Token Security | TechSNAP 64

Token Security | TechSNAP 64

How attackers can defeat an RSA token in as little as 15 minutes, FBI has taken down an online fraud ring, we’ve got the details. And a botched software update that shutdown a bank for days.

Plus some great audience questions and our answers.

All that and more on this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:

Show Notes:

Researchers can defeat RSA SecurID 800 tokens in under 15 minutes

  • Researchers were able to use a ‘Padding Oracle Attack’ to compromise the plain text of an imported encrypted key in under 15 minutes
  • A ‘Padding Oracle Attack’, is a side channel attack that allows an attacker to see if a message was decrypted successfully or not
  • By purposely corrupting the encrypted message and/or its padding in different ways, and watching the error message (or even just the amount of time the device takes to attempt the decryption) the attacker is able to gain more and more information about the encrypted message, until they are able to recover the entire message
  • The researchers developed a more efficient version of the ‘million messages attack’, that only requires to be carried out with only a few 10s of thousands of messages, and found that some devices can be attacked with as few as 3800 messages
  • Researcher Blog Post
  • Research Paper
  • Don’t Believe Everything You Read…Your RSA SecurID Token is Not Cracked
  • RSA contends that the researchers did not ‘crack’ the RSA SecurID Token, but rather that they exploited a flaw in PKCS#1v1.5
  • However the researchers show (Table 1 on Page 9 and Table 3 on Page 12) that because the RSA SecurID tokens use a very simple padding check (not checking the length of the encrypted message), they disclose more information about the encrypted message during each attempt, this results in the RSA SecurID tokens taking the least amount of time to compromise
  • The researchers were not able to afford an HSM, but postulate that their attack could compromise even the more secure ones in mere hours

PayPal starts Bug Bounty Program

  • Paypal joins the ranks of Google, Mozilla, Facebook, Barracuda and others with bug bountry programs
  • This resolves a potential legal ambiguity where researchers that were attempting to forge or modify data being sent to the paypal site, might be accused of unauthorized access rather than legitimate research
  • Colin Percivals BSDCan 2012 Presentation – Crowdsourcing Security

FBI run sting operation nets 26 arrests of attempted ‘carders’

  • The operation intercepted over 400,000 compromised credit cards
  • The FBI estimates it prevented $200 million in losses (likely exaggerated)
  • The FBI notified 47 companies, government entities, and educational institutions of the breach of their networks
  • Example charges:
  • zer0 used hacking tools to steal information from the internal databases of a bank, a hotel, and various online retailers, and then sold the information to others, including an individual he believed to be a fellow carder, but who in fact was an undercover FBI agent
  • JoshTheGod (apparently a member of UGNazi) met in Manhattan with an undercover FBI agent to accept delivery of counterfeit cards encoded with stolen information. He was then arrested after attempting to withdraw funds from an ATM using one of the cards
  • kool+kake sold stolen CVVs and advertised to fellow carders that he got fresh CVV’s on a daily basis from hacking into databases around the world
    • According to the PCI-DSS (Security standard for processing credit cards, CVVs are NOT allowed to be stored in database, they are specifically designed to make databases of stolen credit cards useless, since the attacker will NOT have the CVV value (which is a 3 or 4 digit numeric hash of the credit card data and the banks secret key)

Botched software update as Royal Bank of Scotland freezes customer accounts for days



Question? Comments? Contact us here!