Security Basics mailing list archives
RE: In secured office building, "Free Public WiFi" network shows up out of nowhere
From: <jbeauford () EightInOnePet com>
Date: Thu, 21 Jun 2007 09:25:47 -0400
Little more info:

http://edge.arubanetworks.com/article/how-wifi-ad-hoc-networks-are-zombies-or-free-public-wifi-phenomenon-0
http://erratasec.blogspot.com/2007/01/ad-hoc-wifi-virus.html

jmb

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Scott Ramsdell
Sent: Wednesday, June 20, 2007 12:07 PM
To: Kurt Buff; Shawn
Cc: security-basics () securityfocus com
Subject: RE: In secured office building, "Free Public WiFi" network shows up out of nowhere

If they are Windows based, and on your domain, then likely they registered their APIPA IP with your DNS server via DDNS. You may be able to find your hostname there.

Kind Regards,
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kurt Buff
Sent: Tuesday, June 19, 2007 5:26 PM
To: Shawn
Cc: security-basics () securityfocus com
Subject: Re: In secured office building, "Free Public WiFi" network shows up out of nowhere

I would have gone a bit further.

Since you probably don't have access to the machines in the training center I would start to cultivate a relationship with whoever their IT person is, and get to the point of asking, gently, politely, if they indeed have a wireless access point fired up.

However, I would assume that you have root/administrator privileges on all workstations in the spaces your company occupies (though perhaps not all servers - that would depend on your security policy.) Assuming they are Windows-based I would have run PSEXEC against them to find out their network setup, using 'ipconfig /all' and 'route print' to extract details of their network interfaces, etc.

Also, I would have gathered all of the arp caches and MAC address tables from your network devices to verify that the machine in question isn't directly attached to the network.

Lastly, highly-directional antennas are your friend. They're cheap, too.

Kurt

On 6/19/07, Shawn <swarzkopf () legolas sinnerz us> wrote:
This scenario occurred this morning - any suggestions or insights are appreciated, as are any comments as to my handling of this.

I'm a Security Specialist for a medium-sized company. I have only been working in security for 2 months. There are no other Security Specialists here. I report to our Manager of Information Security, who is out of town on business.

I work in a 6 floor office building which we own completely. We lease the second floor to a computer training center. We do not permit our employees to use any wireless networks, and we do not have any access points. Ad hoc connection is prevented through group policy. All of our laptops are XP SP2. Up until today, I have never seen an available wireless network here. Periodically I check to make sure that no one has installed an unauthorized WAP.

This morning I fired up NetStumbler and found that a network named "Free Public WiFi" was not only available, but available at full strength. This was listed as a peer to peer network, so I assumed that the network was actually being broadcast from another wireless device (laptop). This network was listed as being wide open with no required key and no encryption. The originating point definitely appears to be coming from within my building, but I haven't been able to determine exactly where.

I immediately checked the MAC address of the wireless SSID to make sure that it didn't belong to one of my company assets. It did not.

I then connected to the network with my laptop. I was not assigned an IP address, rather Windows gave me one of the default 169.254 APIPA addresses.

I then sniffed packets for over an hour. I felt justified in doing this, to make sure that none of my company's equipment was connecting to this network. I found no network activity whatsoever.

Finally, I ran a ping sweep against the 169.254.x.x subnet to make sure that none of my company's equipment was connected to this network. The ping sweep returned only my laptop and one other device. I checked the other device's MAC address in my inventory and verified that it too was not our equipment.

I then summarized all of my investigation and sent it to my boss in an email. I suggested that this network does not appear to be malicious at this time and offered to take more action pending his recommendation.

I believe that this network probably belongs to someone at the computer training center on our second floor playing around.

Do you all feel that these were appropriate actions? The only other possible action I considered regarding this would be to contact the training center on the second floor and ask them about this. What do you all think?

As always, your feedback is appreciated.

Thanks,
-Shawn
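
An added example, not part of the original thread: one way to triage the ARP caches Kurt suggests gathering against an asset inventory like the one Shawn checked by hand. It assumes the input is saved `arp -a` output from Windows workstations; the host names, addresses, MACs and inventory below are constructed.

```python
import ipaddress
import re

# Constructed sample: saved `arp -a` output keyed by (hypothetical) host name.
SAMPLE = {
    "WS-014": """Interface: 10.20.4.14 --- 0x2
  Internet Address      Physical Address      Type
  10.20.4.1             02-00-00-00-10-01     dynamic
  10.20.4.255           ff-ff-ff-ff-ff-ff     static
""",
    "LT-031": """Interface: 10.20.4.31 --- 0x2
  Internet Address      Physical Address      Type
  10.20.4.1             02-00-00-00-10-01     dynamic

Interface: 169.254.77.12 --- 0x3
  Internet Address      Physical Address      Type
  169.254.201.9         02-00-00-00-99-c4     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
""",
}
INVENTORY = {"02:00:00:00:10:01"}  # constructed list of company-owned MACs

IFACE = re.compile(r"^Interface:\s+(\S+)")
ENTRY = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I)

def parse_arp(text):
    """Yield (interface_ip, neighbor_ip, mac) for each unicast ARP entry."""
    iface = None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif iface and (m := ENTRY.match(line)):
            mac = m.group(2).lower().replace("-", ":")
            if int(mac[:2], 16) & 1:  # group bit: broadcast/multicast, not a device
                continue
            yield iface, m.group(1), mac

def triage(caches, inventory):
    """Return (host, iface, neighbor, mac, on_apipa, unknown_mac) rows worth a look."""
    findings = []
    for host, text in caches.items():
        for iface, ip, mac in parse_arp(text):
            on_apipa = ipaddress.ip_address(iface).is_link_local  # 169.254.0.0/16
            unknown = mac not in inventory
            if on_apipa or unknown:
                findings.append((host, iface, ip, mac, on_apipa, unknown))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE, INVENTORY):
        print(row)
```

A row with both flags set means a company machine holds an APIPA address on some interface and has resolved a neighbor that is not in inventory, which is the situation the ping sweep in the original post was checking for.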