I'm aware of an attack on a bank which had implemented EAP, and had fun when a pen tester was simply getting domain login credentials without having to work much at all.
Could you maybe provide a rebuttal for this attack, and/or explain how to make it especially secure?

On Tue, Apr 7, 2009 at 8:28 AM, Alan DeKok <[email protected]> wrote:
> Arran Cudbard-Bell wrote:
>> Ohh, are you referring to the scaremongering 'The Register' was doing
>> last year? Because of course, anyone with a hacked copy of FreeRADIUS
>> can steal all your users' credentials!
>
> Unfortunately, people read his column, and believe him. They might
> also believe that he actually writes his own material.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Random quote of the week/month/whenever I get to updating it:
"Opportunity knocked. My doorman threw him out." - Adrienne Gusoff
"At school you don't get parole, good behavior only brings a longer sentence." - The History Boys
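The poster does not say how the pen tester got the credentials, and the thread offers no fix, so the following is an added example rather than anything from the thread or from the FreeRADIUS project. It assumes the usual way this happens in EAP deployments: a rogue access point fronting the attacker's own RADIUS server (the "hacked copy of FreeRADIUS" scenario quoted above), against clients that never check the server certificate, so the PEAP/MSCHAPv2 inner exchange runs against the attacker and hands over a domain username and challenge/response. The two wpa_supplicant network blocks below show a weak client profile beside a hardened one; the SSID, username, CA path and server name are placeholders.

```conf
# Added example, not from the thread or the FreeRADIUS project.
# SSID, identity, CA path and server name are placeholders.

# WEAK: no ca_cert and no server-name check. The supplicant completes the
# TLS tunnel with whatever server answers the EAP request and then sends
# the MSCHAPv2 response for "jdoe" inside that tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the expected server name. A server that
# presents any other certificate fails the TLS handshake before the inner
# MSCHAPv2 exchange starts, so no credential material leaves the client.
# anonymous_identity keeps the real username out of the cleartext outer
# EAP-Identity response.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous@example.com"
    password="hunter2"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

`domain_suffix_match` is available in wpa_supplicant 2.0 and later; the equivalent on Windows clients is the "Validate server certificate" and "Connect to these servers" settings in the PEAP profile, ideally pushed by group policy so users cannot click past a certificate warning. Pinning a private CA rather than a public one matters too: with a public CA, anyone who can buy a certificate from that CA for a name that passes the check has a valid server.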

