Re: [SNS Advisory No.60] Windows XP Disclosure of Registered AP Information

From: Preston Hathaway (phathaway@FIRSTAM.COM)
Date: 12/05/02

    Date:         Thu, 5 Dec 2002 06:12:19 -0800
    From: Preston Hathaway <phathaway@FIRSTAM.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    It seems to me that two other steps can be taken to limit or prevent
    this problem.

    1. Do not use default SSIDs. As you set up a wireless network, change
    the SSIDs and then change them on a regular basis after setup as part of
    regular network maintenance.

    2. Disable automatic association of "broadcast" SSIDs. The only folks
    using an AP should be those "known" to you. Disabling the automatic
    association allows you to remain in control.

    Thanks,

    Preston

    -----Original Message-----
    From: Windows NTBugtraq Mailing List [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of snsadv@LAC.CO.JP
    Sent: Wednesday, December 04, 2002 5:03 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: [SNS Advisory No.60] Windows XP Disclosure of Registered AP Information

    --------------------------------------------------------------------------
    SNS Advisory No.60
    Windows XP Disclosure of Registered AP Information
    Problem first discovered: 30 Aug 2002
    Published: 4 Dec 2002
    http://www.lac.co.jp/security/english/snsadv_e/60_e.html
    --------------------------------------------------------------------------
    Overview:
    ---------
      Windows XP's wireless LAN feature may disclose registered access
      points information.
      Packets encrypted with WEP could be sent out even if the radio wave of
      the original access point does not propagate well.
      There is a risk that the list of SSID values assigned to registered
      access points and the packets encrypted with WEP may be intercepted
      and decrypted.
    Problem Description:
    --------------------
      Windows XP machines utilizing wireless LAN automatically search for
      available access points. If not found, requests are continuously sent
      for already registered access points available until connection is
      achieved.
      If an access point with the same SSID as of an access point already
      configured for XP is installed, Windows XP will recognize it as the
      same access point.  Windows XP will then encrypt packets with WEP and
      start transmission.
      Information regarding registered SSIDs can be obtained from available
      inquiry packets by using a packet monitoring tool for wireless LAN.
      Additionally, packets encrypted with WEP of any registered access
      point for Windows XP machines can also be intercepted by establishing
      an access point with the same SSID.
      As the functions to search for available access points and to send
      inquiry requests are always enabled, Windows XP machines using
      wireless LAN feature will leak SSID information of registered access
      points if they cannot establish a connection with an available access
      point.
      In addition, WEP is susceptible to some already known vulnerabilities.
      Data encrypted with 40-bit keys can be decrypted through brute force
      attacks in a short period of time.  In the case of 104-bit encryption
      use, it has been reported that data can be decrypted in approximately
      two weeks.
      Consequently, sending out packets encrypted with WEP is not a
      recommended security practice in an environment where the original
      access points are not available.
      Refer to the following URL for explanatory figures:
        http://www.lac.co.jp/security/english/snsadv_e/60_e.html
    Solution:
    ---------
      Disable the wireless LAN function of Windows XP and use drivers made
      from third-parties that are not susceptible to the problem described
      above.
    Discovered by:
    --------------
      Nobuo Miwa  n-miwa@lac.co.jp
    Vendor Status:
    --------------
      After carrying out discussions with the Security Response Team of
      Microsoft Asia Limited, who was informed about this issue on August
      30, 2002, the conclusion drawn was that the problem was related to the
      software specification.  Therefore, consent from the Security Response
      Team of Microsoft Asia Limited was obtained to publish this advisory.
    Acknowledgements:
    -----------------
      Security Response Team of Microsoft Asia Limited
    Disclaimer:
    -----------
      All information in these advisories are subject to change without any
      advanced notices neither mutual consensus, and each of them is
      released as it is. LAC Co.,Ltd. is not responsible for any risks of
      occurrences caused by applying those information.
    ------------------------------------------------------------------
    SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp> Computer
    Security Laboratory, LAC  http://www.lac.co.jp/security/
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Demonstrate your knowledge and understanding of core IT Security, become
    TICSA certified.
    Are you responsible for IT security in job function, but not necessarily
    in title? Do you want to prove your IT security knowledge and increase
    opportunities? Interested? Visit;
    http://www.trusecure.com/solutions/certifications/ticsa/
    for more information.
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
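
Added example, not part of the original post or the SNS advisory: a small audit script that parses 802.11 probe request frames and lists which registered SSIDs each station discloses, the leak the advisory describes. It assumes bare 802.11 management frames (no radiotap header); the `build_probe` helper, MAC addresses and SSIDs are constructed sample data.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24      # frame control, duration, 3 addresses, sequence control
SSID_ELEMENT_ID = 0    # tagged parameter carrying the network name
MAX_SSID_LEN = 32

def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, else None.
    ssid is "" for a wildcard (broadcast) probe."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != 0 or subtype != 4:   # management / probe request
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # address 2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):                      # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            return None                               # truncated element
        if eid == SSID_ELEMENT_ID:
            if elen > MAX_SSID_LEN:
                return None                           # malformed SSID element
            return src, body.decode("utf-8", errors="replace")
        pos += 2 + elen
    return None

def disclosed_ssids(frames):
    """Map each station MAC to the sorted named SSIDs it probed for."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:                      # skip wildcard probes
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(names) for mac, names in seen.items()}

def build_probe(src_mac: str, ssid: str, fc0: int = 0x40) -> bytes:
    """Construct a sample frame (hypothetical helper for this example)."""
    hdr = (bytes([fc0, 0, 0, 0]) + b"\xff" * 6 +
           bytes.fromhex(src_mac.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")
    name = ssid.encode()
    return hdr + bytes([0, len(name)]) + name + bytes([1, 2, 0x02, 0x04])

# Constructed capture: one laptop probing two registered networks, a
# wildcard probe, and a beacon (subtype 8) that must be ignored.
STATION = "00:11:22:33:44:55"
SAMPLE = [build_probe(STATION, "corp-wlan"), build_probe(STATION, "home-net"),
          build_probe(STATION, ""), build_probe("66:77:88:99:aa:bb", "ap", 0x80)]

if __name__ == "__main__":
    for mac, names in disclosed_ssids(SAMPLE).items():
        print(mac, "discloses", names)
```
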