I wouldn't dispute any of the arguments made in the original or subsequent
posts on this topic pointing out that the programmatic interface to the
device opens a security hole. But I think it needs to be said that this is
only in the environment where trojans, etc., can infiltrate the machine.
On 9/15/06, Daniel Carosone [EMAIL PROTECTED] wrote:
But let's not also forget that these criticisms apply approximately
equally to smart card deployments with readers that lack a dedicated
pinpad and signing display.
This looks mildly interesting:
http://www.projectblackdog.com/product.html
I
On Thu, Sep 14, 2006 at 02:48:54PM -0400, Leichter, Jerry wrote:
| The problem is that _because there is an interface to poll the token for
| a code across the USB bus_, malicious software can *repeatedly* steal new
| token codes *any time it wants to*. This means that it can steal codes
|
On Cryptography, and in several other online forums, Hadmut Danisch
[EMAIL PROTECTED], a respected German information security analyst,
recently published a harsh critique of one optional feature in the
SID800, one of the newest of the six SecurID authentication tokens --
some with slightly
On Wed, Sep 13, 2006 at 10:23:53PM -0400, Vin McLellan wrote:
[... a long message including much of what I can only regard as
outright advertising for RSA, irrelevant to the actual technical
weakness in the SID800 USB token that Hadmut described, and which
Vin's message purportedly disputes.
| The problem is that _because there is an interface to poll the token for
| a code across the USB bus_, malicious software can *repeatedly* steal new
| token codes *any time it wants to*. This means that it can steal codes
| when the user is not even attempting to authenticate
I think this
Lance James wrote:
Agreed, and since my research is focused on online banking I can see
yours and my point, either way, SecurID should not be the only concept
for dependence.
as i've mentioned several times, in the mid-90s, the x9a10 financial
standards working group was given the task of
Hadmut Danisch wrote:
Hi,
I recently tested an RSA SecurID SID800 Token
http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf
The token is bundled with some Windows software designed to make
user's life easier. Interestingly, this software provides a function
which
Hi Lance,
On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
Another problem from what I see with Malware that steals data is the
formgrabbing and on event logging of data. Malware can detect if
SecurID is being used based on targeted events, example: Say HSBC
(Hypothetical
Hadmut Danisch wrote:
Hi Lance,
On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
Another problem from what I see with Malware that steals data is the
formgrabbing and on event logging of data. Malware can detect if
SecurID is being used based on targeted events, example: Say
One can have a lot of fun with key-wielding tokens, especially on
Windows. See:
J. Marchesini, S.W. Smith, M. Zhao.
Keyjacking: the Surprising Insecurity of Client-side SSL.
Computers and Security.
4 (2): 109-123. March 2005.
http://www.cs.dartmouth.edu/~sws/pubs/msz05.pdf
--Sean
Sean
Hi,
I recently tested an RSA SecurID SID800 Token
http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf
The token is bundled with some Windows software designed to make
user's life easier. Interestingly, this software provides a function
which directly copies the current