WOL security issue
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
|||||||||||||||||||||||||||||||
|
Posted by seaweedsl on March 23, 2008, 7:35 pm
Please log in for more thread options give me quick answer. One of our clients on the LAN wrote me saying that he thinks I should turn off Wake on LAN on each pc in the subnet because it's a security issue if somebody inside our LAN is infected with malware. He says that he knows, because it happened to him in the past. I can not find any references to WOL security issues and will write him asking for a link or example. , but thought I'd ask first here. From what little I understand, it seems that packet sniffing and file- sharing are more of a security issue within our LAN than having a sleeping pc woken up. Anybody got any comments? Thanks, Steve | |||||||||||||||||||||||||||||||
|
Posted by Jeff Liebermann on March 23, 2008, 8:15 pm
Please log in for more thread options Sigh. >One of our clients on the LAN wrote me saying that he thinks I should
>turn off Wake on LAN on each pc in the subnet because it's a security >issue if somebody inside our LAN is infected with malware. Yes. In general, if the feature isn't used, turn it off. However, WOL itself is not a security issue. However, tinkering with the firewall settings in order to get WOL to work through the firewall usually does result in a security problem. >He says that he knows, because it happened to him in the past.
Yep. There are programs the exploit WOL. WOL has no security from attacks originating from the LAN side of the firewall. Of course, if you have malware and other junk running on your LAN, you've got bigger problems than just WOL. Try treating the causes instead of tinkering with WOL. >I can not find any references to WOL security issues and will write
>him asking for a link or example. , but thought I'd ask first here. WOL can only turn on a computah, not off. In order to turn on a computah, it needs to know the MAC address of the ethernet card. This can be done by sniffing. If the PC's are on an ethernet switch, the client machines will only see their own MAC address, the various server MAC addresses, and any devices they can access (printers, gateways, routers, etc). Sniffing does not magically obtain everyone elses MAC address. Try it with a Windoze machine using a sniffer such as Ethereal, Wireshark, or just "arp -a". Once an attacker has a shopping list of MAC addresses, it can turn on any of the machines it see. The theory is that if it's going to spread viruses and worms, doing so at night, when the offices are closed is a somewhat better time to attack. If the virus protection and personal firewalls are functional on the PC's, nothing will happen. Frankly, I'm not worried, but there are some issues. Having someone arrive at the office in the morning, and finding their machine turned on is rather disconcerting. They usually suspect that someone has been tinkering, hacking, or snooping on their private files. However, it's usually NOT a WOL attack. It's me doing remote administration in the middle of the night using VNC, PC Anywhere, or remote desktop. I sometimes forget to turn off the machine when done (or screwup and crash the machine). If your client has reported that machines are magically turned on in the morning, when nobody is on, look for remote control software, usually installed by employees that wanna do work at home. >From what little I understand, it seems that packet sniffing and file-
>sharing are more of a security issue within our LAN than having a >sleeping pc woken up. It's impossible to sniff non-connected traffic on a switched ethernet port. Try it with Wireshark and you'll only see your own traffic. However, replace the switch with hub, and you can sniff merrily. Some managed switches also offer a monitor port, which redirects all the traffic to some designated port. >Anybody got any comments?
-- Jeff Liebermann jeffl@cruzio.com 150 Felker St #D http://www.LearnByDestroying.com Santa Cruz CA 95060 http://802.11junk.com Skype: JeffLiebermann AE6KS 831-336-2558 | |||||||||||||||||||||||||||||||
|
Posted by seaweedsl on March 24, 2008, 3:23 pm
Please log in for more thread options
>
> Frankly, I'm not worried, but there are some issues. Having someone > arrive at the office in the morning, and finding their machine turned > on is rather disconcerting. Thank you very much, sir ! Sounds like it very close to being a non-issue. I surmise, as before, that it won't hurt to turn it off on people's BIOS at leisure, but I'm not getting excited. Good to hear that not even packet sniffing is a concern considering we do use an ethernet switch (router). Steve | |||||||||||||||||||||||||||||||
|
Posted by on March 24, 2008, 5:33 pm
Please log in for more thread options > crash the machine). If your client has reported that machines are
> magically turned on in the morning, when nobody is on, look for remote > control software, usually installed by employees that wanna do work at > home. I've had a desktop turn on in the wee hours of the morning. No intentional holes in the firewall, and WOL is off. I think it is a Windows XP PC set for "automatic updates" at said wee hour of the morning that isn't actually off, only in standby. I don't know what process, if any, runs in "standby". Do scheduled tasks wake up a machine from standby? -- Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5 | |||||||||||||||||||||||||||||||
|
Posted by Jeff Liebermann on March 24, 2008, 7:09 pm
Please log in for more thread options On Mon, 24 Mar 2008 21:33:07 +0000 (UTC), dold@17.usenet.us.com wrote:
>> crash the machine). If your client has reported that machines are
>> magically turned on in the morning, when nobody is on, look for remote >> control software, usually installed by employees that wanna do work at >> home. >
>I've had a desktop turn on in the wee hours of the morning. No intentional >holes in the firewall, and WOL is off. Haunted house? Need an exhorcism? Critters playing on the keyboard? My previous cat would walk all over the keyboard. It was an HP that a power on/off button on the keyboard. I also found the machine turned on at odd hours. It's not impossible to punch a hole in your firewall to use for WOL. I've often suspected that UPnP can do that >I think it is a Windows XP PC set for "automatic updates" at said wee hour
>of the morning that isn't actually off, only in standby. Hmmm... That's possible, but I don't think so. I've got several of mine set like that, with WOL active (and functional). I haven't seen that problem on my machines or my customers. There are many BIOS's that have a wake up from standby feature for various inputs. Mine shows wake on modem ring, which might be the culprit. >I don't know what process, if any, runs in "standby".
Standby means that machine is still running, but at the very lowest CPU clock speeds and with all the peripherals powered down. In effect, it's turned on, but in a low power mode. >Do scheduled tasks
>wake up a machine from standby? Yes, but only in standby. If in hibernate or powered down, no way. -- # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060 # 831-336-2558 jeffl@comix.santa-cruz.ca.us # http://802.11junk.com jeffl@cruzio.com # http://www.LearnByDestroying.com AE6KS | |||||||||||||||||||||||||||||||
| Similar Threads | Posted |
| WOL security issue | March 23, 2008, 7:35 pm |
| Help please...issue with Norton Internet Security 2004 | December 19, 2005, 11:13 pm |
| What's the basic security issue with an unsecured home router? | May 26, 2008, 1:13 am |
| Senao 2611CB3+Deluxe setup issue, network configuration issue, or both? | January 27, 2006, 2:00 pm |
| IP issue | June 8, 2005, 12:56 am |
| DD-WRT issue | October 30, 2006, 3:08 pm |
| Wireless LAN issue | January 28, 2005, 12:51 am |
| connection issue | June 11, 2006, 5:15 pm |
| how 2 fix channel issue 12,13 | September 16, 2006, 12:23 pm |
| Connectivity Issue | October 28, 2006, 11:15 pm |
| Wireless Issue | March 25, 2007, 11:16 am |
| WRT54G v5.1 vpn issue | August 1, 2007, 1:15 pm |
| VERY strange issue | December 29, 2007, 8:47 pm |
| SOS - Wireless Issue | February 11, 2008, 8:12 pm |
| Linksys WRT54G issue | October 18, 2004, 12:30 pm |
>give me quick answer.