On Sat, Sep 16, 2006 at 11:40:55PM -0500, Travis H. wrote:
> This looks mildly interesting:
> http://www.projectblackdog.com/product.html
Yes, a friend lent me one of these to play with a while ago, they're
really quite cool. Lots of interesting possibilities - which was
entirely the point of the
On 9/15/06, Daniel Carosone <[EMAIL PROTECTED]> wrote:
But let's not also forget that these criticisms apply approximately
equally to smart card deployments with readers that lack a dedicated
pinpad and signing display.
This looks mildly interesting:
http://www.projectblackdog.com/product.html
I wouldn't dispute any of the arguments made in the original or subsequent
posts on this topic pointing out that the programmatic interface to the
device opens a security hole. But I think it needs to be said that this is
only in the environment where trojans, etc., can infiltrate the machine.
On Thu, Sep 14, 2006 at 02:48:54PM -0400, Leichter, Jerry wrote:
> | The problem is that _because there is an interface to poll the token for
> | a code across the USB bus_, malicious software can *repeatedly* steal new
> | token codes *any time it wants to*. This means that it can steal codes
> |
| The problem is that _because there is an interface to poll the token for
| a code across the USB bus_, malicious software can *repeatedly* steal new
| token codes *any time it wants to*. This means that it can steal codes
| when the user is not even attempting to authenticate
I think this su
On Wed, Sep 13, 2006 at 10:23:53PM -0400, Vin McLellan wrote:
>
[... a long message including much of what I can only regard as
outright advertising for RSA, irrelevant to the actual technical
weakness in the SID800 USB token that Hadmut described, and which
Vin's message purportedly disputes.
On Cryptography, and in several other online forums, Hadmut Danisch
<[EMAIL PROTECTED]>, a respected German information security analyst,
recently published a harsh critique of one optional feature in the
SID800, one of the newest of the six SecurID authentication tokens --
some with slightly
Lance James wrote:
Agreed, and since my research is focused on online banking I can see
yours and my point, either way, SecurID should not be the only concept
for dependence.
as i've mentioned serveral times, in the mid-90s, the x9a10 financial
standards working group was given the task of pre
One can have a lot of fun with key-wielding tokens, especially on
Windows. See:
J. Marchesini, S.W. Smith, M. Zhao.
"Keyjacking: the Surprising Insecurity of Client-side SSL."
Computers and Security.
4 (2): 109-123. March 2005.
http://www.cs.dartmouth.edu/~sws/pubs/msz05.pdf
--Sean
Sean
On Fri, Sep 08, 2006 at 11:31:28AM -0700, Lance James wrote:
> SecurID should not be the only concept for dependence.
Yeah, however, it is a smart device which provides a reasonable level
of security in a very simple and almost foolproof way (I know a case
where the users complained that it did
Hadmut Danisch wrote:
> Hi Lance,
>
> On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
>> Another problem from what I see with Malware that steals data is the
>> formgrabbing and "on event" logging of data. Malware can detect if
>> SecureID is being used based on targeted events, examp
Hi Lance,
On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
>
> Another problem from what I see with Malware that steals data is the
> formgrabbing and "on event" logging of data. Malware can detect if
> SecureID is being used based on targeted events, example: Say HSBC
> (Hypothetical
Hadmut Danisch wrote:
> Hi,
>
> I recently tested an RSA SecurID SID800 Token
> http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf
>
>
> The token is bundled with some windows software designed to make
> user's life easier. Interestingly, this software provides a function
Hi,
I recently tested an RSA SecurID SID800 Token
http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf
The token is bundled with some windows software designed to make
user's life easier. Interestingly, this software provides a function
which directly copies the current toke
14 matches
Mail list logo
