Security UPDATE--Bad Karma for Wi-Fi on Windows?--January 25, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

DSRAZOR for Windows



1. In Focus: Bad Karma for Wi-Fi on Windows?

2. Security News and Features

- Recent Security Vulnerabilities

- Least-Privileged User Accounts on Windows XP

- LANDesk Augments Security with Business Process Management

- Time to Patch QuickTime

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

- New Instant Poll

- Share Your Security Tips

4. New and Improved

- Passwords on a Stick


==== Sponsor: DSRAZOR for Windows ====


Q: Are you looking for an easy and reliable way to audit your AD? Do you need a tool that will generate baseline and comprehensive reports for your auditors?

A: DSRAZOR is your answer. DSRAZOR can easily export your results to a format that will satisfy even the most demanding auditors.

Q: Looking to replace the native group membership reporting tools? Do you need a tool to identify group membership security trustees?

A: With DSRAZOR, you can simply and quickly get the group membership and security trustee reports that you need.

Customized solutions, support & teamwork.

This is how DSRAZOR helps you manage your Active Directory and Windows File Systems.

Schedule Your FREE Interactive Assessment Today!


==== 1. In Focus: Bad Karma for Wi-Fi on Windows? ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At the recent SchmooCon conference in Washington, D.C., Mark Loveless (aka Simple Nomad) described an interesting behavior of Wi-Fi connectivity in Windows Server 2003, Windows XP, and Windows 2000. In a subsequent advisory (at the URL below), Loveless points out that "If a laptop connects to an ad-hoc network it can later start beaconing the ad-hoc network's SSID as its own ad-hoc network without the laptop owner's knowledge. This can allow an attacker to attach to the laptop as a prelude to further attack."

There are workarounds to help ensure this doesn't happen to your users' computers. The best solution is to configure the network connections (by using the Wireless Network Connection applet) so that they connect only to Access Points (APs), which will prevent any connections to ad hoc networks. You'll find step-by-step instructions in Loveless's advisory.

Loveless checked during various airplane flights to see how many laptops were available via Wi-Fi connectivity and how many of those were vulnerable to remote compromise or were open enough to allow files to be copied to and from their drives. On one flight, 12 laptops were available, and of those 12, 5 were broadcasting ad hoc networks and 4 were completely vulnerable to intrusion.

These numbers suggest that many people might have had their personal data copied during in-flight use of their laptops. Of course, a decent firewall would make such intrusion much more difficult to accomplish. But many people don't have adequate protection in place.

I recently learned about a new Wi-Fi client security assessment tool called KARMA. KARMA clearly shows the dangers of wireless networking given today's technology. Dino A. Dai Zovi, one of the developers of KARMA, wrote that "Windows and Mac OS X probe for every network in the preferred/trusted networks list upon boot up and \[when\] waking from sleep. Under Windows the entire list is \[probed continually\] when the machine is not currently associated to a wireless network." And that's bad news for Windows users when a tool like KARMA is in use, even if you use the workarounds described in Loveless's advisory.

Here's why: KARMA uses a modified Wi-Fi driver on Linux and FreeBSD systems to establish a wireless AP. KARMA operates in stealth fashion--it doesn't send out beacons advertising its presence. Instead, it monitors the airwaves listening for wireless client probes that are looking for a particular AP by its SSID. When KARMA detects a probe, it responds to the client as if it were the sought-after AP. That is to say, KARMA changes its SSID on the fly and mimics a host AP. This effectively lures unsuspecting Wi-Fi users into KARMA's wireless network. KARMA also includes a framework that can be used to develop exploits for use against vulnerabilities in connected client systems.

According to Zovi, "\[KARMA\] revealed vulnerabilities in how Windows XP and Mac OS X look for networks, so clients may join even if their preferred networks list is empty." Zovi also said that Apple already issued an update (at the URL below) to correct the problem. Microsoft intends to correct this behavior in an upcoming service pack or update rollup package. For XP, that could mean Service Pack 3 (SP3), due out sometime in late 2007.

In the meantime, you might want to get a copy of KARMA (at the URL below) and try it out on your wireless clients. As best I can tell, right now the only way to defend against a tool like KARMA is for wireless clients to require authentication when connecting to APs.


==== Sponsor: Klocwork====


New White Paper from Klocwork: Improve software quality and reduce life-cycle costs by incorporating Static Analysis tools into your routine development processes. Results: More maintainable code, more secure, reliable software and a more predictable development process. Download White Paper:


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Least-Privileged User Accounts on Windows XP

After a subtantial amount of beta testing, Microsoft published a document that can help administrators who want to implement least-privileged user accounts (LUAs) on Windows XP. However, implementing LUAs could come with significant costs and challenges.

LANDesk Augments Security with Business Process Management

LANDesk announced that it will integrate business process management into its systems and security management solutions with the acquisition of privately held NewRoad Software.

Time to Patch QuickTime

Windows metafiles don't represent the only recently discovered dangerous media file vulnerabilities. Apple released an updated version of QuickTime that fixes five dangerous vulnerabilities.


==== Resources and Events ====

WEB SEMINAR: Learn to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives.

20% off for All Windows IT Pro Subscribers!

Learn how SOA doesn't require investments in new technology to deliver immediate and lasting bottom-line results. Attend Developing Service Oriented Architecture, February 20-22 in Orlando.

WHITE PAPER: Optimize your existing Windows Server infrastructure with the addition of server and storage consolidation software and techniques.

WEB SEMINAR: Get the tools, tips, and training that you need to avoid a messaging meltdown when an outage strikes. View this seminar today:

WEB SEMINAR: Learn how to leverage new features in SQL Server 2005 to greatly extend your existing backup and restore capabilities.


==== Featured White Paper ====

WHITE PAPER: Evaluate the costs of losing information and learn what real-time information management means and how to accomplish it in your business.


==== Hot Spot ====

The Starter PKI Program

Do you need to secure multiple domains or host names? In this free white paper you'll learn how the Starter PKI Program will benefit your company with timesaving convenience. Plus--you'll get the chance to actually test the program!


==== 3. Security Toolkit ====

Security Matters Blog: New Version of Nmap Recently Released

by Mark Joseph Edwards,

You undoubtedly have Nmap in your security toolkit--it's an incredibly useful scanning and auditing tool for nearly any platform, including Windows, Linux, BSD Unix, Mac OS X, Solaris, and more. Do you have the latest version? Learn about some of the cool features in this blog article.


by John Savill,

Q: How can I monitor registry activity during logon and logoff?

Find the answer at

Security Forum Featured Thread: List All Shares a User Has Access To

A forum participant wonders if there's a way to list all the shares a given user has access to. His servers have dozens of shares, and he'd like to start auditing those shares for access privileges per user but doesn't know how. Join the discussion at:

New Instant Poll

Do you plan to upgrade to IE 7.0?

- Yes, I will immediately install the standalone IE 7.0 upgrade.

- Yes, but I will wait for the Vista-integrated IE 7.0 version.

- No, I will continue using IE 6.0.

- No, I'm using a different browser and don't plan to change.

Go to the Security Hot Topic on our Web site and submit your vote

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Announcements ====

(from Windows IT Pro and its partners)

Become a VIP Monthly Pass Subscriber

Sign up now and get a VIP Monthly Online Pass that includes online access to ALL the articles, tools, and helpful resources published in SQL Server Magazine, Windows IT Pro, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters. You'll also have 24/7 access to a database of more than 25,000 online articles that will give you all the answers you need, when you need them. BONUS--Includes the latest issue of Windows IT Pro each month. Sign up now for just $29.95 per month.

Windows Scripting Solutions Newsletter--2006 Special

Order now and SAVE up to $30 off the regular price. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get access to the entire online newsletter archive (more than 500 scripting articles), including the popular "Shell Scripting 101" series. Order now for just $99:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Passwords on a Stick

Dekart released Dekart Password Manager, software that runs on a portable memory device such as a USB key drive and automatically collects your passwords and personal data as you type them. Password Manager then encrypts (by using 256-bit AES encryption) and stores your information on the drive, which only you can use. The next time you need to supply the information, you insert the drive, and Password Manager does the rest. Password Manager works directly from the key drive, with no host PC installation. Password Manager requires Windows XP/2000/Me/98/95/NT and costs $39. A free 30-day trial period is available. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.