# Hey Buddy Watch Where You Put That Wireless!



## MA-Caver (Apr 25, 2011)

This is an important read... 


> By CAROLYN THOMPSON, Associated Press - Sun Apr 24, 3:35 pm ET
> BUFFALO, N.Y. - Lying on his family room floor with assault weapons trained on him, shouts of "pedophile!" and "pornographer!" stinging like his fresh cuts and bruises, the Buffalo homeowner didn't need long to figure out the reason for the early morning wake-up call from a swarm of federal agents.
> That new wireless router. He'd gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.
> "We know who you are! You downloaded thousands of images at 11:30 last night," the man's lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, "Doldrum."
> "No, I didn't," he insisted. "Somebody else could have but I didn't do anything like that." (read rest of the story): http://news.yahoo.com/s/ap/20110424/ap_on_hi_te/us_wi_fi_warning


Kinda scary because m'dad is considering getting a wireless router for his equipment. I'll have to make sure that it's a tightly woven encryption so no one else can piggyback on it. 


> The government's Computer Emergency Readiness Team recommends home users make their networks invisible to others by disabling the identifier broadcasting function that allows wireless access points to announce their presence. It also advises users to replace any default network names or passwords, since those are widely known, and to keep an eye on the manufacturer's website for security patches or updates.



It sucks that ICE doesn't bother to thoroughly check on something before busting down doors and throwing people down steps before finding out whether they're innocent or guilty. Almost Gestapo/SS-like police tactics that shouldn't even be allowed. 
I don't like pedos either but I'd at least make DAMN sure there's no question about their being the guilty party before giving them a piece of what everyone wants them to get. 



Still for those who are not the guilty ones ... seems that it's best to go over the top in secure connections to prevent any misunderstandings. 



Any other recommendations from the Computer smart guys out on MT?


----------



## Bob Hubbard (Apr 25, 2011)

Set your router to only accept access from particular MAC addresses (unique to each network card). Then you can be pretty wide open yet still reject all but your approved connections.

I restrict to known-good MAC addresses, plus use 1024-bit encryption with signed keys. Never seen a blip on my net in 10 years. Was a PITA to get the Wii connected though. LOL


----------



## Bill Mattocks (Apr 25, 2011)

Bob Hubbard said:


> Set your router to only accept access from particular MAC addresses (unique to each network card). Then you can be pretty wide open yet still reject all but your approved connections.
> 
> I restrict to known-good MAC addresses, plus use 1024-bit encryption with signed keys. Never seen a blip on my net in 10 years. Was a PITA to get the Wii connected though. LOL



MAC addresses can be faked.  

However, it's still good advice. Most people sucking bandwidth from others will not bother trying to crack encrypted and otherwise hardened devices; they'll move on to easier pickings. Like locking your car doors will stop many thieves. If they really want in and they're good, they're going to get in. However, don't make it simple for them.

http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm

If your router is left in the default setup, anyone within distance can attach to it and do whatever they like.  This is not good, for the reasons linked to in the story above.


----------



## granfire (Apr 25, 2011)

Hmm, heard stuff like that about owning growing lights for your indoor plants...


----------



## jks9199 (Apr 25, 2011)

Most of this can be prevented, as Bob & Bill say, by simply securing your router & network.

As to the investigative side -- there's just no practical way that I'm aware of (short of some maybe-stuff at the CIA/FBI super-secret-squirrel stuff) to identify from outside who on a particular network is actually the one doing things.  Once they get inside, and can examine the computers, they can figure out what happened. 

Folks -- I just looked at my wireless networks available.  There are about a dozen of them.  About half are listed as secure.  These scumbags (and others, sometimes including for-real terrorists!) just drive around a neighborhood until they find an open network, and then they have at it.  They'll use a home or an open business net (yeah, you can find those, too) because the legit open networks like maybe a Starbucks or library, or around some parks, have protections and better internal tracking.  If an investigator finds something leading back to those -- they know what's up to a certain extent.  Some "anonymous" home net?  Looks like the guy, no?

It's not unlike the deal where someone has contraband delivered to a house, and they intercept the package before the homeowner gets there to go "what the hell is this?"  Meanwhile, unknown to either the crook or the innocent homeowner, the cops become aware, and do a controlled delivery -- targeting the innocent homeowner.  Sometimes, all the investigation in advance you can do doesn't clear the homeowner until cops knock on the door... and that's often done with a SWAT team in a drug delivery.  (Yes, there have been some glaring cock-ups because someone didn't do that advance investigation very well...)


----------



## Bob Hubbard (Apr 25, 2011)

jks9199 said:


> As to the investigative side -- there's just no practical way that I'm aware of (short of some maybe-stuff at the CIA/FBI super-secret-squirrel stuff) to identify from outside who on a particular network is actually the one doing things.  Once they get inside, and can examine the computers, they can figure out what happened.



It's not that hard, however running those programs tends to violate most ISPs' TOS. For example, if I were to use the software to test MT's security, I violate both the data center and my ISP's TOS. That's why I have the DC do the testing for me. Keeps the TOS violations out of play, and lets the guys best able to patch the holes do so immediately.

Packet Sniffing. Google it if you're inclined. 
Not responsible for anyone who decides to play with the software though.


----------



## Bill Mattocks (Apr 25, 2011)

For the geeks amongst us...since we're talking routers...

http://www.dd-wrt.com/site/index


----------



## jks9199 (Apr 25, 2011)

Bob Hubbard said:


> It's not that hard, however running those programs tends to violate most ISPs' TOS. For example, if I were to use the software to test MT's security, I violate both the data center and my ISP's TOS. That's why I have the DC do the testing for me. Keeps the TOS violations out of play, and lets the guys best able to patch the holes do so immediately.
> 
> Packet Sniffing. Google it if you're inclined.
> Not responsible for anyone who decides to play with the software though.


Bill -- I don't know.  You guys work in the field, I don't.  I just can go by what the computer investigators I know tell me they can do.  It may be that they can do it if the computer is currently active, or that there are wiretap related issues...  I don't know.  It may even just be that they know it was Computer X on home network 123 -- but they can't tell you if that computer "lives" there, or was on the street in front of the house.


----------



## Bill Mattocks (Apr 25, 2011)

jks9199 said:


> Bill -- I don't know.  You guys work in the field, I don't.  I just can go by what the computer investigators I know tell me they can do.  It may be that they can do it if the computer is currently active, or that there are wiretap related issues...  I don't know.  It may even just be that they know it was Computer X on home network 123 -- but they can't tell you if that computer "lives" there, or was on the street in front of the house.



That's Bob, not me.  But...

Most wireless routers are DHCP servers.  They receive incoming calls for connections to their outbound internet connection and they assign it an IP address if all security protocols and/or passwords are correct.  Many routers also log such data - the same machine connecting later would generally be assigned the same IP address, unless it had already been given to a different machine.

All connections to the outside network (Internet) are done via the one ISP-assigned IP address; this is what the investigators saw when they asked for a trace. The ISP in question could tell the investigators what subscriber currently had that IP address, but nothing more unless they owned the router in question (for example, AT&T Uverse does). In such cases, they could tell the IP addresses and MAC addresses of the devices that had connected to the DHCP server, but not (as you said) whether they were located inside or outside of the residence.

Such forensic data would only become available after the router in question had been examined forensically.  Of course, I am not a criminal investigator; perhaps they have tools I am not aware of.
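The point made in the post above, that the router's DHCP records can say which device held a lease at a given time but not where that device was, can be shown on a log. The following is an added example written for this thread, not code from the post, and it models no real router: it parses DHCPACK lines in the syslog format dnsmasq uses (common on consumer and DD-WRT firmware), reconstructs which MAC/IP pairs held a lease at a chosen moment, and labels each against a household allow-list of known devices. The log lines, the allow-list, the 12-hour lease length and the year (syslog timestamps carry none) are all constructed assumptions.

```python
"""Who held a DHCP lease on the home router at a given moment?

Added example for this thread, not code from the post above. Parses
dnsmasq-style DHCPACK syslog lines; the sample log, the allow-list of
known MACs, the lease length and the year are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: three devices, one of them unknown to the household.
SAMPLE_LOG = """\
Apr 24 18:02:11 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.10 00:1b:63:aa:bb:cc dads-pc
Apr 24 21:15:40 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.11 00:17:ab:11:22:33 wii
Apr 24 23:12:05 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.12 00:26:5e:de:ad:01 android-3f2c
Apr 25 07:40:00 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.10 00:1b:63:aa:bb:cc dads-pc
"""

# Assumed household inventory (constructed): MAC -> human label.
KNOWN_MACS = {
    "00:1b:63:aa:bb:cc": "dad's desktop",
    "00:17:ab:11:22:33": "Wii",
}

# dnsmasq's default lease time, assumed here since the ACK line does not carry it.
LEASE_TIME = timedelta(hours=12)

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\(\S+\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)


def parse_acks(log_text, year=2011):
    """Turn DHCPACK lines into lease records with an assumed start/end window."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # other dnsmasq chatter (DHCPDISCOVER, DNS queries) is ignored
        start = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        leases.append({
            "start": start, "end": start + LEASE_TIME,
            "ip": m["ip"], "mac": m["mac"], "host": m["host"] or "",
        })
    return leases


def devices_active_at(leases, when):
    """Leases valid at `when`; for an IP handed out more than once, the latest ACK wins."""
    active = {}
    for lease in sorted(leases, key=lambda l: l["start"]):
        if lease["start"] <= when < lease["end"]:
            active[lease["ip"]] = lease
    return list(active.values())


def who_was_online(log_text, when_iso, year=2011):
    """Devices holding a lease at `when_iso` (e.g. '2011-04-24 23:30'),
    labelled from the allow-list or marked UNKNOWN. Says which device,
    never where it physically was."""
    when = datetime.fromisoformat(when_iso)
    rows = []
    for lease in devices_active_at(parse_acks(log_text, year), when):
        rows.append({
            "ip": lease["ip"], "mac": lease["mac"], "host": lease["host"],
            "label": KNOWN_MACS.get(lease["mac"], "UNKNOWN"),
        })
    return sorted(rows, key=lambda r: r["ip"])


if __name__ == "__main__":
    # "11:30 last night" in the story, on the assumed date.
    for row in who_was_online(SAMPLE_LOG, "2011-04-24 23:30"):
        print(f"{row['ip']:15} {row['mac']}  {row['host']:14} {row['label']}")
```

Run as-is it lists three devices for 23:30 on Apr 24, two matched to the household inventory and one UNKNOWN, which is exactly the evidence the post says a router can supply: an unfamiliar MAC on the LAN at the time in question, with no way to tell from this data whether it was in the house or in a car outside.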


----------



## Bob Hubbard (Apr 25, 2011)

If I were so inclined (I'm not), I could tell what Bill is doing at any time.
I need to know a few things in advance in order to pinpoint Bill however. 
(No I won't say what)
If I didn't care who I got, I could just watch a series of IPs, monitor the traffic originating from them, and a selection of known destination IPs.  In this way, I could snag Bill's bank access info.  
Unless he's sending it encrypted, which makes reading it quite a bit harder.
Most email is sent in clear text, not encrypted.
So are the usernames and passwords associated with the accounts.
FTP is clear text, which is why when I was running the hosting biz we eliminated FTP in favor of SFTP which is encrypted.
Oh, your facebook access?  Clear text.

Combining this, with data provided by an ISP, and other monitored sites, is how you catch bad guys.  Over simplified explanation.


----------



## Twin Fist (Apr 25, 2011)

eeeek!!


----------



## Bill Mattocks (Apr 25, 2011)

Bob Hubbard said:


> If I were so inclined (I'm not), I could tell what Bill is doing at any time.
> I need to know a few things in advance in order to pinpoint Bill however.
> (No I won't say what)
> If I didn't care who I got, I could just watch a series of IPs, monitor the traffic originating from them, and a selection of known destination IPs.  In this way, I could snag Bill's bank access info.
> ...



All true. But you still can't tell if I'm located physically inside my house or in a car parked in front of the neighbor's house, is what I'm saying. From my IP address, you can tell a lot of things; you can even disassemble the packets and look at that. But not where I am located more precisely than the physical street address that the router I am attached to is located.

Oh, and PGP for email.  I prefer scp to sftp.


----------



## Bob Hubbard (Apr 25, 2011)

All the more reason to be careful when hitting that porn, warez or church site.
You never know who's going to install a backdoor sniffer on your system to scan your whole local network.

At one time, part of my job was to run 2-3 port scans of our network, scan the open ports, print out the findings, then embarrass some VPs with rather interesting info. I miss those days...the money was niiice!


----------



## granfire (Apr 25, 2011)

Keep talking guys....

If I disappear it's because my tinfoil hat got too tight and I chucked my net out the window....


----------



## Bill Mattocks (Apr 25, 2011)

Bob Hubbard said:


> All the more reason to be careful when hitting that porn, warez or church site.
> You never know who's going to install a backdoor sniffer on your system to scan your whole local network.
> 
> At one time, part of my job was to run 2-3 port scans of our network, scan the open ports, print out the findings, then embarrass some VPs with rather interesting info. I miss those days...the money was niiice!



Yeah, I did Tiger Team stuff back in the day as well.

http://news.cnet.com/2100-1001-205144.html

http://news.cnet.com/Student-finds-AOL-bug/2100-1023_3-208416.html

http://news.cnet.com/2100-1023-207228.html

Ah, memories.


----------



## Carol (Apr 26, 2011)

*cough cough* deep packet inspection, stateful packet capture *cough cough*


----------

