did you know?
- If you need help after following the setup instructions on this website, you can attend one of ITS' free NYURoam Wireless Workshops for hands-on help. To register, visit the ITS Classes pages.
Validate New 'nyu' Security Certificate
January 4, 2008
If you are using the newer 'nyu' wireless network for accessing NYURoam, you will soon be presented with a dialog box asking you to validate a new server certificate. Simply accept the new certificate and log on as usual. No further action is necessary, and you will not need to validate the certificate again until 2009.
(The annual VeriSign security certificate used as part of the authentication process when accessing NYURoam via 'nyu' is set to expire on January 23 and is being replaced by a new certificate, to provide continuing security for the 'nyu' access path. For more about 'nyu' and NYURoam, see http://www.nyu.edu/its/wireless/configure/.)
Update: LEAP Security
January 23, 2006
The potential security vulnerability regarding the Lightweight Extensible Authentication Protocol (LEAP) described below became a reality in April 2004. To protect yourself from this security threat, ITS recommends that people using LEAP either switch to VPN or start using a strong password immediately. If you have recently updated your password to meet ITS' once-a-year password security requirements, you are very unlikely to become a victim of this vulnerability.
Security Alert for People Using a LEAP Client
(Cisco & Macintosh Wireless Cards)
February 11, 2004
A potential security vulnerability exists regarding the Lightweight Extensible Authentication Protocol (LEAP). This is the protocol used by most of NYURoam's Cisco clients and all Macintosh Airport clients. Please note that people who use Virtual Private Network (VPN) clients to access the NYURoam wireless network are not affected by this vulnerability.
What is the nature of this vulnerability?
During initial communications between your wireless client and the NYURoam infrastructure, a challenge/response mechanism is used. It was recently discovered that a small portion of the information exchanged during this challenge/response process could be captured in transit and used in conjunction with a "dictionary attack"* tool to potentially guess what password is being used by an account or NetID.
What steps can I take to address this potential problem?
You have two options:
- The first is to continue using LEAP, but to protect yourself by making the password you use with your NetID "stronger". A strong password will help provide you with good protection against anyone who is trying to compromise your password. Here are some elements that make up a good password:
  - Your password must contain at least eight (8) characters. Of course, the longer the password the better.
  - The password must contain a mixture of alphanumeric characters and symbols (e.g., $ ! # @ *).
  - It must contain at least one number and one symbol. The more numbers and symbols the better.
  - Avoid using actual words; use a variation on a word (e.g., instead of "tiger" use "tygur" or "tiegur").
  - Also avoid substituting letters with similar-looking numbers (e.g., t1ger, pa55word, sch00l, etc.).
  - Lastly, dictionary attacks are not limited to the English language. Using words from a foreign language provides you no additional protection.

  For additional password tips, please see: http://www.nyu.edu/its/security/passwords/.
- Your second option is to change the way you connect to NYURoam. All people with Cisco NICs or Macintosh Airport running any version of Macintosh OS X may use the VPN client distributed by ITS. To acquire, install and configure the software, follow the instructions at: http://www.nyu.edu/its/wireless/configure/vpn.html.
Note: ITS does not distribute a VPN client for the Macintosh OS 9.x platform. There is, however, a commercially available client you can purchase should you choose to use VPN to access NYURoam. Additional information is available at: http://www.apani.com/vpnclients.html.
It is our understanding that there is a software/firmware modification forthcoming which will directly address the LEAP vulnerability. ITS will continue to monitor this situation and take all steps necessary to protect your transmitted data from being compromised.
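The strong-password criteria listed under the first option above can be checked mechanically. The following is an added example, not ITS code: the function name, the small wordlist and the look-alike substitution table are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption). A real check would load a large
# multilingual dictionary, since the advisory notes that dictionary attacks
# are not limited to English.
WORDLIST = {"tiger", "password", "school", "maison", "hund"}

# Look-alike swaps of the kind the advisory warns against (t1ger, pa55word,
# sch00l). This table is an illustrative assumption, not an exhaustive list.
LOOKALIKE = str.maketrans({
    "1": "i", "0": "o", "5": "s", "3": "e", "4": "a", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def password_problems(password, wordlist=WORDLIST):
    """Return the advisory's criteria that the password fails (empty = OK)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no symbol")

    lowered = password.lower()
    normalized = lowered.translate(LOOKALIKE)  # undo look-alike swaps
    for word in sorted(wordlist):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
        elif word in normalized:
            problems.append(f"look-alike substitution of '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the advisory's own bad examples.
    for candidate in ["t1ger", "pa55word!", "Maison#2004", "tygur#4Qzx!"]:
        print(candidate, "->", password_problems(candidate) or "meets criteria")
```

A password that passes this check only satisfies the listed criteria; it is a screening aid, not a measure of how long the password would resist guessing.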
* Dictionary Attack: A method used to break security systems, specifically password-based security systems, in which the attacker systematically tests all possible passwords beginning with words that have a higher possibility of being used, such as names and places. The word "dictionary" refers to the attacker exhausting all of the words in a dictionary in an attempt to discover the password. Dictionary attacks are typically done with software instead of an individual manually trying each password. (Source: http://webopedia.com/)
Notice to People Using a VPN Client
September 10, 2003
NYU community members who are interested in accessing the NYURoam network using a VPN client should NOT purchase the following model of Network Interface Card (NIC): Linksys Wireless-B Notebook Adapter WPC11, Version 4.
It has come to our attention that this version of the Linksys NIC has a known problem interfacing with the Cisco VPN Concentrator (which is used in the NYURoam network). As a result, this card will not work with NYURoam straight out of the box (see below). Please note that Version 3 of this Linksys NIC has been tested and does work properly with NYURoam.
Resolved
September 11, 2003; Updated February 2, 2004
If you have already purchased the Linksys v.4 NIC and are having trouble connecting, please visit the Linksys website to download the updated driver for the NIC. Doing so will resolve the issue in question. If you need additional help, please contact the ITS Client Services Center (CSC):
- For help by phone: call 1-212-998-3333, M-F, 8:00 am - midnight; Sa-Su, noon-midnight
- For help in person: make an appointment by calling 1-212-998-3333. Location: 10 Astor Place, 4th floor, M-F, 9:00 am - 6:00 pm
Page last reviewed: March 14, 2007






