On the heels of the breach that potentially exposed RSA’s source code for its SecurID tokens – the same tokens used every day by thousands of employees to access their corporate VPNs – a defense contractor acknowledged on May 27, 2011, that its network may have been compromised as an indirect result of the RSA breach. As reported by Reuters, Bloomberg, and the New York Times, the defense contractor “detected an intruder trying to break into its networks last Sunday. It shut down much of its remote access and has been providing new tokens and passwords to many workers.”
It is still not certain whether the two breaches are related, but it is interesting to note that this story was first broken by a blogger and not the broader media. Given that this incident may involve military information, it is likely we will never fully learn what has happened. When it comes to divulging secrets, misinformation is usually the stock in trade of the military.
What remains clear, however, is that advanced persistent threats continue to pose long-term threats to corporate and governmental interests. The good old days of naive hackers stumbling upon exposed databases and inadvertently helping to plug a previously unknown hole are no more. We are now in the age where a state actor or sophisticated cyber criminal will gladly sit on vulnerabilities for as long as it takes. Simply put, with enough patience, a determined and sophisticated thief will eventually get whatever information a buyer may want.
[Update: June 10, 2011]
RSA conceded that the defense contractor breaches may be related to RSA’s March breach and has offered to replace corporate SecurID fobs. There is some supposition that a large defense bid was the catalyst leading to both the RSA breach and subsequent defense contractor breaches. We may never know who caused the various attacks or why. What we do know, however, is that RSA has decided to appoint its first chief security officer.