Communicable ad-hoc networks ?

Recently I was baffled to see an ad hoc network in my house with SSID
hpsetup. Time with Google eventually revealed that some forms of
Microsoft Windows can advertise ad hoc networks that they have
previously seen (e.g., http://www.nmrc.org/pub/advise/20060114.txt), and
that some HP printers advertise a hpsetup network. So, as people lug
their Windows laptop around, this network gets advertised in new places.
(I don't know which versions are affected.)

I'm wondering, can this be transmitted from computer to computer, so
that a laptop computer advertising this network might simply be one of a
chain of computers where one saw a HP printer, and 'transferred' this ad
hoc network with SSID preserved from one computer to another? I've only
really played with infrastructure mode before, but I am intrigued to
know if this 'contagion' can spread from Windows machine to Windows
machine as people travel around, with ancestry far from the original HP
printer.

-- Mark

On Tue, 13 Mar 2007 12:52:18 -0400, (E-Mail Removed) (Mark T.B. Carroll)
wrote in <(E-Mail Removed)>:

>Recently I was baffled to see an ad hoc network in my house with SSID
>hpsetup. Time with Google eventually revealed that some forms of
>Microsoft Windows can advertise ad hoc networks that they have
>previously seen (e.g., http://www.nmrc.org/pub/advise/20060114.txt), and
>that some HP printers advertise a hpsetup network. So, as people lug
>their Windows laptop around, this network gets advertised in new places.
>(I don't know which versions are affected.)

That only happens if you actually _connect_ ad hoc.
It's not enough to just "see" the ad hoc SSID.

>I'm wondering, can this be transmitted from computer to computer, so
>that a laptop computer advertising this network might simply be one of a
>chain of computers where one saw a HP printer, and 'transferred' this ad
>hoc network with SSID preserved from one computer to another? I've only
>really played with infrastructure mode before, but I am intrigued to
>know if this 'contagion' can spread from Windows machine to Windows
>machine as people travel around, with ancestry far from the original HP
>printer.

No, it doesn't spread that way. You have to _connect_ ad hoc.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

Mark T.B. Carroll wrote:
> Recently I was baffled to see an ad hoc network in my house with SSID
> hpsetup. Time with Google eventually revealed that some forms of
> Microsoft Windows can advertise ad hoc networks that they have
> previously seen (e.g., http://www.nmrc.org/pub/advise/20060114.txt), and
> that some HP printers advertise a hpsetup network. So, as people lug
> their Windows laptop around, this network gets advertised in new places.
> (I don't know which versions are affected.)
>
> I'm wondering, can this be transmitted from computer to computer, so
> that a laptop computer advertising this network might simply be one of a
> chain of computers where one saw a HP printer, and 'transferred' this ad
> hoc network with SSID preserved from one computer to another? I've only
> really played with infrastructure mode before, but I am intrigued to
> know if this 'contagion' can spread from Windows machine to Windows
> machine as people travel around, with ancestry far from the original HP
> printer.
>
> -- Mark
>

http://support.microsoft.com/kb/917021
"Wireless Auto Configuration sends probe requests to try to connect to
the first ad hoc wireless network in the preferred networks list. An
observer could monitor these probe requests and establish an unsecured
connection with a Windows wireless client.

On a computer that has the Wireless Client Update installed, Wireless
Auto Configuration does not send probe requests to connect to newly
created ad hoc wireless networks in the preferred networks list. Because
many ad hoc wireless networks are created for temporary wireless
connectivity, you must use the Choose a Wireless Network dialog box to
manually initiate a connection to an ad hoc mode wireless network."

John Navas <(E-Mail Removed)> writes:

> That only happens if you actually _connect_ ad hoc.
> It's not enough to just "see" the ad hoc SSID.

The description at
http://news.zdnet.co.uk/security/0,1...9247738,00.htm mentions
"it will automatically try to connect to a wireless network". I know
that Vista's "Preferred Networks" config can be used to cause automatic
connection. Aren't there lots of people with Windows set to connect
automatically to the networks it sees?

-- Mark

On Tue, 13 Mar 2007 13:30:05 -0400, (E-Mail Removed) (Mark T.B. Carroll)
wrote in <(E-Mail Removed)>:

>John Navas <(E-Mail Removed)> writes:
>
>> That only happens if you actually _connect_ ad hoc.
>> It's not enough to just "see" the ad hoc SSID.
>
>The description at
>http://news.zdnet.co.uk/security/0,1...9247738,00.htm mentions
>"it will automatically try to connect to a wireless network". I know
>that Vista's "Preferred Networks" config can be used to cause automatic
>connection. Aren't there lots of people with Windows set to connect
>automatically to the networks it sees?

<http://blogs.zdnet.com/Ou/?p=149>

I checked with a Microsoft spokesperson and they confirmed that
Microsoft Security Research Center states that this is NOT a security
vulnerability. [emphasis added]

Worth reading in its entirety.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

John Navas <(E-Mail Removed)> writes:
(snip)
> <http://blogs.zdnet.com/Ou/?p=149>
>
> I checked with a Microsoft spokesperson and they confirmed that
> Microsoft Security Research Center states that this is NOT a security
> vulnerability. [emphasis added]
>
> Worth reading in its entirety.

Sure. I was just wondering if the network could 'spread' from computer
to computer, I wasn't suggesting anything about if it was bad or good.

-- Mark

Mark T.B. Carroll says...

> Sure. I was just wondering if the network could 'spread'
> from computer to computer, I wasn't suggesting anything
> about if it was bad or good.

This was covered recently in a Security Now episode (#80 I
think), and was described as a harmless Windows bug. Here's
the excerpt:

LEO: Thom in Cortland, New York raised his antenna and
asked: I have a question about Wi-Fi. Recently I took my
university laptop home. Instead of a presentation, I
started the system. Instead of a presentation.

STEVE: Ahead of.

LEO: I'm sorry, I was misreading it. Ahead of a
presentation. I started the system. The laptop is
wireless. It automatically connected to an open hotspot in
my building titled - oh, this is the Free Public Wi-Fi
question. I like this one. I am certain - he got
something, a hotspot saying "Free Public Wi-Fi." I'm
certain there's no free public Wi-Fi and recognize this to
be likely a scam hotspot. But I noticed it quickly; I shut
the system down immediately. Even though I shut it down so
quickly, and there's not any personal data on my machine,
am I at any risk? Is it likely the hotspot was even able
to do anything nefarious considering the quick shutdown?

Do you know the answer to this, Steve? Because I do.

STEVE: Go for it.

LEO: This is actually not a scam. When I first got this
question on the radio, I said what you probably were
planning on saying, which is it probably is a scam because
there's no free public Wi-Fi. It's actually a bug in
Windows. Did you know this?

STEVE: No.

LEO: Yeah, it has to do with...

STEVE: And I've also seen that, so I was wondering, isn't
that a coincidence.

LEO: [Indiscernible]. Because if you've ever logged into
an access point called "Free Public Wi-Fi," it has
something to do with infrastructure Wi-Fi. I don't know
the exact details, and I'll find the reference.

STEVE: Ah, right. I know, where you're going machine to
machine instead of machine to an access point.

LEO: And this is actually, in a way, spreading like a
virus because one guy apparently did it; right? And then
other people saw it and joined it. There's nothing there.
You can't get any Internet access from it. So they forgot
it. But it persists. And it's in your system.

STEVE: It crept into your registry somewhere.

LEO: It shows up on other systems, and it has now spread
across the land, and there are quite a few places where you
will get online and see something called "Free Public
Wi-Fi." It is a Windows machine in infrastructure mode
that at one point logged onto another Windows machine in an
infrastructure mode with "Free Public Wi-Fi" as one of the
hotpots it had been to. I'll find the article because I
did some research when this person asked me the question on
the radio. And I answered it as you I'm sure were going to
answer, which is, yeah, it's probably not a good idea to
join such a thing.

STEVE: Right. We can say a little bit more, although I
think that's very cool news.

LEO: It's fascinating, yeah.

STEVE: We can say a little bit more about this issue in
general. That is, for example, if you were to find that
your machine had automatically connected to a hotspot that
you were suspicious of, first of all, answering this
question, it's probably not the case that just the act of
connecting could be a problem, so long as you've got -
probably you're using Windows XP or maybe Vista. But one
way or another you probably have a personal firewall on.
So as we know, today's exploits generally are people going
out through a firewall asking bad stuff to come back in, or
in the case of a Wi-Fi, people, for example, doing
nonencrypted email log-on where their username and password
are going out in the clear. In both instances, the user is
doing something with the computer, and somebody
deliberately running a malicious Wi-Fi hotspot will be
monitoring that. However, with the firewall up, just the
act of connecting to even something malicious, as long as
you recognize it and shut down, it's probably not - there's
no opportunity for you to be infected in the normal case.

LEO: Yeah. And to add to this, it is a bad idea in
general to log into ad hoc networks.

STEVE: Right.

LEO: There's a difference, and you can tell, whether it's
an infrastructure network or an ad hoc network. And an
infrastructure one is with a Wi-Fi base station and, you
know, like at the coffee shop and so forth.

STEVE: The normal style.

LEO: Ad hoc is coming off of somebody's computer. So you
really probably don't want to join a network on somebody's
computer. That would just be very trusting. The reference
I'm going to put on the website is from Dwight Silverman's
tech blog in the Houston Chronicle. That's where I saw it
first. It's a great story, and it just - it's a bug in
Windows. Microsoft says they plan to fix it at some point
in the next XP Service Pack. But who knows when that's
going to be. Unknown whether it's in Vista.

STEVE: Interesting.

LEO: Isn't that weird?

STEVE: Yeah, that's cool.

On Tue, 13 Mar 2007 18:08:13 -0500, Peabody
<(E-Mail Removed)> wrote in
<y9GJh.6059$(E-Mail Removed)>:

>Mark T.B. Carroll says...
>
> > Sure. I was just wondering if the network could 'spread'
> > from computer to computer, I wasn't suggesting anything
> > about if it was bad or good.
>
>This was covered recently in a Security Now episode (#80 I
>think), and was described as a harmless Windows bug. Here's
>the excerpt:
>
>LEO: Thom in Cortland, New York raised his antenna and
>asked: I have a question about Wi-Fi. Recently I took my
>university laptop home. Instead of a presentation, I
>started the system. Instead of a presentation.
>
>STEVE: Ahead of.
>[SNIP]

Steve and Leo. God help us! Neither has any qualifications in
security.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>