Update, 6 June: Lockheed Martin told the New York Times that a hack on its network involved RSA tokens.
Security experts have refuted claims that compromised RSA tokens were behind hacking incidents at three major US defence contractors last month.
According to penetration tester Marcus Carey and security researcher Jayson E. Street, there was insufficient evidence to link RSA SecurID tokens to reported attacks on Northrop Grumman, Lockheed Martin and L-3 Communications.
Companies faced intrusion attacks daily, they said, noting that "wild speculation" linking the attacks to SecurID, allegedly compromised in March, was damaging the industry.
“There is absolutely nothing new here because these companies are under attack all the time,” Marcus Carey, enterprise security community manager at Boston-based penetration testing company Rapid7, said.
“To pull off a successful attack, along with tokens, you need passwords, user names, pins, and certificate files in some cases – a whole slew of information.”
With that amount of information, it would be “game over” for any company, according to security researcher Jayson E. Street.
“It is a moot point at best if attackers have the [SecurID] seed token.”
Street, also author of Dissecting the Hack: The F0rb1dd3n Network, said a perceived increase in security breaches may be because staff had become more inclined to report them.
Carry and Street's comments followed this week's Fox News report that defence giant Northrop Grumman had reset domain names and passwords following a possible network security breach.
Staff at Northrop Grumman’s Australian office refused to comment on whether passwords had been reset.
A token response
RSA has released scant information about the extent of the compromise of its SecurID system, fuelling speculation that its customers are vulnerable to attack.
Street and Carey disagreed on whether RSA should disclose further details.
“RSA never answered details about what happened and they need to be called to answer,” Street said.
“If we expect so much information from a gaming company (see information on the Sony breach), then why aren’t we expecting the same information from a security company whose customers are in the military, finance, and government sectors?”
Street said corporations could not be trusted to disclose information that could affect bottom lines.
Carey argued that RSA was obliged only to inform its customers, and would disclose any important details about the SecurID breach.
“Not everyone needs to know what happened. If it was critical and something was compromised, they would have done a whole recall, because imagine the penalties they would face for not doing so when it would have the potential to affect so many clients.”
Carey said basic security gaffes were behind 90 percent of breaches. These gaffes, not compromised SecurID tokens, should be the prime suspect of the defence contractor breaches, he said.
“It’s more often the human element that is the cause – staff clicking on phishing emails, which happens after authentication. But we’d rather blame RSA.”
Street agreed, and said breaches would occur until perimeter and web application security improved, and staff – the weakest link – were properly trained in safe information security practice.
“Every company must face the ugly truth that we can be attacked. We need to learn how to respond to attacks to make breaches containable, because often the response creates more issues than the breach itself."