Security Basics mailing list archives

Re: In secured office building, "Free Public WiFi" network shows up out of nowhere


From: "Steven Adair" <steven () securityzone org>
Date: Tue, 19 Jun 2007 18:03:19 -0400 (EDT)

This all sounds fine and reasonable to me.  The SSID you are describing is
a pretty common one that you will run into all over -- at work, the
airport, coffee shop, etc.  It definitely sounds like a wireless that is
configured with ad-hoc mode turned on and is most likely broadcasting out
without the owner's knowledge.  It might not be a laptop though.  It could
just as easily be a PDA or phone of some sort.  You might want to take the
MAC address you got and check it here:

http://standards.ieee.org/regauth/oui/index.shtml

See what it comes back with.  If it returns that it's a company that only
makes PDAs, then you have at least narrowed down the device.  You should
be able to track down the device by the signal strength though.  I've
tracked down many machines in ad-hoc mode with AirMagnet in the past.  The
signal will get into the 90's and perhaps reach 100 when it's within a few
feet.  It is most likely a misconfigured device.  It's not unheard of, but
pretty rare for an ad-hoc device to actually be there for malicious
intent.  It's much more likely someone would target this device for
network access (think ethernet cable plugged in but wireless still on) or
access to the machine itself.

Steven
securityzone.org

This scenario occurred this morning- any suggestions or insights are
appreciated, as are any comments as to my handling of this.

I'm a Security Specialist for a medium sized company. I have only
been working in security for 2 months. There are no other
Security Specialists here. I report to our Manager of Information
Security, who is out of town on business. I work in a 6 floor office
building which we own completely. We lease the second floor to a computer
training center. We do not permit our employees to use any wireless
networks, and we do not have any access points. Ad hoc connection is
prevented through group policy. All of our laptops are XP SP2. Up until
today, I have never seen an available wireless network here.

Periodically I check to make sure that no one has installed an
unauthorized WAP. This morning I fired up NetStumbler and found that a
network named "Free Public WiFi" was not only available, but available at
full strength. This was listed as a peer to peer network, so I assumed
that the network was actually being broadcast from another wireless device
(laptop). This network was listed as being wide open with no required key
and no encryption. The originating point definitely appears to be coming
from within my building, but I haven't been able to determine exactly
where.

I immediately checked the MAC address of the wireless SSID to make sure
that it didn't belong to one of my company assets. It did not.

I then connected to the network with my laptop. I was not assigned an IP
address, rather Windows gave me one of the default 169.254 APIPA
addresses. I then sniffed packets for over an hour. I felt justified in
doing this, to make sure that none of my company's equipment was
connecting to this network. I found no network activity whatsoever.

Finally, I ran a ping sweep against the 169.254.x.x subnet to make sure
that none of my company's equipment was connected to this network. The
ping sweep returned only my laptop and one other device. I checked the
other device's MAC address in my inventory and verified that it too was
not our equipment.

I then summarized all of my investigation and sent it to my boss in an
email. I suggested that this network does not appear to be malicious at
this time and offered to take more action pending his recommendation. I
believe that this network probably belongs to someone at the computer
training center on our second floor playing around.

Do you all feel that these were appropriate actions? The only other
possible action I considered regarding this would be to contact the
training center on the second floor and ask them about this. What do you
all think?

As always, your feedback is appreciated.

Thanks,
-Shawn
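
Added example (not part of either message): a Python triage of an observed
MAC address along the lines both messages describe, checking it against the
asset inventory and then against an OUI table. The OUI entries, vendor names,
inventory and addresses are constructed; a real check would load the IEEE
registry data instead of SAMPLE_OUI.

```python
import re

# Constructed sample data: not real registry entries or real assets.
SAMPLE_OUI = {
    "001122": "Example Handheld Co. (constructed)",
    "00AABB": "Example Laptop Corp. (constructed)",
}
INVENTORY = ["00-11-22-AA-BB-CC", "00aa.bb01.0203"]


def normalize(mac):
    """Return the MAC as 12 upper-case hex digits, whatever separators it used."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def triage(mac, inventory, oui_table):
    """Classify one observed MAC: own asset, vendor prefix, address type."""
    digits = normalize(mac)
    first_octet = int(digits[:2], 16)
    # Bit 0x02 of the first octet marks a locally administered address.
    # An ad-hoc (IBSS) BSSID is generated this way, so it has no vendor
    # prefix; look up the station's own source MAC instead.
    local = bool(first_octet & 0x02)
    # Bit 0x01 marks a group (multicast/broadcast) address, not a device.
    group = bool(first_octet & 0x01)
    vendor = None
    if not local and not group:
        vendor = oui_table.get(digits[:6], "not in table")
    return {
        "mac": digits,
        "in_inventory": digits in {normalize(m) for m in inventory},
        "locally_administered": local,
        "group_address": group,
        "vendor": vendor,
    }


if __name__ == "__main__":
    # Constructed observations: an ad-hoc BSSID and a station MAC.
    for seen in ("02:1a:2b:3c:4d:5e", "00:11:22:33:44:55"):
        print(triage(seen, INVENTORY, SAMPLE_OUI))
```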



