Windows 7 Can Create Rogue Wi-Fi Access Point

alphadogg writes "Windows 7 contains a 'SoftAP' feature, also called 'virtual Wi-Fi,' that allows a PC to function simultaneously as a Wi-Fi client and as an access point to which other Wi-Fi-capable devices can connect. The capability is handy when users want to share music and play interactive games. But it also can allow on-site visitors and parking-lot hackers to piggyback onto the user's laptop and 'ghost ride' into a corporate network unnoticed." While this means a bit more policing for networks meant to be locked down, it sounds like a good thing overall. Linux users, meanwhile, have had kernel support (since 2.6.26) for 802.11s mesh networking, as well as Host AP support for certain chipsets.

Hard shell, gooey centre security obsolete

[anti-NAT]

De-perimeterization (perimeter erosion) Explained

Distributed Firewalls

Re:Hard shell, gooey centre security obsolete

[jhaar]

Actually, can someone explain to me what the real difference is between "master mode" and AdHoc or mesh networks?

Why is it that only a few chipsets can "do" proper full-blown "master mode" (ie be an Access Point), and yet other chipsets can be used as AdHoc or mesh? I mean - what's the fundamental difference? I've been through this with Linux systems and can't understand why I can't just grab any WLAN card, bring up the interface and whack a DHCP server on it - why doesn't that work for them all?

Just wonderin...

J

Re:Hard shell, gooey centre security obsolete

[Cyberax]

"Master mode" means that your computer works as a central access point, other computers use it to relay the data.

"Ad-hoc" is a special mode for masterless networks, but it allows to connect only two computers (in essence, wireless channel becomes an analog of good old Ethernet cable).

"Mesh mode" is 'ad hoc' on steroids, it allows any number of computers to connect and uses dynamic routing.

Master mode requires certain additional functionality from your card (managing connections, transmitting SSID information, resolving collisions, etc.) which some drivers were lacking. Fortunately, it's being fixed with the introduction of the new mac80211 stack in the Linux kernel it'll become better.

Serious issues found with X

[Josh04]

Microsoft Z has been found to contain feature X, which purports to do Y but used incorrectly could instead cause W! Linux has had feature X since 20VV, the 'Year of the Linux Desktop'.

Re:Serious issues found with X

[goldaryn]

Microsoft Z has been found to contain feature X, which purports to do Y but used incorrectly could instead cause W! Linux has had feature X since 20VV, the 'Year of the Linux Desktop'.

True. Incompetent users are the problem irrespective of platform. Never forget - computers do what you tell them to do, not what you meant them to do

Watch us both get modded down now

Re:Serious issues found with X

[goldaryn]

Insightful? He's got the century wrong!

Re:Serious issues found with X

[recoiledsnake]

Slashdot reported on it earlier, then it was complaining that it wasn't finished. Now it's complaining that it can be made to work.

http://mobile.slashdot.org/story/09/11/03/1649246/Unfinished-Windows-7-Hotspot-Feature-Exploited?from=rss

"It wasn't all that long ago that Microsoft was talking up the Virtual WiFi feature developed by Microsoft Research and set for inclusion in Windows 7, but something got lost along the road to release day, and the functionality never officially made it into the OS. As you might expect with anything as big and complicated as an operating system though, some of that code did make it into the final release, and there was apparently enough of it for the folks at Nomadio to exploit into a full fledged feature. That's now become Connectify, a free application from the company that effectively turns any Windows 7 computer into a virtual WiFi hotspot — letting you, for instance, wirelessly tether a number of devices to your laptop at location where only an Ethernet jack is available, or even tether a number of laptops together at a coffee shop that charges for WiFi."

Re:Serious issues found with X

[LarrySDonald]

Hey! We've totally had that since 19VV!

Re:Serious issues found with X

[Draek]

Actually, it should be "Linux has had feature W since 20VV" since its about Windows' and Linux' capabilities to work as a WiFi access point which, as TFS states, is actually a pretty useful feature in many scenarios. The only problem with Windows' implementation is that its presumably(*) turned on by default, which can be problematic in some enviroments from a security standpoint.

(*) "presumably" because TFA is awfully thin on details, and is fairly unapologetic about being an ad for some security company's software. I'm merely assuming it's turned on by default because it's the only way it could be considered a problem to begin with.

Re:Serious issues found with X

[natehoy]

No, a VENDOR who wants to sell you lockdown software is complaining that it can be made to work.

Re:Serious issues found with X

[DiamondGeezer]

With Linux you have to recompile the kernel, perform a hardware patch between two delicate components using baling wire, do the hokey-pokey and sacrifice a chicken to Satan. THAT'S why its secure.

Note to Linux fanboys - yes, I was being sarcastic.

Re:Serious issues found with X

[maitai]

Not only is it turned "off" by default, but requires third party software to make it work (not just enable it, but add the complete functionality) as mentioned a long time ago here http://mobile.slashdot.org/story/09/11/03/1649246/Unfinished-Windows-7-Hotspot-Feature-Exploited?from=rss

Re:Serious issues found with X

[CharlyFoxtrot]

Never forget - computers do what you tell them to do, not what you meant them to do

I have a mac you insensitive clod, it does what His Steveness (peace be upon him) meant it to do.

Re:Serious issues found with X

[__aasqbs9791]

I know you were joking, but you just described our Monday morning routine with these (Windows based) film scanners*, which was gleaned after careful work with the current engineers working for Sunrise.

* This is not an ad, it is a warning, they are a POS, IMHO of using them for 3 years.

Re:Serious issues found with X

[hairyfeet]

You know, I always wondered why /. never points that out in TFA, because you would think that would be pretty relevant to the discussion. company with vested interest in selling you solution A says product B is insecure, therefor you need to buy solution A.

From reading TFA (I know, but I got bored) it sounds like pretty much anything that connects to anything is gonna be labeled insecure by this guy, as it gives him a reason to sell you solution A. But pretty much any business should have figured out by now with things such as wardriving that wireless needs to be locked down, yes? Given the fact that MSFT has always been good about having just about every feature and piece of software that comes with Windows easily locked down via group policies, I don't see what the big whoop is. I'm sure Windows 7 Enterprise and Business has group policies for turning this off without requiring solution A.

But any technology can be exploited if used incorrectly or just left unlocked for anyone to use. It will always have to be locked down by the IT department before deployment if they don't want to be pwned and are actually worth the money they are being paid. How exactly is this news again?

Re:Serious issues found with X

[gbjbaanb]

But any technology can be exploited if used incorrectly or just left unlocked for anyone to use. It will always have to be locked down by the IT department before deployment if they don't want to be pwned and are actually worth the money they are being paid. How exactly is this news again?

Because most people using their laptop in a coffee shop and setting it up as a wifi hotspot are not going to be business users with a large corporate IT department behind them (mainly because such users will have had it disabled and told not to do it). Of course, the number of businesses who do not have a large corporate IT department (or a competent one) will also be using this feature.

Don't forget that the 'corporate IT' with full TechNet training and MSVP guys is the very rare exception, not the rule. That's one of the things that people say is good about Windows - that it's so easy, anyone can use it.

Re:Serious issues found with X

[Knackered]

Microsoft Z has been found to contain feature X, which purports to do Y but used incorrectly could instead cause W! Linux has had feature X since 20VV, the 'Year of the Linux Desktop'.

You got that last bit wrong. It's "Linux has had feature X since 21VV, the 'Year of the Linux Desktop'."

Re:Serious issues found with X

[gmuslera]

computers do what you tell them to do, not what you meant them to do

Who is "you" there? The user? Microsoft? others?

In both activating that requires admin/root access, or giving admin access to a program that do that for you.

That program could be a trojan. Still, you have to run that trojan as admin. Now, running an untrusted binary in linux, as admin, even if is for your architecture, seems to require a bit more complex effort in the social engineering side than in Windows to make you run it. And don't know how many windows owners do their normal use of their machines as unprivileged user over the ones that do most as admin,but once there, even pdfs could enter into the trojan realm.

And won't be so amazed if (maybe targetted) spam or sites start teaching step by step how to do some setting in windows registry to "improve" your wireless performance.

Re:Serious issues found with X

[jpmorgan]

Er, no. In this case, Linux has features Q and R, which aren't anything like X, but chances are nobody will notice.

Re:Serious issues found with X

[Brian+Gordon]

2.6.26 is less than 2 years old. Not too much to brag about since Linux is on a much more rapid development cycle than Windows.

Re:Serious issues found with X

[the_womble]

the number of businesses who do not have a large corporate IT department (or a competent one)

So that's most of them then!

That's one of the things that people say is good about Windows - that it's so easy, anyone can use it.

They may say that - both they are wrong.

• Keeping Windows secure (locking stuff down, separating user and admin accounts, installing and updating anti-malware, etc.) is too hard for most home users I know. Why do you think IE has a porn browing mode? Because the whole family shares a single login.
• Installing software on Windows is difficult (compared to Linux as long as its in the repos, anyway)
• The Windows UI is very familiar because it is widely used, but it is not actually particularly easy - if someone had never used a computer before Windows would not be the easiest OS to learn.

Re:Serious issues found with X

[the_womble]

Whereas with Windows you have to spend hours trying to find the Windows registry incantation to stop it doing it.

Re:Serious issues found with X

[hairyfeet]

While all that you say is true, from what I understand (and I could be wrong) Windows doesn't have this activated by default, you have to turn it on. Any Linux install has the capacity to be an unsecured server, just hanging out there in the breeze for anybody to infect. We don't say that is a bad thing though, do we?

MSFT added a feature. Now this feature, which could be very handy for those that need to share files or want to set up a quick gaming LAN, can be misused and cause security problems. That a handy OS feature can be misused and cause a security problem applies to just about every single program that can access the net. As for corporations? Well if they pay bottom dollar and and only hire the cheapest most underpaid flunky they can get to save a few buck, and they get pwned, I should care....why exactly? Good things cost good money, the same goes for people. if a company is so badly run that this single feature can completely turn their network security into a house of cards I think they have bigger problems, don't you agree?

In the end the whole TFA felt to me like creating a bogeyman for them to defeat with their super neato security product. But you and I know security doesn't come in a can. it isn't some product you can just slap on the network and all is well. Security is an ongoing process, that must be planned, implemented, and adapt with changing conditions. And that all needs competent staff to implement correctly. in the end companies that go for bandaids like the TFAs product (which may be good for all I know) will end up failing miserably when some fool on their network does something stupid. This feature won't kill any networks, piss poor admins and security policies that don't exist will take care of that all by themselves, thanks.

Re:Serious issues found with X

[mr_mischief]

Using Windows is very easy so long as you don't expect to install it with decent hardware support OOTB or with decent security OOTB. It's so easy to use that within an hour online, it's often being used by someone the owner never intended. ;-)

Re:Serious issues found with X

[drinkypoo]

True. Incompetent users are the problem irrespective of platform. Never forget - computers do what you tell them to do, not what you meant them to do

The Anti-Microsoft bias is retarded, but it does highlight a problem. A problem, mind you, which has existed since Microsoft introduced Internet Connection Sharing in, what, Windows 98? Or was it from Windows 95 OSR2? The fix is to use IPSEC with per-machine certificates (ow! administration nightmare) to a gateway device for all communications. You don't need to encrypt, only to authenticate the host (AH, no ESP.) Perhaps you could also lock it down by MAC at the same time, which is only slightly useful without cert auth. And of course, in cases where you have managed switches with significant intelligence, you can lock the port to all but the approved MACs for additional security. Then you only need to physically protect interconnections between switches.

If this sort of thing becomes SOP then the management tools will be developed to support it.

Re:Serious issues found with X

[verbal]

Doesn't anyone feel sad about this?

IT is not something you do on the side or just start off without getting real training.

IT is serious. If the sector does not 'grow up', business people will have justified nightmares about IT costing too much money and bringing not enough value.

Shake the tree!

Re:Serious issues found with X

[geminidomino]

Linux has had feature X since 20VV, the 'Year of the Linux Desktop'.

Hmmm... The same year Dr. Wily tried to take over the world.. again!

Coincidence, I think not!

Re:Serious issues found with X

[vertinox]

Well if they pay bottom dollar and and only hire the cheapest most underpaid flunky they can get to save a few buck, and they get pwned, I should care....why exactly?

Because those pwned computer send you spam.

Re:Serious issues found with X

[hairyfeet]

Well I can tell you why I'm NOT sad about this: It nearly always comes down to greed on the part of PHBs. You wouldn't expect to hire a Master's degree on minimum wage, would you? Developing good IT skills takes work, dedication, lifelong desire to learn, and a willingness to adapt to changing conditions. Yet IT seems to be the ONLY field where they act like you should be grateful to even have a job, forget getting paid well!

So no I don't feel sad about it, because I have seen companies turn away friends of mine with years of real IT security experience for some kid that doesn't know anything that isn't in the MMC because they could get the kid for a buck above McDonald's wages. Nobody freaks when the plumber gives you a huge bill for services, yet everybody expects the geeks should do the work for practically nothing. Is it any wonder so many good IT guys are getting out of the business? Soon all that will be left is geek squad "clicky clicky" jocks, and I say that is all they deserve. I for one am sick of individuals and businesses that expect 5 star service for McDonald's pay.

Ghost ridin' the whip!

[hkz]

Ghost ridin' the whip! No seriously, I've been wanting to use the Linux host AP features to bring up a mischievous AP that does man-in-the-middle attacks. I'd be connected to some open wifi somewhere, and someone would connect to my netbook and also see an open access point. I'd then give them the upside-downternet: http://www.ex-parrot.com/pete/upside-down-ternet.html

Re:Ghost ridin' the whip!

[MrEricSir]

I think you mean "ghost ride the WEP."

Re:Ghost ridin' the whip!

[hkz]

Note: I was deliberately playing down the consequences of that scenario. You could "own" someone pretty thoroughly if that someone was uninformed enough (which 90% of people are) to send sensitive stuff over the network unencrypted. Which is why I use ssh tunnels to a trusted server whenever I'm on an open AP.

Re:Ghost ridin' the whip!

[ehrichweiss]

I think I need to introduce you to SSLStrip and Moxie Marlinspike.. http://www.thoughtcrime.org/software/sslstrip/

Unencrypted sensitive data isn't even necessary.

Re:Ghost ridin' the whip!

[LeperPuppet]

The TV show the Real Hustle showed this run as a scam to harvest credit card details. A scammer with a laptop sets up as a fake access point which serves up fake payment screen to anyone who connects to that point. Most of the people connecting to the point assume that the payment screen is legitimate and enter their details. You might not catch the truly paranoid or alert, but there's still plenty of people who would be fooled.

Re:Ghost ridin' the whip!

[iammani]

SSLStrip does nothing to disable SSL. If you see the video posted in your link - the guy types "http://gmail.com" and instead of being sent to "https://www.google.com/accounts/ServiceLogin?" to login, he is being redirected to "http://www.google.com/accounts/ServiceLogin?". That is SSL is still safe, provided you take notice of whether you are on an encrypted page or not.

Re:Ghost ridin' the whip!

[Score+Whore]

Perhaps you need to be introduced to ssh and the concept of an ssh tunnel. It has nothing to do with SSL.

Re:Ghost ridin' the whip!

[ehrichweiss]

SSLStrip watches for https connections and redirects them as well. He even went into great detail why and how it works: http is the thorn in the side of https.

Re:Ghost ridin' the whip!

[ehrichweiss]

No, I simply need to start considering glasses, I swore I had read ssl.

No biased reporting here on /. Just the facts.

[DiamondGeezer]

I don't participate much in the bore-a-thon dick-measuring contest called "Windows v Linux" on /. but for the record, its crap reporting to claim that Windows 7's "SoftAP" is a "rogue" which allows "ghostriding" while Linux's "802.11s mesh networking" is somehow better because it pre-dates Windows 7 when it allows the same problem which needs to be policed.

I have lots of criticisms of Windows generally and I run XP and Kubuntu, but SoftAP is a network management issue for corporate networks, not a "rogue".

Re:No biased reporting here on /. Just the facts.

[gad_zuki!]

Agreed, this is beyond stupid. You could do the same with XP if you like, but now its a little easier. I used to share a cellular card this way years ago. The "policing" and "lockdown" of "rogue" access points is like one click in group policy or a value in a reg key.

Slashdot has become the fox news of tech.

Re:No biased reporting here on /. Just the facts.

[recoiledsnake]

Also, how many corporate machines are running with wireless cards?

Re:No biased reporting here on /. Just the facts.

[Krneki]

This is why you press the "-" button near the news.

Re:No biased reporting here on /. Just the facts.

[maxrate]

I couldn't agree with you more - seems a good few of the /. linux user base has 'something to prove' quite often. It gets old real quick. I just wish it would end.

Re:No biased reporting here on /. Just the facts.

[kevingolding2001]

Also, how many corporate machines are running with wireless cards?

More than you might think. At my work they issue everybody with laptops. They all have inbuilt wireless.

Re:No biased reporting here on /. Just the facts.

[ChunderDownunder]

Quite a number. Perhaps not your average cubicle-slave but certainly those in 'client-facing roles' and those encouraged to take work home with them (read unpaid overtime). If security is lax, don't underestimate teenage children in re-enabling features on their parent's work laptop. Then there's consultant teams hired on a project basis that bring their own hardware and aren't subject to internal re-imaging of machines.

Re:No biased reporting here on /. Just the facts.

[DiamondGeezer]

Yes, your keyboard moved and words came out. Unfortunately the ideas conveyed were nonsense.

Oh my, what danger!

[Jorl17]

So....what's the problem? Hundreds of features can be used to do evil.


Damn!...I forgot to cover the USB hole again! Now a hacker can plug a dirty cable in it!

More seriously, I get it, it's the fact that it is a hidden feature. Still, leave MS alone and stop the fuzz. I may not like them; I may not stand them, but you seem to hate them more^^

so you install a wireless IDS

[FooAtWFU]

So you install a wireless IDS like this one and monitor the airwaves and the wired data path to see if a MAC address shows up in both places...

and then my company makes all the money. whee! :)
soon to be part of a hosted service offering as well.

Not interesting by itself

[FranTaylor]

And certainly other OS's have this feature too.

But you have to look at the big picture. This feature can be combined with one of the other Microsoft "remote access features" that they have been working so hard to remove from their product.

Ghost Ridin' Go Crazy!

[introspekt.i]

Who's that surfin, Patrick Swayze?!

Re:Ghost Ridin' Go Crazy!

[maxrate]

I guess that wasn't too soon.

Re:Ghost Ridin' Go Crazy!

[introspekt.i]

The song predates his death, and references him starring in the movie "Ghost"

What is this crap

[CSHARP123]

Any OS will have problems if used incorrectly. This biased reporting is BS. It needs to stop.

Linux Treats You Like An Adult....

[pandrijeczko]

...you make decisions about how you want to configure it, you put some work into researching how it should be configured correctly, and you face the consequences of what can go wrong if you mess it up.

If you need to be nursemaided in your computer use, stick with a Mac or Windows. If you're prepared to put some effort into learning how a computer works and how to search forums and asks questions of people who are more than willing to help you out free-of-charge, then try Linux.

It's that simple.

Re:Linux Treats You Like An Adult....

[CannonballHead]

Yes, it's that simple... and for most people, they don't want to research all that.

And if Linux wants to be popular with those people, it's going to have to change a bit.

It's more than knowing how a computer works. The only thing you're talking about right now is software. You're not talking about having to know how a graphics card works in order to use it. You're talking about software configuration. But the problem I have with your simplistic explanation is this: for most people, a generic configuration does work nicely.

And allow me to say I'm glad "Linux" didn't make my digital camera. I'd hate to have to go research on forums just to figure out how to take a picture at a different resolution than it was set at ;) Joking aside, I'm somewhat serious. Most people want to research how to configure things they like working on. Most people don't like working on the computer... most people like working on something ELSE on the computer.

Re:Linux Treats You Like An Adult....

[Dorsai65]

I've been running Linux for over 5 years, and have never had to do anything like that to get a USB drive to work.

Sure, there's some hardware that won't work under Linux because of drivers -- usually cheap-ass crap that people shouldn't be buying in the first place. Then again, my Linux system does recognise the vast majority of hardware, and doesn't need separate drivers for any of it. Hell, the first thing I do when I buy hardware for my system is throw away the Windows drivers disk(s) that came with it, along with whatever suck-ass "free" program they had to toss in to try and convince me to buy it. On top of that, I don't have to reboot eleventy-seven times while installing said drivers.

Re:Linux Treats You Like An Adult....

[the_womble]

Rubbish. If you have an installed Linux system, what do you need to learn to do everyday tasks like web surfing or word processing? That you use "firefox" instead of "The blue E" and "OpenOffice" instead of "Office".

Re:Linux Treats You Like An Adult....

[pandrijeczko]

Actually, your comment tells me that you've never used Linux - or at least not recently.

I have all manner of USB disks, webcams, drives, phones, etc. at home and use them all on dual-booting Gentoo Linux and Windows XP machines. The biggest problem I have had with USB recently (and strictly speaking it's not a USB issue) is how to get NTFS-formatted external USB disks to mount with proper permissions using the ntfs-3g user space driver.

The reason this problem came about in the first place was because Microsoft don't allow you to format any drive over 32GB with FAT32 in recent Windows versions (even though FAT32 partitions have a size limit of 2TB) and I needed to have USB disks readable/writeable by both OSes.

In the end I found fat32format which does allow me to use FAT32 on big external disks (even PartitionMagic sets an arbitrary 200GB FAT32 partition limit) and ditched NTFS completely.

I suggest you go ahead and try a modern Linux distro with built in daemons like hal and udev running on startup - because with a modular kernel these days, hardware detection is pretty much automatic....

Re:Linux Treats You Like An Adult....

[pandrijeczko]

This is precisely the reason why I have a problem with so many people on here...

There is *NO*, repeat, *NO* war being waged by Linux to defeat Microsoft. If there was, then it would have already won several battles when it comes to its penetration into server space and into embedded devices - but in the case of servers, it has done far more damage to displacing Sun Solaris, AIX, HP-UX and other "paid for" UNIX implementations.

So there is no *desire* for Linux to be accepted, it's there as an alternative and some people who write apps or GUIs for it do look at how things are done in Windows and emulate it in Linux, because they assume that anyone who *chooses* to try it and is from a Windows background will at least have some familiarity.

If anything, the fact that Linux is there and, in many cases, now a viable alternative to Windows, it has given Microsoft a "kick up the backside" to focus more on giving Windows users a better experience - I seriously doubt a Windows OS as reliable and as liked as XP would have existed without Microsoft fearing the uptake of Linux...

Re:Linux Treats You Like An Adult....

[ducomputergeek]

My time is no longer worth nothing and the last thing I want to do is spend time dicking around with a computer for everyday use. At work it costs money and at home, it's the last thing I want to do when I get home. And every time I attempt to use Linux in a desktop environment, I still have to fuck around with some piece of hardware to get it to work. Hell even when I did research this last time on wireless hardware, all the sites said it would work and the card was a couple years old. So I bought it and turned out it was the one revision that linux wouldn't support with an NDIS wrapper. It cost me about a half days worth of work to get everything configured correctly. At my billable hours rate those 4 hours was an opportunity cost of $340. That easily makes up the price difference between a barebones kit and the price of a Mac Mini.

That's why when OSX 10.2 came out I said the hell with it and bought a mac and never looked back. OSX stays the hell out of my way. If something comes up, and since we're in development things do, I can always open up terminal and I got just as much power as would in Linux.

Re:Linux Treats You Like An Adult....

[pandrijeczko]

I'm a telecoms consultant billed at $300 per hour, my head is not so far up my backside that I cannot find time to continually hone my skills & play about with operating systems (whether Linux, Windows, whatever) and last but not least, someone who demands as much for their time as you do probably should learn to control your language and temperament a little better.

Re:Linux Treats You Like An Adult....

[CannonballHead]

In general, I agree with you. The problem I have is that it seems a lot of Linux users look down their noses at Windows users, as though they are stupid and ignorant and if they REALLY were intelligent they would use Linux... because it's intelligent people that care about their computer that are interested in dealing with the issues in order to run a superior operating system.

I guess it's the "superiority complex" issue that seems to be what I take issue with. I know people that are quite happy with Windows. To many, I think the difference between Windows and Linux would be like asking them to drive a car on the left side of the road with the steering wheel operated by their feet and the "pedals" with their hands. It's just completely different - at first/to them - and I don't think the Linux community should look down on them for that.

This coming from a Linux user. :) But I also use Windows. Depends on what I'm doing and waht I want to do.

Easy Solution

[The+MAZZTer]

This doesn't seem like any more of a problem than someone jacking in to an empty ethernet port on your network, except that a) they can do it from outside the building wirelessly and b) any special software used by the 7 user to access the network could potentially helpfully forward packets from others, but that would probably be a fault of the software not checking the origin IP on packets...

Anyways the fix is simple. Require authentication for all network resources. Windows enterprise solutions are set up like this by default and do it transparently using Windows login credentials. An intruder on your network would be unable to access anything. There is the LITTLE issue of exploits, so you can either batten down the hatches as much as you can and continually scan for suspicious network traffic, or you can try an alternate solution which may work better (a combination of both would be best):

For complete security, IT could notify all employees that use of this feature is not permitted. On corporate machines it could be disabled or removed or steps taken to block access, but you must assume users are clever enough to get it working (not to mention booting from a LiveCD bypasses every protection known, except complete Windows software compatibility. Someone did mention Linux software that did this though, and my brother's WiFi card supposedly does it too with a special included application.). IT could also compromise and allow users to use it if it is properly configured, with clear steps outlining how to check if this is the case. However either way, severe penalties (starting with being kicked off the network until you have resolved the problem) would be issued for having an open access point. IT would have to periodically stage their own "attacks" to look for such hotspots and attempt to connect, and then lock the user out of the network if they are able to access the user's machine anonymously (ie folder shares with company files) or the network.

OK so it's a long winded solution but basically: The problem isn't new, lock down systems with authentication best you can, routinely scan for hotspots and penalize users that put them up.

Disclaimer: I am not a security expert but I like to think I've picked up a few things.

Re:Easy Solution

[Niobe]

You are misunderstanding the problem. The PC running this feature becomes a router bridging their local and probably unauthenticated network with whatever secure network they are already connected to. Add network connection sharing to the mix and you have a security hole regardless of how 'locked down' the original network is. How big a problem this is will depend on the implementation and I haven't seen it.

Re:Easy Solution

[QuantumRiff]

Cisco Wireless (used to be airespace) and other wireless management controllers have had the ability to detect rouge networks for at least 5 years. If they see a rouge, they can attempt to use the nearest AP to connect, and see if the packets can route back to your network. (Showing you if someone plugged a linksys router into your building's wired network, or if the business next door just got wireless)

The Airespace controller even had a "feature" that was heavily discourgaed that would basically take a few of the nearest AP's, and bombard the rouge with packets and DDOS it. I think that the more advanced ones had the ability to use 802.1x features to shut down the network port that the rouge was going through, if I am not mistaken, but I didn't have a model that could do that.

Re:Easy Solution

[shentino]

Where I come from, deliberately bypassing network security is a one-strike-and-you're-out termination offense.

Re:Easy Solution

[dbIII]

Anyways the fix is simple

Yes, give cisco sh*tloads of money. It's just like the easy solution with corrosion, coat everything in gold. There are better things to do with budgets.
I had an idiot bring in his own wireless access point instead of borrowing any of the spare 8 port switches and a 2 metre cable - and that idiot turned on dhcpd and took quite a few people off the network. The only real way to stop that is firewalls all over the place or firewalls built into all the switches. Effectively you tell the new device that if you are not on the list you are not sending or receiving anything. Only very expensive switches can do this on every port, so the other answer is a lot of firewalls to quarantine off network segments and limit the damage.
IT notifying people is not enough - because then you still get the clueless n00b that thinks they are a genius so the rules do not apply to them and they decide a production network is a nice place for them to learn the basics of networking by poking it with a stick until it breaks. You have to give them a sandbox and whack them on the nose when they sh*t outside of it.

Re:Easy Solution

[jpmorgan]

No, you are misunderstanding the problem. None of these features: virtual WiFi, connection sharing and bridging, are turned on by default.

The GP is exactly right. If someone wants to 'attack' your network this way, it's no different from walking in with a laptop and an extra usb wifi device. Windows 7 makes it slightly less expensive, that's all.

Re:Easy Solution

[grub]

The only real way to stop that is firewalls all over the place or firewalls built into all the switches.

Most intelligent switches can block with ACLs. We block all sorts of nefarious things at out place.

Re:Easy Solution

[Redlazer]

Cisco's implementation is the most cumbersome and the most expensive. I don't truly know how useful it is compared to Aruba's, but I know that Aruba's works like a charm every time, and is automatic and fast.

Re:Easy Solution

[DavidD_CA]

Group Policy can disable this for all domain users in one click.

And even if left on, what admin would allow a non-authenticated user access to anything on the network?

Besides, if I had enough access to a machine to turn this feature on, couldn't I just take control of it via traditional means? Why bother.

Re:Easy Solution

[dave562]

Can you stop by and have a conversation with my HR department? The finance department seems to be stripping security out of the network under the guise of "controlling costs", yet I can't get an HR policy to make it a termination worthy offense to bypass the few controls that are left.

Re:Easy Solution

[weicco]

But still they have to authenticate against AD to access shares? Well, I guess this depends how things are configurated but I sure as hell can't access our corporate network shares without proper authentication.

Re:Easy Solution

[mysidia]

This doesn't seem like any more of a problem than someone jacking in to an empty ethernet port on your network

Unused ports are left unusable. Assigned to a 'quarantine VLAN' which has only an IDS on it designed to set off alarms if anything sends traffic to it.

Ports that are in use, have port security enabled with sticky MAC address, and thus an alarm is also set off on violation.

but you must assume users are clever enough to get it working (not to mention booting from a LiveCD bypasses every protection known, except complete Windows software compatibility.

802.1X authentication required to bring up the wired network port. The certificate is installed and available to Windows, but rebooting the machine would cause connection to be lost, and the Live CD distribution would be unable to re-authenticate and gain access (since Linux has no access to Windows' secure crypto keystores).

So, you see.. This Windows 7 problem is much harder to address, and a much bigger risk than other issues such as LiveCDs or unused ports which are very easily made basically non-risks.

Re:Easy Solution

[snowytoxa]

[sarcasm] windows ( or any other OS) is so insecure! skilled user/admin can use commands like format c: or rm -rf /, let's wipeout them from our hard drives! [/sarcasm]

Re:Easy Solution

[sam0737]

I didn't RTFA, but I guess the problem is user will see an AP with the same SSID that user used to be connecting...and tricked into connecting it but that's actually a rouge one? Even without Win 7, I could do it with a $50 SOHO Wireless Router!...

The parent is right - If your network is that sensitive, please turn on Group Policy to requires IPSec encryption on both ends, and requires Proxy (say MS ISA) to go to the Internet. Then the rouge AP doesn't really matter.

Re:Easy Solution

[shentino]

If the powers that be are morons, then your ship is about to sink.

I need to check this out

[greymond]

I need to play with this feature on my W7 laptop, I wonder how far the reach is on this and how well I could daisy chain this, just out of curiosity more than anything useful.

Re:I need to check this out

[mrbene]

If you want easy-mode, check out Connectify. Timothy (the poster for this article) linked a story about Connectify back in November.

Re:I need to check this out

[xtracto]

Yeah, I checked connectify when it was first released as a beta. Unfortunately they force WPA security thus it is not useful for connecting other portable devices (say Nintendo DS). In addition it is not possible to make it work if you are behind a proxy.

Not again..

[Niobe]

Didn't we already go through this with Ad Hoc networks on the original version of Win XP? The 'Free Public Wifi' SSID is still around today thanks to this poorly conceived 'convenience' and it was a nightmare for anyone trying to manage a secure wireless network. I think time will show this feature not being worth the trouble it causes.

Re:Not again..

[agizis]

No this is different, because Microsoft does not allow you to turn off encryption. It's always WPA2-Personal AES encryption. So you have to give people a key to connect. MS only gives command line tools to it, so you need to get a user interface to it like Connectify, but then it's for sharing with your other devices and co-workers, no good at all for setting up free airport honeypots.

Oh I see what you tried to do there..

[synthesizerpatel]

What you attempt with 'ghost ride' is better communicated and less retarded with one of the following phrases:

* piggy-backing
* covert channel
* out-of-band

There's no applicable analogy with 'ghost ride' to communicate what you're trying to describe. Don't try to introduce new lingo. You might as well call it 'Dog sledding' as it has just as much in common with covert channels as 'ghost riding' does.

Damn! Should have installed Win7 instead of Ubuntu

[rduke15]

Seriously! That is exactly what I wanted to do a few months ago, but it seems I can't with my WiFi Link 5300. Hostap seems to be for Prism chipsets. Easily creating an AP to share files or to play with neighbors was one of the bonuses I expected from my switch to Ubuntu. What is going on? Is Windows now becoming the fun OS for geeks and Linux the boring Desktop for the average users?

this is silly...

[BitwiseX]

you can "what if" lots of features. As near as I can tell from the quick searching I did, it's not like it's on by default. I didn't think it would be, but I haven't fooled with Win7 wireless much.

Domain Administrators can do this.

Is there an article on Network World that condemns Linux for having this ability? Well I did find this when I searched for Linux and HostAP. Don't see anything in the article mentioned that it too, could be a security risk if used incorrectly. It's not called Beware the rogue Wi-Fi access point in Linux Kernel 2.6.26 and up.

Re:Damn! Should have installed Win7 instead of Ubu

[mrbene]

Is the WiFi Link 5300 Intel based? A recent blog entry from Connectify indicates that there may be issues with those drivers - at least for Windows. Mind you, if Intel has outstanding issue in the Windows drivers, it's possible that it's a problem in Linux version as well.

Re:Damn! Should have installed Win7 instead of Ubu

[cbhacking]

Lacking more info, I'm going to venture a guess that yes, the 5300 the GP mentions is the Intel Pro Wireless 5300 chipset (802.11abgn, and generally pretty darn good). The Linux drivers for it are open-source, but that doesn't necessarily mean bug-free or that all features are available. It does mean you could try to get it working yourself if you want, though. I have one such chipset myself, and while I've never tried to make it act as an AP, it would be neat to be able to do so.

On a side note, are there any easy Linux tools to make a WLAC card act as an AP and a client simultaneously (as SoftAP apparently does)? That would be very nice - I've only got *one* WLAN card in the laptop and it would be fantastic to be able to use it as simultaneously a client and a repeater that others could access (I promise I wouldn't even redirect them all to 64.111.96.38).

Re:Damn! Should have installed Win7 instead of Ubu

[Xabraxas]

MAC802.11 supports creating an AP and since the standard intel wireless driver is MAC802.11 based you should be able to do this easily with the aircrack-ng suite.

Aruba

[Redlazer]

Aruba Networks has support for detection and elimination of rogue AP's.

An important network that does not have wireless intrusion detection and control is definitely not protected well.

However, a proper Aruba deployment with AP's and a mobility controller can and do identify, mark, and shut down rogue APs and ad-hoc networks, as well as wireless bridges.

I am not terribly worried.

-Red

Re:Damn! Should have installed Win7 instead of Ubu

[Redlazer]

Windows 7 can do lots of cool stuff I like.

Kubuntu can do lots of cool stuff I like.

So, I use both.

Re:Anyone see the Linux bias here?

[Dorsai65]

No, not hypocrisy.

Using Linux, you're expected to take responsibility for your computer and how it's configured. If it's borked, that's because you probably didn't research/learn as you should have and almost certainly changed something without knowing what it does or is for.

When a Windows box is borked, it's generally because MS screwed it up FOR you, before you got it, and without telling you -- if you had any interest in it working correctly in the first place (which most Windows users are willing to assume it does).

Mesh is here

[DogDude]

If this article is accurate, we'll see the beginnings of real ad-hoc mesh networks starting in 2010. This feature has the potential for allowing massive ad-hoc networks. Awesome. ISP's are going to pee themselves. Awesome.

Re:Mesh is here

[selven]

Nah, they'll start charging by the gigabyte, so if you hook a computer up to internet and 2000 machines end up routing through it downloading Wolverine, you'll have to pay for 1.4 TB of traffic ($1400 at 1 dollar per gigabyte). Hopefully we'll get rid of ISPs entirely sooner or later, also fixing the net neutrality problem, the throttling problem and kicking the RIAA a few extra times but it'll take at least a decade.

Re:Anyone see the Linux bias here?

[pandrijeczko]

As I'm both a Windows XP and Linux user (and I like them both for their own reasons), let me explain this to you in more detail.

Any Linux application I use holds it configuration in a text-based file somewhere on the system - either in my home directory, or globally under /etc somewhere. Whenever I want to change the configuration of an app, I can back up the old configuration just by making a copy of a text file.

So if I'm messing about with the configuration of, say, Xorg (the modern implementation of the X-Windows GUI) to get a particular graphics card feature to work, it's quite possible I break Xorg and have to go scanning through log files to find out why what I did broke it. But I can also just copy back in the original /etc/X11/xorg.conf file and it will work again...

If I'm messing about with some new kernel features, then I can end up putting in place a kernel that panics when I try to boot. But it's very easy to configure the GRUB bootloader to give you the option of booting from the last working kernel that you always keep a copy of, so if my new kernel borks then I can always boot back on the old kernel and try compiling a new one again.

Yes, this stuff is all complicated, even to a Linux veteran like me, but as long as you act responsibly, think about the ramifications about what you are doing, and make sure you have a backout plan, it's not really a problem.

Now explain to me how this would work in Windows? Don't get me wrong, XP is a bloody reliable OS (I can't comment on Vista or 7 because I've never used either) and uninstalling an application usually works to get you out of any mess you're in.

But what about if that app trashes the registry, what do you do then?

And why is it such a big deal whenever I try to backup my "Documents and Settings" directory in Windows, that it won't let me backup a lot of the files unless I boot into safe mode? Or how about I want to take my app settings from one XP machine to another? Presumably I have to use some convoluted backup program, whereas in Linux I can just use "cp" or "scp" over the network to send my home directory and all it's config contents somewhere else.

I'm sorry, but if something happens on an OS that the user cannot prepare a reasonable backup plan for, then it's a flaw in the OS. No, it doesn't happen often in XP but even as recently as last week, there were reports of some automatic updates trashing users' PCs...

Re:Anyone see the Linux bias here?

[pandrijeczko]

Incidentally, I object to being a called a zealot purely because I happen to utter words in support of Linux.

I do use both XP and Linux, and, for example, I have a handful of killer apps on Windows that I don't have on Linux - so there's a plus for XP to balance it out a bit, if that makes you happier.

Re:Damn! Should have installed Win7 instead of Ubu

[rduke15]

Yes, it's the Intel WiFi Link 5300 (in a Thinkpad), using the iwlagn driver (in Ubuntu 9.04). Not sure if it's because of the chipset, the driver or their combination, but it doesn't support master mode:

# iwconfig wlan0 mode master
Error for wireless request "Set Mode" (8B06) :
        SET failed on device wlan0 ; Invalid argument.

Easier even

[srussia]

If SoftAP works as well as the Softmodem (Winmodem) I'm using right now; let me expla...{#`%${%&`+'${`%& NO CARRIER

Is this just the Ad-Hoc network option

[moxley]

Is this just the Ad-Hoc network option that can be setup in the network and sharing center, or is it something else?

I have Win7 Ultimate and I can't find anything that refers to "VirtualAP" or "SoftAP."

What would you give up to upgrade a dozen switches

[dbIII]

Some unfortunates have content filters that wouldn't let my post through otherwise, hence the asterisks - know you know why you see them sometimes.
For some reason everyone missed the first sentence about switches that can do this being expensive. What would you do without to upgrade a working network with less than ideal security? Would you go without the things that make the production network productive? That IS sometimes the choice. We are talking about replacing switches worth a couple of hundred with ones that cost several thousand - a major deal unless you are a tiny operation in a tiny location with only a single switch, and prohibitively expensive if you are a tiny operation spread over a few buildings or floor with a lot of switches. In many places it's not easy to argue for without looking paranoid, since you'll be asked why you are spending this much on INTERNAL network security. Think about coming in from the outside and effectively telling someone they shouldn't trust their employees on the company network and you'll see what I mean. Management see a dumb gigabit switch for a couple of hundred and then want to know why you want to spend thousands on cisco gear.
As I said before, coating everything with gold may solve a potential problem but there are other ways.
The "snicker" bit missed the most important point - it's about protecting the production network from misuse by employees already on there - somewhat of a major difference instead of the simplistic view so much harder to justify on a budget. It's a bit of a major misunderstanding which makes me wonder if you know anything about the subject I'm talking about. If you do know what you are talking about, go ahead and find a cheap 48 port gigabit switch that can do this and I'll take ten. Until then I'll just firewall off the software developers and other potential troublemakers to minimise disruptions. A few routers with decent firewall rules are cheap compared with coating everything in cisco gold.