Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

To: "Lee Dilkie" <lee_dilkie@xxxxxxxxx>, "Toomas Soome" <Toomas.Soome@xxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: "Kevin Sheldrake" <kev@xxxxxxxxxxxxxxxxx>
Date: Fri, 06 Aug 2004 12:31:11 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <41123007.8080805@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Electric Cat
References: <Pine.LNX.4.58.0408032206440.2149@xxxxxxxxxxxxxxx> <200408040845.27609.lionel.ferette@xxxxxxxxx> <41114304.4090403@xxxxxxxxxxxx> <41123007.8080805@xxxxxxxxx>
User-agent: Opera M2/7.52 (Win32, build 3834)

Not unless the card is stolen and the owner either doesn't noticeimmediately or doesn't report it immediately. How many people will turnup at work (for instance) claiming to have 'forgotton' their card ratherthan report it lost, on the off chance they have actually misplaced it?If the keys give access to money, reputation, authority or the like thenperhaps the size of the exposure window is important?

Kev

Perhaps I'm missing something here. As far as I can tell, no keyslocated on the card were compromised, only the PIN was. Since this is atwo factor authentication system, possession of the PIN is of littlevalue without possession of the token itself.
Am I missing the point here?

regards,

-lee




--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd

References:
- Clear text password exposure in Datakey's tokens and smartcards
  - From: vuln
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Lionel Ferette
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Toomas Soome
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Lee Dilkie

Prev by Date: RE: International DNS compromise?
Next by Date: RE: International DNS compromise?
Previous by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Next by thread: vulnerabilities in JetboxOne CMS
Index(es):
- Date
- Thread