Penetration Testing mailing list archives
Re: [PEN-TEST] Palm Pilot Security
From: "Ng, Kenneth (US)" <kenng () KPMG COM>
Date: Mon, 5 Feb 2001 12:50:18 -0500
Soft tokens I am not sure about. Hard tokens it depends on how often the proper end user signs on. Unfortunately I have to be careful here not to spill any NDA data. Lets just say that if he signs on often, the window is small, if he does not sign on often, the window opens up. Also, you need to have the DRIFT of the token as well, since SecurID figures out the drift rate of the tokens. I agree that end user training is the best defense. I've seen end users write the PIN on the SecurID token. I've seen terminals with the user id and password stuck onto the top with a post-it. I've seen people install and set up PC Anywhere without any password and in their defense they say "no one but me will ever find it". To which I state that I did find it, thats why we're having this conversation. We need an updated version of "loose lips sink ships". -----Original Message----- From: Tony Rowan [mailto:Tony.Rowan () Seven-Peas co uk] Sent: Monday, February 05, 2001 4:48 AM To: PEN-TEST () SECURITYFOCUS COM Subject: Re: [PEN-TEST] Palm Pilot Security Assuming an attacker was able to duplicate the SoftID token on their Palm, then they don't have to be that accurate about the time difference between the original Palm and their duplicate. The acceptable token values are from a window of acceptible values and I think it's +/- 10 values for a SoftID token. That means the attacker's Palm could be +/- 10 minutes from the original. As always, it is imperative that the owner of the authenticator is protective of their token, be it a standalone device (standard token) or software-based solution. Back to training our users properly I guess. -----Original Message----- From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Ng, Kenneth (US) Sent: 26 January 2001 15:29 To: PEN-TEST () SECURITYFOCUS COM Subject: Re: [PEN-TEST] Palm Pilot Security SecurID authentication depends on two components, what you have and what you know. To defeat a hardware token you must generate the proper code at the proper time, and you must know the PIN that the person has chosen. PINs are from 3 to 8 character alpha numerics, but I bet most people choose 4 digit numbers to match their ATM card. As far as getting information from a PALM pilot, I'd imagine that you would have to borrow the pilot twice. The first time put in a program to copy the PIN. The second time to get the PIN and download the seed information. Technically you should also get the time on the pilot with respect to UTC, but most equipment should be within a minute or two of the real time. Stealing a pilot often isn't hard. Borrowing one that is returned without the person noticing is usually harder. I have no idea how long it would take to break in and add a PIN grabbing program. Summary: is it an increased risk? Yes. Is it significant? Well, depends on how well the end user guards his pilot. I keep mine in my pocket except at home. I never leave it on my desk at work. -----Original Message----- From: Crist Clark [mailto:crist.clark () GLOBALSTAR COM] Sent: Thursday, January 25, 2001 7:27 PM To: PEN-TEST () SECURITYFOCUS COM Subject: Re: [PEN-TEST] Palm Pilot Security Mike Ahern wrote: [snip]
Anybody aware of methods to hack past the password protection on the Palm? I assume that like anything else, physical access equals potential for 100% system compromise. Anyone aware of any RSA/Security Dynamics soft token security issues on the Palm Pilot?
I believe what is important in this case is not necessarily preventing people from breaking the password protection, but rather being able to detect it. Most SecurID tokens have no access control. It's just a little device with a number on the screen. If the user loses it or it is stolen, you deactivate access for the old one and give him a new one. It is assumed it cannot be cloned without the owner noticing. Even if one can crack it open to get the secret key out, the owner should be able to tell the device was tampered with. For a PDA with soft tolken software, the problem is that it may be possible for an attacker to clone the tolken without the owner knowing. Like you say, one assumes physical access equals compromise. If someone loses her PDA, you cancel access for her tolken. Easy call. The challenge in arrises when a tolken is stolen, but the physical device is not. It is not required that the password protection on the PDA be extremely strong or difficult to defeat _PROVIDED_ you can tell when this has occurred. That said, I really do not know how easy or difficult it is to compromise a PDA and then cover your tracks. I just wanted to point out that if some people point to general information about PDA security, this should probably be the criteria used to evaluate their security standards when serving as a soft tolken device: Not the ability to repell attack, but the ability to tell if an attack has occurred. -- Crist J. Clark Network Security Engineer crist.clark () globalstar com Globalstar, L.P. ************************************************************************** *** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. ************************************************************************** *** ***************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. *****************************************************************************
Current thread:
- Re: [PEN-TEST] Palm Pilot Security Tony Rowan (Feb 05)
- <Possible follow-ups>
- Re: [PEN-TEST] Palm Pilot Security Ng, Kenneth (US) (Feb 05)