On Tue May 26 2009, Seth Vidal wrote:
> On Tue, 26 May 2009, Till Maas wrote:
> > On Tue May 26 2009, Jesse Keating wrote:
> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
> >>> A problem with phones is that they are typically not as secure as
> >>> hardware tokens. Users can install custom software on them. Also the
> >>> phone may be compromised via bluetooth. It might even be possible to
> >>> directly access text messages via bluetooth or maybe also wifi
> >>> nowadays.
> >>
> >> Wouldn't that be why you have to combine what comes up on your phone
> >> with the password you know, so that just the phone alone can't get you
> >> in?
> >
> > Here is another attack scenario: The attacker first attacks the desktop
> > to obtain the password. But then he also compromises the phone once it is
> > connected to the desktop to synchronize some data, e.g. contacts, music
> > or software. Then the attacker has both factors without having physical
> > access to the phone.
>
> Both of them assume an attacker targeting someone on our system.

Why is this? Even an attacker that got access to your desktop without specifically targeting a Fedora infrastructure team member can afterwards compromise your phone, once he has noticed that you use it to log in to Fedora. The browser cache or e-mails may indicate that you log in to Fedora, and some config files for phone synchronization can show the attacker how the phone can be compromised.

Regards
Till
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list