OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Tony Rowan (Tony.RowanSEVEN-PEAS.CO.UK)
Date: Mon Feb 05 2001 - 03:47:45 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Assuming an attacker was able to duplicate the SoftID token on their Palm,
    then they don't have to be that accurate about the time difference between
    the original Palm and their duplicate. The acceptable token values are
    from a window of acceptible values and I think it's +/- 10 values for a
    SoftID token. That means the attacker's Palm could be +/- 10 minutes from
    the original.

    As always, it is imperative that the owner of the authenticator is
    protective of their token, be it a standalone device (standard token) or
    software-based solution. Back to training our users properly I guess.

    -----Original Message-----
    From: Penetration Testers [mailto:PEN-TESTSECURITYFOCUS.COM]On Behalf
    Of Ng, Kenneth (US)
    Sent: 26 January 2001 15:29
    To: PEN-TESTSECURITYFOCUS.COM
    Subject: Re: [PEN-TEST] Palm Pilot Security

    SecurID authentication depends on two components, what you have and what
    you
    know. To defeat a hardware token you must generate the proper code at the
    proper time, and you must know the PIN that the person has chosen. PINs
    are
    from 3 to 8 character alpha numerics, but I bet most people choose 4 digit
    numbers to match their ATM card.

    As far as getting information from a PALM pilot, I'd imagine that you
    would
    have to borrow the pilot twice. The first time put in a program to copy
    the
    PIN. The second time to get the PIN and download the seed information.
    Technically you should also get the time on the pilot with respect to UTC,
    but most equipment should be within a minute or two of the real time.
    Stealing a pilot often isn't hard. Borrowing one that is returned without
    the person noticing is usually harder. I have no idea how long it would
    take to break in and add a PIN grabbing program.

    Summary: is it an increased risk? Yes. Is it significant? Well, depends
    on how well the end user guards his pilot. I keep mine in my pocket
    except
    at home. I never leave it on my desk at work.

    -----Original Message-----
    From: Crist Clark [mailto:crist.clarkGLOBALSTAR.COM]
    Sent: Thursday, January 25, 2001 7:27 PM
    To: PEN-TESTSECURITYFOCUS.COM
    Subject: Re: [PEN-TEST] Palm Pilot Security

    Mike Ahern wrote:

    [snip]

    > Anybody aware of methods to hack past the password
    > protection on the Palm? I assume that like anything
    > else, physical access equals potential for 100% system
    > compromise. Anyone aware of any RSA/Security Dynamics
    > soft token security issues on the Palm Pilot?

    I believe what is important in this case is not necessarily preventing
    people from breaking the password protection, but rather being able
    to detect it.

    Most SecurID tokens have no access control. It's just a little device
    with a number on the screen. If the user loses it or it is stolen, you
    deactivate access for the old one and give him a new one. It is assumed
    it cannot be cloned without the owner noticing. Even if one can crack it
    open to get the secret key out, the owner should be able to tell the
    device was tampered with.

    For a PDA with soft tolken software, the problem is that it may be
    possible for an attacker to clone the tolken without the owner knowing.
    Like you say, one assumes physical access equals compromise. If someone
    loses her PDA, you cancel access for her tolken. Easy call. The challenge
    in arrises when a tolken is stolen, but the physical device is not. It
    is not required that the password protection on the PDA be extremely
    strong or difficult to defeat _PROVIDED_ you can tell when this has
    occurred.

    That said, I really do not know how easy or difficult it is to compromise
    a PDA and then cover your tracks. I just wanted to point out that if some
    people point to general information about PDA security, this should
    probably
    be the criteria used to evaluate their security standards when serving as
    a soft tolken device: Not the ability to repell attack, but the ability
    to tell if an attack has occurred. 

    --
Crist J. Clark                                Network Security Engineer
crist.clarkglobalstar.com                    Globalstar, L.P.
**************************************************************************
***
The information in this email is confidential and may be legally
privileged.
It is intended solely for the addressee. Access to this email by anyone
else
is unauthorized.

    If you are not the intended recipient, any disclosure, copying,
distribution
or any action taken or omitted to be taken in reliance on it, is
prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed
in
the governing KPMG client engagement letter.
**************************************************************************
***
    • application/x-pkcs7-signature attachment: smime.p7s