Message-ID: <AD1BE98A2FADEA49ADBF5B4AC79B799404D4F191@edxmb1.jdnet.deere.com>
From: WilliamsJonathan at JohnDeere.com (Williams Jon)
Subject: Cisco LEAP exploit tool...

Well, that depends.  For example, if you aren't using some form of
strong authentication (i.e. smart cards, SecurID tokens, etc.) then it's
possible for someone to steal a laptop, use something like Cain (from
the package Cain & Abel) to extract their password from the registry.
With that and a known wireless laptop, the attacker can then access your
whole network from the parking lot (or the neighbor's house, or 7 miles
away, etc.)

While the same password vulnerability exists for non-wireless
environments, it does mean that the attacker would have to have physical
access to the building to use the credentials.

Jon 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Paul
Schmehl
Sent: Wednesday, April 14, 2004 12:42 PM
To: Email List: Full Disclosure
Subject: Re: [Full-Disclosure] Cisco LEAP exploit tool...

--On Wednesday, April 14, 2004 09:17:56 AM -0500 Ron DuFresne
<dufresne@...ternet.com> wrote:
>
> All wireless traffic should be treated as unsecured, and pushed 
> through a DMZ/encryption tunneled setup.  Putting wireless APs 
> directly on the LAN is a major blunder.
>
Well, that really depends, doesn't it.  We're doing IPSEC using AES for
wireless on a test network.  It's a good deal more secure than our wired
network, which is still plain text.

Or did you just assume that everyone is using WEP?

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html