RSA SecurID admin console can issue emergency access to decent social engineers

Stop us if you've heard this one: an emergency access feature offered by RSA for SecurID token customers isn't completely secure. That's the opinion of pentest outfit Netspi, whose Alexander Leary worked out how to abuse the SecurID Emergency Access Tokencodes (EAT). The use-once codes are intended to provide a temporary …

  1. Pascal Monett

    So the problem is due to managing laziness?

    A user-managed password token generator for users who forget their passwords exists to avoid admins being hassled. Who exactly thought this was a good idea?

    I get it. Support hotline and marketroids are getting remarks on how bothering it is to deal with forgetful users. Pressure mounts and some manglement bod starts getting annoyed with the problem. He convenes a meeting with the techs and berates them for creating this issue, then requires solutions. Techs balk at figuring out a way to circumvent security, but a marketroid present in the meeting spurts out a suggestion about a "temporary token". Manglement bod approves, techs implement despite themselves, and now here we are.

    Because clearly we need to relieve admins of the bother of securing their network. They don't need to worry about who is accessing it either. How's about we just subcontract that to the NSA?

  2. frank ly

    Information

    "Any moderately accomplished black-or-white-hat is probably schooled in Googling peoples' online profile to get a shot at guessing stuff like mother's maiden name, childhood pet cat or dog, ..."

    Are there actually people who spaff this sort of information out for everyone to read?

    1. Anonymous Coward

      Re: Information

      Yes. Not necessarily directly though. As an example, my mother is connected to me on facebook but is using her maiden name on there for work confidentiality. Occasionally she'll post an old picture of Biggles the family tortoise with a comment of "How I miss Biggles". It wouldn't take a lot of detective work to put these things together.

      Then there's all the "porn star name" posts where people will happily answer for themselves because it is out of context.

      * Biggles has been anonymised here. Boris didn't like being called Biggles.

      1. Doctor Syntax

        Re: Information

        "Boris didn't like being called Biggles."

        And Biggles certainly doesn't like being called Boris - just imagine a tortoise with a silly haircut.

    2. Anonymous Coward

      Re: Information

      I know someone (not me, of course) whose mother's maiden name is Stingwing, and whose first pet was called 'cnutbutler'. Their birthday is (where possible) unix epoch day, and their favourite holiday destination is Leeds. Point being, make it up people.

  3. Anonymous Coward

    Yes, the real issue with such "security questions" is that, without explicitly telling it to Joe User, (s)he doesn't realize that the answer can be *ANYTHING* that she can think of (and will be able to remember when asked).

    Because what is verified for an answer to a security question -- is _not_ whether the answer is correct with respect to the question, but whether you give the same answer on recovery attempts that you gave on sign-up.

    You can use an alternative "secret" rather than providing accurate trivia (that may be accessible to google).
