Re: MSCHAP V2 completely broken

2012-07-31 Thread Kurt Buff
I'd think that Wireless folks should move away from MSCHAP entirely,
and move to something like EAP-TLS.

Which, BTW, I'm setting up for our network right now, but I'm not
finding the docs I need for the Cisco 1240AG units that we're using.
More searching and asking questions...

Kurt

On Tue, Jul 31, 2012 at 5:47 PM, Kennedy, Jim wrote:
> Apparently this MS-CHAP vulnerability has been around a while. It's been broken 
> for some time, just wasn't practical to break the hash. What Moxie did was 
> add the ability to bust the hash in the cloud, making it faster and easier. In 
> a PPTP situation grabbing that MS-CHAP hash en route is not easily done. The 
> risk is there (always has been) and PPTP users should move away as soon as 
> practical; PPTP is legacy and now less secure than ever. But no need to panic 
> about this one, imho.
>
> Wireless MS-CHAPv2 folks should make their clients validate the RADIUS server 
> cert before passing the hash.
>
> Disclaimer: The above is paraphrasing my source who was at Moxie's talk on 
> this at Defcon.
> 
> From: Ben Scott [mailvor...@gmail.com]
> Sent: Tuesday, July 31, 2012 11:51 AM
> To: NT System Admin Issues
> Subject: Re: MSCHAP V2 completely broken
>
> On Tue, Jul 31, 2012 at 11:40 AM, Matthew W. Ross wrote:
>> I don't follow the crypto world, so is there an alternative crypto for PPTP 
>> available? Just curious.
>
>   It's not so much PPTP as Microsoft's various attempts at
> authentication/key exchange methods that are broken.  But for VPNs,
> the rest of the world seems to have gone in the direction of IPsec-
> and SSL-based solutions.  OpenVPN is SSL-based, and Win 2000 and later
> support an IPsec-based VPN.
>
>   This is prolly more significant for places that are using MS-CHAP
> for wireless/network authentication.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

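Jim's advice quoted above, make the client validate the RADIUS server certificate before it sends the MS-CHAPv2 response, corresponds to a handful of settings in a Windows PEAP profile. As an added example (not code from the thread, and not Microsoft's), the Go program below audits an exported profile for the settings that leave that check off or let the user click past it. The element names follow the Windows PEAP profile XML (the MsPeapConnectionPropertiesV1/V2 schema as written by "netsh wlan export profile") as I know it, and both sample profiles are constructed; treat the names as an assumption to confirm against a real export before relying on the checker.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Element names assumed from the Windows PEAP profile schema; namespaces are
// deliberately left off the tags so the same struct reads a bare EapHostConfig
// or one embedded in a full WLANProfile export.
type eapHostConfig struct {
	Config struct {
		Eap struct {
			Type    int `xml:"Type"` // 25 = PEAP, 13 = EAP-TLS
			EapType struct {
				ServerValidation struct {
					DisableUserPrompt bool     `xml:"DisableUserPromptForServerValidation"`
					ServerNames       string   `xml:"ServerNames"`
					TrustedRootCA     []string `xml:"TrustedRootCA"`
				} `xml:"ServerValidation"`
				PeapExtensions struct {
					PerformServerValidation *bool `xml:"PerformServerValidation"`
				} `xml:"PeapExtensions"`
			} `xml:"EapType"`
		} `xml:"Eap"`
	} `xml:"Config"`
}

// findEapHostConfig scans any XML document for the first EapHostConfig element.
func findEapHostConfig(doc string) (*eapHostConfig, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err != nil {
			return nil, err // io.EOF here means no EapHostConfig element was found
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Local == "EapHostConfig" {
			var cfg eapHostConfig
			if err := dec.DecodeElement(&cfg, &se); err != nil {
				return nil, err
			}
			return &cfg, nil
		}
	}
}

// AuditPEAPProfile lists the settings that would let a supplicant send its
// MS-CHAPv2 response to a rogue RADIUS server. An empty list is a pass.
func AuditPEAPProfile(doc string) ([]string, error) {
	cfg, err := findEapHostConfig(doc)
	if err != nil {
		return nil, err
	}
	if cfg.Config.Eap.Type != 25 {
		return nil, fmt.Errorf("outer EAP type %d is not PEAP", cfg.Config.Eap.Type)
	}
	sv := cfg.Config.Eap.EapType.ServerValidation
	var findings []string
	if p := cfg.Config.Eap.EapType.PeapExtensions.PerformServerValidation; p != nil && !*p {
		findings = append(findings, "PerformServerValidation=false: server certificate is never checked")
	}
	if !sv.DisableUserPrompt {
		findings = append(findings, "DisableUserPromptForServerValidation=false: user can click through an unknown server cert")
	}
	if strings.TrimSpace(sv.ServerNames) == "" {
		findings = append(findings, "ServerNames empty: any cert from a trusted CA is accepted, whatever its name")
	}
	if len(sv.TrustedRootCA) == 0 {
		findings = append(findings, "TrustedRootCA empty: any root CA in the machine store is accepted")
	}
	return findings, nil
}

// Constructed sample profiles, not real exports. The weak one is the
// "just connect" setup; the hardened one pins the server name and root CA.
const WeakProfile = `<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation>
<PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
</EapType></Eap></Config></EapHostConfig>`

const HardenedProfile = `<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames>radius.example.com</ServerNames><TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA></ServerValidation>
<PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation></PeapExtensions>
</EapType></Eap></Config></EapHostConfig>
</EAPConfig></OneX></security></MSM></WLANProfile>`

func main() {
	for _, p := range []struct{ name, doc string }{{"weak", WeakProfile}, {"hardened", HardenedProfile}} {
		findings, err := AuditPEAPProfile(p.doc)
		fmt.Printf("%s profile: %d finding(s) %v err=%v\n", p.name, len(findings), findings, err)
	}
}
```

DisableUserPromptForServerValidation is the setting most often left at false: a user who sees the "can't verify the server's identity" prompt and clicks Connect has handed the MS-CHAPv2 response to whatever answered the association. With all four settings in place, an access point that cannot present a certificate for radius.example.com chained to the pinned root never gets a challenge/response pair to capture.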


RE: MSCHAP V2 completely broken

2012-07-31 Thread Kennedy, Jim
Apparently this MS-CHAP vulnerability has been around a while. It's been broken 
for some time, just wasn't practical to break the hash. What Moxie did was add 
the ability to bust the hash in the cloud, making it faster and easier. In a 
PPTP situation grabbing that MS-CHAP hash en route is not easily done. The risk is 
there (always has been) and PPTP users should move away as soon as practical; 
PPTP is legacy and now less secure than ever. But no need to panic about this 
one, imho.

Wireless MS-CHAPv2 folks should make their clients validate the RADIUS server cert 
before passing the hash.

Disclaimer: The above is paraphrasing my source who was at Moxie's talk on this 
at Defcon.

From: Ben Scott [mailvor...@gmail.com]
Sent: Tuesday, July 31, 2012 11:51 AM
To: NT System Admin Issues
Subject: Re: MSCHAP V2 completely broken

On Tue, Jul 31, 2012 at 11:40 AM, Matthew W. Ross wrote:
> I don't follow the crypto world, so is there an alternative crypto for PPTP 
> available? Just curious.

  It's not so much PPTP as Microsoft's various attempts at
authentication/key exchange methods that are broken.  But for VPNs,
the rest of the world seems to have gone in the direction of IPsec-
and SSL-based solutions.  OpenVPN is SSL-based, and Win 2000 and later
support an IPsec-based VPN.

  This is prolly more significant for places that are using MS-CHAP
for wireless/network authentication.

-- Ben




Re: MSCHAP V2 completely broken

2012-07-31 Thread Kurt Buff
Not really - PPTP is what it is.

Time to move to IPsec, or perhaps OpenVPN.

Kurt

On Tue, Jul 31, 2012 at 8:40 AM, Matthew W. Ross wrote:
> I don't follow the crypto world, so is there an alternative crypto for PPTP 
> available? Just curious.
>
>
> --Matt Ross
> Ephrata School District
>
>
> - Original Message -
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
> Sent: Tue, 31 Jul 2012 08:20:39 -0800
> Subject: MSCHAP V2 completely broken
>
>
>>  http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
>>
>> This affects both PPTP and WPA-Enterprise (if configured to use MSCHAP).
>>
>> PPTP has been known weak since 1999, and this just pounds the last
>> nail in its coffin.
>>
>> Kurt
>>


Re: MSCHAP V2 completely broken

2012-07-31 Thread Ben Scott
On Tue, Jul 31, 2012 at 11:40 AM, Matthew W. Ross wrote:
> I don't follow the crypto world, so is there an alternative crypto for PPTP 
> available? Just curious.

  It's not so much PPTP as Microsoft's various attempts at
authentication/key exchange methods that are broken.  But for VPNs,
the rest of the world seems to have gone in the direction of IPsec-
and SSL-based solutions.  OpenVPN is SSL-based, and Win 2000 and later
support an IPsec-based VPN.

  This is prolly more significant for places that are using MS-CHAP
for wireless/network authentication.

-- Ben



Re: MSCHAP V2 completely broken

2012-07-31 Thread Matthew W. Ross
I don't follow the crypto world, so is there an alternative crypto for PPTP 
available? Just curious.


--Matt Ross
Ephrata School District


- Original Message -
From: Kurt Buff [mailto:kurt.b...@gmail.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Tue, 31 Jul 2012 08:20:39 -0800
Subject: MSCHAP V2 completely broken


>  http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
> 
> This affects both PPTP and WPA-Enterprise (if configured to use MSCHAP).
> 
> PPTP has been known weak since 1999, and this just pounds the last
> nail in its coffin.
> 
> Kurt
> 