Windows Wireless Flaw a Danger to Laptops

[David Farber <dave () farber net>]

Begin forwarded message:

From: Brian Randell <Brian.Randell () ncl ac uk>
Date: January 15, 2006 2:20:10 PM EST
To: dave () farber net
Subject: Windows Wireless Flaw a Danger to Laptops

Hi Dave:

A colleague just alerted me to this - I assume that you'll have  
already been sent it by some other IPer, but just in case . . . .

Cheers

Brian

Full story at: http://blogs.washingtonpost.com/securityfix/

> Windows Wireless Flaw a Danger to Laptops
>
> At the ShmooCon gathering in Washington, D.C., today, old-school  
> hacker and mischief maker Mark "Simple Nomad" Loveless released  
> information on a staggeringly simple but very dangerous wireless  
> security problem with a feature built into most laptop computers  
> running any recent version of the Microsoft Windows operating system.
>
> Laptops powered by Windows XP or Windows 2000 with built-in  
> wireless capabilities (these includes most laptops on the market  
> today) are configured so that when the user opens up the machine or  
> turns it on, Windows looks for any available wireless connections.  
> If the laptop cannot link up to a wireless network, it creates  
> what's known as an ad-hoc "link local address," a supposed "private  
> network" that assigns the wireless card a network address of  
> 169.254.x.x (the Xs represent a random number between 1 and 254).
> Shmoocon_002
>
> Microsoft designed this portion of Windows so that the address  
> becomes associated with the name or "SSID" of the last wireless  
> network from which the user obtained a real Internet address. The  
> laptop then broadcasts the name of that network out to other  
> computers within a short range of the machine (which may vary  
> depending a number of things, including the quality of the laptop's  
> embedded network card and things that may obstruct the signal, like  
> walls, e.g.).
>
> What Loveless found was that by creating a network connection on  
> his computer that matches the name of the network the target  
> computer is broadcasting, the two computers could be made to  
> associate with one another on the same link local network,  
> effectively allowing the attacker to directly access the victim's  
> machine.
>
> I followed Loveless up to his hotel room to get a first hand  
> example of how this attack would work. I set up an ad hoc wireless  
> network connection on my Windows XP laptop named "hackme." Within a  
> few seconds of hitting "Ok," to create the network, my laptop was  
> assigned a 169.254.x.x address. A few seconds later, Loveless could  
> see my computer sending out a beacon saying it was ready to accept  
> connections from other computers that might also have the "hackme"  
> network pre-configured on their machines. Loveless then created an  
> ad hoc network with the same name, and told his computer to go  
> ahead and connect to "hackme." Viola! His machine was assigned a  
> different 169.254.x.x address and we both verified that we could  
> send data packets back forth to each other's computer.
>
> Here's the really freaky part about all this: No more than five  
> minutes after I had deleted the "hackme" network ID from my laptop,  
> Loveless and I spotted the same network name being broadcast from  
> another computer that didn't belong to either of us. Turns out,  
> someone else at the hacker conference was trying to join the fun.
> . . .
> Whoops. Anyway, you might be wondering now how you can make sure  
> your Windows laptop is protected from this.....er, feature. First  
> of all, if you are running any kind of network firewall --  
> including the firewall that comes built in to Windows XP -- you  
> won't have to worry about some stranger connecting to your laptop.  
> In fact, I had to shut down my firewall for both of us to  
> successfully conduct our test.
>
> Also, many laptops have a button you can push that disables the  
> built-in wireless feature until you hit that button again. Turning  
> off the wireless connection when you are not using it also prevents  
> this from being a problem.
> . . .
> As a sidenote, Loveless described in delicious detail for a rapt  
> audience at ShmooCon how he used the trick on various airline  
> flights to gain access to Windows machines that other passengers  
> were using.  Referring to a previous conversation he had with  
> Jennifer Grannick, a lawyer who represents accused hackers (and who  
> also gave this morning's ShmooCon keynote), Loveless said he  
> believes that since the attacks were mostly carried while the plane  
> was over international waters that U.S. law enforcement might have  
> a hard time making the case that he was violating any laws. The  
> real answer to that very interesting question, he said, would  
> probably not be evident until someone gets sued in court for it.

--
School of Computing Science, University of Newcastle, Newcastle upon  
Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell () ncl ac uk   PHONE = +44 191 222 7923
FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/~brian.randell/


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/