Cisco LEAP (Lightweight Extensible Authentication Protocol) Weak?

Lightweight EAP (LEAP) is Cisco's proprietary version of the Extensible Authentication Protocol (EAP, used mainly for wireless LANs). Cisco graciously allowed vendors to support LEAP using Cisco Certified Extension (CCX).

Cisco owns about 60% of the wireless market, with 46% of those using Lightweight Extensible Authentication Protocol, according to the research group Nemertes.

HAZZAAA!! Cisco is secure…

(except against Dictionary Attacks)

With such a large piece of the wireless market using LEAP, Cisco had successfully advertised LEAP as a secure protocol. Unfortunately, LEAP is weak against dictionary attacks (Brewin).

At DEFCON 11, on August 1, 2003, Joshua Wright gave a presentation on the weakness of LEAP.

 

Here is Cisco's response to LEAP dictionary attacks:

To help our customers respond to the possibility of dictionary attacks, Cisco strongly recommends that all of our customers review their security policies and institute the previously published best practices that are outlined below and in the Cisco SAFE White Papers.

Use a strong password policy (as detailed below) and periodically expire user passwords (recommended at least every three months) giving users advanced warning to change passwords before they expire.

If unable to implement a strong password policy, consider migrating to another EAP type like EAP-FAST, PEAP or EAP-TLS whose authentication methods are not susceptible to dictionary attacks:

EAP-FAST is an authentication protocol that creates a secure tunnel without using certificates.

PEAP is a hybrid authentication protocol that creates a secured TLS tunnel between the WLAN user and the RADIUS server to authenticate the user to the network.

EAP-TLS uses pre-issued digital certificates to authenticate a user to the network.

 

FINAL NOTE:

“1 month of audits by l33t security companies: No vulnerabilities
1 month of architecture research by CCIE's: No vulnerabilities
2 days of hacking by DaBubble, Bishop, and Evol: Root.
There's some things that fackers should audit (WEBAPPS) for everything else, get a real hacker.” — SecurityFocus

Why doesn't Cisco become more hacker friendly? They pissed off the security professionals and hackers alike with that CiscoGate fiasco, and they don't have any cool hacker parties at Defcon. I mean, what is the deal, John Chambers?!

John, I doubt you will ever read this blog, but here goes anyway. I think that Cisco has great products. I believe in Cisco's amazing engineering, but if you guys don't aggressively attack security issues PROACTIVELY, you will drop from first class to third class quickly. I'm not trying to tell you how to run Cisco; I'm just saying, why not use hackers and their findings to your advantage?

Take the IE browser as an example: it used to own 95% of the market, but consumers got so fed up with its lack of security that now Firefox (co-created by Blake Ross, intern/hacker) is doing something not even Netscape could do.

 

Reference:

EAP. RFC 2284. Extensible Authentication Protocol.

EAP, Extensible Authentication Protocol Wiki. Wikipedia.org

George C. Ou. Leap: A looming disaster in Enterprise Wireless LANs.  Lanarchitecture.net

nemertes, Cisco Warns its WLAN Security can be Cracked. nemertes.com

Brewin, Bob. Cisco Warns its WLAN Security can be Cracked. computerworld.com

Cisco, Abusing 802.11: Weaknesses in LEAP Challenge/Response. Defcon 11/2003

Cisco. Cisco Response to Dictionary Attacks on Cisco Leap.

Defcon's Infamous Wall of Sheep

One of my favorite traditions at Defcon is the “Wall of Sheep.” It displays all the “sheeple” who have not secured their systems yet feel compelled to get on Defcon's Wi-Fi. During Defcon 11 one guy was there doing his taxes!! Needless to say he was stripped naked and paraded around the conference like an apple-stuffed luau pig. At least they didn't display his Tax ID.

Take K. Rose's advice… If you're going to Defcon, don't turn on your laptop.


Keep Your Home Wireless Network Secure

Wireless can be a huge risk to your personal life. Wireless has been one of the least secure ways of connecting computers.

Working from home while using a wireless local area network (WLAN) may lead to theft of sensitive information and criminal or virus infiltration unless proper measures are taken.  As WLANs send information over radio waves, someone with a receiver in your area could be picking up the transmission, thus gaining access to your computer. 

Criminal hackers and spammers could load viruses on to your laptop which could be transferred to the company's network when you go back to work.

Up to 40% of WLAN users (see the Wireless Attacks links below) do not have standard security features installed, while 20% are left completely open, because default configurations are not secured but are made to get users' networks up and running ASAP.

It is recommended that wireless router/access point setup always be done through a wired client.

Change default administrative password on wireless router/access point to a secured password.

Enable at least 128-bit WEP encryption on both card and access point. Change your WEP keys periodically. If equipment does not support at least 128-bit WEP encryption, consider replacing it.

Although there are security issues with WEP, it represents a minimum level of security, and it should be enabled.

But how secure is WEP:

WEP Cracked in 10 Easy Steps (Video)

WEP Cracked in 10 Minutes (Video)

How to Crack WEP parts 1 & 2 (Tutorial)

WEP is not very secure, but it is better than nothing. Without it, neighbors can accidentally access your network, which is being broadcast to everyone within reception range.

Change the default SSID on your router/access point to a hard-to-guess name. Set up your computer to connect to this SSID by default.

Set up the router/access point not to broadcast the SSID. The same SSID then needs to be set up manually on the client side. This feature may not be available on all equipment.

Block anonymous Internet requests or pings.

On each computer with a wireless network card, the network connection properties should be configured to allow connection to access point networks only. Computer-to-computer (peer-to-peer) connections should not be allowed.

Enable MAC filtering. Deny association to the wireless network for unspecified MAC addresses. MAC (physical) addresses are available through your computer's network connection setup, and they are physically written on network cards. When adding new wireless cards or computers to the network, their MAC addresses should be registered with the router/access point.

The network router should have its firewall features enabled and its demilitarized zone (DMZ) feature disabled.

You can test your hardware and personal firewalls using Shields Up test available at http://www.grc.com.

All computers should have a properly configured personal firewall in addition to a hardware firewall.

Update router/access point firmware when new versions become available.

Locate router/access point away from strangers so they cannot reset the router/access point to default settings.

Locate router/access point in the middle of the building rather than near windows to limit signal coverage outside the building.

While none of the measures suggested above provides full protection, as countermeasures exist, the collection of suggested measures will act as a deterrent against an attacker when other insecure networks represent easier targets.

Another, more recent method of securing your system is Wi-Fi Protected Access (WPA). Newer routers will have a wizard to assist users in setting up WPA security. Although WPA is more secure than WEP, it can also be hacked:

Crack WPA (WPA)

WPA2, recently released, offers a new hope for a very secure and trusted Wireless solution.  Unfortunately it may not work with older routers.
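The checklist above, turned into an audit over a router settings export. This is an added example, not part of the original post; the setting names, the factory SSID list and the sample export are constructed for illustration, since real routers expose these settings under vendor-specific names.

```python
# Added example: audit a router settings export against the post's checklist.
STATES = {"on": True, "yes": True, "off": False, "no": False}
# Encryption modes ranked as the post describes them: open < WEP < WPA < WPA2.
ENCRYPTION_RANK = {"none": 0, "wep64": 1, "wep128": 2, "wpa": 3, "wpa2": 4}
FACTORY_SSIDS = {"linksys", "netgear", "default"}  # constructed sample list

BOOLEAN_RULES = [  # (hypothetical key, required state, advice from the checklist)
    ("admin_password_changed", True, "change the default administrative password"),
    ("ssid_broadcast", False, "disable SSID broadcast"),
    ("block_wan_ping", True, "block anonymous Internet requests or pings"),
    ("mac_filter", True, "enable MAC filtering"),
    ("firewall", True, "enable the router firewall"),
    ("dmz", False, "disable the DMZ feature"),
]

SAMPLE_EXPORT = """\
# constructed sample, not from a real device
admin_password_changed = no
encryption = wep64
ssid = linksys
ssid_broadcast = on
block_wan_ping = off
mac_filter = off
firewall = on
dmz = on
"""

def parse_export(text):
    """Parse 'key = value' lines, ignoring blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings

def audit(settings):
    """Return (setting, advice) findings; a missing or unknown value is a finding."""
    findings = []
    for key, required, advice in BOOLEAN_RULES:
        state = STATES.get(settings.get(key))  # None when missing or unrecognised
        if state is not required:
            findings.append((key, advice))
    mode = settings.get("encryption", "none")
    if ENCRYPTION_RANK.get(mode, 0) < ENCRYPTION_RANK["wep128"]:
        findings.append(("encryption", "enable at least 128-bit WEP, or WPA/WPA2 if supported"))
    if settings.get("ssid", "") in FACTORY_SSIDS | {""}:
        findings.append(("ssid", "change the default SSID to a hard-to-guess name"))
    return findings
```

Calling `audit(parse_export(SAMPLE_EXPORT))` flags every setting in the sample except `firewall`.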

 

 

Wireless Attacks

http://www.eweek.com/article2/0,1759,1605143,00.asp

http://www.onlisareinsradar.com/archives/000624.php

http://www.pcmag.com/article2/0,1895,2345,00.asp

Auditor Flash Video Showing WPA Cracking (some WHAX hacks too)

I don't think it would be this easy to crack WPA2. Unless a hacker really wants your goods, he/she/shim is more than likely going to exploit your next-door neighbor who doesn't even have WEP enabled.

A nice Flash video showing how to crack WPA wireless security encryption using the Auditor security collection.

This one is even better: http://www.hackingdefined.com/movies/whax-aircrack-wpa.html

WPA hack using WHAX.

More WHAX ATTACKS:

http://eks0.free.fr/whax-demos/

See why auditor is so very cool.


WLAN (Wireless LAN) Whitepaper

WLAN Topics Discussed:
The Benefits and Drawbacks of Wireless LANs, WLAN Architecture and Security Challenges, Authentication, Data Privacy, Rogue Access Points, Early WLAN Implementations, The problem with WEP, The 802.1x Solution, Tools Available for use on WLANs.
