For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Subscribe to
Computerworld 40 years of the most authoritative source of news and information for IT leaders.
Cisco warns its WLAN security can be cracked
or
Other Security Stories
|
|
|
|
October 02, 2003 (Computerworld) -- The proprietary security system used by Cisco Systems Inc. to protect wireless LANs widely deployed by enterprises can be defeated by a "dictionary attack" designed to crack passwords. To counter the security threat, the company is warning customers to institute strong password policies.
Cisco posted a security bulletin on its Web site on Aug. 7 about the vulnerability of its Lightweight Extensible Authentication Protocol (LEAP) to dictionary attacks, according to Ron Seide, product line manager in the company's wireless business unit.
In that bulletin, Cisco acknowledged the flaw and said, "As with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks. Creating a strong password policy is the most effective way to mitigate against dictionary attacks. This includes using strong passwords and periodically expiring passwords."
Seide said Cisco believes that LEAP can be made "relatively" secure with strong password policies, which can mitigate against dictionary attacks. He added that the company also has an upgrade path to help customers migrate from LEAP to its stronger Protected Extensible Authentication Protocol (PEAP) which uses one-time passwords and digital certificates. And he said Cisco has used its field sales force to tell customers about the potential problem since the security bulletin was posted.
But all customers may not have gotten the message. A Cisco reseller, who declined to be identified, said he hadn't been contacted by the Cisco field sales force and wasn't aware of the Aug. 7 security bulletin until contacted by Computerworld. And Mike Martell, systems manager for The Dingley Press in Lisbon, Maine, a catalog printer that has installed a Cisco WLAN in its warehouse, said he was unaware of the problem until asked about it by Computerworld. Martell, whose company is featured in a customer profile on Cisco's Web site, said the possibility of a successful dictionary attack -- which involves an assault against password protection by aiming huge amounts of words and numbers at a targeted system -- doesn't surprise him.
In the past, he said, such attacks could take years. Now, thanks to increased computer processing power, dictionary attacks can crack passwords in a matter of minutes. The only way to protect against such an attack, Martell said, is to use long password strings with unusual combinations of letters and numbers that create combinations "not found in the English language."
Joshua Wright, a systems engineer at Johnson & Wales University in Providence, R.I., yesterday demonstrated a dictionary attack against LEAP at a conference in New York sponsored by Unstrung, a Web site that reports on the wireless industry. According to Unstrung, Wright said the tool he used to conduct the attack would be made generally available in the next couple of months.
Wright couldn't be reached for comment.
Robin Gareiss, an analyst at New York-based Nemertes Research, said the LEAP vulnerability "damages Cisco's credibility" since the company has marketed it heavily as a secure system. According to a recent independent study done of the enterprise wireless LAN market by Nemertes, 46% of the IT executives surveyed said their companies use LEAP.
The LEAP problems could also affect Cisco's efforts to market to new customers, she said. According to Gareiss, a survey she conducted of 60 top executives from Fortune 500 companies showed that a number of those looking to deploy WLANs "were assessing Cisco products."
John Pescatore, an analyst at Gartner Inc. in Stamford, Conn., said that since any password-based scheme is vulnerable to dictionary attacks, Cisco may have to reconfigure LEAP to lock out potential hackers after three tries at a password.
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
 |
|
All Zones Application Performance Zone Enterprise-Class Security Zone Enterprise Solutions Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone The Data Center Management Zone |
 See your link here
|
 |
||||||||
| ||||||||
| ||||||||
| ||||||||
|
Long Tail Supplier Collaboration - What's In It For You? 
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
Get this white paper now!
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
- HP-EDS deal spurs range of customer reactions
- WiMax vs. Long Term Evolution: Let the battle begin
- FAQ: What does the HP-EDS deal really mean?
- More top stories
Security Management ZoneSecurity management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones
|
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day. New baits 
|
"Security Directions" virtual trade show2008's Code-Red Security Issues for Protecting the EnterpriseHundreds of your peers are currently in attendance. Enter our show right now! 10am- 6pm ET Today! Click here to enter
|
 In SecurityThere's plenty of talk about how to behave during a Customs search of your computer and gear, but Jon Espenschied's got tips for securing your data (and privacy) before you reach the border. Click here to read the latest column by Jon Espenschied |
 |
 |
Layered Security Solutions
Although basic network security issues have changed very little over the past decade, the
network security landscape has changed dramatically. Today's IT professionals still have the
primary responsibility of protecting the confidentiality of corporate information, preventing
unauthorized access, and defending the network against attacks. Security experts and analysts agree that a security solution comprised of multiple layers is the best defense against today's increasingly sophisticated attacks.Download this white paper
|
Universal Threat Management - Because Conventional UTM is Not Enough!
This white paper, written by Mark Bouchard of Missing Link Security Services, examines the challenges confronting today's enterprises with respect to managing threats on a network. It also discusses the need for "Universal Threat Management", which is a security solution approach for all physical locations within an enterprise that require threat protection.Download this white paper |
Selecting the Right Threat Management Solution
This short demo will guide you through key considerations for selecting a solution to manage threats on a network. Learn about the popularity of Unified Threat Management (UTM), and how it fits into an overall security solution. Explore critical elements of a network-wide solution for multisite and large network-size deployments and identify the four key features of a threat management solution.View this demo
|
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDG Connect
IDG World Expo
Infoworld
The Industry Standard
ITworld
JavaWorld
LinuxWorld
MacUser
Macworld
Network World
PC World
Playlist
Copyright © 2008 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission of Computerworld Inc. is prohibited.
Computerworld and Computerworld.com and the respective logos are
trademarks of International Data Group Inc.
|
