A security firm offers to replace up to 40m electronic keys after its system is compromised. Amid fears of state-sponsored hacker teams, a UK expert tells Channel 4 News “one person could do it”.
Stolen data tokens were used to break into computer networks at Lockheed Martin, the Pentagon’s number one arms supplier which makes fighter jets and warships.
In an open letter to RSA customers Executive Chairman Art Coviello said “defence secrets” were the likely target.
This fits with recent claims in the US that “state-sponsored” cyber warfare – possibly from China – has become a daily threat and will be treated as an “act of war”.
Someone with a computer science PhD in cryptography could do this. Peter Sommer
Mr Coviello wrote: “Certain characteristics of the attack on RSA indicated that the perpetrator’s most likely motive was to obtain an element of security information that could be used to target defence secrets… rather than financial gain or public embarrassment.”
He added that recent high-profile hacks affecting Sony, Google and Nintendo were “totally unrelated to the breach at RSA”.
But Peter Sommer, an information systems security expert and visiting professor at the London School of Economics, said claims about the sophistication of hacks are often overstated.
He told Channel 4 News: “Someone with a computer science PhD in cryptography could do this. You just run a series of tests and turn ‘stolen’ information into something you could deploy.
“It could be someone merely showing off. Or it could be state sponsored espionage.”
He added: “It is a fairly common pattern for people or companies who have been victims of hacks to – instead of saying ‘Oh, we goofed up’ – suggest it is a high-level hack or espionage.”
The “SecureID” system is useful to employees who want to log onto a work computer to remotely access files. Using an an electronic key, they input a six-digit passcode which is regenerated every 30 or 60 seconds. This creates “seed numbers” which match up with pin numbers on a main server to allow access.
Peter Sommer explained: “It’s called two-factor authentication.
“In the UK NatWest also uses this system. The idea is you can use it on a website or over the phone – you put in an inital code from your device.
“In the case of NatWest it is a bit like a calculator. It then comes back at you and you see another set of numbers on your device. If it all matches, you can get into your system and carry out a transaction.”
US officals are expected to classify cyber attacks as “acts of war” in a new Department of Defense strategy document due imminently.
This suggests the US could in future respond to a hack attack with use of force. A Pentagon spokesman recently told the Wall Street Journal: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
In May the Chinese Government admitted for the first time that an elite cyber warfare unit existed in its army, but insisted it was for purely for defence purposes.
Despite the growing threat of cyber warfare, Peter Sommer thinks the US is entering dangerous territory.
He said: “Cyber weaponry falls a long way short of war. Knowing who is attacking you is crucial – otherwise how can you retaliate?”
There are claims two further defence contractors have been hit by the RSA hack. But a UK spokesman for one of them, Northrop Grumman, said he was “not aware” of any breach but said that the firm does “not comment on whether or not it has been a target for cyber intrusions”.