
Thursday, 28 July 2011

EMC and AmCham-China: A Perfect Recipe For A Network Breach

Here is a classic scenario for how critical technology gets stolen. Take a C-level executive of a company whose focus is high value technology (like Cloud computing) and send him to a country that is spending millions of its currency to acquire that technology (like China) to speak at an event organized by an association that has itself been compromised (like the American Chamber of Commerce in China).

The event I'm writing about is coming up on August 9 in Beijing: USITO/AmCham-China's ICT Breakfast Series: Cloud Meets Big Data

China is heavily investing in Cloud Computing, having set up its own Cloud Valley located in the Beijing Economic Technological Development Area for RMB 500 million.

One of AmCham-China's employees was sending out email messages with malicious attachments in January, 2011. These were not spoofed emails, which means that the entire organization's network had been compromised and probably still is.

The speaker for the event is Jeffrey Nick, the CTO of EMC, a company that offers Cloud computing solutions and whose RSA security division suffered a massive breach last March.

This is a textbook case for how executives may be targeted and compromised by a nation state that's interested in their technology. And if this year has taught us anything, it's that everyone is vulnerable - even a top executive at one of the world's largest information security companies.

Saturday, 02 July 2011

Three U.S. National Labs Attacked on July 1: Same Mode As RSA

On July 1, 2011, Battelle Memorial Institute suffered a "sophisticated" attack against its network which also impacted Pacific Northwest National Lab and one other lab which wasn't named. Both PNNL and Battelle shut down their email servers and their Internet access as a precaution. As of 0200 03JUL2011, Battelle's website was still down (battelle.org) while PNNL.gov was functioning normally.
Oak Ridge National Lab suffered a similar attack on April 11 which involved a spear phishing email with a human resources related theme that exploited a 0-day in the IE browser. Battelle manages several Department of Energy labs including:
  • Brookhaven National Laboratory
  • Idaho National Laboratory 
  • National Renewable Energy Laboratory
  • Oak Ridge National Laboratory
  • Pacific Northwest National Laboratory
  • Lawrence Livermore National Laboratory
EMC's RSA SecurID division was compromised in a similar way in early March, 2011 via a spear phishing attack with an HR-related theme. In RSA's case it exploited an Adobe Flash 0-day. While Battelle and its managed national labs are all RSA SecurID customers, there is no publicly available information on the ORNL, PNNL, or Battelle attacks which suggests that the SecurID breach played a role at this time.

UPDATE (0300Z 3 JUL 2011):
Since my initial post I've discovered that on Feb 25, 2011 the Dept of Energy issued a "Preliminary notice of violation" to a division of Battelle - Battelle Energy Alliance - which involved three Severity Level I violations, and one Severity Level II violation associated with:
  • classification determination; 
  • protection and control of classified information; 
  • cyber security;
  • ineffective self-assessment processes that failed to identify the classified information security, and cyber security noncompliances disclosed by this event.
Battelle Energy Alliance is composed of Battelle Memorial Institute and 4 other institutions including BWX Technologies. BWX (Babcock & Wilcox Company) manages the Y-12 National Security Complex for the National Nuclear Security Administration (NNSA). Y-12 just had its webservers compromised through a SQL injection attack on June 12, 2011 by the Phsy hacker crew who posted usernames and passwords to a Pastebin file. One of the names posted belongs to a VP of SCI Consulting:
(SCI Consulting is the) Prime contract to the DOE Oak Ridge Office to provide the full spectrum of IT support services to the three managing and operating contractors on the Oak Ridge Reservation including Bechtel Jacobs Company, LLC; Babcock & Wilcox Technologies Y-12, LLC; and University of Tennessee-Battelle, LLC.
UT-Battelle LLC is a partnership between the University of Tennessee and Battelle Memorial Institute that manages Oak Ridge National Lab so the possibility of compromise via an SCI Consulting executive's credentials is certainly a risk worth examining. Even if this executive's stolen credentials were not used, it serves as an example of the potential exploitation of AntiSec data released in the public domain which agencies of foreign governments or their agents may use to leverage further exploitation or craft targeted attacks.

UPDATE (07 JUL 2011): The 3rd national lab has been identified as the Thomas Jefferson National Accelerator Facility (aka Jefferson Lab).


UPDATE (20 SEP 2011): The CIO of Pacific Northwest National Laboratories describes the attack and makes 7 recommendations.

Friday, 10 June 2011

EMC's Anti-Security Culture: Business First, Security Second

(Updated with additional copy and links - 1920 EST 10 Jun 2011): NetWitness' Chief Security Officer Eddie Schwartz has apparently become the first CSO that EMC's RSA Security division has ever had, which I thought was pretty amazing for a world leader in security technology. In the course of looking into who holds the position at RSA's parent company, EMC, I ran across an EMC Leadership and Innovation article written by former EMC CSO Roland Cloutier that expressed a corporate philosophy which, in my opinion, contributed to the success of the RSA attack earlier this year:
Security must be a business enabler 
Cloutier is adamant that security must be deployed in the service of business goals, enabling the innovation and responsiveness that create competitive advantage. "As security practitioners, our aim is to create an environment for our executives, engineers, and sales folks to build, deliver, and service the absolute best technologies without any impedance or concern about security in our environment," he says. "We want them to understand that security is not a business inhibitor."
One of the recommendations that Cloutier makes in order to keep security from becoming a "business inhibitor" is contained in a special EMC 2009 report "Top Global Security Officers Reveal Strategies for Driving Business Advantage in an Economic Crisis" when he apparently shrunk EMC's security department by 25% in order to create more "efficiency":
"In a tough economy, it's tempting for enterprises to rein in business innovation," said RSA President Art Coviello. "However, strategic initiatives that enable revenue growth and operational transformation are more critical than ever. Security practitioners can help business leaders safely pursue the most lucrative business opportunities by understanding the risk picture and identifying the right trade-offs. At the same time, security teams must find ways to squeeze the most out of every dollar. For example, EMC's Chief Security Officer and council member Roland Cloutier recently freed 25% of EMC's monitoring and response operational resources and achieved a four-fold improvement in alert performance by consolidating device, application and technology monitoring into a centralized SIEM solution."
EMC's commitment to automation as a "sound" security practice continued right up to February 2011 with the release of their latest RSA security paper "Mobilizing Intelligent Security Operations for Advanced Persistent Threats" (.pdf). No wonder the marketing buzzword "APT" showed up in Art Coviello and Uri Rivner's statements about the March attack. The entire EMC technology and security leadership just finished writing a white paper on it! Here's one of the authors' three recommendations for defending against an APT attack:
3. Focus on developing capabilities that enable the analysis of security information in real time and the automatic adaptation of IT-based defenses. Automation will be essential in minimizing reaction times to attacks: the faster organizations can adapt and stay ahead of the attack, the less time the APT has to cause damage. 
The common theme underscoring all three reports is that in EMC's view, automation is an efficiency measure AND a security necessity. It may be a necessity for enabling profitability in a down economy but automated defenses are counter-intuitive for any company that wants to protect its crown jewels from a dedicated and well-funded adversary. Here's why:

An automated solution will never stop a customized attack because the attack was designed to circumvent it!

I'm giving the keynote speech at Basis Technology's Government Users Conference next week on the lack of Cloud security and how Cloud services are becoming sophisticated attackers' preferred targets. Finding economies of scale works for an adversary. It almost never works for the defender. This is a lesson that EMC should have learned by now - the hard way.

Wednesday, 08 June 2011

Breach of Trust: 3 Major Problems With RSA's Public Statements

When a high profile attack occurs and becomes public knowledge, such as the one successfully mounted against EMC's RSA Security division, the company's preparation of its public statement(s) is a critical process. The goal is to start rebuilding customer and stockholder confidence in the company. If it's done right, it may work. If not, it can multiply the effect of the breach far beyond whatever harm the original attack caused. The reason is that when damage control is done right, product replacement is a relatively easy fix. However, when a company issues contradictory statements or when essential facts are missing or obfuscated, then customers may feel a breach of trust. And trust, once broken, can almost never be restored.
While I've recently been very critical of the RSA timeline, as soon as I read Art Coviello's second public statement (issued June 6, 2011), I decided to take a closer look at everything that the company has released on the attack and it isn't pretty, especially as it relates to three essential questions:
  1. What was taken
  2. How much was taken
  3. Who was affected
RSA has produced 5 official statements:
What was taken?
Art Coviello wrote in his June 6 statement that "certain information related to the SecurID product had been extracted." Now compare that wording to what the SecurCare Online Note #2 says: "Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA systems. Some of that information is related to RSA SecurID authentication products", which is a direct quote from Coviello's March 17th letter.

Analysis: Both Coviello's letter #1 and SecurCare's note #2 specified two product sets from which data was extracted. The primary was termed "RSA systems" as in "certain information being extracted from RSA systems". The second was a subset of RSA systems - RSA SecurID authentication products. Coviello's letter #2 contradicts that statement by removing the primary product set altogether but without any clarification as to why. So which statement of Art Coviello's is true: the one from March 17th or the one from June 6th?

How much was taken?
How RSA defines "certain information" sheds light on how much of RSA's IP was taken. According to Coviello's letter and the SecurCare Online Note, "certain information" is defined as everything except what is in the customer's care. Here's the exact language in the Online note:
"To the best of our knowledge, whoever attacked RSA has certain information related to the RSA SecurID solution, but not enough to complete a successful attack without obtaining additional information that is only held by our customers." FAQ question #7 is particularly telling. It asks "Have my SecurID token records been taken?". Instead of providing a direct answer, the FAQ repeats that additional customer data not held by RSA is required to mount a successful attack.

RSA has defined how much data was extracted from its systems with the phrase "certain information not held by the customer" or, to put it in plain English, RSA's attackers took everything.

Who was affected?
None of the initial reports mentioned what Coviello referred to in letter #2 as "our view of the motive of this attacker" meaning the defense industry, and he only confirmed Lockheed Martin after Lockheed Martin had made the news public. More importantly, no mention was made of the attack on L-3 Communications even though an internal company email reportedly said it involved duplicate SecurID tokens.

Summary
The presence of contradictory information in Coviello's two statements and between his statements and the SecurCare Online Notes paints a picture of a company that's trying unsuccessfully to hide the scale and scope of this breach from the public, from its shareholders, and from its own customers. Art Coviello confirmed in the most obscure language possible that everything it has pertaining to SecurID was breached; that the only parts not breached were the parts owned by the customer.

Furthermore, if the statement in both RSA's SecurCare Online Notes were accurate, other RSA security products were compromised as well although the extent is unknown. To give you an idea of the possible further scope, here is a product list from the RSA website:
The RSA Product Finder
The only other unanswered question at this point is how Coviello's mismanagement of this crisis will impact EMC's sales and stock price. His keynote at February's RSA Conference was "Proof, Not Promises". That's something that RSA's customers including the U.S. government need to be demanding right about now.

Related Posts:


18 Days From 0day to 8K - An RSA Attack Timeline Analysis

An Open Source Analysis Of The Lockheed Martin Network Breach

EMC and Google Lawyers Walked Into A Bar.



Monday, 06 June 2011

Was The RSA-Lockheed-L-3 Breach Over A $2.6B DHS Contract?

Site Plan New DHS Building
Since my original post on the Lockheed Martin / Prime contractors breach which I and other security researchers connected to the EMC RSA breach (a fact that EMC has now conceded to), I've been investigating possible motives for this multi-faceted attack. It's always been my belief that RSA's technology was not the primary target but a means to an end. And that "end" apparently involved breaching the networks of multiple Department of Defense contractors: Lockheed Martin, L-3 Communications, and allegedly Northrop Grumman. Other primes mentioned as possibilities by Reuters included General Dynamics, Boeing, and Raytheon.

If RSA was stage one of a multi-stage operation, that would suggest that Lockheed, L-3, and Northrop Grumman as the targets would have something else in common besides just being DOD contractors. Since it's my belief that the EMC RSA attack started earlier than March, 2011 and took some planning prior to its launch, I began looking for contract awards in mid to late 2010 that involved the three victim companies. I found a couple of possibilities that warranted further consideration but then I came across this news item from November 8, 2010: 4 competitors protest award of $2.6 billion IT contract to Northrop Grumman

The award, which is now up for re-bidding (GSA solicitation GST0011AJ0021) is for the crown jewels of the new Department of Homeland Security headquarters - building the infrastructure which will support information technology, telecommunications, security, and building management systems. The contractors who filed protests with GAO are Lockheed Martin, General Dynamics, Serco and L-3 Communications. Of the five companies involved, Lockheed and L-3 are confirmed attack targets, Northrop is an alleged target and General Dynamics is a possible target. Serco hasn't been named by any sources familiar with this attack but they also don't use RSA SecurID tokens; opting instead for Signify, one of RSA's competitors for two factor authentication. 

In order to compete for an award, companies must submit detailed technical proposals in written and oral form with an accompanying slide deck. DHS' acquisition schedule for the competing vendors corresponds with the known dates of the attacks:
DHS TIP Industry Day Deck: (Slide 39)
According to the schedule on slide #39, vendor written proposals were due in April and Orals were due in May. L-3 Communications announced active targeting with penetration attacks on April 6, 2011 while Lockheed reported that its breach commenced on May 21.  Late May was also the time of the alleged attack against Northrop Grumman. 

The information and communications infrastructure of the new DHS headquarters would certainly be a target of interest for foreign intelligence services like the FSB. Even the technical proposals from competing DOD contractors would contain valuable information. The level of detail asked for by DHS is fairly intensive as evidenced by the following slide which breaks out one of the eight required tasks: 
Task 2: Requirements Analysis and Design (slide 26)
If the November, 2010 article in the Washington Post triggered the planning stage of the operation, it offered sufficient time for an adversary to discover that the vendors shared the same two factor authentication technology; perform social engineering research on the target companies' employees, probe company websites for vulnerabilities, and craft customized attacks if needed. This doesn't require the resources of a nation state. Any experienced Eastern European hacker crew could pull it off with a relatively low budget. The upside however is huge. The information contained in those DHS technical proposals could be sold to multiple foreign governments and net the crew a seven figure or eight figure payday. And considering the scope of the DHS HQ project (the largest federal construction job since the Pentagon was built in the 1940's according to the Washington Post), this probably isn't the end of it. Whichever prime contractor wins the TIP contract, along with its sub-contractors, will almost certainly become the next targets to be compromised.



Thursday, 02 June 2011

18 Days From 0day to 8K - An RSA Attack Timeline Analysis

There was a lot that bothered me about the official statements surrounding the RSA SecurID breach. For example, they claimed to be victims of an Advanced Persistent Threat that was neither advanced nor persistent. Then there was news of a related attack against L3 Communications prior to 6 April, less than three weeks after the Coviello letter was made public on 17 Mar 2011. I decided to construct a timeline out of the available facts and see if it supports or conflicts with RSA President Art Coviello [3] and Mr. Uri Rivner's [10] versions of what happened. Either the attack was short-lived, as Mr. Rivner claims, or it was of much longer duration which would put RSA Security division products at greater risk for compromise along with EMC's customers who use them, such as Lockheed Martin [6], L3 Communications [5], and possibly Northrop Grumman [11], among others.


According to Rivner's "Anatomy of an Attack" blog post of 1 April 2011 [10], the attacker used a zero day Flash exploit (CVE-2011-0609) [4]. Neither Rivner nor Coviello provided information about the duration of the attack, however it was easy to calculate.  The 0day that was used in the attack was created on 28 Feb 2011 by a Chinese hacker whose Twitter alias is yuange1975 [2].
yuange1975's Twitter page
If you do the math, 28 Feb to 17 March is 18 days. Think about that for a minute. 18 days from 0day to EMC's 8-K filing with the SEC.  If your head isn't already spinning in disbelief, here's a list of what Uri Rivner claims happened interspersed with other key dates.
  1. At some point on or after 28 Feb 2011, an Attacker acquired yuange1975's Flash 0day, embedded it into an .xls spreadsheet entitled "2011 Recruitment Plan" along with a Poison Ivy RAT payload, and wrote a spear phishing letter to deliver it (est. #/days = ?) [2], [4]
  2. Attacker sent two different phishing emails over a 2 day period before one employee opened the attachment. (est. #/days = 2) [10]
  3. Attacker gained access to RSA network, learned who the privileged users were who had access to sensitive material and stole their credentials, navigated their way across protected levels of access with multiple authentications, intrusion detection systems, and other layers of defense in depth (est. #/days = ?) [10]
  4. Attacker "established access to staging servers at key aggregation points; then went into the servers of interest, removed data (some related to SecurID) and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction" (est. #/days = ?) [10], [3]
  5. Attacker "used FTP to transfer password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack." (est. #/days = ?) [10]
  6. EMC/RSA Security discovered the attack (date unknown), conducted a forensics investigation, and reported their findings to EMC executives
  7. RSA notified SecurID customers individually under NDA (est. #/days to contact 25,000 customers = ?) [8], [9]
  8. EMC lawyers edited and/or approved Art Coviello's statement which served as both its customer letter and SEC 8-K notification, which was finally published on 17 Mar 2011. (est. #/days = ?) [3], [7]
I invite readers to make their own estimates on the number of days that it might take to accomplish any of these 8 steps; particularly those involving forensic investigators and attorneys. The 18 day figure is impossibly brief, which means that the likely first stage of the Prime defense contractor attacks in April and May were deliberately down-played to save EMC's stock price and reputation. EMC's customers, particularly its Dept of Defense customers, should be demanding answers from Art Coviello and the EMC Board of Directors right about now.

UPDATE: An excellent analysis of the Flash 0day that was used can be read at Villys777's security blog [12]. 


References:
[2] @yuange1975 Twitter post; 28 Feb 2011: https://twitter.com/#!/yuange1975/status/42357318628802560
[3] RSA.com website, Art Coviello's "Open Letter To RSA Customers" (17 Mar 2011) http://www.rsa.com/node.aspx?id=3872
[4] Adobe Security Advisory 14 Mar 2011 "Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat": http://www.adobe.com/support/security/advisories/apsa11-01.html
[5] Wired.com ThreatLevel blog by Kevin Poulsen "Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks": http://www.wired.com/threatlevel/2011/05/l-3/
[6] NYTimes 29 May 2011: "Lockheed Strengthens Network Security After Hacker Attack"
[7] Securities and Exchange Commission website "Form 8-K filing from EMC Corporation": http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/d8k.htm
[8] Confidential source provided this information to the author via email correspondence
[9] 25,000 RSA SecurID customers source: 18 Mar 2011 Intrepidus Group blog post: http://intrepidusgroup.com/insight/2011/03/risk-posed-by-securid-hack/
[10] The RSA Blog 1 Apr 2011 "Anatomy of an Attack" by Uri Rivner: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
[11] Fox News.com, 1 June 2011 "EXCLUSIVE: Northrop Grumman May Have Been Hit by Cyberattack, Source Says":
http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/#ixzz1O6jjeiyE
[12] Blog IX Security Research: http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html


Tuesday, 31 May 2011

An Open Source Analysis Of The Lockheed Martin Network Breach

From RSA website
On Saturday 21 May 2011, multiple U.S. defense contractors [2] had their networks attacked by hackers who, in the case of Lockheed Martin, used duplicates of RSA's SecurID tokens to gain access to Lockheed's internal network. Of the possible defense contractors mentioned by Reuters (Boeing, Raytheon, General Dynamics, Northrop Grumman, Lockheed Martin) only Lockheed Martin has made public statements about the attack once LM employees began leaking information about the breach to tech blogger Robert X. Cringely on Wednesday May 25th [3].

Here's what is known about the attack so far:
  1. On Saturday night, May 21, 2011 [2], Lockheed Martin's  (NYSE:LMT) network was breached by attackers who created duplicates to EMC Corp's (NYSE:EMC) RSA SecurID tokens [1]
  2. Late Sunday night, May 22, Lockheed shut down all remote access to its intranet for at least one week, possibly longer [3], [4].
  3. On Wednesday, May 25, Lockheed announced that all employees would have to reset their passwords; that all SecurID tokens would be replaced with new ones; and added an additional password requirement for remote logins [3], [4].
Lockheed's official press release [6] about the attack contains contradictory language that calls into question how accurate its own assessments are:
BETHESDA, Md, May 28th, 2011 -- On Saturday, May 21, Lockheed Martin detected a significant and tenacious attack on its information systems network. The company’s information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.
The word tenacious means "not easily dispelled" and "persisting in existence". An attack cannot be "swiftly" dealt with and "persistent" at the same time. Further "almost immediately" doesn't reconcile with the timeline provided by the above publicly available data, which implies that the attackers had up to 24 hrs of access to Lockheed's network before VPN access was shut off. Finally, while Lockheed claimed that no customer, program, or employee data had been compromised, it was significant enough for President Obama to receive a personal briefing on it, and for DHS and DOD (and presumably NSA) to offer their assistance on Lockheed's investigation [2], [4], [5].

Lockheed had slightly over two months from the time that EMC notified them and other RSA SecurID customers about their breach. At that time, at least one prime defense contractor (not Lockheed Martin) made the decision to stop using RSA SecurIDs for its senior staff and found a completely different vendor to supply their security tokens [7]. Based upon their remediation actions for this breach, Lockheed Martin's senior executives chose to do very little about the compromised SecurID token technology in spite of many warnings issued by security specialists about the potential aftereffects of the RSA attack. Of particular note is the warning issued by ICANN's Whitfield Diffie, a cryptographic expert who told John Markoff of the New York Times that "a worst case scenario would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems" [8]. Apparently that's precisely what happened [1].

Lockheed Martin has a history of significant cybersecurity breaches dating back to Titan Rain in 2003 [9], and the F-35 Joint Strike Fighter program in 2009 [10]. It has never publicly acknowledged the F-35 breach and it landed on the wrong side of the Sandia National Labs lawsuit (LM manages the lab) when a jury awarded a multi-million verdict to Shawn Carpenter for wrongful termination. By some ironic twist of fate, Shawn's employer NetWitness was just acquired by EMC corporation shortly after its SecurID breach and a month or so before Lockheed's.

Clearly, the extent of the RSA SecurID breach was worse than EMC reported to the public, to the Securities and Exchange Commission, and to its customers; at least the ones that I've spoken to. EMC is still refusing to acknowledge its role in this attack [11]. It'll be interesting to see if EMC is sued by Lockheed Martin or any of the other defense contractors for not providing accurate information on the extent of their SecurID compromise and/or fined by the SEC for same, even if Lockheed management couldn't read the tea leaves for themselves.

REFERENCES:
[1] Reuters 27 May 2011: "Exclusive: Hackers breached US Defense Contractors": http://www.reuters.com/article/2011/05/27/us-usa-defense-hackers-idUSTRE74Q6VY20110527
[2] NYTimes 29 May 2011: "Lockheed Strengthens Network Security After Hacker Attack"
http://www.nytimes.com/2011/05/30/business/30hack.html?_r=1&partner=rss&emc=rss
[3] I, Cringely blog 25 May 2011: "InsecurID: No More Secrets?" http://www.cringely.com/2011/05/insecureid-no-more-secrets/
[4] Reuters 29 May 2011: "Lockheed says frequent cyber target from around the world" http://www.reuters.com/article/2011/05/29/us-usa-defense-hackers-idUSTRE74Q6VY20110529
[5] MSNBC (Reuters) 28 May 2011: "Lockheed Thwarts Cyber Attack": http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/t/lockheed-martin-says-it-thwarted-tenacious-cyber-attack/
[6] Lockheed.com 28 May 2011: "Lockheed Martin Customer, Program And Employee Data Secure": http://www.lockheedmartin.com/news/press_releases/2011/0528hq-secuirty.html
[7] SANS Newsbites, Vol. XIII, issue 24 (editorial comment by Alan Paller): http://www.sans.org/newsletters/newsbites/newsbites.php?vol=13&issue=24&rss=Y
[8] NY Times, 17 March 2011: "SecureID Company Suffers A Breach Of Data Security": http://www.nytimes.com/2011/03/18/technology/18secure.html?_r=1
[9] Time.com, 29 August 2005: "The invasion of the Chinese cyberspies": http://www.time.com/time/magazine/article/0,9171,1098961,00.html
[10] WSJ.com, 21 April 2009: "Computer Spies Breach Fighter Jet Project":
http://online.wsj.com/article/SB124027491029837401.html
[11] NY Times, 29 May 2011: "Lockheed Strengthens Network Security After Hacker Attack": http://www.nytimes.com/2011/05/30/business/30hack.html?_r=2&partner=rss&emc=rss

RELATED POSTS:
EMC and Google Lawyers Walked Into A Bar ...
What The RSA and NASDAQ Directors Desk Attacks Have In Common
