RE: In secured office building, "Free Public WiFi" network shows up out of nowhere

["David Gillett" <gillettdavid () fhda edu>]

  I see this all the time on our campuses.

  Digging a bit, I invariably find that what I'm seeing is 
*clients* trying to find a service by that name -- and
failing, because it isn't here.

  My working theory is that these clients have learned of 
such a service while being used off-campus, and so are
checking for it as part of finding out what's available.

  Bottom Line -- Unless they're getting a connection
established, nothing for me to worry about.  Unless this
shows up on one of our machines that never leaves the 
campus....

David Gillett


> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Shawn
> Sent: Tuesday, June 19, 2007 1:27 PM
> To: security-basics () securityfocus com
> Subject: In secured office building, "Free Public WiFi" 
> network shows up out of nowhere
>
> This scenario occurred this morning- any suggestions or 
> insights are appreciated, as are any comments as to my 
> handling of this.
>
> I'm a Security Specialist for a medium sized company. I have 
> only been working in security for 2 months. There are no 
> other Security Specialists here. I report to our Manager of 
> Information Security, who is out of town on business. I work 
> in a 6 floor office building which we own completely. We 
> lease the second floor to a computer training center. We do 
> not permit our employees to use any wireless networks, and we 
> do not have any access points. Ad hoc connection is prevented 
> through group policy. All of our laptops are XP SP2. Up until 
> today, I have never seen an available wireless network here.
>
> Periodically I check to make sure that no one has installed 
> an unauthorized WAP. This morning I fired up NetStumbler and 
> found that a network named "Free Public WiFi" was not only 
> available, but available at full strength. This was listed as 
> a peer to peer network, so I assumed that the network was 
> actually being broadcast from another wireless device 
> (laptop). This network was listed as being wide open with no 
> required key and no encryption. The originating point 
> definitely appears to be coming from within my building, but 
> I haven't been able to determine exactly where.
>
> I immediatley checked the MAC address of the wireless SSID to 
> make sure that it didn't belong to one of my company assets. 
> It did not.
>
> I then connected to the network with my laptop. I was not 
> assigned an IP address, rather Windows gave me one of the 
> default 169.254 APIPA addresses. I then sniffed packets for 
> over an hour. I felt justified in doing this, to make sure 
> that none of my companies equipment was connecting to this network.
> I found no network activity whatsoever.
>
> Finally, I ran a ping sweep against the 169.254.x.x subnet to 
> make sure that none of my companies equipment were connected 
> to this network. The ping sweep returned only my laptop and 
> one other device. I checked the other device's MAC address in 
> my inventory and verified that it too was not our equipment.
>
> I then summarized all of my investigation and sent it to my 
> boss in an email. I suggested that this network does not 
> appear to be malicious at this time and offered to take more 
> action pending his recommendation. I believe that this 
> network probably belongs to someone at the computer training 
> center on our second floor playing around.
>
> Do you all feel that these were appropriate actions? The only 
> other possible action I considered regarding this would be to 
> contact the training center on the second floor and ask them 
> about this. What do you all think?
>
> As always, your feedback is appreciated.
>
> Thanks,
> -Shawn