Windows Wireless Networking Flaw Identified
An anonymous reader writes "Washingtonpost.com is reporting from the 2nd annual Shmoocon hacker conference about the release of a previously undocumented vulnerability in Windows. The flaw takes advantage of a feature on Windows laptops that have wireless cards built-in. Security researcher Mark Loveless found that Windows laptops which cannot find a wireless connection are configured to broadcast the name of the last SSID they associated with. They assign themselves an ad-hoc 'link local' (think 169.254.x.x) address, and an attacker can configure his machine to broadcast an SSID of the same name. Thus, the attacker associates with that 'network' and communicates directly with the victim's machine. The funny part from the Post blog entry is that Microsoft helped author the RFC for link local."
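A defender-side check for the condition the summary describes, as an added example that is not part of the article or the researcher's work: it flags scan results where an ad-hoc network reuses the name of a saved infrastructure profile, and rates an association as exposed when the link is ad-hoc, the address is self-assigned link-local (169.254.0.0/16, RFC 3927) and no host firewall is on. The profile and scan records are a constructed format, not the output of any real tool.

```python
import ipaddress

# RFC 3927 IPv4 link-local block, the 169.254.x.x range named in the summary
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample data (not from the article): saved wireless profiles as
# a laptop might keep them, and one set of scan results seen away from home.
SAVED_PROFILES = [
    {"ssid": "corp-wifi", "mode": "infrastructure", "auth": "WPA2"},
    {"ssid": "home-net", "mode": "infrastructure", "auth": "WEP"},
    {"ssid": "lan-party", "mode": "adhoc", "auth": "open"},
]
SCAN_RESULTS = [
    {"ssid": "corp-wifi", "bss_type": "adhoc", "auth": "open"},  # name reuse
    {"ssid": "cafe-guest", "bss_type": "infrastructure", "auth": "open"},
    {"ssid": "lan-party", "bss_type": "adhoc", "auth": "open"},  # expected
]


def is_link_local(addr):
    """True for addresses in 169.254.0.0/16 (self-assigned, no DHCP lease)."""
    return ipaddress.ip_address(addr) in LINK_LOCAL


def suspicious_adhoc(saved_profiles, scan_results):
    """Return SSIDs of ad-hoc networks that reuse the name of a saved
    infrastructure profile. A laptop that auto-joins by name could end up
    peer-to-peer with whoever is advertising that name."""
    infra = {p["ssid"] for p in saved_profiles if p["mode"] == "infrastructure"}
    return sorted(s["ssid"] for s in scan_results
                  if s["bss_type"] == "adhoc" and s["ssid"] in infra)


def assess_association(bss_type, ipv4, firewall_on):
    """Rate the current association. The article's condition is an ad-hoc
    link with a self-assigned link-local address and no host firewall."""
    if bss_type != "adhoc":
        return "ok"
    if is_link_local(ipv4) and not firewall_on:
        return "exposed"
    return "adhoc-caution"


if __name__ == "__main__":
    print("ad-hoc networks reusing saved names:",
          suspicious_adhoc(SAVED_PROFILES, SCAN_RESULTS))
    print(assess_association("adhoc", "169.254.7.9", firewall_on=False))
```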
FTA
First of all, if you are running any kind of network firewall -- including the firewall that comes built in to Windows XP -- you won't have to worry about some stranger connecting to your laptop. In fact, I had to shut down my firewall for both of us to successfully conduct our test.
It's one of those "if you have no firewall and ignore all the alerts and warnings and have filesharing enabled and have a wifi card set to auto DHCP and an attacker is targeting you specifically" flaws.
Yawn, seems like much ado over nothing. You have more chance of dropping and breaking your laptop than you have of being exploited by this "flaw", and if you go to Starbucks (and support their disgusting business model) you deserve everything you get.
Ever read the EULA? You hold Microsoft not responsible by agreeing.
Disclaimers of warranty are not necessarily legally binding. A decision in court would involve questions of how fair it is for MS to disclaim liability for this.
O.K. Folks, if you program your Linux laptop to connect to an ad-hoc network and broadcast SSIDs, this behaviour is going to occur on Linux too.
This isn't just an MS Windows flaw... it is a flaw in the way that the administrators (users) manage the machines.
I wish you all would quit pointing fingers. This isn't some kind of new thing.
This is a common security problem: useless or rarely used functionality. As I've said before, functionality sells whereas security doesn't. Spend a million dollars on functionality and you (hopefully) get a product that can sell for more money. Spend a million dollars on security and you have almost nothing tangible to show for it.
Before this article, I didn't even know that "link local" thing existed. I'm guessing that this is probably quite representative of the Slashdot crew. The question, then, is why on earth is it on by default and why is it even there in the first place?
This is not just a Microsoft issue, this is an issue that applies to nearly every computing project. I was recently playing with Knoppix and two things struck me:
My parents got a new HP computer a month or so ago and I've just gotten round to doing a proper security shake-down on the XP box. I was surprised to find the Python runtime on the computer. Most of you would say, so what? Or perhaps even applaud HP for doing this. From a security perspective, I think it's downright silly. What possible use could my parents have for the Python runtime? Absolutely none. They'll be running Open Office, Gmail and iTunes till the cows come home, so all this does is open another vector for attack. Don't install stuff on computers that your customers will likely never need.
Of all the pieces of software out there at the moment, Windows XP is the most frustrating. In terms of security, XP should completely out-class Linux/Unix in every metric of measurement. Instead, it's the most disease-ridden piece of shit ever conceived by humanity. It's a shame because it could have set a really high standard for everybody in the industry, but through a choice of poor defaults they condemned their own product to be a liability to CTOs everywhere. If they'd had some sense, they would have chosen defaults like this:
I haven't got any figures on how many viruses/malware this configuration would stop, but I imagine it's somewhere in the region of 99%. If Microsoft had taken the time to consider the platform in a more paranoid sense they could have produced a product of barn-storming quality. Instead, they listened to the marketing people and we all know what result that led to.
Simon
This isn't a vulnerability, it's just how all network interfaces work on Windows. If you're really that paranoid then just disable the interface.
What we have here is that, in addition to doing this, Windows is also offering to set up an ad-hoc (i.e. computer-to-computer) network on the link-local subnet with the same SSID as that of the last network the laptop connected to. I wonder what the rationale for doing this could have been. It seems to me that a machine should not offer to set up an ad-hoc network unless specifically directed to do so by the user. When such a network is set up then it is appropriate to use link-local addressing to auto-configure the interface.
What if the laptop's last SSID required WEP or WPA (and has it configured in a profile)? Will it still connect if _less_ security is required?
/me heads to coffee shop with WAP and PowerBook and looks for higher-end Dells and Vaios.
What difference does it matter?
This would have to be a direct targeted attack on an individual or small group of individuals, but is still possible.
Script kiddie situation:
Sets up rogue WAP, and gives free internet connection to the laptop. All ssh and SSL or other encrypted channels go through the free WAP.
Advanced script kiddie situation:
Sets up rogue WAP, and gives free internet connection to the laptop. The kid then has a number of popular local banks' website replicated _without_ SSL and resolves the DNS to a rogue bank site and snags username/password info. (Profit!!!) This could be as advanced as a transparent web proxy that does sed s/https/http/g;
Super advanced and traceable and more expensive version:
Do Advanced script kiddie situation, but buy real SSL certs and then snag username/passwords AND (Profit!!!)
The last one is simply not worth the risk and complexity of buying bankofam1rica.com SSL certs, AND having to be physically close to targets without any trace.
And suppose he doesn't want to have to worry about securing his wireless network if all he uses it for is checking the news on his laptop? Little scroats like you who think it's helpful to mess around with other people's equipment should be shot.
If you're capable of doing that, why didn't you just print off something telling him his network was insecure, include your phone number and offer to go over and sort it out for him? Let me guess, you're about 13 years old?
I'm unfortunate enough to have one of those WRT54G access points, and due to a hardware flaw I can't run it with WEP *OR* WPA *OR* MAC filtering. I need to get a replacement, but right now I don't have the time to sort it out. So it's unsecured (but I did change the admin password).
What you need to do is try to help other people, rather than lord it over them. This is why anyone that works in IT is treated like shit, because end users assume we hate them and won't do anything to help.
Get a life, and to hell with my karma.
PocketGamer.org - For the gamer on the go!
I would hardly call this a vulnerability. You're certainly no more vulnerable if someone exploits this little "feature" than you are at any other time you're connected to a network.
This is such a complete non-issue, it's like a freaking joke. Read the article - all a hacker might gain from this vulnerability is the ability to connect to your computer, as if it was still on a wireless network, after you've moved outside the range of an access point. Big deal. But the author and "discoverer" both talk about it like this is a remote root exploit or something. At one point, the author includes this little gem: "As Loveless pointed out, this "feature" of Windows actually behaves somewhat like a virus." Virus, my ass.
What's with all the foaming-at-the-mouth hype about these minor little things lately? It's counterproductive - going berserk over every slight issue that might, in some fantastic combination of circumstances, be a security problem takes away attention from flaws that actually matter.
This space intentionally left blank.
What we'd need is a flaw in Windows that is damaging without a specialized attack program being involved. If there were something about Windows that needed repairing because you could just press Ctrl Alt Insert instead of Delete, and bypass the login for instance, then that would in my opinion qualify as being negligent enough for Microsoft to settle a lawsuit.
Saskboy's blog is good. 9 out of 10 dentists agree.
WTF are you smoking? How the hell can you conclude that leaving a network open creates an implied "use me" policy?
Last time I checked, you have no right to be on a network (wired or wireless) unless you have been explicitly granted permission by a person in a position of authority over said network. Just leaving the network open is not a grant of permission.
"Evil will always triumph because good is dumb." -- Dark Helmet
You mean like this:
user@machine:~> gcc --version
gcc (GCC) 4.0.2 20050901 (prerelease) (SUSE Linux)
Copyright (C) 2005 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Just "gittin-r-done," day after day.
The pita bread you are cooking, I can smell it all the way over at my home... by your logic, I guess I can just head over and eat your pita bread when you leave it on the window sill for cooling?
That involves you going to get something, trespassing on your neighbour's property at the same time. Wireless is sent to you, in your house. Not the same at all. It would be closer to you being allowed to sit at your window and smell your neighbour's cooking to your heart's content. The smell is being "broadcast" (wirelessly, I might add!) to your house. You can do what you want with it.
I can smell you smoking out in my back yard... I guess I'll come over and take away some of your cigs to smoke.
Yet again, involves you going onto your neighbour's property. You need permission for that. You don't need permission to use something your neighbour puts into your house.
Light straying from your living room is entering mine... I guess I'll read my newspaper in your living room.
Trespassing again. How is this even remotely the same, again? If you wanted to read your newspaper on your own lawn by the light coming from your neighbour's living room window, there'd be nothing they could do about it.
You are watering your grass and it is leaking into my yard... I guess I'll use your hose to water my grass.
For a start, why bother? If your neighbour is already leaking water onto your lawn, you have a perfect right to use what he leaks to water your grass. It's already happening, and you don't need to do anything. Trespassing on your neighbour's property to bring his hose over to your lawn is different, as it involves you leaving your property. The water that he's leaking onto your lawn, though, is free for you to use. He can't exactly say "You can't use my water leakage to water your lawn! If you do, I'll report you to the cops!" Why should he be able to do that with his leaking wireless signal? This point of yours does more to disprove your point of view than prove it.
Try again.
Yes, maybe you should.
"City hall" in German is "Rathaus". Kinda explains a few things...