Bugtraq mailing list archives
Re: SecurID White Paper - A Comment
From: coxa () cableol net (Alan Cox)
Date: Mon, 16 Sep 1996 09:42:45 +0100
powerful freeware packet-manipulation tools like Netcat, it might be about to explode -- more of us will doubtless choose to buy link or application-level crypto. But it is, and should always be, a cost/benefit calculation. Not a bribe to keep the boogieman away.
There is no major cost issue. ssh is free except for a small amount of extra CPU load. Secure mirroring software using rsync and ssh exists.
OTPs serve purposes other than safeguarding network TCP links from session stealing. In many organizations, these are seen as valuable functions. OTP tokens offer greater credibility to both audit and
OTP's don't help protect the important stuff. If someone does a session intercept on your backbone router boy have you got some SERIOUS problems. Worse with stuff like cisco's a UDP intercept including spraying the router with a 1st tftp data block including a cisco password waiting for a boot is just too easy MUCH too easy.
Mr. Neuman asserts that SecurIDs provide "no additional benefit" over reusable passwords when used on a cleartext Internet connection. I suggest this overstates his case considerably, in light of the current prevalence of stolen passwords and replay attacks. [I'm also a little
I think he is close to right. At the end of the day if you get broken into you get broken into. The simple securID attacks demonstrated show the weakness of a pure OTP. Other things show the weakness of pure crypted channels.
When a traveling executive accesses his e-mail server with SecurID over the Internet, he might possibly be hijacked. That might be embarrassing... but it's nothing like the danger involved in having a Pirate win access the corporate financial reports or development plans, for instance. That data, if on another server, could (even likely, would) require an _additional_ SecurID token code... or (perhaps best) might be simply unavailable through the ACE/Client which serves external network links.
Pity if someone emailed to to the travelling executive. Its better to have blanket coverage simply because human beings make regular stupid mistakes, even the best ones.
first identifier, typically the user's name, as the answer needed to all race attacks. (Revising a protocol which has to remain backward compatible to ACE/Clients imbedded in some 200 network products from some 50 vendors is an interesting challenge;-)
You mean you forgot to include a secure download and reprogram of the client units. Ah well Alan
Current thread:
- Re: SecurID White Paper - A Comment Vin McLellan (Sep 10)
- Re: SecurID White Paper - A Comment Adam Shostack (Sep 10)
- Re: SecurID White Paper - A Comment Alan Cox (Sep 11)
- <Possible follow-ups>
- Re: SecurID White Paper - A Comment Mike Neuman (Sep 11)
- Re: SecurID White Paper - A Comment Vin McLellan (Sep 13)
- Re: SecurID White Paper - A Comment Alan Cox (Sep 16)
- Re: SecurID White Paper - A Comment carson () lehman com (Sep 16)
- Vunerability in HP SAM ? John W. Jacobi (Sep 16)
- Re: SecurID White Paper - A Comment Elliot Lee (Sep 16)
- CERT Vendor-Initiated Bulletin VB-96.15 - SCO Security Bulletin CERT Bulletin (Sep 16)
- Re: SecurID White Paper - A Comment Alan Cox (Sep 16)
- Re: SecurID White Paper - A Comment What we're dealing with here is a blatant disrespect of the law! (Sep 16)
- SecurID Peiter Z (Sep 17)
- Re: SecurID White Paper - A Comment Vin McLellan (Sep 16)