RSA Security has downplayed the significance of an attack that offers a potential way to clone its SecurID software tokens. The attack, developed by Behrang Fouladi, senior security analyst at SensePost, offers a potential way to defeat the hardware binding and copy protection embedded in RSA's software. Having defeated this …
They have Software Tokens?
Can't believe they even bother. I'm kind of with RSA on this one: once you have that level of access to the machine, you're hosed anyway, which is presumably why software tokens aren't used for anything secure.
FIPS-140 level 2 is the minimum I've ever seen stipulated for any sort of secure access and that requires tamper-evident hardware tokens.
Re: They have Software Tokens?
"Kind of" with RSA as well, for the reason you say. But it is RSA who provide the S/W token; like a locksmith who sells you a lock and, when it's compromised, says "oh, everyone knows those aren't secure".
Re: They have Software Tokens?
"Kind of, kind of"
>>like a locksmith who sells you a lock and, when it's compromised, says "oh, everyone knows those aren't secure"
It's more like the locksmith saying, "You let someone have your keys for a couple of hours?" and then saying, "OK, I might have implied that the keys couldn't be copied, but don't let my sales patter get in the way of your common sense".
Any system is only as strong as its weakest link. RSA tokens in a two-factor scheme are unlikely to be the weakest link, but now it's a little weaker: whereas before a social engineering hack to get software on, or physical access to, the RSA server wouldn't give you anything, now it does, regardless of the fact that the same software or physical access to a targeted system could get you more.
Re: They have Software Tokens?
Errr, kind of, only this is the norm in the world of locks.
The chances of you finding a tamper-proof lock in your high street locksmith are very, very low.
YouTube for lock picking, lock bumping, snap gun and lock bypass.
New Clothes Please
Whilst each thread plucked from the RSA emperors may not be disastrous, eventually enough will be broken to cause a trouser failure.
RSA should now take the opportunity to launch a new redesigned version of SecurID and get it out to the rich masses before they suffer a wardrobe malfunction and risk a loss of respect.
I don't see the business case for selling software tokens. Google or Verisign Labs will give you one for free.
Which hardware supports Google and Verisign software tokens as an authentication mechanism? Is that hardware used by enterprise customers?
If it *can't* protect you against malware, what's it even for?
The value added by a physical hardware token over and above just letting people log on with a password is supposed to be that even if they use a compromised machine, they won't lose anything but the single one-time password instance used on that occasion at worst. But this... what the hell is the point of this? It's two-factor authentication without the second factor. WTF? Of course it's vulnerable if the end-node is subverted, so why on earth even use it? It was always entirely useless security theatre even without this vulnerability. (How would it even know if it was running inside a really accurate VM?)
There is a use, kinda.
It's useful for mobile banking apps; the seed will be encrypted using a key derived from a PIN given by the user. On a phone, it's harder to get malware if you're using a secure mobile OS, especially one that's got FIPS 140-2 level 2 certification.
But on Windows? You deserve to have your token pwned. Bad idea! Bad!
Clowns. Brrrr. Scary!
OK, so it is pointless vis-à-vis your run-of-the-mill drive-by script kiddie, but what about the spook who can only get access to your system today but wants to be able to know what you are doing 6 months from now? Spooks aren't exactly known for strictly linear logic.
Security? What? Where?.....
"However a senior RSA Security exec said that, in practice, the attack would only work on a PC already compromised by a rootkit..."
So if we're talking Windows here, that's... errr... just about all of them then!
On a more practical side, what's to stop an employee with malicious intent from (easily) gaining access to a suitable company machine and installing/running some hack to do this? Not much, by the sound of it.
Re: Security? What? Where?.....
> the attack would only work on a PC already compromised
Which could be installed by any Windows admin, who would then be able to impersonate anyone else when accessing other systems.
It isn't just about stopping access, it's about being able to audit who has done what, and it is often used when the systems to be accessed have higher security requirements than the PC.
So you might use SecurID to authenticate to a firewall which allows a single TCP session to your mainframe. The whole point of the changing passcode is to defeat keyloggers and admins who might have control over the local host and be able to compromise a PIN.
You don't give your windows admins access to everything, especially if admin is outsourced.
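The two points made in this thread, that a changing passcode defeats a keylogger's replay (the post above) and that a copied seed reproduces every code the genuine token will ever show (the "what is the point" and "seed encrypted with a PIN-derived key" posts earlier), can both be seen in a few lines. The following is an added example and is not code from the article, RSA or the commenters; it uses the public RFC 6238 HMAC-SHA1 construction as a stand-in for SecurID's own proprietary algorithm, and the seed, user name and timestamps are constructed for the example.

```python
"""Seed-based one-time passcodes (RFC 6238 style, HMAC-SHA1).

Added example, not RSA's SecurID algorithm. The structural point holds for
any seed-based token: a passcode is a pure function of (secret seed, time
step), so a server can reject a replayed code, but anyone who copies the
seed produces exactly the codes the genuine token produces.
"""
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Derive a passcode from the seed and the time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Verifier side: holds each user's seed and the last time step it accepted."""

    def __init__(self, seeds: dict, step: int = 60):
        self.seeds = dict(seeds)
        self.step = step
        self.last_step = {}

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        this_step = unix_time // self.step
        # A code already accepted in this step (a keylogged code, replayed) is refused.
        if self.last_step.get(user, -1) >= this_step:
            return False
        if not hmac.compare_digest(totp(seed, unix_time, self.step), code):
            return False
        self.last_step[user] = this_step
        return True


def demo(unix_time: int = 1_700_000_000) -> dict:
    """Walk through genuine login, keylogged replay, next-step login and a cloned seed."""
    seed = b"constructed-seed-for-example-only"   # constructed, not a real token seed
    server = TokenServer({"alice": seed})

    genuine = totp(seed, unix_time)
    # The "clone": the same seed copied off the victim's disk, no further access needed.
    cloned = totp(bytes(seed), unix_time)

    first = server.verify("alice", genuine, unix_time)          # genuine login succeeds
    replay = server.verify("alice", genuine, unix_time + 5)     # keylogged code, same step: refused
    later = server.verify("alice", totp(seed, unix_time + 60), unix_time + 60)  # next step: ok
    return {"clone_matches": genuine == cloned, "first": first, "replay": replay, "later": later}


if __name__ == "__main__":
    print(demo())
```

The replay check is what makes a keylogger on the PC worth little against a hardware token; the `clone_matches` result is what the thread is arguing about, since the clone needs no keylogger at all once the seed has left the machine.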
Only one way out of this
This is what you get when you rely for security on the user not having the Source Code to your software. Repeat after me: The only thing that should be assumed to be secret is the decryption key. If you think your software has any way to know it's not running under some sort of emulation, you might be interested in some beachfront properties in Staffordshire.
The only way out of this situation is legislation to require for Source Code to be made available to end users, always, no exceptions, ever.
Yubikey. Proper AES hardware token for $25 in one-offs, no secret algorithms. And all the open-source tools are provided to load your own keys and run your own auth service, if you don't trust them.
Betrayal --- Bad Excuses
If the researchers are correct, this attack will work on every image dump of a system disk. Rootkits are not required, by no means.