FRAMINGHAM (10/03/2003) - Cisco Systems Inc. this week said it plans to issue a new -- and better publicized -- warning about a security threat to its user authentication technology for wireless LANs, after it was told that a tool for attacking the software would be publicly released.
Cisco first disclosed in early August that its widely used Lightweight Extensible Authentication Protocol (LEAP) is vulnerable to so-called dictionary attacks aimed at recovering user passwords. The company posted a notice on its Web site and said its sales force was told to inform customers about the threat. But several Cisco users last week said they never got word of it.
Mike Wiesenberg, director of network services at Sharp HealthCare in San Diego, faulted Cisco for not taking "a more proactive" approach to notifying LEAP users of the potential for attacks. Wiesenberg said he doesn't check Cisco's Web site on a daily basis for security updates and was unaware of the Aug. 7 warning until he was contacted by Computerworld.
Sharp has a network of 8,000 computers spread across seven hospitals, six urgent-care centers and three affiliated medical groups. It uses both wired and wireless Cisco equipment, including about 200 WLAN access points. Wiesenberg said Sharp has always viewed LEAP as a transitional protocol for use until the 802.11i wireless security standard is finalized. Now he plans to explore alternatives to LEAP.
Mike Martell, systems manager at The Dingley Press, a Lisbon, Maine-based catalog printer that uses a Cisco WLAN in its warehouse, also said he didn't know about the potential problem with LEAP until last week. But Martell, whose company is featured in a customer profile on Cisco's Web site, said he wasn't surprised to hear that the security technology could be overcome by a dictionary attack.
Such attacks work against password-based schemes by trying large lists of candidate passwords, typically dictionary words and common word-and-number combinations, until one succeeds. Thanks to increases in processing power, some dictionary attacks can crack passwords in a matter of minutes, Martell said. He said users should use long passwords with odd combinations of letters and numbers.
Cisco made similar recommendations in the Aug. 7 warning, saying that IT managers can reduce the impact of dictionary attacks by mandating the use of "strong passwords" and ones that become invalid after a specified time period.
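The following Python example, added here to illustrate the two preceding paragraphs, is not code from the article, from Cisco, or from the attack tool described later in the story. It shows the shape of a dictionary attack against a password-based challenge/response exchange and a policy check in the spirit of Cisco's "strong passwords" advice. Everything in it is an assumption for illustration: the `CHALLENGE` value and `SAMPLE_WORDLIST` are constructed, `challenge_response` is a stand-in keyed hash rather than LEAP's real construction, and `is_strong_password` encodes one reasonable reading of the advice, not a Cisco-published rule.

```python
"""Dictionary attack against a captured challenge/response, plus a password
policy check.

Added illustration; not code from the article, from Cisco, or from the
attack tool it mentions. The response function is a stand-in (HMAC-SHA256
keyed with the password), NOT LEAP's real construction. What the example
shows is the attack's shape: given one captured challenge/response pair,
candidate passwords are tested one after another, limited only by how
fast the hardware can compute responses.
"""
import hashlib
import hmac
import string
from typing import Iterable, Iterator, Optional

# Constructed sample challenge, standing in for one captured from a WLAN.
CHALLENGE = bytes.fromhex("0123456789abcdef")

# Constructed sample wordlist; a real one holds millions of entries.
SAMPLE_WORDLIST = ["password", "letmein", "wireless", "hospital", "cisco", "warehouse"]


def challenge_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the protocol's keyed response (assumption, not LEAP's)."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def mangle(words: Iterable[str], max_suffix: int = 100) -> Iterator[str]:
    """Expand each word into the 'word plus number' variants users favour."""
    for word in words:
        yield word
        yield word.capitalize()
        for n in range(max_suffix):
            yield f"{word}{n}"
            yield f"{word.capitalize()}{n}"


def dictionary_attack(challenge: bytes, response: bytes,
                      candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that reproduces the captured response."""
    for guess in candidates:
        if hmac.compare_digest(challenge_response(guess, challenge), response):
            return guess
    return None


def is_strong_password(password: str, min_length: int = 12) -> bool:
    """Policy check in the spirit of the 'strong password' advice (assumed
    rule): long enough and mixing at least three character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def crack(password: str) -> Optional[str]:
    """Simulate capturing one exchange for `password`, then attack it."""
    captured = challenge_response(password, CHALLENGE)
    return dictionary_attack(CHALLENGE, captured, mangle(SAMPLE_WORDLIST))


if __name__ == "__main__":
    for pw in ("Wireless7", "hospital42", "m4Xj!p9Qz2#rT"):
        print(f"{pw!r}: strong={is_strong_password(pw)} recovered={crack(pw)!r}")
```

Running it shows the two short word-plus-digits passwords recovered from the small wordlist, while the longer mixed-character password is not; lengthening the wordlist or the suffix range only changes how long the loop runs, which is the point of the "more processing power" remark above.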
Ron Seide, product line manager at Cisco's wireless business unit, last week said his company believes LEAP is "relatively" secure if users follow good password management approaches. He added that Cisco also offers an upgrade path to help customers migrate from LEAP to its stronger Protected Extensible Authentication Protocol, which uses one-time passwords and digital certificates.
Seide said the second notice about the dictionary attack threat will have "more visibility" than the initial one did. Cisco will act "with all due haste" to notify users when it learns of specific plans to release the attack tool, he said. He added that the company will use multiple methods of communicating that to users, but he didn't provide details.
Cisco e-mails security alerts to its sales force as well as to its distributors and resellers, according to Seide. But he said that unlike Microsoft Corp., which lets its users sign up to get e-mail messages containing security-related information, Cisco has no easy way to capture the e-mail addresses of customers.
The threat facing LEAP-based systems was put under a spotlight last week after Joshua Wright, a systems engineer at Johnson & Wales University in Providence, R.I., demonstrated a dictionary attack against the Cisco technology at a conference in New York sponsored by Light Reading Inc. Wright couldn't be reached for comment. But according to sources who were in the audience, Wright said he planned to make the tool he used publicly available within a couple of months.
The University of British Columbia in Vancouver runs a WLAN with about 1,200 Cisco access points. Jonn Martell, who manages the WLAN, said the school decided to use virtual private network technology instead of LEAP because of concerns about dictionary attacks. Password-based systems are "fundamentally not the answer," he said.