The proprietary security system used by Cisco Systems to
protect wireless Lans widely deployed by enterprises can be
defeated by a "dictionary attack" designed to crack passwords. To
counter the security threat, the company is warning customers to
institute strong password policies.
Cisco posted a security bulletin on its website on 7 August
about the vulnerability of its Lightweight Extensible
Authentication Protocol (Leap) to dictionary attacks, according to
Ron Seide, product line manager in the company's wireless business
unit.
In that bulletin, Cisco acknowledged the flaw and said, "As with
most password-based authentication algorithms, Cisco Leap is
vulnerable to dictionary attacks. Creating a strong password policy
is the most effective way to mitigate against dictionary attacks.
This includes using strong passwords and periodically expiring
passwords."
Seide said Cisco believed that Leap can be made "relatively"
secure with strong password policies, which can mitigate against
dictionary attacks.
He added that the company also has an upgrade path to help
customers migrate from Leap to its stronger Protected Extensible
Authentication Protocol (PEAP) which uses one-time passwords and
digital certificates. He also said Cisco has used its field sales
force to tell customers about the potential problem since the
security bulletin was posted.
However, some cutomers had not received the update. A Cisco
reseller said he had not been contacted by the Cisco field sales
force and was not aware of the security bulletin.
Mike Martell, systems manager for The Dingley Press, a catalogue
printer that has installed a Cisco WLan in its warehouse, said he
was also unaware of the problem.
Martell said the possibility of a successful dictionary attack -
which involves an assault against password protection by aiming
huge amounts of words and numbers at a targeted system - does not
surprise him.
In the past, he said, such attacks could take years. Now,
because of increased computer processing power, dictionary attacks
can crack passwords in a matter of minutes. The only way to protect
against such an attack, Martell said, is to use long password
strings with unusual combinations of letters and numbers that
create combinations "not found in the English language".
John Pescatore, an analyst at Gartner said, that since any
password-based scheme is vulnerable to dictionary attacks, Cisco
may have to reconfigure Leap to lock out potential hackers after
three tries at a password.
Bob Brewin writes for Computerworld