Cisco warns its WLAN security can be cracked
The company has urged customers to implement strong password policies
Computerworld - The proprietary security system used by Cisco Systems Inc. to protect wireless LANs widely deployed by enterprises can be defeated by a "dictionary attack" designed to crack passwords. To counter the security threat, the company is warning customers to institute strong password policies.
Cisco posted a security bulletin on its Web site on Aug. 7 about the vulnerability of its Lightweight Extensible Authentication Protocol (LEAP) to dictionary attacks, according to Ron Seide, product line manager in the company's wireless business unit.
In that bulletin, Cisco acknowledged the flaw and said, "As with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks. Creating a strong password policy is the most effective way to mitigate against dictionary attacks. This includes using strong passwords and periodically expiring passwords."
Seide said Cisco believes that LEAP can be made "relatively" secure with strong password policies, which can mitigate against dictionary attacks. He added that the company also has an upgrade path to help customers migrate from LEAP to its stronger Protected Extensible Authentication Protocol (PEAP) which uses one-time passwords and digital certificates. And he said Cisco has used its field sales force to tell customers about the potential problem since the security bulletin was posted.
But all customers may not have gotten the message. A Cisco reseller, who declined to be identified, said he hadn't been contacted by the Cisco field sales force and wasn't aware of the Aug. 7 security bulletin until contacted by Computerworld. And Mike Martell, systems manager for The Dingley Press in Lisbon, Maine, a catalog printer that has installed a Cisco WLAN in its warehouse, said he was unaware of the problem until asked about it by Computerworld. Martell, whose company is featured in a customer profile on Cisco's Web site, said the possibility of a successful dictionary attack -- which involves an assault against password protection by aiming huge amounts of words and numbers at a targeted system -- doesn't surprise him.
In the past, he said, such attacks could take years. Now, thanks to increased computer processing power, dictionary attacks can crack passwords in a matter of minutes. The only way to protect against such an attack, Martell said, is to use long password strings with unusual combinations of letters and numbers that create combinations "not found in the English language."
Joshua Wright, a systems engineer at Johnson & Wales University in Providence, R.I., yesterday demonstrated a dictionary attack against LEAP at a conference in New York sponsored by Unstrung, a Web site that reports on


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Driving Secure Enterprise File Sharing and Syncing in the Enterprise
- GroupLogic's new activEcho is the industry's only secure Enterprise File Sharing and Synching solution that balances the need for simplicity for the end...
- The Enterprise File Sharing Option
- Enterprises and IT departments need to address several critical security issues when considering file sharing and syncing products. Many of today's solutions do...
- Security Strategies to Virtualizing Internet-Facing Applications
- The IT organization at Intel has set a goal to transition their enterprise to a private cloud for their Office and Enterprise applications....
- Cloud Security Planning Guide
- Cloud security considerations span protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different...
- Cloud Security Vendor Round Table
- This vendor round table guide will help you to evaluate different cloud technology vendors and service providers based on a series of questions... All Security White Papers
- Live Webcast
Data Privacy and Protection in Production Environments: New Research from Ponemon Institute - Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Security Certifications 101 - BlackBerry and all those acronyms what do they mean and why they matter?
- FIPS, Common Criteria, CAPS, AISEP, NFC, NIST, Fraunhofer SIT, CESG, DSD - these are just some of the government and industry certifications which...
- BlackBerry PlayBook OS 2.0 Security Overview
- The presentation provides an overview of BlackBerry PlayBook OS 2.0 security capabilities and features, including: BlackBerry® Balance™ technology, BlackBerry® Bridge, data-at-rest protection, and...
- BlackBerry NFC Security Overview
- The presentation on NFC security will provide an overview of the security protections built into the BlackBerry platform to protect users, application developers...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts