<<< Date Index >>>     <<< Thread Index >>>

[IP] more on good advice Windows Wireless Flaw a Danger to Laptops





Begin forwarded message:

From: Christian Huitema <huitema@xxxxxxxxxxxxxxxxxxxxx>
Date: January 15, 2006 8:32:16 PM EST
To: dave@xxxxxxxxxx, ip@xxxxxxxxxxxxxx
Subject: RE: [IP] Windows Wireless Flaw a Danger to Laptops

The article is somewhat imprecise. It mentions Windows 2000 and Windows
XP as if the wireless support was identical, but Microsoft does not
provide a "wireless autoconfiguration" service for Windows 2000. On this
system, the wireless configuration is typically managed by third party
client, often provided by the maker of the wireless card. Even on
Windows XP, the original Microsoft software is often replaced by a third
party client provided by the make of the wireless card, or the maker of
the computer, or in some case a wireless service provider. The behavior
of these clients is quite diverse.

The rules for managing wireless configuration in Windows XP were
tightened a lot by the successive service packs. The paper presents the
danger of a specific behavior, in which the wireless client remembers
the name of the last network to which it was connected, and then
broadcast an invitation to join an ad hoc network of the same name. That
behavior is not present in Windows XP SP2. Also, the wireless software
distinguishes between "infrastructure" networks, and "ad hoc" or
"computer to computer" network. The attack in a plane reported in the
article just does not work if you have installed XP/SP2 and are using
the Microsoft client.

That being said, it is fairly easy to trick computers into connecting to
various wireless networks. Take the example of a computer configured to
connect to "starbucks". It will automatically establish a connection
every time you enter a Starbucks establishment, which is the expected
behavior. But a hacker sets up a "pirate" access point and names it
"starbucks", the computer will also automatically connect. Computers
have not yet learned how to smell the coffee...

If you are carrying a Windows laptop and connecting to multiple wireless
services, you should really be using XP/SP2, and you should definitely
enable the firewall!

-- Christian Huitema




-----Original Message-----
From: David Farber [mailto:dave@xxxxxxxxxx]
Sent: Sunday, January 15, 2006 12:36 PM
To: ip@xxxxxxxxxxxxxx
Subject: [IP] Windows Wireless Flaw a Danger to Laptops



Begin forwarded message:

From: Brian Randell <Brian.Randell@xxxxxxxxx>
Date: January 15, 2006 2:20:10 PM EST
To: dave@xxxxxxxxxx
Subject: Windows Wireless Flaw a Danger to Laptops

Hi Dave:

A colleague just alerted me to this - I assume that you'll have
already been sent it by some other IPer, but just in case . . . .

Cheers

Brian

Full story at: http://blogs.washingtonpost.com/securityfix/

Windows Wireless Flaw a Danger to Laptops

At the ShmooCon gathering in Washington, D.C., today, old-school
hacker and mischief maker Mark "Simple Nomad" Loveless released
information on a staggeringly simple but very dangerous wireless
security problem with a feature built into most laptop computers
running any recent version of the Microsoft Windows operating
system.

Laptops powered by Windows XP or Windows 2000 with built-in
wireless capabilities (these includes most laptops on the market
today) are configured so that when the user opens up the machine or
turns it on, Windows looks for any available wireless connections.
If the laptop cannot link up to a wireless network, it creates
what's known as an ad-hoc "link local address," a supposed "private
network" that assigns the wireless card a network address of
169.254.x.x (the Xs represent a random number between 1 and 254).
Shmoocon_002

Microsoft designed this portion of Windows so that the address
becomes associated with the name or "SSID" of the last wireless
network from which the user obtained a real Internet address. The
laptop then broadcasts the name of that network out to other
computers within a short range of the machine (which may vary
depending a number of things, including the quality of the laptop's
embedded network card and things that may obstruct the signal, like
walls, e.g.).

What Loveless found was that by creating a network connection on
his computer that matches the name of the network the target
computer is broadcasting, the two computers could be made to
associate with one another on the same link local network,
effectively allowing the attacker to directly access the victim's
machine.

I followed Loveless up to his hotel room to get a first hand
example of how this attack would work. I set up an ad hoc wireless
network connection on my Windows XP laptop named "hackme." Within a
few seconds of hitting "Ok," to create the network, my laptop was
assigned a 169.254.x.x address. A few seconds later, Loveless could
see my computer sending out a beacon saying it was ready to accept
connections from other computers that might also have the "hackme"
network pre-configured on their machines. Loveless then created an
ad hoc network with the same name, and told his computer to go
ahead and connect to "hackme." Viola! His machine was assigned a
different 169.254.x.x address and we both verified that we could
send data packets back forth to each other's computer.

Here's the really freaky part about all this: No more than five
minutes after I had deleted the "hackme" network ID from my laptop,
Loveless and I spotted the same network name being broadcast from
another computer that didn't belong to either of us. Turns out,
someone else at the hacker conference was trying to join the fun.
. . .
Whoops. Anyway, you might be wondering now how you can make sure
your Windows laptop is protected from this.....er, feature. First
of all, if you are running any kind of network firewall --
including the firewall that comes built in to Windows XP -- you
won't have to worry about some stranger connecting to your laptop.
In fact, I had to shut down my firewall for both of us to
successfully conduct our test.

Also, many laptops have a button you can push that disables the
built-in wireless feature until you hit that button again. Turning
off the wireless connection when you are not using it also prevents
this from being a problem.
. . .
As a sidenote, Loveless described in delicious detail for a rapt
audience at ShmooCon how he used the trick on various airline
flights to gain access to Windows machines that other passengers
were using.  Referring to a previous conversation he had with
Jennifer Grannick, a lawyer who represents accused hackers (and who
also gave this morning's ShmooCon keynote), Loveless said he
believes that since the attacks were mostly carried while the plane
was over international waters that U.S. law enforcement might have
a hard time making the case that he was violating any laws. The
real answer to that very interesting question, he said, would
probably not be evident until someone gets sued in court for it.


--
School of Computing Science, University of Newcastle, Newcastle upon
Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell@xxxxxxxxx   PHONE = +44 191 222 7923
FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/~brian.randell/


-------------------------------------
You are subscribed as huitema@xxxxxxxxxxxxxxxxxxxxx
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-
people/


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/