Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SecurID White Paper - A Comment
From: coxa () cableol net (Alan Cox)
Date: Wed, 11 Sep 1996 10:07:28 +0100

        Properly forging TCP packets, the essential skill for tcp-splicing,
is still beyond the wannabes on Alt.2600.  And to tap a telephone line --
the typical OTP app is a dial-in phone connection, through a communications
server -- requires a wholly different level of criminal commitment than
"sniffing" on a local LAN or Internet link to which one is already
connected. At least in the US, wiretapping is a federal felony, punishable
by serious jail time.)

Splicing TCP packets is easy and well within the ability of all the people
you have to be most worried about. There is publically available code for it
(the Linux IP masquerade for example), and I have seen modifications of that
code to

        o       Drop changes into ftp data streams as they pass
        o       Type commands when it sees a given prompt, absorbing the
                return until that string is seen again - ie you dont even
                see the command reply when you are hijacked

        Peter Neuman and his ingenious automated tools for TCP splicing --
now potentially in the hands of sundry hackers, outlaws, or crooks --
remain (unfortunately) a threat of a different magnitude.  To deal with
that, we will all need network encyption... plus strong authentication.

Yes. secure shell like systems and stuff like hardware key authentication
systems work hand in hand. Together they are far more powerful than one alone


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]