Wireless local area network (LAN) products from Cisco Systems are under fire again after the release of a software tool exploiting an old vulnerability, but the company says it has a new protocol that fixes the problem.
Earlier this week, the networking company acknowledged a previously discovered vulnerability in its Lightweight Extensible Authentication Protocol (LEAP) that makes it easier for hackers to launch dictionary attacks to guess common passwords used to access wireless LANs. The company is now recommending that customers use a new security protocol called EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) , which it said helps reduce this threat.
Dictionary attacks, which run through a massive file of words until finding a password match, threaten every form of password control. But the problem with LEAP let hackers greatly reduce the number of possible password matches, thus making the dictionary attacks faster and easier, said Joshua Wright, a security expert who alerted Cisco to the vulnerability. What"s more, LEAP also allowed hackers to try their password matches offline, giving them ample time and access to hunt for matches. Last August, Wright, who works for the SANS Institute network security group, discovered the LEAP vulnerabilities, and he developed a tool, called ASLEAP, to exploit them. After contacting Cisco, Wright agreed to hold onto the tool until Cisco developed an alternative authentication protocol and notified customers of the risks associated with using LEAP.