more on good advice Windows Wireless Flaw a Danger to Laptops

[David Farber <dave () farber net>]

Begin forwarded message:

From: Christian Huitema <huitema () windows microsoft com>
Date: January 15, 2006 8:32:16 PM EST
To: dave () farber net, ip () v2 listbox com
Subject: RE: [IP] Windows Wireless Flaw a Danger to Laptops

The article is somewhat imprecise. It mentions Windows 2000 and Windows
XP as if the wireless support was identical, but Microsoft does not
provide a "wireless autoconfiguration" service for Windows 2000. On this
system, the wireless configuration is typically managed by third party
client, often provided by the maker of the wireless card. Even on
Windows XP, the original Microsoft software is often replaced by a third
party client provided by the make of the wireless card, or the maker of
the computer, or in some case a wireless service provider. The behavior
of these clients is quite diverse.

The rules for managing wireless configuration in Windows XP were
tightened a lot by the successive service packs. The paper presents the
danger of a specific behavior, in which the wireless client remembers
the name of the last network to which it was connected, and then
broadcast an invitation to join an ad hoc network of the same name. That
behavior is not present in Windows XP SP2. Also, the wireless software
distinguishes between "infrastructure" networks, and "ad hoc" or
"computer to computer" network. The attack in a plane reported in the
article just does not work if you have installed XP/SP2 and are using
the Microsoft client.

That being said, it is fairly easy to trick computers into connecting to
various wireless networks. Take the example of a computer configured to
connect to "starbucks". It will automatically establish a connection
every time you enter a Starbucks establishment, which is the expected
behavior. But a hacker sets up a "pirate" access point and names it
"starbucks", the computer will also automatically connect. Computers
have not yet learned how to smell the coffee...

If you are carrying a Windows laptop and connecting to multiple wireless
services, you should really be using XP/SP2, and you should definitely
enable the firewall!

-- Christian Huitema




> -----Original Message-----
> From: David Farber [mailto:dave () farber net]
> Sent: Sunday, January 15, 2006 12:36 PM
> To: ip () v2 listbox com
> Subject: [IP] Windows Wireless Flaw a Danger to Laptops
>
>
>
> Begin forwarded message:
>
> From: Brian Randell <Brian.Randell () ncl ac uk>
> Date: January 15, 2006 2:20:10 PM EST
> To: dave () farber net
> Subject: Windows Wireless Flaw a Danger to Laptops
>
> Hi Dave:
>
> A colleague just alerted me to this - I assume that you'll have
> already been sent it by some other IPer, but just in case . . . .
>
> Cheers
>
> Brian
>
> Full story at: http://blogs.washingtonpost.com/securityfix/
>
> > Windows Wireless Flaw a Danger to Laptops
> >
> > At the ShmooCon gathering in Washington, D.C., today, old-school
> > hacker and mischief maker Mark "Simple Nomad" Loveless released
> > information on a staggeringly simple but very dangerous wireless
> > security problem with a feature built into most laptop computers
> > running any recent version of the Microsoft Windows operating
system.
> > Laptops powered by Windows XP or Windows 2000 with built-in
> > wireless capabilities (these includes most laptops on the market
> > today) are configured so that when the user opens up the machine or
> > turns it on, Windows looks for any available wireless connections.
> > If the laptop cannot link up to a wireless network, it creates
> > what's known as an ad-hoc "link local address," a supposed "private
> > network" that assigns the wireless card a network address of
> > 169.254.x.x (the Xs represent a random number between 1 and 254).
> > Shmoocon_002
> >
> > Microsoft designed this portion of Windows so that the address
> > becomes associated with the name or "SSID" of the last wireless
> > network from which the user obtained a real Internet address. The
> > laptop then broadcasts the name of that network out to other
> > computers within a short range of the machine (which may vary
> > depending a number of things, including the quality of the laptop's
> > embedded network card and things that may obstruct the signal, like
> > walls, e.g.).
> >
> > What Loveless found was that by creating a network connection on
> > his computer that matches the name of the network the target
> > computer is broadcasting, the two computers could be made to
> > associate with one another on the same link local network,
> > effectively allowing the attacker to directly access the victim's
> > machine.
> >
> > I followed Loveless up to his hotel room to get a first hand
> > example of how this attack would work. I set up an ad hoc wireless
> > network connection on my Windows XP laptop named "hackme." Within a
> > few seconds of hitting "Ok," to create the network, my laptop was
> > assigned a 169.254.x.x address. A few seconds later, Loveless could
> > see my computer sending out a beacon saying it was ready to accept
> > connections from other computers that might also have the "hackme"
> > network pre-configured on their machines. Loveless then created an
> > ad hoc network with the same name, and told his computer to go
> > ahead and connect to "hackme." Viola! His machine was assigned a
> > different 169.254.x.x address and we both verified that we could
> > send data packets back forth to each other's computer.
> >
> > Here's the really freaky part about all this: No more than five
> > minutes after I had deleted the "hackme" network ID from my laptop,
> > Loveless and I spotted the same network name being broadcast from
> > another computer that didn't belong to either of us. Turns out,
> > someone else at the hacker conference was trying to join the fun.
> > . . .
> > Whoops. Anyway, you might be wondering now how you can make sure
> > your Windows laptop is protected from this.....er, feature. First
> > of all, if you are running any kind of network firewall --
> > including the firewall that comes built in to Windows XP -- you
> > won't have to worry about some stranger connecting to your laptop.
> > In fact, I had to shut down my firewall for both of us to
> > successfully conduct our test.
> >
> > Also, many laptops have a button you can push that disables the
> > built-in wireless feature until you hit that button again. Turning
> > off the wireless connection when you are not using it also prevents
> > this from being a problem.
> > . . .
> > As a sidenote, Loveless described in delicious detail for a rapt
> > audience at ShmooCon how he used the trick on various airline
> > flights to gain access to Windows machines that other passengers
> > were using.  Referring to a previous conversation he had with
> > Jennifer Grannick, a lawyer who represents accused hackers (and who
> > also gave this morning's ShmooCon keynote), Loveless said he
> > believes that since the attacks were mostly carried while the plane
> > was over international waters that U.S. law enforcement might have
> > a hard time making the case that he was violating any laws. The
> > real answer to that very interesting question, he said, would
> > probably not be evident until someone gets sued in court for it.
>
> --
> School of Computing Science, University of Newcastle, Newcastle upon
> Tyne,
> NE1 7RU, UK
> EMAIL = Brian.Randell () ncl ac uk   PHONE = +44 191 222 7923
> FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/~brian.randell/
>
>
> -------------------------------------
> You are subscribed as huitema () windows microsoft com
> To manage your subscription, go to
>   http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting-
> people/


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/