2007-04-16 Security Link Of The Day

First, some news: we have a new look and feel / theme for the blog and in response to a comment from one reader (Hi William!) the "categories" - General, Alerts, News - have all been broken-out in the page header, along with links to the relevant RSS feeds for each.

So if you prefer to separate the Sun Security Alerts from the Security postings, all you need do is bookmark or subscribe to the relevant page / feed. I'd like to thank Chandan for his as-ever superb graphic tastes... Er.. yes, something like that. You know what I mean.

Second: an observation that I should really have followed-up some time ago; I run almost exclusively Solaris upon my laptops, and having developed the habit early-on for some time now I've been faffing with WiFi configuration at a fairly raw level. - I eschew the GUI convenience of inetMenu and the automation of NWAM in favour of handhacked shellscripts.

In these circumstances I have thus become more intimate than most with the output of Solaris's wifi-administration tools.

For ages I've been plagued by offers of Free Public WiFi - for that is the name of the network, one sees it everywhere - whenever I've been scanning for network access, and it finally struck me to actually look the damned things up. There were too many of these networks for them to be a legitimate enterprise.

Instantly I found a blog posting which not merely explained the phenomenon, but also outlined my extant fears and my eventual conclusion too; in short the phenomenon is not a computer-borne virus but a human-borne viral meme which is caused (enabled?) by a XP misfeature:


So what are these things? In doing a search, I found some references in security-related discussion groups to the phenomenon, and lots of instances of people spotting these, even on airplanes. But didn't see what I was afraid I'd find -- that this is some kind of virus or spyware that sets up an ad hoc network as a trap.

It appears to be a manifestation of a feature of Windows that I wrote about earlier this year. When Windows connects to a network, it retains that network's name, or SSID, then broadcasts its as an ad hoc network, essentially inviting a connection. You can find more details here. Microsoft has said it will fix this in the next XP service pack; it's unclear if Windows Vista behaves this way.

So why do you see so many of these? My theory: It's viral, but not a virus!

What's the thing almost everyone wants to find when they open a WiFi-enabled notebook and search for a connection? Why, free public WiFi! If you see that -- and you don't know any better -- you connect to it.

Your notebook then retains that SSID, broadcasting it as an ad hoc network. Others see you, connect to you, pick up the name, and later pass it on. And on and on it goes. Since people travel with their notebooks, it's easy for this to have moved quickly, across the country -- like a cold spreading in the closed confines of an airplane cabin. (continues...)

See also this and this.

As a student of IT security taxonomy, to me this is clearly different from all of the typical viruses, worms and trojans; I feel that 'meme' is the only remaining accurate description, although I'd welcome alternative suggestions.

- alec


I'd consider it to fall under spoofing. The XP box is advertising itself as something it is not, after all - the main difference between this and a more traditional spoofing attack is that it's the server rather than the client side which is pretending to be something it isn't.

Posted by Dave Walker on April 16, 2007 at 12:55 AM PDT #

OTOH, it's an ad-hoc network, and noone should be connecting to those. So who cares? :) If Windows were advertising itself as an infrastructure base station, and worse, acting as a bridge to the real one, then this would be a BFD.

Of course, there is a privacy concern: this tells the world what network you are connected to or last connected to, as well as what release of Windows you are running.

Posted by Nico on April 16, 2007 at 03:00 AM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed

This blog provides security vulnerability fix notifications relevant to third party software components distributed and supported as part of Oracle Products.
Summarized version of this blog is available as a mapping of CVEs and solutions.


« July 2016