Re: [Fed-Talk] Malware targeting ActivIdentity smart cards
- Subject: Re: [Fed-Talk] Malware targeting ActivIdentity smart cards
- From: William Cerniuk <email@hidden>
- Date: Fri, 13 Jan 2012 15:48:47 -0500
It might be argued that any input to a computer is a point of vulnerability.
How easy is it to design a wedge driver for USB or Bluetooth? Essentially capture everything in the flow in from the analog world to the digital world. It does not matter how NIST certified your crypto is on that hard drive or that CAC/PIV card; as long as the interface to the device does not have a direct connection to the encrypted device, it is an easy point of attack.
The only way a PIV or a CAC card can be secure from electronic data capture at PIN entry is to have a membrane keypad on the CAC/PIV card itself. But... then it could be argued that an RF monitor embedded below the desk surface, sufficiently close to the PIV card, could pick up the RF leakage and determine the codes based on keypad voltage variations and the resulting RF output from key presses.
The most secure system is a system that is not used... which frequently is the result of attempts at risk elimination vs mitigation ;-)
Best,
Wm.
On Jan 13, 2012, at 15:11, David Emery <email@hidden> wrote:
> Independent of the problems Windows has with vulnerabilities, this highlights the problems in depending on a 3rd-party add-on as an element of what should be your Trusted Computing Base!
>
>> ...
>>> With ActivIdentity as the target, the attacks are clearly aimed at U.S. defense departments, the Times added. But it's as yet unknown what information the hackers have so far been able to capture.
>
>
> dave
> -----
> David Emery, 703 298 3473 (c) 703 272 7496 (fax)
> Supporting PdM Software Integration
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden