Wireless Security

[stevevan]

Just an observation here. I'm currently working at a building located on a small airport in southern Florida. I set my laptop up and, lo and behold...my wireless card picked up a very strong wireless network signal. (There are some houses and condo's across the street from the site, so I'm thinking it's from one of them.) There is no security on this network and I'm able to get into the Internet and browse at will if I wanted to. I also did some network system checks. Whomever owns this network also has file sharing enabled on their system so I was able to see into their computer. (For the record, I did NOT use this network for Internet access...that is illegal.) This is NOT a good thing!

 

There are many websites available that will explain wireless security and how to secure your network a bit. (Do a google search on "wireless security".) Even most of the router manufacturers have information that can be found on their websites. You don't have to be a rocket scientist and understand how each and every byte of information goes through every port. Just the basics...like changing the default wireless security settings after the router is installed.

 

Due to my job, I spend quite a bit of time on the road. I can tell many horror stories of network security issues that some people, including some major hotel chains, had no clue about. (On the plus side, I've gotten several free nights out of pointing out network problems to the hotel management! ) Now I don't claim to be a security expert, but I have learned enough to be able to secure my wireless system at home pretty effectively.

 

Bottom line is a little knowledge goes a long way. In these days of hackers and ID theft, it is MUCH better to be informed than to become a victim of some unscrupulous characters. In this case, it is a good thing to be a little paranoid.

[TCH-Tim]

Here's a white paper some guy wrote after some fun on a public wireless network at Boston's South Station.

 

My neighbor has a Linksys wireless router with the username: admin and password: admin and no security set up. I would learn him about the evil ways of the world, but then I wouldn't have a backup Internet connection when mine goes down.

[Madmanmcp]

I use GRC.com to tighten my network and check for holes. The only things I "share" are the printers and internet access. If someone really wants to sit in a car outside my house, in the cold or the heat just to get a poor connection and use my internet...go for it. If it starts slowing the network down I'll just chase them away with a shotgun . And if they really want to print something they will need to knock on the door and I'll charge them 10 cents a sheet if they want to keep it.

 

But I am trained for networking so I have a good idea what I am doing.

[Madmanmcp]

(For the record, I did NOT use this network for Internet access...that is illegal.)

 

Are you sure?

 

If someone leaves their access open, its not illegal to access and use it. You can't steal files or data or do damage like changing or deleting files. But just browsing the web I believe is ok...unless you secure it and its hacked or broken into.

 

I believe since its wireless and is broadcast over the radio wavelength its covered by FCC rules...and receiving radio frequencies is not illegal.

 

But I could be wrong .

[TCH-Tim]

If someone really wants to sit in a car outside my house, in the cold or the heat just to get a poor connection and use my internet...go for it.

 

If someone is on your network, they're halfway to where they want to be, whether the destination is the Internet or your computer (whether anything is shared or not isn't the point). Since it's so easy to turn on basic security settings to keep your average stranger out, and a little research can tighten the network even further, why not do it? Letting someone use your wireless network is equivalent to letting somebody walk into your office building to plug his laptop into your corporate network. You just don't let it happen. Granted, I was an IT guy at a bank for awhile, so that paranoia is ingrained in my brain now.

[Madmanmcp]

Since it's so easy to turn on basic security settings to keep your average stranger out, and a little research can tighten the network even further, why not do it?

 

I have. If you goto grc.com and visit the Shieldsup portion of Steve Gibson site, he explains in depth how to tighten security on your systems and lets you run a test to see how well you did. I've pretty much unbound all the security risks on all computers on my network.

 

Yes I could go the extra mile and tighten even further. Maybe I will if someone gets thru what I have now.

[TCH-Don]

LOL according to grc, I am ether in stealth mode or not connected to the Internet

[Madmanmcp]

Thats good Don, but it might be deceiving if you are behind a router or firewall. Try without them and see what you get.

[MikeJ]

If someone really wants to sit in a car outside my house, in the cold or the heat just to get a poor connection and use my internet...go for it. If it starts slowing the network down I'll just chase them away with a shotgun .

<{POST_SNAPBACK}>

 

Yea, a lot of that depends on location. At your house, they might have to sit in a car. At my place, I can see 7 wireless access points. When I was at my friends condo playing poker, we pulled out our laptops and found 20 access points (yes, we're geeks).

 

When someone can sit in the comforts of their own home and attempt to hack your network or use up your bandwidth, you become a little less friendly with leaving the key under the doormat.

[Guest Serpentine]

Good thing it is impossible to get access to my wireless router.

[MikeJ]

Good thing it is impossible to get access to my wireless router.

<{POST_SNAPBACK}>

 

Is it unplugged (or non-existant)?

[TCH-Tim]

Good thing it is impossible to get access to my wireless router.

<{POST_SNAPBACK}>

 

Is it unplugged (or non-existant)?

<{POST_SNAPBACK}>

 

An unplugged router is the only truly secure router. Unless of course you have physical access. Impossible is a pretty strong word when you're talking about network security.

[Guest Serpentine]

MikeJ,

 

My wireless router is still in the box at the store. In this case impossible is the right word.

Edited March 4, 2005 by Serpentine

[stevevan]

(For the record, I did NOT use this network for Internet access...that is illegal.)

 

Are you sure?

 

If someone leaves their access open, its not illegal to access and use it. You can't steal files or data or do damage like changing or deleting files. But just browsing the web I believe is ok...unless you secure it and its hacked or broken into.

 

I believe since its wireless and is broadcast over the radio wavelength its covered by FCC rules...and receiving radio frequencies is not illegal.

 

But I could be wrong .

<{POST_SNAPBACK}>

 

Receiving is not illegal...transmitting is.

 

(But really officer! It was only for a second or two! )

[Madmanmcp]

Receiving is not illegal...transmitting is.

 

Ok, thats from the FCC rules. So who exactly is doing the transmitting? If the network is open "anyone" can use it. I send a request to the network to view a specific web site and the router transmits the request on.

 

Since the Network is open I was given permission to use it. The network is doing all the transmitting. Where is the illegality?

 

Maybe this is why all the War drivers do what they do and the police just tell them to move along.

[TCH-Tim]

Receiving is not illegal...transmitting is.

Without your computer transmitting and receiving, you would not have been able to get on the network, and you definitely wouldn't have known that you could get on the Internet through it. But I agree with Madman, is it illegal if it's open? The network practically begged you to connect. I'm sure it could be illegal to intentionally access somebody's computer on the network, but "accidentally" connecting to a wireless network that just happens to allow you to get on the Internet, what judge would convict you?

[stevevan]

Ok, thats from the FCC rules. So who exactly is doing the transmitting? If the network is open "anyone" can use it. I send a request to the network to view a specific web site and the router transmits the request on.

 

Since the Network is open I was given permission to use it. The network is doing all the transmitting. Where is the illegality?

 

Maybe this is why all the War drivers do what they do and the police just tell them to move along.

<{POST_SNAPBACK}>

 

You do some of the transmitting, like you said..."send a request to the network". But your last statement is very true. To prosecute everyone would definitely be cost prohibitive. That's why they only go after the "big fish".

[Guest Serpentine]

So, if I leave my front door unlocked does that mean it is legal for you to come in and watch my TV?

[stevevan]

So, if I leave my front door unlocked does that mean it is legal for you to come in and watch my TV?

<{POST_SNAPBACK}>

 

[TweezerMan]

So, if I leave my front door unlocked does that mean it is legal for you to come in and watch my TV?

I see it more like this: What if you leave a working telephone in front of your house at the edge of your property? Would it be legal for anyone to just come up and use it?

[Guest Serpentine]

If it were only local calls. I am not paying for you to make calls long distance. And your scenario is a bit off. It would be if I left a working telephone line at the edge of my property. The user still has to bring their own equipment to the wireless table so to make it even they have to bring their own phone as well.

[TCH-Bruce]

And your scenario is a bit off.  It would be if I left a working telephone line at the edge of my property.  The user still has to bring their own equipment to the wireless table so to make it even they have to bring their own phone as well.

So how does that apply to them coming into an unlocked house to watch TV?

 

Wouldn't they also have to bring in their own TV to watch?

[Madmanmcp]

You are sort of talking apples and oranges here. With the telephone or TV you are crossing a physical boundary to get them to work and it is trespassing. With wireless you are talking airwaves and the use of these airwaves is free and is covered under different rules. You are sitting in a public space when you access these airwaves.

[stevevan]

Man I love a lively discussion!

 

As I interpret things, the transmission of signals is the issue. But as Bob alluded to before (and I said earlier), unless there's a huge point to be made, either personally, financially, or politically, most prosecutors and judges won't even touch the small fish.

[Guest Serpentine]

Bruce,

 

Only if the cable line ends at my property. Now shush.

 

Bob,

 

It is still fruit, stop ruining my plans of forum domination.

 

Steve,

 

The airwaves are free, my hardware is not and the govt. cant catch me... or something like that.

[stevevan]

[Deverill]

With wireless you are talking airwaves and the use of these airwaves is free and is covered under different rules. You are sitting in a public space when you access these airwaves.

 

The use of airwaves is free, but to use those airwaves to freeload on someone else's resources (ISP costs, equipment costs, electricity, etc) is not. It is similar to finding out that your cordless phone works on your neighbor's base set so it must be free to make calls to whomever you want, right? After all, the airwaves you are using are free and it's not your fault the neighbor has a phone line hooked up to his receiver!

[TCH-Tim]

The use of airwaves is free, but to use those airwaves to freeload on someone else's resources (ISP costs, equipment costs, electricity, etc) is not.  It is similar to finding out that your cordless phone works on your neighbor's base set so it must be free to make calls to whomever you want, right?  After all, the airwaves you are using are free and it's not your fault the neighbor has a phone line hooked up to his receiver!

Is it illegal if you don't know that your phone is working off your neighbor's base station and not yours? On occasion, my computer will connect to my neighbor's unsecured wireless network instead of my own. Usually I pick up on it right away, but sometimes I don't realize it until I go searching for the cause of my slow Internet connection. Is ignorance criminal?

[Madmanmcp]

The use of airwaves is free, but to use those airwaves to freeload on someone else's resources (ISP costs, equipment costs, electricity, etc) is not.

 

Can you point me to the law or the FCC rule that says this? Things that you believe are wrong are not always against the law.

 

Laws are always way behind technology and take years to catch up. I believe its wrong to connect to someone else wireless network and "steal" his bandwidth and freeload off some unsuspecting computer user. But am I actually breaking a law if I did? I don't think I am, but I am willing to read and learn if someone out there knows where it is.

[TCH-Tim]

Things that you believe are wrong are not always against the law

 

Exactly. Ethics aside, anything broadcast on the public domain is public. Just like a CB radio. I can sit here and listen all day and it's perfectly legal. Your wireless network is broadcast in the public domain, so if you don't want me to see it, secure it. It's just that simple.

 

I would also be very interested in reading the rule (FCC or otherwise) that says it's illegal to connect to an unsecure wireless network and possibly use it for Internet access.

[stevevan]

Give me some time to research and see if I can find something and I'll get back with everyone.

[stevevan]

What I have found so far (which is rather rough using a dial up!):

 

I started at the Cybercrime website. Through a few links, I ended up here - Federal Computer Intrusion Laws. From here, I found 18 U.S.C. 2510, Chapter 119. I think this may cover the legality of accessing unsecured networks.

 

DISCLAIMER: I am not, nor do I claim to be, a lawyer. Any legal questions concerning this thread need to be referred to a competent attorney knowledgeable in this area.

 

I also have an email into the FCC, so we'll see if they respond with anything to contribute.

[Guest Serpentine]

I rather enjoyed this post. I really dont care as I dont have one but if I do get one and I go through the trouble of securing it and then you break in then I think that should be against the law.

[Head Guru]

Serpentine,

 

To be honest I've never enjoyed a thing that John C. Dvorak has ever written.

 

Bill

[Madmanmcp]

I started at the Cybercrime website. Through a few links, I ended up here - Federal Computer Intrusion Laws. From here, I found 18 U.S.C. 2510, Chapter 119. I think this may cover the legality of accessing unsecured networks.

 

Wow, I had to ask didn't I

 

I browsed around and got dizzy and fell to the floor screaming for mercy! I'm a computer tech, not a lawyer

 

Last night in my search I found a web site that talked about a New Hampshire (I believe) bill that is being worked on that will change the law and make it the responsibility of the individual user of a wireless network to secure it. If its not secure its fair game.

 

So now I guess I beleive a law is out there somewhere but as Steve pointed out, prosecuting the "small fish" is not going to happen. I browsed around the Cybercrime website and specifically looked for a case and could not find one. So it appears that this part of the law has not been tested in court...

 

Love the disclaimer Steve and thanks for starting this thread. Bet you didn't think it would evolve into to this.

[Madmanmcp]

To be honest I've never enjoyed a thing that John C. Dvorak has ever written.

 

I enjoyed his keyboard.

[Deverill]

The use of airwaves is free, but to use those airwaves to freeload on someone else's resources (ISP costs, equipment costs, electricity, etc) is not.

Can you point me to the law or the FCC rule that says this? Things that you believe are wrong are not always against the law.

 

Well, if you want to get precise about it, what country's laws are we talking about?

 

Here's something I found:

Under the federal Computer Fraud and Abuse Act (18 United States Code § 1030), such hijacking constitutes unlawful "access," which is the first element of the crime. However, under the second element of the crime -- namely, damage --, you cannot be convicted unless damage exceeds $5,000, which likely did not occur in your situation. Interestingly, the damage element can be satisfied (and the hijacking is therefore illegal), if the network owner spends $5,000 in re-securing the network, even if you caused no system or data loss. Be careful, however, because most states have similar laws, some of which require a much lower damage threshold.

Which sums up what I was thinking. Of course the little guy will never get prosecuted... but then again, ask the 80 yr old Granny that got slapped with an RIAA lawsuit because her granddaughter Kazaa'd some albums.

 

Tim said

Your wireless network is broadcast in the public domain, so if you don't want me to see it, secure it. It's just that simple.

to which I would reply - "If you don't want me in your house, lock the door and if you don't then it's perfectly legal for me to enter and help myself.

 

Additionally, check out the laws about receiving police transmissions. In every state in the US there are laws that say to receive police transmissions in a car is illegal. Yes, it is the airwaves and it is "public domain" but if you have a scanner and get caught then you'll have the scanner taken and possibly charged with a crime. The only exception is emergency response folks (fire, police, ambulance, etc) and licensed amateur radio operators. So, this is another example that just because it's out there doesn't make it legal to intercept. As was said (sort of), just because something seems legal doesn't make it so.

 

Bottom line - if you're not doing it then fine, don't worry about it. If you are then be prepared for the consequences if you get caught and someone wants your skin bad enough to pursue it in court.

[TCH-Tim]

Tim said

Your wireless network is broadcast in the public domain, so if you don't want me to see it, secure it. It's just that simple.

to which I would reply - "If you don't want me in your house, lock the door and if you don't then it's perfectly legal for me to enter and help myself.

*goes to lock door*

*returns to keyboard*

 

Trespassing and automatic connections to stray wireless networks are not quite the same.

 

If a wireless signal enters my house (I didn't go looking for it, it just showed up), is it my responsibility to refuse the connection, or is it the network owner's responsibility to make sure I can't connect? I'm not talking about wardriving or actively looking for a network. I turn on my computer, it finds a network, it connects. All I know is that I'm on the Internet, and it could be my router, but maybe it's not. Who's at fault?

[Deverill]

I would assume the courts would approach it like stolen goods - if you go down to the shady part of town and buy a TV for $20 off the back of a truck then you'll probably go to jail. If you buy something at a pawn shop and it turns out that it was stolen they'll just take it away from you but there will be no charges against you.

 

If you acidentally hit an unsecure network in your neighborhood they'll never catch you but if they did it would be a "be careful next time" and that's it.

 

The funny thing about the law is they like for the prosecutors to prove intent.

 

This is only opinion based on my limited knowledge of how some of the legalities work.

[Guest Serpentine]

Serpentine,

 

To be honest I've never enjoyed a thing that John C. Dvorak has ever written. 

 

Bill

<{POST_SNAPBACK}>

 

Bill,

 

You know that our opinions differ on many things but I do agree on what he is saying.

[stevevan]

Love the disclaimer Steve and thanks for starting this thread. Bet you didn't think it would evolve into to this.

No, I didn't! But I love the participation! As we can tell here, there are as many different opinions as "what if's". I guess it really boils down to your own set of values. Hopefully this thread will make someone want to learn a little more about their own network and/or computer security. Knowledge is always a good thing.