The WiKID Blog

Viewing posts by admin

On the security of software tokens for two-factor

Securology has a post about RSA's software tokens. In it, two key issues are raised; one is specific to tokens that use symmetric encryption, such as the RSA software tokens:

Distributing the seed record requires a confidential channel to ensure that it is not perfectly duplicated in transit. Distributing seed records to many of the supported platforms of soft token vendors involves plaintext transmission, such as sending the seed record as an email attachment to a Blackberry client. An administrator may provision the seed record encrypted using an initial passphrase that is distributed out-of-band, but it is common practice for seed records and initial passphrases to be distributed side-by-side. Whereas a physical token can only be in one place at a time, a soft token could be perfectly duplicated by an eavesdropper, even complete with its initial passphrase (especially when it isn't distributed out of band). If Alice receives her soft token and changes its passphrase, Eve could keep her perfect copy with the initial passphrase or choose to change the passphrase; either way, the back end of the one-time-password authentication system will receive a valid token code (time value encrypted with the seed record).
Note that this is not an issue with WiKID's software tokens, because we use public key encryption. The private key remains on the device and only the public key is transmitted. What matters for WiKID is the out-of-band method of verifying the user's registration code. This could be done over the phone or via an application that uses some existing trusted information or credentials. (We protect against a man-in-the-middle attack in this process by hashing the registration code with the WiKID server's public key before presenting it to the user. Thus, if someone is trying to impersonate the server, the registration with the real server will fail.)

More on low-frequency, high-impact events

Adam's post yesterday on the agency problem got me thinking more about low-frequency, high-impact events and their predictability. His post was about Bear Stearns and how employees lost money. The interesting point for me was that those are the people who should have been in the best position to know that the potential for a high-impact event was increasing.

Banks slow intrabank transfers to help spot fraud

According to Gartner, four UK banks have slowed intrabank transfers to try to reduce fraud.

Bankash

Dave Evans from Teros pointed out that the PWSteal.Bankash.D trojan includes two lists: one for sites that

Is a password-protected computer like a locked box?

A recent Circuit Court decision found them to be so:

The 10th Circuit's recent 2-1 decision in U.S. v. Andrus, No. 06-3094 (April 25, 2007), recognized for the first time that a password-protected computer is like a locked suitcase or a padlocked footlocker in a bedroom. The digital locks raise the expectation of privacy by the owner. The majority nonetheless refused to suppress the evidence.
In the case in question, the father of the suspect gave the officers permission to search the house and his son's computer. The test for the majority was pretty high:
Judge Michael R. Murphy, joined by the court's newest member, Judge Neil M. Gorsuch, said the legal test is "whether law enforcement knows or should reasonably suspect because of surrounding circumstances that the computer is password protected."
While the dissenting judge pointed out that it might be hard to determine if a computer is password protected:
In dissent, Judge Monroe G. McKay said the unconstrained ability of law enforcement to use forensic software to bypass password protection without first determining whether such passwords have been enabled amounts to "dangerously sidestepping the Fourth Amendment."
