back to article Attack of the clones: Researcher pwns SecureID token system

RSA Security has downplayed the significance of an attack that offers a potential way to clone its SecurID software tokens. The attack, developed by Behrang Fouladi, senior security analyst at SensePost, offers a potential way to defeat the hardware binding and copy protection embedded in RSA's software. Having defeated this …

COMMENTS

This topic is closed for new posts.
  1. Androgynous Cupboard Silver badge

    They have Software Tokens?

    Can't believe they even bother. I'm kind of with RSA on this one, once you have that level of access to the machine then you're hosed anyway, which is presumably why software tokens aren't used for anything secure.

    FIPS-140 level 2 is the minimum I've ever seen stipulated for any sort of secure access and that requires tamper-evident hardware tokens.

    1. John H Woods Silver badge

      Re: They have Software Tokens?

      "Kind of" with RSA as well, for the reason you say.. But it is RSA who provide the S/W token; like a locksmith who sells you a lock and, when it's compromised, says "oh, everyone knows those aren't secure"

      1. No, I will not fix your computer
        Thumb Up

        Re: They have Software Tokens?

        "Kind of, kind of"

        >>like a locksmith who sells you a lock and, when it's compromised, says "oh, everyone knows those aren't secure"

        It's more like the locksmith saying, "You let someone have your keys for a couple of hours?" and then saying, "OK, I might have implied that the keys couldn't be copied, but don't let my sales patter get in the way of your commn sense".

        Any system is only as strong as it's weakest link, RSA tokens in a two factor scheme is unlikely to be the weakest link, but now it's a little weaker, whereas before a social engineering hack to get software on or physical access to the RSA server wouldn't give you anything, now it does, regardless of the fact that the same software or physical access to a targetted system could get you more.

      2. Anonymous Coward
        Anonymous Coward

        Re: They have Software Tokens?

        Errr, kind of, only this is the norm in the world of locks.

        The chances of you finding a tamper proof lock in your high street locksmith is very, very low.

        YouTube for lock picking, lock bumping, snap gun and lock bypass.

  2. ElNumbre

    New Clothes Please

    Whilst each thread plucked from the RSA emperors may not be disastrous, eventually enough will be broken to cause a trouser failure.

    RSA should now take the opportunity to launch a new redesigned version of SecureID and get it out to the rich masses before they suffer a wardrobe malfunction and risk a loss of respect.

  3. Joe Harrison

    I don't see the business case for selling software tokens. Google or Verisign Labs will give you one for free.

    1. Anonymous Coward
      Anonymous Coward

      Well

      Which hardware supports Google and Verisign software tokens as an authentication mechanism? Is that hardware used by enterprise customers?

  4. Anonymous Coward
    Anonymous Coward

    If it *can't* protect you against malware, what's it even for?

    The value added by a physical hardware token over and above just letting people log on with a password is supposed to be that even if they use a compromised machine, they won't lose anything but the single one-time password instance used on that occasion at worst. But this... what the hell is the point of this? It's two-factor authentication without the second factor. WTF? Of course it's vulnerable if the end-node is subverted, so why on earth even use it? It was always entirely useless security theatre even without this vulnerability. (How would it even know if it was running inside a really accurate VM?)

    1. Daniel B.

      There is a use, kinda.

      It's useful for mobile banking apps; the seed will be encrypted using a key derived by a PIN given by the user. On a phone, it's harder to get malware if you're using a secure mobile OS, especially one that's got FIPS 140-2 lvl 2 certification.

      But on Windows? You deserve to have your token pwned. Bad idea! Bad!

  5. Anonymous Coward
    Anonymous Coward

    Clowns

    Clowns. Brrrr. Scary!

  6. Tom 13
    Black Helicopters

    OK, so it is pointless vis-a-vie your run of the mill drive-by script kiddie,

    but what about the spook who can only get access to your system today but wants to be able to know what you are doing 6 months from now? Spooks aren't exactly know for strictly linear logic.

  7. Rich 2 Silver badge
    Devil

    Security? What? Where?.....

    "However a senior RSA Security exec said that, in practice, the attack would only work on a PC already compromised by a rootkit..."

    So if we're talking Windows here, that's ..errr ...just about all of them then!

    On a more practical side, what's to stop an employee with malicious intent from (easily) gaining access to a suitable company machine and installing/running some hack to do this? Not much, by the sound of it.

    1. P. Lee
      Holmes

      Re: Security? What? Where?.....

      > the attack would only work on a PC already compromised

      Which could be installed by any windows admin, who would then be able to impersonate anyone else when accessing other systems.

      It isn't just about stopping access, its about being able to audit who has done what and is often used when the systems to be accessed have higher security requirements than the PC.

      So you might use securid to authenticate to a firewall which allows a single TCP session to your mainframe. The whole point of the changing passcode is to defeat keyloggers and admins who might have control over the local host and be able to compromise a pin.

      You don't give your windows admins access to everything, especially if admin is outsourced.

  8. A J Stiles
    Linux

    Only one way out of this

    This is what you get when you rely for security on the user not having the Source Code to your software. Repeat after me: The only thing that should be assumed to be secret is the decryption key. If you think your software has any way to know it's not running under some sort of emulation, you might be interested in some beachfront properties in Staffordshire.

    The only way out of this situation is legislation to require for Source Code to be made available to end users, always, no exceptions, ever.

  9. Anonymous Coward
    Anonymous Coward

    One word...

    Yubikey. Proper AES hardware token for $25 in one-offs, no secret algorithms. And all the open-source tools are provided to load your own keys and run your own auth service, if you don't trust them.

  10. adamsh
    FAIL

    Betrayal --- Bad Excuses

    If the researchers are correct, this attack will work of every image dump of a system disk. ---- Rootkits are not required --- by no means.

    HA

This topic is closed for new posts.

Other stories you might like