Re: [fw-wiz] Username password VS hardware token plus PIN

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 02/22/05

    To: MHawkins@TULLIB.COM, firewall-wizards@honor.icsalabs.com
    Date: Tue, 22 Feb 2005 11:50:51 -0500

    MHawkins@TULLIB.COM wrote:
    >What is the value of hardware token with burned in PIN as compared to
    >username password (when the password policy is forced strong)?

    A physical device has the valuable property that it cannot be
    stolen twice. I can steal your password and you still have it.
    If I steal your token, you know it's gone - unless I steal it using
    much more complicated techniques that involve me sending an
    undercover agent to your location. This is a particularly valuable
    property for network devices and systems because we don't yet
    know how to steal a physical device over SSH.

    I suppose the closest that'd come would be a social engineering
    attack along the lines of:
            "Dear bozo@yourdomain.com -
            We need to change the batteries in your authentication token,
            as part of annual maintenance. Please mail it in the included
            business reply envelope within the next 30 days if you wish to have
            continued access. Include a $20 bill for the battery replacement service
            and disposal of the old batteries. There will be a $100 late fee if you
            take longer than 30 days to return your authentication token for
            service.
                    Thank you,
                    The Security Department,
                    Yourdomain.com"

    And my guess is 10% of your average users would fall for it.

    mjr.
