Wireless AP Not Secured & used b/outsider - what to do now?

Discussion in 'other software & services' started by pulper, Sep 9, 2006.

Thread Status:
Not open for further replies.
  1. pulper

    pulper Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    4
    Hi Everyone:

    I had set up my wireless router properly a long time ago. I turned off broadcast of wireless (as I don't use it in wireless), and changed the password.

    I just noticed last night that I had, under attached devices in my router page, an extra IP address. I thought this was odd, and once I realized what it might be, I checked my wireless settings. To my surprise, they were set as broadcasting, with no encryption and with an SID that I know I would not have set myself. In other words, someone in my apartment has been using my network.

    I've since turned off the wireless access point, changed the password again, and changed the SID (after writing down the one the intruder was using). I also have a wireless keyboard and while I assume it isn't powerful enough to broadcast, I made it into secure mode (Logitech keyboard).

    My question is - what should I do now? I'm assuming that the person was utilizing it for internet access, but could they also have been using it to get into my computer? I also have Norton IS 2003 running and updated on my computer, while using XP in a double boot with Ubuntu.

    Would you reinstall everything from scratch? any other suggestions? Is there a way to determine who it was who was breaking into my system?

    Any suggestions would be greatly appreciated. I am actually not lacking in competence when it comes to computers - I was just careless. Now, I'm not sure what to do.

    Thanks,

    Pulper
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    You can unscrew the antenna off of the router and that will stop the uninvited guest. When I quit using wireless I turned the broadcast off and removed the antenna and it secured my internet connection from unwanted users. Or you can just buy a new non-wireless router for under $30.00 at W-M. Once you have them blocked out there is nothing more they can do. If it would make you more at ease you might change your passwords.
     
    Last edited: Sep 9, 2006
  3. pulper

    pulper Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    4
    thanks for your reply! my major concern now is that my computer would have been compromised. is this likely? i know i have file sharing enabled but don't have any shared drives or folders.

    thanks,

    Pulper
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    Once you cut the wireless connection they have no more access to your files. Unless you had sensitive passwords or PIN numbers they might use, you should be safe.
     
  5. pulper

    pulper Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    4
    thanks again! my major concern is what was likely to have happened to my computer files. i know they probably would no longer have access (since i've changed my router settings) unless they installed some program on my computer that allows them access (maybe a rootkit or a trojan horse).

    is it very possible that they could have copied some of my files? with NIS running on my computer and updated as well and no shares, would you be concerned?

    thanks,

    pulper
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Just a couple of questions, since a couple of items are a bit obscure. In your original message you wrote:
    In most cases wireless routers have a couple of items one can disable - turning off broadcast of the SSID and disabling wireless mode. The former doesn't disable wireless while the latter does. You go on to note that
    This is a typical default setting, nothing special there. Was the SSID the default?
    Here it sounds as though you have in fact disabled the wireless function (as opposed to the SSID broadcast).

    Just asking to verify that your initial setting really did in fact disable the wireless function and simply not stop the broadcast of the SSID since the terminology that you used above is a little ambiguous.

    Assuming you did disable your router initially, the only logical conclusion is that the user of the router - or some other third party - had physical access to your router and/or PC. In some respects, access to files via a wireless connection is not necessarily the most critical thing to focus on if that is the case.

    Blue
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    If my files and folders were not financially critical I wouldn't be overly concerned.
     
  8. pulper

    pulper Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    4
    I believe that I did both but now am not sure.

    It was a pretty long SSID, so I don't think so. about 12 characters and included a semicolon in it.

    Thanks for the information here. I see your point. Especially since I had a password on my router that was a pretty strong password (i.e. has special characters), the only way that I can think that someone would be able to access the router setup webpage to change the SSID and broadcast the wireless signal (assuming I had turned that part off) is to use MY computer since it saves the password to login automatically (in Firefox). If that is the case, then lost data would be the least of my worries!

    I think that reformatting my drive and reinstalling will be the way to go. I'll have to change all passwords on my accounts to make sure.

    Would there be a way to track who this was? I could make it available again to the user and when he/she is on, I would somehow be able to track where it is coming from or look at their traffic. Or, is this something that is beyond the scope of average computer users?

    Thanks,

    Pulper
     
  9. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Generally default SSIDs are simple - such as the manufacturer's name, model, simple words (Wireless, WLAN, etc.). In some cases the device MAC ID is a default SSID, this one could look complex.
    I guess the thing to do is assess whether this is a reasonable scenario, either through a friend/roommate who activated it for very temporary access and it was then left on for a third party to get access or via a physical break-in (which to be blunt would seem very unlikely).
    While this may make a certain amount of sense, it's still unclear whether this was a case of a neighbor simply using open access or something more untoward. If you do go down the route of a reinstall, just verify that you have absolutely everything in hand via hard copy in the way of program serial numbers, activation codes, etc., before you start. I've seen even experienced people get caught in a bind due to initial haste. This is a time to be very deliberate on the steps you take.
    There are a few things possible. First of all, the router will have the MAC ID of the connecting card, however, bear in mind that this can be spoofed so it is not a firm tie to the physical device. You can also sniff ethernet traffic between the router and the unknown IP. There are a number of ways to accomplish this and since you are monitoring the communications going through your device, there should be no privacy invasion or other issues. Whether or not this will yield useful information is another matter.

    Blue
     
  10. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    Maybe it is possible that your router got reset to the default settings somehow. And then it was easily accessible by someone with knowledge.

    If your router has the feature of WPA encryption I would enable that. Generate a very strong passphrase here: grc.com.
    Changing password and SID is a great idea.
    Maybe you can also enable the MAC filter, that authorizes access by network card ID.
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Usually routers will remember their config even after a power outage.
    They should have a reset button on them that resets everything to factory default.
    Did you ever need to reset it because of some connection problems?

    What is the average effective range of these wireless access points that a war driver would be able to connect?
    Not counting special power boosting antennas and taking into account one wall (or floor/ceiling).
     
  12. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    I live in a free-standing family home and I'm able to connect to my neighbour's router. Which creates sometimes confusing situations when my own router isn't in the mood to cooperate.
     
  13. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you wilbertnl.
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Did you upgrade the firmware after the initial setup? Sometimes some brands will reset all settings when the firmware is updated.

    Did you have a firewall on the PC? If so, do you have it set to allow file sharing? Even if you do, if there's no shares then the chances are less likely. You should have a firewall going, this would make an intrusion less likely (although not impossible, nothing is 100%).

    If someone used the network to gain entry to your system, I really don't think that a format is going to do much. You could scan with something like Pest Patrol and set it to scan for riskware ("hacker tools").

    If it were me, I would remove any personal data from the computer (put email on a USB drive and use it from that for the time being), enable full auditing, then keep an eye on both the router and the audit logs. If someone is forcing their way in then it would likely become obvious, otherwise it may just be someone connecting (intentionally or not) to an open network. Either way you will want to secure things down, spend some time learning to config your firewall, do some hardening.
     
  15. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    I don't know how common it is but my wireless router has the option, as opposed to encryption, to limit access to specific MAC addresses. So, I have mine set to only allow access by the MAC addresses of my laptop's Wi-Fi adapter and my wife's Wi-Fi adapter.

    From Wikipedia.org: "In computer networking a Media Access Control address (MAC address) is a unique identifier attached to most forms of networking equipment."

    You can find the MAC address of your Wi-Fi access device by issuing the following command from a command prompt shell: "ipconfig/all"

    The MAC address for each Ethernet adapter you have will be reported as "Physical Address" and have a form something like: "12:34:56:78:90:AB"

    CAVEAT: Although I may be comfortable with this method of restricting access, from the standpoint that I think it's highly unlikely there are any real geeks within range of my Wi-Fi router, MAC addresses can be and are SPOOFED. So, hypothetically, if someone knows the MAC address(es) you are restricting access to, they can set their adapter to spoof that MAC address and thus gain access.
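
Added example (not part of crofttk's post or the thread): a Python sketch of the check behind a MAC allow list, run over constructed Windows `arp -a` output. The sample addresses, `KNOWN_DEVICES` and the function names are assumptions for illustration; because MAC addresses can be spoofed, a match only means the address is familiar, so the script also reports any MAC seen at more than one IP.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not taken from the thread).
SAMPLE_ARP = """\
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.3           12-34-56-78-90-ab     dynamic
  192.168.1.7           12-34-56-78-90-AB     dynamic
  192.168.1.9           de-ad-be-ef-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical allow list: the devices you expect to see on your own network.
KNOWN_DEVICES = {"00:11:22:33:44:55": "router", "12:34:56:78:90:AB": "laptop"}

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+\w+")

def normalize_mac(mac):
    """Lower-case and colon-separate, so 12-34-..-AB equals 12:34:..:ab."""
    return mac.replace("-", ":").lower()

def parse_arp(text):
    """Return (ip, mac) pairs for unicast entries; skip headers and noise."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if int(mac[:2], 16) & 1:      # broadcast/multicast bit: not a device
            continue
        entries.append((ip, mac))
    return entries

def audit(entries, known):
    """Return (unknown devices, MACs that appear at more than one IP)."""
    known_macs = {normalize_mac(m) for m in known}
    unknown = [(ip, mac) for ip, mac in entries if mac not in known_macs]
    by_mac = defaultdict(list)
    for ip, mac in entries:
        by_mac[mac].append(ip)
    duplicated = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return unknown, duplicated

if __name__ == "__main__":
    unknown, duplicated = audit(parse_arp(SAMPLE_ARP), KNOWN_DEVICES)
    print("Not on the allow list:", unknown)
    print("Same MAC at several IPs (stale entry or cloned address):", duplicated)
```
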
     
  16. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    In order for the Wireless AP to route the packets properly, the Ethernet cards have to broadcast their MAC address. At least the AP will need to include the MACs used when it transmits packets to the proper Ethernet card. So the war driver just listens for a little to get your MACs and then spoofs them.
    That doesn't sound like it is too difficult.
    For me, I'd go with encryption (WPA/WPA2) on wireless, if I used wireless.

    What is the performance hit when you use encryption on wireless?
     
  17. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    Don't have a clue, haven't tried it.

    If I don't know what a "war driver" is, I can almost guarantee you that none of my neighbors within range, if there are any, know what it is. In any event, point granted since, in security, almost is not good enough. I will have a look at adding encryption.

    Thanks.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    If you really want to be sure once you reformat or whatever, you might check out this site http://www.singleclicksystems.com/

    To prevent what happened to you I've used Lucidlink which is no longer available. Single Click has a program that does essentially the same thing. No one gets on your network, unless your desktop says they are okay. I see people in my building "borrowing" networks all the time. Just not mine.

    Pete
     
  19. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    It doesn't affect internet speed, since most broadband connections are slower than the maximum wireless LAN speed.
    802.11b is 11 Mb and 802.11g is 54 Mb. My DSL is 5 Mb.
    Maybe you only notice some performance decrease when you try to copy large video files over wireless LAN.
     
  20. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks wilbertnl.
     
  21. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    or do a backup.... I usually will jack my laptop in by cable for a full backup and then just do incremental backups over Wi-Fi.
     
  22. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    In case you are interested, there is a lot of info on wardriving and piggybacking here:
    http://en.wikipedia.org/wiki/War_driver
     
  23. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    Damn ! I had no idea ! It doesn't matter WHAT my neighbors do or don't know then. Thanks again Devinco.
     
  24. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    dang it!
     