On FD, and in several other security forums, Hadmut Danisch
<[EMAIL PROTECTED]>, a respected German information security analyst,
recently published a harsh critique of one optional feature in the
SID800, one of the newest of the six SecurID authentication tokens --
some with slightly differe
In security it's always about raising that bar a bit more.
You should be in the movies :)
Bojan
That's jan, Bo Jan
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http
On 9/10/06, Lyal Collins <[EMAIL PROTECTED]> wrote:
If there's malware on the machine, and there is a connected USB token, then
authentication is only as good as the password - malware can probe the
connected token as often as desired.
Read my post again. That's not necessarily true. The RSA SID8
Based on your description I see this as a security design problem as
well, but only exploitable if the user does a one-time password based
logon while the token is plugged in. It would be interesting to know
whether folks at RSA did a risk assessment when they decided to implement
this functionality.
nuqneH,
Well, they could have a hardware button on the token itself at least..
On Sat, Sep 09, 2006 at 01:41:55PM +0400, 3APA3A wrote:
> Dear Hadmut Danisch,
>
> 2-factor authentication is not a way to protect against malware.
>
> SecurID authentication supports single sign-on technology.
On 9/9/06, Lyal Collins <[EMAIL PROTECTED]> wrote:
If there's malware on the machine, and there is a connected USB token, then
authentication is only as good as the password - malware can probe the
connected token as often as desired.
In theory, with trusted data paths everywhere (internal to
Lyal
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bojan Zdrnja
Sent: Sunday, 10 September 2006 8:51 AM
To: 3APA3A
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] Re: RSA SecurID SID800 Token vulnerable by design
O
On 9/9/06, 3APA3A <[EMAIL PROTECTED]> wrote:
Dear Hadmut Danisch,
2-factor authentication is not a way to protect against malware.
Well, it protects - the authentication process.
SecurID authentication supports single sign-on technology. As a weak
side of this technology, it means,
On 9/9/06, 3APA3A <[EMAIL PROTECTED]> wrote:
The only additional attack factor this issue creates is attacker can
get _physical_ access to console with user's credentials _any time_
while user is logged in, while in case token can not be read (e.g. it's
not plugged to USB) he can only
Dear Hadmut Danisch,
2-factor authentication is not a way to protect against malware.
SecurID authentication supports single sign-on technology. As a weak
side of this technology, it means, if single account on any network
host is compromised, this account is compromised in whole
On 9/8/06, Hadmut Danisch <[EMAIL PROTECTED]> wrote:
Hi,
I recently tested an RSA SecurID SID800 Token
http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf
The token is bundled with some windows software designed to make
user's life easier. Interestingly, this software pro
You might want to look at:
http://www.networksecurityarchive.org/html/Web-App-Sec/2005-02/msg00089.html
for a discussion of this issue and the soft token issue.
--
---Matthew
*** REPLY SEPARATOR ***
On 9/7/2006 at 8:49 PM [EMAIL PROTECTED] wrote:
>Hi,
>
>I recently tes