Morning Geekout

Here are a couple of items for the geeks among us:

The UCS has released Dave Lochbaum’s analyses of data from three Fukushima Daiichi reactors. Dave was a boiling water reactor (BWR) operator and has also taught BWR operators, so his analysis is both independent and informed. The news to me is that reactor 3’s core was probably close to being uncovered before the tsunami hit, because the emergency cooling systems were not running; the operators started the main emergency cooling system only a couple of minutes before the tsunami arrived. All the reports are interesting reading for a detailed analysis of the first critical hour of the reactor shutdown.

Robert X. Cringely believes that SecurID has been compromised at an unnamed US defense contractor. SecurID is a little keyfob that displays a new pseudorandom number every 30 or 60 seconds, depending on the model. It’s used for “two-factor authentication”, which means that the user types in the number from the SecurID along with a password or PIN to get remote access to a computer system. The number is not actually random: each fob is loaded at the factory with a secret seed, and the displayed number is computed from that seed and the current time, so the authentication server, which holds a copy of the seed, can compute the same number. SecurID was considered secure because even if someone knew your password, they’d need to have the physical SecurID to read the “random” number.

In March, someone broke into the computers of RSA, SecurID’s manufacturer, and probably stole seed material for fielded tokens. If Cringely’s source is right, that stolen material was used to compute the number a particular SecurID would be showing at a given moment, so just knowing someone’s password (Cringely suggests a keylogger) was enough to breach a major defense contractor’s security. This is a big deal, because SecurID is widely deployed in defense, banking and other corporate environments.






27 replies
  1. 1
    PeakVT says:

    Wow, if SecurID really is compromised that is a big, big problem. My experience has been that IT shops just assume those things are bulletproof, and give users authorized by one pretty wide access.

    I think the IT community needs to admit that there are just a lot of computers that should not be wired to a network, or at least a network that is wired directly or indirectly to the outside world. No matter what any vendor says, there is a point of attack in any system, and some things are just too important to be subject to that risk. All computers and networks are vulnerable to a physical intrusion, too, but remote attackers have the luxury of time, and a physical hacker doesn’t.

  2. 2
    MizB says:

    I work from home for a large corporation & use SecurID to access the corporate VPN. We had major access problems not too long ago. Corporate security never told us what the problem was, but this makes me go hmmmmm.

  3. 3
    Turbulence says:

    I think the Cringely report is BS. There was a breach at some defense contractor. Someone is blaming the RSA breach, but there’s no reason to take them seriously: if someone in a big defense contractor’s IT shop fucked up, of course they’re going to try and pass the buck to RSA, regardless of whether that’s correct. We don’t have any actual information yet, just a rumor from someone who’s probably trying to cover their ass.

  4. 4

    The reactor stuff is interesting, but so damn technical I’m not sure anyone who’s not a nuclear engineer can really understand its importance.

  5. 5
    estamm says:

    Holy crap, SecurID hacked? I use one all the time. (The cycle is 60 seconds.) Actually, there is a bit more to it than just having the sequence. You would have to know the exact minute a particular SecurID was synched with the security system. While every SecurID might generate the same list of pseudorandom numbers, they are all started at different times in the sequence, and you would have to know at which minute a particular one was synched. So, you would still have a problem getting in. Maybe it is easier now, but there would still be difficulties.

  6. 6
    Mark S. says:

    China forces prisoners to gold farm in WoW. This is on top of the regular manual slave labor and regular beatings.

  7. 7
    Ben Cisco says:

    If the story is true as reported, very bad business; however, estamm is right, the bad guys would have to have more data with regard to sync times.

  8. 8
    Jay C says:

    I use a little doohickey just like this for my business banking: I had always thought they had been pre-loaded with numbers pre-assigned to one’s account – they’re really synched, and can be hacked?

    Ain’t technology wonderful…..????

  9. 9
    HRA says:

    I have been a prisoner to the daily rant from Mr. A about no news and/or update about the Japanese reactors. I am not sure if I even want to show him the above.

    OT – mistermix, I assume you are from the Rochester area, as is Doug. Do you know what the newest food fad there, called garbage, is, and can you describe it? We are going to a cookout grad party for a relative in Rochester this weekend and that was mentioned as being served.

  10. 10
    Bostondreams says:

    Oh no. Once again, I can expect my Warlock to be left naked, broke, and banned.

  11. 11
    mistermix says:

    @HRA: I think you mean a “garbage plate”

    http://en.wikipedia.org/wiki/N.....bage_Plate

    Avoid at all costs, IMO but YMMV

  12. 12

    To the title of this post, are there any “non-geeks” among us?

  13. 13
    HRA says:

    @mistermix:

    Thanks for the info. Yes, I will be avoiding it. Yuk!

  14. 14
    Poopyman says:

    My own employer, also an Enormous Defense Contractor, went into a defensive crouch immediately after the RSA hack was announced. Sounds like Cringely is referencing yet another EDC. Looks like good times all around the industry.

  15. 15
    Foxhunter says:

    @Poopyman: Same issue here. Back in March, we were told to change passwords and bumped to 4 out of 4 on the complexity scale (upper/lower/numerical/symbol) AND there is a 10 digit PIN implementation before the token is even used.

    Three-factor authentication, anyone?

  16. 16
    Cat says:

    National secrets blah blah blah… It’s the same system used by Blizzard to protect your WoW account. Now having your account hacked, THAT’S a tragedy people can relate to. :-0

  17. 17
    Failure, Inc. says:

    Bullshit. Cringely is the Thomas Friedman of the computing world, notable only for his being consistently and utterly wrong about every subject on which he pontificates.

    Major security breach at a major DoD contractor? Happens all the time. Wow, they had to take the VPN down? VPN should have been on a completely separate network in the first place. But if this network was all “sensitive” and such, as Cringely implies, well, one does not use VPN for A SECURE ENVIRONMENT. If this mythical defense contractor is real and is allowing people to VPN into the sensitive end of their network to work, they are guilty of massive security violations in the first place and should lose their ability to handle sensitive data.

    Not that such a thing will ever happen to one of the majors. They are literally untouchable.

    But yeah. Cringely. Trades in rumor, speculation, and bullshit. Wrong about everything and I’d bet money he’s wrong about this too.

  18. 18
    Sentient Puddle says:

    That RSA story strikes me as dubious. I’m reading this:

    It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company.

    I don’t know anything about their algorithm, but aren’t these things supposed to be designed so that it’s really difficult to attack in this way? That’s a pretty basic cryptographic principle right there, and maybe there’s some subtle distinction between those and pseudo-random number generators that I’m missing, but it still strikes me that an attacker shouldn’t be able to keylog a few codes and then be able to reconstruct a seed.

    Then this:

    What if every RSA token has been compromised, everywhere?

    This doesn’t even logically follow. Assuming the method of attack described above is even accurate, they only cracked those few tokens at that one company. There’s no way that attack would have provided them with any useful information for any other RSA token they wanted to try to attack.

  19. 19
    Sentient Puddle says:

    Oh yeah, and @Cat: WoW is safe. Back when the RSA breach was first announced, Blizzard came forward and said that their authenticator was their own in-house implementation. I remember a lot of really nervous people initially.

  20. 20
    Catsy says:

    @Failure, Inc.:

    But yeah. Cringely. Trades in rumor, speculation, and bullshit. Wrong about everything and I’d bet money he’s wrong about this too.

    If that guy doesn’t have one of the top ten eponysterical names on the Internet, I’d be surprised.

  21. 21
    Perfect Tommy says:

    @estamm: There are both 60-second fobs and 30-second fobs. The 30-sec models are probably more expensive, but helpful for someone who needs to open multiple concurrent sessions and does not want to wait 60 seconds between logins.

  22. 22
    LGRooney says:

    Our VPN is down and has been since Sunday… About two months ago we had to re-do passwords, logins to various functions, etc. Then, we started getting very personal, officious-sounding, in-house TTS robo-calls telling us they were working on the problem. Those calls stopped but the system is still down.

    I am fairly certain that there was no access to sensitive industrial information, at least not through this breach, but as for personal info…

  23. 23
    Villago Delenda Est says:

    This is a big deal, because SecurID is widely deployed in defense, banking and other corporate environments.

    Not to mention World of Warcraft accounts.

    On edit: I see Sentient Puddle addressed this most serious of all possible compromises issue already :)

  24. 24
    daveNYC says:

    @mistermix: Embrace the garbage plate. Just make sure to swap the mac salad for home fries. And see if you can get a burger patty instead of a red or white hot as the ‘meat’.

  25. 25
    bago says:

    Even if they get the algorithm, they would still need the seed. If both were compromised that would be a full breach. However, if the seed is safe and the algorithm offers up multiple hashes, then the computational effort to work backwards is non-trivial.

  26. 26
    BombIranForChrist says:

    I used to have one of those fobs. We played poker with them. You would wait for the new number sequence to flash and then see if you got 2 pair, 3 of a kind, etc. etc.

    I guess we were pretty bored ..

  27. 27
    Michael Finn says:

    The nuclear reactor stuff is kind of frightening.

    There are three things to keep in mind when it comes to nuclear power control: power rate (what you are generating), water flow rate (to cool the rods), and pressure (how much pressure is coming from the cooling steam?).

    The water rate was at zero for at least a minute, meaning the rods were exposed.

    The power generators worked a grand total of approximately 80 minutes, which means the plant lost the ability to keep the equipment functioning.

    The Main Steam Isolation Valves closed when they lost power, it’s a failsafe to prevent leakage but it is assumed that the water was still coming in. When those valves closed, they couldn’t get power to open them back up because the idiots who built the plant didn’t plug the valves into the generators.

    So the plant lost its water flow, had an increase in pressure, and the pressure went from 6.1 MPa to 7.1 MPa. You had a hotter reactor, with extra pressure, and no way to turn it off. They started to open the emergency steam pressure valve to ease it off. This is a meltdown.

    Apparently they manually opened and closed the valve until it stopped working.

    The reactor did have a Reactor Core Isolation Cooling system which was meant as a hail mary to keep the system cool, but it didn’t start working until at least 4PM. Scarily enough, the tsunami occurred two minutes later and power went bye bye.

    In short: Every fucking thing that could have stopped the meltdown that depended on man to do the right thing didn’t work by either design or missing data.
