Re: [Full-Disclosure] Cisco LEAP exploit tool...

[Chris Adams <chris@xxxxxxxxxxxxxx>]

On Apr 14, 2004, at 19:43, Aditya, ALD [Aditya Lalit Deshmukh] wrote:
> > Well, that really depends, doesn't it.  We're doing IPSEC using AES 
> > for
> > wireless on a test network.  It's a good deal more secure than our 
> > wired
> > network, which is still plain text.
>
> this sure is plain text but when combined with switches ( yes i know 
> they can be degraded to act like hubs ) it is not broadcasting any 
> info. so unless the intruder manages to get a physical wire in the net 
> it is *very* secure

Or gets access to a machine with a physical connection - a very nice 
way of upgrading from a single compromised client. Picture what would 
happen if the next email worm included an active password-collection 
feature.

This issue has become rather repetitive - we've gone through how many 
different revisions of wireless network security now? All of them have 
had flaws and those flaws have been more serious than they should have 
been because everyone was working under the same fundamental 
misconception that trusting the network is ever a good idea.

Consider how much more secure the average user would be if all of the 
time wasted on various wireless security systems had instead been spent 
enabling the strong end-to-end encryption already included in most 
common services.

Chris

Attachment: smime.p7s
Description: S/MIME cryptographic signature