Computerworld - Joshua Wright, the systems engineer who created a tool that targets wireless LANs protected by Cisco Systems Inc.'s Lightweight Extensible Authentication Protocol (LEAP), said he did so to demonstrate the ease with which dictionary attacks against the protocol can crack user passwords.
Wright said Cisco users should "be aware of the risks that exist by using the LEAP protocol." He said he plans to release the attack tool, which he has dubbed ASLEAP, in February, although he declined to say how he would make it available.
The tool uses a challenge-and-response methodology built into LEAP to obtain the information needed to mount a dictionary attack, according to Wright. He then uses a 100GB electronic dictionary that includes various languages to discover passwords, a process that Wright said can be done in a matter of seconds.
The dictionary also includes common permutations that end users and IT managers use in their attempts to make passwords attackproof, such as substituting the number zero for the letter O. Wright, who emphasized that his work on ASLEAP has nothing to do with his job at Johnson & Wales College in Providence, R.I., said he told Cisco about the Linux-based attack tool during the summer.
Cisco subsequently posted a notice on its Web site about the threat to LEAP. Ron Seide, product line manager at Cisco's wireless business unit, said that when Wright releases ASLEAP and the threats "move to a higher level," the company will be quick to warn users about the protocol.
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
