Recently I have been trying to figure out how to keep the laptops in our office from grabbing an IP address on the wireless connection when they are plugged into the local LAN, which leaves them holding two IP addresses, not to mention the security implications. One would think this would have been thought of early on and included in the operating system, or, at the very least, be something you could do with Group Policy on a domain controller. Nope, at least as far as I have been able to tell. I'm still a little hopeful that I might be able to figure out some registry keys to change; once I find a better registry monitor than the one I have, maybe I will figure it out.
It is very easy on most laptops to turn off the wireless connection, such as by hitting the function key and F2 on a Dell laptop, but who wants to rely on users pressing a key combination every time they log in to our network? It has to happen automatically when you dock your laptop or plug in an Ethernet cable. Below I outline what I did to make it happen on several different laptops, the ones we actually use in the office. Click on the image to see the larger size.
Dell laptops with a Dell wireless adapter in them are very easy to disable when connected to a wired network: the adapter has a setting called "Disable Upon Wired Connect". All you have to do is go into Device Manager, find the network adapter, double-click it and go to the Advanced tab. Enable this setting and it will turn off the wireless card when connected to your LAN.
Unluckily for us, most of our Dell laptops have an Intel wireless adapter, such as the PRO 2200BG, and those do not have this feature. You need to install the Dell QuickSet utility (get it here: enter your model and search for QuickSet), and then go into the location profiles setting:
Next you need to go into the General Mobility Settings and select Modify Settings:
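For laptops whose adapter has no "Disable Upon Wired Connect" option, the same effect can be scripted; this is an added example, not part of the original post or the QuickSet utility. It assumes a Windows machine with netsh, reads the adapter table that `netsh interface show interface` prints, and disables any adapter whose name marks it as wireless while a wired adapter reports Connected (the name hints and the sample output below are constructed assumptions).

```python
"""Disable wireless adapters while a wired link is up (added example)."""
import re
import subprocess

# Constructed sample of what 'netsh interface show interface' prints; not
# captured from a real machine, but it follows netsh's column layout.
SAMPLE_OUTPUT = """\
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        Local Area Connection
Enabled        Disconnected   Dedicated        Wireless Network Connection
"""

# netsh lists wired and wireless NICs alike as "Dedicated", so wireless
# adapters are picked out by name. Assumption: adjust to your adapter names.
WIRELESS_NAME_HINTS = ("wireless", "wi-fi", "wlan")


def parse_interfaces(text):
    """Return (admin_state, state, interface_name) for each adapter row."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(Enabled|Disabled)\s+(\S+)\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(4)))
    return rows


def is_wireless(name):
    return any(h in name.lower() for h in WIRELESS_NAME_HINTS)


def plan_commands(rows):
    """Wireless goes admin=disabled while any wired adapter is Connected,
    and back to admin=enabled once no wired link is up (undocked)."""
    wired_up = any(state == "Connected" and not is_wireless(name)
                   for _admin, state, name in rows)
    want = "disabled" if wired_up else "enabled"
    cmds = []
    for admin, _state, name in rows:
        if is_wireless(name) and admin.lower() != want:
            cmds.append(["netsh", "interface", "set", "interface",
                         f"name={name}", f"admin={want}"])
    return cmds


def apply(dry_run=True):
    """Run from a scheduled task or logon script; needs admin rights to
    change adapter state. With dry_run the commands are only printed."""
    out = subprocess.run(["netsh", "interface", "show", "interface"],
                         capture_output=True, text=True, check=True).stdout
    for cmd in plan_commands(parse_interfaces(out)):
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    apply(dry_run=True)
```

Trigger it from a scheduled task on network-connection events (or a logon script) so the switch happens without the user touching a key.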
Things just get worse and worse for mobile users who take advantage of cheap or free wireless hotspots. This attack involves the cookies that websites use to keep users' information so they don't have to log in every time they visit; Gmail is a great example, and the one they used to demonstrate how easy it really is.
Prior to the demonstration, which involved the live hijacking of a Google mail account (GMail), many sites were thought to be safe because they encrypted the data swapped back and forth when people login.
However, Mr. Graham carried out his attack on the unencrypted cookies, tiny text files, many sites use to identify people that regularly return.
The tools created by Mr. Graham, called “Hamster” and “Ferret”, watch the traffic flowing in and out of public wi-fi hotspots and let attackers grab cookies as they are passed back to people logging in to their webmail or social network account.
Using the cookie an attacker could pose as a victim and enjoy almost the same level of access to an account as its rightful owner. Source: Warning of webmail wi-fi hijack
Lots of wireless networking in the news today.
Honey, there's a guy in the yard using our Wi-Fi and he wants a decaf latte. While most Internet service providers don't allow users to share access on their wireless networks, Time Warner Cable, in cooperation with Spanish start-up Fon, is encouraging customers to set up their own residential hotspots. Fon builds a router that splits a Wi-Fi connection in two: one private, for the owner, and one public; the owner allocates the bandwidth available for each.
Does London Have a Reason to Mesh? London is officially jumping on the mesh Wi-Fi bandwagon today with operator The Cloud switching on the 127-node network built with BelAir Networks gear. With some of the large-scale Wi-Fi networks like Taipei's slow to bring in a significant amount of users, it's becoming clear that networks need to be built for a variety of specific uses like public safety, or smartly targeted at a population that will actually utilize Wi-Fi services. It's not as easy as "build it and they will come."
Wi-Fi cloaks the City of London The service, launched Monday by The Cloud Networks, uses mesh technology to provide continuous connectivity to more than 350,000 users located in the 2.6-square kilometer city borough, in addition to the thousands of people visiting the area each day.
Wi-Fi-Sharing Communities Rise Up The Wi-Fi business is about to change, big time. One indication: A deal between FON and Time Warner Cable. The cable company agreed to allow its customers to share their bandwidth through FON’s global Wi-Fi sharing community, whose users can use each other’s Wi-Fi access points for free.
Fon Loops in Time-Warner in First US Deal Time Warner Cable will allow its 6.6m broadband subscribers to share their connections via Fon: The Spanish startup has based its strategy on leveraging existing broadband connections, and, in fact, pitching to ISPs that more connections would be installed as a result of Fon's approach. Fon turns its members' (Foneros) access points into hotspots that cost about $2 or €2 for access. You can also share your Fon hotspot at no cost to a like group of Foneros.
802.11r: Wireless LAN Fast Roaming For Wi-fi to serve as a foundation for mobile applications and voice, networks must provide secure mobility. And to achieve that, mobile devices need robust authentication and encryption, fast roaming and QoS (quality of service). Enterprise IT pros should pay attention to the IEEE’s 802.11r fast-roaming task group, whose standard is likely to make its way to market by late 2007 or early 2008, with broad adoption by enterprise solution providers in 2008.
Public Wi-Fi may turn your life into an open notebook Several tables away was a guy sitting alone with his own laptop. “He’s starting a business,” Cheung said. And the young couple in the far corner? “They’re getting married,” he confided. Cheung isn’t psychic. He had hacked into the coffee shop’s wireless Internet connection on his Toshiba laptop. It took him all of about five minutes to do so, using free software available online.
Or, did you configure that router or just plug it in?
This is available in PDF format, here. Symantec has a video on this page Drive-By Pharming: How Clicking on a Link Can Cost You Dearly, and some more info.
For background, the DNS system, or domain name system, is what allows us to just type www.bank.com into our browser and have that web page appear. Each website has at least one IP address (sometimes more, sometimes shared) that we connect to, and DNS is like a big phone book that our computer checks to find out where to go. When you type www.bank.com, your computer checks several spots to find out how to reach the website; the DNS servers have all of the domain names mapped to IP addresses, so your computer asks DNS and DNS says "go to this IP address".

If a hacker changed your DNS server to one of theirs, they can tell your computer where to go. So when you typed www.bank.com, it would send you to a different IP address, one hosting the hacker's version of the website, where they could record all of your info as you type it in. Now they have your user ID and password and can do whatever you can do in your bank account. The only thing that could possibly give it away is that when it tries to log you in, you don't actually get logged in. They could set up a redirect to the real bank, where you could log in, but this could cause problems too, as your computer thinks www.bank.com is on a different IP address and would end up sending you back to the hacker's site, causing even more confusion on your end. There are probably workarounds to that as well, such as depositing a hosts file on your computer, etc.
The easiest workaround is to change the password on your wireless router. In most cases it is pretty simple and definitely worth the time to keep this from happening to you. Instead of detailing each individual router, here are some links to information on the different routers and how to change the default password.
D-Link: when you click this link, it will ask you where you are (US, Canada, etc.); pick your country, then come back to this link and click it again and it will take you straight to the page.
As you can see, it is pretty simple to change it. To log in to most routers, you would connect to http://192.168.0.1; I say most because I have seen a couple that used a different default IP address, the one that comes to mind being one of Microsoft's. You can probably find the spot to change the password very easily; use the links above if you have trouble locating it.
I will try to post these malicious sites here as we, the security researchers and other security sites, find them, and as always, let's be careful out there.
I believe I have mentioned before, in a couple of different posts, how people could use wireless connections, such as the ones in Starbucks or the unsecured ones in their apartment building or neighborhood, to cover their tracks when they are doing something wrong. Most recently I mentioned it in this article at Revenews.com, titled Child Porn Database Bill, which describes a bill Senator McCain has introduced to create a national database of child porn that ISPs could use to catch pedophiles sending pictures to each other.
The Washington Post has an article today about the same problem: a suspected pedophile exchanging child porn online, but when the police track down his IP address and knock on the door, a totally unexpected person greets them.
Detectives arrived last summer at a high-rise apartment building in Arlington County, warrant in hand, to nab a suspected pedophile who had traded child pornography online. It was to be a routine, mostly effortless arrest.
But when they pounded on the door, detectives found an elderly woman who, they quickly concluded, had nothing to do with the crime. The real problem was her computer’s wireless router, a device sending a signal through her 10-story building and allowing savvy neighbors a free path to the Internet from the privacy of their homes.
Perhaps one of those neighbors, authorities said, was stealthily uploading photographs of nude children. Doing so essentially rendered him or her untraceable. Source: WiFi Turns Internet Into Hideout for Criminals
Until there are easy ways for people to monitor their own networks themselves, this will continue to be a problem; if the security were easy to set up to start with, this wouldn't be as much of a problem. Cafes, libraries and other sites, like Starbucks, that offer free Wi-Fi need to make people sign up to use it, possibly even have someone who works there set up the client, or even use some proprietary solution, to somehow make it easier to track who is using it and for what.
Microsoft has finally patched the hole in their Wireless Security Client that I posted about here, as detailed on the Security Fix website here. Although most would consider this a security update, Microsoft apparently does not, as it does not show up on Windows Update, even when you look under optional updates. You can read about it and install it from Microsoft's site here.
The upshot of all this is bad guys can take advantage of these behaviors, as I wrote in January at the Shmoocon hacker conference, where security gadfly Mark “Simple Nomad” Loveless called attention to this problem. Loveless showed that by sniffing the wireless requests sent out by a target XP machine, an attacker can learn the name of a previously associated network and force the target to connect directly to the attacker’s PC, which for all intents and purposes appears to the would-be victim as just another wireless access point (assuming the victim is even paying attention during all of this.)
“In a hall of 400-500 engineers, we hijacked upwards of 100 clients instantly, enough that our Linux laptop became unstable from all the wireless traffic passing through it,” Dai Zovi recalled in a write-up sent to the Bugtraq security mailing list. “In practice, since nearly every roaming laptop has at least one unencrypted hotspot network in [its] preferred/trusted networks, almost all Windows XP and Mac OS X laptops are susceptible to this kind of attack.”
Dai Zovi continues: “The rogue access point coerces the client into connecting to the attacker’s machine, thus obviating the firewall. This usually requires the user having Web or mail software running, but automatic outbound network requests from [those kinds of programs are] very common and these may be attacked.”
This is possible because a laptop with a wireless connection looks for access points it has previously connected to, so it will automatically connect to a laptop that claims to be one of those previous access points. From Microsoft's site:
A computer that has the WPA2/WPS IE Update installed lets users manually configure options for WPA2 authentication and encryption. However, until the Wireless Client Update is installed, network administrators cannot centrally configure WPA2 options by using the Wireless Network (IEEE 802.11) Policies node of Computer Configuration Group Policy. Computers that have Windows XP Service Pack 2 and the Wireless Client Update installed can apply these configuration options when they configure the computers by using Computer Configuration Group Policy.
On a computer that is running Windows Vista or that is running Microsoft Windows Server Code Name “Longhorn,” you can specify WPA2 options when you configure wireless networks by using the Wireless Network (IEEE 802.11) Policies node of Computer Configuration Group Policy. Source: Microsoft
This article from Bugtraq talks about how this has been around since 2004.
Our driver responds to EVERY Probe Request as it operates in HostAP mode. The wireless network is “cloaked”, so it does not send out any beacons, but when a client in range sends a Probe Request for a network (“tmobile”, “linksys”, “megacorp”, etc), the driver will respond as if it were that network. In this way, it acts as a virtual AP for any network requested. This yields an extremely effective attack that is able to cause nearly all unassociated wireless clients within range to join the rogue network. KARMA also includes a tool for passively monitoring probe requests sent out by nearby wireless clients and a framework for exploiting client-side vulnerabilities once the client has joined the rogue network (no live exploits are included, though).
In addition, our driver uncovered vulnerabilities in drivers for 802.11b-only cards where they probe for randomly generated network names when the card is not associated to a network. When the KARMA driver responds to this probe, the card and host will join the network and DHCP an address, etc. I reported this to both Microsoft and Apple in the Spring last year. Apple has subsequently fixed the issue and Microsoft said that a fix would be in the next service pack.
Again, this is not entirely new stuff. Max Moser released his HotSpotter tool in April 2004 to create a HostAP based on sniffed Probe Requests. We first released our driver implementing the parallel attack in February 2005 at Immunity's Security Shindig in NYC. However, awareness of these issues appears to still be low.
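The precondition Dai Zovi describes (an unencrypted network in the preferred list that the client joins on its own) can be audited on a Windows machine from the saved profiles; this is an added example, not code from the original post or from the KARMA authors. It assumes the XML schema that `netsh wlan export profile` writes and uses constructed sample profiles; run it over a directory of exported profiles to find the ones worth deleting or switching to manual connection.

```python
"""Audit saved Windows wireless profiles for auto-connect risk (added example)."""
import xml.etree.ElementTree as ET

# Namespace of the XML that 'netsh wlan export profile' writes.
NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profiles, not exported from a real machine.
PROFILES = {
    "tmobile": """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>tmobile</name>
<SSIDConfig><SSID><name>tmobile</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
<connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
<MSM><security><authEncryption><authentication>open</authentication>
<encryption>none</encryption></authEncryption></security></MSM></WLANProfile>""",
    "megacorp": """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>megacorp</name>
<SSIDConfig><SSID><name>megacorp</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
<connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
<MSM><security><authEncryption><authentication>WPA2PSK</authentication>
<encryption>AES</encryption></authEncryption></security></MSM></WLANProfile>""",
    "hotel": """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>hotel</name>
<SSIDConfig><SSID><name>hotel</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
<connectionType>ESS</connectionType><connectionMode>manual</connectionMode>
<MSM><security><authEncryption><authentication>open</authentication>
<encryption>none</encryption></authEncryption></security></MSM></WLANProfile>""",
}


def audit_profile(xml_text):
    """Return (profile name, list of findings) for one profile."""
    root = ET.fromstring(xml_text)

    def text_of(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    name = text_of("p:name")
    auto = text_of("p:connectionMode").lower() == "auto"
    auth = text_of("p:MSM/p:security/p:authEncryption/p:authentication").lower()
    enc = text_of("p:MSM/p:security/p:authEncryption/p:encryption").lower()
    hidden = text_of("p:SSIDConfig/p:nonBroadcast").lower() == "true"
    findings = []
    # The KARMA precondition: an unencrypted network joined without asking.
    if auto and auth == "open" and enc == "none":
        findings.append("auto-connects to an unencrypted network")
    # Hidden networks make the client send directed probe requests by name.
    if hidden:
        findings.append("hidden SSID, client probes for it by name")
    return name, findings


def audit_all(profiles):
    flagged = {}
    for xml_text in profiles.values():
        name, findings = audit_profile(xml_text)
        if findings:
            flagged[name] = findings
    return flagged
```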
Update: I just noticed the date on the Microsoft site; I guess I need to be better at following up on my posts. It looks like this has been out about three weeks already.
An exploit has been released involving a wireless driver created by Broadcom Corp. that is built into millions of new laptops from HP, Dell, Gateway and other computer makers, as well as some devices made by Linksys and Zonet. It is for a specific version, but the writer says it could easily be modified for different versions from different manufacturers. The flaw could be used to take complete control of any vulnerable machine that is within a few hundred feet. This flaw is active on most of these machines because of the background scanning the card does for wireless networks, so even if the machine is not connected to a wireless network, it is vulnerable.
A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops from HP, Dell, Gateway and other computer makers. An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet, so be forewarned that reading the rest of this post could make you awfully leery of that guy sitting in the corner booth at Starbucks gleefully clacking away on his laptop.
According to the latest addition to the Month of Kernel Bugs project, the vulnerability resides in a flawed device driver from Broadcom Corp. that is bundled with many different laptops and built in to some devices made by Linksys and Zonet. The flaw is exploitable on vulnerable Windows machines whether or not the machine is connected to a wireless network. In fact, it is the wireless card’s background scan for available wireless networks that apparently triggers the flaw. Source: Exploit Targets Widely Deployed Wireless Flaw from SecurityFix via Faill.com
Here is a quote from the original post and a link to it.
The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Broadcom has released a fixed driver to their partners, which are in turn providing updates for the affected products. Linksys, Zonet, and other wireless card manufacturers also provide devices that ship with this driver. Source: Broadcom Wireless Driver Probe Response SSID Overflow
This could be a SERIOUS problem in the future. Some organizations use Dell exclusively for their laptops, and if they don't come up with an easy way to update these laptops to the latest driver, lots of people could be exploited. I can see a whole new crop of botnets springing from Internet cafes and places that allow free wireless Internet access. Someone sitting outside with a better antenna could seriously take advantage of some organizations; this could get ugly. Ask your resellers about it now, not later, and get them working on an easy solution for you.
Update: George Ou, who writes the Real World IT blog at ZDNet, has some more information and a fix posted using an updated Linksys driver. The exploit no longer functions with this driver, but they have only tested it on a couple of devices; while it should work on most, I would think, there is always a chance something could go wrong.
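The bug class quoted above is a length field in a probe response that the driver trusted when copying the SSID into a fixed 32-byte buffer. The parser below is an added example (not the Broadcom driver's code or the exploit) showing the two checks such a frame parser needs: the element must lie inside the frame, and an SSID may never exceed the 802.11 maximum of 32 bytes; the frame bodies it runs on are constructed in the block.

```python
"""Bounds-checked SSID parsing for an 802.11 probe response (added example)."""
import struct

SSID_MAX = 32             # 802.11 maximum SSID length
FIXED_FIELDS = 8 + 2 + 2  # timestamp, beacon interval, capability info
ELEM_SSID = 0
ELEM_RATES = 1


def build_probe_response(ssid: bytes, rates: bytes = b"\x82\x84\x8b\x96") -> bytes:
    """Constructed probe-response body (not a real capture): fixed fields,
    then an SSID element and a Supported Rates element. The length byte is
    whatever the sender claims, which is how an over-long SSID reaches a
    driver that trusts it."""
    body = struct.pack("<QHH", 0, 100, 0x0401)
    body += bytes([ELEM_SSID, len(ssid) & 0xFF]) + ssid
    body += bytes([ELEM_RATES, len(rates)]) + rates
    return body


def parse_ssid(body: bytes) -> str:
    """Walk the tagged elements and return the SSID, refusing anything that
    would not fit the 32-byte buffer a driver reserves for it."""
    if len(body) < FIXED_FIELDS:
        raise ValueError("truncated fixed fields")
    off = FIXED_FIELDS
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        off += 2
        if off + elen > len(body):      # check 1: element lies inside the frame
            raise ValueError("element runs past end of frame")
        if eid == ELEM_SSID:
            if elen > SSID_MAX:         # check 2: the one the flawed driver lacked
                raise ValueError(f"SSID length {elen} exceeds {SSID_MAX}")
            return body[off:off + elen].decode("utf-8", "replace")
        off += elen
    raise ValueError("no SSID element")


def check_probe_response(body: bytes):
    """Return (accepted, ssid_or_reason) so scanning code can drop bad frames."""
    try:
        return True, parse_ssid(body)
    except ValueError as err:
        return False, str(err)
```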
Yes this is an UGLY solution but it’s all we have at this point. Broadcom should have provided certified drivers to Microsoft for inclusion in Windows Update but they didn’t. But even then, Microsoft device driver updates are never pushed out as automatic critical updates and we all know that if it isn’t automatic and seamless it probably won’t get done. This is something Microsoft needs to address with the PC industry in general because driver exploits are becoming very common and very dangerous. Source: Real World IT