One of the highlights of the first-ever Unstrung Live conference in New York today was the demonstration -- by a real, live hacker (albeit one on the side of the angels) -- of just how easy it is to break into Cisco Systems Inc.'s (Nasdaq: CSCO) proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless LAN security mechanism and gain unauthorized access to supposedly secure 802.11 networks.
Joshua Wright, an information security architect (who humorously referred to himself as a hacker several times during the presentation) from Johnson & Wales University in Providence, demonstrated -- to an audience of around 200 people -- a tool he has developed to exploit flaws in the LEAP technology.
"I call it 'Asleep' -- as in asleep at the wheel," Wright quipped.
This kind of hack involves the use of two applications. The first is the Kismet Linux wireless LAN network sniffer, which is similar to the popular Netstumbler tool that is available on Windows. Wright says he uses this tool to track down Cisco access points that are broadcasting in the area.
After locating his prey, it's time to bring out the big gun: the Asleep tool. This application exploits the challenge/response technique used by a Cisco system when it is trying to authenticate a client connecting to the wireless network. "Challenge/response leaks information about the network," Wright bluntly notes.
This enables a tooled-up hacker to run a so-called "dictionary attack" against the LEAP system. Wright showed two data feeds where he ran massive lists of words -- and even numbers -- against the Maginot Line of the Cisco defenses. In minutes, even seconds, the Asleep tool had found the passwords it needed to gain access to the network.
After compromising the wireless LAN, Wright says, a hacker can often leap onto other parts of a network, because a user may well have the same password to access various directories and applications.
Wright says he informed Cisco about the flaw in LEAP several months ago. In response, the firm issued a brief warning on their Website and asked for more time before he released the tool to the public. Wright now says that the tool will be generally available in a couple of months.
"They've known about this for years -- and that's what really bothers me -- [that] I had to go and point it out to them," Wright says.
I don't think this is so much about the users. If you present them with the opportunity to utilize a stronger password and enforce it, they will. If you don't, they won't.
I agree 120% that stronger passwords need to be enforced. But this needs to be tempered with reality. We already subject end users to a ridiculous level of complexity. It's the ultimate piss off to make it hard for someone to get to their information. Remember, these systems are not ours. They belong to the end users. Us IT types are too arrogant about the fact that we have the keys to the car when someone else has the pink slip.
There are no security measures against dumb selection of passwords. Exhaustive search attacks can be made enormously difficult with the use of a 1024-bit (or more) non-repeating/random nonce, and using SHA-1 instead of MD5-based keyed MACs, but if even a small percentage of admins are DUMB enough to use dictionary words as passwords, it takes a small effort to build the list of SHA-1 hashes of all dictionary words offline, capture the LEAP (or any other auth) packets, encrypt the nonce and compare them, to beat any "well-designed" security system.
The Solution: It should be "Mandatory" to select mixed-case alphanumeric passwords, and use of punctuation characters should always be "Recommended"; otherwise strong cryptography cannot take you any further in protecting your network assets from Hackers.
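As an added example (not from the article or any of the commenters), here is a password-policy check along the lines this comment proposes: mixed-case alphanumeric is mandatory, punctuation is only recommended, and anything that normalises to a dictionary word is rejected, because an offline dictionary attack on captured challenge/response pairs never trips a server-side lockout, so the password itself is the control. The sample wordlist and the variant multiplier in the guess-space estimate are constructed assumptions.

```python
import string

# Constructed stand-in for a real dictionary file (assumption for the demo).
SAMPLE_DICTIONARY = {"password", "wireless", "cisco", "summer", "welcome", "secret"}
PUNCTUATION = set(string.punctuation)
# Common leet substitutions an offline wordlist would expand anyway.
LEET = str.maketrans("@0134$5!", "aoleassi")


def normalize(candidate: str) -> str:
    """Undo the usual 'Word2003' / 'p@ssw0rd' tweaks so they still count as
    dictionary words: lower-case, drop trailing digits, then un-leet."""
    return candidate.lower().rstrip(string.digits).translate(LEET)


def check_password_policy(candidate: str, dictionary=SAMPLE_DICTIONARY):
    """Return (mandatory_failures, recommendations).

    Mandatory: upper-case, lower-case and a digit, and not a dictionary word.
    Recommended: punctuation, as the comment suggests."""
    failures, advice = [], []
    if not any(c.isupper() for c in candidate):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if normalize(candidate) in dictionary:
        failures.append("dictionary word (with digit/leet variations removed)")
    if not any(c in PUNCTUATION for c in candidate):
        advice.append("add punctuation characters")
    return failures, advice


def guess_space(candidate: str, dictionary=SAMPLE_DICTIONARY) -> int:
    """Rough size of the space an offline attacker must search: the wordlist
    times an assumed 1000 variants per word if the password is a dictionary
    word, otherwise the product of the character classes actually used.
    Illustrative only; real cracking tools are smarter than this."""
    if normalize(candidate) in dictionary:
        return len(dictionary) * 1000
    classes = 0
    if any(c.islower() for c in candidate):
        classes += 26
    if any(c.isupper() for c in candidate):
        classes += 26
    if any(c.isdigit() for c in candidate):
        classes += 10
    if any(c in PUNCTUATION for c in candidate):
        classes += len(PUNCTUATION)
    return classes ** len(candidate)
```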
The problem here isn't really that passwords are poor (which can be a problem anywhere passwords are used) but that it is easy to tell when and where passwords are sent. Discovering stored password hashes on an OS is one thing, but a secure network protocol should completely obscure the authentication process, making it impossible to even tell where the hash occurs in the data stream. If this tool can pull encrypted passwords out of the ether and attack them at leisure, this is a serious problem.
I have been told that this was done offline. Is this true? If so does that mean you can capture traffic during an authentication attempt and then use the dictionary attack offline to get the username/password and therefore bypass any password policy that would disable an account after a number of failed login attempts?
I am sure we'd all like to keep an eye on this tool. Could there already exist a little more description of the vulnerability? So far, this sounds like nothing more than a weakness in the passwords themselves, whose risk admins can reduce by using (and forcing their users to use) strong passwords, not typically found by dictionary attacks. I also suppose Cisco development could use the approach of revoking access for specific (by MAC address perhaps) possible attackers who tried more than a (customizable) number of wrong passwords?