
Re: F2 hash?



This doesn't work as of version 1.3(?) and later.  There is a time
delay before the 'ok' message is sent by the server.  If it gets two
correct login attempts in the delay period (1-5 seconds, default 2),
it assumes an attack is underway and rejects them both.

Adam


Jüri Kaljundi wrote:
|  Wed, 7 Aug 1996, Adam Shostack wrote:
| > Jüri Kaljundi wrote:

| > | At Defcon this year they promised to tell about some security flaws in
| > | SecurID tokens, anyone know more about that?

| > 	My understanding is that the guy who was going to give the
| > talk had NDA difficulties.  Vin?  Did you make it out?  The talk was
| > going to be on race conditions, denial of service attacks, and the
| > like.
| 
| This is something that seems to be a little problematic to me. Considering
| the 3-minute time slot, it seems fairly easy to somehow block the SecurID
| server at the time a user is sending his username/passcode, steal that
| information and allow a malicious user to enter that information into the
| server. Or have I misunderstood some security aspects?
| 
| Jüri Kaljundi
| AS Stallion
| [email protected]



-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
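
The delayed-'ok' check described in the reply above, modelled as an added example (not part of the original thread and not SecurID server code): a toy verifier holds each correct login for the delay window and rejects every session if a second correct attempt for the same user arrives inside it. The class and function names, the per-user keying and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DelayedAcceptVerifier:
    """Toy model: a correct login is held for `delay` seconds before 'ok' is sent."""
    delay: float = 2.0                            # thread: 1-5 seconds, default 2
    pending: dict = field(default_factory=dict)   # user -> (first arrival, [sessions])
    results: dict = field(default_factory=dict)   # session -> "ok" | "reject"

    def release(self, now):
        """Answer every held login whose delay window has expired."""
        for user, (t0, sessions) in list(self.pending.items()):
            if now - t0 >= self.delay:
                # One correct attempt in the window: accept it.
                # Two or more: assume an attack and reject them all.
                verdict = "ok" if len(sessions) == 1 else "reject"
                for s in sessions:
                    self.results[s] = verdict
                del self.pending[user]

    def submit(self, now, session, user, passcode, expected):
        self.release(now)
        if passcode != expected.get(user):
            self.results[session] = "reject"          # wrong passcode: no hold needed
        elif user in self.pending:
            self.pending[user][1].append(session)     # second correct attempt in window
        else:
            self.pending[user] = (now, [session])     # first correct attempt: start hold

# Constructed sample data. Real passcode computation and passcode-reuse
# tracking are not modelled here.
EXPECTED = {"alice": "123456", "bob": "654321"}
EVENTS = [  # (time in seconds, session id, user, passcode)
    (0.0, "sessA", "alice", "123456"),   # legitimate login
    (0.8, "sessB", "alice", "123456"),   # same passcode from a second session
    (5.0, "sessC", "bob",   "654321"),   # single correct login
    (5.5, "sessD", "bob",   "000000"),   # wrong passcode
]

def replay(events, expected, delay=2.0):
    """Feed time-ordered events to the verifier and return session -> verdict."""
    v = DelayedAcceptVerifier(delay=delay)
    for now, session, user, passcode in events:
        v.submit(now, session, user, passcode, expected)
    v.release(float("inf"))                           # flush anything still held
    return v.results

if __name__ == "__main__":
    for session, verdict in sorted(replay(EVENTS, EXPECTED).items()):
        print(session, verdict)
```

In this model the legitimate user is locked out along with the copy, so the race Jüri asks about yields a failed login for both parties rather than a stolen session.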