Layman Wireless Security questions

LEDcandle

Flashlight Enthusiast
Joined
Aug 15, 2005
Messages
1,943
Location
Mushroom S'pore
I tried looking it up on the net but couldn't really get the results I wanted, probably because I'm choosing the wrong choice of keywords? :stupid:

Anyhow, I was wondering about "Wireless Thieves" who surf on leaking/unguarded Wireless networks for free. People say these thieves can be traced via MAC address and IP address; how about if they are using a laptop and just passing by? Even if it was your neighbour who was surfing on your network, how is he theoretically traced down to his house (physical location)?

For that matter, if a hacker surfed free (using a laptop) on someone else's unguarded network and commenced his hacking from there, the network subscriber will be the responsible party right? Will they be able to trace the hacker (theoretically and practically)?

IP address tracing is possible only because we all have to surf via some ISP and they have logs of who is who. Let's just say, for argument's sake, someone found a cable running along the floor and was able to hook up his computer to that cable and surf the net, could he be traced since he has no official subscription/IP address? Is a passing-by laptop user who rides on another network similar to the scenario guy? (ie a surfer with no official IP address)

Sorry if the questions are dumb; I'm just a techie noob! :p

Thanks in advance! :)
 

IlluminatingBikr

Flashlight Enthusiast
Joined
Feb 26, 2003
Messages
2,320
Let me explain my home setup. I have a Linksys router, on which I run three computers. All of these three computers share the same "public" IP address. That is to say that my ISP provides me with one, individual IP address. I am able to connect multiple computers to the internet on one IP address due to something called NAT routing. NAT routing takes one IP address, and basically creates multiple "private" IP addresses. Common private IP addresses are something like 192.168.1.1, where there are literally thousands of computers running on this private IP address (because many people have routers, which assign computers private IP addresses for their own private network). A second computer might be assigned a private IP address of 192.168.1.2 by the router, but they both share the same public IP address provided by the ISP. Due to the magic of NAT routing, my router knows which computer to send an incoming packet to, since all incoming packets are addressed to my public IP address, and only my router knows which private IP address they are meant for.

Anyhow, anybody who cracks my WEP key (wireless encryption) will get a private IP address from my router (say, 192.168.1.3), but has the same public IP address as all my other computers - which is traceable back to me.

MAC addresses are specific to each and every networking device. My router has a unique MAC address, as do my computers and even my modem. However, MAC addresses can be spoofed. I can make up a new MAC address for my computer, and instruct it to pretend to be that MAC address, with a little tweaking. So MAC addressing is not a definitive way to identify somebody.

An IP address is analogous to a postal address. The only way you can get your mail is by giving somebody your address. The analogy for NAT is that once the mail arrives at the address, somebody looks at the letter or package, and delivers it to a particular individual who is located at the main address.

To send information on the web, I suppose you could use a phony IP, but to receive information you need a real IP, otherwise the information will never get to you. Just like with addresses for letters... the return address can be whatever you want it to be, but if you are hoping to receive anything, you had better give the right address out.

In summation, every computer on a private network will have the same public IP address - to which the subscriber is traceable. The computers are only differentiated by the router, which assigns them private IP addresses by which it can identify them.

I know this is somewhat wordy and complex, but I hope it makes sense. Feel free to ask me to clarify anything.
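To make the NAT description above concrete, here is a small added example (my own toy model, not code from IlluminatingBikr or from any router firmware). It keeps a translation table from (private address, port) to a public port, rewrites outbound packets so that only the one public address is visible to the ISP, and reverse-translates replies. All addresses and ports are constructed sample values; the class and function names are mine.

```python
"""Toy NAT/PAT router: several private hosts share one public address.

Added example (not from the forum post): shows why the ISP only ever
sees the subscriber's public IP, and why an inbound packet that matches
no translation entry never reaches a private host.
Addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"   # constructed: the one address the ISP assigned
LAN_NET = "192.168.1."      # constructed private LAN prefix


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Maps (private ip, port) <-> public port, as the post describes."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out = {}   # (private ip, port) -> public port
        self._in = {}    # public port -> (private ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet so the outside world sees the public address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Reverse translation; None (dropped) if no host opened this mapping."""
        key = self._in.get(pkt.dst_port)
        if key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def demo():
    """Three LAN hosts (one of them an uninvited wireless client) talk out."""
    router = NatRouter(PUBLIC_IP)
    hosts = [LAN_NET + "2", LAN_NET + "3", LAN_NET + "4"]
    seen_by_isp = set()
    for h in hosts:
        translated = router.outbound(Packet(h, 5000, "198.51.100.9", 80))
        seen_by_isp.add(translated.src_ip)
    # The reply for host .4 arrives addressed to public IP + public port 40002.
    reply = router.inbound(Packet("198.51.100.9", 80, PUBLIC_IP, 40002))
    # Nothing inside ever opened port 40999, so this packet has nowhere to go.
    dropped = router.inbound(Packet("198.51.100.9", 80, PUBLIC_IP, 40999))
    return seen_by_isp, reply, dropped


if __name__ == "__main__":
    seen, reply, dropped = demo()
    print("addresses the ISP saw:", seen)
    print("reply delivered to:", reply.dst_ip, reply.dst_port)
    print("unsolicited inbound:", dropped)
```

The point the demo makes is the one in the post: whatever the uninvited client on 192.168.1.4 does, the upstream side records 203.0.113.7, and only the router's translation table ties that traffic back to a private address.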
 

LEDcandle

Flashlight Enthusiast
Joined
Aug 15, 2005
Messages
1,943
Location
Mushroom S'pore
Thanks IB!! Great post... It's not wordy and complex at all :D

Ok so from what I understand, in the scenario I mentioned, a guy who somehow hooks up to a cable on the ground and tries to surf the Net can't really receive any packets because he has no real IP address.

But in the case of a hacker with a laptop who manages to use your network, he is assigned a private IP by your router but he is actually using your public IP address to receive information right?

Any illegal activities will be traced back to you. Any way you can then trace the hacker? Even if you know his private IP and machine MAC address, how do you get his physical location or how do you 'catch' this guy for bandwidth theft?

I'm wondering if let's say my neighbour is surfing on my network, how I would know which unit is the culprit. If his friends come over with their laptops and surf on the network too, how will it be possible to trace them since they aren't even logging on from a fixed physical point. Thanks IB!! :)
 

csk

Newly Enlightened
Joined
Dec 13, 2005
Messages
3
Location
Singapore
Hi

If somebody uses your OPEN wireless network to surf/hack the Internet, what the ISP sees is your public IP address (traceable to your account).

However, if 'somebody' is dumb enough to perform activities that are directly associated with himself, then it is 'more' possible for authorities (log files) to trace these activities to that 'somebody', e.g. login to his own email or bank accounts etc.

For a corporate network, users are typically required to log in before they can access network sources. Guest users are 'restricted' to limited access.

Regards



LEDcandle said:
I tried looking it up on the net but couldn't really get the results I wanted, probably because I'm choosing the wrong choice of keywords? :stupid:

Anyhow, I was wondering about "Wireless Thieves" who surf on leaking/unguarded Wireless networks for free. People say these thieves can be traced via MAC address and IP address; how about if they are using a laptop and just passing by? Even if it was your neighbour who was surfing on your network, how is he theoretically traced down to his house (physical location)?

For that matter, if a hacker surfed free (using a laptop) on someone elses unguarded network and commenced his hacking from there, the network subscriber will be the responsible party right? Will they be able to trace the hacker (theoretically and practically)?

IP address tracing is possible only because we all have to surf via some ISP and they have logs of who is who. Let's just say, for argument's sake, someone found a cable running along the floor and was able to hook up his computer to that cable and surf the net, could he be traced since he has no official subscription/IP address? Is a passing-by laptop user who rides on another network similar to the scenario guy? (ie a surfer with no official IP address)

Sorry if the questions are dumb; I'm just a techie noob! :p

Thanks in advance! :)
 

carrot

Flashaholic
Joined
Dec 6, 2005
Messages
9,240
Location
New York City
Technically you should be able to track someone via the MAC address. All computers connected to your network will reveal their MAC address, but they can be spoofed (your router does this too). You cannot trace exactly *where* they are, except for a rough proximity to your access point, complicated by the fact that wireless signals can be hindered by all sorts of things.

If you ask me, an open wireless AP is an invitation to free internet. Unless illegal things are being done and excessive bandwidth usage is occurring, no one is hurt by doing this, contrary to what some people want you to think. "It's akin to stealing furniture from someone's house if they leave their door open." Internet nowadays is unlimited. However, it seems that some states (here in the USA, at least) believe using signal boosters (like the Cantenna) to connect to an AP should (and is) illegal -- which I do not understand.

If someone tapped into your internet, whether wireless or by hard line, he would have your IP address, because he is going through your internet connection. You can't tell one computer apart from another when they share an IP address through a router.

Legality is disputed greatly with wireless internet; I suspect it's because legislators don't understand it (much like everything else in the technological world). A few examples:
http://money.cnn.com/2005/07/07/technology/personaltech/wireless_arrest/
http://www.theplainsman.com/vnews/display.v/ART/2004/03/11/4051018c9b9f9
http://news.bbc.co.uk/1/hi/technology/4721723.stm

If you want to protect yourself from a casual wardriver or freeloader, all you need is basic encryption such as a WEP key. It's pretty insecure, but it keeps most people out, because it's saying you don't want people to use your internet, and the casual user will have no idea how to crack it.

Better protection would be enabling WPA, setting the router to reject other computers (MAC address filtering), and making your router "invisible," or "hidden" (does not broadcast a SSID). Turning off wireless functionality and using a hard line is even better.

More info: http://en.wikipedia.org/wiki/Wireless_LAN_Security
http://en.wikipedia.org/wiki/Wireless_security

And of course, if you want to mask your actions, use Tor.
 

shaman

Newly Enlightened
Joined
Jun 12, 2005
Messages
160
Location
Under God.
LEDcandle said:
I'm wondering if let's say my neighbour is surfing on my network, how I would know which unit is the culprit. If his friends come over with their laptops and surf on the network too, how will it be possible to trace them since they aren't even logging on from a fixed physical point. Thanks IB!! :)

Hi LEDcandle,

First, this is a good question and one that is often overlooked. Sadly, it is one that will come back to haunt many people and thus why new laws have come about.

Secondly, LOGS. Logs are the most important thing. When you have a weak point the logs of your devices will (hopefully) push the burden of proof to the attacker. Logs will give time/date stamped IP information from start to finish, and sometimes that is only the beginning.

With regards to your question...

They are logging on through a fixed physical point. The wireless access point is stationary but provides radial communication for those who are capable. It is actually quite scary because with the right software you can see (sniff) the packets of their communication right out of the air. Just as they are hiding through a cloak of invisibility, their packets are flying through the air like bugs.

When someone signs on to an access point it goes like this.

Laptop - gives handshake
WAP - receives handshake
WAP - processes handshake (checks existence in IP tables, route tables, etc.)
WAP - records MAC and determines DHCP IP address (dynamic IP addressing)
WAP - sends handshake with dynamic IP address.
Laptop - receives return handshake and configures network with IP given.
Laptop - is now a node on the network.

The MAC address is known typically to the initial hop point only (and any device on the local network that communicates with the MAC address), which in this case would be the WAP. Once the WAP passes the laptop's traffic to somewhere else then the WAP MAC address would be provided to its next hop (your router or your ISP's connection point if you have a WAP/router combo). The MAC address is actually requested (if it is not already known by a network device) first by an ARP request. Once the MAC is known it is tied to an IP address that is associated with that MAC address, and then that combination is tied to your network.

Sorry to get a little technical but... all that to say...

If someone signs on to an unprotected WAP, unless they have logs, the traffic is coming from the victim's WAP. So, the authorities when they come looking are going to come to the victim as well. Keep in mind that most home networks have a private IP address on the LAN side of the internet, and a public IP address on the WAN side of the internet (NAT addressing). All of which is on the router that is used to get on the internet in the first place. So any traffic, no matter if the home net has 200+ PCs, will all come from the single public IP assigned by your ISP. To give you an example, this is like someone going by and mailing something shady from your mailbox...

Authorities - "Well sir, why did you mail this?"
Victim - "I didn't!?!"
Authorities - "Sir, it was in your mailbox."
Victim - "Huh, um...?"

It is very scary to have an unsecured WAP. Like others have said, WEP encryption and MAC filtering can help... but there is always a way in (to those that know how :). It is best to use VPN means with the WAP to ensure that security is achieved. SSH or IKE/IPSEC VPN next hop after the WAP, so that all traffic must go and authenticate to the VPN gateway (from the wireless laptop) before being allowed access to the internal home network. This way you get good encryption and proper authentication, confidentiality, and integrity.

PS.

MAC filtering means the network admin has prior knowledge of the devices that will be using his network. Thus, the admin will know the MAC addresses of the wireless cards to be used... which he can then add to the WAP device to only allow access from said devices. This can be defeated but can keep the honest people honest.

Hope this helps.

Sincerely,

Shaman
 

LEDcandle

Flashlight Enthusiast
Joined
Aug 15, 2005
Messages
1,943
Location
Mushroom S'pore
Thanks csk, carrot and shaman for the long and detailed replies ;)
Don't worry about the technicalities; it will be good to understand the actual process. Does the "Event Viewer" in Windows XP serve as a good enough logging facility or do we use something else?
 

Pydpiper

Flashlight Enthusiast
Joined
Jan 4, 2005
Messages
1,778
Location
Brantford/Woodstock
I use my laptop daily in my vehicle, invoicing, customer photos and GPS tracking. There are very few areas that I stop that my laptop does not find and connect to an unsecured network. I use a local martini bar to go inside and do the odd bit of paperwork; they provide a free wireless connection for its patrons so shutting off whatever it is that makes this thing connect isn't an option for me.
I don't know about legalities on riding someone else's network here in Canada, but I do know that almost nobody secures their networks.
 

carrot

Flashaholic
Joined
Dec 6, 2005
Messages
9,240
Location
New York City
No, it wouldn't. Your machine may never see the others connected to your network. Your router may or may not have the capability to log MAC addresses (among other things), and in that case, if it does, you would want to log at the router level.

Anyway, the more hurdles you make for a wardriver, the less likely someone will use your network. Most people would rather just look for an easier mark.
 

cy

Flashaholic
Joined
Dec 20, 2003
Messages
8,186
Location
USA
normally a wireless router uses a public address like 192.168.2.1 to communicate from your PC to wireless router.

normally your wireless router is set for DHCP allowing anyone's receiving signal to talk to your router. you can change your address to static ip setting to allow only devices that know the address to communicate. leave 192.168.xxx.x, change only last two sets of numbers to whatever you desire. But write this number down, as that's what address is now needed to talk to router.

then you would also need to specify to your laptop to only access that particular ip. with DHCP turned off, you can only access your private router only. you would need to enable DHCP setting to access public wireless networks.

naturally you need to install some type of password protection as well.

hope that was not too confusing...
 

carrot

Flashaholic
Joined
Dec 6, 2005
Messages
9,240
Location
New York City
With DHCP turned off, all one has to do is guess at an internal IP address to use based on the gateway's internal IP address. (That's revealed when you connect.) If the gateway (wireless AP) has the address of 192.168.1.1, then you just have to set your own IP address to 192.168.1.x, where x is a number arbitrarily chosen between 1 and 255 (not inclusive) as long as it's not already taken -- like 192.168.1.47. Also, internal IP addresses do not have to be in the form of 192.168.x.x, I have worked with ones using 10.201.x.x, and I am sure there are others as well.

This may stymie casual users, but no one else.
 

shaman

Newly Enlightened
Joined
Jun 12, 2005
Messages
160
Location
Under God.
LEDcandle said:
Thanks csk, carrot and shaman for the long and detailed replies ;)
Don't worry about the technicalities; it will be good to understand the actual process. Does the "Event Viewer" in Windows XP serve as a good enough logging facility or do we use something else?

LEDcandle,

Well as far as logging goes, only the logs from the WAP (and any other device that the wireless users touch) would suffice for proof or evidence of the existence of another wireless user. For the wireless user, if they are doing something shady, they could care less about the logs on their box. They would however love to get their hands on the logs that showed their existence. The WAP logs being sent via syslog or some other means (emailed, downloaded, etc) to a safe storage medium would also be very beneficial. Keeping them for a standard amount of time is also a good idea.

If the wireless users are authenticating to the XP box then yes you would want to keep that as well. On all valid wireless users (say they are using XP boxes) the event information will be available (if you have it set up to log those types of events in gpedit.msc) and if you want to keep those, they are easily exported.

If possible, make sure all times on each networking device/server are timesync'ed (via ntp,openntp,sats,etc) that way the timestamps in the logs are all the same.

Sincerely,

Shaman
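Tying together the sign-on sequence from shaman's earlier post (the WAP records the MAC and hands out a DHCP address) and the advice here about collecting WAP logs with synchronised clocks, the following is an added example of what a defender can do with such logs. It is my own code, not shaman's and not any particular access point's format: the log lines are constructed for the example (a DHCP acknowledgement line from the WAP and an outbound-connection line from the router, sent to a collector with different timezone offsets), and so are the MACs, addresses and the "known devices" list. It normalises the timestamps to UTC, replays the lease and connection events in order, and reports outbound connections attributed to any MAC that is not on the known list.

```python
"""Added example (not from the post): correlate constructed access-point
and router log lines into a per-client timeline and flag MACs outside a
known list.

The log format and every address/MAC here are constructed for the
example; real devices log differently, so DHCP_RE / FW_RE would need
adapting to the real format.
"""
import re
from datetime import datetime, timezone

# Constructed sample: ISO-8601 timestamps with offsets, as a syslog
# collector that received them from two devices might store them.
# Note the WAP logs in +08:00 and the router in +00:00 - the kind of
# mismatch NTP on every device is meant to avoid.
SAMPLE_LOG = """\
2006-01-02T22:15:01+08:00 wap dhcp: ACK 192.168.1.2 00:13:ce:aa:bb:01 family-pc
2006-01-02T22:18:40+08:00 wap dhcp: ACK 192.168.1.3 00:13:ce:aa:bb:02 kitchen-laptop
2006-01-02T14:31:07+00:00 router fw: OUT 192.168.1.3 -> 203.0.113.9:80
2006-01-02T22:40:12+08:00 wap dhcp: ACK 192.168.1.5 00:0e:35:12:34:56 -
2006-01-02T14:41:00+00:00 router fw: OUT 192.168.1.5 -> 198.51.100.20:25
"""

# Constructed: the MACs the admin actually owns (the "MAC filter" list).
KNOWN_MACS = {"00:13:ce:aa:bb:01", "00:13:ce:aa:bb:02"}

DHCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dhcp: ACK (?P<ip>[\d.]+) (?P<mac>[0-9a-f:]{17})")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: OUT (?P<ip>[\d.]+) -> (?P<dst>\S+)")


def parse_ts(text):
    """Normalise to UTC so events from differently configured devices line up."""
    return datetime.fromisoformat(text).astimezone(timezone.utc)


def build_timeline(log_text):
    """Return (events, leases).

    events: list of (utc_ts, kind, ip, detail) sorted by time;
    leases:  ip -> mac from the latest DHCP ACK seen for that ip.
    """
    events, leases = [], {}
    for line in log_text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases[m["ip"]] = m["mac"]
            events.append((parse_ts(m["ts"]), "lease", m["ip"], m["mac"]))
            continue
        m = FW_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), "out", m["ip"], m["dst"]))
    events.sort()
    return events, leases


def suspicious_clients(log_text, known_macs=KNOWN_MACS):
    """Map each unknown MAC to the outbound connections attributed to it."""
    events, _ = build_timeline(log_text)
    report = {}
    current = {}  # ip -> mac holding that lease at this point in the replay
    for ts, kind, ip, detail in events:
        if kind == "lease":
            current[ip] = detail
        elif kind == "out":
            mac = current.get(ip, "unknown-mac")
            if mac not in known_macs:
                report.setdefault(mac, []).append((ts.isoformat(), detail))
    return report


if __name__ == "__main__":
    for mac, conns in suspicious_clients(SAMPLE_LOG).items():
        print(mac)
        for when, dst in conns:
            print("   ", when, "->", dst)
```

Replaying the events in UTC order is what makes the attribution work: the connection at 14:41Z from 192.168.1.5 is matched to the lease the WAP handed out at 22:40:12 local (+08:00), which is 14:40:12Z, one minute earlier. With unsynchronised clocks the same two lines could appear in the wrong order and the connection would be attributed to nobody, or to the wrong device.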
 

shaman

Newly Enlightened
Joined
Jun 12, 2005
Messages
160
Location
Under God.
Also keep in mind that some IP addresses are ok to use in the home but cannot be assigned to WAN sides of any networking device in which the WAN side is connected to the Internet. It is the whole public vs private IP address ranges. Private IP addresses are non-internet routable addresses, and many routers and devices will simply /dev/null (drop) the packet.

10.0.0.0 - 10.255.255.255
169.254.0.0 - 169.254.255.255 (APIPA only)
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Hope this helps.
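As an added example (my own code, not shaman's), the four ranges above written as CIDR blocks and wrapped in a small check that classifies an address and says whether it is usable on an Internet-facing WAN side. It also prints the first and last address of each block so you can confirm they match the dotted ranges listed. The classification covers only the ranges in the post; the 172.32.0.1 and 203.0.113.7 test values are constructed.

```python
"""Added example (not from the post): classify an address against the
non-routable ranges listed above, e.g. to sanity-check a WAN-side setting.
"""
import ipaddress

# The ranges from the post, as CIDR blocks.
NON_ROUTABLE = {
    "private": [
        ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
        ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
        ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
    ],
    "APIPA": [
        ipaddress.ip_network("169.254.0.0/16"),   # 169.254.0.0 - 169.254.255.255
    ],
}


def bounds(net):
    """First and last dotted address of a block, to compare with the post's list."""
    return str(net.network_address), str(net.broadcast_address)


def classify(addr):
    """'private', 'APIPA', or 'public' (meaning: not in any range listed above)."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_ROUTABLE.items():
        if any(ip in n for n in nets):
            return label
    return "public"


def wan_address_ok(addr):
    """True only if the address is not in one of the non-routable ranges."""
    return classify(addr) == "public"


if __name__ == "__main__":
    for label, nets in NON_ROUTABLE.items():
        for n in nets:
            print(label, n, "=", "%s - %s" % bounds(n))
    for a in ("192.168.2.1", "172.31.255.255", "172.32.0.1",
              "169.254.10.5", "203.0.113.7"):
        print(a, classify(a), "WAN ok:", wan_address_ok(a))
```

The 172.16.0.0/12 block is the one people most often get wrong by hand; the boundary check (172.31.255.255 is inside, 172.32.0.1 is outside) is where the CIDR form pays off.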
 

IlluminatingBikr

Flashlight Enthusiast
Joined
Feb 26, 2003
Messages
2,320
I suggest you check out the "Security Now!" podcast that Leo Laporte and Steve Gibson do every week, specifically episode 10. Security Now! is a terrific podcast that I have found very helpful and enjoyable.

Could somebody remind me whether or not you can ARP spoof WLANs? I believe some routers isolate all of their wireless clients, so I'm not sure if this is possible or not.

It is possible to secure your traffic between your own computer and the router (VPN), but leave your router open for anybody to use. However, that is more difficult than just securing your WAP using WPA.

While we are on this subject, WEP is good for securing your network from novices, but it is easily cracked by somewhat experienced hackers. WEP is based on some great encryption technology, but it is poorly implemented. You can look up "weak packets" for more information pertaining to this. WPA, on the other hand, is properly implemented, and is the only real way to secure your WLAN (other than a VPN, but that's not securing the whole network anyway).
 

shaman

Newly Enlightened
Joined
Jun 12, 2005
Messages
160
Location
Under God.
IlluminatingBikr said:
I suggest you check out the
Could somebody remind me whether or not you can ARP spoof WLANs? I believe some routers isolate all of their wireless clients, so I'm not sure if this is possible or not.

If you mean spoof a MAC address that is assigned via MAC filter on the WAP, then yes. Albeit you need to do some legwork to understand the scope of the WAP and its clients, but it is just like any other spoof attack. The destination is the same, just need to travel down different roads to get there.

This is why it is important to use the VPN/SSH/SSL tunneling and additional security measures to ensure that even if a valid host is spoofed, the shady person will still need the proper keys to unlock the door.

Sincerely,

Shaman
 

shaman

Newly Enlightened
Joined
Jun 12, 2005
Messages
160
Location
Under God.
While we are at it if you want a WEP type security (encryption really) without having to go the VPN/SSH/SSL route then wait for 802.11n standard devices to come out. WEP inherited the RC4 (IIRC) encryption flaw in combination with DES, whereas AES will not suffer the same (802.11n is built with AES encryption).

Sincerely,

Shaman
 

PhotonWrangler

Flashaholic
Joined
Oct 19, 2003
Messages
14,454
Location
In a handbasket
There are theft of service laws that vary state by state, and their enforcement also varies. If an individual happens to come within range of your A/P, grabs an IP address from your DHCP server and simply starts surfing for harmless sites, it's a little iffy whether they will ever get prosecuted for anything, especially if you've made no attempt to secure the network (WEP, WPA, MAC filtering, etc). On the other hand, logging onto someone else's network for the purpose of doing naughty things is a third degree felony. This is where logs come in really handy. Many A/Ps have the capability to log all connected PCs and even transmit those logs to a syslog server somewhere. There are some free syslog servers for Windows and Linux out there, as well as specialized apps for pulling logs out of A/Ps in particular and making sense of them.
 