[ISN] Hospitals back off Cisco LEAP security for WLANs

From: InfoSec News (isn@private)
Date: Sun Oct 19 2003 - 22:23:45 PDT


    http://www.computerworld.com/securitytopics/security/story/0,10801,86189,00.html
    
    Story by Bob Brewin 
    OCTOBER 17, 2003 
    COMPUTERWORLD 
    
    For some health care IT managers, Cisco Systems Inc.'s wireless LAN
    authentication protocol's vulnerability to attacks aimed at
    discovering passwords is reinforcing the importance of developing
    multilayered approaches to securing their networks.
    
    Several users this week said they have already adopted or plan to
    install a mix of WLAN authentication and encryption protocols to
    ensure that their companies comply with the data privacy requirements
    of the federal Health Insurance Portability and Accountability Act.
    
    Chris Lenaghen, a network engineer at St. Alphonsus Regional Medical
    Center in Boise, Idaho, said he views Cisco's Lightweight Extensible
    Authentication Protocol (LEAP) as "a temporary solution" until the
    hospital can install an updated version of Novell Inc.'s Extend
    Director software.
    
    The Novell software supports the Lightweight Directory Access Protocol
    (LDAP), which Lenaghen said should make it harder for malicious
    hackers to run so-called dictionary attacks against the hospital's
    WLAN. St. Alphonsus will speed up its move from LEAP to LDAP because
    of the Cisco technology's vulnerability, Lenaghen said.
    
    Cisco disclosed in early August that LEAP could be compromised by
    dictionary attacks. At a conference earlier this month, Joshua Wright,
    a systems engineer at Johnson & Wales University in Providence, R.I.,
    demonstrated such an attack using a tool he developed. In an interview
    this week, Wright said he plans to make the attack tool publicly
    available in February.
    
    Gene Gretzer, a senior analyst and project leader for access
    technologies at St. Luke's Episcopal Health System in Houston, said
    the health care provider uses LEAP to help secure 100 wireless
    access-point devices made by Cisco. But St. Luke's also controls WLAN
    access through a database of Media Access Control (MAC) addresses and
    use of the Advanced Encryption Standard.
    
    Miami Children's Hospital in Coral Gables, Fla., has taken a layered
    approach to WLAN security as well, said Alex Naveira, its chief
    information security officer. In addition to LEAP, the hospital is
    using MAC address authentication and 128-bit Secure Sockets Layer
    encryption.
    
    Ron Seide, product line manager at Cisco's wireless business unit,
    agreed that many organizations need stronger authentication
    capabilities than LEAP provides.
    
    He said Cisco recommends that such users install the Protected
    Extensible Authentication Protocol (PEAP), which relies on digital
    certificates to control network access. PEAP was co-developed by
    Cisco, Microsoft Corp. and RSA Security Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


