the networks of Lockheed and other military contractors contain sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.

A Lockheed press statement, reprinted in part in the Wall Street Journal,

[T]o counter any threats, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. We have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multilayered information systems security.

John Markoff and Christopher Drew in the New York Times link the Lockheed hack to the March RSA breach. While Lockheed's problems may be the first publicly known damage from that attack, other firms may also be affected.

"The issue is whether all of the security controls are compromised," said James A. Lewis, a senior fellow and a specialist in computer security issues at the Center for Strategic and International Studies, a policy group in Washington. "That's the assumption people are making."

Neither RSA, which is based in Bedford, Mass., nor Lockheed would discuss the problems on Friday.

Officials in the military industry, who spoke only on the condition of anonymity given the sensitivity of the matter, said Lockheed had detected an intruder trying to break into its networks last Sunday. It shut down much of its remote access and has been providing new tokens and passwords to many workers, company employees said.

Raytheon published a statement today saying it took "immediate companywide actions" when the RSA breach became known back in March. General Dynamics denied experiencing problems related to the RSA breach; Northrop Grumman and Boeing declined to comment to the Times.

Related reading:

•
SecurID Company Suffers a Breach of Data Security (NYT, March 17, 2011, John Markoff)

• Columbia University computer science professor Steve Bellovin's take on the RSA breach (March, 2011).

• And Ars Technica's counterpoint to RSA's characterization of the breach as "extremely sophisticated."

Sony BMG Greece hacked, company's security woes continue originally appeared on Engadget on Mon, 23 May 2011 15:41:00 EDT. Please see our terms for use of feeds.

With Anonymous Denial of Service attacks and then the twin hacks of PlayStation Network and Sony Online Entertainment, Sony's online infrastructure has been taking a battering over the last few weeks—and it's not over yet. Another successful hack against the company is being reported by security firm F-Secure. A Web server used to host Sony's Thai site has been broken into, and is now being used to host a phishing site that targets customers of an Italian credit card company.

Unlike the PSN and SOE break-ins, this hack is not likely to have any serious consequences; it should be restricted to a relatively unimportant Web server that has no access to sensitive customer information. Still, it shows that Sony's online troubles aren't over yet—and that the entire company needs to take online security more seriously.

Read the comments on this post

Well-designed systems don't store passwords; rather, they take the password you supply and run it through a cryptographic hashing algorithm that turns it into another string (in theory, this string can't be turned back into the password). When you re-visit the website and supply your password, it is run through the algorithm again, and then the result is compared to the stored version. That way, no one -- not even the provider -- knows your password (except you). Again, that which isn't stored can't be leaked. Requiring French online services to keep a record of unhashed passwords is a reversal of decades of best practices in security.

The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.

This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

Police, the fraud office, customs, tax and social security bodies will all have the right of access.

Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show a the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.

To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.

It may yet be too soon to celebrate the takedown of the world's largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd. In previous takedowns, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers.

Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.

(Image: Spam wall, a Creative Commons Attribution Share-Alike (2.0) image from 63056612@N00's photostream)

Read more of this story at Slashdot.

Juels says that these cracks were possible because the proprietary algorithms that the firms use to encode the cryptographic keys shared between the immobiliser and receiver, and receiver and engine do not match the security offered by openly published versions such as the Advanced Encryption Standard (AES) adopted by the US government to encrypt classified information. Furthermore, in both cases the encryption key was way too short, says Nohl. Most cars still use either a 40 or 48-bit key, but the 128-bit AES - which would take too long to crack for car thieves to bother trying - is now considered by security professionals to be a minimum standard. It is used by only a handful of car-makers...

What's more, one manufacturer was even found to use the vehicle ID number as the supposedly secret key for this internal network. The VIN, a unique serial number used to identify individual vehicles, is usually printed on the car. "It doesn't get any weaker than that," Nohl says.

(Image: Invalidka - Soviet car for disabled people, a Creative Commons Attribution (2.0) image from dittaeva's photostream)

Read more of this story at Slashdot.

Read more of this story at Slashdot.