of Mac and Men

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Thu Apr 9 22:51:50 CEST 2009



Paul Bartell wrote:
> Right. It's better to give crackers less information versus more,
> so others do not get login credentials. Though, if certificates
> were properly implemented, there would be mutual authentication

Exactly. The only attacks I know of that can be easily implemented
rely on administrator/user ignorance/stupidity.

For example some administrators tell users to explicitly uncheck the
'Validate Server Certificate' check box in their supplicants (I've
actually seen this in eduroam documentation *shudder*). The result
(depending on the EAP method used) is that when an attacker comes
along with an AP broadcasting the same SSID as trusted wireless
infrastructure, users (or their supplicant software) hand credentials
over, no questions asked.

With PEAPv0, the inner method (MSCHAPv2) is insecure, which is why it's
wrapped in a TLS tunnel. If you strip off the TLS tunnel, MSCHAPv2
becomes trivial to break.

EAP itself is not insecure, but is susceptible to exactly the same
kind of 'phishing' attacks used with other methods that rely on a user
entering a userid and password (possibly more so, as many supplicants
will cache credentials).

Arran

>
> On Tue, Apr 7, 2009 at 8:12 AM, Arran Cudbard-Bell
> <a.cudbard-bell at sussex.ac.uk> wrote:
> Paul Bartell wrote:
>>>> I too have had weird behavior on macs. I just ended up using
>>>> mac-address authentication (due to insecurities in EAP. (or
>>>> possibly rumored, I haven't seen a paper on it yet))
> Wait what... You went to MAC-based authentication because you
> thought EAP was insecure?
>
> Ohh, are you referring to the scaremongering 'The Register' was
> doing last year? Because of course, anyone with a hacked copy of
> FreeRADIUS can steal all your users' credentials!
>
>>>> On Tue, Apr 7, 2009 at 7:08 AM,  <A.L.M.Buxey at lboro.ac.uk>
>>>> wrote:
>>>>> Hi,
>>>>>
>>>>>> Have you actually traced the wireless traffic
>>>>>> (passively), are you sure it's the Macs at fault with
>>>>>> this one?
>>>>> as everything works fine on the same Mac when it runs Vista
>>>>> (yes, I know...) and works all okay on random PCs and
>>>>> PDAs/smartphones..the big greasy pointy finger is pointing
>>>>> decidedly at the OSX
>>>>>
>>>>> alan - List info/subscribe/unsubscribe? See
>>>>> http://www.freeradius.org/list/users.html
>>>>>
-- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
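The two supplicant-side choices the mail contrasts, as an added example that is not part of the original message or of FreeRADIUS: wpa_supplicant network blocks for a PEAPv0/MSCHAPv2 SSID, first with server-certificate validation effectively disabled, then with it enforced. The SSID, identities, password, CA file path and server name are placeholders, and `domain_suffix_match` needs a wpa_supplicant release newer than the ones current when this mail was written.

```conf
# Added example, not from the original mail. All values are placeholders.

# WEAK: no ca_cert and no server-name match. This is the supplicant
# equivalent of unchecking 'Validate Server Certificate'. Any AP that
# announces this SSID and fronts a RADIUS server with *some* certificate
# completes the outer TLS tunnel, and the supplicant then sends the
# MSCHAPv2 response to whoever is on the other end of it.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.ac.uk"
    password="correct horse battery staple"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust only the CA that issued the RADIUS server certificate,
# require the server's name to match, and keep the real username out of
# the unprotected outer identity. The MSCHAPv2 exchange now only happens
# inside a tunnel to an authenticated server, which is what PEAP relies on.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.ac.uk"
    anonymous_identity="anonymous@example.ac.uk"
    password="correct horse battery staple"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"        # placeholder path
    domain_suffix_match="radius.example.ac.uk"            # placeholder name
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

Other supplicants expose the same two controls under different names (a trusted CA and an expected server name); documentation that tells users to switch either of them off removes the only thing standing between the inner MSCHAPv2 exchange and a rogue AP.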
