Bugtraq: Re: SecurID White Paper - A Comment

[coxa () cableol net (Alan Cox)]

>         Properly forging TCP packets, the essential skill for tcp-splicing,
> is still beyond the wannabes on Alt.2600.  And to tap a telephone line --
> the typical OTP app is a dial-in phone connection, through a communications
> server -- requires a wholly different level of criminal commitment than
> "sniffing" on a local LAN or Internet link to which one is already
> connected. At least in the US, wiretapping is a federal felony, punishable
> by serious jail time.)
Splicing TCP packets is easy and well within the ability of all the people
you have to be most worried about. There is publically available code for it
(the Linux IP masquerade for example), and I have seen modifications of that
code to

        o       Drop changes into ftp data streams as they pass
        o       Type commands when it sees a given prompt, absorbing the
                return until that string is seen again - ie you dont even
                see the command reply when you are hijacked

>         Peter Neuman and his ingenious automated tools for TCP splicing --
> now potentially in the hands of sundry hackers, outlaws, or crooks --
> remain (unfortunately) a threat of a different magnitude.  To deal with
> that, we will all need network encyption... plus strong authentication.
Yes. secure shell like systems and stuff like hardware key authentication
systems work hand in hand. Together they are far more powerful than one alone


Alan