WOL security issue

This is more of a LAN question than a wireless, but maybe somebody can
give me quick answer.

One of our clients on the LAN wrote me saying that he thinks I should
turn off Wake on LAN on each pc in the subnet because it's a security
issue if somebody inside our LAN is infected with malware.

He says that he knows, because it happened to him in the past.

I can not find any references to WOL security issues and will write
him asking for a link or example. , but thought I'd ask first here.

From what little I understand, it seems that packet sniffing and file-
sharing are more of a security issue within our LAN than having a
sleeping pc woken up.

Anybody got any comments?

Thanks,
Steve

On Sun, 23 Mar 2008 16:35:02 -0700 (PDT), seaweedsl
<(E-Mail Removed)> wrote:

>This is more of a LAN question than a wireless, but maybe somebody can
>give me quick answer.

Sigh.

>One of our clients on the LAN wrote me saying that he thinks I should
>turn off Wake on LAN on each pc in the subnet because it's a security
>issue if somebody inside our LAN is infected with malware.

Yes. In general, if the feature isn't used, turn it off. However,
WOL itself is not a security issue. However, tinkering with the
firewall settings in order to get WOL to work through the firewall
usually does result in a security problem.

>He says that he knows, because it happened to him in the past.

Yep. There are programs the exploit WOL. WOL has no security from
attacks originating from the LAN side of the firewall. Of course, if
you have malware and other junk running on your LAN, you've got bigger
problems than just WOL. Try treating the causes instead of tinkering
with WOL.

>I can not find any references to WOL security issues and will write
>him asking for a link or example. , but thought I'd ask first here.

WOL can only turn on a computah, not off. In order to turn on a
computah, it needs to know the MAC address of the ethernet card. This
can be done by sniffing. If the PC's are on an ethernet switch, the
client machines will only see their own MAC address, the various
server MAC addresses, and any devices they can access (printers,
gateways, routers, etc). Sniffing does not magically obtain everyone
elses MAC address. Try it with a Windoze machine using a sniffer such
as Ethereal, Wireshark, or just "arp -a".

Once an attacker has a shopping list of MAC addresses, it can turn on
any of the machines it see. The theory is that if it's going to
spread viruses and worms, doing so at night, when the offices are
closed is a somewhat better time to attack. If the virus protection
and personal firewalls are functional on the PC's, nothing will
happen.

Frankly, I'm not worried, but there are some issues. Having someone
arrive at the office in the morning, and finding their machine turned
on is rather disconcerting. They usually suspect that someone has
been tinkering, hacking, or snooping on their private files. However,
it's usually NOT a WOL attack. It's me doing remote administration in
the middle of the night using VNC, PC Anywhere, or remote desktop. I
sometimes forget to turn off the machine when done (or screwup and
crash the machine). If your client has reported that machines are
magically turned on in the morning, when nobody is on, look for remote
control software, usually installed by employees that wanna do work at
home.

>From what little I understand, it seems that packet sniffing and file-
>sharing are more of a security issue within our LAN than having a
>sleeping pc woken up.

It's impossible to sniff non-connected traffic on a switched ethernet
port. Try it with Wireshark and you'll only see your own traffic.
However, replace the switch with hub, and you can sniff merrily. Some
managed switches also offer a monitor port, which redirects all the
traffic to some designated port.

>Anybody got any comments?

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

> This is more of a LAN question than a wireless, but maybe somebody can
> give me quick answer.

Yes, it's a non-issue. Go ask in a wired networking or security group.

On Mar 23, 6:15 pm, Jeff Liebermann <je...@cruzio.com> wrote:

>
> Frankly, I'm not worried, but there are some issues. Having someone
> arrive at the office in the morning, and finding their machine turned
> on is rather disconcerting.


Thank you very much, sir !

Sounds like it very close to being a non-issue. I surmise, as
before, that it won't hurt to turn it off on people's BIOS at leisure,
but I'm not getting excited.

Good to hear that not even packet sniffing is a concern considering we
do use an ethernet switch (router).

Steve

Jeff Liebermann <(E-Mail Removed)> wrote:
> crash the machine). If your client has reported that machines are
> magically turned on in the morning, when nobody is on, look for remote
> control software, usually installed by employees that wanna do work at
> home.

I've had a desktop turn on in the wee hours of the morning. No intentional
holes in the firewall, and WOL is off.

I think it is a Windows XP PC set for "automatic updates" at said wee hour
of the morning that isn't actually off, only in standby.

I don't know what process, if any, runs in "standby". Do scheduled tasks
wake up a machine from standby?

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

On Mon, 24 Mar 2008 21:33:07 +0000 (UTC), (E-Mail Removed) wrote:

>Jeff Liebermann <(E-Mail Removed)> wrote:
>> crash the machine). If your client has reported that machines are
>> magically turned on in the morning, when nobody is on, look for remote
>> control software, usually installed by employees that wanna do work at
>> home.
>
>I've had a desktop turn on in the wee hours of the morning. No intentional
>holes in the firewall, and WOL is off.

Haunted house? Need an exhorcism?

Critters playing on the keyboard? My previous cat would walk all over
the keyboard. It was an HP that a power on/off button on the
keyboard. I also found the machine turned on at odd hours.

It's not impossible to punch a hole in your firewall to use for WOL.
I've often suspected that UPnP can do that

>I think it is a Windows XP PC set for "automatic updates" at said wee hour
>of the morning that isn't actually off, only in standby.

Hmmm... That's possible, but I don't think so. I've got several of
mine set like that, with WOL active (and functional). I haven't seen
that problem on my machines or my customers.

There are many BIOS's that have a wake up from standby feature for
various inputs. Mine shows wake on modem ring, which might be the
culprit.

>I don't know what process, if any, runs in "standby".

Standby means that machine is still running, but at the very lowest
CPU clock speeds and with all the peripherals powered down. In
effect, it's turned on, but in a low power mode.

>Do scheduled tasks
>wake up a machine from standby?

Yes, but only in standby. If in hibernate or powered down, no way.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

On Mon, 24 Mar 2008 11:30:36 -0400, "Bill Kearney"
<(E-Mail Removed)> wrote:

>Go ask in a wired networking or security group.

I just came back from Starbucks, had my caffeine blast,
<http://www.usatoday.com/tech/science/2007-01-26-buzz-doughnuts_x.htm>
<http://www.buzzdonuts.com>
am fully wired and ready for networking or security questions. Being
wired certainly improves the quality of my answers, but really ruins
my typing and spelling.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

Jeff Liebermann <(E-Mail Removed)> wrote:
> On Mon, 24 Mar 2008 21:33:07 +0000 (UTC), (E-Mail Removed) wrote:
> >I've had a desktop turn on in the wee hours of the morning. No intentional
> >holes in the firewall, and WOL is off.

> Critters playing on the keyboard? My previous cat would walk all over
> the keyboard. It was an HP that a power on/off button on the
> keyboard. I also found the machine turned on at odd hours.

No critters. It's in the bedroom. I hear the disk spin up, and the
monitor lights up. The keyboard is on a slide in tray, so it would have to
be a small critter. I had to disable the "sleep" button on the upper left
of this HP keyboard. I kept smacking it instead of the ESC key during wild
vi sessions, and sending the PC directly to standby.

> It's not impossible to punch a hole in your firewall to use for WOL.
> I've often suspected that UPnP can do that

UPnP is off... It's a foul thing ;-)

> >I think it is a Windows XP PC set for "automatic updates" at said wee hour
> >of the morning that isn't actually off, only in standby.

> There are many BIOS's that have a wake up from standby feature for
> various inputs.

That should be every night. I did that to myself on a laptop.
No such setting on my desktop.

> Mine shows wake on modem ring, which might be the culprit.

No phone line. I think it has a modem.

> >Do scheduled tasks
> >wake up a machine from standby?

> Yes, but only in standby. If in hibernate or powered down, no way.

Maybe that's it. If we shutdown the PC, it stays off.
If we leave it alone early enough, it eventually goes to hibernate before
the automatic updates scheduled 3am start.
If we leave it alone later, it's still in standby and leaps into action at
3am. I changed the automatic update to 10am.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

Jeff Liebermann <(E-Mail Removed)> wrote:

> Critters playing on the keyboard? My previous cat would walk all over
> the keyboard. It was an HP that a power on/off button on the
> keyboard. I also found the machine turned on at odd hours.

He was probably looking at kitty porn.

If a host wants to know the MAC address of another system in the same
broadcast domain, it sends an ARP (Address Resolution Protocol) request,
and the destination host responds with its MAC address. It doesn't need
to passively wait hoping to observe MAC addresses.

Your statement: "It's impossible to sniff non-connected traffic on a
switched Ethernet port. Try it with Wireshark and you'll only see your
own traffic.", is false.

Although you normally would only see your own unicast traffic,
broadcasts, multicasts, and the occasional unicast packet flooded by the
switch because it had not yet learned which port the destination device
resided on, it is possible to see "all" of the traffic the switch handles.

A switch maintains a table that associates source MAC addresses with the
ports that they were received on. This table has a limited capacity
(device dependent). If you exceed the tables capacity using readily
available software, switch ports will typically "fail-open". The result
is that unicast traffic will be flooded out "all" the ports (other than
the one the packet was received on), rather than just the port to which
the destination device was attached to.

With this exploit, a sniffer can then see all of the traffic the switch
handles, and not just the traffic that would normally be seen on the
port the sniffer is connected to.

Best Regards,
News Reader

Jeff Liebermann wrote:
> On Sun, 23 Mar 2008 16:35:02 -0700 (PDT), seaweedsl
> <(E-Mail Removed)> wrote:
>
>> This is more of a LAN question than a wireless, but maybe somebody can
>> give me quick answer.
>
> Sigh.
>
>> One of our clients on the LAN wrote me saying that he thinks I should
>> turn off Wake on LAN on each pc in the subnet because it's a security
>> issue if somebody inside our LAN is infected with malware.
>
> Yes. In general, if the feature isn't used, turn it off. However,
> WOL itself is not a security issue. However, tinkering with the
> firewall settings in order to get WOL to work through the firewall
> usually does result in a security problem.
>
>> He says that he knows, because it happened to him in the past.
>
> Yep. There are programs the exploit WOL. WOL has no security from
> attacks originating from the LAN side of the firewall. Of course, if
> you have malware and other junk running on your LAN, you've got bigger
> problems than just WOL. Try treating the causes instead of tinkering
> with WOL.
>
>> I can not find any references to WOL security issues and will write
>> him asking for a link or example. , but thought I'd ask first here.
>
> WOL can only turn on a computah, not off. In order to turn on a
> computah, it needs to know the MAC address of the ethernet card. This
> can be done by sniffing. If the PC's are on an ethernet switch, the
> client machines will only see their own MAC address, the various
> server MAC addresses, and any devices they can access (printers,
> gateways, routers, etc). Sniffing does not magically obtain everyone
> elses MAC address. Try it with a Windoze machine using a sniffer such
> as Ethereal, Wireshark, or just "arp -a".
>
> Once an attacker has a shopping list of MAC addresses, it can turn on
> any of the machines it see. The theory is that if it's going to
> spread viruses and worms, doing so at night, when the offices are
> closed is a somewhat better time to attack. If the virus protection
> and personal firewalls are functional on the PC's, nothing will
> happen.
>
> Frankly, I'm not worried, but there are some issues. Having someone
> arrive at the office in the morning, and finding their machine turned
> on is rather disconcerting. They usually suspect that someone has
> been tinkering, hacking, or snooping on their private files. However,
> it's usually NOT a WOL attack. It's me doing remote administration in
> the middle of the night using VNC, PC Anywhere, or remote desktop. I
> sometimes forget to turn off the machine when done (or screwup and
> crash the machine). If your client has reported that machines are
> magically turned on in the morning, when nobody is on, look for remote
> control software, usually installed by employees that wanna do work at
> home.
>
>>From what little I understand, it seems that packet sniffing and file-
>> sharing are more of a security issue within our LAN than having a
>> sleeping pc woken up.
>
> It's impossible to sniff non-connected traffic on a switched ethernet
> port. Try it with Wireshark and you'll only see your own traffic.
> However, replace the switch with hub, and you can sniff merrily. Some
> managed switches also offer a monitor port, which redirects all the
> traffic to some designated port.
>
>> Anybody got any comments?
>