Story: Windows Wi-Fi attack discovered
I first described the vulnerability that I termed “WiPhishing” over a year and a half ago (Google “wiphishing” for more information). I postulated that “WiPhishing” occurs when a hacker sets up an access point to lure computers that are set to automatically connect to easily guessable SSIDs such as “Linksys”, “BTopenzone” or “dlink”. Computers get set up this way either deliberately by users, so that their computers will automatically connect to their home network or a Starbucks network, or automatically by the XP wireless client. This “newly discovered” vulnerability makes matters even worse, as we now discover that the XP client can't tell the difference between a normal access point-to-laptop (infrastructure) WiFi mode and the less commonly used laptop-to-laptop (ad-hoc) WiFi mode. What is now being pointed out is that laptops set to automatically connect to normal infrastructure (laptop-to-access point) networks called, for example, Linksys (which is bad enough but very common), will also mistakenly automatically connect to ad-hoc (laptop-to-laptop) networks with the same name (SSID). After they have made this connection, they are “infected” with this ad-hoc connection profile and will start broadcasting it, just as they previously broadcasted the Linksys infrastructure connection. Unfortunately, because of this vulnerability, all computers that subsequently connect to them also get “infected” with the ad-hoc profile and so on and so on.
The bottom line is this: because of this vulnerability, all a hacker has to do to WiPhish a laptop is set up a laptop with an ad-hoc connection set to “Linksys” or “BTopenzone”. As soon as a laptop set up this way is turned on, all other laptops in the vicinity that are set up to automatically connect to a network with the same name will start mistakenly connecting to the hacker’s laptop. A hacker sitting outside an office building or in an airport using this technique can gain access to many users’ laptops, often without their knowledge, and create WiFi mayhem in the process by trying out different easily guessable network names like Linksys until they catch a Phish. Once connected to a user’s laptop, an experienced hacker can not only potentially access data on that laptop (all shared folders are immediately accessible) but can also potentially use the laptop’s authenticated connection to a wired office network to access other network-connected resources such as servers or other computers.
I did a piece on the subject with the NBC affiliate in Dallas last year which can be viewed at the following link: http://cf.nbc5i.com/dfw/sh/videoplayer/video.cfm?id=4459208&owner=dfw
Even if Windows Firewall has been turned on and locked by an employee’s network administrator, the user can easily turn it off (so they can play their favorite MMORPG) by downloading software readily available on the Internet for this specific purpose.
This is a real problem, not just for users who do not know enough to secure their laptops properly, but more importantly for their employers. For this and other reasons, it is essential that organizations define wireless connectivity policies and have the means to enforce compliance with those policies on all laptops used for and at work. My company developed what we believe is the only complete solution to this threat, which is currently being used by many organizations large and small. We call our solution AirSafe Enterprise, and it enables wireless connectivity policies to be established and enforced across the enterprise, and also automatically turns off a laptop’s wireless adapter whenever the laptop is connected to a wired network.
More information on AirSafe Enterprise and our other products is available at our web site at www.cirond.com, or at that of our exclusive licensee, AirPatrol Corporation, at www.airpatrolcorp.com.
Nicholas Miller
CEO Cirond Corporation