Bugtraq mailing list archives
Re: SecurID White Paper - A Comment
From: mcn () remise ORG (Mike Neuman)
Date: Wed, 11 Sep 1996 12:15:01 -0600
Hi Vin, you're wrong. And although you argued eloquently, your statements seem to reflect those of a person who is blindly defending a purchasing decision rather than listening to reason.
> Both Neuman and Willoughby... don't bother to acknowledge the limited purpose and function, or any independent value, of strong user authentication. (Encryption without strong authentication is also problematic, to say the least.)
I never said strong authentication has no value. However, I would not classify SecureID as strong authentication. SecureID + good encryption *IS* strong authentication, which is exactly what I said in my message.
> But then, Prophets with a Revelation are like that: single-minded;-) These guys, and others who use similar rhetoric, sometimes get so caught up in their jeremiads that they ignore basic tradecraft. In Compsec, security is never absolute; both threats and defenses are always relative.
Here's the reason you're wrong, and the reason one time passwords without encryption should be completely avoided: What is the primary value of One Time Passwords? To eliminate the possibility that a sniffer can steal a password and reuse it. All other benefits are tertiary (i.e. To prevent password guessing? Most systems have limits on the number of guesses before an account is disabled. To prevent password file stealing and cracking? If your passwords are that bad, get npasswd, or any of the other products for VMS, IBM, NT, etc., which enforce good passwords. For dialup? Reusable passwords (which aren't transferred over the network in plaintext) work just fine when taken with account disabling and good password enforcement, AND they're a LOT cheaper than the $50/pop every 3 years for SecureID.) So, if the primary purpose in using SecureID is to eliminate the effectiveness of sniffers, then guess what--a hijacking attack is a VERY simple modification of a sniffer. So, your "elimination of the effectiveness of sniffers" is now anything but. This sounds like a pretty major vulnerability to me.
> Yet, professionals who decide that this threat does not yet justify the expenditure necessary to block it do not deserve to be scorned as fools. Risk-analysis is Security 101. How much insurance, at what cost? To protect against what scope of potential loss?
Indeed. It seems like SecureID is pretty expensive "insurance" for no additional benefit. Your argument treats hijacking as some esoteric, theoretical attack. Arguments like yours are the reason TCP Sequence Number Prediction works--it was theorized about at least 6 years ago, and widely published. But people claimed, "Oh, it's not that big of a risk, let's ignore the problem." And we all got bit by it. To use your exact quote:
> Properly forging TCP packets, the essential skill for tcp-splicing, is still beyond the wannabes on Alt.2600.
As my post attempted to point out, there ARE exploit programs out, and available to the wannabes in Alt.2600.
> The function of a security device is to raise the cost of an attack upon it -- in terms of time, money, equipment, specialized knowledge, and risk of criminal penalties -- so that it is no longer (compared to alternatives) an attractive or likely avenue of attack.
There is no additional time, money, equipment, knowledge, or risk in session hijacking. As I said, it's a simple modification of a sniffer. And public versions DO exist. (Do you take my word for it yet, or would you like me to post one?) Here's the header from one I picked up during one of my intrusion investigations:

    /* ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** */
    /* RoadWarrier presents...                                        */
    /* \|/a8 c00|_ h11j@k|\|g T00lz (wcht)                            */
    /* Greetz to:                                                     */
    ...
    /* Use by:                                                        */
    /* 1: Get root                                                    */
    /* 2: Make sure yer $DISPLAY is correct                           */
    /* 3: wcht                                                        */
    /* 4: Every new connectiun will be hiijacked after "Last login"   */
    /*    or "mail." is seen. An xterm will started on your display   */

To use an analogy someone else posted on firewalls, using SecureID without encryption is like paying for a car alarm but never bothering to lock your car.

-Mike Neuman
mcn () EnGarde com
http://www.engarde.com
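The point Neuman is making (a one-time password defeats replay of the credential but does nothing for the session that follows it, whereas per-message integrity under a session key does) can be shown with a small in-process model. The code below is an added example, not part of the original post and not any product's code: the OTP verifier, the telnet-style shell, the integrity-protected shell and the three simulated parties are all constructed here, and the shared session key is assumed to have come from an authenticated key exchange (as SSH or Kerberos would provide) rather than derived in the example.

```python
"""Toy model: a one-time password stops credential replay but not command
injection into a plaintext session; a per-message MAC under a session key
stops both. Everything is simulated in-process; nothing touches a network.
Constructed example, not code from the original post."""
import hashlib
import hmac
import secrets


def mac(key, counter, line):
    """HMAC-SHA256 over (counter, line); the counter binds message order."""
    return hmac.new(key, f"{counter}:{line}".encode(), hashlib.sha256).hexdigest()


class OtpVerifier:
    """Models the token server: each one-time code is accepted at most once."""

    def __init__(self, valid_codes):
        self._unused = set(valid_codes)

    def verify(self, code):
        if code in self._unused:
            self._unused.remove(code)
            return True
        return False


class PlaintextShell:
    """Telnet-style login: once one OTP check succeeds, every later line that
    arrives on the connection is executed, whoever actually sent it."""

    def __init__(self, verifier):
        self.verifier = verifier
        self.logged_in = False
        self.executed = []

    def login(self, code):
        self.logged_in = self.verifier.verify(code)
        return self.logged_in

    def receive(self, line):
        if not self.logged_in:
            return "not logged in"
        self.executed.append(line)
        return "ok"


class IntegrityProtectedShell(PlaintextShell):
    """Same shell, but each line must carry a MAC under the session key and a
    strictly increasing counter, so lines not produced by the key holder and
    replayed lines are both dropped before execution."""

    def __init__(self, verifier, session_key):
        super().__init__(verifier)
        self.key = session_key
        self.last_counter = 0

    def receive(self, msg):
        counter, line, tag = msg
        if not self.logged_in:
            return "not logged in"
        expected = mac(self.key, counter, line)
        if counter <= self.last_counter or not hmac.compare_digest(tag, expected):
            return "dropped"
        self.last_counter = counter
        self.executed.append(line)
        return "ok"


def plaintext_scenario():
    """OTP over a plaintext session: replaying the code fails, but a line
    injected into the already-authenticated connection is executed."""
    verifier = OtpVerifier({"493217"})          # constructed sample code
    user_session = PlaintextShell(verifier)
    user_session.login("493217")
    user_session.receive("ls")                    # the real user's command
    replay_session = PlaintextShell(verifier)
    replay_login = replay_session.login("493217")  # sniffed code, reused
    injected = user_session.receive("cat /etc/shadow")  # third party's line
    return {"replay_login": replay_login, "injected": injected,
            "executed": list(user_session.executed)}


def protected_scenario():
    """Same login, but the session carries per-message MACs under a key the
    third party does not hold (assumed to come from an authenticated key
    exchange, e.g. SSH or Kerberos; not derived here)."""
    session_key = secrets.token_bytes(32)
    shell = IntegrityProtectedShell(OtpVerifier({"493217"}), session_key)
    shell.login("493217")
    legit_msg = (1, "ls", mac(session_key, 1, "ls"))
    legit = shell.receive(legit_msg)
    forged = shell.receive((2, "cat /etc/shadow", "00" * 32))  # no key
    replayed = shell.receive(legit_msg)           # stale counter
    return {"legit": legit, "forged": forged, "replayed": replayed,
            "executed": list(shell.executed)}


if __name__ == "__main__":
    print(plaintext_scenario())
    print(protected_scenario())
```

The model deliberately keeps the OTP verifier identical in both scenarios: what changes the outcome is not the credential but whether each subsequent message is bound to the authenticated party, which is the property encryption with integrity (or a MAC alone, as modelled here) adds and a plaintext transport lacks.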