Re: RSA SecurID SID800 Token vulnerable by design

2006-09-18 Thread Daniel Carosone
On Sat, Sep 16, 2006 at 11:40:55PM -0500, Travis H. wrote: > This looks mildly interesting: > http://www.projectblackdog.com/product.html Yes, a friend lent me one of these to play with a while ago, they're really quite cool. Lots of interesting possibilities - which was entirely the point of the

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-17 Thread Travis H.
On 9/15/06, Daniel Carosone <[EMAIL PROTECTED]> wrote: But let's not also forget that these criticisms apply approximately equally to smart card deployments with readers that lack a dedicated pinpad and signing display. This looks mildly interesting: http://www.projectblackdog.com/product.html

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-17 Thread Paul Zuefeldt
I wouldn't dispute any of the arguments made in the original or subsequent posts on this topic pointing out that the programmatic interface to the device opens a security hole. But I think it needs to be said that this is only in the environment where trojans, etc., can infiltrate the machine.

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-15 Thread Daniel Carosone
On Thu, Sep 14, 2006 at 02:48:54PM -0400, Leichter, Jerry wrote: > | The problem is that _because there is an interface to poll the token for > | a code across the USB bus_, malicious software can *repeatedly* steal new > | token codes *any time it wants to*. This means that it can steal codes > |

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-14 Thread Leichter, Jerry
| The problem is that _because there is an interface to poll the token for | a code across the USB bus_, malicious software can *repeatedly* steal new | token codes *any time it wants to*. This means that it can steal codes | when the user is not even attempting to authenticate I think this su

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-14 Thread Thor Lancelot Simon
On Wed, Sep 13, 2006 at 10:23:53PM -0400, Vin McLellan wrote: > [... a long message including much of what I can only regard as outright advertising for RSA, irrelevant to the actual technical weakness in the SID800 USB token that Hadmut described, and which Vin's message purportedly disputes.

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-14 Thread Vin McLellan
On Cryptography, and in several other online forums, Hadmut Danisch <[EMAIL PROTECTED]>, a respected German information security analyst, recently published a harsh critique of one optional feature in the SID800, one of the newest of the six SecurID authentication tokens -- some with slightly

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-10 Thread Anne & Lynn Wheeler
Lance James wrote: Agreed, and since my research is focused on online banking I can see yours and my point, either way, SecurID should not be the only concept for dependence. as i've mentioned several times, in the mid-90s, the x9a10 financial standards working group was given the task of pre

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-09 Thread Sean W. Smith
One can have a lot of fun with key-wielding tokens, especially on Windows. See: J. Marchesini, S.W. Smith, M. Zhao. "Keyjacking: the Surprising Insecurity of Client-side SSL." Computers and Security. 4 (2): 109-123. March 2005. http://www.cs.dartmouth.edu/~sws/pubs/msz05.pdf --Sean Sean

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-09 Thread Hadmut Danisch
On Fri, Sep 08, 2006 at 11:31:28AM -0700, Lance James wrote: > SecurID should not be the only concept for dependence. Yeah, however, it is a smart device which provides a reasonable level of security in a very simple and almost foolproof way (I know a case where the users complained that it did

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-09 Thread Lance James
Hadmut Danisch wrote: > Hi Lance, > > On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote: >> Another problem from what I see with Malware that steals data is the >> formgrabbing and "on event" logging of data. Malware can detect if >> SecureID is being used based on targeted events, examp

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-09 Thread Hadmut Danisch
Hi Lance, On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote: > > Another problem from what I see with Malware that steals data is the > formgrabbing and "on event" logging of data. Malware can detect if > SecureID is being used based on targeted events, example: Say HSBC > (Hypothetical

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-09 Thread Lance James
Hadmut Danisch wrote: > Hi, > > I recently tested an RSA SecurID SID800 Token > http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf > > > The token is bundled with some windows software designed to make > user's life easier. Interestingly, this software provides a function

RSA SecurID SID800 Token vulnerable by design

2006-09-08 Thread Hadmut Danisch
Hi, I recently tested an RSA SecurID SID800 Token http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf The token is bundled with some windows software designed to make user's life easier. Interestingly, this software provides a function which directly copies the current toke