Interesting LBYM Thought

[4merKPer]

Quote:

Originally Posted by glippy I wouldn't say it is a defacto foolish decision to leave a wireless network open. Here's an article on the topic of the pros and cons of leaving a wireless network open. Along with 100+ highly-technical comments on the subject. It's by Bruce Schneier, a well-respected computer security expert. He leaves his own home wireless network open.

In the article the key to the author's security:

Quote:

If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter.

He's a security expert who knows how to secure the data on his computer. If you don't know how to do that, and you have sensitive data like SSN's, CC #'s, personal financial data, etc. on your PC, you'd better secure your home network.

[RonBoyd]

Quote:

Originally Posted by myself However, it is often very easy to get onto someone's computer without hacking at all, or very, very little.

Example, please, of how to do that. Perhaps "very easy" step-by-step instructions on how to access (not-your-own) e-mail on another computer on your network; one that has sharing blocked.

[bruce1]

Then there was the guy in a larger apartment building who set up an open wireless system and collected credit card and banking info from everyone who used it.

[RonBoyd]

Quote:

Originally Posted by bruce1 Then there was the guy in a larger apartment building who set up an open wireless system and collected credit card and banking info from everyone who used it.

Is there a Link to this story somewhere? ... or is this something you are reporting?

[bruce1]

If there were a link I would have posted it.

[RonBoyd]

Quote:

Originally Posted by bruce1 If there were a link I would have posted it.

Oh.

[Dimsumkid]

Quote:

Originally Posted by RonBoyd Oh.

I found this re: Louisana Law and piggybacking. I get the impression from all the examples given that it's easier to be prosecuted for piggybacking businesses vs. home connections.

http://lawreview.law.lsu.edu/pdf/69....llot-FINAL.pdf

[RonBoyd]

Quote:

Originally Posted by Dimsumkid I found this re: Louisana Law and piggybacking.

Thank you for the Link. Since I not an Attorney, I became quite confused right off the bat and jumped to the "Conclusion" section. Even then, it was way over my head but..

Quote:

Louisiana’s laws prohibiting criminal mischief, offenses against computer users, and computer tampering may allow the courts to penalize wireless piggybackers without the legislature having to enact a specific statute criminalizing the offense. Far more complex, however, is the applicability of trespass to chattels laws to wireless piggybacking. No U.S. jurisdiction has addressed this issue, though it is certain to happen given the nation’s everincreasing number of wireless users. When faced with this dilemma, Louisiana courts must determine whether the reasons for allowing the prosecution of wireless piggybackers logically align with the refusal to afford Wi-Fi users a private remedy.

that seemed to escape from the fog I was in... maybe.

[bruce1]

This was actually from a building my cousin used to live in in Hamilton Ontario. I was visiting one day and and the police showed up and arrested the individual. Warnings re possible compromise of data were later posted in the lobby and office. Unfortunately that is all I know.

[RonBoyd]

Quote:

Originally Posted by bruce1 This was actually from a building my cousin used to live in in Hamilton Ontario. I was visiting one day and and the police showed up and arrested the individual. Warnings re possible compromise of data were later posted in the lobby and office. Unfortunately that is all I know.

Thank you for clarifying. (And I mean that in the nicest, most appreciative way.) Anecdotal evidence does seem, however, to be the bulk of what I have found to work with.

[harley]

Quote:

Originally Posted by glippy I wouldn't say it is a defacto foolish decision to leave a wireless network open. Here's an article on the topic of the pros and cons of leaving a wireless network open. Along with 100+ highly-technical comments on the subject. It's by Bruce Schneier, a well-respected computer security expert. He leaves his own home wireless network open.

I know Bruce from a long time ago, have taken classes from him, was involved with him on the Honeynet project back in the early oughts, and used to be able to email him questions (back before he got to be such a highly respected big shot ). I understand exactly where he's coming from in this article, but I don't agree with him. He's saying the odds are against it, and they are. He also says that if you lose the bet, it's a huge hassle with potentially disasterous results (time, money, possible loss of your computer, slight chance of jail time). I consider this recommendation from him to be bragging, sort of like saying "I've got 10 pit bulls and dobermans, and a couple dozen loaded guns, and I keep my front door unlocked all the time!"

If you follow through on the article, you'll see that most security experts would not recommend this behavior to non-expert users. In my case, I have a fair number of guests each year (beach house), and I just give them the password to the network if they need access. I'll stand by my previous comment. Leaving your network unlocked is exactly like leaving your house unlocked and your financial information sitting out. The odds are nothing will happen, but is it worth it when such a simple solution is available? Your computer (or house) can still be compromised, but you've significantly decreased the odds with little or no effort.

Quote:

Originally Posted by Nords Another law-abiding citizen who has yet to experience a search warrant, an indictment, or the daily soul-crushing realities of the justice system...

Actually, he deals with the soul crushers on pretty much a daily basis. I think he was just in a mood the day he wrote that article.

[harley]

Quote:

Originally Posted by RonBoyd Example, please, of how to do that. Perhaps "very easy" step-by-step instructions on how to access (not-your-own) e-mail on another computer on your network; one that has sharing blocked.

Quote:

Originally Posted by bruce1 Then there was the guy in a larger apartment building who set up an open wireless system and collected credit card and banking info from everyone who used it.

Quote:

Originally Posted by bruce1 This was actually from a building my cousin used to live in in Hamilton Ontario. I was visiting one day and and the police showed up and arrested the individual. Warnings re possible compromise of data were later posted in the lobby and office. Unfortunately that is all I know.

Quote:

Originally Posted by RonBoyd Thank you for clarifying. (And I mean that in the nicest, most appreciative way.) Anecdotal evidence does seem, however, to be the bulk of what I have found to work with.

Truthfully, I quit hacking stopped perfoming pen tests back around Windows 2000, so I can't give you any up to date information. But back in the old days it wasn't very hard to access someone else's computer over an open network. If you were a haxor today, you'd be hanging out on the IRCs, going to Blackhat and Defcon, things like that (I assume. I really am out of date). Gaining access to someone else's computer over the network isn't something you (or I anymore) is going to figure out in a day or so, but for the guys that do it, it's easy as pie usually.

A bigger issue with the open network is the router, which is usally wide open with default ID and passwords still in place. http://www.phenoelit-us.org/dpl/dpl.html Once a person gets onto the router, they can read any unencrypted information that passes through it. They won't get your SSL info, but they can certainly read your email. If they want your SSL data they need to work a little harder and put a keystroke logger on your computer. Hard for me, easy for them. Basically, if they get onto your open network, they can easily collect anything that flows through enencrypted with almost no effort. That can often include credit card numbers, expiration dates, security codes, mother's maiden name type stuff. Some sites encrypt that too, but most only do IDs and passwords.

Since anyone interested in doing a driveby would just keep on going to the next place if your network was secured, it's worth doing. At least, IMO.

[GregLee]

Quote:

Originally Posted by harley If they want your SSL data they need to work a little harder and put a keystroke logger on your computer.

How could hacking your router let them install a keystroke logger on your computer? How would a keystroke logger give them SSL data (since I never type in encryption keys).

[harley]

Quote:

Originally Posted by GregLee How could hacking your router let them install a keystroke logger on your computer? How would a keystroke logger give them SSL data (since I never type in encryption keys).

I meant that they would have to put a keystroke logger onto your computer to get SSL protected info, that they couldn't see it on the router. Whether they could do that is another question. Any good hacker could. I couldn't. If you don't type in the keys, how do you use them? Cut and paste? That would be an added level of protection. But I was talking about IDs and passwords on sites like Vanguard or banks or credit cards, or anywhere that uses SSL to log in. A logger would catch those.

[GregLee]

Quote:

Originally Posted by harley If you don't type in the keys, how do you use them? Cut and paste?

Perhaps it was cut-and-paste; I don't recall, exactly, how I moved the keys from the utility program that generated them to the place where SSL could find them.

I pay as little attention to security as seems feasible, since it's complicated, and I have other ways I'd prefer to spend my time. I've taken down the firewalls in my home system, since it was inconvenient to keep telling my devices on my local network how to drill through them, and nothing bad has happened. For those of us with Linux systems, I'm just not convinced that there is any practical need to worry about hackers. I've run various Unix/Linux systems since the early 90s, at home and at work, and I've only been hacked once -- then I just reloaded the operating system, and all was well.

[BigNick]

I'm with Schneier, but then I can afford to be, since my ISP supplies the router and the WiFi is tied down, so I don't get to choose to leave it open.

In any case, the issue is not your own PC(s) getting hacked - nobody is going to take the risk of getting close to your home to target your WiFi to attack your PC when they could do it just as well from across the world over the Internet. The issues, to the extent that they are problematic, would be to do with illegal downloads, and even then I suspect that any jurisdiction would have a hard time showing that a specific person was involved, as opposed to a specific connection. There's a lot of free public WiFi out there, and I don't see McDonald's or Starbucks worrying too much about what people might be downloading while they sip a latte.

[kumquat]

Quote:

Originally Posted by BigNick I'm with Schneier, but then I can afford to be, since my ISP supplies the router and the WiFi is tied down, so I don't get to choose to leave it open.

I'd get a new ISP and supply and configure my own router. That's just me, I am a former IT security person, YMMV.

Quote:

Originally Posted by BigNick In any case, the issue is not your own PC(s) getting hacked - nobody is going to take the risk of getting close to your home to target your WiFi to attack your PC when they could do it just as well from across the world over the Internet.

Your neighbors are always close to your house, no risk. Sorry, for a variety of reasons it is far easier to target your PC from your local WiFi network. If you want me to expand on this, I will, but it will take a lot of typing.

[Tractor guy]

I'm not sure I understand the point of this discussion. It took me about 30 minutes max to set up security when I installed a new router. I need to give the password to friends who are staying and need to use the network. That takes me 5 minutes.

Why wouldn't you do this? Admittedly security protocols can be compromised but this is the same as not leaving your keys in the car. Most thieves are going to go down the street and take the one that wasn't locked.

There are places in the U.S. where you can leave the keys in a parked car but I don't live in one. Since the information I've got on my computer could hurt me a whole lot more if it was taken than if I lost my car, I'm willing to spend at least as much time securing the computer as I would locking tbe car.

[GregLee]

Quote:

Originally Posted by Tractor guy I'm not sure I understand the point of this discussion. It took me about 30 minutes max to set up security when I installed a new router.

The point, as I'm understanding it, is that you might choose not to securitize your system, giving your neighbors free internet access. Or they might do that for you. Just because you know how to deny neighbors access to the internet through your system, that doesn't mean you necessarily have to do so.

[ikubak]

OK, I got off my arse and got my wifi encrypted and put a password on it (thanks to my 14 year old). I had been meaning to do it (for two years) just never seemed to get around to it.