Slashdot Mirror


Cisco's LEAP Authentication Cracked

mtrisk writes "Just a day after Cisco released a security warning about its WLSE access point management tool, a tool to crack wi-fi networks using LEAP authentication has been released, reports Wi-Fi Networking News. The tool, called Asleap and developed by Beyond-Security, actively de-authenticates users, sniffs the network when the user re-authenticates, and performs an offline dictionary attack upon the password."

8 of 162 comments

  1. Re:dictionary attack? by MBAFK · · Score: 4, Insightful

    "good luck dictionary attacking a good password"

    The time to brute force the password is a combination of many factors, not just the strength (length and composition) of the password. The amount of resources available to compute the hashes and the complexity of the algorithm used to create the hashes have a large effect on how long it will take to compute a match.

    In this age it is becoming possible to precompute the hashes and then look them up, in that case the "strength" of the password becomes less important.

  2. Re:Crypto subsystems are notoriously difficult... by ballwall · · Score: 2, Insightful

    There's another thing that I don't understand. Why use yet another method of encryption for wireless? Why can't the AP or router behind it be set up for a VPN. My company doesn't trust the internet, so it uses a VPN. If you don't trust your WIFI link, why not use a VPN?

    This is the setup I have at home:
    My AP is connected to its own NIC in my router box (running Linux). The DHCP server on the box will give people coming over that interface non-routable IPs, and iptables is configured to drop everything not going to the router from that interface. If a user attempts to go to a web page, iptables routes the traffic to the router's web server, which tells them how to set up a VPN, if they have a username/pass (my gf is always messing it up, so she needs instructions :) ). Once VPNing to the router you're given an IP on the normal wired network and off to the races. This way you get none of the downsides of WEP (insecure, slowdown, known key, etc) and all the benefits of encryption.
    It sounds complicated, but really it's not. I can't see why more people aren't doing this as opposed to WEP. It's my understanding WEP==BAD.
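
The VPN-only wireless segment described in the comment above, sketched as an added example (not the poster's own rules). The interface name `eth1`, the VPN listening on udp/1194, and the router answering DHCP and DNS on that interface are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables commands for a wireless
# segment that can reach only the router until the client brings up a VPN.
# Assumptions, not from the post: interface eth1, VPN on udp/1194, and the
# router answering DHCP and DNS on that interface.

wifi_rules() {
    wifi_if=$1     # NIC the access point is plugged into
    vpn_proto=$2   # udp or tcp
    vpn_port=$3    # port the VPN daemon listens on

    # Validate arguments so nothing unexpected ends up in a rule.
    case "$wifi_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1 ;;
    esac
    case "$vpn_proto" in
        udp|tcp) ;;
        *) echo "bad protocol" >&2; return 1 ;;
    esac
    case "$vpn_port" in
        ''|*[!0-9]*|??????*) echo "bad port" >&2; return 1 ;;
    esac
    if [ "$vpn_port" -lt 1 ] || [ "$vpn_port" -gt 65535 ]; then
        echo "bad port" >&2; return 1
    fi

    # Order matters: web requests are redirected to the router's own web
    # server (the VPN instructions page), the few services a client needs
    # before the VPN is up are accepted, and everything else arriving on
    # the wireless NIC is dropped, whether addressed to the router (INPUT)
    # or to anything behind it (FORWARD).
    cat <<EOF
iptables -t nat -A PREROUTING -i $wifi_if -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -A INPUT -i $wifi_if -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $wifi_if -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $wifi_if -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $wifi_if -p $vpn_proto --dport $vpn_port -j ACCEPT
iptables -A INPUT -i $wifi_if -j DROP
iptables -A FORWARD -i $wifi_if -j DROP
EOF
}

# Print the rules for the assumed defaults; override via the environment.
wifi_rules "${WIFI_IF:-eth1}" "${VPN_PROTO:-udp}" "${VPN_PORT:-1194}"
```

The rules are appended with `-A`, so any broader ACCEPT rule already present in the same chains still matches first; review the existing ruleset before running the output as root.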

  3. "Cracked"? by Anonymous Coward · · Score: 2, Insightful

    Whee! /. goes security journalism:

    Dictionary attack == LEAP is cracked!

  4. Re:Not Cisco's week by dave_t_brown · · Score: 4, Insightful

    "Yeah it's been a bad week for Cisco but they aren't Microsoft. They won't ignore these problems. You'll see firmware updates to fix the password problem in a week tops (if it isn't already out). I suspect you'll also see an update to address the LEAP issues."

    Except that they've known about this problem for months, and the security flaw is not entirely inherent in the protocol. Forcing users to choose strong passwords will provide significantly more protection to "LEAP-protected" networks than any patch that Cisco could issue for LEAP.

    I am entirely unenlightened on EAP-FAST, Cisco's replacement for LEAP, but I'm pretty sure it would be a significant deployment effort for IT to upgrade both the infrastructure and the client devices.

  5. Re:Does the US government want insecure WiFi? by Anonymous Coward · · Score: 1, Insightful

    "The problem is that the Chinese government requires that foreign companies provide their intellectual property (chip designs, etc.) to one of a dozen Chinese firms that are licensed to create WAPI. So it's not a matter of just adding code to firmware, in which case it might be Yet Another Redundant Standard. Instead, the Chinese government is requiring that non-Chinese firms essentially give away their technological advances."

    This is actually quite true. They want you to turn over your source code to one of 11 (now it's 24 I think) 'certified' Chinese companies, who would then design and decide whether WAPI goes into software or hardware and where. They then make the required changes. _this_ is the reason why Intel is so pissed about this, and Dick Cheney has been asked by many CEOs to bring this topic up on his visit to China.

    With all the work that IEEE 802.11i has done getting AES-CCMP in, wireless security is now almost top-notch, there is no real need for another protocol unless the Chinese govt wants a protocol with backdoors so that they can spy on their citizens.

  6. Re:Crypto subsystems are notoriously difficult... by kbonin · · Score: 4, Insightful

    When I quit Cisco, I was the only real security programmer left in my business unit - all the other positions had been "outsourced" to Bangalore. That team didn't write "bad" code, it just wasn't robust. And they didn't get it. And management didn't care. And marketing just wants it to ship with the feature checklist complete.

    I said it below, I'll say it again here. Companies have to CARE enough about security to have experienced crypto people do this sort of work. To design it, to implement it, and to test it.

    But now it's all about keeping things cheap.

  7. Re:Crypto subsystems are notoriously difficult... by sbrown123 · · Score: 2, Insightful


    "It's WHY you really, really ought to have a cryptologist design your subsystems if at all possible."


    No!!!!!!

    Seriously, the last thing we need is slow hardware.

    The trick to beat hackers and crackers is to put out so much variety they have no idea what the hell to do. Seriously, if 99% of people didn't run the same hardware and software for everything, hackers would cause very minimal damage.

  8. Re:You, sir, are seriously mus-informed... by sbrown123 · · Score: 2, Insightful


    "Some of the fastest hard crypto (i.e. military grade...)"


    You're talking to someone who worked in DOD. There's no such thing as military grade crypto. It's the same stuff you find in the consumer market. When they use Cisco hardware they don't load anything special on it. That's why you hear of crackers/hackers getting into them or military projects hurt by simple things like Microsoft Windows worms.


    "Even variety doesn't make up for a weakness in your system."


    Sure, but which system? I'll use a simple example with three server operating systems: NT, Linux, and Solaris. Name a single virus or weakness (besides DOS) that affects all three?