RSA #3

March 20, 2011

Another “whoops, there go the seed files” scenario.  This one also works if for some reason you keep all your seed files lying around and someone snags them.

  • Get a good clock, as good a clock as your target has.  NTP makes this easy, of course.
  • Start running every token virtually, recording every token code that pops up.
  • Observe tokens being used.  Maybe you found a system using it to protect telnet or FTP.  Or, something else entirely.
  • Watch the logins.  If it’s a hard token, check to see where that code pops up.  Hopefully it won’t be way too fast or slow, so you’ll have a decent chance of catching it.  If it’s a soft token, you have a little brute forcing to do.

Moral of the story:  If seed records have been obtained, a compromised system or unprotected login method using SecurID can be the weakest link used to enumerate tokens.

%d bloggers like this: