[ISN] RSA SecurID software token cloning: a new how-to

From: InfoSec News <alerts_at_private>
Date: Tue, 22 May 2012 01:39:25 -0500 (CDT)

by Dan Goodin
Ars Technica
May 21 2012

A researcher has devised a method attackers with control over a victim's 
computer can use to clone the secret software token that RSA's SecurID 
uses to generate one-time passwords.

The technique, described on Thursday by a senior security analyst at a 
firm called SensePost, has important implications for the safekeeping of 
the tokens. An estimated 40 million people use these to access 
confidential data belonging to government agencies, military 
contractors, and corporations. Scrutiny of the widely used two-factor 
authentication system has grown since last year, when RSA revealed that 
intruders on its networks stole sensitive SecurID information that could 
be used to reduce its security. Defense contractor Lockheed Martin later 
confirmed that a separate attack on its systems was aided by the theft 
of the RSA data.

Last week's blog post by SensePost's Behrang Fouladi demonstrated 
another way determined attackers could in certain cases circumvent 
protections built into SecurID. By reverse engineering software used to 
manage the cryptographic software tokens on computers running 
Microsoft's Windows operating system, he found that the secret "seed" 
was easy for people with control over the machines to deduce and copy. 
He provided step-by-step instructions for others to follow in order to 
demonstrate how easy it is to create clones that mimic verbatim the 
output of a targeted SecurID token.

"When the above has been performed, you should have successfully cloned 
the victim's software token and if they run the SecurID software token 
program on your computer, it will generate the exact same random numbers 
that are displayed on the victim's token," Fouladi wrote.


Received on Mon May 21 2012 - 23:39:25 PDT
