Home page logo

pauldotcom logo PaulDotCom mailing list archives

Re: Soft Tokens??
From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 21 Nov 2012 13:16:10 -0600

Conrad Constantine <conrad () 1211 net> writes:

Not saying the app is as secure as the hardware token just a different
way to implement it.

yeah, but security is all about the implementation, and a hardware
implementation has a completely different attack surface from a purely
software one. (look at the attack against RSA Soft-Tokens earlier this
year, or the smartcard-hijack trojan that Alienvault Labs (plug plug!)
dissected back in January...

For instance, the RSA hard tokens have a bunch of anti-tamper
mechanisms in them that aren't possible with a soft token. (Travis
Goodspeed's awesome work in bypassing that aside for the moment)

But it's all somewhat moot, really.  Because, soft or hard token, the
token code is going into a web form field somewhere, where on a
compromised host, it's vulnerable to intercept.  This isn't news to
anyone I imagine, but it's worth keeping in mind that this is the most
likely attack path against token or software based 2FA. 

One of my clients uses a mix of hard and soft tokens.  The soft tokens
didn't have to be replaced (at great administrative overhead and pain)
when RSA had their... incident... last year.  The hard tokens did.
Could that time/effort have been better used securing other aspects of
the enterprise?  Surely.  For that year at least, the security ROI
surely landed in favor of soft tokens for RSA customers.

Assuming something like that doesn't happen again, yes, dedicated
hardware makes it harder to compromise the token code, but that's
rarely the lowest hanging fruit in the process.   Software, hardware,
they're both significantly better than passwords.  Hardware does make
your token code harder to get at and predict, but it comes at
administrative cost to physically get them in people's hands, get
people to remember them, get them to not whine about having to carry
them, and then not to lose them, etc.  

Best Regards, 
Todd Haverkos
Chicago, IL 
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]