From: Adam Shostack <adam@homeport.org>
Date: Thu, 8 Aug 1996 23:48:00 +0800
To: jk@stallion.ee (Jüri Kaljundi)
Subject: Re: F2 hash?
In-Reply-To: <Pine.GSO.3.93.960808112837.12351D-100000@nebula.online.ee>
Message-ID: <199608081150.GAA18566@homeport.org>
MIME-Version: 1.0
Content-Type: text


This doesn't work as of version 1.3(?) and later.  There is a time
delay before the 'ok' message is sent by the server.  If it gets two
correct login attempts in the delay period (1-5 seconds, default 2),
it assumes an attack is underway and rejects them both.

Adam


=?ISO-8859-1?Q?J=FCri_Kaljundi?= wrote:
|  Wed, 7 Aug 1996, Adam Shostack wrote:
| > J=FCri Kaljundi wrote:

| > | At Defcon this year they promised to tell about some security flaws in
| > | SecurID tokens, anyone know more about that?

| > =09My understanding is that the guy who was going to give the
| > talk had nda difficulties.  Vin?  Did you make it out?  The talk was
| > going to be on race conditions, denial of service attacks, and the
| > like.
| 
| This is something that seems to be a little problematic to me. Considering
| the 3-minute time slot, it seems fairly easy to somehow block the SecurID
| server at the time a user is sending his username/passcode, steal that
| information and allow a malicious user to enter that information into the
| server. Or have I misunderstood some security aspects?
| 
| J=FCri Kaljundi
| AS Stallion
| jk@stallion.ee



-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume