Slashdot Mirror


Windows Wireless Networking Flaw Identified

An anonymous reader writes "Washingtonpost.com is reporting from the 2nd annual Shmoocon hacker conference about the release of a previously undocumented vulnerability in Windows. The flaw takes advantage of a feature on Windows laptops that have wireless cards built-in. Security researcher Mark Loveless found that Windows laptops which cannot find a wireless connection are configured to broadcast the name of the last SSID they associated with. They assign themselves an ad-hoc 'link local' (think 169.254.x.x.) address, and an attacker can configure his machine to broadcast an SSID of the same name. Thus, the attacker associates with that 'network' and communicates directly with the victim's machine. The funny part from the Post blog entry is that Microsoft helped author the RFC for link local."

225 comments

  1. Class Action Lawsuite by matr0x_x · · Score: 1

    Are there ever class action lawsuits filed over large scale vulnerabilities like this?

    --
    LINUX ONLINE POKER: Linux Poker
    1. Re:Class Action Lawsuite by Philomathie · · Score: 2, Funny

      If that was possible the richest man in the world would be a lawyer...

    2. Re:Class Action Lawsuite by nurb432 · · Score: 3, Informative

      Ever read the EULA? You hold Microsoft not responsible by agreeing. So the answer would be no, no class action suits.

      --
      ---- Booth was a patriot ----
    3. Re:Class Action Lawsuite by julesh · · Score: 2, Insightful

      Ever read the EULA? You hold Microsoft not responsible by agreeing.

      Disclaimers of warranty are not necessarily legally binding. A decision in court would involve questions of how fair it is for MS to disclaim liability for this.

    4. Re:Class Action Lawsuite by Anonymous Coward · · Score: 0
      In no event shall Microsoft be liable for any damages whatsoever, even in the event of fault (including negligence).
      -- Windows XP Professional license agreement

      Sue Microsoft in court. Yeah, right. The U.S. government sued them, won the case, and Microsoft didn't suffer one bit. Good luck with that.

    5. Re:Class Action Lawsuite by TubeSteak · · Score: 1

      In Sony's rootkit class-action, part of the agreement is that Sony will not enforce a $5 limit on damages or the requirement that you sue them in New York.

      Two EULA clauses not being enforced.

      Sony = teh fscked

      --
      [Fuck Beta]
      o0t!
    6. Re:Class Action Lawsuite by Professor_UNIX · · Score: 2, Insightful

      This isn't a vulnerability, it's just how all network interfaces work on Windows. If you're really that paranoid then just disable the interface.

    7. Re:Class Action Lawsuite by Tony+Hoyle · · Score: 1

      Actually it is. It's not hard to write code that associates automatically with any laptops which are switched on but not currently associated to anything. Run that in a public place and you can have a browse around a few people's hard drives.

    8. Re:Class Action Lawsuite by rikkards · · Score: 2, Interesting

      I agree with what you are saying but the only thing that could become an issue is depending on how the laptop is configured (i.e. ICS is enabled), theoretically someone could use the wireless access that they have now acquired to get access to the rest of the network. I have seen with so many companies how the three top rules are ignored:
      1. No admin access with a user account. If the person is required in their job to need that level of access, create them an account that they can run the necessary app with.
      2. Utilize proxies to get access to the internet, no direct connection through the firewall. Reduces specific applications from getting out (oh and log everything)
      3. Patch your machines dammit. Hell using MS's SAS will make your job easier. Once you have tested to make sure it doesn't break anything then approve the patch for your users.

    9. Re:Class Action Lawsuite by MBHkewl · · Score: 1

      D00d! You read EULAs ?!!?

      --
      Mod points are a dangerous tool. Abuse them wisely.
    10. Re:Class Action Lawsuite by kfg · · Score: 2, Informative

      Ever read the EULA?

      By reading this you agree to stand on your head, cluck like a chicken and send me a Godzillion dollars.

      EULAs are like newspapers. Just because you read something in one doesn't make it so. You cannot be legally bound to that which is not legally binding, no matter how many times you click "I Agree." EULAs are wet dreams, not contracts.

      How do you find out if you are legally bound?

      Well, you file a lawsuit to put the matter before a judge, that's how.

      KFG

    11. Re:Class Action Lawsuite by Anonymous Coward · · Score: 2, Informative

      An EULA, however restricting, is not a legal document in many countries because it conflicts with the laws of that particular country.

      For example the Microsoft EULA that ships with every Microsoft product is in fact in violation of several laws in several EU countries but because no one has taken it to the court, it hasn't been deemed invalid.

      Naturally such a decision (to rule that EULA is invalid and people are entitled to compensation) would have long lasting and massive repercussions.

    12. Re:Class Action Lawsuite by AgentTim3 · · Score: 2, Interesting

      Disclaimers of warranty are not necessarily legally binding. A decision in court would involve questions of how fair it is for MS to disclaim liability for this.

      Unfortunately it's not even about fair. With regards to security, Windows is provided "AS IS". Show me one place where Microsoft even makes the slightest guarantee about security. The product was never engineered to be secure and barring a complete rewrite it never will be. They're not dumb, they know it's not very secure, and they don't advertise it as such. They don't need to "disclaim liability", the courts need to prove why it should be assigned to them in the first place.

      Anyone who has an expectation of security in Windows is a sucker, plain and simple. Think about the common excuses: "99% of our customers use it so we have to also." "We store all our data on it, it OUGHT to be secure." "It's too expensive to switch to something else." You choose to use Windows, you get what you pay for. If you failed to do proper research and just created an assumption of security inside your head, it's your own fault. Quit whining about it.

      Everyone wants to sue Microsoft just because they exploit human stupidity, and they're really good at it. Great use of the court system.

    13. Re:Class Action Lawsuite by saskboy · · Score: 2, Insightful

      What we'd need is a flaw in Windows that is damaging without a specialized attack program being involved. If there were something about Windows that needed repairing because you could just press Ctrl Alt Insert instead of Delete, and bypass the login for instance, then that would in my opinion qualify as being negligent enough for Microsoft to settle a lawsuit.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    14. Re:Class Action Lawsuite by Dave_bsr · · Score: 1

      Unfortunately it's not even about fair. With regards to security, Windows is provided "AS IS". Show me one place where Microsoft even makes the slightest guarantee about security. The product was never engineered to be secure and barring a complete rewrite it never will be. They're not dumb, they know it's not very secure, and they don't advertise it as such. They don't need to "disclaim liability", the courts need to prove why it should be assigned to them in the first place.

      Of course, all of the open source licenses include similar liability clauses. "We're giving this away for free. Don't sue us. Don't use it for anything you're not prepared to have it break, or guarantee yourself that it will work."

      --


      Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
    15. Re:Class Action Lawsuite by level_headed_midwest · · Score: 2, Insightful

      You mean like this:
      user@machine:~> gcc --version
      gcc (GCC) 4.0.2 20050901 (prerelease) (SUSE Linux)
      Copyright (C) 2005 Free Software Foundation, Inc.
      This is free software; see the source for copying conditions. There is NO
      warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

      --
      Just "gittin-r-done," day after day.
    16. Re:Class Action Lawsuite by discojohnson · · Score: 2, Informative

      I think you meant SMS. However, to exploit this flaw requires an awful lot of work. I would have to know which network you've been trying to connect to, then change my set up to be that. Then your settings in Windows would have to allow me to connect to you (no firewall, some other exploit that would take considerable time). People would have to be specifically targeted for this to work (minus the handful of people that have unrestricted access to their root shares and last connected to "linksys")

    17. Re:Class Action Lawsuite by drgreg911 · · Score: 1

      It's been awhile since I've installed Windows, but I seem to recall some of the install screens making claims as to the security of Windows XP.

    18. Re:Class Action Lawsuite by Anonymous Coward · · Score: 0

      Then what are all these "studies" M$ pays for that claims *#$dows is more secure than Linux, Unix, Mac, a rock, Fort Knox, etc

    19. Re:Class Action Lawsuite by poopdeville · · Score: 1

      Who cares if they suffer? I just want my millions.

      --
      After all, I am strangely colored.
    20. Re:Class Action Lawsuite by nurb432 · · Score: 1

      No, but our lawyers do.

      --
      ---- Booth was a patriot ----
    21. Re:Class Action Lawsuite by Anonymous Coward · · Score: 0

      This story is old. If you had half a brain you should have figured out this hole like 2 years ago.

    22. Re:Class Action Lawsuite by RetroGeek · · Score: 1

      Ok, but do even they understand them?

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
    23. Re:Class Action Lawsuite by fluffy99 · · Score: 1

      You mean like being able to hit "escape" at the Windows98 logon screen instead of entering a username/password? No network access, but you have full access to the local machine and W98 used a trivially reversible method to store users passwords (XOR'd with the number 7 as I recall).

    24. Re:Class Action Lawsuite by rikkards · · Score: 1

      Sorry I meant SUS which is Microsoft's implementation of the Windows Update service where admins can download and bless what patches their workstations will get. Definitely handy if set up and diligently administered.

      Looking at how many companies I have seen(including previous security companies that preach one thing but don't necessarily practice it) don't lock down their desktops who knows what could be done. It is (mostly) theoretical anyways assuming that specific things come together.

      Forgot 2 more important pieces of advice:
      4. Randomize the local admin password
      5. Add specific security group to the local Administrators that all workstation support admin accounts belong to.

    25. Re:Class Action Lawsuite by Zenix · · Score: 1
      Ever read the EULA? You hold Microsoft not responsible by agreeing. So the answer would be no, no class action suits.
      Of course not.
    26. Re:Class Action Lawsuite by bigpicture · · Score: 0

      What if the EULA was found to be non-enforceable (null and void) because of such a thing as duress or undue influence? You know the monopoly thing, you don't have a choice "duress"?

    27. Re:Class Action Lawsuite by Lars+T. · · Score: 1

      The richest man in the world studied law before he dropped out. Does that count?

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  2. I wonder... by layer3switch · · Score: 1

    I wonder how many "undocumented" flaws made it into the US-CERT vul. list.

    --
    "Don't let fools fool you. They are the clever ones."
    1. Re:I wonder... by Anonymous Coward · · Score: 0

      This is an interesting article, although they clearly made an error in research, as evidenced by the incorrect 6th item.

  3. That's cool by BishopSRQ · · Score: 3, Funny

    I think I will go test this out on my parents...

  4. Damn!!!! by Anonymous Coward · · Score: 4, Funny

    There goes my mobile botnet...

    1. Re:Damn!!!! by Anonymous Coward · · Score: 0

      Such a useful botnet, too, given none of them have Internet connections.

    2. Re:Damn!!!! by MaXiMiUS · · Score: 0

      Maybe he haxx0r3d their computers to have an internet connection. PS: Anybody who thinks that's even possible, please leave Slashdot immediately. Seriously.

      --
      It's never just a game when you're winning. - George Carlin
  5. Should be standard on all laptops and desktops by oilisgood · · Score: 5, Interesting

    Also, many laptops have a button you can push that disables the built-in wireless feature until you hit that button again. Turning off the wireless connection when you are not using it also prevents this from being a problem.

    Best advice in the article...

    1. Re:Should be standard on all laptops and desktops by tunah · · Score: 4, Funny

      I hope he's not referring to the power button.

      --
      Free Java games for your phone: Tontie, Sokoban
    2. Re:Should be standard on all laptops and desktops by Fnord666 · · Score: 1

      Saves on battery too. I don't know why you wouldn't turn off the wireless card when you weren't using it anyway.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    3. Re:Should be standard on all laptops and desktops by geobert · · Score: 1

      I use Trend Micro (the wife uses Norton); they both support halting of network traffic (which is what I select often if I don't need to be online and always when I'm not at the computer).

    4. Re:Should be standard on all laptops and desktops by bot24 · · Score: 4, Informative
      This isn't really good advice in my opinion; if your computer's security is ready for the 21st century it won't be a problem at all. The only reasons this may be a vulnerability you should care about are:
      • You are not running a firewall
      • Your firewall doesn't block access to unsecured services
      • Your firewall makes exceptions solely based on IP subnets
      The no firewall design is great if your computer is on a secured wired network that uses IPv4 networking. However, secured networks should be defined as having:
      • No unsecured wireless access points
      • No WEP secured wireless access points
      • No internet-accessible computers
      • No internet-exposed computers that may contract any form of malware
      • A system that ensures that computers may only be used by the intended user
      • No possibility of disgruntled workers or pranksters
      This effectively means that you should treat your local area network as you treat your internet connection unless you are only working on your personal home network consisting only of computers behind a network address translator, and exposing no services to the internet. With the coming of IPv6 network address translation should become less popular, and this method of securing your computers will become even more dangerous.
      Run a properly configured firewall on all your computers. Do not use services that do not require authentication or base their authentication off of IP subnets.
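
The third condition in the comment above (firewall exceptions based solely on IP subnets) can be checked mechanically. The following is an added example, not part of the original comment: the rule names, ports and addresses are constructed, and the rule format is hypothetical. It shows that a "local subnet" exception follows the interface onto 169.254.0.0/16 once the laptop falls back to a link-local address.

```python
import ipaddress

# Constructed rule set in a hypothetical format (not any real firewall's export).
# scope: "any", "local-subnet" (whatever subnet the interface is on), or "custom".
SAMPLE_RULES = [
    {"name": "guest-share", "port": 445, "scope": "local-subnet",
     "allowed": [], "requires_auth": False},
    {"name": "print-spool", "port": 9100, "scope": "custom",
     "allowed": ["10.0.0.0/8"], "requires_auth": False},
    {"name": "ssh", "port": 22, "scope": "any",
     "allowed": [], "requires_auth": True},
    {"name": "legacy-agent", "port": 5000, "scope": "custom",
     "allowed": ["169.254.0.0/16", "10.0.0.0/8"], "requires_auth": False},
]


def scope_admits(rule, iface, peer):
    """Return True if the rule's address scope lets `peer` through."""
    if rule["scope"] == "any":
        return True
    if rule["scope"] == "local-subnet":
        # The scope is re-evaluated against the interface's *current* subnet.
        return peer in iface.network
    if rule["scope"] == "custom":
        return any(peer in ipaddress.ip_network(c) for c in rule["allowed"])
    raise ValueError("unknown scope: %r" % rule["scope"])


def exposed(rules, iface_cidr, peer_addr):
    """Names of rules that expose a service with no authentication of its
    own to `peer_addr`, given the interface's current address."""
    iface = ipaddress.ip_interface(iface_cidr)
    peer = ipaddress.ip_address(peer_addr)
    return [r["name"] for r in rules
            if not r["requires_auth"] and scope_admits(r, iface, peer)]


if __name__ == "__main__":
    peer = "169.254.9.9"  # constructed: an unknown host on an ad-hoc cell
    for label, cidr in [("office DHCP lease", "10.1.2.30/24"),
                        ("link-local fallback", "169.254.17.3/16")]:
        print(label, cidr, "->", exposed(SAMPLE_RULES, cidr, peer))
```
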
    5. Re:Should be standard on all laptops and desktops by sulli · · Score: 1
      Good idea, except lots of companies block user config of wireless, even something as simple as turn on/off. So you end up with it on all the time.

      I have noticed this many times where my PC thinks some random access point is around, and says so, even when there clearly is none at all. It's quite odd.

      --

      sulli
      RTFJ.
    6. Re:Should be standard on all laptops and desktops by level_headed_midwest · · Score: 2, Informative

      Every computer can support halting of network traffic. Just right-click on the interface's monitor in the taskbar and hit "Disable" in Windows. In OS X, click on the wireless icon and select "Disable." In Linux, if you have Gnome's netapplet or network-selector installed, hit "Disconnect." If you have KInternet, right click and select "Hang Up." If you have none of those, type "sudo /sbin/ifdown eth*" where * is the number of your wireless, usually 0 or 1. You don't need any third-party program.

      --
      Just "gittin-r-done," day after day.
    7. Re:Should be standard on all laptops and desktops by Anonymous Coward · · Score: 0

      I detest that button on my Acer Aspire 3502. I was unable to get my wireless card working in Linux for weeks due to confusion created by that button, it can't be disabled because it's solid state and after I disassembled my laptop to clean up a hot chocolate spill it seems to have permanently disabled my wireless card.

    8. Re:Should be standard on all laptops and desktops by sconeu · · Score: 0, Troll

      My Toshiba Satellite has a physical on/off switch for the 802.11. I'd like to see any company block that in software.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    9. Re:Should be standard on all laptops and desktops by warrior003 · · Score: 1

      Yep, that's what I do when I see that there are only ad-hoc networks available. Actually I discovered this flaw a long time ago. When I am at university in a classroom that doesn't have wireless internet, I see many ad-hoc networks named with the university SSID.

  6. Hmmm by Anonymous Coward · · Score: 0, Flamebait

    This is very interesting. I had feared a situation like this for a long time and have always regarded the "Centrino" laptops as a problem for corporate security. But, to be fair, I have not seen this behavior as yet. Having managed dozens of laptops I have yet to see one assign a link local address. They always pop-up and ask if you want to connect to a detected Access Point(AP) but, telling them NO ends it there.

    Have I been blind or is there a bit more involved in this attack?

    1. Re:Hmmm by imaginaryelf · · Score: 2, Informative

      You have to try to connect, and FAIL, to be assigned a 169.254.x.y address.

    2. Re:Hmmm by gEvil+(beta) · · Score: 0

      Have I been blind or is there a bit more involved in this attack?

      From the description, it sounds like you'd need to take your laptop to either a very remote or a very shielded place (eg, no available APs anywhere near you) in order for this to work. The chances of two people having their laptops open with wifi enabled in such a situation are fairly slim (though certainly possible). Which is probably why this is only being discovered now.

      --
      This guy's the limit!
    3. Re:Hmmm by Mr+Z · · Score: 1

      How about an airplane? I see plenty of laptops open on airplanes.

    4. Re:Hmmm by Anonymous Coward · · Score: 0

      Actually, you get the 169.254.x.x address if you don't get a response from a DHCP server. You are already "connected" before you get that address.

    5. Re:Hmmm by jerkychew · · Score: 1

      I'm working at a conference in Vegas this week. I just set up 40 wireless networks for 1400 laptops. (Win XP SP1 and SP2) You're only partially incorrect.

      Windows will keep broadcasting its last SSID, looking for the network of that name. When it finds the network it's looking for, it will jump on the network automatically, without asking you.

      If it doesn't find that network, it will not give itself a 169.254 (APIPA) address, at least not on the surface. The interface will show up as "Media link disconnected" or whatever the term is. However, if it finds the SSID, but cannot get an IP, it will give itself an APIPA address.

      I'm guessing that you can sniff the name of the SSID that's being broadcast by the laptop, and then set up your own AP or whatever. At that point, the attacked laptop will give itself an APIPA address if it can't get an IP from your AP. I'm not really sure what the significance of the APIPA stuff is, since the SSID is the important part. I'd just set up a DHCP server on my attacking AP.

      Ok, back to rolling out networks.. :-)
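
The behaviour discussed in this thread (a preferred SSID reappearing as an ad-hoc or unencrypted cell, and the interface ending up on a 169.254.x.x address) can be flagged from scan data. This is an added example, not part of any comment above: the scan-line format, profile list and all addresses are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA / link-local range
Cell = namedtuple("Cell", "ssid bssid mode encrypted")
Finding = namedtuple("Finding", "code subject detail")

# Constructed scan output in a made-up "ssid|bssid|mode|encrypted" format.
SAMPLE_SCAN = """
corpnet|00:11:22:33:44:55|infrastructure|yes
corpnet|02:aa:bb:cc:dd:01|adhoc|no
linksys|02:aa:bb:cc:dd:02|adhoc|no
cafe|00:11:22:33:44:66|infrastructure|no
"""

# Constructed preferred-network list: what the laptop was configured to join.
SAMPLE_PROFILES = {
    "corpnet": {"mode": "infrastructure", "encrypted": True},
    "linksys": {"mode": "infrastructure", "encrypted": False},
}


def parse_scan(text):
    """Parse scan lines into Cell records; blank and '#' lines are skipped."""
    cells = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError("malformed scan line: %r" % raw)
        ssid, bssid, mode, enc = fields
        cells.append(Cell(ssid, bssid.lower(), mode.lower(), enc.lower() == "yes"))
    return cells


def audit(profiles, cells, iface_addr=None):
    """Compare visible cells with the preferred-network profiles.

    adhoc-twin: a preferred infrastructure SSID is being advertised ad-hoc.
    downgrade:  a preferred encrypted SSID is being advertised unencrypted.
    link-local: the wireless interface holds a 169.254.0.0/16 address.
    """
    findings = []
    for cell in cells:
        profile = profiles.get(cell.ssid)  # SSIDs are compared exactly
        if profile is None:
            continue  # not a network this laptop would try to join
        if profile["mode"] == "infrastructure" and cell.mode == "adhoc":
            findings.append(Finding("adhoc-twin", cell.ssid, cell.bssid))
        if profile["encrypted"] and not cell.encrypted:
            findings.append(Finding("downgrade", cell.ssid, cell.bssid))
    if iface_addr is not None and ipaddress.ip_address(iface_addr) in LINK_LOCAL:
        findings.append(Finding("link-local", iface_addr,
                                "no DHCP lease; peers on this cell are unvetted"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PROFILES, parse_scan(SAMPLE_SCAN), "169.254.17.3"):
        print(f.code, f.subject, f.detail)
```
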

    6. Re:Hmmm by Bretai · · Score: 1

      You're right on the mark. If the laptop had DHCP or a fixed IP address, he'd be in the same boat. A sniffer will see DHCP discovery packets or ARP requests, and the attacker will configure his machine accordingly. So the exposure of link local is irrelevant here, and by his own admission, well documented. It sounds like this tech writer is new to networking - wireless or otherwise.

      The only thing I would add is that when windows connects to the unsecured network automatically, "without asking you", that's because it did ask you when you first created the unsecured network on the wireless card, and the victim here must've said connect anyway. Bad decision.

      --
      Controlling complexity is the essence of computer programming. -Brian Kernigan
  7. Dont panic by Anonymous Coward · · Score: 5, Insightful


    FTA
    First of all, if you are running any kind of network firewall -- including the firewall that comes built in to Windows XP -- you won't have to worry about some stranger connecting to your laptop. In fact, I had to shut down my firewall for both of us to successfully conduct our test.

    it's one of those "if you have no firewall and ignore all the alerts and warnings and have filesharing enabled and have a wifi card set to auto DHCP and an attacker is targeting you specifically" flaws

    yawn, seems like much ado over nothing, you have more chance dropping and breaking your laptop than you have of being exploited by this "flaw" and if you go to Starbucks (and support their disgusting business model) you deserve everything you get

    1. Re:Dont panic by c_woolley · · Score: 1

      Couldn't agree more. The flaw isn't as major as people want it to seem, as long as there are semi-intelligent people involved. Even my 68 year old grandfather (who knows very little about computers) knows enough to stay away from this.

    2. Re:Dont panic by rbarreira · · Score: 2, Insightful

      and an attacker is targeting you specifically

      I don't think that's a requirement - couldn't a guy just listen for all SSID broadcasts and then connect to whatever PC he manages to fish?

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    3. Re:Dont panic by lseltzer · · Score: 1

      What you said. If you're vulnerable to any real compromise from this you probably got compromised long ago in some other circumstance.

    4. Re:Dont panic by mysidia · · Score: 2, Insightful

      It's one of those, ...they can make your connection pass through a 'transparent' proxy logging everywhere you visit, capturing copy of e-mail in transit over plaintext protocols, and possibly modify a file you download... flaws.

      Think you're downloading something from your OS vendor? (Silent file replacement by hacker attached to Wireless Access Point).... Oops!

    5. Re:Dont panic by Anonymous Coward · · Score: 1, Informative
      it's one of those "if you have no firewall and ignore all the alerts and warnings and have filesharing enabled and have a wifi card set to auto DHCP and an attacker is targeting you specifically" flaws

      Unfortunately, you just described the average Windows user.

    6. Re:Dont panic by cbiltcliffe · · Score: 1

      I haven't R'd TFA, but I see a problem with your logic already. If you've got the firewall set to allow Windows filesharing, then they'll be able to connect to your machine and get files off it. Similar for any other protocol for sharing files. It wouldn't take long to do a portscan of all 65,536 ports and see what responds in some way, rather than ignores you. Then you've got a starting point for some way to get into the target machine.

      That's the problem with most people's view of security. If there's one tiny little crack, somebody is going to hammer and chisel away at it until they get in. Then some smart hacker will write a tool to do it automatically, which will be downloaded by skript kiddiez the world over, and make it a much bigger problem.

      This is bigger than a tiny little crack. Admittedly, it's not a huge, worm-infested nightmare of a hole, but it's still there, which makes it a problem.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    7. Re:Dont panic by PurPaBOO · · Score: 1

      I hope that "by this", you mean Starbucks.

      :-)





      --
      If it weren't for the rocks in its bed, the stream would have no songs.
  8. Encryption? by joepeg · · Score: 5, Interesting

    What if the laptop's last SSID required WEP or WPA (and has it configured in a profile)? Will it still connect if _less_ security is required?

    --

    ZEN is a prime number in base-36

    1. Re:Encryption? by falter · · Score: 1, Informative

      This question was posed during Simple Nomad's talk... he stated that when the laptop reverts from Infrastructure mode (wep or not) to the adhoc mode w/ link local, WEP is disabled. So, even if you were using WEP on your last network, if you're in an area that is void of wireless networks for you to auto-attach to, you'll be broadcasting your last network SSID in adhoc mode, using the link local addresses, unencrypted.

    2. Re:Encryption? by hackstraw · · Score: 2, Insightful

      What if the laptop's last SSID required WEP or WPA (and has it configured in a profile)? Will it still connect if _less_ security is required?

      What difference does it matter?

      This would have to be a direct targeted attack on an individual or small group of individuals, but is still possible.

      Script kiddie situation:

      Sets up rogue WAP, and gives free internet connection to the laptop. All ssh and SSL or other encrypted channels goes through the free WAP.

      Advanced script kiddie situation:

      Sets up rogue WAP, and gives free internet connection to the laptop. The kid then has a number of popular local banks' website replicated _without_ SSL and resolves the DNS to a rogue bank site and snags username/password info. (Profit!!!) This could be as advanced as a transparent web proxy that does sed s/https/http/g;

      Super advanced and traceable and more expensive version:

      Do Advanced script kiddie situation, but buy real SSL certs and then snag username/passwords AND (Profit!!!)

      The last one is simply not worth the risk and complexity of buying bankofam1rica.com SSL certs, AND having to be physically close to targets without any trace. /me heads to coffee shop with WAP and PowerBook and looks for higher end Dells and Vaios.

    3. Re:Encryption? by XXIstCenturyBoy · · Score: 1

      No it won't, at least with SP2. My Compaq laptop runs XP and when I change my wireless network to remove encryption (because my Nintendo DS doesn't connect if it's enabled, but I live in the woods, so I don't worry much) Windows refuses to connect AUTOMATICALLY, even if I keep the same SSID. It will connect if I tell it to though (by clicking OK on a dialog that warns me that the connection is not secure and encrypted).

    4. Re:Encryption? by zbuffered · · Score: 1

      There are people who work on this very thing. Evil Twins are one of wireless networking's biggest vulnerabilities, and they're why I connect to unsecured WAPs and then immediately connect to my VPN with MS-CHAPv1 authentication disabled.

      You're right about the Man-in-the-Middle SSL attacks; getting your username and password is just the beginning, but it's a damn good start.

      --
      Synergy is your friend
  9. Security? by yobjob · · Score: 5, Funny

    Does anyone actually secure their wireless network? I actually have the problem that, on startup, my computer connects to my neighbour's wireless network instead of my own!

    1. Re:Security? by TubeSteak · · Score: 2, Informative

      I secure mine, my neighbor doesn't secure theirs, my whole freakin neighborhood is practically unaware of this "security" business.

      netstumbler + usb wifi (better reception) in any residential area will show you how little people know/care.

      As for your PC connecting to a network other than the one you want, you can tell windows which networks are "preferred" and they can be placed in order of preference.

      right-click on the network icon ---> status ---> properties ---> wireless networks ---> (the "use windows" box has to be checked) ---> preferred networks

      --
      [Fuck Beta]
      o0t!
    2. Re:Security? by Lxy · · Score: 4, Funny

      No they don't. True story:

      I bought a new wireless card for Christmas. I was working on getting the madwifi stuff working in Debian and I decided not to set up my AP until I had my wireless card working. Besides, I'm a n00b to wireless under linux so I wanted to take appropriate precautions.

      I got the card working, and iwlist brought up two APs in my neighborhood. One named "simpsons" and one named "zr45ytg" or something similar with WEP enabled. Not being 1337, I left the WEP one alone (for now) and decided to hop onto simpsons. As you can probably guess, I was given a private IP and internet access. A quick nmap showed two Windows machines connected, using smbclient I found an open printer share.

      Digging farther, I tried to log into the AP itself. Linksys WRT54G with, you guessed it, default passwords. Oh, let the fun begin! I changed his SSID to "0wn3d" and sent the relevant sections of the Linksys WRT54G manual to his printer. This guy now should know how to set up WEP and change his admin password. He should also notice that his SSID changed.

      One week later, still broadcasting an SSID of 0wn3d, no WEP, and default admin password. Either he didn't get the message or he's illiterate. Oh well, free internet for me!

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
    3. Re:Security? by TubeSteak · · Score: 2, Funny

      Here's the complete text of War and Peace

      Try printing that out and see if he doesn't notice.

      --
      [Fuck Beta]
      o0t!
    4. Re:Security? by ettlz · · Score: 1

      I do. If you've got a Linux box that's always on and hardware that supports it, there's no excuse for not having WPA Enterprise with EAP-TLS.

    5. Re:Security? by David+Horn · · Score: 5, Insightful

      And suppose he doesn't want to have to worry about securing his wireless network if all he uses it for is checking the news on his laptop? Little scroats like you who think it's helpful to mess around with other people's equipment should be shot.

      If you're capable of doing that, why didn't you just print off something telling him his network was unsecure, include your phone number and offer to go over and sort it out for him? Let me guess, you're about 13 years old?

      I'm unfortunate enough to have one of those WRT54G access points, and due to a hardware flaw I can't run it with WEP *OR* WMA *OR* MAC filtering. I need to get a replacement, but right now I don't have the time to sort it out. So it's unsecured (but I did change the admin password.)

      What you need to do is try to help other people, rather than lord it over them. This is why anyone that works in IT is treated like shit, because end users assume we hate them and won't do anything to help.

      Get a life, and to hell with my karma.

      --
      PocketGamer.org - For the gamer on the go!
    6. Re:Security? by kevinl · · Score: 2, Interesting

      He shouldn't be connecting to his neighbor's open network at all. Would you stroll into your neighbor's house if you found a door left ajar?

      Printing your name and phone number is just as wrong as printing instructions for securing the network, and is way dumber. There are lots of people in the world who are going to consider this an intrusion, and report it to law enforcement. Do you really want a visit from the police as thanks for your "helpful" offer?

      If you find an open network, leave it alone. If you feel you must help, use the signal strength to determine which neighbor has the open access point, and make a personal visit. But don't be surprised if you get told to mind your own business.

    7. Re:Security? by cortana · · Score: 1

      That's all well and good, until a terrorist or child pornographer uses your connection to do something that will get you into trouble.

    8. Re:Security? by spacefight · · Score: 1

      Not in any. In my area, I see up to 7 Networks, all of them are protected.

    9. Re:Security? by vsync64 · · Score: 1

      Why? By leaving it open they are following standards to tell me that they are kindly allowing me to use their network. I do, with thanks if I know whose it is.

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    10. Re:Security? by defaria · · Score: 0, Troll

      Leaving your wireless network flat open is stupid. You deserve what you get. Others are under no obligation to inform you of your stupidity and printing the relevant sections of the manual is akin to "A word to the wise". I'm sorry you were not able to figure out how to enable the proper security for your network card and that you were still stupid enough to use it unprotected. As for treatment of IT people, there are far too many stupid and lazy people out there to teach them all how to crack a book once in a while but it does pay the bills - quite nicely I might add. However I've figured out long ago that dealing with idiots and morons who never bother to take the time to learn how to use the sophisticated piece of hardware and software that their company places on their desks is not one of the better paying positions in IT. So I deal with people who know what they are doing and who have much more complex problems and are willing to pay well into the 6 figures for somebody who knows how to solve their problems. I've long ago passed the helping the stupid exec who cares more about their office location, what people are wearing and what title they have managed to obtain while the company is managing to pay him less than 6 figures. Helping him learn the difference between capturing just the image of the active window and capturing the whole desktop and why that's a waste of resources when all that is required is the one line error message itself, is a waste of time!

    11. Re:Security? by defaria · · Score: 1

      Yes us smart people do. We can't help what you stupid people do however (but we can exploit it!)

    12. Re:Security? by user32.ExitWindowsEx · · Score: 2, Insightful

      WTF are you smoking? how the hell can you conclude that leaving a network open creates an implied "use me" policy?

      last time i checked, you have no right to be on a network (wired or wireless) unless you have been explicitly granted permission by a person in a position of authority over said network. just leaving the network open is not a grant of permission.

      --
      "Evil will always triumph because good is dumb." -- Dark Helmet
    13. Re:Security? by Anonymous Coward · · Score: 1, Funny

      Oh crap, I guess I should stop using the internet then!

    14. Re:Security? by TerranFury · · Score: 2, Interesting

      > WTF are you smoking? how the hell can you conclude that leaving a network open creates an implied "use me" policy?

      If things like public municipal WiFi are to take off, we can't have that point of view.

      Let's say I'm the city of Philadelphia and I want to put free WiFi in the parks. If there's a legal precedent that says you're not allowed to use WAPs you stumble across, then this idea will never take off.

      Or what if we want WiFi to become a truly open broadcasting medium? What if I want to stream my own MP3s to whoever is nearby who might care? This vision of the future can't happen with implied non-permission.

      The problem is the "breaking-and-entry" metaphor we've been using. What we're talking about is radio communication. CB operators have never had an expectation of privacy, nor have HAMs. Unless there's an explicit lock -- it doesn't even need to be cryptographically secure; it just needs to send the message "you do not belong here" -- then I think we need to use the same assumptions we use for other radio communications.

    15. Re:Security? by Anonymous Coward · · Score: 0

      So somebody checking news on their laptop means they should feel okay that they've left a wide open AP on their internal network? Anybody buying computer equipment should read the manual. If they don't have the skills or ability to configure it properly then they should find somebody who can.

      Hardware flaw? WTF are you going on about? Every version of the WRT54G released will work with WEP at a minimum. If it doesn't then you're not doing it properly.

      You're a PHB idiot, a troll or both together.

    16. Re:Security? by Arthemys · · Score: 1
      I'm sorry but I have an issue with this train of thought.

      Access points that are intentionally not secured with filtering or encryption, AND are meant for municipal access usually if not always are made obvious via its SSID.

      Granted there are beyond a ton of unsecured APs in this world, you should just keep your nose in your own business, and not connect willy-nilly to any free/open AP.

      Finally, there will never be any legal precedent over "not connecting to APs you stumble across" as the 802.11x spectrum requires no licensing. So don't gripe about that.

    17. Re:Security? by Anonymous Coward · · Score: 0

      Excellent post. A more relevant analogy would be finding an open web server. If the website has no authorization mechanism, you have implied authorization to connect and download whatever you want. That's how permission is granted on computer networks -- through automated computer interfaces, not in person or in writing. The Internet would be 1% as useful as it is today without this policy. An AP associating with you and granting you a DHCP lease constitutes permission to connect.

      BTW, encrypted transmissions are illegal under FCC regulations on CB and amateur bands.

    18. Re:Security? by YrWrstNtmr · · Score: 2, Informative
      A public park, with an unlocked gate - free and open for all to use
      A private house with an unlocked door - Not free and open for use, stay the hell out.

      An AP that is meant to be open is fine. That's what the owners/administrators intended. A private AP in someone's house is not necessarily open for all to use. It may be, if that is what the owner intends. But just because it is unsecured is not necessarily an invitation or permission to use it.

    19. Re:Security? by level_headed_midwest · · Score: 1

      I secure mine, and about 8 out of the 14 I see (incl. mine) are secure. I use Linux, so my card will only connect to the SSID I tell it to- it will never scan. And since I have it set on DHCP, the interface will never become activated unless it manages to find a network with the same SSID and WEP key as mine and gets a DHCP address. It will not give itself an IP automatically like the Windows machines.

      --
      Just "gittin-r-done," day after day.
    20. Re:Security? by zbuffered · · Score: 1

      A private house with an unlocked door - Not free and open for use
      When you broadcast your messages onto my property, does that not change things? If I simply fail to discard the messages you send within earshot, am I at fault? Yes, passive listening is different than active communication, but if we can listen, and you can broadcast messages from your private property to my private property without a problem, why can I not respond?

      --
      Synergy is your friend
    21. Re:Security? by PitaBred · · Score: 1

      The electromagnetic spectrum from his AP is being broadcast into my house. If he doesn't want me using it, he shouldn't be sending it to me, especially unprotected.
      /devil's advocate

    22. Re:Security? by dhruvx · · Score: 1

      lol. better set up WPA or at least WEP ( 128 bit ). I've secured my wifi network with WPA but the problem is that WPA can also be broken with just 4 packets. It's difficult but not impossible.

    23. Re:Security? by bhawbaker · · Score: 2, Informative

      the pita bread you are cooking, i can smell it all the way over at my home... by your logic, i guess i can just head over and eat your pita bread when you leave it at window sill for cooling ?

      i can smell you smoking out in my back yard.. i guess i'll come over and take away some of your cigs to smoke

      light strays from your living room is entering mine.. i guess i'll read my newspaper in your living room

      you are watering your grass and it is leaking into my yard.. i guess i'll use your hose to water my grass

      try again

      bob

    24. Re:Security? by cbiltcliffe · · Score: 2, Insightful

      the pita bread you are cooking, i can smell it all the way over at my home... by your logic, i guess i can just head over and eat your pita bread when you leave it at window sill for cooling ?

      That involves you going to get something, trespassing on your neighbour's property at the same time. Wireless is sent to you, in your house. Not the same at all. It would be closer to you being allowed to sit at your window and smell your neighbour's cooking to your heart's content. The smell is being "broadcast" (wirelessly, I might add!) to your house. You can do what you want with it.

      i can smell you smoking out in my back yard.. i guess i'll come over and take away some of your cigs to smoke

      Yet again, involves you going onto your neighbour's property. You need permission for that. You don't need permission to use something your neighbour puts into your house.

      light strays from your living room is entering mine.. i guess i'll read my newspaper in your living room

      Trespassing again. How is this even remotely the same, again? If you wanted to read your newspaper on your own lawn by the light coming from your neighbour's living room window, there'd be nothing they could do about it.

      you are watering your grass and it is leaking into my yard.. i guess i'll use your hose to water my grass

      For a start, why bother? If your neighbour is already leaking water onto your lawn, you have a perfect right to use what he leaks to water your grass. It's already happening, and you don't need to do anything. Trespassing on your neighbour's property to bring his hose over to your lawn is different, as it involves you leaving your property. The water that he's leaking onto your lawn, though, is free for you to use. He can't exactly say "You can't use my water leakage to water your lawn! If you do, I'll report you to the cops!" Why should he be able to do that with his leaking wireless signal? This point of yours does more to disprove your point of view than prove it.

      try again

      Yes, maybe you should.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    25. Re:Security? by Anonymous Coward · · Score: 0

      Hardware flaw crippling everything except access? Wow, what did you do, put it in a bucket of water?

    26. Re:Security? by vux984 · · Score: 2, Informative

      Because they are not being broadcast into your private property. They are being broadcast within his own private property and spill over into yours.

      If your neighbor calls out to his kids in the yard that it's dinner time, and you can hear him from your yard would you show up at his table ready to eat? After all, "it was a clear invitation for dinner broadcast into your private property" right? Your neighbor wasn't speaking in code, and his door was unlocked too.

      Perhaps your neighbour ought to install some sort of sound dampener -- say a 20ft tall concrete wall, at the border between your yards to ensure you don't get confused? Perhaps with a lead sheet inside to keep his radio waves from entering your property too?

      Communication not intended for you ought to be ignored by you. Common courtesy and all that.

    27. Re:Security? by Skeld · · Score: 1

      A neighbor of mine has been connecting to my unsecured wifi. He's usually connected to a secured AP I can see, but if I deauth him or just wait long enough with my AP up and open, he ends up back on mine.

      Two days ago I started a man in the middle attack (http://www.crimemachine.com/Tuts/Flash/SSLMITM.html). I control the AP, so it's easy. He hasn't gone anywhere interesting yet, and I haven't gotten any passwords, so this is far from a successful hack. It's more of a cautionary tale.

      You really can't assume there's a noob on the other end of that open wifi.

    28. Re:Security? by Anonymous Coward · · Score: 0

      Or, just as likely, they may not know much about technology. They just want to plug in the wireless router and surf the net. They probably don't know what "0wn3d" means either.

    29. Re:Security? by kadathseeker · · Score: 1

      He _did_ print the security sections of the manual for the guy. He just changed the name to make him notice and had the solution sitting right next to it. It's not like he started loading horse porn and bragging messages all over his pc.

      --
      The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
    30. Re:Security? by lachlan76 · · Score: 1

      And a private house with the door held open and a sign in front saying "COME IN!"?

    31. Re:Security? by sparkz · · Score: 1

      Using the neighbour's WiFi kit is potentially modifying his property (changes to access logs, traffic counts, etc). That is unauthorised use of a computer system. Whether technically easy or not, it is unauthorised.

      --
      Author, Shell Scripting : Expert Re
    32. Re:Security? by isorox · · Score: 2, Funny

      This is why anyone that works in IT is treated like shit, because end users assume we hate them and won't do anything to help.

      Well, to be fair...

    33. Re:Security? by Anonymous Coward · · Score: 0

      Windows keeps track of the previous wireless networks you have connected to. If you view your wireless network connection properties and select the wireless networks tab, you can then change the order of which networks windows will try to connect to under the preferred networks section.

    34. Re:Security? by Anonymous Coward · · Score: 0

      Same reason you can't tap into a neighbor's cable, phone or power... The lines might easily run through your yard but that doesn't give you the right to use them-- in fact it's illegal to do so, and if it's not illegal to use someone else's wireless network yet it will be so soon.

      Need another example? If the postman, UPS guy or newspaper boy delivers a check, package or magazine to your house by mistake that doesn't mean it's yours to use or keep.

      Or another? Say your neighbor is an exec at a major corporation and you happen to overhear one of his conversations. Think that means you have the right to buy or sell stock based on that information?

      Part of living in a community is accepting that our lives and our "stuff" have to overlap. Owning a piece of property doesn't give you complete autonomy over everything that passes over, under and through your little kingdom.

    35. Re:Security? by Vegeta99 · · Score: 1

      Precisely.

      It's kind of like me standing in my backyard and asking for someone to make a phone call for me. But before I even get to ask, someone else shouts that they'll even give me my own phone number for people to call me back on!

      It's your machine, if you don't want it to behave in its default way (that is, to provide services to anyone), then CONFIGURE IT NOT TO.

    36. Re:Security? by metallic · · Score: 1

      You are still illegally accessing a private network. With your same logic, if the FBI had an unsecured WAP on their network in Quantico, you would be perfectly justified to snoop around. The only problem is that I doubt the FBI would see it that way.

      --
      Karma: Positive. Mostly effected by cowbell.
    37. Re:Security? by snoredog · · Score: 1

      I think that this is the best post I have read so far about the topic. Say you want to wash your car. Your neighbor has spigot and water hose close to your driveway and your water hose has a hole in it. Would you: A: Just walk on over and turn the water on and start washing your car? B: Go and ask if you could use it? What's the ethical thing to do?

    38. Re:Security? by bhawbaker · · Score: 1

      That involves you going to get something, trespassing on your neighbour's property at the same time. Wireless is sent to you, in your house. Not the same at all. It would be closer to you being allowed to sit at your window and smell your neighbour's cooking to your heart's content. The smell is being "broadcast" (wirelessly, I might add!) to your house. You can do what you want with it.

      And hopping onto your neighbor's wireless base is not trespassing ? If your neighbor is broadcasting and you can hear the packets, go ahead and listen to it. Hopefully your neighbor is smart enough to use encryption somewhere such as HTTPS, WEP, SSH, etc to prevent you from knowing what is being said. However, logging onto someone's open base, is trespassing too since you are "physically" logging onto their hardware.

      bob

  10. RTFA - Nothing to See . . . Move Along by Anonymous Coward · · Score: 5, Insightful

    O.K. Folks, if you program your Linux laptop to connect to an ad-hoc network and broadcast SSIDs, this behaviour is going to occur on Linux too.

    This isn't just an MS Windows flaw . . . it is a flaw in the way that the administrators (users) manage the machines.

    I wish you all would quit pointing fingers. This isn't some kind of new thing.

    1. Re:RTFA - Nothing to See . . . Move Along by Fnord666 · · Score: 5, Insightful

      The point is that you would have to program your Linux machine to behave like this whereas the Windows machine comes configured this way by default.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    2. Re:RTFA - Nothing to See . . . Move Along by sn0wflake · · Score: 1

      With Linux you have to program anything anyways.

    3. Re:RTFA - Nothing to See . . . Move Along by TheLink · · Score: 1

      Uh that's just because most Linux distros aren't "easy" enough for Joe Average yet. Once they start getting easy to use you'd probably see the same thing. Making things easy AND secure is sometimes possible, but usually hard.

      But how is this behaviour a flaw anyway? I don't get it.

    4. Re:RTFA - Nothing to See . . . Move Along by aaronl · · Score: 1

      What user is going to want this feature? I would be hard pressed to find a single person that makes use of this function. To make it worse, Windows doesn't tell you that the machine is doing this, and you can't turn it off without disabling wireless entirely. It might sound nice, in theory, and you might think it would be used... but consider: how many people actually used IrDA. MS did the same thing with autodetection and configuration using it, but very few people cared.

      This is another stupid mis-feature from Microsoft. It isn't new, in that MS has had it since they included wireless networking support. However, this flaw is sort of specific to MS, in that they were the only ones foolish enough to implement it.

    5. Re:RTFA - Nothing to See . . . Move Along by numatrix · · Score: 1

      Not only is it not a new 'feature', but it's not a new reporting of it either.

      Dino and K2 demonstrated this and some other fun quirks that can be abused in windows wifi selection process (including getting a windows laptop to associate without wep even if it's supposed to be on). I can't find the slides handy, but here's a summary:

      http://blog.ncircle.com/archives/2005/05/cansec_west_day_3.htm

    6. Re:RTFA - Nothing to See . . . Move Along by RobertLTux · · Score: 1

      odd with any distro released in the last 3 months (or so) you should be able to

      1. connect any devices that present as a "mass storage device" and have a 50% chance they are auto mounted (and will show up as sd? even if they aren't automounted)
      2. use 3/4 of the wired network cards running about (not counting cards that aren't functioning in any OS)
      3. use 1/2 of the wireless network cards (possibly with a native driver but..)
      4. use 80% of video cards (not counting cards that came out 6 months ago)

      the tools are out there (results may vary but..)

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    7. Re:RTFA - Nothing to See . . . Move Along by Nosnam · · Score: 0

      Before you go contradicting a thread that says "RTFA" perhaps you should RTFA. Windows is not configured like this by default. You have to disable the built in firewall, which is on by default.

    8. Re:RTFA - Nothing to See . . . Move Along by Anonymous Coward · · Score: 0

      You allude to the point, My Dear! In windows 95 You had to configure wireless connections as infrared. Since Windows 2000 this wireless connection can be pre-installed. In most cases it's even in later versions as XP - there are variants of - not the case. You make the valid example with the laptops! And now to Linux. There is such a risk too! Example: NewsFeed and UpDates have a strong tendency to spy and connect You wireless. I could You give CorporationNames which want at any price have a hidden connection (including a wireless one).

  11. What?! NO! by mike518 · · Score: 3, Funny

    Another Networking Flaw? Damn, i mean the first 74 were completely predictable, but i have to say this one caught me completely off guard. You win this round malicious hackers *shakes fist into air*.

    --
    Mike
    I heart the RIAA & MPAA, im sure its mutual...
  12. I'm sorry, this is old info by dangermen · · Score: 4, Informative

    This is old info and has been known for a while. Anyone having used Kismet or some other sniffer at a public place has seen this.

    1. Re:I'm sorry, this is old info by archen · · Score: 1

      Yeah, I don't see what the news is here. I mean I read that XP would broadcast the SSID at least 2 years ago. Anyone familiar with windows networking knows the network windows defaults to if it cannot obtain a DHCP lease. This vulnerability is like an aha moment when someone puts 2 and 2 together. It also requires that the firewall is down and filesharing disabled. Doesn't seem to mention that if the firewall is down and filesharing is disabled that you can do the same thing OVER THE WIRE if the machine cannot obtain a DHCP lease.
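An added illustration, not part of the thread or any poster's code: a check for the fallback discussed above, where an adapter that cannot obtain a DHCP lease assigns itself a 169.254.x.x address. The sample text is constructed and laid out like `ipconfig /all` output; the adapter names and field labels in it are assumptions.

```python
import ipaddress
import re

# IPv4 link-local range used for self-assigned addresses (RFC 3927).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample, laid out like `ipconfig /all` output (labels assumed).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.77.10
        Subnet Mask . . . . . . . . . . . : 255.255.0.0

Ethernet adapter Bluetooth Network:

        Media State . . . . . . . . . . . : Media disconnected
"""

# "<type> adapter <name>:" starts a section; indented "key . . . : value" lines follow.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")


def parse_adapters(text):
    """Return {adapter section name: {field label: value}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return adapters


def link_local_findings(text, wireless_hint="wireless"):
    """List adapters that hold a self-assigned 169.254.x.x address."""
    findings = []
    for name, fields in parse_adapters(text).items():
        for key, value in fields.items():
            if "ip address" not in key.lower():
                continue
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # value is not a parseable address
            if addr in LINK_LOCAL:
                findings.append({
                    "adapter": name,
                    "address": str(addr),
                    # Name-based guess only; the wired case matters too.
                    "wireless": wireless_hint in name.lower(),
                })
    return findings


if __name__ == "__main__":
    for finding in link_local_findings(SAMPLE):
        print(finding)
```
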

  13. String quartet? by julesh · · Score: 3, Informative

    Loveless then created an ad hoc network with the same name, and told his computer to go ahead and connect to "hackme." Viola!

    Violin! Cello!

    Seriously, though, TFA doesn't seem to say quite the same thing as the summary. The demonstration the reporter saw involved him setting up an ad-hoc network, and then the security researcher was able to connect to it. Err... that's how it's supposed to work.

    The article then goes on to assume that this will happen when you connect to access points and then leave them, but you don't usually set up an ad hoc network for that process. Has he just got something wrong? Missed a step out or something? Is there a URL for a technical level article on this flaw?

    Should you at a later date happen to open up your laptop in the vicinity of another Windows user who also had recently gotten online at Starbucks, those two machines may connect to each other without any obvious notification to either user

    You mean other than the big speech bubble thing popping up and saying "Wireless Network Connection now connected to T-MOBILE"?

  14. Useless functionality.. by Ckwop · · Score: 3, Insightful

    This is a common security problem: useless or rarely used functionality. As I've said before, functionality sells whereas security doesn't. Spend a million dollars on functionality and you (hopefully) get a product that can sell for more money. Spend a million dollars on security and you have almost nothing tangible to show for it.

    Before this article, I didn't even know that "link local" thing existed. I'm guessing that this is probably quite representative of the Slashdot crew. The question, then, is why on earth is it on by default and why is it even there in the first place?

    This is not just a Microsoft issue, this is an issue that applies to nearly every computing project. I was recently playing with Knoppix and two things struck me:

    1. Holy shit, out of the box you can actually do real work with this software.
    2. Holy shit, I have three different products that do exactly the same thing. That's a lot of surface area for attack.

    My parents got a new HP computer a month or so ago and I've just gotten round to doing a proper security shake-down on the XP box. I was surprised to find the Python runtime on the computer. Most of you would say, so what? Or perhaps, even applaud HP for doing this. From a security perspective, I think it's downright silly. What possible use could my parents have for the Python runtime? Absolutely none. They'll be running Open Office, Gmail and iTunes till the cows come home so all this does is open another vector for attack. Don't install stuff on computers that your customers will likely never need.

    Of all the pieces of software out there at the moment, Windows XP is the most frustrating. In terms of security, XP should completely out-class Linux/Unix in every metric of measurement. Instead, it's the most disease ridden piece of shit ever conceived by humanity. It's a shame because it could have set a really high standard for everybody in the industry but through a choice of poor defaults they condemned their own product to be a liability to CTOs everywhere. If they'd had some sense, they would have chosen defaults like this:

    1. This is an obvious one: Users should not run as administrator by default.
    2. Software Restriction Policies should be on by default - in both XP Pro and XP Home
      • Everywhere should be marked "No-Execute" except for C:\Program Files and C:\Windows.
    3. The user should only be able to write to their user directory structure by default. Everywhere else should be read-only.
    4. The Windows Scripting Host should not be installed by default.
    5. ActiveX should be off by default in IE.

    I haven't got any figures on how many viruses/malware this configuration would stop but I imagine it's somewhere in the region of 99%. If Microsoft had taken the time to consider the platform in a more paranoid sense they could have produced a product of barn-storming quality. Instead, they listened to the marketing people and we all know what result that led to.

    Simon

    1. Re:Useless functionality.. by etrnl · · Score: 1

      If ActiveX was off by default, how would people use Windows Update?

      I'm not disagreeing with you in general, but on that point, I can definitely see why they'd leave it on by default.

    2. Re:Useless functionality.. by Ckwop · · Score: 3, Insightful

      If ActiveX was off by default, how would people use Windows Update?

      Simple! Change Windows Update! Why should Windows Update be a web-application anyway? Actually, It's damn scary that it's a web-application. Doesn't it strike you as odd that a web-application can so thoroughly inspect your system to determine your patch-level on a whole host of products?

      There is no excuse for ActiveX being on by default and the proof of Microsoft's commitment to security will come with the launch of Internet Explorer 7. If it's still on by default in their latest version then we know their grand security initiative was nothing but hot air.

      Simon

    3. Re:Useless functionality.. by Anonymous Coward · · Score: 0

      I've seen worse. In Japan, NEC install Apache and a streaming media server app onto their laptop, of course running by default.

    4. Re:Useless functionality.. by Anonymous Coward · · Score: 0

      It's offtopic, but python is included in OpenOffice 2.0. Even on the linux distros where python is almost always in the box already, OO.org includes python.

      Weird.

    5. Re:Useless functionality.. by ilyanep · · Score: 1
      1. The problem with Windows is that you can't do anything in a limited account. At least in Linux you can do stuff with non-root accounts (such as install programs), which is why you don't go in there ever (since you can set super user mode on command line and do it that way). Some software makers go as far as to tell you to login to an admin account, and disable your anti-virus and firewall!!!
      2. This makes sense and marking all but certain directories no-execute would be a wondrous idea! However, personally I use E:/Games, C:/Games, and E:/Program Files as well, so I'd want to be able to configure it
      3. So basically the Linux ownership system. Another good idea, but needs a changing of Windows core code, such as #1
      4. Makes sense
      5. There are so many things MS could do with IE to make it more secure such as not including it*.


      6. Overall, you present very interesting points there. I wish you were the one working for Microsoft Security.

        Why must buy an Operating System only to be forced to download patches every week until its support cycle ends (after which we get the same exploits, just no patches)?
      --
      ~Ilyanep
      To get message, take amount of carrier pigeons at each stage mod 2. Then decode binary.
    6. Re:Useless functionality.. by Jamesday · · Score: 2, Insightful

      You can create custom security zones which don't show up in IE. Those zones are site-specific and could configure just the Windows Update site to have access to ActiveX. Microsoft could ship Windows with such a zone set up.

    7. Re:Useless functionality.. by Anonymous Coward · · Score: 0

      oh shut the hell up. You are yourself the perfect example of useless.

    8. Re:Useless functionality.. by sqlrob · · Score: 1

      Why should Windows Update be a web-application anyway?

      I'm not entirely sure that it is. The service must be running for the updates to happen.

    9. Re:Useless functionality.. by hackstraw · · Score: 1

      Spend a million dollars on security and you have almost nothing tangible to show for it.

      Lose a million dollars, and you wish you had done things differently.

      Security is directly proportional to the stuff you are securing. I don't put a chain and padlock on my wallet, because it is rare that there is $50 in it, and my drivers license and work IDs are more valuable than that to me.

      When the Brinks truck comes by work to pick up and deliver the cash to the bank, they have a big strong truck and a guy or two with shotguns. Hmm. Fort Knox has an army base next to it. Dunno if anything is in there or not.

      Of all the pieces of software out there at the moment, Windows XP is the most frustrating. In terms of security, XP should completly out-class Linux/Unix in every metric of measurement. Instead, it's the most disease ridden piece of shit ever concieved by humanity.

      Yup. Yes, I'm an apple fanboy, but for a reason. OS X has remote access via file sharing and ssh. It also comes with a web server, and I guess other stuff, I don't use my personal computers as a server. I splurged, and turned on file sharing on my home Mac so I could easily DND files from my PowerBook to it from time to time. Mostly "stolen" music I snagged while at work.

      So I turned on file sharing, and here is the damage to my system:

      netstat -an | grep LISTEN
      Bullshit lameness filter is lame. It opens up ports 427 and 548.

      I'm behind my wireless router's firewall. After turning on file sharing, look at this:

      Other Macintosh users can access your computer at afp://192.168.2.175/ or browse for "My excellent's iMac G5" by choosing Network from the Go menu in the Finder.

      The "My excellent's", is actually my real name, I'm not going to put that here.

      I'm broadcasting my IP address! Hmm, it's a private one.

      Not too tough for an "advanced feature", and it's even secure by default. I'm limited by someone hopping onto my WAP, AND brute forcing my username and password.

      It's not going to happen, and if it did, I hope the person does not delete all of my free music.

      I wouldn't use a WAP if I was worried about anything. A simple firewall box would be more than sufficient.

      Other computer systems leave these advanced features on by default, and make it more difficult than clicking on a checkbox to disable it.

    10. Re:Useless functionality.. by toadlife · · Score: 1

      "# The problem with Windows is that you can't do anything in a limited account. At least in Linux you can do stuff with non-root accounts (such as install programs), which is why you don't go in there ever (since you can set super user mode on command line and do it that way). Some software makers go as far as to tell you to login to an admin account, and disable your anti-virus and firewall!!!"

      Windows doesn't force you to do anything of the sort. I've been running my Windows machines as a limited user for years. There are many things MS could have done to make it easier though. The reason companies write software that doesn't install or work well for limited users is not because it's hard to do, but because Microsoft never forced the issue by making users limited users by default. They went for compatibility over security, and hoped that all of the software developers would start writing their programs to work with the Windows' security model.

      "So basically the Linux ownership system. Another good idea, but needs a changing of Windows core code, such as #1"

      No changes to the Windows core code would be needed for this. Limited accounts are already pretty much restricted to writing to their home dir.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    11. Re:Useless functionality.. by fermion · · Score: 1
      The problem is that in a GPC one does not know what the useless or rarely used functionality is. That is why it is general purpose. For instance, for years I had no use for a cigarette lighter, but now it is repurposed as a power source, I am glad that it was not removed.

      So how do we approach building a GPC OS? With MS it is putting all the functionality at the OS level so that users can have guaranteed access, and then work to secure the system. On *nix, it is to have a large group of utilities, install a small base, and then educate users on what they need to add, perhaps with warnings about those that are installed or removed at some significant cost.

      The problem with MS and some *nix is that the defaults are ruled by user experience, not by security. This means that everything gets installed, everything is wide open. When the pendulum swings, we get distracting messaging about the fact we are trying to do some work, and perhaps we do not want to do the work.

      So, in the end it still comes down to some basic decisions. What is going to be considered basic in the OS. How much security can the business plan take, and how much must you force the user to leave open so that the customer can be monetized. How much flexibility in final configuration should be allowed, and how open should the system be to third-party applications.

      The bottom line, as always, is that if money cannot be made, then neither should the product. This is very clear with the ActiveX thing. Windows Update uses ActiveX so that every Windows computer has to have it on, so that developers can feel confident using this nonstandard web technology.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    12. Re:Useless functionality.. by toddestan · · Score: 1

      Simple! Change Windows Update!

      Actually, they wouldn't have to do anything. Enable automatic updates by default, and let automatic updates take care of everything. The people savvy enough to use Windows Update can probably enable ActiveX for microsoft.com.

    13. Re:Useless functionality.. by RemovableBait · · Score: 1

      Some software makers go as far as to tell you to login to an admin account, and disable your anti-virus and firewall!!!

      Electronic Arts is particularly bad at that. They produce software that not only requires Admin rights to RUN, but interferes with Antivirus software. Back when I used to run Norton, The Sims would crash on loading. The official answer from EA's Tech Support? Disable Norton and try again. Funnily enough, it works. Now, a company like EA which produces games, has a responsibility to provide software that does not interfere with security software and to provide support advice that does not open up security holes. Especially when the user can't see the holes being exploited from behind a full screen game...

    14. Re:Useless functionality.. by Daltorak · · Score: 1

      Microsoft *has* changed Windows Update in Vista so that it is no longer a web application. Here, I took a screenshot of this for you.

      Microsoft *has* disabled the execution of any ActiveX by default in Internet Explorer 7, too. Do some basic research (hint: google "ActiveX IE7") and you can learn more about it.

      Does this satisfactorily address your concerns?

    15. Re:Useless functionality.. by NutscrapeSucks · · Score: 1

      Except the big security issue with IE is that the security zones tend not to work properly.

      Furthermore, it would be totally unrealistic to ship IE with no ActiveX support, just like you would never want Firefox with no Plugin or Extension support -- too much useful stuff plugs into the browser .. and ActiveX is IE's plugin interface.

      However, what MS could do is completely remove the Package Download & Install feature. You could still go to Windows Update (etc), but you would need to install the WU software from outside of the browser.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    16. Re:Useless functionality.. by Curmudgeonlyoldbloke · · Score: 1

      > If ActiveX was off by default, how would people use Windows Update?

      With Windows XP you'd have the "autoupdate" and "bits" services running all the time, and you'd have automatic updates set to download and install updates automatically. No need to browse to http://windowsupdate.microsoft.com/ - just click "yes to reboot now" when prompted.

      This is what MS intended, and for someone with no idea what updates are (never mind what a particular update is for), it probably makes sense - same as it makes sense to control what your computer connects to and when if you know how to.

    17. Re:Useless functionality.. by pboulang · · Score: 1
      Oh, has Vista been released? Has it gone gold so you can be so arrogant in your reply? Just because something is currently sane doesn't preclude a last minute decision to change the default behavior for some asinine reason.

      However, more interesting is that both of these features/configurations can pretty easily be put into XP via windows update, yet MS has just about ZERO motivation to. They are probably clapping their hands wildly with all the holes being mentioned as it will be a motivating factor for people to shell out more cash for Vista.

      --

      This comment is guaranteed*

      *not guaranteed

    18. Re:Useless functionality.. by cbiltcliffe · · Score: 1
      Microsoft *has* changed Windows Update in Vista so that it is no longer a web application. Here, I took a screenshot of this for you.
      Just because it doesn't run in a regular IE window, doesn't mean it isn't a web application that's running in IE. Here, take a look at these:

      http://www.zdnet.com.au/shared/images/tandb/avant_546x437.jpg
      http://www.informanews.net/imagenews/avant-browser.jpg
      http://www.softpedia.com/screenshots/Avant-Browser_2.png

      Do any of those look like Internet Explorer? No? That's because they're not. They're screenshots of Avant, which uses the IE engine to render HTML!!

      That Vista update screen could look just the same way, but be an HTML page rendered by IE.
      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    19. Re:Useless functionality.. by Daltorak · · Score: 1

      It's not. I checked. There is no ActiveX control in Vista for Windows Update. Those pages are part of a control panel applet now; it gets its information about available updates by calling a web service, exactly the same way that the Automatic Updates client in Windows XP gets its information.

      It's changed, okay? Save yourself the embarrassment and come around to this line of thinking -- it's the way it is in Vista. Posting screenshots of Windows XP is completely irrelevant to a discussion about how the technology works in Vista. COMPLETELY irrelevant.

      You are, of course, welcome to try it out for yourself and confirm the technical accuracy of what I'm saying instead of jumping to unfounded conclu.... oh, shit, this is Slashdot, never mind that idea.

    20. Re:Useless functionality.. by Daltorak · · Score: 1

      Hahaha. All right, bro, you bookmark this posting and if Vista comes out without the functionality I've described, get in touch with me and I will Paypal you $20 USD. I think this stupid Windows Update website crap is going to be a thing of the past, and I'm willing to bet money on it.

    21. Re:Useless functionality.. by cbiltcliffe · · Score: 1

      Ok, if you've checked, and it's not using ActiveX at all, then fine. But I've seen so many people say something similar about a program not being IE, or not using IE, but they have no idea that pretty much the entire fscking interface since Windows 98 is HTML rendered by IE.

      If you've checked and researched into this, fine, but surely you can understand my initial skepticism.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    22. Re:Useless functionality.. by steve_l · · Score: 1

      The way MS could do it is have the updater app run separately from the browser, and have AX enabled in there.

      In the absence of that, you can run Windows/Microsoft Update by
      going to zone security
      -turning off download/run activeX controls in the Internet zone
      -Go to the trusted zone and mark it as medium security, with prompted activeX enabled. [Why does trusted zone exist, is there some web site you really trust to install unsigned activeX?]
      -turn off "require https" for trusted sites, and add *.microsoft.com .

      The result is to turn off ActiveX except for microsoft.com

      As an aside, being a Vista beta tester, I can assure you that while phishing and popups are more locked down (you can even disable turning off status bar and location bar in new windows), ActiveX is still set to prompted download in the Internet. That is just plain silly. ActiveX is one of the primary attack channels into IE, the one that doesn't even need to exploit unofficial back doors (it's a "front door").

      -steve

    23. Re:Useless functionality.. by Cally · · Score: 1
      If Microsoft had taken the time to consider the platform in a more paranoid sense they could have produced a product of barn-storming quality. Instead, they listened to the marketing people and we all know what result that led to.
      yeah, they've got about 95% of the OS market and, what, 80% of the desktop W/P, spreadsheet and presentation software markets. Record profits every year without fail. Bill Gates has so much money he's pitch-forking it at deserving causes as fast as he can go, and still gets richer each year than the gross domestic product of many small countries. Where did it all go wrong?
      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    24. Re:Useless functionality.. by ilyanep · · Score: 1

      This was always my problem. Had I not been a pretty experienced user, I would never be able to run Battlefield 2 even on low settings without turning off ZoneAlarm and Avast! (By the way, ZoneAlarm hates full-screen programs).

      But I'm never buying anything from EA again until they clean up their act (putting them as #2 on the list next to Sony)

      Maybe Microsoft could find a way to force these software designers to keep security in mind (such as perhaps making it harder to shut off the firewall the user is running or adding in a colorful "EA sucks don't listen to their support. I'm surprised they even replied" notice*). I'd just want to see it happen so that all these software designers would have their support lines swamped. But of course then we'd get the "Oh...evil M$" remarks that are all too common on /.

      *Okay, the latter is a little tongue in cheek

      --
      ~Ilyanep
      To get message, take amount of carrier pigeons at each stage mod 2. Then decode binary.
    25. Re:Useless functionality.. by man_ls · · Score: 1

      Trouble is, the fact that everyone runs as Administrator was because that was the *only* account back on the shitty operating systems Windows 95 and Windows 98. Newer, modern systems are backwards compatible with the older applications -- which want full access. Many apps just will not work without an administrator login. And, because of this existing bulk of work that couldn't be rewritten, MS went with backwards compatibility over security.

      That assumption made, developers ran with it, knowing that their applications didn't need to be written to honor pesky ACLs and so forth.

      So MS couldn't add it as an add-on. Sure, you can manually configure permissions on different registry keys with the registry editor and a hook monitor application (and some people do) but that's too much work for anyone but a dedicated security freak.

      Windows 2000 and XP wouldn't have sold a single copy if they weren't compatible with most of what was already out there.

      Interestingly enough, the whole Registry issue would be basically moot and invalid if the Registry didn't exist at all -- apps which get their config from XML or (my preference) INI files in their folders, don't have to worry so much. Trouble being, so many core system settings are stored in the Registry, there'd have to be a "common base" of config files and so forth. An equally big mess, really. Once again, the Registry lets a lot more applications know a lot more about the system they are running on, than config files. Ease of use versus security.

      It's a very fine line, and I'm not so happy with the way XP security is done, but I understand why they made a lot of the "security vs. X" tradeoffs they did. In a corporate environment, it certainly can be locked down to whatever degree you want via GPOs, but in a home environment it's pretty open (on XP Home anyway, XP Pro is a lot more sane about network stuff by default in my experience.)

    26. Re:Useless functionality.. by ilyanep · · Score: 1

      I'd still like to see a command line option similar to 'su' in Linux. Otherwise, the main parent's suggestions are very good and are why Linux is considered so secure.

      --
      ~Ilyanep
      To get message, take amount of carrier pigeons at each stage mod 2. Then decode binary.
    27. Re:Useless functionality.. by dbIII · · Score: 1
      XP should completely out-class Linux/Unix in every metric of measurement
      Why? It's for home computers - look at the server versions of the MS operating systems if you expect something better than a glass typewriter or a games machine.
    28. Re:Useless functionality.. by NumerusSpy · · Score: 1

      2. Software Restriction Policies should be on by default - in both XP Pro and XP Home * Everywhere should be marked "No-Execute" except for C:\Program Files and C:\Windows.

      This is one of those geek jokes that I don't get isn't it?

      --
      There they are a conga line of suck holes. On the conservative side of Australian politics. - Mark Latham
    29. Re:Useless functionality.. by toadlife · · Score: 1

      There is a command line option similar to "su". It's called "runas". Runas is available in the GUI too by holding down shift and right clicking on a shortcut.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    30. Re:Useless functionality.. by Anonymous Coward · · Score: 0

      Start->...->Command Prompt ... [Rt Click]->Run As ... Administrator Account

  15. Connecting to a network is a vulnerability now? by m50d · · Score: 4, Interesting

    I mean, I know windows security is bad, but is it really considered a compromise to simply be on the same network as the attacker's machine?

    --
    I am trolling
    1. Re:Connecting to a network is a vulnerability now? by Anonymous Coward · · Score: 0

      I would say so,

      The Windows machine automatically associates with the "hacker" machine
      Now if this flaw goes deeper and such that IF the previous AP had encryption ON, but the Hacker-AP has none but the Windows machine still connects then the Hacker can now snoop at unencrypted traffic and wait for a credit card number to allow him to then buy some repeaters and get more credit card numbers from more ppl

    2. Re:Connecting to a network is a vulnerability now? by Anonymous Coward · · Score: 0

      With a normal OS, it isn't. But this is Windows we are talking about, remember? There, it actually _is_ a compromise if you are on the same network.

      Windows boxes need to be shielded by real systems.

    3. Re:Connecting to a network is a vulnerability now? by necro2607 · · Score: 1

      Well, unless you're running a software-based "firewall" on your machine, you're pretty much open to any sort of network-based attack. Frankly, I see remotely connecting to someone's LAN as being in a nice big free-for-all of exploit-tasticness! Guaranteed fun for all involved.

    4. Re:Connecting to a network is a vulnerability now? by m50d · · Score: 1

      I have no software firewall. I give my machines static, public IPs and leave them on all the time. I see no vulnerability in this.

      --
      I am trolling
    5. Re:Connecting to a network is a vulnerability now? by Tony+Hoyle · · Score: 2, Informative

      More than that - the Windows firewall opens many ports to those machines it considers to be on the local LAN - Netbios, etc. Since your blackhat machine *would* be on the same subnet then the Windows firewall would be essentially invisible - all that is required is to browse to the network share (assuming it's got passwordless shares, which is not unusual at all if the target is normally connected to a corporate LAN - in fact the last place I worked it was policy to do so so the management could see what you were working on).

    6. Re:Connecting to a network is a vulnerability now? by AnyoneEB · · Score: 1

      Umm... why would credit card numbers ever be unencrypted? Even if the network is not using WEP or WPA, the data would still be sent over HTTPS for an online store.

      --
      Centralization breaks the internet.
    7. Re:Connecting to a network is a vulnerability now? by pitc · · Score: 1

      The word 'compromise' wasn't used... I read 'Networking Flaw'. But that aside, yes, it is a vulnerability. If somebody in my office brings up an unauthorized wireless network I am definitely going to go ape crazy to shut it down.

      The consultant mentioned in the article who was told there are a lot of false positives really does have his work cut out for him. Those are not false positives at all. All it takes is one of those wireless-enabled to have a rootkit on it and *POOF*, your whole network is open to the neighbourhood script kiddies.

      --
      aoeu
    8. Re:Connecting to a network is a vulnerability now? by typicallyterrific · · Score: 1

      Think less 'rape it full of trojans and viruses' and more 'my bank's online banking website looks slightly russian today. The URL is the correct one tho -- oh well'

    9. Re:Connecting to a network is a vulnerability now? by NutscrapeSucks · · Score: 1

      I assume that you also do not use things like NFS, RPC (Unix or Windows), yp, NetInfo, and so on.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    10. Re:Connecting to a network is a vulnerability now? by Cally · · Score: 1
      the Windows firewall opens many ports to those machines it considers to be on the local LAN - Netbios,
      No, it does not.
      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    11. Re:Connecting to a network is a vulnerability now? by m50d · · Score: 1

      NFS I have but only readonly, non-sensitive stuff that might as well be public. I haven't deliberately set up any of the others, and can't imagine most users would need to.

      --
      I am trolling
    12. Re:Connecting to a network is a vulnerability now? by necro2607 · · Score: 1

      That's irrelevant, that your shares are "read only". Exploits don't care about your regular settings, your "security". Exploits usually abuse flaws in software regardless of how the user has configured it.

      Having no firewall between your machine and others opens you up to any network-based exploit, unless your machine has every single security flaw patched for every piece of software installed.

      Just try plugging your machine directly to the net sometime, and turn off the firewall. It won't be long before some kind of exploit is used on your machine.

    13. Re:Connecting to a network is a vulnerability now? by m50d · · Score: 1
      Just try plugging your machine directly to the net sometime, and turn off the firewall. It won't be long before some kind of exploit is used on your machine.

      I did that about six months ago. No exploit so far.

      --
      I am trolling
  16. Ad-hoc networks vs link-local by e271828 · · Score: 3, Insightful
    It seems like there are two different issues in play here. The RFC referenced in the article talks about link-local addressing, which is simply a way to assign an address in the 169.254/16 subnet if no DHCP server is found. It is not wireless-specific at all.

    What we have here is that, in addition to doing this, Windows is also offering to set up an ad-hoc (i.e. computer-to-computer) network on the link-local subnet with the same SSID as that of the last network the laptop connected to. I wonder what the rationale for doing this could have been. It seems to me that a machine should not offer to set up an ad-hoc network unless specifically directed to do so by the user. When such a network is set up then it is appropriate to use link-local addressing to auto-configure the interface.

    1. Re:Ad-hoc networks vs link-local by Anonymous Coward · · Score: 0

      I haven't RTFA, but:

      1) one can define a different "alternative configuration" for the IP-Address. Instead of letting it take a link local address, you can set a static address. Does anyone know what happens if you choose 0.0.0.0?

      2) In the dialog where the WAP/WPA key is configured, there's a checkbox that I believe would require the base station or link partner on the wlan to use the same key.

      Either of those settings should prevent the attack as described above.

    2. Re:Ad-hoc networks vs link-local by Anonymous Coward · · Score: 0

      I wonder what the rationale for doing this could have been?
       
      The idea I guess was to allow systems on a wireless network to continue to talk to each other in the event that the Wireless Access Point failed. If all the systems in the network perform the behaviour suggested in the article then an ad-hoc network will be created automatically if the WAP is unavailable. On its own I can't see it being much of a security risk, unless, as suggested in an earlier post, encryption is disabled by default (even if the previous network used it).

  17. large violins by gEvil+(beta) · · Score: 3, Funny

    Viola! His machine was assigned a different 169.254.x.x address...

    Good to see that technology journalists are so enthusiastic about orchestra instruments.

    --
    This guy's the limit!
  18. Time by MBHkewl · · Score: 0, Offtopic

    I guess being "loveless" gave "Mark Loveless" all the time in world, aih? Heh, poor nerd..
    Oh, wait...

    --
    Mod points are a dangerous tool. Abuse them wisely.
  19. It's a foot in the door. by lheal · · Score: 2, Informative
    I mean, I know windows security is bad, but is it really considered a compromise to simply be on the same network as the attacker's machine?

    Yes. Windows trusts the network. Think Active Directory. If you can trick a Windows machine into thinking you are on its network, it will happily let you be its partner (or maybe even its server) on that network. Though you probably can't trick it into being an AD client right off, you can find out all kinds of things about it, such as any shares it has open.

    This vulnerability is an enabler, rather than a gaping hole.

    What I hate is Windows' inability to route on multiple network cards. If a user is on a wireless link and they go somewhere where they plug in, Windows still thinks the wireless card is the active connection. It's been that way for years, going back to modem-PPP connections.

    Also, if you have both a wired connection and a wireless (or modem) connection and leave the wired network (connecting over wireless (or modem)), Windows can't find IP addresses that are on the wired subnet. If you have a web server on a network at work, you can't connect there over the wireless/modem link. You have to disable the wired network connection, and then it works. What a design!
    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
    1. Re:It's a foot in the door. by raynet · · Score: 1

      Windows works with multiple NICs; you just have to give devices different metric values in their route tables. Just put wireless metric to 2 and NIC to 1 if you prefer to use NIC whenever it is connected. You need to do a similar thing with Linux too (if using 2 NICs simultaneously).

      --
      - Raynet --> .
    2. Re:It's a foot in the door. by NutscrapeSucks · · Score: 1

      > you can find out all kinds of things about it, such as any shares it has open.

      Correct me if I'm wrong, but "anonymous connections" have been disabled in recent versions of Windows ... ie, you can't see shares without authenticating first. Admittedly this was a big problem back with NT4.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
  20. that's a broken-by-design behavior of XP by Anonymous Coward · · Score: 0

    http://support.microsoft.com/default.aspx?scid=kb;en-us;811427&Product=winxp

    Basically -- trust pappy Microsoft that disabling broadcast of your SSID is 100% useless for keeping out knowledgeable, mal-intentioned people (instead of acknowledging it's partially useful for keeping out random neighbors) and re-configure your access point to broadcast its SSID to the world.

  21. Maybe they'll work out all of the bugs ... by barfomar · · Score: 0, Troll
    Maybe they'll work all of these bugs out by the time Vista comes out.

    Or create a whole new batch to ensure job security...

  22. Oh Yes... by Anonymous Coward · · Score: 0

    ...another week... another security "feature"...
    ...and once again from the richest man in the world...

  23. Err...vulnerability? by avalys · · Score: 5, Insightful

    I would hardly call this a vulnerability. You're certainly no more vulnerable if someone exploits this little "feature" than you are at any other time you're connected to a network.

    This is such a complete non-issue, it's like a freaking joke. Read the article - all a hacker might gain from this vulnerability is the ability to connect to your computer, as if it was still on a wireless network, after you've moved outside the range of an access point. Big deal. But the author and "discoverer" both talk about it like this is a remote root exploit or something. At one point, the author includes this little gem: "As Loveless pointed out, this "feature" of Windows actually behaves somewhat like a virus." Virus, my ass.

    What's with all the foaming-at-the-mouth hype about these minor little things lately? It's counterproductive - going berserk over every slight issue that might, in some fantastic combination of circumstances be a security problem, takes away attention from flaws that actually matter.

    --
    This space intentionally left blank.
    1. Re:Err...vulnerability? by Anonymous Coward · · Score: 0

      I wonder... are you completely blind all of you ?? fuck the laptop, it is worthless ! You are giving them the SSID for the whole fucking network !!

    2. Re:Err...vulnerability? by Anonymous Coward · · Score: 0

      Exactly. If this is considered a vulnerability, then every Windows laptop that's ever been connected to a public hotspot is vulnerable. Right now a fully patched XP SP2 system is not vulnerable to any known remote exploit, so having it connected to any network is not a risk.

  24. Mostly annoying for network admins by Stalin · · Score: 1

    This explains why we get a lot of laptops broadcasting our AP names on campus. What makes it annoying is that XP defaults to connect to the first available network it finds with the name you have given it. You can check off a box that says something to the effect of "ignore ad-hoc networks" but how many users do you know that would have any idea that is the reason their wireless card "isn't working"?
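
Added example, not part of the thread or any poster's code: the ad-hoc beacons described in the comment above can be told apart from real access points by the ESS/IBSS bits of the 802.11 capability field. The SSIDs, BSSIDs and beacon records are constructed sample data, and the check also reports unlisted access points using a managed SSID, which goes slightly beyond the comment.

```python
from dataclasses import dataclass

# 802.11 Capability Information bits carried in every beacon frame.
CAP_ESS = 0x0001      # set by an access point (infrastructure network)
CAP_IBSS = 0x0002     # set by a station in an ad-hoc (IBSS) network
CAP_PRIVACY = 0x0010  # encryption is required to join


@dataclass(frozen=True)
class Beacon:
    bssid: str        # MAC address that sent the beacon
    ssid: str         # advertised network name (case-sensitive)
    capability: int   # 16-bit capability field from the beacon body


def mode(beacon):
    """Classify a beacon by its ESS/IBSS bits; exactly one must be set."""
    ess = bool(beacon.capability & CAP_ESS)
    ibss = bool(beacon.capability & CAP_IBSS)
    if ess and not ibss:
        return "infrastructure"
    if ibss and not ess:
        return "ad-hoc"
    return "invalid"


def audit(beacons, managed):
    """Return one finding per (BSSID, SSID) that advertises a managed SSID
    without being one of the listed access points.

    managed maps each SSID we operate to the set of our AP BSSIDs (lowercase).
    """
    findings, seen = [], set()
    for b in beacons:
        bssid = b.bssid.lower()
        if b.ssid not in managed or (bssid, b.ssid) in seen:
            continue
        seen.add((bssid, b.ssid))
        kind = mode(b)
        if kind == "infrastructure" and bssid in managed[b.ssid]:
            continue  # one of our own access points
        findings.append({
            "bssid": bssid,
            "ssid": b.ssid,
            "mode": kind,
            "encrypted": bool(b.capability & CAP_PRIVACY),
        })
    return findings


# Constructed inventory and scan results (not captured from a real network).
MANAGED = {"CampusNet": {"00:11:22:33:44:55"}}
SAMPLE = [
    Beacon("00:11:22:33:44:55", "CampusNet", 0x0011),   # our AP, encrypted
    Beacon("02:AA:BB:CC:DD:01", "CampusNet", 0x0002),   # laptop in ad-hoc mode
    Beacon("02:aa:bb:cc:dd:01", "CampusNet", 0x0002),   # same laptop, repeat
    Beacon("02:aa:bb:cc:dd:02", "CoffeeShop", 0x0002),  # ad-hoc, not our SSID
    Beacon("00:de:ad:be:ef:00", "CampusNet", 0x0001),   # AP not in inventory
]

if __name__ == "__main__":
    for f in audit(SAMPLE, MANAGED):
        enc = "encrypted" if f["encrypted"] else "open"
        print(f'{f["bssid"]}  {f["ssid"]}  {f["mode"]}  {enc}')
```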

  25. Re:Useless functionality.. (one more thing) by hackstraw · · Score: 1


    My house has glass doors and windows (not Microsoft).

    If someone really wanted to steal my stolen music, they could easily take my whole computer and stereo while I'm at work. More risky if caught, because I'd fuck their world up. But it's certainly easier than breaking into my Mac via the network. And more profitable because they either get a nice computer, or can sell it for at least $1k.

  26. Not really that funny by MECC · · Score: 2, Interesting

    "The funny part from the Post blog entry is that Microsoft helped author the RFC for link local."

    I really don't see how MS helping to author a useful RFC is funny, or even relevant. What's funny is that someone at MS somehow thought it would be a good idea to open up a system to the entire world, since it's clearly a thinking flaw as opposed to the usual QA flaw.

    Speaking of thinking flaws, how about this one: If a laptop running XP has a wired and a wireless connection going, XP asks the user if they want to share their connection. User clicks 'yes'. XP bridges wired and wireless for them. XP also broadcasts on both sides that it will be a gateway for other systems running XP (via netbios-over-ip, IIRC). Those systems get on board, and make that computer their default gateway.

    Then the computer 'sharing' its connection, and all its 'victims' are suddenly very slow. There never seemed to be a straightforward way to prevent the other XP computers from making the dual-connected XP system their default gateway. If you manually change the default gateway on the victim systems, they just switch back to the dual-connected XP box. I don't know if XP still does this, but talk about stupid.

    Seriously, who the hell thinks this kind of thing up? Do they have brain stem storming sessions or something?

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:Not reall that funny by Allador · · Score: 1

      Well, let's see.

      Probably the easiest way to avoid having Internet Connection Sharing on is to not turn it on in the first place.

      ICS is not on by default, so you've turned it on, and now you're complaining that it's turned on?

      Go to Control Panel -> Network Connections, and right click on your wireless link, and choose Properties.

      Click on the advanced tab, and then uncheck 'allow other network users to connect through this computer's internet connection'.

      Note that you have to do this through a local admin account, you won't see the Advanced tab at all from your regular unpriv'd account.

  27. Please just look and leave! by Phanominon · · Score: 1

    I have to agree that it would be easier to steal my whole laptop and probably more profitable. My only concern if you break into my laptop, either via networking stupidity on my account or that you are really talented, is that please just copy whatever useless porn or emulators you want. But don't destroy anything!!! I don't keep sensitive material on my portable systems. So who cares!

  28. HELP! NIC works as intenden1?!!?!?!!? by vsync64 · · Score: 5, Funny
    Oh noes! If my network interface is up you can send me packets that I have to accept or reject?1!!?!? HWATEVER SHALL I DO PLEASE HELPE ME

    i have heard of an even worse vulnerabelity! if you hack yuor micthorwave oven to have teh door open it will JAM MY 80211 packets!!?!!?!!?!?!?!!?!

    Also risk of cooking!

    tell steve gibson of GRC he will save us

    --
    TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    1. Re:HELP! NIC works as intenden1?!!?!?!!? by Anonymous Coward · · Score: 0

      Yeah really. This is just more fodder for the /. groupthink that wants to smear Microsoft at all costs. If an inconsequential bug like this was remarked for Linux, everyone here would be up in arms about the bad journalism taking place. When it's for Microsoft, then it's OK.

    2. Re:HELP! NIC works as intenden1?!!?!?!!? by Anonymous Coward · · Score: 0

      this post is the antithesis of "teh suck".

      what an awesome fucking post.

      With Warm Regard and Love to the Moon Master,

      Ignignokt and Err

  29. Possible Solution by freakmn · · Score: 2, Informative

    I'm not sure if this will help your exact situation, but you could try going to the network connections box, then the advanced menu, then click on advanced settings. In there, you can change the preferred order of your networks. I've used this at work, as the laptops are set by default to use the wireless connection first, but if the wireless connection is flakey, the computer gives many network errors. Setting the wired connection as a higher priority fixes a lot of problems. The only time I've had problems switching between is if it is in the middle of a file transfer during the switch.

    --
    warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
  30. why not? by Anonymous Coward · · Score: 0

    EULA is pretty shaky at best. This could happen, if someone took the "patented software" angle and used it. When the government added the right to patent software it seems to me that it then put it into the tangible products category, something that didn't exist before when all they had was copyright. AFAIK no lawyer has tried this angle yet to sue them for failing to provide a reasonable warranty like other tangible products offered in the US for sale or lease-to-use. There are certainly enough people who might join in, as well as businesses who have suffered direct financial harm and expense from MS software being not suitable for purpose. Would it be hard to do this? Yes. Impossible? No, it could be done and I think there's better than a fair chance of winning, perhaps starting in local courts and working your way up. Even though MS is big, only one lawyer can actually stand up and talk at one time once you get to court. Other big business cartels have finally had to eat it in the past, once someone called them on shady practice, and despite a lot of folks saying in advance that you can't fight the 800 lb gorilla, etc. It used to be a few decades ago-just for one instance-you had a hard time getting anything from any large insurance company, despite an obvious clear cut case, now it's quite common, and insurance companies are still around. It used to be common for big businesses to just dump whatever crap they wanted to in streams, now it is highly illegal and many of them have been fined and now must jump through hoops to avoid this. It took lawsuits and eventual law changes, but it happened, and I remember when it was first starting and people said you "couldn't fight them" and it was "impossible". Now we have the EPA and standards. I remember working on such issues way back then. It takes commitment and some courage and some heavy skull sweat, but it can happen.

    People have short memories it seems.

    It's doable. If such a case got off the ground and had an advertising campaign to get individuals and businesses to join-again common practice today with various class action suits, it could happen. You might get a million people responding eventually, and it would help if at least one large corporation that WASN'T in the software business would join in, some corp that has gotten nailed over and over again and had to shell out a lot of money to try and fix what shouldn't be broken in the first place. Remember, the DOJ suit was entirely non-focused on useability, it was an anti trust suit, not a flawed products suit. I also think you could take the angle that using a "not my fault" EULA is a RICO attempt at actual fraud once a lot of money changes hands.

  31. Proves Nothing! Seriously by ikejam · · Score: 1

    Like someone mentioned before, the actual demonstration involved something that appears as legit as it should be. Someone set up an ad-hoc network, it worked. The third person supposedly trying to join the 'hackme' network could have obviously detected the SSID if it was broadcast, and seeing an unsecured network would have just tried to join in. Nothing to see here dammit. Has anyone demonstrated that Windows starts an ad-hoc network, unless specifically set up by the user? This looks, worst case (also not demonstrated I think), more like a case of if someone sets up an ad-hoc network for some reason, and does not disable it, the next time it will still be there. I could be wrong, but the article albeit detailed is not particularly convincing.

  32. And an attacker on my ad-hoc... by SmurfButcher+Bob · · Score: 1

    is any more of a threat than one on an Infrastructure?

    Packets are packets. This article should have been titled, "DANGER: WiFi at Hotels and Starbucks are safe, ad-hocs are not." ...Unless you've configged your laptop to always assume it will be constrained behind a NAT, exposed to a subnet of trusted hosts only. Yeah, right.

    --

    help me i've cloned myself and can't remember which one I am

    1. Re:And an attacker on my ad-hoc... by twitter · · Score: 1
      Unless you've configged your laptop to always assume it will be constrained behind a NAT, exposed to a subnet of trusted hosts only. Yeah, right.

      As Windoze has a 12 minute half life on any network this is exactly how an admin would want to set up a Windoze laptop. The reported behavior setting up rogue subnets between laptops in and outside the company exposes those laptops to much more than any admin ever intends.

      Unpredicted and unintended behavior are always security problems.

      --

      Friends don't help friends install M$ junk.

    2. Re:And an attacker on my ad-hoc... by SmurfButcher+Bob · · Score: 1

      Mmmm... in re-reading my post, I wasn't too clear... my bad. Perhaps I should phrase it this way...

      If being exposed on an ad-hoc is a problem, then you're screwed no matter what.

      The point of my original "re-title" was to point out the implication of TFA... that adhocs pose more of a risk than an established infrastructure, and it's bull@#$. What should be clarified... if you can survive on the typical public infrastructure, then an ad-hoc is irrelevant; there's nothing exposed there that isn't exposed on the infrastructure. Likewise, if someone CAN gain a foothold over this ad-hoc, they can do exactly the same thing over an infrastructure. From the admin perspective, *unless* the admin expects that the laptop will ONLY connect to a specific bastion infrastructure... this entire "ad-hoc" threat is moot, and is merely the same case as the typical infrastructure.

      Phew!

      --

      help me i've cloned myself and can't remember which one I am

  33. Undocumented != unknown by Hydian · · Score: 1

    Anyone who has worked with a decent wireless scanning tool has probably seen this. We saw it while using Airmagnet Surveyor to baseline a site. We kept seeing an SSID being broadcast even though we were in a location where nothing could have been in range and there weren't any detectable wireless devices on site. It turned out to be our own laptops broadcasting the SSID from the hotel we were staying at.

  34. XP SP2 not affected by Anonymous Coward · · Score: 0

    FWIW, once again SP2 users are not affected by this. The on-by-default firewall stops it, TFA clearly states they had to turn it off first to get it to work.

  35. Be careful if you do that. by TheLink · · Score: 2, Informative

    So what if your computer automatically sets up an IP that doesn't clash, and then sets up adhoc wireless networking with the previous SSID _if_ you have your wlan interface on?

    How is that a flaw? That's a _feature_ in many cases. Especially if you really want to share files and you don't have a WAP.

    From the article: "First of all, if you are running any kind of network firewall -- including the firewall that comes built in to Windows XP -- you won't have to worry about some stranger connecting to your laptop. In fact, I had to shut down my firewall for both of us to successfully conduct our test. "

    Doh.

    If you actually care about security you'd already know that wireless networking is a lot less secure than wired networking.

    To "wise guys" trying to connect to other people's stuff. You yourself could be exploited if you connect to any untrusted wireless LAN and try using the internet or connecting to "open" shares[1]. There's so much that can be done to _you_ that it's not funny.

    What are you going to do if your computer gets "owned" or fubared after you open a share that's called "Do Not Open" or something like that?

    People who think they are smart and connect to "open" wireless LANs run by "stupid" people should also assume the possibility that someone can sniff, hijack and fake their traffic.

    If it turns out those "stupid" people aren't that stupid and are evil, your usernames and passwords could be taken, or your data. Or you could be victim of a MITM attack. What you see may not be the real thing.

    Even if they aren't actively hostile, they could log your activities too and I doubt they are under the same limitations/restrictions as ISPs.

    The company I work for provides systems that make it _easy_ for people to get connected to the internet and do their stuff - they don't have to fool around with their internet or browser settings.

    Malicious folk can do the sort of stuff we do and more for nefarious purposes.

    [1] You're running windows and you think you're smart to open some "stupid" person's unsecured shared folder? Well you better make sure you've set your My Computer and Local Intranet security settings to something safe[2]. And it's probably best to turn off "view as a webpage" and all that junk...

    Whatever O/S you are using, you better be fully patched when you expose yourself to an untrusted network. I believe many modern Linux distros have file managers that generate image previews, and there was an image library bug not so long ago.

    [2] See: http://support.microsoft.com/?kbid=315933 and http://support.microsoft.com/?kbid=182569

    --
    1. Re:Be careful if you do that. by level_headed_midwest · · Score: 1

      You raise some very true points, but why not enforce the connection to only get an address assigned by DHCP if that is how the interface is set up? That way, if there are no APs out there, the NIC will not give itself an IP and ad-hoc on its own accord. I'd also make it easy to give yourself a temporary static IP for when you want to ad-hoc- but it would require the user to do it by clicking a button or selecting a right-click menu item. That should not inconvenience the users very much but would fix this problem.

      --
      Just "gittin-r-done," day after day.
    2. Re:Be careful if you do that. by Bretai · · Score: 1

      DHCP does not make the problem more difficult. A windows client doesn't need an IP address to create an Ad Hoc network, and any associated computer can just run a DHCP server.

      Anyway, as someone else mentioned, this isn't a security flaw. Since XP SP1 the user is warned when they create an unsecured wireless profile - for a reason.

      --
      Controlling complexity is the essence of computer programming. -Brian Kernighan
    3. Re:Be careful if you do that. by TheLink · · Score: 1

      If you are going to use wireless networking you should already be securing your computer and network configuration in ways where this "flaw" won't be an issue at all.

      Because, if you associate with a malicious network you're pretty much in danger anyway. So if you actually care about security, the best way is to turn off your wireless network, or only allow connection using safe WLAN protocols e.g. EAP-TLS and similar stuff. Once you have that, your computer isn't going to automatically connect to any strange network.

      Otherwise your computer may try to connect to its previous AP with a given SSID, and a malicious AP could then just say "yes that's me"[1], and then a malicious DHCP server could take over your machine if you have a vulnerable DHCP client. Even if your DHCP client is fine, there's plenty of other stuff - you might have IM/POP3/IMAP clients that automatically try to log on with your credentials.

      How many of those clients will securely check to see that the server they connect to is genuine? All using TLS?

      [1] Or maybe there's worse it could do? I wonder if there's room in the protocol to mess up WiFi client/server software - e.g. specify some weird reply fields and buffer overflow the victim.

      --
  36. No it doesn't by Sycraft-fu · · Score: 1

    The XP firewall trusts nothing on the local network except filesharing. Well this isn't very vulnerable either. In the default state, simple file sharing, XP simply has nothing shared by default. You need to activate a shared folder, and it doesn't provide access to anything important. If a user manually enables advanced filesharing, the administrative shares then work, but you need a password. Accounts with no password aren't usable to get at them.

    As for the AD thing, it's clear you are confused. Windows doesn't just magically partner with servers, it's not like a domain controller just says "hey join up" and it does. Windows only "partners" with machines that have accounts with the same credentials. So if you have two computers both with the same username/password logged in, they can access each other, since the first thing Windows tries is to use the current user's credentials (if that doesn't work, it asks you for proper credentials).

    However for all that, you still need to turn on advanced filesharing, or have manually opened up a simple share. It just doesn't share anything in the default state and there's jack you can do about it.

    I encountered this when XP was new and got really confused. I'd only ever used it in an AD environment at work, where the shares are all advanced by domain policy. So I had two systems that were non-domain systems, and I wanted to get files from one to the other, both had the same admin user name and password. I did the Windows 2000 thing and connected to \\computer\c$ that's the admin share for the c drive, gets to all the files. Windows said no, and gave me an odd dialogue that just wanted a password, no username, and it wouldn't take the password. I went back and forth for like 10 minutes before I finally found out about simple filesharing. Turning that off made it work like I expected.

    So in its default config, there's nothing particularly dangerous about being able to pretend you are on the same network as a system. The filesharing port will be open, but there's nothing you can do with it.

    1. Re:No it doesn't by Cally · · Score: 1
      ">I wanted to get files form one to the other, both had the same
      >admin user name and password."

      I'm sorry to say you display an understanding of Microsoft CIFS / SMB 'file sharing' networking that is fundamentally broken. Not that I blame you: trying to reverse engineer what the hell it's supposed to do, and how, by staring at it, scratching your head, then trying stuff at random to see what changes, is a slow but certain route to premature baldness, impotence, and ultimately stark, bug-eyed staring psychosis. I recommend checking out the O'Reilly Windows network admin book(s). (Haven't read 'em myself since the NT4 days, but they were pretty good then.)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    2. Re:No it doesn't by Sycraft-fu · · Score: 1

      I'm sorry to say but it's not, that's how they work in XP. Try it yourself. Oh, and I've read "Windows Internals" which is probably the best reference for this sort of thing. What you knew from NT4 has no application to XP. There have been significant changes.

  37. Is this really that big of a flaw? by Transcendent · · Score: 1

    In the end, the "victim's" computer is simply connected on a network with the attacker. That is all. It's the same vulnerability as if you're on a normal network. This time, you just don't realize that you're on a network.

    If you're running windows firewall, I think you'll be all right. Unless you have other security problems already, this won't hurt you at all.

  38. Not news by drwho · · Score: 1

    This is no news. Just because it is done by a local network doesn't make it interesting. For instance, the same thing can be done with devices seeking an access point. If you don't know this already, be informed that 'regular' PCs can be used as an access point with the proper drivers and OS. The Fake AP problem really hasn't been exploited to the extent it could be. As far as I know -- maybe in some places, it has.

  39. And now, you're a Criminal! by Anonymous Coward · · Score: 0

    Congratulations!

  40. [OT] your sig by Mr+Z · · Score: 1

    Not only is ZEN a prime number in base-36, but so is DOH.

    1. Re:[OT] your sig by pb · · Score: 1

      Not only is pb a prime number in base 36, it's also 911 in base 10!

      --
      pb Reply or e-mail; don't vaguely moderate.
  41. Why look in Windows? by Anonymous Coward · · Score: 0

    Instead of concentrating on identifying/fixing bugs in Windows, wouldn't it give us more returns if we were concentrating on identifying/fixing bugs in FOSS?

  42. This is an old vulnerability by computergeek1200 · · Score: 1

    The Wireless Zero Configuration service (WZC) Ad-Hoc vulnerability is a very old one. I knew about this for a long time before this article came out. There is also a vulnerability that will allow you to acquire the wireless keys on WZC. The program wzcook.exe which is part of aircrack will give you the keys for the wireless networks that are stored by the WZC.

  43. Riiiiiight... by kiddailey · · Score: 1

    Right. No need to worry. Until you start thinking about the big picture. It's not just this one flaw that's worth worrying about, it's the combination of Windows' security flaws that are the problem.

    You're sitting in your local coffee shop and someone is there listening for signals... they connect to your machine, install a vbscript that runs periodically and attempts delivery of a payload to any machines available on whatever network you connect to. Or perhaps one that simply puts an e-mail in your outbound Outlook queue to anyone in your address book.

    Yeah, no need to worry at all.

    1. Re:Riiiiiight... by Allador · · Score: 1

      And how exactly do they 'connect to your machine and install vbscript'??

      Just being on the same subnet doesn't give you the Magical-Auto-Granting-Of-Local-Admin-Username-And-Password (TM).

      The only way this would work is if there was no firewall on the machine, or the firewall considered the APIPA subnet a trusted network. Then the person would have to have an easily guessable local admin user/pass combo. Then the attackee would have to leave their wifi on for long enough for this to happen when there is no signal.

      Where exactly is the security concern in this?

    2. Re:Riiiiiight... by fishbot · · Score: 1

      "Then the person would have to have an easily guessable local admin user/pass combo"

      You mean like:

      Username: Administrator
      Password:

      Surely nobody would do that, would they? I mean, it's not like it's the default on just about every preinstalled XP machine ever is it?

      Saying that something isn't a security risk just because it's unlikely doesn't stop it being a security risk. Or are you one of the crowd who think that obscurity == security?

    3. Re:Riiiiiight... by Allador · · Score: 1

      Windows allows no remote access to an account that has a blank password, so this user/pass combo gives you absolutely nothing.

      Windows Firewall considers all wifi interfaces to be untrusted by default.

      As I said, this gives you absolutely nothing more than some other guy sitting at Starbucks who is also connected to T-Mobile. That guy is also on the same subnet, and using the same SSID, and therefore the same local access to the person's computer.

      But it still doesn't give you any special access to the system.

      And for corporate machines, where the real value is, they're going to have strong passwords enforced by GP, going to have good firewall rules set up, and will be using a certificate-based VPN to talk to the corporate network.

      Again I ask, where is the vulnerability? This is not an obscure issue, this is a non-issue.

  44. out-class Linux/Unix in security? by Phatmanotoo · · Score: 1

    In terms of security, XP should completely out-class Linux/Unix in every metric of measurement.

    Although I can think of many areas in which XP can outclass Unix/Linux, security is not even remotely one of them. I do agree with the rest of your argument (default settings being so insecure), but that statement above is so preposterous I could not let it go by unchallenged.
  45. Solution for Windows by SirDaShadow · · Score: 2, Informative

    Here's how to fix this on Windows:

    Start->Control Panel->Network Connections->Double Click on your Wireless Connection->Properties->Wireless Networks->Advanced->Choose "Access point (infrastructure) networks only". Click the Close button then Click OK all the way back. Done.

  46. Conflicting opinions on what is vulnerable by Cytlid · · Score: 1

    After reading several of the comments, we should just trump our previous definition of "vulnerability".

    If you have a computer and its power is *ON*, it's vulnerable to something.

    Next week I will show that even a computer in which its power is *OFF* is vulnerable to the 8lb sledge hack.

    --
    FLR
  47. And users by steve_l · · Score: 1

    It also explains why things go so badly wrong at conferences.

    All it takes is one laptop to suddenly go out of range of the AP and it becomes an adhoc network *with the same name as the conference network*. Then laptops that are in range and don't have "connect to ad-hoc networks" disabled, also start binding to that node, as suddenly there is a choice between the real and ad-hoc network, both with same fucking name.

    This isn't a security risk, any more than running unencrypted protocols over a WLAN in the first place, but it just makes the Windows laptop experience that much worse for everyone involved, at least those who don't know that turning off ad-hoc networking makes sense. Maybe now a fear of a security vulnerability will help people to do that.

    And let's be ruthless: if it gives Windows users a worse experience than apple or, say, ubuntu laptop owners, well, serves them right. (My laptop is actually running winXP; it is my last non-vmware windows image. I keep it in DOS-land as it runs those apps I need at work (Exchange, MSWord), and it helps test that the apps I write do actually work on XP as well as unix. But I could do the latter with vmware-based testing, so maybe this is the year to migrate to a good linux laptop distro.)
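
Two comments in this thread describe something a site survey can check for: laptops beaconing a previously used SSID (comment 33) and an ad-hoc node carrying the same name as the real network (comment 47). The following is an added example, not part of any poster's comment: it classifies beacons by the ESS/IBSS bits of the 802.11 Capability Information field and flags ad-hoc beacons that reuse an infrastructure SSID. The record layout, the function names, the `managed_ssids` parameter and all sample SSIDs/BSSIDs are assumptions constructed for illustration.

```python
from collections import defaultdict

# IEEE 802.11 Capability Information bits carried in every beacon.
CAP_ESS = 0x0001   # bit 0: sender is an access point (infrastructure)
CAP_IBSS = 0x0002  # bit 1: sender is an ad-hoc (IBSS) station

# Constructed sample survey data (not taken from the thread).
SAMPLE_BEACONS = [
    {"ssid": "ConfWiFi",   "bssid": "00:11:22:33:44:55", "capability": 0x0421},
    {"ssid": "ConfWiFi",   "bssid": "02:A4:7C:10:9E:01", "capability": 0x0022},
    {"ssid": "HotelGuest", "bssid": "02:5B:C3:88:12:F0", "capability": 0x0002},
    {"ssid": "lanparty",   "bssid": "02:77:01:AA:BB:CC", "capability": 0x0002},
    {"ssid": "CampusNet",  "bssid": "00:AA:BB:CC:DD:01", "capability": 0x0431},
]


def beacon_mode(capability):
    """Classify a beacon from its capability field."""
    ess = bool(capability & CAP_ESS)
    ibss = bool(capability & CAP_IBSS)
    if ess and not ibss:
        return "infrastructure"
    if ibss and not ess:
        return "adhoc"
    return "unknown"  # both or neither bit set: not classified here


def find_adhoc_lookalikes(beacons, managed_ssids=()):
    """Return ad-hoc SSIDs that collide with infrastructure SSIDs.

    reason "shadows-visible-ap": an AP with the same SSID is in range, so
        clients that accept ad-hoc networks may join the wrong one.
    reason "managed-ssid-adhoc": no AP in range, but the SSID is on the
        caller's list of known infrastructure names (hypothetical
        allowlist), i.e. a client is advertising a network it used before.
    Ad-hoc SSIDs matching neither case are treated as deliberate and skipped.
    """
    infra = defaultdict(set)
    adhoc = defaultdict(set)
    for b in beacons:
        mode = beacon_mode(b["capability"])
        if mode == "infrastructure":
            infra[b["ssid"]].add(b["bssid"].lower())
        elif mode == "adhoc":
            adhoc[b["ssid"]].add(b["bssid"].lower())

    managed = set(managed_ssids)
    findings = []
    for ssid in sorted(adhoc):
        if ssid in infra:
            reason = "shadows-visible-ap"
        elif ssid in managed:
            reason = "managed-ssid-adhoc"
        else:
            continue
        findings.append({
            "ssid": ssid,
            "reason": reason,
            "adhoc_bssids": sorted(adhoc[ssid]),
            "ap_bssids": sorted(infra.get(ssid, ())),
        })
    return findings


if __name__ == "__main__":
    for f in find_adhoc_lookalikes(SAMPLE_BEACONS, managed_ssids={"HotelGuest"}):
        print(f["reason"], f["ssid"], f["adhoc_bssids"])
```
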

  48. Built in XP Wireless by ScottCooperDotNet · · Score: 1
    Built in XP Wireless stinks.

    It does not give a detailed level of signal strength, it is limited to 1-5 bars.

    It will drop the connection far more often than manufacturer's utilities. In other words, don't bother playing online games on it.

    The window isn't resizable. When did Microsoft think this was a good idea?*

    Security passcodes have to be entered twice. That's terrible when the passcode is 10+ characters, and you can't see what you've typed in either.

    It won't re-enable at times for no apparent reason.

    * Anyone know a way to force apps to be resizable?

  49. Not from RFC 3927 by Anonymous Coward · · Score: 0

    Where does it say in RFC 3927 that a machine should automatically create ad-hoc wireless networks based on its last known SSID? It doesn't. People are confusing the issue. This "security flaw" has nothing to do with RFC 3927. Regarding Chris Wysopal's comments, Mac OS X does implement RFC 3927, however, Mac OS X does not automatically create ad-hoc wireless networks. That's why Mac OS X doesn't have this flaw, while Windows does.

    ( Comment from TFA, Posted by: Snoop | Jan 15, 2006 3:11:37 PM )

  50. Re:Non WinXP wireless software by Anonymous Coward · · Score: 0

    Whoever modded this offtopic is a moron.

  51. Sad State of Being 0wned... by woolio · · Score: 1

    The sad thing about the people who most often get "0wned" is that even when informed of the security problem, they might be likely to undo the fix...

    I can picture a scenario like this:

    1. Jon Idiot uses unsecure AP without a firewall...
    2. Mad Hatter informs Jon of problem and instructions on how to fix.
    (two weeks later)
    3. Jon's laptop cannot connect to internet through AP (cause: poor signal, network card not inserted, cable modem/dsl outage, etc)
    4. Knowing the last thing that changed occurred in step #2, Jon reverses actions of step #2 (factory reset of router)
    (meanwhile, cable modem/dsl starts working again -- a very short outage)
    5. After completing #4, Jon sees Internet working on his laptop... feels problem has been solved.

    If some type of network problem occurs, many users will first DISABLE their firewall to see if it helps... And since such an action does not visibly "break" anything, they can easily forget to re-enable it... (unless that stupid thing in XP reminds them)

  52. Mods on Crack? by woolio · · Score: 1
    its one of those "if you have no firewall and ignore all the alerts and warnings and have filesharing enabled and have a wifi card set to auto DHCP and an attacker is targeting you specifically" flaws


    Well, virtually all wireless cards **ARE** going to be configured using DHCP... Even users with wifi in their home are going to be (most often) using a wireless router (which uses dhcp).

    And who says the attacker must be a human? The default DHCP IP address used by a Windows host is easy to spot... Seems likely someone will write an automated scanning tool -- and someone else will package it with a botnet virus. All it takes is one infected exec reading his Outlook mail in an airport to infect hundreds.... In this manner, computer viruses could spread (mainly wirelessly) in a way very similar to air-borne biological viruses.

    And don't Windows XP-Firewall permissions work at the "Interface Level" versus the network configuration level??? Which means if a lazy Joe Schmo uses filesharing at work/home/etc (wireless), he will probably always leave it enabled in the firewall!!!! At home/work this **might** be okay but in a public wifi network, this would be disastrous.

    I'm curious as to how many slashdotters have bothered to set-up VPNs to allow controlled access to unsafe resources (as opposed to 'host address'-based firewall configuration). Even if your firewall only allows filesharing from your work's internal private IP block, it would be easy for a tool to start trying IP addresses from the private IP blocks. And how many wireless routers operate with a default like 192.168.0.0/24 ???

  53. Section 1 Computer Misuse Act by mulhall · · Score: 1

    You've committed a crime, at least under UK law, so I hope you're in the UK.

    Section 1 of the Computer Misuse Act (1990) defines unauthorised actions that are intended to secure computers as a crime:

    "1.--(1) A person is guilty of an offence if--

                  (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;"

    Not to mention you're also an ass.

  54. I think you DO have permission... by meringuoid · · Score: 1
    Machine X: 'Hi everybody. Here I am. I do wireless networking.'
    My Machine: 'Cool. Can I connect to you?'
    Machine X: 'Sure. Here, use this IP number.'
    My Machine: 'Nifty. Thanks.'

    Connecting to an open wireless network is definitely legit. You asked permission and got it. Using the 'house' metaphor, it's as if I come up to your mansion, knock at the door, and get let in by the butler, who has been instructed to let in anybody who asks.

    What I proceed to do with the connection is another matter. For instance, having connected I might proceed to download mp3s over your connection. You pay by the megabyte, or perhaps you have a monthly usage limit? Then this costs you money. This is the equivalent of coming up to your mansion, being let in by the friendly butler, and proceeding to nick all your silverware...

    --
    Real Daleks don't climb stairs - they level the building.