Windows 7 Can Create Rogue Wi-Fi Access Point
alphadogg writes "Windows 7 contains a 'SoftAP' feature, also called 'virtual Wi-Fi,' that allows a PC to function simultaneously as a Wi-Fi client and as an access point to which other Wi-Fi-capable devices can connect. The capability is handy when users want to share music and play interactive games. But it also can allow on-site visitors and parking-lot hackers to piggyback onto the user's laptop and 'ghost ride' into a corporate network unnoticed."
While this means a bit more policing for networks meant to be locked down, it sounds like a good thing overall. Linux users, meanwhile, have had kernel support (since 2.6.26) for 802.11s mesh networking, as well as Host AP support for certain chipsets.
Hard shell, gooey centre security obsolete (Score:5, Insightful)
De-perimeterization (perimeter erosion) Explained [opengroup.org]
Distributed Firewalls [columbia.edu]
Re: (Score:3, Interesting)
Actually, can someone explain to me what the real difference is between "master mode" and AdHoc or mesh networks?
Why is it that only a few chipsets can "do" proper full-blown "master mode" (ie be an Access Point), and yet other chipsets can be used as AdHoc or mesh? I mean - what's the fundamental difference? I've been through this with Linux systems and can't understand why I can't just grab any WLAN card, bring up the interface and whack a DHCP server on it - why doesn't that work for them all?
Just wonder
Re: (Score:3, Interesting)
"Master mode" means that your computer works as a central access point, other computers use it to relay the data.
"Ad-hoc" is a special mode for masterless networks, but it allows only two computers to connect (in essence, the wireless channel becomes an analog of a good old Ethernet cable).
"Mesh mode" is 'ad hoc' on steroids, it allows any number of computers to connect and uses dynamic routing.
Master mode requires certain additional functionality from your card (managing connections, transmitting SSID informatio
Serious issues found with X (Score:5, Insightful)
Re:Serious issues found with X (Score:5, Insightful)
Microsoft Z has been found to contain feature X, which purports to do Y but used incorrectly could instead cause W! Linux has had feature X since 20VV, the 'Year of the Linux Desktop'.
True. Incompetent users are the problem irrespective of platform. Never forget - computers do what you tell them to do, not what you meant them to do
Watch us both get modded down now
Re: (Score:3, Insightful)
Slashdot reported on it earlier, then it was complaining that it wasn't finished. Now it's complaining that it can be made to work.
http://mobile.slashdot.org/story/09/11/03/1649246/Unfinished-Windows-7-Hotspot-Feature-Exploited?from=rss [slashdot.org]
"It wasn't all that long ago that Microsoft was talking up the Virtual WiFi feature developed by Microsoft Research and set for inclusion in Windows 7, but something got lost along the road to release day, and the functionality never officially made it into the OS. As you might expect with anything as big and complicated as an operating system though, some of that code did make it into the final release, and there was apparently enough of it for the folks at Nomadio to exploit into a full fledged feature. That's now become Connectify, a free application from the company that effectively turns any Windows 7 computer into a virtual WiFi hotspot — letting you, for instance, wirelessly tether a number of devices to your laptop at location where only an Ethernet jack is available, or even tether a number of laptops together at a coffee shop that charges for WiFi."
Re:Serious issues found with X (Score:5, Insightful)
No, a VENDOR who wants to sell you lockdown software is complaining that it can be made to work.
Re: (Score:3)
But any technology can be exploited if used incorrectly or just left unlocked for anyone to use. It will always have to be locked down by the IT department before deployment if they don't want to be pwned and are actually worth the money they are being paid. How exactly is this news again?
Because most people using their laptop in a coffee shop and setting it up as a wifi hotspot are not going to be business users with a large corporate IT department behind them (mainly because such users will have had it di
Re: (Score:2)
the number of businesses who do not have a large corporate IT department (or a competent one)
So that's most of them then!
That's one of the things that people say is good about Windows - that it's so easy, anyone can use it.
They may say that - but they are wrong.
Re: (Score:3, Funny)
Using Windows is very easy so long as you don't expect to install it with decent hardware support OOTB or with decent security OOTB. It's so easy to use that within an hour online, it's often being used by someone the owner never intended. ;-)
Comment removed (Score:5, Insightful)
Re: (Score:2)
Well if they pay bottom dollar and only hire the cheapest most underpaid flunky they can get to save a few bucks, and they get pwned, I should care....why exactly?
Because those pwned computers send you spam.
Re: (Score:1)
Doesn't anyone feel sad about this?
IT is not something you do on the side or just start off without getting real training.
IT is serious. If the sector does not 'grow up', business people will have justified nightmares about IT costing too much money and bringing not enough value.
Shake the tree!
Re:Serious issues found with X (Score:5, Funny)
Never forget - computers do what you tell them to do, not what you meant them to do
I have a mac you insensitive clod, it does what His Steveness (peace be upon him) meant it to do.
Re: (Score:2)
computers do what you tell them to do, not what you meant them to do
Who is "you" there? The user? Microsoft? others?
In both, activating that requires admin/root access, or giving admin access to a program that does that for you.
That program could be a trojan. Still, you have to run that trojan as admin. Now, running an untrusted binary in linux, as admin, even if is for your architecture, seems to require a bit more complex effort in the social engineering side than in Windows to make you run it. And don't know how many windows owners do their normal use of their machines
Re: (Score:2)
True. Incompetent users are the problem irrespective of platform. Never forget - computers do what you tell them to do, not what you meant them to do
The Anti-Microsoft bias is retarded, but it does highlight a problem. A problem, mind you, which has existed since Microsoft introduced Internet Connection Sharing in, what, Windows 98? Or was it from Windows 95 OSR2? The fix is to use IPSEC with per-machine certificates (ow! administration nightmare) to a gateway device for all communications. You don't need to encrypt, only to authenticate the host (AH, no ESP.) Perhaps you could also lock it down by MAC at the same time, which is only slightly useful wit
Re:Serious issues found with X (Score:5, Funny)
Re: (Score:2)
2.6.26 is less than 2 years old. Not too much to brag about since Linux is on a much more rapid development cycle than Windows.
Re: (Score:2)
Actually, it should be "Linux has had feature W since 20VV" since it's about Windows' and Linux' capabilities to work as a WiFi access point which, as TFS states, is actually a pretty useful feature in many scenarios. The only problem with Windows' implementation is that it's presumably(*) turned on by default, which can be problematic in some environments from a security standpoint.
(*) "presumably" because TFA is awfully thin on details, and is fairly unapologetic about being an ad for some security company's
Re:Serious issues found with X (Score:5, Funny)
Note to Linux fanboys - yes, I was being sarcastic.
Re: (Score:2)
I know you were joking, but you just described our Monday morning routine with these [sunriseimaging.com] (Windows based) film scanners*, which was gleaned after careful work with the current engineers working for Sunrise.
* This is not an ad, it is a warning, they are a POS, IMHO of using them for 3 years.
Re: (Score:2)
Whereas with Windows you have to spend hours trying to find the Windows registry incantation to stop it doing it.
Re: (Score:2, Informative)
Not only is it turned "off" by default, but requires third party software to make it work (not just enable it, but add the complete functionality) as mentioned a long time ago here http://mobile.slashdot.org/story/09/11/03/1649246/Unfinished-Windows-7-Hotspot-Feature-Exploited?from=rss [slashdot.org]
Re: (Score:1)
Microsoft Z has been found to contain feature X, which purports to do Y but used incorrectly could instead cause W! Linux has had feature X since 20VV, the 'Year of the Linux Desktop'.
You got that last bit wrong. It's "Linux has had feature X since 21VV, the 'Year of the Linux Desktop'."
Re: (Score:2)
Er, no. In this case, Linux has features Q and R, which aren't anything like X, but chances are nobody will notice.
Re: (Score:2)
Linux has had feature X since 20VV, the 'Year of the Linux Desktop'.
Hmmm... The same year Dr. Wily tried to take over the world.. again!
Coincidence, I think not!
Ghost ridin' the whip! (Score:5, Funny)
Ghost ridin' the whip! No seriously, I've been wanting to use the Linux host AP features to bring up a mischievous AP that does man-in-the-middle attacks. I'd be connected to some open wifi somewhere, and someone would connect to my netbook and also see an open access point. I'd then give them the upside-downternet: http://www.ex-parrot.com/pete/upside-down-ternet.html [ex-parrot.com]
Re:Ghost ridin' the whip! (Score:5, Funny)
I think you mean "ghost ride the WEP."
Re: (Score:2)
Note: I was deliberately playing down the consequences of that scenario. You could "own" someone pretty thoroughly if that someone was uninformed enough (which 90% of people are) to send sensitive stuff over the network unencrypted. Which is why I use ssh tunnels to a trusted server whenever I'm on an open AP.
Re: (Score:2)
I think I need to introduce you to SSLStrip and Moxie Marlinspike.. http://www.thoughtcrime.org/software/sslstrip/ [thoughtcrime.org]
Unencrypted sensitive data isn't even necessary.
Re: (Score:2)
Perhaps you need to be introduced to ssh and the concept of an ssh tunnel. It has nothing to do with SSL.
No biased reporting here on /. Just the facts. (Score:5, Insightful)
I have lots of criticisms of Windows generally and I run XP and Kubuntu, but SoftAP is a network management issue for corporate networks, not a "rogue".
Re:No biased reporting here on /. Just the facts. (Score:5, Informative)
Agreed, this is beyond stupid. You could do the same with XP if you like, but now it's a little easier. I used to share a cellular card this way years ago. The "policing" and "lockdown" of "rogue" access points is like one click in group policy or a value in a reg key.
Slashdot has become the fox news of tech.
Re: (Score:2)
Also, how many corporate machines are running with wireless cards?
Re:No biased reporting here on /. Just the facts. (Score:5, Insightful)
Also, how many corporate machines are running with wireless cards?
More than you might think. At my work they issue everybody with laptops. They all have inbuilt wireless.
Re: (Score:3, Insightful)
Quite a number. Perhaps not your average cubicle-slave but certainly those in 'client-facing roles' and those encouraged to take work home with them (read unpaid overtime). If security is lax, don't underestimate teenage children in re-enabling features on their parent's work laptop. Then there's consultant teams hired on a project basis that bring their own hardware and aren't subject to internal re-imaging of machines.
Oh my, what danger! (Score:1)
Damn!...I forgot to cover the USB hole again! Now a hacker can plug a dirty cable in it!
More seriously, I get it, it's the fact that it is a hidden feature. Still, leave MS alone and stop the fuzz. I may not like them; I may not stand them, but you seem to hate them more^^
so you install a wireless IDS (Score:2)
So you install a wireless IDS like this one [airwave.com] and monitor the airwaves and the wired data path to see if a MAC address shows up in both places...
and then my company makes all the money [google.com]. whee! :)
soon to be part of a hosted service offering [airwave.com] as well.
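The air-versus-wire MAC correlation described in the comment above, as an added example (not the poster's or any vendor's code). The BSSIDs, SSIDs, port names and the "adjacent MAC" heuristic are constructed assumptions for illustration.

```python
"""Rogue-AP triage: which unauthorized BSSIDs heard on the air belong to a
device that is also attached to our own network? All data is constructed."""
from typing import Dict, Iterable, List, Optional, Tuple

LOCAL_BIT = 0x02 << 40  # "locally administered" flag in the first octet


def parse_mac(text: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff; return an int."""
    digits = "".join(c for c in text if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def relation(bssid: int, known: int, max_delta: int = 1) -> Optional[str]:
    """'exact' if identical; 'adjacent' if the OUI matches (ignoring the local
    bit) and the NIC-specific part differs by at most max_delta; else None.
    Adjacency is a heuristic assumption: virtual or secondary radios often
    get a MAC derived from the physical adapter's address."""
    if bssid == known:
        return "exact"
    a, b = bssid & ~LOCAL_BIT, known & ~LOCAL_BIT
    same_oui = (a >> 24) == (b >> 24)
    if same_oui and abs((a & 0xFFFFFF) - (b & 0xFFFFFF)) <= max_delta:
        return "adjacent"
    return None


def find_rogues(air_scan: Iterable[Tuple[str, str]],
                known_macs: Dict[str, str],
                authorized_bssids: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (bssid, ssid, match_type, where_seen_on_our_network) for every
    unauthorized BSSID that correlates with a MAC we already know about.
    BSSIDs with no correlation (the neighbours' networks) are not reported."""
    allowed = {parse_mac(m) for m in authorized_bssids}
    known = [(parse_mac(m), where) for m, where in known_macs.items()]
    findings = []
    for bssid_text, ssid in air_scan:
        bssid = parse_mac(bssid_text)
        if bssid in allowed:
            continue  # one of our own managed access points
        best = None
        for mac, where in known:
            rel = relation(bssid, mac)
            if rel == "exact":
                best = (rel, where)
                break  # strongest evidence, stop looking
            if rel == "adjacent" and best is None:
                best = (rel, where)
        if best:
            findings.append((bssid_text, ssid, best[0], best[1]))
    return findings


# Constructed sample inputs -------------------------------------------------
AUTHORIZED = ["00:1a:1e:00:10:01"]            # managed corporate AP
AIR_SCAN = [                                   # (BSSID, SSID) from a sensor
    ("00:1a:1e:00:10:01", "CorpNet"),
    ("02:21:6a:4c:9e:10", "Bob-Laptop"),       # soft AP on a corporate laptop
    ("00:18:39:5f:00:23", "linksys"),          # consumer router plugged in
    ("00:24:01:77:88:99", "CoffeeShop"),       # business next door
    ("00:0c:41:12:34:56", "guest"),
]
KNOWN_MACS = {                                 # switch MAC tables + WLAN clients
    "0021.6a4c.9e10": "wlan-client user=bob",
    "00-18-39-5F-00-22": "sw2 Gi1/0/7",
    "00:0c:41:12:34:56": "sw1 Gi1/0/3",
    "00:0c:29:ab:cd:ef": "sw1 Gi1/0/9",
}

if __name__ == "__main__":
    for row in find_rogues(AIR_SCAN, KNOWN_MACS, AUTHORIZED):
        print("%-18s %-12s %-9s %s" % row)
```

A soft AP that NATs its clients hides their MACs from the wire, which is why the laptop's own adapter address (the adjacent match) is the useful signal here.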
rouge? (Score:1)
I'd be more impressed if Windows 7 could create a rouge access point.
Not interesting by itself (Score:2)
And certainly other OS's have this feature too.
But you have to look at the big picture. This feature can be combined with one of the other Microsoft "remote access features" that they have been working so hard to remove from their product.
Ghost Ridin' Go Crazy! (Score:2, Funny)
What is this crap (Score:5, Insightful)
Re: (Score:3, Insightful)
Yes, it's that simple... and for most people, they don't want to research all that.
And if Linux wants to be popular with those people, it's going to have to change a bit.
It's more than knowing how a computer works. The only thing you're talking about right now is software. You're not talking about having to know how a graphics card works in order to use it. You're talking about software configuration. But the problem I have with your simplistic explanation is this: for most people, a generic configurati
Re: (Score:1, Troll)
And if Linux wants to be popular with those people, it's going to have to change a bit
We *don't* want to be popular with "those people", you, or your digital camera that you mention.
We assure you get relevant results when you type search queries into google.com. We do NOT assure your OS detects your digital cameras evidence of you cosplaying at comicon.
Re: (Score:3, Interesting)
Re: (Score:2)
In general, I agree with you. The problem I have is that it seems a lot of Linux users look down their noses at Windows users, as though they are stupid and ignorant and if they REALLY were intelligent they would use Linux... because it's intelligent people that care about their computer that are interested in dealing with the issues in order to run a superior operating system.
I guess it's the "superiority complex" issue that seems to be what I take issue with. I know people that are quite happy with Wind
Re: (Score:2)
Rubbish. If you have an installed Linux system, what do you need to learn to do everyday tasks like web surfing or word processing? That you use "firefox" instead of "The blue E" and "OpenOffice" instead of "Office".
Re: (Score:2)
My time is no longer worth nothing and the last thing I want to do is spend time dicking around with a computer for everyday use. At work it costs money and at home, it's the last thing I want to do when I get home. And every time I attempt to use Linux in a desktop environment, I still have to fuck around with some piece of hardware to get it to work. Hell even when I did research this last time on wireless hardware, all the sites said it would work and the card was a couple years old. So I bought it a
Re: (Score:2)
No, not hypocrisy.
Using Linux, you're expected to take responsibility for your computer and how it's configured. If it's borked, that's because you probably didn't research/learn as you should have and almost certainly changed something without knowing what it does or is for.
When a Windows box is borked, it's generally because MS screwed it up FOR you, before you got it, and without telling you -- if you had any interest in it working correctly in the first place (which most Windows users are willing to ass
Re: (Score:2)
I've been running Linux for over 5 years, and have never had to do anything like that to get a USB drive to work.
Sure, there's some hardware that won't work under Linux because of drivers -- usually cheap-ass crap that people shouldn't be buying in the first place. Then again, my Linux system does recognise the vast majority of hardware, and doesn't need separate drivers for any of it. Hell, the first thing I do when I buy hardware for my system is throw away the Windows drivers disk(s) that came with it, a
Easy Solution (Score:5, Informative)
This doesn't seem like any more of a problem than someone jacking in to an empty ethernet port on your network, except that a) they can do it from outside the building wirelessly and b) any special software used by the 7 user to access the network could potentially helpfully forward packets from others, but that would probably be a fault of the software not checking the origin IP on packets...
Anyways the fix is simple. Require authentication for all network resources. Windows enterprise solutions are set up like this by default and do it transparently using Windows login credentials. An intruder on your network would be unable to access anything. There is the LITTLE issue of exploits, so you can either batten down the hatches as much as you can and continually scan for suspicious network traffic, or you can try an alternate solution which may work better (a combination of both would be best):
For complete security, IT could notify all employees that use of this feature is not permitted. On corporate machines it could be disabled or removed or steps taken to block access, but you must assume users are clever enough to get it working (not to mention booting from a LiveCD bypasses every protection known, except complete Windows software compatibility. Someone did mention Linux software that did this though, and my brother's WiFi card supposedly does it too with a special included application.). IT could also compromise and allow users to use it if it is properly configured, with clear steps outlining how to check if this is the case. However either way, severe penalties (starting with being kicked off the network until you have resolved the problem) would be issued for having an open access point. IT would have to periodically stage their own "attacks" to look for such hotspots and attempt to connect, and then lock the user out of the network if they are able to access the user's machine anonymously (ie folder shares with company files) or the network.
OK so it's a long winded solution but basically: The problem isn't new, lock down systems with authentication best you can, routinely scan for hotspots and penalize users that put them up.
Disclaimer: I am not a security expert but I like to think I've picked up a few things.
Re:Easy Solution (Score:5, Informative)
Re: (Score:2)
No, you are misunderstanding the problem. None of these features: virtual WiFi, connection sharing and bridging, are turned on by default.
The GP is exactly right. If someone wants to 'attack' your network this way, it's no different from walking in with a laptop and an extra usb wifi device. Windows 7 makes it slightly less expensive, that's all.
Re:Easy Solution (Score:5, Insightful)
Group Policy can disable this for all domain users in one click.
And even if left on, what admin would allow a non-authenticated user access to anything on the network?
Besides, if I had enough access to a machine to turn this feature on, couldn't I just take control of it via traditional means? Why bother.
Re: (Score:2)
But still they have to authenticate against AD to access shares? Well, I guess this depends how things are configured but I sure as hell can't access our corporate network shares without proper authentication.
Re: (Score:2)
Cisco Wireless (used to be airespace) and other wireless management controllers have had the ability to detect rogue networks for at least 5 years. If they see a rogue, they can attempt to use the nearest AP to connect, and see if the packets can route back to your network. (Showing you if someone plugged a linksys router into your building's wired network, or if the business next door just got wireless)
The Airespace controller even had a "feature" that was heavily discouraged that would basically take a
Re: (Score:2)
Where I come from, deliberately bypassing network security is a one-strike-and-you're-out termination offense.
Re: (Score:2)
Can you stop by and have a conversation with my HR department? The finance department seems to be stripping security out of the network under the guise of "controlling costs", yet I can't get an HR policy to make it a termination worthy offense to bypass the few controls that are left.
Re: (Score:2)
If the powers that be are morons, then your ship is about to sink.
Re: (Score:2)
Yes, give cisco sh*tloads of money. It's just like the easy solution with corrosion, coat everything in gold. There are better things to do with budgets.
I had an idiot bring in his own wireless access point instead of borrowing any of the spare 8 port switches and a 2 metre cable - and that idiot turned on dhcpd and took quite a few people off the network. The only real way to stop that is firewalls all over the place or firewalls built into all the switches. Effectively you tel
Re: (Score:1)
The only real way to stop that is firewalls all over the place or firewalls built into all the switches.
Most intelligent switches can block with ACLs. We block all sorts of nefarious things at our place.
What would you give up to upgrade a dozen switches (Score:2)
For some reason everyone missed the first sentence about switches that can do this being expensive. What would you do without to upgrade a working network with less than ideal security? Would you go without the things that make the production network productive? That IS sometimes the choice. We are talking about replacing switches worth a couple of hundred wi
Re: (Score:1)
This doesn't seem like any more of a problem than someone jacking in to an empty ethernet port on your network
Unused ports are left unusable. Assigned to a 'quarantine VLAN' which has only an IDS on it designed to set off alarms if anything sends traffic to it.
Ports that are in use, have port security enabled with sticky MAC address, and thus an alarm is also set off on violation.
but you must assume users are clever enough to get it working (not to mention booting from a LiveCD bypasses every prot
Re: (Score:2)
I didn't RTFA, but I guess the problem is user will see an AP with the same SSID that user used to be connecting...and tricked into connecting it but that's actually a rogue one? Even without Win 7, I could do it with a $50 SOHO Wireless Router!...
The parent is right - If your network is that sensitive, please turn on Group Policy to require IPSec encryption on both ends, and require a proxy (say MS ISA) to go to the Internet. Then the rogue AP doesn't really matter.
Easier even (Score:2)
I need to check this out (Score:2)
I need to play with this feature on my W7 laptop, I wonder how far the reach is on this and how well I could daisy chain this, just out of curiosity more than anything useful.
Re:I need to check this out (Score:5, Informative)
Not again.. (Score:1)
Oh I see what you tried to do there.. (Score:2)
What you attempt with 'ghost ride' is better communicated and less retarded with one of the following phrases:
* piggy-backing
* covert channel
* out-of-band
There's no applicable analogy with 'ghost ride' to communicate what you're trying to describe. Don't try to introduce new lingo. You might as well call it 'Dog sledding' as it has just as much in common with covert channels as 'ghost riding' does.
Damn! Should have installed Win7 instead of Ubuntu (Score:2)
Seriously! That is exactly what I wanted to do a few months ago, but it seems I can't with my WiFi Link 5300. Hostap seems to be for Prism chipsets. Easily creating an AP to share files or to play with neighbors [ex-parrot.com] was one of the bonuses I expected from my switch to Ubuntu. What is going on? Is Windows now becoming the fun OS for geeks and Linux the boring Desktop for the average users?
Re: (Score:2)
Lacking more info, I'm going to venture a guess that yes, the 5300 the GP mentions is the Intel Pro Wireless 5300 chipset (802.11abgn, and generally pretty darn good). The Linux drivers for it are open-source, but that doesn't necessarily mean bug-free or that all features are available. It does mean you could try to get it working yourself if you want, though. I have one such chipset myself, and while I've never tried to make it act as an AP, it would be neat to be able to do so.
On a side note, are there a
Re: (Score:2)
Yes, it's the Intel WiFi Link 5300 (in a Thinkpad), using the iwlagn driver (in Ubuntu 9.04). Not sure if it's because of the chipset, the driver or their combination, but it doesn't support master mode:
# iwconfig wlan0 mode master
Error for wireless request "Set Mode" (8B06) :
SET failed on device wlan0 ; Invalid argument.
Re: (Score:1)
Kubuntu can do lots of cool stuff I like.
So, I use both.
this is silly... (Score:1)
Domain Administrators can do this. [lmgtfy.com]
Is there an article on Network World that condemns Linux for having this ability? Well I did find this [networkworld.com] when I searched for Linux and HostAP. Don't see anything in the article mentioned that it too, could be a security risk if used incorrectly. It's not called Beware the
Aruba (Score:1)
An important network that does not have wireless intrusion detection and control is definitely not protected well.
However, a proper Aruba deployment with AP's and a mobility controller can and do identify, mark, and shut down rogue APs and ad-hoc networks, as well as wireless bridges.
I am not terribly worried.
-Red
Mesh is here (Score:1)
Re: (Score:2)
Nah, they'll start charging by the gigabyte, so if you hook a computer up to internet and 2000 machines end up routing through it downloading Wolverine, you'll have to pay for 1.4 TB of traffic ($1400 at 1 dollar per gigabyte). Hopefully we'll get rid of ISPs entirely sooner or later, also fixing the net neutrality problem, the throttling problem and kicking the RIAA a few extra times but it'll take at least a decade.
Is this just the Ad-Hoc network option (Score:2)
Is this just the Ad-Hoc network option that can be setup in the network and sharing center, or is it something else?
I have Win7 Ultimate and I can't find anything that refers to "VirtualAP" or "SoftAP."