[757labs] People who are interested in joining

Trevor Lewis trevorl.salad at gmail.com
Thu Sep 22 07:06:45 EDT 2011


When all else fails, add a second layer of security. At one place I worked we
used the RSA SecurID fobs in combination with a second system that forced us
to punch in personal pin. Honestly I think it had more to do with a lazy
admin strapping SecurID on top of another older system. As kludgey as it
was, if you didn't have the fob and/or you were too drunk to punch in your
pin, the door didn't open. It ended up being effective.

Use the rfid fob to identify the user to the system, and use the user to
verify his identity in turn to the system. Since the rfid tags have a
limited (although plentiful) number of rewrites just store
authorized/revoked status on the fob. Too many attempts to authorize with
that fob, and the keypad refuses that id for X amount of time. And email
Ethan. At 2am. :)

Apologies if everyone is thinking "umm, yeah, that's what we were gunna
do". I'm not awake yet. :)

On Thu, Sep 22, 2011 at 5:08 AM, <fister at skullfuckers.org> wrote:

> It is difficult for me to believe that today there are no contactless cards
> that are sophisticated enough to foil replay attacks.  If they are all
> simple memories that broadcast to anyone then the state of these things has
> not improved since the 90's.
>
> Some car keys have writable memory.  I know of one particular system that
> writes new data into the tag on every use, but the tag has no way to
> determine if a read is being requested by an authorized station.  So, an
> attacker could read the tag from a pocket, and if he used the data before
> the authorized tag holder, he would receive access and his tag would be
> updated, leaving the real tag unusable because it has the wrong secret now.
> See here: http://www.nxp.com/acrobat_download2/other/identification/pcf7935-pp.pdf
> (We know the secret keys where these are applied so that issue is moot for
> us - the authenticator at the lab will not be produced and distributed for
> everyone to take apart, and will not suffer this)
>
> ISO7816 [synchronous six contact] telephone cards [payphones in Mexico,
> Canada, rest of world] do not have any cryptography besides an algorithm
> with a shared secret.  This mechanism proves to the telephone and the
> smartcard that each other are legitimate.  It took detailed examination of
> telephone's firmware and of the smartcard's microcircuit to break this
> scheme for each operator of telephones.  Until that milestone, an adapter
> had to be used with a real card so that the challenge/responses would be
> passed and the countdown counter that stored the card value was intercepted
> and replaced with arbitrary information.
>
> That shit has been in service for nearly two decades and the fraud has been
> so low that there has not been much effort to strengthen these applications.
>  Check out the parking meters in San Francisco.  Same old garbage.
>
> The CAC card is a more sophisticated type of 7816 [asynchronous eight
> contact.]  Look what it does.
>
> On other points, there are vandal-proof 7816 receptacles that could be
> mounted on an outside wall - the best ones are machined so that they will
> not fit a card that is too thick :) and have some contacts to ensure that
> nothing on the card is conductive :)  reactionary fixes to past attacks.
>
> Magstripe readers are cheap enough that there are few instances where
> someone tries to protect them.  Look at the ones that are meant to deny
> homeless the warmth and dryness of bank ATM lobbies during winter.  Bank
> people assume the worst thing that will happen to this part is it will be
> destroyed.  Even after it has been widely publicised that these things are
> choice skimmer sites.
>
>
> On 14:59, telmnstr at 757.org wrote:
>
>> You got it, and much less secure (prox cards.)
>>
>