Message-ID: <66445130.20060911203747@SECURITY.NNOV.RU>
Date: Mon, 11 Sep 2006 20:37:47 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Brian Eaton" <eaton.lists@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: Re[3]: RSA SecurID SID800 Token vulnerable by design
Dear Brian Eaton,
--Monday, September 11, 2006, 7:35:08 PM, you wrote to 3APA3A@...urity.nnov.ru:
>>
>> The network is compromised as long as the attacker keeps control over the
>> compromised host, regardless of authentication. And sometimes longer.
BE> - the spyware has access to the web mail system for as long as the
BE> token is in the machine
BE> - once the token is removed, the spyware can continue accessing the
BE> web mail system until the web mail system session expires
BE> So the damage is limited to what is stolen during the session, while
BE> with a password-only system the account could be used for an
BE> indefinite time period, i.e. until password change.
Not exactly. As you said, the token will be used for initial authentication,
but a cookie will be used for session tracking. Everything depends on the
cookie expiration time and how it's implemented. If the cookie never
expires, or the expiration time is long enough to keep the session alive between
user logons to web mail, the intruder can keep using the session with the same cookie.
If the IP is not checked for the cookie, the intruder can use the cookie offline from
his own host. If the IP is checked, but the cookie is automatically refreshed or the
expiration time is high, the intruder can use the compromised host as a 'bot' to
keep the session alive, even after user logoff. The intruder can redirect the
client's traffic to his own host and use it as a proxy to web mail, to
keep the session from his host to web mail alive after the user finishes. There are a lot of
different scenarios for keeping the session after the token is removed.
--
~/ZARAZA
http://www.security.nnov.ru/
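The cookie policies argued over in this thread can be made concrete. The following is an added example, not code from either poster or from RSA: a small session store with a configurable policy (idle timeout, absolute lifetime, IP binding, server-side logout) and a constructed simulation of the "keep the session alive after the token is removed" scenario. All names, the user `alice`, and the IP addresses `10.0.0.5` / `203.0.113.7` are hypothetical.

```python
# Added example (not from the thread): a minimal web-mail session store that
# models the cookie policies discussed above, plus a simulation of the
# "keep the session alive after the token is removed" scenarios.
# Policy, SessionStore, simulate, the user and the IPs are all hypothetical.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    idle_timeout: Optional[float]      # seconds without a request before expiry; None = never
    absolute_timeout: Optional[float]  # hard cap on session age even if refreshed; None = never
    bind_ip: bool                      # reject the cookie when presented from another client IP
    invalidate_on_logout: bool         # revoke server-side on logout, not just clear the cookie


@dataclass
class Session:
    user: str
    ip: str
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Issues and validates session cookies under a Policy. Token (OTP)
    verification is assumed to have succeeded before login() is called."""

    def __init__(self, policy: Policy, clock):
        self.policy = policy
        self.clock = clock            # callable returning current time in seconds
        self._sessions = {}

    def login(self, user: str, ip: str) -> str:
        sid = secrets.token_urlsafe(32)   # unguessable cookie value
        now = self.clock()
        self._sessions[sid] = Session(user, ip, now, now)
        return sid

    def request(self, sid: str, ip: str) -> Optional[str]:
        """Validate a request carrying cookie `sid`; return the user or None."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        now = self.clock()
        p = self.policy
        if p.bind_ip and s.ip != ip:
            return None
        if p.idle_timeout is not None and now - s.last_seen > p.idle_timeout:
            s.revoked = True
            return None
        if p.absolute_timeout is not None and now - s.created > p.absolute_timeout:
            s.revoked = True
            return None
        s.last_seen = now   # sliding refresh: each valid request extends the idle window
        return s.user

    def logout(self, sid: str) -> None:
        s = self._sessions.get(sid)
        if s is not None and self.policy.invalidate_on_logout:
            s.revoked = True


class FakeClock:
    """Deterministic clock so the simulation runs instantly and offline."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate(policy: Policy) -> dict:
    """Constructed scenario: the user logs in with the token from 10.0.0.5,
    works 10 minutes, removes the token and logs out. Spyware on that host
    has copied the cookie and pings web mail every 5 minutes for 2 hours to
    keep the session alive; then the intruder tries the cookie from 203.0.113.7."""
    clock = FakeClock()
    store = SessionStore(policy, clock)
    sid = store.login("alice", "10.0.0.5")
    clock.advance(600)
    store.request(sid, "10.0.0.5")      # user's last real request
    store.logout(sid)                   # token removed, user clicks logout
    bot_alive = None
    for _ in range(24):                 # 24 x 5 min = 2 hours of keep-alive
        clock.advance(300)
        bot_alive = store.request(sid, "10.0.0.5")
    remote = store.request(sid, "203.0.113.7")
    return {"bot_kept_alive": bot_alive is not None,
            "remote_use": remote is not None}


# Policies from weakest to hardened.
NEVER_EXPIRES = Policy(None, None, False, False)
IP_BOUND_SLIDING = Policy(900, None, True, False)   # 15 min idle, refreshed on use
ABSOLUTE_CAP = Policy(900, 3600, True, False)       # plus a 1 h hard limit
HARDENED = Policy(900, 3600, True, True)            # plus server-side logout

if __name__ == "__main__":
    for name, p in [("never expires", NEVER_EXPIRES), ("ip bound, sliding", IP_BOUND_SLIDING),
                    ("absolute cap", ABSOLUTE_CAP), ("hardened", HARDENED)]:
        print(f"{name:20s} {simulate(p)}")
```

With `NEVER_EXPIRES` the copied cookie works both from the bot and from the intruder's own host; with `IP_BOUND_SLIDING` the remote use fails but the keep-alive bot on the compromised host holds the session open indefinitely, which is the case the reply describes. Note that IP binding alone also does nothing against the proxy variant mentioned above, since the traffic then comes from the user's own address; only the absolute lifetime cap and true server-side invalidation on logout end the session regardless of who is refreshing it.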
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/