Milo

SecurID

20 posts in this topic

Does anyone know about or use one of these feckers to access a network?

ris-0251.jpg

I use mine to access the company network from home and just recently it is constantly going out of sync (twice a week) and it's a right pain in the backside getting it reset due to our ridiculous IT set-up.

I never used to have any bother and the boffins at our IT dept (subcontracted to IBM) are a waste of space and won't give me a new one.

Any ideas why it's suddenly gone wonky and is there anything I/they can do? (it's away from any source of magnetism etc)

Ta


I use one for our network - never had any problems with it. Is it just yours or are other employees having problems?


We've just taken a group-wide step away from these bloody things.

They didn't seem that secure to me, really.


Our networks are now ultra secure compared to what they used to be. We use a 4 digit password + the SecurID code to gain access to the outer wall, then another complex password for the inner network.

I remember those OTP tags being launched. They are supposed to be virtually indestructible - the demo was to hit them with baseball bats.


[ QUOTE ]

I use one for our network - never had any problems with it. Is it just yours or are other employees having problems?

[/ QUOTE ]

There is one individual in my area who I know has ongoing problems with his but he seems to just accept it.

Being a homeworker though we're quite isolated so we don't get to know if anyone else in the UK is having problems - there are around 700 of us using these things.

As for security, I don't know a great deal about the issues but we have a 9 digit password (alphanumeric) followed by the random 6 number SecurID to access the network.

We then have a further password to access our personal details (expenses etc) which has to be changed every 4 weeks and another password to access the firewall should we want to use the company PC for internet use (changed every 4 weeks).

To compound all that, our PCs have been replaced with Panasonic Toughbooks so we can take them on site - they have 3 different passwords - one on start-up, one to access our reporting system and another to bring the fella out of hibernation. Only 2 of these need to be changed every four weeks.

It was easier with pens and paper I'm sure.


Might be worth checking if others are having problems or just you!

Also, maybe you have a tag that is not generating the same numbers as the "tag emulation software" is generating. So when it comes to verify the two they do not match.

[ QUOTE ]

They didn't seem that secure to me, really.

[/ QUOTE ]

How come?

The numeric it creates is random and so as long as this is part of the sign-in process how can they not be unique when added to your own unique ID (to you) so you get "Mollox"+SecurID generated number = Unique!

We use these for Home working / callout - we use our own PIN number plus the unique number generated by the tag to get past the firewall and then use the same set of passwords we would use if we were sitting at our desks.


[ QUOTE ]

Any ideas why it's suddenly gone wonky and is there anything I/they can do? (it's away from any source of magnetism etc)

[/ QUOTE ]

It probably hasn't "gone wonky", as they are really quite robust little buggers. It's more likely to be some kind of timekeeping or synch state problem on the server side, to be honest.

SecurID is a really simple system. A public/private key pair is created for each token, the public side lives in the token and the private side is loaded from CD (supplied with batches of tokens) onto the server(s). The token generates a sequence based on a timestamp, that sequence is encrypted with the public key, and only the private key can decrypt it (it's not exactly like that, but in effect the principle is the same). To know what code is on a given token at any time, the server's time has to be quite accurate as the hardware timers in the tokens generally are.

Either the time on a server (the master or one of the replica secondaries) is flapping, or the servers have different times on them, or replication is failing and your authentication is switching between good and bad servers. NTP is useful for synching up the master to a reliable time source, then synching secondaries to that, as Windows Time isn't terribly accurate in comparison (assuming the servers are Windows, not Solaris).

I doubt there's anything you can do apart from continue to moan at IT and hope they sort it. It's a shame bad implementations cause so many problems, as the product is pretty good and doesn't deserve the negative PR it gets when things go wrong.


Thanks for the explanation.

It would appear any problems would not be at my end hence their reluctance to give me a new token.

I'll have a ring round some colleagues tomorrow to see if I am alone in this. I have been using this particular token for about a year now with no problems (reset maybe once). Everything was fine until the middle of December when the out of sync problems started.

I think there are problems at the server end as for about 6 weeks now we've been getting error messages and corrupt databases when we've been replicating.

What doesn't help is that when I have to reload a particular database it takes forever - the company line is on dial-up (they say they have security issues with BB ??) and at this exact moment in time, my connection speed is 27.8 Kbps.


Missus uses one and it seems to work okay.

Bit of a palaver if you ask me though. What's wrong with a password and secure access thing (SecureClient at our place)?


What's the expiry date on the back of it? Could it be the battery? If so you should be able to swap it out for the new smaller ones like mine.

RSA_key.gif

p.s. Pic is bigger than real size (at least on my monitor!)


Scotty,

Was thinking the same thing about battery if it is losing time. Also I believe there is more than one method of resetting the sync between token and server. One is normal and fixes most issues, the other is more brutal. But I could be talking rubbish.

Used SecurID for ages and it seems a very good system. New company uses a certificate based system which ties my laptop to my work userID.


I don't think it's the battery - this unit replaced my old one about a year ago and the expiry on this one is 30/11/07 so it should be good for another 2 years almost.


We used to issue them, but now new bods get Certificates instead.

Us in IT still have them and they are VERY handy. I can reset our users' ones over the phone with them, and re-issue the 4 digit userid bit if necessary. If that fails, then we just issue a new one or if they are HO based, certificate them up.

Very handy for using on non-work PCs. Very reliable.

Just tell your boss that you cannot work, and need a new one. They should soon replace it.


[ QUOTE ]

What's the expiry date on the back of it? Could it be the battery?

[/ QUOTE ]

The battery is *supposed* to outlast the expiry date, at which point (or sometimes slightly before!) it stops generating numbers and just sits there flashing the activity indicator for a few months, then dies altogether.


[ QUOTE ]

[ QUOTE ]

What's the expiry date on the back of it? Could it be the battery?

[/ QUOTE ]

The battery is *supposed* to outlast the expiry date, at which point (or sometimes slightly before!) it stops generating numbers and just sits there flashing the activity indicator for a few months, then dies altogether.

[/ QUOTE ]

Spot on; they usually just "die" at some point after the expiry date - I've got a couple floating around a couple of years out of date that are still working, but just not being used (and you should get sent another one by your ops people before it happens anyway)


The battery in my SafeWord card is still going now after over 7 years!

Because these systems are time-dependent, the servers normally will check for tokens within a time range if there's no immediate match (if that makes sense). So, normally, it's very difficult for the token-generator to get completely out of sync.

I agree with Chris in that it is probably a clock issue on one of the servers (assuming you have a replicated SecurId server) - or you have a faulty card.

BTW, I assume when this fault happens, you've generated more than one token to try to log in?

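The time-window check and the server clock problem discussed in the posts above, as an added example that is not part of any post and is not RSA's algorithm: it uses an HMAC-based time-step code (RFC 6238 style) as a stand-in. The seed, the 60-second step, the window size and the server names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code is displayed (assumed interval)
WINDOW = 1   # server also tries this many steps either side (assumed)

def token_code(seed: bytes, t: float) -> str:
    """6-digit code for the time step containing t (RFC 4226 truncation)."""
    counter = struct.pack(">Q", int(t // STEP))
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def server_check(seed, code, server_time, window=WINDOW):
    """Return the step offset where the code matched, or None (out of sync)."""
    for k in sorted(range(-window, window + 1), key=abs):  # nearest step first
        expected = token_code(seed, server_time + k * STEP)
        if hmac.compare_digest(expected, code):
            return k
    return None

def simulate(seed, token_time, server_skews, window=WINDOW):
    """Check one token code against servers whose clocks are off by skew seconds."""
    code = token_code(seed, token_time)
    return {name: server_check(seed, code, token_time + skew, window)
            for name, skew in server_skews.items()}

# Constructed sample values, not from the thread.
SEED = b"constructed-demo-seed"
NOW = 1_136_073_630   # 30 s into a step
SKEWS = {"primary": 0, "replica_a": 45, "replica_b": 300}

if __name__ == "__main__":
    # replica_b is five steps ahead, so the same valid code is rejected there.
    print(simulate(SEED, NOW, SKEWS))
```

A login that lands on replica_b fails while the same code succeeds on the other two servers, which from the user's side looks like a token that keeps going out of sync.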

I usually attempt to dial in immediately a new number is generated (with 5 markers).

If it kicks me out, you can sometimes try again when there are only 3 markers left - when the final connection is made, a new number has been generated but it still lets you in.

After 5 or 6 attempts over a period of an hour or so, if it still won't let me gain access I call the helpdesk to reset the token.

I'm going to ring a few people today to find out if I am alone in this problem or whether it is affecting everyone.


Well it seems a few people are having problems.

Mine has just gone out of sync again - it was only reset yesterday.

I hope our company bills IBM for the amount of time our workforce spends on the phone to them trying to sort out all the IT problems that have only started to affect us since they took over the show.
