[FW1] SecurID token crackable...

Hey...

I know it is not directly related to FW-1... but a lot of you may be using
SecurID tokens/+ACE server along with FireWall-1 ...

Just received this mail from SANS and thought I should spread the word...

I.C. Weiner claims to have code that will generate the response to the ACE
server's challenge as long as you have the ASC files... (files that come on
a floppy when you buy your tokens)... 

...another reason to highly and extremely protect that floppy and
files!!!!!!...

see note from SANS below...

excerpt from SANS news release (SANS Windows Security Digest Vol. 3 Num. 12
[email protected])
---------
"3.3. RSA SecurID Token is Crackable

I.C. Wiener released sample code showing how to generate SecurID token
responses without having the physical token. According to the advisory,
the algorithm is easily breakable if one has access to the ASC files
used to initialize the tokens. Essentially, the code sample Wiener
released is a SecurID emulator. This is interesting because RSA has
claimed that part of the security of SecurID is the security of the
algorithm it uses. Now that this algorithm has been duplicated, the
security of the token is based only on the token initializer and the
PIN used to access the system protected by the token. Therefore, it is
extremely important that these files be properly protected. It should
be assumed that if the initialization files have been compromised,
so has the entire token system. These files are often stored on a
floppy disk.

As of this writing, it appears that observation of the numbers on
the token is not enough, however, to determine the card secret."
----------

Amin Tora
Secure+
ePlus Technology
