Full Disclosure mailing list archives

Re: Re: Re[3]: RSA SecurID SID800 Token vulnerable by design


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 11 Sep 2006 20:37:47 +0400

Dear Brian Eaton,

--Monday, September 11, 2006, 7:35:08 PM, you wrote to 3APA3A () security nnov ru:


The network is compromised as long as the attacker keeps control over the
compromised host, regardless of authentication. And sometimes longer.

BE> - the spyware has access to the web mail system for as long as the
BE> token is in the machine
BE> - once the token is removed, the spyware can continue accessing the
BE> web mail system until the web mail system session expires

BE> So the damage is limited to what is stolen during the session, while
BE> with a password-only system the account could be used for an
BE> indefinite time period, i.e. until password change.

Not exactly. As you said, the token will be used for initial authentication,
but a cookie will be used for session tracking. Everything depends on the
cookie expiration time and how it's implemented. If the cookie never
expires, or the expiration time is long enough to keep the session between user
logons to web mail, the intruder can keep using the session with the same cookie.
If the IP is not checked for the cookie, the intruder can use the cookie offline from
his host. If the IP is controlled, but the cookie is automatically refreshed or the
expiration time is high, the intruder can use the compromised host as a 'bot' to
keep the session alive, even after user logoff. The intruder can redirect the
client's traffic to his own host and use it as a proxy to web mail, to
keep the session from his host to web mail after the user finishes. A lot of
different scenarios exist to keep the session after the token is removed.

-- 
~/ZARAZA
http://www.security.nnov.ru/
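The reply above argues that a session cookie, not the token, decides how long access lasts. The following is an added example (not code from the thread or from RSA) of a server-side session store that closes those gaps: the lifetime is capped from the moment the token code was verified so a keep-alive 'bot' cannot extend it, idle sessions expire, and the cookie is bound to the client address. Policy values, names and the simulated client are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy values, not taken from any product.
ABSOLUTE_LIFETIME = 8 * 3600  # seconds since token authentication; never extended
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies


@dataclass
class Session:
    authenticated_at: float  # time the one-time token code was verified
    last_seen: float         # only this clock is refreshed by activity
    client_ip: str           # address the cookie was issued to


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, session_id, client_ip, now):
        self._sessions[session_id] = Session(now, now, client_ip)

    def validate(self, session_id, client_ip, now):
        """Return (ok, reason). A valid request refreshes only the idle clock."""
        s = self._sessions.get(session_id)
        if s is None:
            return False, "unknown"
        if now - s.authenticated_at > ABSOLUTE_LIFETIME:
            del self._sessions[session_id]       # refreshing cannot push past this cap
            return False, "absolute_expired"
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[session_id]
            return False, "idle_expired"
        if client_ip != s.client_ip:
            return False, "ip_mismatch"          # cookie replayed from another host
        s.last_seen = now
        return True, "ok"


def simulate_keepalive(store, session_id, client_ip, start, interval, duration):
    """Constructed client that touches the session every `interval` seconds.
    Returns (time_rejected, reason), or (None, 'still_alive') if never rejected."""
    t = start
    while t <= start + duration:
        ok, reason = store.validate(session_id, client_ip, t)
        if not ok:
            return t, reason
        t += interval
    return None, "still_alive"
```

With sliding expiry only, the simulated client would keep the session alive for the full 24 hours; with the absolute cap it is cut off shortly after eight hours.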


