
One-time pad hack

This topic is 2846 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.


Interesting. I was under the impression that the authenticator is a one-time pad, which should make it safe from MitM and similar attacks. Not a true OTP attack, but still effective enough.
Quote:
* The next time you log in to World of Warcraft, the game asks for your Authenticator code.
* The virus intercepts it, sends it to another server, and sends a wrong one to Blizzard = You get an error.
* The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.

There is no such thing as a secure remote connection, although you can get close as long as you can ensure physical security. This attack falls squarely in the "if your computer is compromised, you're screwed" category.

If your local machine is compromised, it's game over -- the virus could just as well watch for you to log on, and then send a "give all my stuff away" command in the background.

This sort of authentication is a one-time-password, which is a very different thing than a one-time-pad (being used for authentication, rather than encryption). I've never used the WOW authenticator -- does it not use challenge-response?

Note that even with challenge/response, and a random new challenge each time, the attack can work -- all it has to do is to show "failure" to the user, but forward "success" to the server, and keep the attacker look-aside site in the loop.

If the client computer is compromised, it doesn't matter what you do, because the client is entirely in the hands of the attacker after the user has properly authenticated.

It's the TLA hell, I was under the impression that OTP was Pad, not Password, and that it was completely independent, more similar to how some banks work.

Quote:
Note that even with challenge/response, and a random new challenge each time, the attack can work -- all it has to do is to show "failure" to the user, but forward "success" to the server, and keep the attacker look-aside site in the loop.


I was thinking of not allowing the same authentication to be used from more than one IP, but obviously a trojan can use the legit user's IP, and just emulate the client from the same machine.

The ultimate evil would be a trojan that acts as a proxy, and lets the user log in, feeding the client valid data, just making it seem as if the server is a bit empty, or laggy, while the trojan itself talks to the real server and does its stuff.

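
A server-side check for the sequence in the quoted description (a rejected code, then a successful login from another source while the real code is still valid), as an added example that is not part of the original thread. The event format, field names, 120-second window and sample log are assumptions constructed for illustration; as the last post notes, it does not fire when the trojan connects from the victim's own address.

```python
from collections import defaultdict, namedtuple

# Hypothetical auth-log record: result is "otp_fail" or "otp_ok".
Event = namedtuple("Event", "ts account src result")

WINDOW = 120  # seconds; assumed validity window of a one-time password


def find_relay_suspects(events, window=WINDOW):
    """Flag each successful OTP login that follows, within `window` seconds,
    a failed OTP attempt on the same account from a different source."""
    recent_fails = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        fails = recent_fails[ev.account]
        # Forget failures older than the code's validity window.
        fails[:] = [f for f in fails if ev.ts - f.ts <= window]
        if ev.result == "otp_fail":
            fails.append(ev)
        elif ev.result == "otp_ok":
            other = next((f for f in fails if f.src != ev.src), None)
            if other is not None:
                hits.append((ev.account, other, ev))
            fails.clear()  # a success closes the current attempt sequence
    return hits


# Constructed sample log (documentation-range addresses, made-up accounts).
SAMPLE = [
    Event(1000, "alice", "198.51.100.7", "otp_fail"),   # user is shown an error
    Event(1020, "alice", "203.0.113.50", "otp_ok"),     # other source, in window
    Event(2000, "bob", "192.0.2.10", "otp_fail"),       # ordinary typo
    Event(2015, "bob", "192.0.2.10", "otp_ok"),         # same source: not flagged
    Event(3000, "carol", "192.0.2.20", "otp_fail"),
    Event(3600, "carol", "198.51.100.99", "otp_ok"),    # outside window: not flagged
]

if __name__ == "__main__":
    for account, fail, ok in find_relay_suspects(SAMPLE):
        print(f"{account}: fail from {fail.src} at {fail.ts}, "
              f"success from {ok.src} at {ok.ts}")
```

A hit is a reason to hold password changes and item transfers for that session pending review, not proof of compromise.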
