Why You See 'Free Public WiFi' In So Many Places
An anonymous reader writes "Almost anywhere you go these days (particularly at airports), if you check for available WiFi settings, you have a pretty good chance of seeing an ad hoc network for 'Free Public WiFi.' Of course, since it's ad hoc (computer to computer) it's not actually access to the internet. So why is this in so many places? Turns out it's due to a bug in Windows XP. Apparently, the way XP works is that if it can't find a 'favorite' WiFi hotspot, it automatically sets up the computer to broadcast itself as an ad hoc network point, using the name of the last connection the computer attempted. So... people see 'Free Public WiFi' and they try to log on. Then their own computer starts broadcasting the same thing, because it can't find a network it knows. And, like a virus, the 'Free Public WiFi' that doesn't work lives on and on and on."
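As an added example, not from the story or any commenter: the behaviour described above leaves a recognisable fingerprint in a wireless scan, an open ad hoc network carrying a name that looks like a real hotspot. The Python below parses the listing that Windows 7 and later print for `netsh wlan show networks mode=bssid` and flags that pattern, plus the two SSIDs this thread names. The scan text is constructed for the example (it is not a real capture), and the locally-administered-bit check is an assumption drawn from the way ad hoc (IBSS) ids are randomly generated.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `netsh wlan show networks mode=bssid`
# output. The SSIDs, BSSIDs and signal levels are made up for this example.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:11:22:33:44:55
         Signal             : 60%
         Radio type         : 802.11g
         Channel            : 11

SSID 2 : Airport_Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:aa:bb:cc:dd:ee
         Signal             : 85%
         Channel            : 6

SSID 3 : hpsetup
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:66:77:88:99:00
         Signal             : 30%
         Channel            : 10
"""

# The two self-propagating / vendor ad hoc names mentioned in this thread.
KNOWN_GHOST_SSIDS = {"free public wifi", "hpsetup"}


@dataclass
class WlanNetwork:
    ssid: str
    network_type: str = ""
    authentication: str = ""
    encryption: str = ""
    bssids: list = field(default_factory=list)


def parse_netsh_networks(text):
    """Parse the per-SSID blocks of a `netsh wlan show networks` listing."""
    networks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^SSID \d+\s*:\s*(.*)$", line)
        if m:                                   # start of a new SSID block
            current = WlanNetwork(ssid=m.group(1))
            networks.append(current)
            continue
        if current is None or ":" not in line:  # header lines before the first SSID
            continue
        # Split on the first colon only: BSSID values themselves contain colons.
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "network type":
            current.network_type = value
        elif key == "authentication":
            current.authentication = value
        elif key == "encryption":
            current.encryption = value
        elif key.startswith("bssid"):
            current.bssids.append(value)
    return networks


def is_locally_administered(bssid):
    """Assumption: ad hoc cells use a random BSSID with the U/L bit (0x02) set."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def flag_ghost_adhoc(networks):
    """Return (ssid, reasons) for networks matching the XP 'ghost' pattern."""
    findings = []
    for net in networks:
        reasons = []
        if net.network_type.lower() == "adhoc":
            reasons.append("ad hoc (computer-to-computer), not an access point")
            if net.authentication.lower() == "open" and net.encryption.lower() == "none":
                reasons.append("open and unencrypted")
            if any(is_locally_administered(b) for b in net.bssids):
                reasons.append("randomly generated (locally administered) BSSID")
        if net.ssid.strip().lower() in KNOWN_GHOST_SSIDS:
            reasons.append("SSID is a known self-propagating/vendor ad hoc name")
        if reasons:
            findings.append((net.ssid, reasons))
    return findings


if __name__ == "__main__":
    for ssid, reasons in flag_ghost_adhoc(parse_netsh_networks(SAMPLE_SCAN)):
        print(f"{ssid!r}: " + "; ".join(reasons))
```

The open infrastructure network in the sample is left alone: an open hotspot is not the problem the story describes, the problem is a peer that advertises a hotspot name while offering no route to the internet, and on a shared client it is exactly the entry a user should decline rather than keep retrying.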
Windows really *is* a virus!
Ah!
Have you heard about SoylentNews?
That's the SSID for my home wi-fi :-D.
I guess I am not the only one that is thinking that "Free Internet" SSID is a perfect vector for a MIM attack. Has anyone heard of any cases where it has already been exploited?
http://hardware.slashdot.org/article.pl?sid=07/01/26/1420202, among others.
Best Slashdot Co
Steve Gibson covered this over 3 years ago. https://www.grc.com/sn/sn-082.htm
You found me out... I was using it to make a chain of roaming broadcast nodes to beam PETA propaganda directly to your fillings. I guess now I'll have to use twitter.
Common Sense isn't as Common as people think...
Cue the picture featuring a pair of laughing girls.
Oh wow! Is it a big alot? Or a furry one? Is it friendly? I hear alots can be dangerous.
http://hyperboleandahalf.blogspot.com/2010/04/alot-is-better-than-you-at-everything.html
At my old school which I left earlier this year, I remember setting up my laptop as an ad-hoc access point to test some music streaming with VLC.
I have no idea why, but someone must have tried to connect to it. Now, almost a year after leaving that school, people still tell me that the 'ghost' of my laptop broadcasting can still be seen.
There are 2 ad-hoc networks out there that are 'ghosts' now, the first is my nickname (yeah, bad choice for a perpetuating network, I know) and the second is named after the university network, which is accessible on clear days.
The "hpsetup" ESSID is from HP bloatware. It is used to connect the computer to wireless peripherals, namely HP wifi-enable printers.
I researched this myself, and it ended up that there were a bunch of better ways to implement it, but HP flat out didn't care.
Almost anywhere you go these days (particularly at airports), if you check for available WiFi settings, you have a pretty good chance of seeing an ad hoc network for 'Free Public WiFi.'
Doesn't match my experience. I have done a fair bit of flying lately - and always needing at least one connection each time because my closest airport sucks - and haven't seen it at the airports I've been to. I have checked for WiFi at coffee shops and restaurants and haven't seen that SSID there either. Lately I have been connecting through some of the busiest airports in the country (O'Hare and Newark Liberty in particular) and haven't seen this.
In fact, I can't think of the last time I did see it. I often use my blackberry to access open WiFi spots, and I don't have a record of a network that I have connected to called 'Free Public WiFi'.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
to be affected. This was fixed in XP SP3. Love lines like "When a computer running an older version of XP ...." without further explanation. Haters gonna hate!
Now that this information is public, we're going to start seeing networks called "Free Public Wifi - eatatjoes.com". Good job. Should have just kept quiet about it.
actually it looks just like an aswell, only smaller
What better way is there to implement a wireless connection when the user doesn't have any wireless networking equipment other than their computer?
Nerd rage is the funniest rage.
Almost anywhere you go these days (particularly on slashdot), if you check for new stories, you have a pretty good chance of seeing a duped story from another site. Of course, since it's a duped story (news site to news site) it's not actually news. So why is this in so many places? Turns out it's due to a bug in site moderators. Apparently, the way they work is that if they can't find a 'new' story, they automatically set up their site to broadcast a duped story, using the title of the last story that was popular. So... people see this and they try to read it. Then their own favorite sites start broadcasting the same thing, because they can't find a good story on their own. And, like a virus, the 'Duped Story' that doesn't work lives on and on and on.
So 'the user buying something' is a better solution than the printer software supporting ad-hoc networks?
We disagree.
While most people use the term "SSL" to refer to "secure internet" most https connections today use TLS.
TLS uses pseudo random element in the handshake which prevents the MITM scenario you described.
Sadly Google Chrome doesn't support TLS (no friggin idea why) so the server will negotiate down to the less secure SSL v2 or SSL v1 standard.
IE 8 or later, Firefox 2.0 or later, and Safari (no idea what version) all support TLS but obviously google thinks security is over-rated.
I was once called out for an emergency network repair at a local country club. A company had hired out the banquet room for a large business meeting, and could not get the wireless to work. When I arrived on site, I found that everyone in the room was connected to Free Public Wifi, being broadcast by one of the company owners' laptops. Turned out, the golf course did not have a wireless access point at all.
Seeing that SSID in your client list is just Microsoft's subtle way of telling you to INSTALL XP SP3.
Actually, it is pretty easy to hijack about any wireless network using WPA. WPA2 is only a tad bit harder and both are easier than WEP until you get into some business class security. Basically, all you need to do is flood the connection to force a reconnect between the devices then run a script or program on those packets.
It's actually a little more difficult than that, but once you find the right programs and the right hardware to work with them, it's not much more difficult than that. And the most difficult parts are already taken care of and reusable for the most part.
I have a laptop set up specifically to do this. Whenever I have a customer claim their rocket scientist nephew, or son, or the neighbor's- dog's- sister's- aunt's cousin, or the time warner cable guy swears that wireless is safe and I don't know what I'm talking about, I simply tell them to go ahead and install it, then show up to ask how it's going with the wireless and show them that I'm already on the network. Sometimes I have to wait outside for about a half hour before I get it cracked, but I haven't run into one wireless network yet that took longer than 2 hours to crack into. And yes, all the software needed is pretty much free and available on the interweb waiting to be downloaded and used. There is a pretty steep learning curve though but it's not that hard and there are a lot of tutorials out there. This is especially easy when the time warner guy and most outside techs try to use a phone number for the key phrase. Often, if you have a list of phone numbers to a building with wireless, going through those will get you a working key without needing all the monitoring and cracking software. Start with the Fax numbers as they are often tied to the DSL or the Cable Internet Phone which makes it easy for the technicians to find if they have to service it again.
Anyways, once you are on the network, it's pretty trivial to send commands to any windows box to do things that give you more control. Especially if they have the power shell installed. Most firewalls don't screen addresses on the network as it seems to be universally trusted in most environments.
zeroconf and those "Quick Connect" buttons that routers and Windows have these days, for two.
It all depends on how much they want to invest in their attacks. I can see easy ways of doing it that wouldn't require breaking SSL traffic at all. First, look up a wifi pineapple. If you notice, they are using a regular wifi router with a hacked firmware stuffed into a seemingly innocent object. Just take that firmware a bit further by installing a proxy server that captures the key exchange then decode the traffic. Or better yet, rig the proxy to relay everything until it hits a bank site, then cause the page to reload with a dynamic copy of it to mimic the banking site, and refuse the first and second attempts to connect. You now have basically tricked them into entering their username/account numbers and passwords into something you can easily read. They will concentrate more on trying to type the account information in correctly than noticing the page changed slightly. Allow them through the second or third time unobstructed and they will simply think they fat fingered some character as they typed.
There used to be proof of concept code that would pretty much do just that floating on the web but a quick search turned up nothing I recognized. It basically intercepted all web requests and relayed the page/pages requested to the user as if it was hosted on the gateway device itself. I think it could even mimic some self signed security certificates but had trouble with most of them. Either way, setting it to hit originally with the right page, forcing a reload with the faked page, then allowing the real page to pass could all be controlled with software and scripts giving access to most of the important stuff.
Nah, good businessmen realize that people want cars that work with all the gas, not just the fucking branded gas, and that people will buy more of the cars if they don't have to track down the branded gas.
The assholes that think selling branded gas is awesome are just assholes who like branded gas.
If they are dumb enough to setup their account without encryption, they deserve whatever happens to them.
No, they don't.
I would guess that concerns about the support costs might be more of a factor than the actual implementation cost.
Anyone dumb enough not to know how to do their own brain surgery deserves what they get!
The easy part's getting the brain out. The hard part's getting the brain out!
Cogito, ergo sig.
First, I'm not really an authority on this as all I have done is used other people's tools and scripts and read their how-to's and so on. You can call me a script kiddie if you want. You will find a lot of reviews, including videos of people cracking WPA2-AES on the internet. Some of their methods work, some do not- don't get bogged down by the higher ranked ones as I typically can't get them to work. My understanding is that AES is built into the WPA2 standards by default and you're using it regardless. However, how it is used is important.
It's susceptible to dictionary attacks which is actually a lot easier than you think if you know how the person creating the key thinks and can get a known packet. Generally, as I mentioned before, they like to make the key something they can remember which means that a 10 digit phone number somehow associated with the internet account is typically what you need. Some people get a little more constructive but it all points back to the same security strengths of regular passwords I guess. There are attacks that if you can gain access to an existing connected computer (suppose you want on your work network -or girlfriend/neighbor's- network, but they won't give you the key- yet your work laptop -theirs if you have access to it briefly- is already connected), you can either attempt to extract the hash tables storing the key on the computer and crack the key there, or set up a monitoring server at a remote location, then go to a website while monitoring the traffic and then you can crack the encryption a lot easier because you know a known packet before and after the encryption (details can be found on the web).
One of the drawbacks is that WPA2-AES is not typically used in a way that exploits its strengths. It's like having a titanium luggage lock with 128 number combination and setting them all to 0-0, 1, 2, 3, 4. I have gotten access to WPA2-AES networks in the past, but the dictionary contained all of the phone numbers the site had and it also was one of the keys. No one seems to want to build a long key of random numbers and signs that they have to input into every wireless device needing access.
If you are worried about security, you shouldn't be running wireless at all- unless you're ready to do some enterprise level security and run an IDS with access controls, a radius server, use EAP, and the lot AND have someone monitoring it regularly. Typically, when I do set up wireless networks for businesses that insist on them (granted I'm dealing with small businesses with less than 50 employees), I set them up outside the internal network entirely on its own IP address then VPN the clients into the network as needed. There are drawbacks with that too. I guess my main point was that you just can't go to best buy and purchase a Dlink- throw it on the network and expect to be completely secure. Some information is more valuable than others as it could carry steep fines and possible jail time in addition to other liabilities if it got out depending on if some law covers it like HIPAA.
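An added Python example, not the commenter's tooling and not from the original thread: the check a defender would run against their own WPA/WPA2 pre-shared key before it goes on the access point. It encodes the weaknesses described in this post and the earlier one by the same commenter (phone numbers tied to the site reused as keys, short all-digit keys) and pairs the audit with a generator for the long random key the post says nobody wants to type. The site phone numbers are constructed, the 80-bit floor is a chosen assumption, and the entropy figure is a rough character-class estimate rather than a measurement.

```python
import math
import re
import secrets
import string

# Constructed stand-ins for "the phone numbers to a building" that technicians
# are said to reuse as keys. Made-up numbers; not real data.
SITE_PHONE_NUMBERS = ["555-010-0199", "(555) 010-0123", "5550100177"]

PHONE_SEPARATORS = set(" -().+")   # characters people type between digit groups
MIN_ENTROPY_BITS = 80              # assumption: chosen floor for a PSK


def digits_only(s):
    return re.sub(r"\D", "", s)


def looks_like_phone_number(psk):
    """10-11 digits with at most a few separator characters between them."""
    non_digits = [c for c in psk if not c.isdigit()]
    return (len(digits_only(psk)) in (10, 11)
            and len(non_digits) <= 4
            and all(c in PHONE_SEPARATORS for c in non_digits))


def estimate_entropy_bits(psk):
    """Rough estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return len(psk) * math.log2(pool) if pool else 0.0


def audit_psk(psk, local_numbers=SITE_PHONE_NUMBERS):
    """Return the list of weaknesses found in a candidate pre-shared key."""
    problems = []
    if not 8 <= len(psk) <= 63:
        problems.append("length outside the 8-63 character range WPA-PSK accepts")
    if psk.isdigit():
        problems.append("digits only")
    if looks_like_phone_number(psk):
        problems.append("phone-number-like (10-11 digits)")
    # Compare on digits so "555-010-0199" and "5550100199" are treated alike.
    known = {digits_only(n) for n in local_numbers}
    if digits_only(psk) and digits_only(psk) in known:
        problems.append("matches a phone number associated with the site")
    if estimate_entropy_bits(psk) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def generate_psk(nbytes=24):
    """Random key from the OS CSPRNG: 24 bytes -> 32 URL-safe ASCII characters."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for candidate in ["5550100177", "555-010-0199", "Welcome1!", generate_psk()]:
        print(f"{candidate!r}: {audit_psk(candidate) or 'no problems found'}")
```

The generated key is 32 characters drawn from a 64-symbol alphabet (192 bits from the CSPRNG), comfortably inside the 63-character limit; the practical cost the post mentions, typing it into every device, is exactly why the check matters, because the alternative most sites pick is one of the numbers on the letterhead.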