Cisco's LEAP Authentication Cracked 162
mtrisk writes "Just a day after Cisco released a security warning about its WLSE access point management tool, a tool to crack wi-fi networks using LEAP authentication has been released, reports Wi-Fi Networking News. The tool, called Asleap and developed by Beyond-Security, actively de-authenticates users, sniffs the network when the user re-auntheticates, and performs an offline dictionary attack upon the password."
Insight appreciated? (Score:5, Interesting)
dictionary attack? (Score:5, Interesting)
Cool. Now there's a laugh (Score:5, Interesting)
Crypto subsystems are notoriously difficult... (Score:5, Interesting)
I'm a fairly competant amateur- I know better than to assume anything I or anyone else that's not an SME produces in this arena is anything but vulnerable until proven otherwise.
Not quite a crack (Score:5, Interesting)
Re:Not Cisco's week (Score:5, Interesting)
Yeah it's been a bad week for Cisco but they aren't Microsoft. They won't ignore these problems. You'll see firmware updates to fix the password problem in a week tops (if it isn't already out). I suspect you'll also see an update to address the LEAP issues.
The only reason to buy Cisco after all (in my experience -- I'm sure the detractors will speak up the minute I click post) is for the support.
I recall a strange off the wall problem I had using an ISDN line card in a 2600 series router a couple of years back. The line card wouldn't co-exist nicely with the 56k DSU/CSU line card in the other slot. After a few days the ISDN interface would choke and die and the router would need to be rebooted.
After working with our vendor's (Ingram Micro) Cisco support group and trying about a million different IOS upgrades they referenced us to Cisco -- the Cisco that we didn't even have a support contract with. They actually flew somebody out (we are on the East Coast) to look at the problem and released a specific IOS upgrade to address that issue once they confirmed it.
Do you think Microsoft would do that for the small time Insurance Agency with one large router (and a couple of smaller ones in our remote offices)? A lousy $6,000 router at that (money for us -- pocket change for Cisco). That's support and that's the reason why I will continue to buy Cisco products even if they are insanely overpriced.
Re:Insight appreciated? (Score:2, Interesting)
If you're doing anything that needs real encryption, such as administering anything requiring strong passwords or doing financial transactions, you should be researching a VPN layer or something along those lines.
Along the same lines, this seems to open up a new service category... VPN service authentication... Allow you to get a secure link from wherever you are physically at back to the VPN point. Protect your packets from being sniffed (and usable) by wire or wireless. Anyone seen this type of thing? I've only seen server+client side implementation, never an auth service.
Re:Insight appreciated? (Score:2, Interesting)
Not really an issue for large businesses... (Score:5, Interesting)
Unfortunately while the firmware may be upgradeable, the cryptographic functions are usually implemented in hardware (better performance) and it may be hard, if not impossible, to secure the authentication so this kind of attack is harder.
What they really should do is have a public/private key for each access point, with the SSID set to the public key. Then any client can transmit to the access point without possibility of eavesdropping. This would be used to set up the secure LEAP session. Since the password is never sent back to the client then it's not going to be breakable by offline brute force attacks.
Of course, in the end anything is breakable given enough time and/or money.
-Adam
Offline attack (Score:5, Interesting)
There are quite a few others that are saying well thats only if you let your users pick bad passwords... Come on guys, have you actually worked in the real world? Normal users can't remember crazy passwords, they are going to pick their dog and their favorite football player's number put together. Or their aniversary and the current food they are eating.
Keeping a dictionary of enough passwords to get into the network would be trivial. All you need is one user with a weak password to get in, after that who cares how strong the rest are.
Does the US government want insecure WiFi? (Score:5, Interesting)
WEP is broken by design. A few engineers who don't know anything about cryptanalysis making their own encryption system that turns out to be broken is quite plausable however wifi standards are set by the IEEE. The IEEE is not stupid.
Was WEP deliberatly broken to make government snooping easier?
That may seem ludicrus now but what if the likes of consume [consume.net] suceed in their goal of building mesh networks across citys? Securing wireless connections at VPN or application level is so much hassle that only 0.01% of users bother.
The reaction of the American government to the new Chinese wifi encryption standard lends weight to this theory. Supporting WAPI just means hardware manufacturers have to write a bit more software. Once it's in the software it will no doubt be supplied as standard worldwide. It may actuall be secure with little work. Why else would the American government threaten retailation over somthing so obscure?
'twas on http://dis.hert.org a few days ago (Score:4, Interesting)
The site which accidently looks a lot like slashdot, focuses on quality security news; no vuln reports people don't care about... all the latest news and white papers.
A cool white paper on utf-8 shellcodes was released [hert.org] on it too.
Need to move to PEAP ASAP (Score:4, Interesting)
Security protocols are like windows (the physical kind). Once they're broken, duct tape is not the answer.
Re:Does the US government want insecure WiFi? (Score:1, Interesting)
easy because of the other side of it....
"China's WLAN standard has provoked concern among U.S. companies and industry groups for fear that it could fracture the market for WLAN equipment. Also creating some apprehension is a requirement that foreign WLAN equipment vendors must license the technology through coproduction agreements with Chinese companies. The U.S. Information Technology Office (USITO), a U.S. industry group, has said this provision unfairly requires U.S. companies to share proprietary technology with Chinese companies that may also be competitors. "
So there in a nutshell are the other reasons why WAPI is not being embraced by the US government or US businesses. On the other hand I like your tinfoil hat angle because it is so shiny
Re:Insight appreciated? (Score:3, Interesting)
If somebody breaks into your WEP, they can do anything that any machine on your LAN can do. That is, they can sniff your traffic, they can access any internal servers that use only IP address checking for security (NFS is commonly set up this way) and they can use your connection to the net. The latter is more serious than you might think; for instance, what if they launch a DDoS, port-scan a bank, or serve child pornography from your IP address?
Re:Not Cisco's week (Score:5, Interesting)
Read the article - the LEAP problem was reported to them in AUGUST 2003.
I agree they are not a Microsoft, and they are generally much more responsive, but how would you feel if you had over the past six months implemented a major, wonderful, well protected Cisco LEAP wireless network? Only to receive the news that "yeah, we kinda knew since August our security sucked" (for the record, I am NOT in that situation, but LEAP was a contender for our upcoming wi-fi implementation).
Honestly, Bruce Schneier was recently saying that it's no longer about the crypto, as anyone can do strong crypto these days. It's about the factors around it, like usernames and passwords, physical security, but most of all, implementation. You'd think that something which was hailed at the time as the solution to the broken WEP protocol would be partially secure... Ugh. Now I'm just ranting.
-Jack Ash
Hire EXPERIENCED security people, not cheap ones! (Score:5, Interesting)
I'm an ex Cisco security programmer, and thats exactally what was happening before I quit. I wish I could say more...
Re:Offline attack (Score:3, Interesting)
At least we force hard passwords for administrators.
I've got some 7 complex passwords for admin accounts at work.
Add 2 for my regular accounts there.
Add 1 for Lotus Notes there.
Add 1 for my user at my home server.
Add 1 for root at the server.
Add 5 for the encrypted partitions on the server (one of which is 20 characters long).
Add 2 for my laptop.
Add 1 for my university logon.
It's easy to remember passwords once you learn how to create _good_ ones (that aren't based on dogs name + 3-digit number that you raise by 1 every 90 days).
But yes, most of my users tend to forget their passwords and need me to reset them once a month.
And the rest of the bunch use as weak passwords as they can.
The good thing is, their accounts don't matter to me. It's only some files they're going to find.
The admin accounts, OTOH can access any users' files in an instant (saved locally on the computer or on Novell doesn't matter). This is the account that needs protection.
That, and keeping the company off the internet, wireless networks et al.
OUTSOURCING (Score:4, Interesting)
just after cisco started utsourcing, their products have become faulty, sure, the programmers in india are pretty smart, but most are quickly trained amatuers who are usually new to coding secure applications. anyone else think this may be the case?
Re:OUTSOURCING (Score:3, Interesting)
dictionary attack ? (Score:2, Interesting)
I think of a phrase and take first letter of each word, like
Top of the morning to you ==> totmty
etc..