I see this all the time on our campuses.
Digging a bit, I invariably find that what I'm seeing is
*clients* trying to find a service by that name -- and
failing, because it isn't here.
My working theory is that these clients have learned of
such a service while being used off-campus, and so are
checking for it as part of finding out what's available.
Bottom Line -- Unless they're getting a connection
established, nothing for me to worry about. Unless this
shows up on one of our machines that never leaves the
campus....
David Gillett
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Shawn
Sent: Tuesday, June 19, 2007 1:27 PM
To: security-basics@securityfocus.com
Subject: In secured office building, "Free Public WiFi"
network shows up out of nowhere
This scenario occurred this morning- any suggestions or
insights are appreciated, as are any comments as to my
handling of this.
I'm a Security Specialist for a medium sized company. I have
only been working in security for 2 months. There are no
other Security Specialists here. I report to our Manager of
Information Security, who is out of town on business. I work
in a 6 floor office building which we own completely. We
lease the second floor to a computer training center. We do
not permit our employees to use any wireless networks, and we
do not have any access points. Ad hoc connection is prevented
through group policy. All of our laptops are XP SP2. Up until
today, I have never seen an available wireless network here.
Periodically I check to make sure that no one has installed
an unauthorized WAP. This morning I fired up NetStumbler and
found that a network named "Free Public WiFi" was not only
available, but available at full strength. This was listed as
a peer to peer network, so I assumed that the network was
actually being broadcast from another wireless device
(laptop). This network was listed as being wide open with no
required key and no encryption. The originating point
definitely appears to be coming from within my building, but
I haven't been able to determine exactly where.
I immediatley checked the MAC address of the wireless SSID to
make sure that it didn't belong to one of my company assets.
It did not.
I then connected to the network with my laptop. I was not
assigned an IP address, rather Windows gave me one of the
default 169.254 APIPA addresses. I then sniffed packets for
over an hour. I felt justified in doing this, to make sure
that none of my companies equipment was connecting to this network.
I found no network activity whatsoever.
Finally, I ran a ping sweep against the 169.254.x.x subnet to
make sure that none of my companies equipment were connected
to this network. The ping sweep returned only my laptop and
one other device. I checked the other device's MAC address in
my inventory and verified that it too was not our equipment.
I then summarized all of my investigation and sent it to my
boss in an email. I suggested that this network does not
appear to be malicious at this time and offered to take more
action pending his recommendation. I believe that this
network probably belongs to someone at the computer training
center on our second floor playing around.
Do you all feel that these were appropriate actions? The only
other possible action I considered regarding this would be to
contact the training center on the second floor and ask them
about this. What do you all think?
As always, your feedback is appreciated.
Thanks,
-Shawn
