Archive for August, 2005
CISCO LEAP (lightweight Extensible Authentication Protocol) Weak?

Lightweight EAP is Cisco's proprietary version of the Extensible Authentication Protocol (EAP, used mainly for wireless LANs).  Cisco graciously allowed vendors to support LEAP using Cisco Certified Extension (CCX).

Cisco owns about 60% of the wireless market, with 46% of those using Lightweight Extensible Authentication Protocol, according to the research group Nemertes.

HAZZAAA!! Cisco is secure…

(except against Dictionary Attacks)

With such a large share of the wireless market using LEAP, Cisco had successfully advertised LEAP as a secure protocol.  Unfortunately, LEAP is weak against dictionary attacks (Brewin).

At DEFCON 11, on August 1, 2003, Joshua Wright gave a presentation on the weakness of LEAP.

 

Here is Cisco's response to LEAP dictionary attacks:

To help our customers respond to the possibility of dictionary attacks, Cisco strongly recommends that all of our customers review their security policies and institute the previously published best practices that are outlined below and in the Cisco SAFE White Papers.

Use a strong password policy (as detailed below) and periodically expire user passwords (recommended at least every three months), giving users advance warning to change passwords before they expire.

If unable to implement a strong password policy, consider migrating to another EAP type, like EAP-FAST, PEAP or EAP-TLS, whose authentication methods are not susceptible to dictionary attacks:

EAP-FAST is an authentication protocol that creates a secure tunnel without using certificates.

PEAP is a hybrid authentication protocol that creates a secured TLS tunnel between the WLAN user and the RADIUS server to authenticate the user to the network.

EAP-TLS uses pre-issued digital certificates to authenticate a user to the network.

 

FINAL NOTE:

“1 month of audits by l33t security companies: No vulnerabilities
1 month of architecture research by CCIE's: No vulnerabilities
2 days of hacking by DaBubble, Bishop, and Evol: Root.
There's some things that fackers should audit (WEBAPPS) for everything else, get a real hacker.” — SecurityFocus

Why doesn't Cisco become more hacker friendly?  They pissed off the security professionals and hackers alike with that CiscoGate fiasco, and they don't have any cool hacker parties at DEFCON.  I mean, what is the deal, John Chambers?!

John, I doubt you will ever read this blog, but here goes anyway: I think that Cisco has great products.  I believe in Cisco's amazing engineering, but if you guys don't aggressively attack security issues PROACTIVELY, you will drop from first class to third class quickly.  I'm not trying to tell you how to run Cisco, I'm just saying, why not use hackers and their findings to your advantage?

Take the IE browser as an example: it used to own 95% of the market, but consumers got so fed up with its lack of security that now Firefox (co-created by Blake Ross, intern/hacker) is doing something not even Netscape could do.

 

Reference:

EAP. RFC 2284, Extensible Authentication Protocol.

EAP, Extensible Authentication Protocol. Wikipedia.org.

Ou, George C. LEAP: A looming disaster in Enterprise Wireless LANs. Lanarchitecture.net.

Nemertes. Cisco Warns its WLAN Security can be Cracked. nemertes.com.

Brewin, Bob. Cisco Warns its WLAN Security can be Cracked. computerworld.com.

Cisco. Abusing 802.11: Weaknesses in LEAP Challenge/Response. DEFCON 11, 2003.

Cisco. Cisco Response to Dictionary Attacks on Cisco LEAP.

Securing Sensitive Data: Understanding FIPS

Ever want to know more about the Federal Information Processing Standards (FIPS)? ME NEITHER! Here it is anyway.

With technologies like wireless snowballing into a cultural phenomenon we suddenly cannot live without, Federal Information Processing Standards are even more important.

If you are lucky enough not to have had to learn what FIPS is, I'll share some of the pain in plain English.  FIPS are the federal documents addressing how sensitive data will be processed.  Without these standards, any government agency could use any kind of crypto it wanted, with no regard for whether or not it is SHA-1, which has just been cracked by the Chinese.

See more FIPS


Taking the CISSP: part 1

I took the CISSP.  I really don’t know what to say about it aside from acknowledging that it was extremely difficult.  Andrew Briney’s article is the most accurate description of the CISSP test.  Briney says, “It’s a mystery wrapped in a riddle inside an enigma.”

His other very true point:

“The exam is best characterized as an ‘inch deep and a mile wide.’ Whether this makes it easy or difficult is a matter of perspective.”

For me the hardest part was the answers.  I feel like I’ve mastered the art of studying for a test.  The fact that there is so much knowledge crammed into a 250 question test makes my study techniques watered down.  It’s very difficult to cover all 10 domains effectively.

I’m not one of those bastards that can walk into a test cold (no studying, no worries) finish in half the average time and pass.  If I don’t study, I fail.  I’ve learned to live with this.  I know my weakness.  I just second guess myself too much on every answer.  I’m one of those guys that does not believe that everything is black and white but that everything is a million shades of gray.  For me that is where the difficulty lies.  The CISSP wants you to choose the “best” answer.  So while many or even ALL of the answers might be true, there is only one BEST answer.  But my best might not be your best.

I’ve taken many certifications.  They have become almost a hobby of mine.  In June, I took the Security+ hoping it would help prepare me for the CISSP.  First of all let me just say comparing the CISSP and the Security+ is like comparing Lennox Lewis’ fighting style to that of some 12 year old girl from John C. Still Middle School.  There is NO freakin’ comparison… NONE, do you hear me!  The preparation that I put into the Security+ is what helped me in my CISSP success.  That being said, there were about 6 very similar questions from the Security+ that were on the CISSP, but the CISSP contains ALL of the domains of the Security+ on a comprehensive level.

As I said, I’ve taken many certs.  And I DO NOT think that taking a test will make anyone instantly smarter or more technically skilled than some “l33t hacker” that has been cracking databases since age 12, but I DO believe some certifications have great value to the IT and Security industry.  With the possible exception of the CISA, the CISSP is the most exalted security cert you can get right now.  Many say that any dependency on certification is what is lowering the amount of IT and security professionals with skills.  While there may be truth to that, I say it is just another way for employers to gauge whether or not they are investing in a skilled employee.  Whether they choose the right candidate will ultimately be decided (just like anyone else) by time.

NO certification I have taken comes within an Astronomical Unit of the CISSP.  Of course I’m not an MCSE or a CCNP (though I’ve tasted the fruits of both) so perhaps there is a match in its level of difficulty.

Having taken the test, I don’t feel I was fully prepared even though I have legitimate experience in nearly all aspects of security; I read a book and studied on and off for a year before taking the test.  I tell you, this test beat the shit out of me.  They give you 6 hours to complete the test and I finished in 5 1/2 hours.  When I was done, I was sure I’d failed.  I started trying to think of ways I’d pay the company back since they would not pay for a failed certification.  I also started studying for the repeat.  I was pleasantly surprised when I got the “congratulations” email.

Adequate study for me would have consisted of reading no less than two “600 page” books and going to a boot camp.

This is the best online CISSP resource I have found: www.cccure.org.

 

Special Shout outs go to the ISSA COS chapter and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke…42.

How To Create An Uncrackable Password

For maximum security, passwords should not be cohesive words or phrases and should not be too obviously related to something like your birthday or the birthday of someone close to you. Personal information is one of the first things used when people attempt to break passwords.
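Both the password advice above and Cisco's LEAP mitigations (a strong password policy, expiry at least every three months, advance warning to users) come down to checks a RADIUS or directory administrator can automate. The following Python is an added illustration, not code from the original posts or from Cisco; the word list, the user's dates, the 12-character minimum and the 90/14-day thresholds are constructed assumptions.

```python
from datetime import date, timedelta
import re

# Constructed sample dictionary (assumption): a real deployment would load a
# full wordlist, since any word in a cracker's list defeats the policy.
COMMON_WORDS = {"password", "welcome", "cisco", "wireless", "summer", "admin"}


def strength_problems(password, personal_dates=(), dictionary=COMMON_WORDS, min_len=12):
    """Return the list of policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = password.lower()
    # A dictionary word with digits or symbols bolted on is still a dictionary word.
    for word in dictionary:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
            break
    # Birthdays of the user or of people close to them, in the common numeric spellings.
    for d in personal_dates:
        for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y"):
            if d.strftime(fmt) in password:
                problems.append(f"contains personal date {d.isoformat()}")
                break
    # Require at least three character classes so a wordlist plus a digit suffix won't hit.
    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than three character classes")
    return problems


def expiry_status(last_changed, today, max_age_days=90, warn_days=14):
    """Classify a credential under a 90-day rotation with a 14-day advance warning window."""
    expires_on = last_changed + timedelta(days=max_age_days)
    if today >= expires_on:
        return "expired"          # reject the logon and force a change
    if today >= expires_on - timedelta(days=warn_days):
        return "warn"             # still valid, but tell the user now
    return "ok"


if __name__ == "__main__":
    birthday = date(1985, 6, 14)  # constructed sample value
    print(strength_problems("cisco1985!", personal_dates=(birthday,)))
    print(strength_problems("Quartz-Lantern-Orbit-7", personal_dates=(birthday,)))
    print(expiry_status(date(2005, 5, 1), date(2005, 8, 1)))
```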


Turn your Wok into a 2.4GHz parabolic dish WiFi repeater

Here's a site with some cool WiFi enhancements.


Tallarico talks smack about TechTV and Morgan Webb.

Tommy Tallarico, co-host of G4TechTV's “Judgment Day,” recently came to the defense of his parent channel, saying that the station is “on the way up,” and that its detractors should thank the channel “for saving any bit of [TechTV] at all.” He also commented on XPlay's Morgan Webb, saying some see her as “only eye candy.”

First off, I like Tommy Tallarico and the show Judgment Day.  I think he's pretty entertaining… like a midget clown or something!

I don't watch that show (or ANY other show on G4) on a regular basis.  They're not GEEK enough for me.  Their perversion of the Screen Savers ended any hope I had of caring about G4.  Although, I hear that Call For Help will be coming back on the air.

I do think that a lot of people have taken Tallarico's words out of context (at least the part about Morgan Webb's titty to gamer ratio).  He did say that some people were saying that, but maybe it was a tactful way to be tactless. 

According to Leo Laporte, G4 is apparently doing quite well.  I can't find any stats on how their ratings are now compared to TechTV and the merger.

What I do know is the Screen Savers, my favorite show on cable TV (Pre Battle Star Galactica), was shutdown.  I really didn't watch the other TechTV shows as religiously and I wouldn't doubt that Future Fighting Machines had low ratings. 

I hope that some other show will be able to whet my GEEK appetite by talking about hacking and mods and other cool shit like that.  Until then I'm stuck with waiting for Systm, Broken and Shadows to tease me every three months with a 5 minute speed bump.


The del.icio.us for programs

“This site allows you to keep a social list of the programs you use. You can easily find new, interesting and popular software in various categories, track after specific categories…”
Quite a useful site. Thing is, free software has no advertising budget. This free service may be the way to reach it.


Security Now! Episode 1

I've just posted the first episode of Security Now! with Steve Gibson. This short podcast (18 minutes) will be a weekly look at hot topics in security from the creator of ShieldsUP and SpinRite (and TWiT regular). We'll release it by midnight Thursday every week, just in time for your weekend podcasting.


Hacking tools and tutorials

This is a pretty good collection. Lots of the usual suspects plus a few I hadn't seen before. Worth checking out the link, whether you digg it or not.


'Ethical hackers' recruited

A NEW generation of “ethical hackers” are to be trained in Wales to test and protect the world's computer security systems.
