November 26, 2024

Deploying New Tools to Stop the Hackers

Trying to secure a computer network is much like trying to secure a building — the challenge is trying to screen out real threats without impeding the normal traffic that needs to go in and out.

And as the recent hacking attacks against Citigroup, RSA Security and Lockheed Martin show, even sophisticated security systems can be breached.

“We’re seeing an inflection point where the attackers are extremely smart, and they are using completely new techniques,” said Nir Zuk, the chief technology officer at Palo Alto Networks, a firewall company based in Santa Clara, Calif. “Every piece of content that you receive can attack you.”

Historically, the first line of computer defense, the firewall, is like the guard desk at a building. It scrutinizes the traffic going in and out of the system, looking for obviously suspicious characters.

Virtually every company also has antivirus software, which typically keeps an eye out for anything on a “black list” of well-known malware and prevents it from entering the computer system or causing havoc once inside. A more rare type of security grants access only to programs on a “white list” of safe software— the equivalent of allowing employees with ID cards to come and go as they please but preventing anyone else from entering.

But as hackers unleash ever-sneakier attacks, big corporations and government agencies are scrambling to deploy new tools and procedures to deal with all the delicate gray areas in between — the cool-looking new smartphone app, the funny Facebook link, the unknown foreign Web site. The flood of malicious software is also prompting renewed debate over how to balance access and protection.

“Right now, if an application is not known, we let it run,” said Peter Firstbrook, an analyst at Gartner, a research firm, referring to the prevailing view in most companies. “That’s the wrong thing to do.”

Companies like Symantec, the giant Internet security firm, are introducing services that assess the “reputation” of software, weighing factors like how old it is and how widely it is used to decide if it is safe. Other vendors are selling enhanced firewalls and products that can sniff out impersonators by detecting unusual file-usage patterns.

Nearly everyone agrees that a mix of defenses is vital, and that even so, some hackers will still slip through. Experts also say that the proliferation of smartphones, the growing workplace use of Facebook and other social media tools, and the shift toward storing more data in a computing cloud are providing new avenues for attackers.

Symantec’s chief executive, Enrique Salem, acknowledged at a conference in February that traditional antivirus scans “long ago failed to keep up.” As points of entry into corporate and government networks “proliferate on this seemingly insane trajectory,” he added, “so do the threats they attract.”

The growth in malicious software has been staggering, as criminal organizations seek to ferret out credit card numbers and other ways to make money and hackers in China and Russia are believed to be seeking national security secrets.

Last year, Symantec discovered 286 million new and unique threats from malicious software, or about nine per second, up from 240 million in 2009. The company said that the amount of harmful software in the world passed the amount of beneficial software in 2007, and as many as one of every 10 downloads from the Web includes harmful programs.

Unlike past blitzes of spam with clunky sales pitches, today’s attacks often rely on a familiar face and are extremely difficult to stop. In a practice known as spear phishing, hackers send e-mails that seem to come from co-workers or friends and include attachments that can release malware to steal passwords and other sensitive data. In other cases, malware can be activated when a Web link is clicked.

Article source: http://feeds.nytimes.com/click.phdo?i=818a48414feb6ce9fda7d7b2c74cb550

Stolen Data Is Tracked to Hacking at Lockheed

Lockheed’s finding confirmed the fears of security experts about the safety of the SecurID tokens and heightened concerns that other companies or government agencies could be vulnerable to hacking attacks.

The tokens, which are used to protect remote access to computer networks, are sold by the RSA Security Division of the EMC Corporation. RSA officials said Friday that they accepted Lockheed’s findings and were working with customers to offset the risks through other measures.

RSA disclosed in March that hackers had stolen data that could compromise a company’s SecurID system in a broader attack, and the breach of Lockheed, the nation’s largest defense contractor, is the first time that is known to have occurred.

A rash of prominent breaches has brought new attention to an increase in the frequency and sophistication of computer hacking. Google said this week that it believed an effort to steal hundreds of Gmail passwords for accounts of prominent people, including senior American government officials, had originated in China.

The Pentagon, which has long been concerned about efforts by China and Russia to obtain military secrets, announced separately that it would soon view serious computer attacks from foreign nations as acts of war that could result in a military response.

RSA officials noted that Lockheed said it planned to continue using the SecurID tokens, and they said they believed other customers would as well. But security experts said RSA’s reputation had most likely been seriously damaged, and many of its 25,000 customers, including Fortune 500 companies and government agencies around the world, could face difficult decisions about what to do next.

RSA’s prospects for holding on to some of those customers “certainly seems bleak,” said Harry Sverdlove, the chief technology officer at Bit9, a firm that provides other types of security products and does not compete with RSA.

He and other experts said RSA might need to reprogram many of its security tokens or create an upgraded version to rebuild confidence in its systems.

In response to questions on Friday, Lockheed said in an e-mail that its computer experts had concluded that the breach at RSA in March was “a direct contributing factor” in the attack on its network. Government and industry officials said the hackers had used some of the RSA data and other techniques to piece together the coded password of a Lockheed contractor who had access to Lockheed’s system.

Lockheed, which makes fighter planes, spy satellites and other confidential equipment, said it had detected the attack quickly and blocked it before any important data was compromised.

Lockheed said it was replacing 45,000 SecurID tokens held by workers who need to log into its system from customer offices, hotels or their homes. It also required its employees to change their passwords, and it added a step to its sign-on process.

One top RSA official, who would speak only on the condition of anonymity on Friday because of customer relationships, acknowledged that some customers would lose confidence in the devices. “It’s certainly going to have an initial impact,” he said.

He said the company would discuss reprogramming tokens with companies. But, he said, in some cases that may require more work than other measures they could take to beef up different parts of their security systems.

RSA, based in Bedford, Mass., has declined to specify what data was stolen in March. It has also said that it detected the attack as the hackers were removing the data and that the attack was only partly successful.

But independent security experts have speculated that the hackers obtained at least part of the databases holding serial numbers and other critical data for the tens of millions of tokens, and Lockheed’s confirmation that the stolen data played a role in its attack supported that theory.

The RSA tokens provide security beyond a user name or password by requiring users to enter a unique number generated by the token each time they connect to their networks.

But to make use of the data stolen from RSA, security experts said, the hackers would also have needed the passwords of one or more users on Lockheed’s network. RSA has said that in its own breach, the hackers accomplished this by sending “phishing” e-mails to small groups of employees, including one worker who opened an attached spreadsheet that contained a previously unknown bug.

This let the hacker monitor the worker’s passwords. Security specialists suspect that something similar happened in the Lockheed attack, with the hackers using the data stolen from RSA to predict the security codes that the token would generate.

Mr. Sverdlove said that in mounting attacks, many hackers now studied Facebook and other social media for information to personalize their phishing e-mails and increase the odds they will be opened. He said that over the last two years, there had been “an exponential increase” in these attacks.

Security experts said that the alternatives to the tokens, including computerized smart cards and biometric tools, tended to be more expensive. They said Northrop, another giant military contractor, was shifting from SecurID tokens to smart cards.

Article source: http://feeds.nytimes.com/click.phdo?i=0d5490229d59bc2a5b694eaa667daef6

Lockheed Strengthens Network Security After Hacker Attack

Lockheed and RSA Security, which supplies coded access tokens to millions of corporate users and government officials, said they were still trying to determine whether the attack had relied on any data that hackers had stolen from RSA in March or if it had exploited another weakness.

Lockheed, which is based in Bethesda, Md., said on Saturday night that the attack, which occurred on May 21, was “significant and tenacious.” Lockheed officials said they had stopped the attack shortly after hackers got into a system, adding that no customer or company data was compromised.

Sondra Barbour, Lockheed’s chief information officer, sent a memo to the company’s employees on Sunday, saying that its systems remained secure. She said Lockheed had quickly shut down remote access to its network after the attack began.

Still, the attack was significant enough that it was described in briefing materials provided to President Obama, the White House spokesman, Jay Carney, said on Sunday. He said the damage was “fairly minimal.”

Government officials have said Lockheed Martin, the nation’s largest military contractor, and other military companies face frequent attacks from hackers seeking national security data.

Officials at Lockheed and RSA Security, a division of the EMC Corporation that provides the SecurID brand of electronic access tokens, said they were working with federal officials to investigate how the attack occurred and who was behind it.

Ms. Barbour said Lockheed also had accelerated a plan to increase network security. The company has upgraded the SecurID tokens supplied by RSA and is resetting all user passwords. Lockheed also switched to eight-digit access codes from four-digit codes, which are randomly generated by the tokens.

Lockheed officials said on Friday that the attack on its systems might have been linked to one on the RSA network in March. At the time, RSA said it had sustained a data breach that could have compromised some of its security products. Its announcement shocked computer security experts, particularly because its systems are widely used.

Shortly after RSA announced that breach, Lockheed, like many other large companies, said it had added an additional password to the process employees used to connect to its system from remote locations.

One Lockheed executive, who spoke on the condition of anonymity because of security issues, said on Sunday that investigators “cannot rule out” a connection between the attacks on the RSA and Lockheed networks.

EMC said in a statement on Sunday that it was “premature to speculate” on the cause of the Lockheed attack.

Some blog items and articles have suggested that customers would back away from using RSA’s SecurID tokens. But Lockheed said it planned to continue using them, and EMC said it remained confident in the tokens.

Article source: http://feeds.nytimes.com/click.phdo?i=5d93c9a1190580fe52eee98888484e5f