Airport Network Compromised
 

Hi everyone--I was connected to my friend's computer over our local network when I got a message stating that the network was compromised. I then got a message stating that OS X had been updated and wanted permission to access the keychain. When I clicked on details, it said that the systemUIserver wants the password. Does this mean that someone got into my computer and accessed my keychain?

Was this message via email?

Can you recall exactly what the message said? Was this message delivered in a dialog window that just popped up out of the blue - or what?

Thanks for the feedback! The message came up in a dialog box rather than via email. I can't remember exactly what it said, but I think it said something about the network being compromised just before the OS X dialog came up. Both came up out of the blue. The OS X dialog said that Mac OS X has been updated and needs to access keychain. I denied access.

Are you sure the dialog message used the word "compromised" ?
I've never seen or heard of that sort of message.
The subsequent dialog that you got asking for permission to access KeyChain is, I think, normal after the 10.3.4 security-related changes. I got that dialog and allowed it access on my system.

What programs were running on the computer? Anything like Henwen?

If not, is it possible your friend whose computer it was was playing a trick on you?

Trevor

Hi--Thanks for the feedback. I'm not sure that it used the word compromised. But it was something similar and scary. No non-commercial software except for Synch.

I'm sure that my friend wasn't playing a trick on me. She is a novice user. I just installed Little Snitch to see if anything is being sent via a Trojan Horse.

Thanks!!!

PS--I have a screenshot of the dialog box, but am not sure how to post it.

The dialog box asking you for permission to access KeyChain is nothing controversial. The thing which we really need to see is the message about your network being compromised. Unless you are running a network intrusion detection system such as snort/Henwen, there's nothing that is going to tell you anything like that. So where would a message like that come from? I have no idea. Frankly, I wonder if you misunderstood something innocuous.

Trevor

Hey Trevor. Could be. I installed Little Snitch after this episode and have only had one warning: check_afp wants to connect to 0.0.0.0 on UDP port 61961.

If that, too, is innocuous (whatever it is), perhaps this is all just me freaking out. The strange thing is the coincidence of the network message and an "update" to OS X, when the system hadn't been updated since 10.3.4.

If you would like to have warnings of these kinds of things, try Henwen, which is a free Mac GUI for snort, the best open source network intrusion detection system. It's available at http://seiryu.home.comcast.net/henwen.html

Trevor

Will do. Thanks for all of your help!

This happens when a mounted drive disappears. E.g., the remote machine is rebooted.

Many thanks. No remote machine mounted since last reboot. The mystery continues...But I've installed HenWen.

Same thing happened to me
 

Hey, just found this page because the same thing just happened to me. OSX came up with a system dialog saying something to the effect of "Your wireless network has become compromised. It will now be shut down for ..." something or other. It then turned off my AirPort (I use AirPort Extreme with the Apple base station).

I thought it was pretty cool when it came up. I was curious as to what it was actually detecting... and how someone compromised my network (I'm using WPA Personal.. don't tell me that's cracked now too...)

Anyone know anything about this? I'm almost positive it did use the word compromised (hence finding this page)

Okay, I found the following strings in the file "Localizable.strings" in the
"ClientController.bundle/Contents/Resources/English.lproj" folder under the
"/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources" folder:

"wpaIsFailureMIC" = "The wireless network appears to have been compromised and will be disabled for about a minute.";
"wpaIsReplayAttack" = "The wireless network appears to have been compromised and will be disabled for about a minute.";

I have no other information about this, but the names of these strings seem to indicate that the system is indeed detecting some sort of problem with WPA.

Slightly off-topic...
 

but I have to ask.

How did you locate these strings? I still can't seem to bend 'find' to my will, and real-world examples would help.

Thanks!

Although 'find' is very useful and could have been used to look for these strings, I didn't use it in this case.

I first used 'locate' to find the Airport network software components:

I tried:
locate Airport
and that didn't turn up much of interest, so I tried:
locate 802
(Airport networks follow the 802.11b and 802.11g IEEE standards)
and that led me to the folders I mentioned above, where I just browsed the contents until I saw the Localized.strings file.

If you wanted to use 'find' to search for a specific string like "compromised", you could do it with a command like:

find / -type f -exec grep "compromised" {} \;

This would execute the 'grep' command for each file under the / folder - i.e. it would search your whole drive. It would probably be very slow. To make it faster, you could limit the search to a smaller scope by supplying some other folder path as the first argument, E.g.:
find /System/Library -type f -exec grep "compromised" {} \;

But this would still be running a separate 'grep' process for each file. To make it more efficient, you could do one 'grep' on all the files by using 'xargs':

find /System/Library -type f -print0 | xargs -0 grep "compromised"

But the problem is that this will only work if the string "compromised" is in a plain ASCII text file since that is what 'grep' works with.

Many of the strings used in OS X are supplied in Unicode format so that they can be easily internationalized. These files are usually named "Localizable.strings" and are in UTF-16 big endian format. To search Unicode format files is a bit trickier. Perl is capable of handling Unicode but you may still need to know which of the many Unicode formats the file is in.

If we knew that the string we were searching for was in a file named "Localizable.strings" in UTF-16 big-endian format then we could do the search like this:

find /System/Library -name Localizable.strings -print0 | xargs -0 perl -n -e 'use Encode; $_ = decode("utf16be", $_); print if /compromised/'

Found this discussion on Apple's website, and in it a link to a more technical explanation that unfortunately doesn't seem to exist anymore.

Still looking for hard data since the text strings are included for SOME reason.

Found this article which explains some security limitations of the 802.11b WEP security standard. Interesting to note that key reuse is guaranteed after a certain amount is data is sent. It could be that Apple's solution is to reset the base-station after a certain amount of data to avoid using the same initialization vector. Thus you see this message only after a long amount of time using the wireless network or large data transfers.

What version of Airport are you using? Here is some more information about improving the security from WEP to something called WPA, but it seems to be related to using Airport Extreme.

Note that the strings referred to above start with "wpa", so it would seem that they are related to WPA and not to WEP.

Well, that shoots my theory down. It would be nice to know just how significant this message is.