Skip to main content

The WiKID Blog

Viewing posts tagged Authentication Attacks


Josh Hoyt has a preliminary notice about a security fix for MyOpenID. It's limited (at least on MyOpenID) to Safari users, so it's not a big deal. Josh considers it a flaw in the way Safari handles javascript security. But it is clear that OpenID is going through some growing pains as a protocol, which is natural and healthy. I'm impressed with the way the community is handling this vulnerability.


Securology has a post about RSA's software tokens. In it, two key issues with are raised, one is specific to tokens that use symmetric encryption such as the RSA software tokens:

Distributing the seed record requires a confidential channel to ensure that it is not perfectly duplicated in transit. Distributing seed records to many of the supported platforms of soft token vendors involves plaintext transmission, such as sending the seed record as an email attachment to a Blackberry client. An administrator may provision the seed record encrypted using an initial passphrase that is distributed out-of-band, but it is common practice for seed records and initial passphrases to be distributed side-by-side. Whereas a physical token can only be in one place at a time, a soft token could be perfectly duplicated by an eavesdropper, even complete with its initial passphrase (especially when it isn't distributed out of band). If Alice receives her soft token and changes its passphrase, Eve could keep her perfect copy with the intial passphrase or choose to change the passphrase-- either way, the back end of the one-time-password authentication system will receive a valid token code (time value encrypted with the seed record).
Note that this is not an issue with WiKID's software tokens as we use public key encryption. The private key remains on the device and only the public key is transmitted. It is the out-of-band method of verifying the user's registration code that matters for WiKID. This could be done over the phone or via an application which uses some existing trusted information or credentials. (We protect against a man-in-the-middle attack in this process by hashing the registration code with the WiKID server's public key before presenting it to the user. Thus, if someone is trying to impersonate the server, the registration with the real server will fail.)


According to ComputerWeekly's Downtime blog, a password on a post-it note allowed a temp to access email of a London mayor's office staffer, revealing an affair with a married woman. Downtime's take:

Downtime expects Ken to have already ordered a two-factor authentication scheme to protect those afflicted with short-term memory difficulties, banned 3M’s best-selling product and instructed HR to re-do the background checks to weed out anyone with a malicious sense of humour.


Today I receieved a phish that is targeting commercial accounts of BB&T. It's interesting because it will be much harder to do transaction analysis fraud prevention on commercial accounts (same for brokerage accounts) and the email used a pending 'security device' roll-out as the premise for needing the information.


As posted on been hacked.

Recent Posts







RSS / Atom