Bugtraq mailing list archives

Re: SecurID White Paper - A Comment


From: mcn () remise ORG (Mike Neuman)
Date: Wed, 11 Sep 1996 12:15:01 -0600


  Hi Vin, you're wrong. And although you argued eloquently, your statements
seem to reflect those of a person who is blindly defending a purchasing
decision rather than listening to reason.

Both Neuman and Willoughby... don't bother to
acknowledge the limited purpose and function, or any independent value, of
strong user authentication.  (Encryption without strong authentication is
also problematic, to say the least.)

  I never said strong authentication has no value. However, I would not
classify SecureID as strong authentication. SecureID + good encryption
*IS* strong authentication, which is exactly why I said in my message.

       But then, Prophets with a Revelation are like that: single-minded;-)

      These guys, and others who use similar rhetoric, sometimes get so
caught up in their jeremiads that they ignore basic tradecraft. In Compsec,
security is never absolute; both threats and defenses are always relative.

  Here's the reason you're wrong, and the reason one time passwords without
encryption should be completely avoided:

  What is the primary value of One Time Passwords? To eliminate the possibility
that a sniffer can steal a password and reuse it. All other benefits are
tertiary (i.e. To prevent password guessing? Most systems have limits on
the number of guesses before an account is disabled. To prevent password
file stealing and cracking? If your passwords are that bad, get npasswd,
or any of the other products for VMS, IBM, NT, etc which enforce good
passwords. For dialup? reusable passwords (which aren't transferred over the
network in plaintext) work just fine when taken with account disabling and
good password enforcement, AND they're a LOT cheaper than the $50/pop every
3 years for SecureID.)

  So, if the primary purpose in using SecureID is to eliminate the
effectiveness of sniffers, then guess what--a hijacking attack is a VERY
simple modification of a sniffer. So, your "elimination of the effectiveness
of sniffers" is now anything but.

  This sounds like a pretty major vulnerability to me.

       Yet, professionals who decide that this threat does not yet justify
the expenditure necessary to block it do not deserve to be scorned as
fools. Risk-analysis is Security 101.  How much insurance, at what cost? To
protect against what scope of potential loss?

  Indeed. It seems like SecureID is pretty expensive "insurance" for no
additional benefit. Your argument treats hijacking as some esoteric,
theoretical attack. Arguments like yours are the reason TCP Sequence Number
Prediction works--it was theorized about at least 6 years ago, and widely
published. But people claimed, "Oh, it's not that big of a risk,
let's ignore the problem." And we all got bit by it. To use your exact
quote:

       Properly forging TCP packets, the essential skill for tcp-splicing,
is still beyond the wannabes on Alt.2600.

  As my post attempted to point out, there ARE exploit programs out, and
available to the wannabes in Alt.2600.

       The function of a security device is to raise the cost of an attack
upon it -- in terms of time, money, equipment, specialized knowledge, and
risk of criminal penalties -- so that it is no longer (compared to
alternatives) an attractive or likely avenue of attack.

  There is no additional time, money, equipment, knowledge, or risk in session
hijacking. As I said, it's a simple modification of a sniffer. And public
versions DO exist. (Do you take my word for it yet, or would you like me to
post one?) Here's the header from one I picked up during one of my intrusion
investigations:

/* ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** */
/* RoadWarrier presents...                                        */
/*  \|/a8 c00|_ h11j@k|\|g T00lz (wcht)                           */
/* Greetz to:                                                     */
...
/* Use by:                                                        */
/* 1: Get root                                                    */
/* 2: Make sure yer $DISPLAY is correct                           */
/* 3: wcht                                                        */
/* 4: Every new connectiun will be hiijacked after "Last login"   */
/*    or "mail." is seen. An xterm will started on your display   */

  To use an analogy someone else posted on firewalls, using SecureID without
encryption is like paying for a car alarm but never bothering to lock your car.

- -Mike Neuman
mcn () EnGarde com
http://www.engarde.com
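The core of the argument above is that a one-time password proves who started a session but says nothing about the bytes that follow it on a plaintext channel, and that only encryption (a per-session key) closes that gap. The following Python model is an added example, not code from this post or from any vendor: it uses a constructed counter-based OTP scheme and a constructed seed, and derives a session key from the token secret (never from the code sent over the wire). It shows the benefit OTPs do deliver (a captured code cannot be replayed), the gap the post describes (a command that did not come from the authenticated client is run anyway on the plaintext channel), and the mitigation (commands bound to the session key with an HMAC are rejected without it).

```python
import hashlib
import hmac

# Constructed demo values; a real token's seed is provisioned out of band.
SHARED_SEED = b"demo-token-seed"


def otp(seed: bytes, counter: int) -> str:
    """Hypothetical counter-based OTP: the code the token displays for a given counter."""
    return hashlib.sha256(seed + counter.to_bytes(8, "big")).hexdigest()[:8]


def session_key(seed: bytes, counter: int) -> bytes:
    """Per-session key derived from the secret seed, so a sniffer who saw only
    the OTP code cannot compute it.  Both token holder and server can."""
    return hashlib.sha256(b"session" + seed + counter.to_bytes(8, "big")).digest()


class OtpServer:
    """Server that authenticates a login with an OTP, then runs commands in one of
    two modes: trusting the plaintext channel, or requiring a per-command HMAC."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.used_counters = set()   # replay protection: each code is accepted once
        self.key = None

    def login(self, counter: int, code: str) -> bool:
        if counter in self.used_counters:
            return False               # captured-and-replayed code is refused
        if not hmac.compare_digest(code, otp(self.seed, counter)):
            return False
        self.used_counters.add(counter)
        self.key = session_key(self.seed, counter)
        return True

    def run_plaintext(self, command: str) -> str:
        """Mode the post warns about: nothing ties later bytes to the authenticated user."""
        if self.key is None:
            return "not logged in"
        return f"ran: {command}"

    def run_bound(self, command: str, tag: str) -> str:
        """Mitigation: each command must carry an HMAC under the session key."""
        if self.key is None:
            return "not logged in"
        expected = hmac.new(self.key, command.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected"
        return f"ran: {command}"


def scenario() -> dict:
    """Walk through login, replay, plaintext injection and key-bound commands."""
    server = OtpServer(SHARED_SEED)
    counter = 1
    code = otp(SHARED_SEED, counter)           # what the legitimate user types
    results = {"login_ok": server.login(counter, code)}

    # A sniffer that captured (counter, code) gets nothing from replaying it.
    results["replay_rejected"] = not server.login(counter, code)

    # Plaintext channel: the server cannot tell an injected command from a real one.
    results["plaintext_injection_accepted"] = server.run_plaintext("id").startswith("ran:")

    # Bound channel: the legitimate client can compute the session key...
    key = session_key(SHARED_SEED, counter)
    good_tag = hmac.new(key, b"id", "sha256").hexdigest()
    results["bound_legit_accepted"] = server.run_bound("id", good_tag).startswith("ran:")

    # ...while a command without a valid tag (no seed, so no key) is refused.
    results["bound_injection_rejected"] = server.run_bound("id", "00" * 32) == "rejected"
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point of the model is the asymmetry between the two channels: the OTP check is identical in both, and it is only the per-message binding to a key the sniffer never saw that makes the second channel refuse foreign input. Real deployments get that binding from an encrypted, integrity-protected transport rather than a hand-rolled HMAC, but the property being bought is the same one.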


