[ISN] Bad Karma for Wi-Fi on Windows?

From: InfoSec News (isn@private)
Date: Fri Jan 27 2006 - 02:13:22 PST



1. In Focus: Bad Karma for Wi-Fi on Windows?

2. Security News and Features
   - Recent Security Vulnerabilities
   - Least-Privileged User Accounts on Windows XP
   - LANDesk Augments Security with Business Process Management
   - Time to Patch QuickTime

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread
   - New Instant Poll
   - Share Your Security Tips

4. New and Improved
   - Passwords on a Stick



==== 1. In Focus: Bad Karma for Wi-Fi on Windows? ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At the recent ShmooCon conference in Washington, D.C., Mark Lovelace 
(aka Simple Nomad) described an interesting behavior of Wi-Fi 
connectivity in Windows Server 2003, Windows XP, and Windows 2000. In a 
subsequent advisory (at the URL below), Lovelace points out that "If a 
laptop connects to an ad-hoc network it can later start beaconing the 
ad-hoc network's SSID as its own ad-hoc network without the laptop 
owner's knowledge. This can allow an attacker to attach to the laptop 
as a prelude to further attack." 

There are workarounds to help ensure this doesn't happen to your users' 
computers. The best solution is to configure the network connections 
(by using the Wireless Network Connection applet) so that they connect 
only to Access Points (APs), which will prevent any connections to ad 
hoc networks. You'll find step-by-step instructions in Lovelace's 

Lovelace checked during various airplane flights to see how many 
laptops were available via Wi-Fi connectivity and how many of those 
were vulnerable to remote compromise or were open enough to allow files 
to be copied to and from their drives. On one flight, 12 laptops were 
available, and of those 12, 5 were broadcasting ad hoc networks and 4 
were completely vulnerable to intrusion. 

These numbers suggest that many people might have had their personal 
data copied during in-flight use of their laptops. Of course, a decent 
firewall would make such intrusion much more difficult to accomplish. 
But many people don't have adequate protection in place. 

I recently learned about a new Wi-Fi client security assessment tool 
called KARMA. KARMA clearly shows the dangers of wireless networking 
given today's technology. Dino A. Dai Zovi, one of the developers of 
KARMA, wrote that "Windows and Mac OS X probe for every network in the 
preferred/trusted networks list upon boot up and [when] waking from 
sleep. Under Windows the entire list is [probed continually] when the 
machine is not currently associated to a wireless network." And that's 
bad news for Windows users when a tool like KARMA is in use, even if 
you use the workarounds described in Lovelace's advisory.

Here's why: KARMA uses a modified Wi-Fi driver on Linux and FreeBSD 
systems to establish a wireless AP. KARMA operates in stealth fashion--
it doesn't send out beacons advertising its presence. Instead, it 
monitors the airwaves listening for wireless client probes that are 
looking for a particular AP by its SSID. When KARMA detects a probe, it 
responds to the client as if it were the sought-after AP. That is to 
say, KARMA changes its SSID on the fly and mimics a host AP. This 
effectively lures unsuspecting Wi-Fi users into KARMA's wireless 
network. KARMA also includes a framework that can be used to develop 
exploits for use against vulnerabilities in connected client systems. 
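
A defender-side illustration of the behavior described above, added here and not part of the original newsletter or of KARMA: because such a responder answers probes under whatever SSID a client asks for and sends no beacons, a wireless monitor can flag any MAC address that replies as several different SSIDs without ever beaconing. The frame tuples, MAC addresses, SSIDs, and the min_ssids threshold are constructed assumptions.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample observations, not a real capture:
# (seconds, frame type, source MAC, destination MAC, SSID)
SAMPLE_FRAMES = [
    (0.0, "probe_req", "02:00:00:aa:00:01", BROADCAST, "CorpNet"),
    (0.1, "probe_resp", "02:00:00:bb:00:09", "02:00:00:aa:00:01", "CorpNet"),
    (1.0, "probe_req", "02:00:00:aa:00:02", BROADCAST, "HomeLAN"),
    (1.1, "probe_resp", "02:00:00:bb:00:09", "02:00:00:aa:00:02", "HomeLAN"),
    (2.0, "probe_req", "02:00:00:aa:00:02", BROADCAST, "CoffeeShop"),
    (2.1, "probe_resp", "02:00:00:bb:00:09", "02:00:00:aa:00:02", "CoffeeShop"),
    (3.0, "beacon", "02:00:00:cc:00:01", BROADCAST, "CorpNet"),
    (3.5, "probe_req", "02:00:00:aa:00:01", BROADCAST, "CorpNet"),
    (3.6, "probe_resp", "02:00:00:cc:00:01", "02:00:00:aa:00:01", "CorpNet"),
]


def find_ssid_mimics(frames, min_ssids=3):
    """Flag responders that answer probes under many SSIDs but never beacon."""
    asked = set()                 # (client MAC, SSID) seen in probe requests
    answered = defaultdict(set)   # responder MAC -> SSIDs it claimed to be
    clients = defaultdict(set)    # responder MAC -> clients it answered
    beaconing = set()             # MACs that advertise themselves normally
    for _ts, kind, src, dst, ssid in sorted(frames):
        if kind == "probe_req" and ssid:
            asked.add((src, ssid))
        elif kind == "beacon":
            beaconing.add(src)
        elif kind == "probe_resp" and (dst, ssid) in asked:
            answered[src].add(ssid)   # reply echoes the SSID the client sought
            clients[src].add(dst)
    return {
        mac: {"ssids": sorted(ssids), "clients": sorted(clients[mac])}
        for mac, ssids in answered.items()
        if len(ssids) >= min_ssids and mac not in beaconing
    }


if __name__ == "__main__":
    for mac, info in find_ssid_mimics(SAMPLE_FRAMES).items():
        print(mac, "answered as", info["ssids"], "to", info["clients"])
```

The clients listed for a flagged responder are the machines whose probes it answered, which makes them the first ones to check.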

According to Zovi, "[KARMA] revealed vulnerabilities in how Windows XP 
and Mac OS X look for networks, so clients may join even if their 
preferred networks list is empty." Zovi also said that Apple already 
issued an update (at the URL below) to correct the problem. Microsoft 
intends to correct this behavior in an upcoming service pack or update 
rollup package. For XP, that could mean Service Pack 3 (SP3), due out 
sometime in late 2007.

In the meantime, you might want to get a copy of KARMA (at the URL 
below) and try it out on your wireless clients. As best I can tell, 
right now the only way to defend against a tool like KARMA is for 
wireless clients to require authentication when connecting to APs.



==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Least-Privileged User Accounts on Windows XP
   After a substantial amount of beta testing, Microsoft published a 
document that can help administrators who want to implement least-
privileged user accounts (LUAs) on Windows XP. However, implementing 
LUAs could come with significant costs and challenges.

LANDesk Augments Security with Business Process Management
   LANDesk announced that it will integrate business process management 
into its systems and security management solutions with the acquisition 
of privately held NewRoad Software. 

Time to Patch QuickTime
   Windows metafiles don't represent the only recently discovered 
dangerous media file vulnerabilities. Apple released an updated version 
of QuickTime that fixes five dangerous vulnerabilities. 


==== 3. Security Toolkit ==== 

Security Matters Blog: New Version of Nmap Recently Released
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1EEB1:4FB69

You undoubtedly have Nmap in your security toolkit--it's an incredibly 
useful scanning and auditing tool for nearly any platform, including 
Windows, Linux, BSD Unix, Mac OS X, Solaris, and more. Do you have the 
latest version? Learn about some of the cool features in this blog 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=1EEAE:4FB69 

Q: How can I monitor registry activity during logon and logoff? 

Find the answer at http://list.windowsitpro.com/t?ctl=1EEAC:4FB69

Security Forum Featured Thread: List All Shares a User Has Access To
   A forum participant wonders if there's a way to list all the shares 
a given user has access to. His servers have dozens of shares, and he'd 
like to start auditing those shares for access privileges per user but 
doesn't know how. Join the discussion at:

New Instant Poll
   Do you plan to upgrade to IE 7.0?
   - Yes, I will immediately install the standalone IE 7.0 upgrade.
   - Yes, but I will wait for the Vista-integrated IE 7.0 version.
   - No, I will continue using IE 6.0.
   - No, I'm using a different browser and don't plan to change.
   Go to the Security Hot Topic on our Web site and submit your vote

Share Your Security Tips and Get $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec@private. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== 4. New and Improved ====
   by Renee Munshi, products@private

Passwords on a Stick
   Dekart released Dekart Password Manager, software that runs on a 
portable memory device such as a USB key drive and automatically 
collects your passwords and personal data as you type them. Password 
Manager then encrypts (by using 256-bit AES encryption) and stores your 
information on the drive, which only you can use. The next time you 
need to supply the information, you insert the drive, and Password 
Manager does the rest. Password Manager works directly from the key 
drive, with no host PC installation. Password Manager requires Windows 
XP/2000/Me/98/95/NT and costs $39. A free 30-day trial period is 
available. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 


==== Contact Us ==== 

About the newsletter -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=1EEB3:4FB69
About product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
