Security Networking

Windows Wireless Networking Flaw Identified 225

An anonymous reader writes "Washingtonpost.com is reporting from the 2nd annual Shmoocon hacker conference about the release of a previously undocumented vulnerability in Windows. The flaw takes advantage of a feature on Windows laptops that have wireless cards built-in. Security researcher Mark Loveless found that Windows laptops which cannot find a wireless connection are configured to broadcast the name of the last SSID they associated with. They assign themselves an ad-hoc 'link local' (think 169.254.x.x) address, and an attacker can configure his machine to broadcast an SSID of the same name. Thus, the attacker associates with that 'network' and communicates directly with the victim's machine. The funny part from the Post blog entry is that Microsoft helped author the RFC for link local."
  • That's cool (Score:3, Funny)

    by BishopSRQ ( 935893 ) on Sunday January 15, 2006 @08:47AM (#14475373) Homepage
    I think I will go test this out on my parents...
  • Damn!!!! (Score:4, Funny)

    by Anonymous Coward on Sunday January 15, 2006 @08:49AM (#14475380)
    There goes my mobile botnet...
  • by oilisgood ( 161130 ) on Sunday January 15, 2006 @08:51AM (#14475384)
    Also, many laptops have a button you can push that disables the built-in wireless feature until you hit that button again. Turning off the wireless connection when you are not using it also prevents this from being a problem.

    Best advice in the article...
    • I hope he's not referring to the power button.
    • This isn't really good advice in my opinion; if your computer's security is ready for the 21st century it won't be a problem at all. The only reasons this may be a vulnerability you should care about are:
      • You are not running a firewall
      • Your firewall doesn't block access to unsecured services
      • Your firewall makes exceptions solely based on IP subnets
      The no-firewall design is great if your computer is on a secured wired network that uses IPv4 networking. However, secured networks should be defined as having:
      • No unsecured wireless access points
      • No WEP-secured wireless access points
      • No internet-accessible computers
      • No internet-exposed computers that may contract any form of malware
      • A system that ensures that computers may only be used by the intended user
      • No possibility of disgruntled workers or pranksters
      This effectively means that you should treat your local area network as you treat your internet connection, unless you are only working on your personal home network consisting only of computers behind a network address translator and exposing no services to the internet. With the coming of IPv6, network address translation should become less popular, and this method of securing your computers will become even more dangerous.
      Run a properly configured firewall on all your computers. Do not use services that do not require authentication or base their authentication off of IP subnets.
    • Good idea, except lots of companies block user config of wireless, even something as simple as turn on/off. So you end up with it on all the time.

      I have noticed this many times where my PC thinks some random access point is around, and says so, even when there clearly is none at all. It's quite odd.

  • Dont panic (Score:5, Insightful)

    by Anonymous Coward on Sunday January 15, 2006 @08:53AM (#14475387)

    FTA
    First of all, if you are running any kind of network firewall -- including the firewall that comes built in to Windows XP -- you won't have to worry about some stranger connecting to your laptop. In fact, I had to shut down my firewall for both of us to successfully conduct our test.

    It's one of those "if you have no firewall and ignore all the alerts and warnings and have filesharing enabled and have a wifi card set to auto DHCP and an attacker is targeting you specifically" flaws.

    Yawn, seems like much ado over nothing. You have more chance of dropping and breaking your laptop than you have of being exploited by this "flaw", and if you go to Starbucks (and support their disgusting business model) you deserve everything you get.

    • Re:Dont panic (Score:3, Insightful)

      by rbarreira ( 836272 )
      and an attacker is targeting you specifically

      I don't think that's a requirement - couldn't a guy just listen for all SSID broadcasts and then connect to whatever PC he manages to fish?
    • What you said. If you're vulnerable to any real compromise from this you probably got compromised long ago in some other circumstance.
    • Re:Dont panic (Score:2, Insightful)

      by mysidia ( 191772 )

      It's one of those, ...they can make your connection pass through a 'transparent' proxy logging everywhere you visit, capturing a copy of e-mail in transit over plaintext protocols, and possibly modify a file you download... flaws.

      Think you're downloading something from your OS vendor? (Silent file replacement by hacker attached to Wireless Access Point).... Oops!

    • Right. No need to worry. Until you start thinking about the big picture. It's not just this one flaw that's worth worrying about, it's the combination of Windows' security flaws that are the problem.

      You're sitting in your local coffee shop and someone is there listening for signals... they connect to your machine, install a VBScript that runs periodically and attempts delivery of a payload to any machines available on whatever network you connect to. Or perhaps one that simply puts an e-mail in your ou
    • I haven't R'd TFA, but I see a problem with your logic already. If you've got the firewall set to allow Windows filesharing, then they'll be able to connect to your machine and get files off it. Similar for any other protocol for sharing files. It wouldn't take long to do a portscan of all 65,536 ports and see what responds in some way, rather than ignores you. Then you've got a starting point for some way to get into the target machine.

      That's the problem with most people's view of security. If there's
  • Encryption? (Score:5, Interesting)

    by joepeg ( 87984 ) on Sunday January 15, 2006 @08:53AM (#14475388)
    What if the laptop's last SSID required WEP or WPA (and has it configured in a profile)? Will it still connect if _less_ security is required?
    • Re:Encryption? (Score:3, Insightful)

      by hackstraw ( 262471 ) *
      What if the laptop's last SSID required WEP or WPA (and has it configured in a profile)? Will it still connect if _less_ security is required?

      What difference does it matter?

      This would have to be a direct targeted attack on an individual or small group of individuals, but is still possible.

      Script kiddie situation:

      Sets up rogue WAP, and gives free internet connection to the laptop. All ssh and SSL or other encrypted channels go through the free WAP.

      Advanced script kiddie situation:

      Sets up rogue WAP, and gi
      • There are people [remote-exploit.org] who work on this very thing. Evil Twins are one of wireless networking's biggest vulnerabilities, and they're why I connect to unsecured WAPs and then immediately connect to my VPN with MS-CHAPv1 [crimemachine.com] authentication disabled.

        You're right about the Man-in-the-Middle SSL attacks [crimemachine.com]; getting your username and password is just the beginning, but it's a damn good start.
  • Security? (Score:5, Funny)

    by yobjob ( 942868 ) on Sunday January 15, 2006 @09:00AM (#14475410) Homepage
    Does anyone actually secure their wireless network? I actually have the problem that, on startup, my computer connects to my neighbour's wireless network instead of my own!
    • Re:Security? (Score:3, Informative)

      by TubeSteak ( 669689 )
      I secure mine, my neighbor doesn't secure theirs, my whole freakin neighborhood is practically unaware of this "security" business.

      netstumbler + usb wifi (better reception) in any residential area will show you how little people know/care.

      As for your PC connecting to a network other than the one you want, you can tell windows which networks are "preferred" and they can be placed in order of preference.

      right-click on the network icon ---> status ---> properties ---> wireless networks ---> (the "
      • Not in any. In my area, I see up to 7 Networks, all of them are protected.
      • I secure mine, and about 8 out of the 14 I see (incl. mine) are secure. I use Linux, so my card will only connect to the SSID I tell it to- it will never scan. And since I have it set on DHCP, the interface will never become activated unless it manages to find a network with the same SSID and WEP key as mine and gets a DHCP address. It will not give itself an IP automatically like the Windows machines.
    • by Lxy ( 80823 ) on Sunday January 15, 2006 @09:29AM (#14475478) Journal
      No they don't. True story:

      I bought a new wireless card for Christmas. I was working on getting the madwifi stuff working in Debian and I decided not to set up my AP until I had my wireless card working. Besides, I'm a n00b to wireless under linux so I wanted to take appropriate precautions.

      I got the card working, and iwlist brought up two APs in my neighborhood. One named "simpsons" and one named "zr45ytg" or something similar with WEP enabled. Not being 1337, I left the WEP one alone (for now) and decided to hop onto simpsons. As you can probably guess, I was given a private IP and internet access. A quick nmap showed two Windows machines connected, using smbclient I found an open printer share.

      Digging farther, I tried to log into the AP itself. Linksys WRT54G with, you guessed it, default passwords. Oh, let the fun begin! I changed his SSID to "0wn3d" and sent the relevant sections of the Linksys WRT54G manual to his printer. This guy now should know how to set up WEP and change his admin password. He should also notice that his SSID changed.

      One week later, still broadcasting an SSID of 0wn3d, no WEP, and default admin password. Either he didn't get the message or he's illiterate. Oh well, free internet for me!
      • Here's the complete text of War and Peace [friends-partners.org]

        Try printing that out and see if he doesn't notice.
      • Re:Security? (Score:5, Insightful)

        by David Horn ( 772985 ) <david@p o c k e t gamer.org> on Sunday January 15, 2006 @10:20AM (#14475632) Homepage
        And suppose he doesn't want to have to worry about securing his wireless network if all he uses it for is checking the news on his laptop? Little scroats like you who think it's helpful to mess around with other people's equipment should be shot.

        If you're capable of doing that, why didn't you just print off something telling him his network was unsecured, include your phone number and offer to go over and sort it out for him? Let me guess, you're about 13 years old?

        I'm unfortunate enough to have one of those WRT54G access points, and due to a hardware flaw I can't run it with WEP *OR* WMA *OR* MAC filtering. I need to get a replacement, but right now I don't have the time to sort it out. So it's unsecured (but I did change the admin password.)

        What you need to do is try to help other people, rather than lord it over them. This is why anyone that works in IT is treated like shit, because end users assume we hate them and won't do anything to help.

        Get a life, and to hell with my karma.
        • Re:Security? (Score:2, Interesting)

          by kevinl ( 38843 )
          He shouldn't be connecting to his neighbor's open network at all. Would you stroll into your neighbor's house if you found a door left ajar?

          Printing your name and phone number is just as wrong as printing instructions for securing the network, and is way dumber. There are lots of people in the world who are going to consider this an intrusion, and report it to law enforcement. Do you really want a visit from the police as thanks for your "helpful" offer?

          If you find an open network, leave it alone. If yo
          • Why? By leaving it open they are following standards to tell me that they are kindly allowing me to use their network. I do, with thanks if I know whose it is.
            • WTF are you smoking? How the hell can you conclude that leaving a network open creates an implied "use me" policy?

              Last time I checked, you have no right to be on a network (wired or wireless) unless you have been explicitly granted permission by a person in a position of authority over said network. Just leaving the network open is not a grant of permission.
              • Re:Security? (Score:2, Interesting)

                by TerranFury ( 726743 )

                > WTF are you smoking? how the hell can you conclude that leaving a network open creates an implied "use me" policy?

                If things like public municipal WiFi are to take off, we can't have that point of view.

                Let's say I'm the city of Philadelphia and I want to put free WiFi in the parks. If there's a legal precedent that says you're not allowed to use WAPs you stumble across, then this idea will never take off.

                Or what if we want WiFi to become a truly open broadcasting medium? What if I want to stre

                • Re:Security? (Score:3, Informative)

                  by YrWrstNtmr ( 564987 )
                  A public park, with an unlocked gate - free and open for all to use
                  A private house with an unlocked door - Not free and open for use, stay the hell out.

                  An AP that is meant to be open is fine. That's what the owners/administrators intended. A private AP in someone's house is not necessarily open for all to use. It may be, if that is what the owner intends. But just because it is unsecured is not necessarily an invitation or permission to use it.

                  • A private house with an unlocked door - Not free and open for use
                    When you broadcast your messages onto my property, does that not change things? If I simply fail to discard the messages you send within earshot, am I at fault? Yes, passive listening is different than active communication, but if we can listen, and you can broadcast messages from your private property to my private property without a problem, why can I not respond?
                    • Re:Security? (Score:2, Informative)

                      by vux984 ( 928602 )
                      Because they are not being broadcast into your private property. They are being broadcast within his own private property and spill over into yours.

                      If your neighbor calls out to his kids in the yard that it's dinner time, and you can hear him from your yard, would you show up at his table ready to eat? After all, "it was a clear invitation for dinner broadcast into your private property", right? Your neighbor wasn't speaking in code, and his door was unlocked too.

                      Perhaps your neighbour ought to install some so
              • The electromagnetic spectrum from his AP is being broadcast into my house. If he doesn't want me using it, he shouldn't be sending it to me, especially unprotected.
                /devil's advocate
                • Re:Security? (Score:2, Informative)

                  by bhawbaker ( 576764 )
                  The pita bread you are cooking, I can smell it all the way over at my home... by your logic, I guess I can just head over and eat your pita bread when you leave it at the window sill for cooling?

                  I can smell you smoking out in my back yard.. I guess I'll come over and take away some of your cigs to smoke.

                  Light straying from your living room is entering mine.. I guess I'll read my newspaper in your living room.

                  You are watering your grass and it is leaking into my yard.. I guess I'll use your hose to water my grass.

                  tr
                  • Re:Security? (Score:3, Insightful)

                    by cbiltcliffe ( 186293 )
                    the pita bread you are cooking, i can smell it all the way over at my home... by your logic, i guess i can just head over and eat your pita bread when you leave it at window sill for cooling ?

                    That involves you going to get something, trespassing on your neighbour's property at the same time. Wireless is sent to you, in your house. Not the same at all. It would be closer to you being allowed to sit at your window and smell your neighbour's cooking to your heart's content. The smell is being "broadcas
    • I do. If you've got a Linux box that's always on and hardware that supports it, there's no excuse for not having WPA Enterprise with EAP-TLS.
  • by Anonymous Coward on Sunday January 15, 2006 @09:07AM (#14475427)
    O.K. Folks, if you program your Linux laptop to connect to an ad-hoc network and broadcast SSIDs, this behaviour is going to occur on Linux too.

    This isn't just an MS Windows flaw . . . it is a flaw in the way that the administrators (users) manage the machines.

    I wish you all would quit pointing fingers. This isn't some kind of new thing.
  • What?! NO! (Score:3, Funny)

    by mike518 ( 869465 ) on Sunday January 15, 2006 @09:09AM (#14475432)
    Another Networking Flaw? Damn, I mean the first 74 were completely predictable, but I have to say this one caught me completely off guard. You win this round malicious hackers *shakes fist into air*.
  • by dangermen ( 248354 ) on Sunday January 15, 2006 @09:11AM (#14475437) Homepage
    This is old info and has been known for a while. Anyone having used Kismet or some other sniffer at a public place has seen this.
  • String quartet? (Score:4, Informative)

    by julesh ( 229690 ) on Sunday January 15, 2006 @09:13AM (#14475443)
    Loveless then created an ad hoc network with the same name, and told his computer to go ahead and connect to "hackme." Viola!

    Violin! Cello!

    Seriously, though, TFA doesn't seem to say quite the same thing as the summary. The demonstration the reporter saw involved him setting up an ad-hoc network, and then the security researcher was able to connect to it. Err... that's how it's supposed to work.

    The article then goes on to assume that this will happen when you connect to access points and then leave them, but you don't usually set up an ad hoc network for that process. Has he just got something wrong? Missed a step out or something? Is there a URL for a technical level article on this flaw?

    Should you at a later date happen to open up your laptop in the vicinity of another Windows user who also had recently gotten online at Starbucks, those two machines may connect to each other without any obvious notification to either user

    You mean other than the big speech bubble thing popping up and saying "Wireless Network Connection now connected to T-MOBILE"?
  • by Ckwop ( 707653 ) * on Sunday January 15, 2006 @09:15AM (#14475448) Homepage

    This is a common security problem: useless or rarely used functionality. As I've said before, functionality sells whereas security doesn't. Spend a million dollars on functionality and you (hopefully) get a product that can sell for more money. Spend a million dollars on security and you have almost nothing tangible to show for it.

    Before this article, I didn't even know that "link local" thing existed. I'm guessing that this is probably quite representative of the Slashdot crew. The question, then, is why on earth is it on by default and why is it even there in the first place?

    This is not just a Microsoft issue, this is an issue that applies to nearly every computing project. I was recently playing with Knoppix and two things struck me:

    1. Holy shit, out of the box you can actually do real work with this software.
    2. Holy shit, I have three different products that do exactly the same thing. That's a lot of surface area for attack.

    My parents got a new HP computer a month or so ago and I've just gotten round to doing a proper security shake-down on the XP box. I was surprised to find the Python runtime on the computer. Most of you would say, so what? Or perhaps, even applaud HP for doing this. From a security perspective, I think it's downright silly. What possible use could my parents have for the Python runtime? Absolutely none. They'll be running Open Office, Gmail and iTunes till the cows come home, so all this does is open another vector for attack. Don't install stuff on computers that your customers will likely never need.

    Of all the pieces of software out there at the moment, Windows XP is the most frustrating. In terms of security, XP should completely out-class Linux/Unix in every metric of measurement. Instead, it's the most disease ridden piece of shit ever conceived by humanity. It's a shame because it could have set a really high standard for everybody in the industry but through a choice of poor defaults they condemned their own product to be a liability to CTOs everywhere. If they'd had some sense, they would have chosen defaults like this:

    1. This is an obvious one: Users should not run as administrator by default.
    2. Software Restriction Policies should be on by default - in both XP Pro and XP Home
      • Everywhere should be marked "No-Execute" except for C:\Program Files and C:\Windows.
    3. The user should only be able to write to their user directory structure by default. Everywhere else should be read-only.
    4. The Windows Scripting Host should not be installed by default.
    5. ActiveX should be off by default in IE.

    I haven't got any figures on how many viruses/malware this configuration would stop but I imagine it's somewhere in the region of 99%. If Microsoft had taken the time to consider the platform in a more paranoid sense they could have produced a product of barn-storming quality. Instead, they listened to the marketing people and we all know what result that led to.

    Simon

    • If ActiveX was off by default, how would people use Windows Update?

      I'm not disagreeing with you in general, but on that point, I can definitely see why they'd leave it on by default.
      • by Ckwop ( 707653 ) * on Sunday January 15, 2006 @09:36AM (#14475491) Homepage

        If ActiveX was off by default, how would people use Windows Update?

        Simple! Change Windows Update! Why should Windows Update be a web-application anyway? Actually, it's damn scary that it's a web-application. Doesn't it strike you as odd that a web-application can so thoroughly inspect your system to determine your patch-level on a whole host of products?

        There is no excuse for ActiveX being on by default and the proof of Microsoft's commitment to security will come with the launch of Internet Explorer 7. If it's still on by default in their latest version then we know their grand security initiative was nothing but hot air.

        Simon

        • Why should Windows Update be a web-application anyway?

          I'm not entirely sure that it is. The service must be running for the updates to happen.
        • Simple! Change Windows Update!

          Actually, they wouldn't have to do anything. Enable automatic updates by default, and let automatic updates take care of everything. The people savvy enough to use Windows Update can probably enable ActiveX for microsoft.com.
        • The way MS could do it is have the updater app run separately from the browser, and have AX enabled in there.

          In the absence of that, you can run Windows/Microsoft Update by going to zone security:
          - turning off download/run ActiveX controls in the Internet zone
          - going to the trusted zone and marking it as medium security, with prompted ActiveX enabled. [Why does the trusted zone exist, is there some web site you really trust to install unsigned ActiveX?]
          - turning off "require https" for trusted sites, and adding *.microsoft.com
      • You can create custom security zones which don't show up in IE. Those zones are site-specific and could configure just the Windows Update site to have access to ActiveX. Microsoft could ship Windows with such a zone set up.
        • Except the big security issue with IE is that the security zones tend not to work properly.

          Furthermore, it would be totally unrealistic to ship IE with no ActiveX support, just like you would never want Firefox with no Plugin or Extension support -- too much useful stuff plugs into the browser .. and ActiveX is IE's plugin interface.

          However, what MS could do is completely remove the Package Download & Install feature. You could still go to Windows Update (etc), but you would need to install the WU software f
      • > If ActiveX was off by default, how would people use Windows Update?

        With Windows XP you'd have the "autoupdate" and "bits" services running all the time, and you'd have automatic updates set to download and install updates automatically. No need to browse to http://windowsupdate.microsoft.com/ [microsoft.com] - just click "yes to reboot now" when prompted.

        This is what MS intended, and for someone with no idea what updates are (never mind what a particular update is for), it probably makes sense - same as it makes sens
      Spend a million dollars on security and you have almost nothing tangible to show for it.

      Lose a million dollars, and you wish you had done things differently.

      Security is directly proportional to the stuff you are securing. I don't put a chain and padlock on my wallet, because it is rare that there is $50 in it, and my drivers license and work IDs are more valuable than that to me.

      When the Brinks truck comes by work to pick up and deliver the cash to the bank, they have a big strong truck and a guy or two w

      • My house has glass doors and windows (not Microsoft).

        If someone really wanted to steal my stolen music, they could easily take my whole computer and stereo while I'm at work. More risky if caught, because I'd fuck their world up. But its certainly easier than breaking into my Mac via the network. And more profitable because they either get a nice computer, or can sell it for at least $1k.

      The problem is that in a GPC one does not know what the useless or rarely used functionality is. That is why it is general purpose. For instance, for years I had no use for a cigarette lighter, but now it is repurposed as a power source, I am glad that it was not removed.

      So how do we approach building a GPC OS. With MS it is putting all the functionality at the OS level so that users can have guaranteed access, and then work to secure the system. On *nix, it is have a large group of utilities, install

    • If Microsoft had taken the time to consider the platform in a more paranoid sense they could have produced a product of barn-storming quality. Instead, they listened to the marketing people and we all know what result that lead to.

      yeah, they've got about 95% of the OS market and, what, 80% of the desktop W/P, spreadsheet and presentation software markets. Record profits every year without fail. Bill Gates has so much money he's pitch-forking it at deserving causes as fast as he can go, and still gets ric

  • by m50d ( 797211 ) on Sunday January 15, 2006 @09:19AM (#14475462) Homepage Journal
    I mean, I know windows security is bad, but is it really considered a compromise to simply be on the same network as the attacker's machine?
    • Well, unless you're running a software-based "firewall" on your machine, you're pretty much open to any sort of network-based attack. Frankly, I see remotely connecting to someone's LAN as being in a nice big free-for-all of exploit-tasticness! Guaranteed fun for all involved.
    • by lheal ( 86013 )

      I mean, I know windows security is bad, but is it really considered a compromise to simply be on the same network as the attacker's machine?

      Yes. Windows trusts the network. Think Active Directory. If you can trick a Windows machine into thinking you are on its network, it will happily let you be its partner (or maybe even its server) on that network. Though you probably can't trick it into being an AD client right off, you can find out all kinds of things about it, such as any shares it has open.

      • Possible Solution (Score:2, Informative)

        by freakmn ( 712872 )
        I'm not sure if this will help your exact situation, but you could try going to the network connections box, then the advanced menu, then click on advanced settings. In there, you can change the preferred order of your networks. I've used this at work, as the laptops are set by default to use the wireless connection first, but if the wireless connection is flaky, the computer gives many network errors. Setting the wired connection as a higher priority fixes a lot of problems. The only time I've had pro
      • Windows works with multiple NICs; you just have to give devices different metric values in their route tables. Just put wireless at metric 2 and the NIC at 1 if you prefer to use the NIC whenever it is connected. You need to do a similar thing with Linux too (if using 2 NICs simultaneously).
      • The XP firewall trusts nothing on the local network except filesharing. Well, this isn't very vulnerable either. In the default state, simple file sharing, XP simply has nothing shared by default. You need to activate a shared folder, and it doesn't provide access to anything important. If a user manually enables advanced filesharing, the administrative shares then work, but you need a password. Accounts with no password aren't usable to get at them.

        As for the AD thing, it's clear you are confused. Windows do
      • > you can find out all kinds of things about it, such as any shares it has open.

        Correct me if I'm wrong, but "anonymous connections" have been disabled in recent versions of Windows ... ie, you can't see shares without authenticating first. Admittedly this was a big problem back with NT4.

  • by e271828 ( 89234 ) on Sunday January 15, 2006 @09:32AM (#14475484)
    It seems like there are two different issues in play here. The RFC referenced in the article [faqs.org] talks about link-local addressing, which is simply a way to assign an address in the 169.254/16 subnet if no DHCP server is found. It is not wireless-specific at all.

    What we have here is that, in addition to doing this, Windows is also offering to set up an ad-hoc (i.e. computer-to-computer) network on the link-local subnet with the same SSID as that of the last network the laptop connected to. I wonder what the rationale for doing this could have been. It seems to me that a machine should not offer to set up an ad-hoc network unless specifically directed to do so by the user. When such a network is set up then it is appropriate to use link-local addressing to auto-configure the interface.
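The condition the story summary describes (a laptop dropping into an ad-hoc network named after its last infrastructure SSID and self-assigning a 169.254/16 address) and the distinction e271828 draws between plain link-local addressing and the ad-hoc offer can both be checked for from the defender's side. The Python below is an added example, not code from the article or from any commenter; it assumes a constructed per-host log format of my own (timestamp, host, SSID, mode, IPv4) and flags hosts whose records show that ad-hoc, link-local reuse of an earlier infrastructure SSID, plus any ad-hoc SSID that more than one host advertises (the "two laptops connect to each other" case julesh quotes from the article).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real captures): one line per wireless
# interface state change, in the assumed format "timestamp host ssid mode ipv4".
SAMPLE_LOG = """\
2006-01-15T08:40:00 laptop-a hackme infrastructure 10.10.0.21
2006-01-15T08:41:00 laptop-b T-MOBILE infrastructure 10.10.0.22
2006-01-15T08:52:00 laptop-a hackme adhoc 169.254.33.7
2006-01-15T08:53:00 laptop-b T-MOBILE infrastructure 10.10.0.22
2006-01-15T08:54:00 laptop-c office adhoc 192.168.1.5
2006-01-15T08:55:00 laptop-d hackme adhoc 169.254.9.9
"""

# IPv4 link-local range, self-assigned when no DHCP server answers (RFC 3927).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def is_link_local(addr):
    """True for an IPv4 address inside 169.254/16; False for anything else,
    including strings that are not addresses at all."""
    try:
        return ipaddress.ip_address(addr) in LINK_LOCAL
    except ValueError:
        return False


def parse_log(text):
    """Parse the constructed whitespace-separated format into dicts,
    sorted by timestamp so per-host history can be replayed in order."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, ssid, mode, ip = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "ssid": ssid,
            "mode": mode,
            "ip": ip,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def find_exposed_hosts(records):
    """Hosts that went from infrastructure mode on some SSID to an ad-hoc,
    link-local network with the same SSID. Link-local addressing on its own
    is not flagged; only the combination with the ad-hoc re-advertisement is.
    Returns {host: ssid}."""
    seen_infra = defaultdict(set)
    exposed = {}
    for r in records:
        if r["mode"] == "infrastructure":
            seen_infra[r["host"]].add(r["ssid"])
        elif (r["mode"] == "adhoc" and is_link_local(r["ip"])
              and r["ssid"] in seen_infra[r["host"]]):
            exposed[r["host"]] = r["ssid"]
    return exposed


def adhoc_ssid_collisions(records):
    """Ad-hoc SSIDs advertised by more than one host; two such machines can
    associate with each other without either user asking for it.
    Returns {ssid: sorted list of hosts}."""
    hosts_by_ssid = defaultdict(set)
    for r in records:
        if r["mode"] == "adhoc":
            hosts_by_ssid[r["ssid"]].add(r["host"])
    return {s: sorted(h) for s, h in hosts_by_ssid.items() if len(h) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(find_exposed_hosts(recs))      # {'laptop-a': 'hackme'}
    print(adhoc_ssid_collisions(recs))   # {'hackme': ['laptop-a', 'laptop-d']}
```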

  • by gEvil (beta) ( 945888 ) on Sunday January 15, 2006 @09:47AM (#14475522)
    Viola! His machine was assigned a different 169.254.x.x address...

    Good to see that technology journalists are so enthusiastic about orchestra instruments.
  • by avalys ( 221114 ) on Sunday January 15, 2006 @10:36AM (#14475678)
    I would hardly call this a vulnerability. You're certainly no more vulnerable if someone exploits this little "feature" than you are at any other time you're connected to a network.

    This is such a complete non-issue, it's like a freaking joke. Read the article - all a hacker might gain some this vulnerability is the ability to connect to your computer, as if it was still on a wireless network, after you've moved outside the range of an access point. Big deal. But the author and "discoverer" both talk about it like this is a remote root exploit or something. At one point, the author includes this little gem: "As Loveless pointed out, this "feature" of Windows actually behaves somewhat like a virus." Virus, my ass.

    What's with all the foaming-at-the-mouth hype about these minor little things lately? It's counterproductive - going berserk over every slight issue that might, in some fantastic combination of circumstances, be a security problem takes away attention from flaws that actually matter.

  • Not really that funny (Score:3, Interesting)

    by MECC ( 8478 ) on Sunday January 15, 2006 @10:54AM (#14475756)
    "The funny part from the Post blog entry is that Microsoft helped author the RFC for link local."

    I really don't see how MS helping to author a useful RFC is funny, or even relevant. What's funny is that someone at MS somehow thought it would be a good idea to open up a system to the entire world, since it's clearly a thinking flaw as opposed to the usual QA flaw.

    Speaking of thinking flaws, how about this one: If a laptop running XP has wired and wireless connections going, XP asks the user if they want to share their connection. User clicks 'yes'. XP bridges wired and wireless for them. XP also broadcasts on both sides that it will be a gateway for other systems running XP (via NetBIOS-over-IP, IIRC). Those systems get on board, and make that computer their default gateway.

    Then the computer 'sharing' its connection, and all its 'victims' are suddenly very slow. There never seemed to be a straightforward way to prevent the other XP computers from making the dual-connected XP system their default gateway. If you manually change the default gateway on the victim systems, they just switch back to the dual-connected XP box. I don't know if XP still does this, but talk about stupid.

    Seriously, who the hell thinks this kind of thing up? Do they have brain stem storming sessions or something?

  • by vsync64 ( 155958 ) <vsync@quadium.net> on Sunday January 15, 2006 @11:15AM (#14475856) Homepage
    Oh noes! If my network interface is up you can send me packets that I have to accept or reject?1!!?!? HWATEVER SHALL I DO PLEASE HELPE ME

    i have heard of an even worse vulnerabelity! if you hack yuor micthorwave oven to have teh door open it will JAM MY 80211 packets!!?!!?!!?!?!?!!?!

    Also risk of cooking!

    tell steve gibson of GRC he will save us

  • is any more of a threat than one on an Infrastructure?

    Packets are packets. This article should have been titled, "DANGER: WiFi at Hotels and Starbucks are safe, ad-hocs are not." ...Unless you've configged your laptop to always assume it will be constrained behind a NAT, exposed to a subnet of trusted hosts only. Yeah, right.
  • In the end, the "victims" computer is simply connected on a network with the attacker. That is all. It's the same vulnerability as if you're on a normal network. This time, you just don't realize that you're on a network.

    If you're running windows firewall, I think you'll be all right. Unless you have other security problems already, this won't hurt you at all.
  • This is no news. Just because it is done by a local network doesn't make it interesting. For instance, the same thing can be done with devices seeking an access point. If you don't know this already, be informed that 'regular' PCs can be used as an access point with the proper drivers and OS. The Fake AP problem really hasn't been exploited to the extent it could be. As far as I know -- maybe in some places, it has.
  • Solution for Windows (Score:3, Informative)

    by SirDaShadow ( 603846 ) on Sunday January 15, 2006 @03:18PM (#14477036)
    Here's how to fix this on Windows:

    Start->Control Panel->Network Connections->Double Click on your Wireless Connection->Properties->Wireless Networks->Advanced->Choose "Access point (infrastructure) networks only". Click the Close button, then click OK all the way back. Done.
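    The GUI path above is XP-specific. As an added example (not from the poster or from Microsoft), here is the same audit and fix scripted for a later Windows: the first function lists wireless adapters that have fallen back to a 169.254/16 link-local address, which is the "no DHCP lease found" state the e271828 comment above describes and the state in which the thread says the last SSID gets re-broadcast; the second applies a wlan filter that refuses every ad-hoc network, the closest equivalent of "infrastructure networks only". Assumptions: Windows 8 or later for the Get-NetAdapter/Get-NetIPAddress cmdlets, Windows 7 or later for netsh wlan filters, and an elevated prompt for the netsh add. The function names are mine.

```powershell
# Added example, not code from the original post.
# Assumes Windows 8+ (NetAdapter/NetTCPIP modules) and Windows 7+ (netsh wlan).

function Get-LinkLocalWirelessAddress {
    # Return every IPv4 address in 169.254/16 bound to an 802.11 adapter.
    # Such an address means the adapter got no DHCP lease and self-assigned
    # an APIPA/link-local address (PrefixOrigin 'WellKnown', SuffixOrigin 'Link').
    $wifi = Get-NetAdapter | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
    foreach ($nic in $wifi) {
        Get-NetIPAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -like '169.254.*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Adapter      = $nic.Name
                    Status       = $nic.Status
                    Address      = $_.IPAddress
                    PrefixOrigin = $_.PrefixOrigin
                    SuffixOrigin = $_.SuffixOrigin
                }
            }
    }
}

function Block-AdHocWlan {
    # Deny every ad-hoc (computer-to-computer) network, so the machine can
    # neither join nor be coaxed into one by an attacker cloning the last SSID.
    # Undo with: netsh wlan delete filter permission=denyall networktype=adhoc
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('WLAN filters', 'deny all ad-hoc networks')) {
        netsh wlan add filter permission=denyall networktype=adhoc
    }
    # Show the resulting filter list so the change can be verified.
    netsh wlan show filters
}

# Usage:
#   Get-LinkLocalWirelessAddress   # empty output = no wireless adapter on APIPA
#   Block-AdHocWlan -WhatIf        # preview
#   Block-AdHocWlan                # apply (elevated prompt required)
```

    Note that the filter only stops ad-hoc association; a laptop that has silently fallen back to 169.254.x.x is still exposing whatever services listen on that interface, which is the point several posters make below, so the host firewall still has to be on.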
  • After reading several of the comments, we should just trump our previous definition of "vulnerability".

      If you have a computer and its power is *ON*, it's vulnerable to something.

      Next week I will show that even a computer in which its power is *OFF* is vulnerable to the 8lb sledge hack.
  • Built in XP Wireless stinks.

    It does not give a detailed level of signal strength, it is limited to 1-5 bars.

    It will drop the connection far more often than manufacturer's utilities. In other words, don't bother playing online games on it.

    The window isn't resizable. When did Microsoft think this was a good idea?*

    Security passcodes have to be entered twice. That's terrible when the passcode is 10+ characters, and you can't see what you've typed in either.

    It won't re-enable at times for no apparent rea
