Mysterious ad-hoc network.

Discussion in 'other software & services' started by Close_Hauled, Apr 19, 2005.

Thread Status:
Not open for further replies.
  1. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Our security protocols do not allow for wireless networking, so the wireless radio is disabled on all laptops. I have two users (my bosses) with laptops and both of them came back from working at another company site. Both of them had an ad-hoc network called "pepperdine" that was mysteriously added to their wireless cards. This ad-hoc network is unsecured, with no encryption. In other words, wide open. Both of the users swear that they did not add the connection, and I believe them. There is no reason for these two to lie to me. So now I have to figure out how they got there. Has anyone heard of anything like this happening? Perhaps some spyware?
     
  2. GForce

    GForce Guest

    Close,

    What other details can you provide? All searches surround Pepperdine University in California which has a law school.
    Have your bosses attempted any inquiries, or you're the one who gets to break the news?


    GF
     
  3. Close_Hauled

    Close_Hauled Registered Member

    I Google'd it too and came up empty. That's when I decided to post here.

    I am still looking at one of the laptops. I am looking at everything in its startup and confirming that it is legit. Some stuff was added, but that was a result of him logging in at the home office. They run SMS down there. I remove SMS from our systems because we are isolated. They also use ePolicy Orchestrator, which I remove, again because we are isolated. When you are isolated, these things cause more grief than they are worth. I still do things the old-fashioned way and physically look at each machine every month when Microsoft renews my job security. When that happens, I confirm that each machine is updating McAfee, Spybot, Ad-Aware, and Windows. I manually update them if they aren't and fix the scheduling problem. I scan the systems with McAfee, Spybot, and Ad-Aware after they have been updated. I update other software as well (Office, etc.). My intimacy level with each machine is pretty high, so I can usually tell what’s wrong before I touch the keyboard.

    Users are not admin equivalents, so they normally cannot install software. Only laptop users are allowed to install software. This user did install some software:

    Apple iTunes
    MSN Toolbar

    The user has a Mac at home and likes to use MSN.

    My instinct says that SMS pushed something out. But I doubt it, since the wireless connection is unsecure.
     
  4. GForce

    GForce Guest

    I'd like to add...

    The Windows Zero Configuration Service is what you need to look into, most likely responsible for that mishap.
    Two pages I thought you might be interested in... Wireless Intrusion Detection Systems, Intrusion Detection FAQ.

    There's a variety of packet analyzers on the SANS site which handle the IEEE 802.11 wireless LAN standard.
    SourceForge is another resource that comes to mind.

    EDIT - Hey I just caught your post. Does SMS have something to do with voice over or phone messaging?


    GF
     
  5. Close_Hauled

    Close_Hauled Registered Member

    GForce,

    Thanks for the posts. I looked at the sites, and I will look into intrusion systems. Especially in the light of what I am seeing now.

    SMS is Microsoft Systems Management Server. Our company uses it to push out software updates and security policies. When one of our systems logs into the home office servers, the login script installs SMS onto the system and disables Windows Update. SMS then configures the system to conform to company policy. The problem is that we are isolated, so their updates never get loaded. I update all of the systems manually. That is why I unload SMS, because it doesn't work here anyway. Besides, I usually update Windows and McAfee before the company does.

    I believe that I have found the problem, and I am still investigating. All of these systems are Dell Latitude D600s with TrueMobile 1300 Client Utility running. The version of the client utility that these two are using is one revision older than mine. The older version will automatically connect to an unsecure ad-hoc network. My version has a check box that you must select each time you connect to an unsecure ad-hoc network. So the first thing that I must do is update their utilities (I am trying to download the latest drivers as I write, but the Dell web site is too busy. Figures.). Then I need to get the users to change their passwords. I need to change my password, and the local admin password as well.

    But I still need to track down the source of the "pepperdine" network. Stay tuned.

    Close Hauled
     