Cisco Systems has announced the availability, in its wireless Lan products, of a protocol designed to defeat brute-force dictionary attacks that capture users' passwords.
The company has urged end users and systems administrators to download the related patch from its website.
Joshua Wright, a systems engineer and deputy director of training at the SANS Institute, developed an automated dictionary-attack tool last year which could be used against Cisco's Lightweight Extensible Authentication Protocol, known as Leap.
According to Cisco, Wright released the attack tool last week.
A dictionary attack is a method in which an attacker automatically tries millions of candidate passwords against a captured password database until a match is found.
Chris Bolinger, manager of wireless Lan product marketing at Cisco, said the company's new protocol defeats dictionary attacks by sending credentials through an encrypted tunnel. The patch is relatively easy to install, Bolinger said, and it updates wireless Lan client software on a notebook or laptop computer.
Cisco announced the availability of the protocol, called the Extensible Authentication Protocol-Flexible Authentication via Secure Tunnelling (EAP-Fast), and made it available to the Internet Engineering Task Force in February.
Bolinger said he expected other wireless Lan suppliers to incorporate EAP-Fast into their security offerings.
Wright said that he believed EAP-Fast is a better authentication solution than Cisco's proprietary Leap.
But "I am not yet convinced it is completely secure," he said, recommending that users migrate to the Protected Extensible Authentication Protocol, which is also available from Cisco, since it is a more established protocol.
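As an added illustration of the migration Wright recommends (not code from the article, Cisco or Wright), the following script audits client-side wireless profiles for authentication methods that expose credentials to offline guessing. It assumes the client uses a wpa_supplicant-style configuration, which the article does not mention; the configuration text is constructed for the example. Leap profiles are flagged for migration, tunnelled methods such as EAP-Fast and PEAP pass, and EAP-Fast profiles that rely on anonymous in-band PAC provisioning are flagged for review, since that provisioning mode is the part of EAP-Fast most often cited as needing care.

```python
import re

# Constructed wpa_supplicant.conf content for the example (not from the article).
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="alice"
}
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=FAST
    phase1="fast_provisioning=2"
    pac_file="/etc/wpa_supplicant/corp.pac"
    identity="alice"
}
network={
    ssid="lab-fast"
    key_mgmt=WPA-EAP
    eap=FAST
    phase1="fast_provisioning=1"
    identity="alice"
}
network={
    ssid="guest-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
}
"""

# Methods whose password exchange can be captured and guessed offline.
WEAK_EAP = {"LEAP"}
# Methods that carry the credential inside a TLS tunnel, or use certificates.
STRONG_EAP = {"FAST", "PEAP", "TTLS", "TLS"}


def parse_networks(conf_text):
    """Parse each network={...} block into a dict of key -> value (quotes stripped)."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        entry = {}
        for line in block.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def fast_uses_anonymous_provisioning(net):
    """True when phase1 asks for anonymous (unauthenticated) PAC provisioning: modes 1 or 3."""
    m = re.search(r"fast_provisioning=(\d)", net.get("phase1", ""))
    return m is not None and m.group(1) in ("1", "3")


def audit(conf_text):
    """Return a list of (ssid, eap, verdict) for every EAP-based network block."""
    findings = []
    for net in parse_networks(conf_text):
        eap = net.get("eap")
        if eap is None:
            continue
        # wpa_supplicant allows a space-separated list of EAP methods.
        methods = set(eap.upper().split())
        if methods & WEAK_EAP:
            verdict = "MIGRATE"
        elif "FAST" in methods and fast_uses_anonymous_provisioning(net):
            verdict = "REVIEW"
        elif methods <= STRONG_EAP:
            verdict = "OK"
        else:
            verdict = "REVIEW"
        findings.append((net.get("ssid", "?"), eap, verdict))
    return findings


if __name__ == "__main__":
    for ssid, eap, verdict in audit(SAMPLE_CONF):
        print(f"{ssid:12} {eap:6} {verdict}")
```

The audit is deliberately conservative: anything it does not recognise lands in REVIEW rather than OK, so an unusual method list is looked at by a person instead of being silently accepted.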
Wright said the source code and a Windows executable for his dictionary attack tool are available at asleap.sourceforge.net.
Bob Brewin writes for Computerworld