Text 9202, 105 rader
Skriven 2006-01-15 09:12:12 av Mike '/m' (1:379/45)
Ärende: Windows Wireless Flaw a Danger to Laptops
=================================================
From: Mike '/m' <mike@barkto.com>


http://blogs.washingtonpost.com/securityfix/2006/01/windows_feature.html

===
At the ShmooCon gathering in Washington, D.C., today, old-school hacker and
mischief maker Mark "Simple Nomad" Loveless released information on a
staggeringly simple but very dangerous wireless security problem with a feature
built into most laptop computers running any recent version of the Microsoft
Windows operating system.

Laptops powered by Windows XP or Windows 2000 with built-in wireless
capabilities (these includes most laptops on the market today) are configured
so that when the user opens up the machine or turns it on, Windows looks for
any available wireless connections. If the laptop cannot link up to a wireless
network, it creates what's known as an ad-hoc "link local address," a supposed
"private network" that assigns the wireless card a network address of
169.254.x.x (the Xs represent a random number between 1 and 254).

Microsoft designed this portion of Windows so that the address becomes
associated with the name or "SSID" of the last wireless network from which the
user obtained a real Internet address. The laptop then broadcasts the name of
that network out to other computers within a short range of the machine (which
may vary depending a number of things, including the quality of the laptop's
embedded network card and things that may obstruct the signal, like walls,
e.g.).


What Loveless found was that by creating a network connection on his computer
that matches the name of the network the target computer is broadcasting, the
two computers could be made to associate with one another on the same link
local network, effectively allowing the attacker to directly access the
victim's machine.


I followed Loveless up to his hotel room to get a first hand example of how
this attack would work. I set up an ad hoc wireless network connection on my
Windows XP laptop named "hackme." Within a few seconds of hitting "Ok," to
create the network, my laptop was assigned a 169.254.x.x address. A few seconds
later, Loveless could see my computer sending out a beacon saying it was ready
to accept connections from other computers that might also have the "hackme"
network pre-configured on their machines. Loveless then created an ad hoc
network with the same name, and told his computer to go ahead and connect to
"hackme." Viola! His machine was assigned a different 169.254.x.x address and
we both verified that we could send data packets back forth to each other's
computer.

Here's the really freaky part about all this: No more than five minutes after I
had deleted the "hackme" network ID from my laptop, Loveless and I spotted the
same network name being broadcast from another computer that didn't belong to
either of us. Turns out, someone else at the hacker conference was trying to
join the fun.

As Loveless pointed out, this "feature" of Windows actually behaves somewhat
like a virus. Think of it this way: If you connect your Windows laptop to the
wireless network at the local Starbucks, for instance, your computer will
indefinitely store the name of the Starbucks network (invariably these are
named "T-Mobile" for the wireless company that provides the service). Should
you at a later date happen to open up your laptop in the vicinity of another
Windows user who also had recently gotten online at Starbucks, those two
machines may connect to each other without any obvious notification to either
user.

This is precisely what was happening for a client of Bruce Kyes Hubbert, a
systems engineer I met at Shmoocon who works for a company called Airmagnet,
which develops wireless security products (companies often use Airmagnet and
other such tools to ensure employees aren't setting up unauthorized wireless
networks that could compromise the organization's security.) Hubbert said he
smacked his forehead while hearing Loveless give his presentation because it
explained weird behavior one of his company's clients has been seeing a lot
more of lately.

Hubbert said this particular client -- a very large company that he asked me
not to name -- was complaining that Airmagnet's products were setting off a
bunch of false-positives, detecting rogue wireless networks throughout the
client's company. He said the odd thing was that there appeared to be more of
these networks being set up every day within the company, at the rate of two or
three additional ad-hoc networks each day.

"They kept telling us, 'we've been seeing more ad-hoc networks showing up in
our building every day,' and most of them were for local hotel hotspots,"
Hubbert said. "So we'd see multiple machines all associating with the same
network SSID, and meanwhile the user is refreshing their PowerPoint
presentation and has no idea this is going on in the background."

As it turns out, the specifications for this Windows feature -- detailed in a
technical document entitled "RFC 3927," were actually written in part by a
Microsoft employee -- one B. Aboba, according to the document. Strangely
enough, the developers of that spec foretold of the dangers of configuring
things the way Microsoft ultimately decided to do with their wireless system in
Windows. This from section 5, paragraph three of the RFC:

"NOTE: There are certain kinds of local links, such as wireless LANs, that
provide no physical security.  Because of the existence of these links it would
be very unwise for an implementer to assume that when a device is communicating
only on the local link it can dispense with normal security precautions. 
Failure to implement appropriate security measures could expose users to
considerable risks."...
===

 /m

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)