Windows 7 Can Create Rogue Wi-Fi Access Point
alphadogg writes "Windows 7 contains a 'SoftAP' feature, also called 'virtual Wi-Fi,' that allows a PC to function simultaneously as a Wi-Fi client and as an access point to which other Wi-Fi-capable devices can connect. The capability is handy when users want to share music and play interactive games. But it also can allow on-site visitors and parking-lot hackers to piggyback onto the user's laptop and 'ghost ride' into a corporate network unnoticed."
While this means a bit more policing for networks meant to be locked down, it sounds like a good thing overall. Linux users, meanwhile, have had kernel support (since 2.6.26) for 802.11s mesh networking, as well as Host AP support for certain chipsets.
Microsoft Z has been found to contain feature X, which purports to do Y but used incorrectly could instead cause W! Linux has had feature X since 20VV, the 'Year of the Linux Desktop'.
Ghost ridin' the whip! No seriously, I've been wanting to use the Linux host AP features to bring up a mischievous AP that does man-in-the-middle attacks. I'd be connected to some open wifi somewhere, and someone would connect to my netbook and also see an open access point. I'd then give them the upside-downternet: http://www.ex-parrot.com/pete/upside-down-ternet.html
I don't participate much in the bore-a-thon dick-measuring contest called "Windows v Linux" on /. but for the record, it's crap reporting to claim that Windows 7's "SoftAP" is a "rogue" which allows "ghostriding" while Linux's "802.11s mesh networking" is somehow better because it pre-dates Windows 7 when it allows the same problem which needs to be policed.
I have lots of criticisms of Windows generally and I run XP and Kubuntu, but SoftAP is a network management issue for corporate networks, not a "rogue".
Tubby or not tubby. Fat is the question
So....what's the problem? Hundreds of features can be used to do evil.
Damn!...I forgot to cover the USB hole again! Now a hacker can plug a dirty cable in it!
More seriously, I get it, it's the fact that it is a hidden feature. Still, leave MS alone and stop the fuzz. I may not like them; I may not stand them, but you seem to hate them more^^
Have you heard about SoylentNews?
So you install a wireless IDS like this one and monitor the airwaves and the wired data path to see if a MAC address shows up in both places...
and then my company makes all the money. whee! :)
soon to be part of a hosted service offering as well.
The World Wide Web is dying. Soon, we shall have only the Internet.
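Added example, not part of the original thread or any poster's code: a minimal sketch of the correlation described in the comment above, flagging an over-the-air BSSID that is related to a MAC address already known on the corporate side. The function names, the matching heuristic (same MAC, locally-administered bit flipped, or adjacent address) and the sample observations are assumptions constructed for illustration.

```python
# Correlate BSSIDs heard on the air with MACs known on the wired/corporate side.
# All sample data below is constructed for this example.

LOCAL_BIT = 0x02 << 40  # locally-administered bit of the first octet


def parse_mac(text):
    """Return a MAC address as an int, accepting ':' or '-' separators."""
    digits = text.replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def related(bssid, known, max_offset=1):
    """Heuristic (assumption): a software AP's BSSID equals the host NIC's MAC,
    differs only in the locally-administered bit, or is within max_offset."""
    return abs((bssid & ~LOCAL_BIT) - (known & ~LOCAL_BIT)) <= max_offset


def find_suspect_aps(air_observations, known_macs, authorized_bssids):
    """Return (ssid, bssid, matching_known_mac) for unauthorized APs whose
    BSSID is related to a MAC seen on the corporate network."""
    authorized = {parse_mac(m) for m in authorized_bssids}
    known = [(parse_mac(m), m) for m in known_macs]
    findings = []
    for obs in air_observations:
        bssid = parse_mac(obs["bssid"])
        if bssid in authorized:
            continue  # sanctioned infrastructure AP
        for known_int, known_text in known:
            if related(bssid, known_int):
                findings.append((obs["ssid"], obs["bssid"], known_text))
    return findings


# Constructed sensor output: one sanctioned AP, one AP hosted on a corporate
# laptop, one unrelated neighbouring network.
AIR = [
    {"ssid": "CorpWLAN", "bssid": "00:11:22:33:44:01"},
    {"ssid": "MyLaptopAP", "bssid": "02:1b:77:aa:bb:cc"},
    {"ssid": "CoffeeShop", "bssid": "00:25:9c:12:34:56"},
]
KNOWN = ["00:1b:77:aa:bb:cc", "00:1e:c9:01:02:03"]  # e.g. from switch MAC tables
AUTHORIZED = ["00:11:22:33:44:01"]

if __name__ == "__main__":
    for ssid, bssid, mac in find_suspect_aps(AIR, KNOWN, AUTHORIZED):
        print(f"suspect AP {ssid!r} ({bssid}) is related to corporate MAC {mac}")
```

A finding is a lead for investigation rather than proof, since the adjacency heuristic can also match unrelated hardware from the same production batch.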
I'd be more impressed if Windows 7 could create a rouge access point.
And certainly other OS's have this feature too.
But you have to look at the big picture. This feature can be combined with one of the other Microsoft "remote access features" that they have been working so hard to remove from their product.
As the riders loped on by him, he heard one call his name
If you want to save your server from Hell, a-riding on our range
Then cowboy change your ways today or with us you will ride
Trying to catch the Devil's herd, across these endless skies
Yippie yi Ohhhhh
Yippie yi Yaaaaay
Ghost Riders in, Ghost Riders in your LAN
Who's that surfin, Patrick Swayze?!
Any OS will have problems if used incorrectly. This biased reporting is BS. It needs to stop.
...you make decisions about how you want to configure it, you put some work into researching how it should be configured correctly, and you face the consequences of what can go wrong if you mess it up.
If you need to be nursemaided in your computer use, stick with a Mac or Windows. If you're prepared to put some effort into learning how a computer works and how to search forums and ask questions of people who are more than willing to help you out free-of-charge, then try Linux.
It's that simple.
Gentoo Linux - another day, another USE flag.
This doesn't seem like any more of a problem than someone jacking in to an empty ethernet port on your network, except that a) they can do it from outside the building wirelessly and b) any special software used by the 7 user to access the network could potentially helpfully forward packets from others, but that would probably be a fault of the software not checking the origin IP on packets...
Anyways the fix is simple. Require authentication for all network resources. Windows enterprise solutions are set up like this by default and do it transparently using Windows login credentials. An intruder on your network would be unable to access anything. There is the LITTLE issue of exploits, so you can either batten down the hatches as much as you can and continually scan for suspicious network traffic, or you can try an alternate solution which may work better (a combination of both would be best):
For complete security, IT could notify all employees that use of this feature is not permitted. On corporate machines it could be disabled or removed or steps taken to block access, but you must assume users are clever enough to get it working (not to mention booting from a LiveCD bypasses every protection known, except complete Windows software compatibility. Someone did mention Linux software that did this though, and my brother's WiFi card supposedly does it too with a special included application.). IT could also compromise and allow users to use it if it is properly configured, with clear steps outlining how to check if this is the case. However either way, severe penalties (starting with being kicked off the network until you have resolved the problem) would be issued for having an open access point. IT would have to periodically stage their own "attacks" to look for such hotspots and attempt to connect, and then lock the user out of the network if they are able to access the user's machine anonymously (i.e. folder shares with company files) or the network.
OK so it's a long-winded solution but basically: The problem isn't new, lock down systems with authentication best you can, routinely scan for hotspots and penalize users that put them up.
Disclaimer: I am not a security expert but I like to think I've picked up a few things.
I need to play with this feature on my W7 laptop, I wonder how far the reach is on this and how well I could daisy chain this, just out of curiosity more than anything useful.
Ave Molech Setting
Didn't we already go through this with Ad Hoc networks on the original version of Win XP? The 'Free Public Wifi' SSID is still around today thanks to this poorly conceived 'convenience' and it was a nightmare for anyone trying to manage a secure wireless network. I think time will show this feature not being worth the trouble it causes.
What you attempt with 'ghost ride' is better communicated and less retarded with one of the following phrases:
* piggy-backing
* covert channel
* out-of-band
There's no applicable analogy with 'ghost ride' to communicate what you're trying to describe. Don't try to introduce new lingo. You might as well call it 'Dog sledding' as it has just as much in common with covert channels as 'ghost riding' does.
Seriously! That is exactly what I wanted to do a few months ago, but it seems I can't with my WiFi Link 5300. Hostap seems to be for Prism chipsets. Easily creating an AP to share files or to play with neighbors was one of the bonuses I expected from my switch to Ubuntu. What is going on? Is Windows now becoming the fun OS for geeks and Linux the boring Desktop for the average users?
You can "what if" lots of features. As near as I can tell from the quick searching I did, it's not like it's on by default. I didn't think it would be, but I haven't fooled with Win7 wireless much.
Domain Administrators can do this.
Is there an article on Network World that condemns Linux for having this ability? Well I did find this when I searched for Linux and HostAP. Don't see anything in the article mentioning that it, too, could be a security risk if used incorrectly. It's not called Beware the rogue Wi-Fi access point in Linux Kernel 2.6.26 and up.
Is the WiFi Link 5300 Intel based? A recent blog entry from Connectify indicates that there may be issues with those drivers - at least for Windows. Mind you, if Intel has outstanding issues in the Windows drivers, it's possible that it's a problem in the Linux version as well.
...dick-measuring contest called "Windows v Linux" on /.
Slashdot has become the fox news of tech.
I'm going to attend a party that is protesting Windows monopoly and its sucky abilities compared to Linux' superior architecture and abilities.
We're calling it a Pee Party - for the pissing contest element.
Now those in attendance protesting, otherwise known as the Pissers, will be there to try to get MS to straighten up and to promote Linux!
Are you with me! It's for America!
It's called an ad-hoc network.
Lacking more info, I'm going to venture a guess that yes, the 5300 the GP mentions is the Intel Pro Wireless 5300 chipset (802.11abgn, and generally pretty darn good). The Linux drivers for it are open-source, but that doesn't necessarily mean bug-free or that all features are available. It does mean you could try to get it working yourself if you want, though. I have one such chipset myself, and while I've never tried to make it act as an AP, it would be neat to be able to do so.
On a side note, are there any easy Linux tools to make a WLAN card act as an AP and a client simultaneously (as SoftAP apparently does)? That would be very nice - I've only got *one* WLAN card in the laptop and it would be fantastic to be able to use it as simultaneously a client and a repeater that others could access (I promise I wouldn't even redirect them all to 64.111.96.38).
There's no place I could be, since I've found Serenity...
mac80211 supports creating an AP, and since the standard Intel wireless driver is mac80211-based you should be able to do this easily with the aircrack-ng suite.
Time makes more converts than reason
How come when there's a feature in Linux that can burn you if not set right, the zealots say you're being treated like an adult? If it happens in Windows, why is it suddenly MS's fault for introducing a flaw? Such hypocrisy.
An important network that does not have wireless intrusion detection and control is definitely not protected well.
However, a proper Aruba deployment with APs and a mobility controller can and does identify, mark, and shut down rogue APs and ad-hoc networks, as well as wireless bridges.
I am not terribly worried.
-Red
Guns don't kill people, "with glowing hearts" kills people.
Kubuntu can do lots of cool stuff I like.
So, I use both.
Guns don't kill people, "with glowing hearts" kills people.
If this article is accurate, we'll see the beginnings of real ad-hoc mesh networks starting in 2010. This feature has the potential for allowing massive ad-hoc networks. Awesome. ISPs are going to pee themselves. Awesome.
I don't respond to AC's.
The old "not quite free" Atheros madwifi drivers were able to do this on Linux for a long, long time. I could use my Thinkpad T41 WLAN card in this way with Linux, and I had that machine in roughly 2004.
There are two parts to this: use a NIC and driver combination that can create multiple virtual NICs from the same hardware, with one in slave mode and one in master; and also run hostap software to provide WPA services. (You could get by with just the driver features in the WEP era, since you just manually set keys once and it worked... now you need the hostap daemon to perform all the WPA authentication and key rotation functions as the network master.)
Yes, it's the Intel WiFi Link 5300 (in a Thinkpad), using the iwlagn driver (in Ubuntu 9.04). Not sure if it's because of the chipset, the driver or their combination, but it doesn't support master mode:
# iwconfig wlan0 mode master
Error for wireless request "Set Mode" (8B06) :
SET failed on device wlan0 ; Invalid argument.
If SoftAP works as well as the Softmodem (Winmodem) I'm using right now; let me expla...{#`%${%&`+'${`%& NO CARRIER
Set your phasers on "funky"!
His Steveness only meant your mac to transfer your money to his store, indefinitely.
Is this just the Ad-Hoc network option that can be set up in the network and sharing center, or is it something else?
I have Win7 Ultimate and I can't find anything that refers to "VirtualAP" or "SoftAP."
Some unfortunates have content filters that wouldn't let my post through otherwise, hence the asterisks - now you know why you see them sometimes.
For some reason everyone missed the first sentence about switches that can do this being expensive. What would you do without to upgrade a working network with less than ideal security? Would you go without the things that make the production network productive? That IS sometimes the choice. We are talking about replacing switches worth a couple of hundred with ones that cost several thousand - a major deal unless you are a tiny operation in a tiny location with only a single switch, and prohibitively expensive if you are a tiny operation spread over a few buildings or floors with a lot of switches. In many places it's not easy to argue for without looking paranoid, since you'll be asked why you are spending this much on INTERNAL network security. Think about coming in from the outside and effectively telling someone they shouldn't trust their employees on the company network and you'll see what I mean. Management see a dumb gigabit switch for a couple of hundred and then want to know why you want to spend thousands on Cisco gear.
As I said before, coating everything with gold may solve a potential problem but there are other ways.
The "snicker" bit missed the most important point - it's about protecting the production network from misuse by employees already on there - somewhat of a major difference instead of the simplistic view so much harder to justify on a budget. It's a bit of a major misunderstanding which makes me wonder if you know anything about the subject I'm talking about. If you do know what you are talking about, go ahead and find a cheap 48 port gigabit switch that can do this and I'll take ten. Until then I'll just firewall off the software developers and other potential troublemakers to minimise disruptions. A few routers with decent firewall rules are cheap compared with coating everything in Cisco gold.