Wireless AP Not Secured & used b/outsider - what to do now?

Hi Everyone:

I had set up my wireless router properly a long time ago. I turned off broadcast of wireless (as i don't use it in wireless), and changed the password.

I just noticed last night that I had, under attached devices in my router page, an extra IP address. I thought this was odd, and once i realized what it might be, I checked my wireless settings. To my surprise, they were set as broadcasting, with no encryption and with an SID that I know I would not have set myself. In other words, someone in my apartment has been using my network.

I've since turned off the wireless access point, changed the password again, and changed the SID (after writing down the one the intruder was using). I also have a wireless keyboard and while i assume it isn't powerful enough to broadcast, i made it into secure mode (Logitech keyboard).

My question is - what should I do now? I'm assuming that the person was utilizing it for internet access, but could they also have been using it to get into my computer? I also have Norton IS 2003 running and updated on my computer, while using XP in a double boot with Ubuntu.

Would you reinstall everything from scratch? any other suggestions? Is there a way to determine who it was who was breaking into my system?

Any suggestions would be greatly appreciated. I am actually not lacking in competence when it comes to computers - I was just careless. Now, I'm not sure what to do.

Thanks,

Pulper

 

You can unscrew the antenna off of the router and that will stop the uninvited guest. When I quit useing wireless I turned the broadcast off and removed the antenna and it secured my internet connection from unwanted users. Or you can just buy a new non wireless router for under $30.00 at W-M. Once you have them blocked out there is nothing more they can do. If it would make you more at ease you might change your passwords.

 

thanks for your reply! my major concern now is that my computer would have been compromised. is this likely? i know i have file sharing enabled but don't have any shared drives or folders.

thanks,

Pulper

 

Once you cut the wireless connection they have no more access to your files. unless you had sensitive passwords or pin numbers they might use you should be safe.

 

thanks again! my major concern is what was likely to have happened to my computer files. i know they probably would no longer have access (since i've changed my router settings) unless they installed some program on my computer that allows them access (maybe a rootkit or a trojan horse).

is it very possible that they could have copied some of my files? with NIS running on my computer and updated as well and no shares, would you be concerned?

thanks,

pulper

 

Just a couple of questions, since a couple of items are a bit obscure. In your original message you wrote:

In most cases wireless routers have a couple of items one can disable - turning off broadcast of the SSID and disabling wireless mode. The former doesn't disable wireless while the latter does. You go on to note that

This is a typical default setting, nothing special there. Was the SSID the default?

Here it sounds as though you have in fact disabled the wireless function (as opposed to the SSID broadcast).

Just asking to verify that your initial setting really did in fact disable the wireless function and simply not stop the broadcast of the SSID since the terminology that you used above is a little ambiguous.

Assuming you did disable your router initially, the only logical conclusion is that the user of the router - or some other third party - had physical access to your router and/or PC. In some respects, access to files via a wireless connection is not necessarily the most critical thing to focus on if that is the case.

Blue

 

if my files and folders were not financial critical I would't be overly concerned.

 

I believe that I did both but now am not sure.

It was a pretty long SSID, so I don't think so. about 12 characters and included a semicolon in it.

Thanks for the information here. I see your point. Especially since I had a password on my router that was a pretty strong password (ie has special characters), the only way that I can think that someone would be able to access the router setup webpage to change the SSID and broadcast the wireless signal (assuming i had turned that part off) is to use MY computer since it saves the password to login automatically (in firefox). If that is the case, then lost data would be the least of my worries!

I think that reformatting my drive and reinstalling will be the way to go. I'll have to change all passwords on my accounts to make sure.

Would there be a way to track who this was? I could make it available again to the user and when he/she is on, i would somehow be able to track where it is coming from or look at their traffic. Or, is this something that is beyond the scope of average computer users?

Thanks,

Pulper

 

Generally default SSID's are simple - such as the manufacturers name, model, simple words (Wireless, WLAN, etc.). In some cases the device MAC ID is a default SSID, this one could look complex.

I guess the thing to do is assess whether this is a reasonable scenario, either through a friend/roomate who activiated it for very temporary access and it was then left on for a third party to get access or via a physical break-in (which to be blunt would seem very unlikely)

While this may make a certain amount of sense, it's still unclear whether this was a case of a neightbor simply using open access or something more untoward. If you do go down the route of a reinstall, just verify that you have absolutely everything in hand via hard copy in the way of program serial numbers, activation codes, etc., before you start. I've seen even experience people get caught in a bind due to initial haste. This is a time to be very deliberate on the steps you take.

There are a few things possible. First of all, the router will have the MAC ID of the connecting card, however, bear in mind that this can be spoofed so it is not a firm tie to the physical device. You can also sniff ethernet traffic between the router and the unknown IP. There are a number of ways to acccomplish this and since you are monitoring the communications going through your device, there should be no privacy invasion or other issues. Whether or not this will yield useful information is another matter.

Blue

 

Maybe it it possbile that your router got reset to the default settings somehow. And then it was easily accessible by someone with knowlegde.

If your router has the feature of WPA encryption I would enable that. Generate a very strong passphrase here: grc.com.
Changing password and SID is a great idea.
Maybe you can also enable the MAC filter, that authorizes access by network card ID.

 

Usually routers will remember their config even after a power outage.
They should have a reset button on them that resets everything to factory default.
Did you ever need to reset it because of some connection problems?

What is the average effective range of these wireless access points that a war driver would be able to connect?
Not counting special power boosting antennas and taking into account one wall (or floor/ceiling).

 

I live in a free standing family home and I'm able to connect to my neighbours router. Which creates sometimes confusing situations when my own router isn't in the mood to coorporate.

 

Thank you wilbertnl.

 

Did you upgrade the firmware after the initial setup? Sometimes some brands will reset all settings when the firmware is updated.

Did you have a firewall on the PC? If so, do you have it set to allow file sharing? Even if you do, if there's no shares then the chances are less likely. You should have a firewall going, this would make an intrusion less likely (although not impossible, nothing is 100%).

If someone used the network to gain entry to your system, I really don't think that a format is going to do much. You could scan with something like Pest Patrol and set it to scan for riskware ("hacker tools").

If it were me, I would remove any personal data from the computer (put email on a USB drive and use it from that for the time being), enable full auditing, then keep an eye on both the router and the audit logs. If someone is forcing their way in then it would likely become obvious, otherwise it may just be someone connecting (intentionally or not) to an open network. Either way you will want to secure things down, spend some time learning to config your firewall, do some hardening.

 

I don't know how common it is but my wireless router has the option, as opposed to encryption, to limit access to specific MAC addresses. So, I have mine set to anly allow access by the MAC addresses of my laptop's Wi-Fi adapter and my wife's Wi-Fi adapter.

From Wikipedia.org: "In computer networking a Media Access Control address (MAC address) is a unique identifier attached to most forms of networking equipment."

You can find the MAC address of your Wi-Fi access device by issuing the following command from a command prompt shell: "ipconfig/all"

The MAC address for each Ethernet adapter you have will be reported as "Physical Address" and have a form something like: "12:34:56:78:90:AB"

CAVEAT: Although I may be comfortable with this method od restricting access, from the standpoint that I think it's highly unlikely there are any real geeks within range of my Wi-Fi router, MAC addresses can be and are SPOOFED. So, hypothetically, if someone knows the MAC address(es) you are restricting access to, they can set their adapter to spoof that MAC address and thus gain access.

 

In order for the Wireless AP to route the packets properly, the Ethernet cards have to broadcast their MAC address. At least the AP will need to include the MACs used when it transmits packets to the proper Ethernet card. So the war driver just listens for a little to get your MACs and then spoofs them.
That doesn't sound like it is too difficult.
For me, I'd go with encryption (WPA/WPA2) on wireless, if I used wireless.

What is the performance hit when you use encryption on wireless?

 

Don't have a clue, haven't tried it.

If I don't know what a "war driver" is, I can almost guarantee you that none of my neighbors within range, if there are any, know what it is. In any event, point granted since, in security, almost is not good enough. I will have a look at adding encryption.

Thanks.

 

It doesn't affect internet speed, since most broadband connections are slower than the maximum wireless LAN speed.
802.11b is 11 Mb and 802.11g is 54 Mb. My DSL is 5 Mb.
Maybe you only notice some performance decrease when you try to copy large video files over wireless LAN.

 

Thanks wilbertnl.

 

or do a backup.... I usually will jack my laptop in by cable for a full backup and then just do incremental backups over Wi-Fi.

 

In case you are interested, there is a lot of info on wardriving and piggybacking here:
http://en.wikipedia.org/wiki/War_driver

 

Damn ! I had no idea ! It doesn't matter WHAT my neighbors do or don't know then. Thanks again Devinco.

 

dang it!