There's a scary trend happening in computer hacking; it looks like the bad guys are escalating from attacking random weak sites to targeted attacks against companies that provide security infrastructure.

Back in March RSA disclosed that they had been compromised and their SecurID system had been targeted. SecurID is a product that's widely used by companies for login security. RSA never came clean on exactly what happened, but they did admit that the incident could "reduce the effectiveness" of SecurID. Now the other shoe has dropped with the NYT reporting that the recent Lockheed Martin compromise appears to be related to the RSA breach.

In May LastPass warned users they had a "network traffic anomaly" that they could not explain. LastPass is a password management tool that stores their customers' passwords. The company's disclosure was quite comprehensive but vague because they don't really know what was taken. I still trust them, but it makes me nervous.

There's been a lot of other recent high profile security incidents: the Gawker fiasco, the Google incident with China, the Sony outage. But the attacks on RSA and LastPass feel different. Those companies are not easy targets, they are sophisticated security companies. And they make security systems, a very valuable asset if you're in the business of attacking protected targets.

The buzzword for this kind of attack is Advanced Persistent Threat. The reassuring thing is these attacks are focussed and purposeful, not random vandalism. Personally I fear random Eastern European password hackers much more than I fear the Chinese government or a US / Israel cooperative. But it's a bad thing if our industry's most sophisticated security companies are no more effective at protecting their customers than a crappy PHP site.

The press is reporting "the attackers created duplicate SecureID devices".
  2011-05-30 14:09 Z