[unisog] *****SPAM***** Re: XP silently configuring ad-hoc wifi networks

John Stauffacher stauffacher at chapman.edu
Fri Sep 23 19:32:33 GMT 2005


Frank,

Do you have the Registry entry, or can you point me to the thread in the 
Wireless archives. I might just implement something like this.

BTW: It seems your email is popping up on some RBLs

Frank Bulk wrote:

>
> Subject:
> Re: [unisog] XP silently configuring ad-hoc wifi networks
> From:
> "Frank Bulk" <frnkblk at iname.com>
> Date:
> Fri, 23 Sep 2005 13:32:08 -0500
> To:
> "'UNIversity Security Operations Group'" <unisog at lists.sans.org>
>
> To:
> "'UNIversity Security Operations Group'" <unisog at lists.sans.org>
>
>
>On the EDUCAUSE WIRELESS-LAN list this specific issue was discussed.  You
>can manually turn of ad-hoc scanning, or push out a registry key to do the
>same thing.  If you have access to your students' desktops, that sounds like
>the thing to do.
>
>Frank
>
>-----Original Message-----
>From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
>On Behalf Of John Stauffacher
>Sent: Friday, September 23, 2005 12:46 PM
>To: UNIversity Security Operations Group
>Subject: Re: [unisog] XP silently configuring ad-hoc wifi networks
>
>IIRC XP will automagically switch over to AD-HOC mode with the SSID of the
>Infrastructure mode if it falls out of reach of the AP it was associated
>with. We first had this issue when our SMCI Laptops started shipping with
>internal wireless cards, but our resnet had no wireless infrastructure. It
>was quite painfull and really had no way of shutting it off.
>
>Michael Schooley wrote:
>
>  
>
>>We had an instance about a month ago where an infected computer 
>>apparently hijacked our legit ssid and when another computer attached 
>>to the ssid a web page came up and asked to install a file. Fortunately 
>>the user had current av software and it was detected as a Trojan. The 
>>security people on campus dismissed the event and called me an 
>>alarmist. Hmmm...sounds familiar...the generals of the tech/security 
>>community ignoring the foot soldiers what a concept. Happy fighting!
>>Michael Schooley
>>Emory University
>>
>>-----Original Message-----
>>From: unisog-bounces at lists.sans.org 
>>[mailto:unisog-bounces at lists.sans.org]
>>On Behalf Of Christopher Chow
>>Sent: Friday, September 23, 2005 11:57 AM
>>To: UNIversity Security Operations Group
>>Subject: Re: [unisog] XP silently configuring ad-hoc wifi networks
>>
>>check out the posting at SANS-ISC that may relate (it refers to AP 
>>networks, but who knows the activity of this yet to be identified 
>>pathogen -- could be also making its own adhoc networks to spread under 
>>the radar and avoid IDS systems
>>
>>
>>http://isc.sans.org/
>>
>>
>>
>>about 3/4 of the way down the page under the heading "Wi-Fi Worm Rumors"
>>
>>
>>speculation as of yet. they are awaiting packet captures and binaries. 
>>might be a good idea to contact a handler if this seems rampant on your 
>>campus.
>>
>>
>>
>>
>>
>>Christopher Chow
>>c-chow at md.northwestern.edu
>>
>>
>>
>>
>>
>>
>>Frank Sweetser wrote:
>> 
>>
>>    
>>
>>>As all of the students wander onto campus this year, we've been 
>>>noticing
>>>   
>>>
>>>      
>>>
>>that a
>> 
>>
>>    
>>
>>>lot of them have common ad-hoc SSIDs configured as a preferred network.
>>>   
>>>
>>>      
>>>
>>So
>> 
>>
>>    
>>
>>>far, none of them admit to having any idea how those networks got
>>>   
>>>
>>>      
>>>
>>configured or
>> 
>>
>>    
>>
>>>where they came from.  While it's quite possible that the users told
>>>   
>>>
>>>      
>>>
>>Windows to
>> 
>>
>>    
>>
>>>connect without realizing or just without remembering, this has made 
>>>me curious.
>>>
>>>Does anyone know of any circumstances under which an XP system might
>>>   
>>>
>>>      
>>>
>>attempt to
>> 
>>
>>    
>>
>>>connect to a previously unconfigured ad-hoc SSID without any user
>>>   
>>>
>>>      
>>>
>>interaction?
>> 
>>
>>
>>
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
>> 
>>
>>    
>>
>
>
>--
>John Stauffacher, CISSP
>Network Administrator
>Chapman University
>stauffacher at chapman.edu
>ph: 714.628.7249
>"It's amazing how much you take for granted when you already know what you
>are doing."
>"there is no /usr/local on my C:\ drive!"
>
>
>_______________________________________________
>unisog mailing list
>unisog at lists.sans.org
>http://www.dshield.org/mailman/listinfo/unisog
>  
>


-- 
John Stauffacher, CISSP
Network Administrator
Chapman University
stauffacher at chapman.edu
ph: 714.628.7249
"It's amazing how much you take for granted when you already know what you are doing."
"there is no /usr/local on my C:\ drive!"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4870 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.dshield.org/pipermail/unisog/attachments/20050923/a8de80a4/smime-0001.bin


More information about the unisog mailing list