How to Negate the Security of an Access Token

Everyone knows that writing your password on your monitor is bad security. Is it really so hard to realize that attaching your SecurID token to your computer is just as bad?

Posted on December 28, 2006 at 7:42 AM • 41 Comments

Comments

Perry E. MetzgerDecember 28, 2006 8:50 AM

Well, it will still at least deter attacks by people who aren't in physical possession of the computer. Of course this eliminates the benefit of SecureID in the case that the computer itself is stolen, but we should remember that part of the benefit of one time passwords is preventing people from stealing credentials by tapping the network.

However, any modern protocol you are logging in with is going to protect the credentials with encryption anyway, so passive tapping isn't of that much interest, active attacks are much more the thing these days.

(I don't want to give the impression I endorse this practice. I roared with laughter when I first saw the picture on a private mailing list some days ago.)

Lastly, I doubt this is a hoax. I've seen things like it happen all too often in my security practice.

Richard BraakmanDecember 28, 2006 9:02 AM

I again caution against using The Daily WTF as a source. A lot of those stories are made up. Or rather, they *start* as real stories, which are then changed in every detail and combined with an unrelated photograph.

Another KevinDecember 28, 2006 9:03 AM

Wait a second, I'm confused.

Let's say that I have a SecurID token to access a VPN. It's useless for logging into my laptop. And it's useful for accessing the VPN from any computer, not just my laptop.

What's the difference whether the token is taped to my laptop, on my keyring in the backpack with the laptop, on my keyring in my pocket, or on my badge lanyard? As far as I can tell, they're all equally bad, in that the SecurID is not "in a secure place."

Well, I'm sorry. I use the VPN when traveling. That's the point of having it. When I'm on an airplane, or otherwise in transit, I don't happen to carry a bank vault with me to put my SecurID in. Do you?

If I was just supposed to get a laugh from the idea that it's an insecure practice, I'm sorry again. Security people have no sense of humor, and I'm fully expecting to see Dilbertian directives about never having my SecurID and my laptop in my possession at the same time, or something. You know, the sort of security that works by destroying the value of your business so there's no point in attacking it.

I. M. SecureDecember 28, 2006 9:05 AM

I suppose that's one step better than hanging it on the outside of your laptop carry bag.

As to secure passwords, no need for sticky notes. A quick security check of the most common passwords shows it's quite easy to "build" a strong password. Use this tool to check:

http://www.microsoft.com/athome/security/privacy/...

Try:
"Password"

Now try:
"Password1"

See? Ditch that sticky note today and start using strong passwords with confidence!

Matt from CTDecember 28, 2006 9:29 AM

1) I do suspect this is a hoax. Hopefully. But I see similiar odd-ball stuff.

2)
@Kevin...

Implementations may vary. I carry a USB key with the encryption keyfile for my customer files on my keyring. As long as both my car keys and laptop aren't stolen at once, in nearly all scenarios I can say with confidence no client data is at risk.

Steal both, there's doubt. Combined with some good detective work on my hard drive, they could probably guess at the passphrase pretty effectively...and being off-line they have as much time as they'd like.

J.D. AbolinsDecember 28, 2006 9:54 AM

I. M. Secure, thank you for the Microsoft password "strength checker". It's entertaining to see what rated weak or strong. As much fun as seeing how texts get rendered in MS Wingding font. Somewhat akin to reading tea leaves or looking for pictures in clouds.

No check for contextual or cultural obviousness of a password. E.g.; "Microsoft" was rated as "medium" strength while "microsoft" was rated "weak"; "Swordfish", a password allusion familiar to Marx Brothers fans, was rated "medium".

Mark HDecember 28, 2006 10:02 AM

I'm not saying this is a *good* idea, but really, what's the big deal? The SecurID is useless without its password; without that it's a poker chip. You could hand out synched SecurID's by the bucket on the street, and none of them will work unless you also know the password.

David Dyer-BennetDecember 28, 2006 10:29 AM

The laptop very probably contains clues to what network and user the token applies to; that seems to be the argument for separating them (which I do when I travel). The SecureID doesn't need any input or passphrase, remember, you just read off and use the current number. (Unlike the Secure Computing "Safeword" cards, which require at least a PIN to be entered, and in some modes go through a full challenge/response with the server.)

another_bruceDecember 28, 2006 10:36 AM

yeah, but if you're prone to forgetting where you put things, attaching it to your computer is the best possible option. for many of us, the risk of misplacing something greatly outweighs the risk that a bad guy will use that token to invade our box, and we deserve just as much respect as you hoity-toity security fetishists!

TremaineDecember 28, 2006 10:37 AM

The SecureID is relatively useless of course without the pin or domain password. However, it's a hell of a lot easier to crack a password than to brute force a 6 digit number that changes every 60 seconds. A password/pin can be taken offline for cracking... no such luck with the token.

Ensuring a thief gets both your laptop AND the secureID seems foolish to me. Even taking the simple step of keeping the token in your pocket on your keyring goes a long way to ensuring you don't lose both.

Stu SavoryDecember 28, 2006 11:11 AM

There are still MANY people who stick an address label on their suitcases. Burglars' assistants at airports merely need to note down/camera-phone the labels to the burglers who know when said flyers are away :-(

Welcome home, stupid!

jDecember 28, 2006 11:26 AM

@Stu S: Don't the airlines REQUIRE an address label on every piece of checked luggage, to the point of supplying a blank to be filled out and attached if you don't have an address tag?

Re SecurID token: Since laptops seem to be lifted all the time, it seems substantially more secure merely to have the token with you but elsewhere about your person.

But further, before I received my first such token, it was a replacement for a credit-card sized token, also from RSA; but the difference was that you had to enter a PIN to retrieve the correct current 6-digit key. So even if the card was stolen with the laptop, the thief would find it useless.

/J

David Dyer-BennetDecember 28, 2006 11:27 AM

There are still MANY people who stick an address label on their suitcases.

The airlines require it, in fact.

Knowing when I'm away doesn't do them much good, though, because of the *other* 4 adults currently living here. The alarm system should also help move this house up into "not worth the trouble" (the highest attainable security classification).

Davi OttenheimerDecember 28, 2006 12:29 PM

Bah, I see this all the time. Actually, I see people tape their SecureID token to the lid of the laptop, and I'm certain the PIN isn't far behind (stored in a file on the desktop or even in the name of one of the icons).

cjcDecember 28, 2006 1:23 PM

This really isn't anything new. RSA already sells "software tokens" which boil down to a unique key hidden in some software installed on the computer.

Both of these really don't break the "something have" and "something you know" layers. In both cases the "something you have" is the whole notebook rather than just the little number generator.

The bad part about these is that when it is lost, the notebook PC has more clues about how to use the something you have to attack the remote access system.

But I prefer a key fob affixed to the system over the software token. Software tokens have at least two very nasty properties: (1) easily clonable and (2) remotely readable. Those two are especially nasty when combined. Remote attacker can clone the token without the owner's knowledge. RSA lost a lot of my respect when they started marketing those with out BIG RED WARNINGS about how evil they are.

markmDecember 28, 2006 1:55 PM

"There are still MANY people who stick an address label on their suitcases. Burglars' assistants at airports merely need to note down/camera-phone the labels to the burglers who know when said flyers are away :-("

Except that if I'm traveling on business, my wife is home - and she'll start shooting sooner than I would.

Preston L. BannisterDecember 28, 2006 2:10 PM

On reflection, I am not sure this as bad as it appears on the surface. If you are the IT director, and the SecureID tokens start to go missing, what do you do? The tokens are small, separate, easily lost - and probably lost a lot more often than laptops.

If you start seeing large numbers of lost SecureID tokens, what will make you more secure? If the user's login is exposed, stealing the SecureID token is a lot easier than stealing a laptop. The user will more quickly notice a missing laptop. A SecureID token is small and easy to misplace. If I could not find my token, I would first suspect that I had misplaced it somewhere ... and very likely would delay before reporting the token as lost.

By attaching the token to the computer, it becomes harder to steal or misplace. Given that humans are imperfect - does this increase to decrease security?

PhilDecember 28, 2006 2:31 PM

>>The SecureID doesn't need any input or passphrase, remember, you just read off and use the current number. (Unlike the Secure Computing "Safeword" cards, which require at least a PIN to be entered, and in some modes go through a full challenge/response with the server.)

The PIN doesn't always have to be applied to the SecureID token itself. At my company, we have to enter the SecureID code PLUS a PIN into the online security app before we gain network access.

CorporateDroneDecember 28, 2006 2:47 PM

My employer uses SecurID tokens and requires the SecurID code plus two passwords plus a user ID (that isn't intuitively obvious) in order to log in to our corporate network.

I'm not sure how login is implemented at whatever company did this, but it might not be quite as insecure as it appears.

JohnDecember 28, 2006 3:25 PM

This fails the "so what" test.

The SecurID token only helps if the basic password is weak. If the basic password is strong, then there's no obvious benefit.

Particularly as passwords are inherently weak to begin with.

And apparently, the whole SecurID thing was an arbitrary requirement imposed by the Feds, not to solve some actual business need.

So of course the IT Director's best interest is to subvert the intent. After all, this is the Feds screwing with his infrastructure.

Bluezoo7December 28, 2006 6:20 PM

Let's not forget the whole point of the token is two-factor auth: Something you HAVE and something you KNOW.

If you're giving up on the something you HAVE part, may as well go to one-factor auth and save your $$$ on all those darn tokens.

If we elect to call ourselves security professionals then we should set the example by seperating our 2-factor auth mechanisms from our laptops.

If this is too difficult or inconvenient, then consider another line of work since if you're not willing to do it, you can bet your company's confidential info that those you are trying to get to meet your security policies won't.

Curt SampsonDecember 28, 2006 6:57 PM

I like the point that the physical token might be an externally imposed security requirement that that an intelligent security administrator is subverting because he's decided that that particular benefit is not worth the cost (if, say, people tend to lose them frequently). Who knows whether it's really the case or not, but the idea is certainly a nice demonstration that imposing arbitrary single security requirements may be rather pointless when it's the entire security system and the environment in which it lives that determines how hard or easy a target is.

As for RSA tokens, I've got a pretty big beef with RSA about these, anyway. As someone mentioned before, they have "software tokens" which, last I checked, their web site and documentation implied were just as secure as the hardware tokens. However, cjc, the laptop is not "something you have"; you can copy the token from the laptop, leave the laptop behind with the owner, and you've now got the token without the owner realizing that it's been stolen, which removes a major factor in the security of "something you have."

But I've got to admit that it's a pretty good business, charging $75 for 128 bits of random data usable for only for a year.

AnonymousDecember 28, 2006 7:05 PM

My favorite is a consultant that lost his tokens so often he left them at home and hooked up a webcam to display the number - on 4 different secure ID cards from different customers. Worse - he was proud of his ingeuity.

PaulieDecember 28, 2006 11:34 PM

"My favorite is a consultant that lost his tokens so often he left them at home and hooked up a webcam to display the number - on 4 different secure ID cards from different customers. Worse - he was proud of his ingeuity."

You mean like this guy? http://fob.webhop.net/

ZaphodDecember 29, 2006 5:22 AM

@David Dyer-Bennet @J

I my experience, the airlines don't require an address label. I fly plenty of times without one. The printed luggage tags are sufficient for identification. If the bags get lost, the little barcode attached to your passport/boarding pass is used by the reclamation company with an address you supply them to return your bags.

Also, surely, one would put the destination address on the label on the way "out" and your home address on the way back. Unless the thief has a large network of contacts, it doesn't work. An LA bag-label-snooper isn't going to get to the NY home of passenger X any quicker than X themself.

Zaphod

Nick-ishDecember 29, 2006 5:43 AM

Re Anonymous:

You might be thinking of: http://www.schneier.com/crypto-gram-0408.html

<Snip>
Here's a guy who has a webcam pointing at his SecurID token, so he doesn't have to remember to carry it around. Here's the strange thing: unless you know who the webpage belongs to, it's still good security.
http://fob.webhop.net/
</Snip>

All attaching the fob to the laptop does is drop it back to 1 factor authentication. Unless you were to attach the wrong fob, which would be 2+ish factor auth. No better no worse. :|


WooDecember 29, 2006 8:55 PM

... and this recommendation comes from the _director_ of IT Security at that company? Firing that person isn't enough.. I vote for tar-and-feathering.

SimonDecember 29, 2006 9:26 PM

To Thomas at December 28, 2006 07:54 AM and Richard Braakman at December 28, 2006 09:02 AM:

While I cannot speak to the truth of the dailyWTF story, I can say that I have handled a laptop (belonging to a in the field sales force member of a top pharma company) in which:

1. The username and password for of the sales force (identity is location based, not individual based) was stickered onto the laptop.

2. A whole had been drilled in a plastic flange near the a hinge through which a small chain was passed and closed with a key ring, onto which the secureID keyfob was attached.

3. The 4 digit PIN number (required to use the secureID) was stickered to the back of the secureID

Worth noting: 1 and 3 were normal for laptops in this companies sales force. I suspect that the support desk shipped them into the field that way.

AnonymousDecember 30, 2006 4:55 PM

All these foolish acts are because, for the people doing them, they are externalities.

The IT director didn't get fired for describing how to lasso the laptop to the fob. He may have gotten an attaboy for reducing costs, i.e. the number of fobs lost per quarter.

The individuals don't care, because losing a fob incurs no penalty: they just get a new one.

The company doesn't care, because they are meeting the requirements of the law. If they weren't, they'd be prosecuted, or their insurance premiums would increase, or something.

So because it's an externality to everyone involved, and no individual or organization is actually held accountable, the situation is what it is. At least until a breach occurs, and then a sacrificial offering will be made, and the gods, er, I mean federal regulators, will be satisfied.

AnonymousDecember 30, 2006 5:02 PM

re: the 4 secure ID tokens - I know and used to work for the gentleman. He added security because he chaged the default webcam password and did not label the customer next to the card... I've said too much already...

joeJanuary 1, 2007 11:06 AM

Did Bruce forget how SecurID tokens work?

To get access you need to know:

1. The username
2. The PIN that is prepended to the current password

Otherwise a SecurID token is useless.

Bruce SchneierJanuary 1, 2007 3:08 PM

@joe

SecureID is supposed to be better than password only. It's two-factor authentication: password + token.

If you're telling me that you can't get access without the username and password, and that's fine, then there's no reason for you to spend money on a SecureID token. The reason you have one is that you don't think username and password is enough.

Ed T.January 2, 2007 8:18 AM

Actually, the way to compromise a SecureID token is to write the PIN on a piece of paper, and tape the paper to the back of the token!

Someone actually did this - and the CISO used it as his "Information Security Minute" in a major company-wide meeting.

~EdT.

JohnJanuary 4, 2007 7:25 PM

From what I see, chaining the SecurID fob to the power supply is an excellent, intelligent, well-infomed choice.

Per the original article: "some mean ole' regulatory agency mandated that remote access is secured with a VPN that requires typing in a constantly changing passcode from a physical token".

These devices exist as a response to a Federal requirement that has absolutely nothing to do with business reality. The fob is nothing more than filling in a checkbox when audited.

Because this is coming from the IT Department, I assume that most (if not all) of the cost associated with replacing a lost / stolen SecurID device comes out of the IT budget. As IT is directly responsible for the cost, but lacks direct control over the device, it is in their best interest to ensure that the device isn't lost. People should be thankful that IT did not epoxy the device to the laptop.

I am also assuming that there is no fully-recovered "cost plus" chargeback mechanism in place associated with lost SecurID devices. If there were, users wouldn't lose them, because each lost device would cost them $100 or so, and that's enough of a penalty that most people start to pay attention to actually securing the device.

I find it very odd that people is pinging the IT Director, given that:

1. Non-Military Feds no practically nothing about real security, yet love to create intrusive security policy that provides little to no practical benefit. Cf. TSA.

2. Responsibility and costs aren't aligned.

I think that the SecuriID fob can best be seen as more "security theatre" writ small.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..