signal boost: your wireless network is probably leaking passwords

[cellio]

Go read siderea's post about Firesheep and network security. Hijacking your credentials at many web sites, ranging from Twitter to Amazon, just got a lot easier.

No network is really secure, and especially not a wireless one. Someone who really wants to crack you can do so pretty much at will. As with physical security, the point isn't to keep the pros out; it's to discourage the kiddies so they'll go bother someone else instead. That said, you used to have to do at least a little work to crack someone else's security -- run a packet sniffer, launch dictionary attacks, and I'm not really sure what-all else. Now, it comes in the form of a convenient Firefox plug-in. (The running of which is almost certainly a violation of your ISP's terms of service and your employer's IT policies, just to be clear.)

So, reluctantly, I have ended our brief foray into leaking wireless into the street and not minding so long as they didn't eat much. (I had disabled our security recently because I was having problems connecting a new device.) An open network might be mostly harmless (given that we do no commerce, banking, etc from wireless devices), but I don't want to invite casual packet-sniffers onto my network -- don't want the risk that they can in fact get to me, and don't want that activity potentially associated with my IP address.

What I'd really like to have, and I can see no way to do this if you don't build your own router, is to receive an alert when an unknown device does show up on the network. Anyone know how I could do that when the tools available are a couple of Macs, legacy PCs (that are not usually left on), and a Verizon modem/router combo?

Comments

[frrom.livejournal.com]

I hope you put the security back on. Too many people don't bother in the first place, and I feel anyone who leaves their network open deserves to get bandwidth siphoned.

[cellio]

We weren't actually noticing bandwidth problems, but yeah, we're not dangling open wireless in front of people any more.

[siderea]

Oh, darn, I just saw an ad for a PC application which does exactly that... I don't know where I left it on the internet. :( ETA: Found it!

[cellio]

Thanks! Don't know if I want to keep a PC running just for that, but it's good to know about. (Hmm, I wonder if it would need to see the internet. The legacy PC is LAN-only for virus protection.)

[dsrtao]

If you had a wifi router built on DD-WRT or OpenWRT or another Linux distro, it would be easy. (Some of those are even commercial.)

Otherwise, you pretty much have to run an active scan (send packets, hope for responses) of your network every small_time_period, and report back.

[cellio]

Thanks. Yeah, I don't think I'm going to get much help from the current router on this, and I am loathe to disturb a configuration that is working by trying to roll my own.

[brokengoose.livejournal.com]

The "unknown device alert" has been on my to-do list for a long time. Some half-baked thoughts:

If you're willing to run your own DHCP server, this can be trivial. Depending on your DHCP server implementation, there may even be a "run a script if an unknown MAC address connects" option.

If you don't want to run your own server, whatever IS running your DHCP server can probably be configured to write to syslog. There are a few "watch syslog for interesting entries" programs out there. It's pretty easy to make a Mac start saving syslog information. Configure all of your devices to use static addresses at home. Then, if the DHCP server EVER hands out an address, send an alert.

You could always convert one of those legacy PCs to a dedicated network monitoring machine, but that's probably overkill.

[cellio]

Thanks.

I think the DHCP is being done by the router. Is it even possible to move that? I'm not up for building my own router to replace the current box. I'll look around in the settings for something like "run a script if an unknown MAC address connects"; that would be handy.

[ariannawyn.livejournal.com]

So as a mostly non-tech person, I tried to follow the explanations of how to fix this but failed.

I understand that there's a security opening for people to access your login credentials to a variety of sites, but I don't entirely understand whether my own system is at risk. Would you know?

FWIW, I have a Verizon FiOS WIFI network that's password protected with a WEP key. I generally use Google Chrome as my browser, though my kids use IE. That about reaches the limits of what I know about it.

All that said, I live on a rural gravel road where none of the houses nearby is likely to be in range of my WIFI, and there's no casual outside car traffic because it's a dead-end street, so I would think my risk is low anyway...

OTOH, I use a password-protected corporate WIFI at work on IE... but I have no control over the security settings there except on my own laptop.

[cellio]

I'm a latecomer to the wireless world, so not any sort of expert. I have heard from credible sources that WPA2 is better than WEP, for what that's worth. And wired connections are reportedly less vulnerable -- do you have any of those, or are all computers in the house wireless? If you can, I would recommend using sensitive sites (bank, PayPal, etc) from a wired connection.

All that said, given where you live I think you are considerably less vulnerable than many of us.

As for work, I would tend to assume that (1) they probably have it locked down and (2) an employer might be sniffing traffic anyway to see who's abusing the internet access. If it really needs to be private I won't do it from a work machine/network.

[geekosaur]

WEP is completely compromised, and WPA1 sufficiently compromised that I would not want to trust it.

Wired connections are safe for one reason only: switches are so cheap that they've all but replaced hubs, and switches won't forward arbitrary traffic normally. There are ways to defeat that in most switches, though, so it might not be wise to rely on this (although you can't easily apply them repeatedly, so if you have 2 or more switches between you and a potential attacker you are probably safe. For now, at least.)

Verizon's Actiontec routers default to WEP, but can be configured for WPA2 Personal in the Wireless settings. Make sure all your devices support WPA2; some portable gaming platforms (for example most/all? Nintendo DS series) only support WEP.