RSA #3

March 20, 2011

Another “whoops, there go the seed files” scenario.  This one also works if for some reason you keep all your seed files lying around and someone snags them.

  • Get a good clock, as good a clock as your target has.  NTP makes this easy, of course.
  • Start running every token virtually, recording every token code that pops up.
  • Observe tokens being used.  Maybe you found a system using it to protect telnet or FTP.  Or, something else entirely.
  • Watch the logins.  If it’s a hard token, check to see where that code pops up.  Hopefully it won’t be way too fast or slow, so you’ll have a decent chance of catching it.  If it’s a soft token, you have a little brute forcing to do.

Moral of the story:  once seed records have been obtained, any compromised system or unprotected login method that uses SecurID becomes the weakest link, and can be used to enumerate tokens.