The Case of the Stolen Wi-Fi

The Case of the Stolen Wi-Fi

Whether you're unwittingly sharing your wireless LAN or poaching, be
aware of the risks.

Stephen Lawson, IDG News Service
Monday, August 08, 2005

Benjamin Smith III and Gregory Straszkiewicz both were arrested for
allegedly stealing something no one could see, hear, or feel. That
thing was valuable enough for victims to press charges in both cases.
But the arrests were over something many consumers throw out their
windows every day: a Wi-Fi signal.

The idea of a police car roaring down the street to catch a roving
"Doom" junkie using someone else's wireless LAN may seem silly, but
there are real dangers if your network plays host to strangers. The
hazards you might face include eavesdropping, theft of data, painful
legal hassles or even a conviction for computer-related crimes. And if
you casually tap into your neighbor's Wi-Fi sometimes, these
arrests--Smith's in Florida and Straszkiewicz's in Isleworth,
U.K.--signal that it's at least possible you might run afoul of a law
and an irritated fellow citizen.

On April 21, Richard Dinon of St. Petersburg, Florida, called police
after he saw Smith in a car on the street outside his house using a
notebook computer. Smith, 40, was arrested and charged with a felony
under a Florida law that prohibits unauthorized access to a computer
or network, according to police. A pretrial hearing is set for
September 8. In July, a court in Isleworth convicted Straszkiewicz of
using a laptop to access the Internet over unprotected residential
wireless LANs on several occasions. He was fined $874 and got a
12-month conditional discharge.

Easy to Steal

A typical home Wi-Fi signal can transmit about 150 feet from an access
point or router. Walls and windows will slow it down, but if it
reaches the edge of your property, it won't stop there. In densely
populated areas, it's common for a Wi-Fi device such as a notebook to
detect multiple residential networks from one place.

It's not hard for even an innocent user to tap into a broadband
Internet connection via an unprotected wireless LAN: As soon as the
Wi-Fi client detects the network, the user can click on it and join.
Some broadband subscribers even like opening their networks. But
Internet access may not be the only thing being shared.

"People who steal bandwidth aren't necessarily going to stop there;
they might steal data as well," said Gartner analyst Richard Hunter.
Most consumers wouldn't even know if a stranger was using the network,
he added.

"If you've got an unprotected Wi-Fi network and you are in any kind of
populated area, then you really should do something to protect that,"
Hunter said.

Specifically, on a Windows PC, a intruder on your wireless LAN could
get into any folder that is set with file sharing enabled, Hunter
said. Whatever is in the file could be modified, copied, or posted on
the Internet. So whatever you do, file sharing should be disabled, or
restricted to certain trusted people on every folder, he said. That
would at least prevent "a very casual hacker" from snooping in your
files, Hunter said. File sharing is enabled by default in Windows XP
Home Edition, according to Microsoft.

Beware Viruses, Data-Theft

Likewise, it wouldn't be hard for someone to monitor data being sent
from that unprotected LAN out to the Internet, said Kevin Bankston, an
attorney at the Electronic Frontier Foundation. That could include
e-mail messages and passwords. Even a low-priority password such as
one for a free news site could pose a hazard for a user who sets up
the same password on high-priority sites, Bankston pointed out. For
users of unprotected Wi-Fi networks, he recommends encrypting e-mail
and passwords with a tool such as Pretty Good Privacy (PGP), also
available as freeware.

Having an open wireless LAN also could make you more vulnerable to
viruses and other malicious code, according to security experts. The
biggest danger in that respect comes from users who just want to share
an Internet connection, said Gartner security analyst John Girard.
Many home Wi-Fi routers are equipped with firewalls, which can provide
protections such as deflecting attempts to scan your PC for
vulnerabilities. Anyone who gets on your wireless LAN is behind the
firewall, so if their systems are laden with viruses or other
malicious code it can spread over the LAN. This includes tools that
search for systems to turn into "bots" controlled by hackers.

One area where wireless LAN users have less to worry about is
interception of online passwords, said Martin Herfurt, founder of
Trifinite Group, a group of European wireless security experts.
Internet commerce sites that secure customer transactions will encrypt
passwords and other information all the way from the user's browser to
the store's server, so the same protections are there on the LAN as on
the Internet, he said. However, if you instruct your browser to save
your passwords, an intruder might be able to steal them from your PC,
he added. In addition, some kinds of Internet-borne attacks let
hackers record your keystrokes, according to Gartner's Girard. For the
best protection, he recommends having firewalls in both the router and
PC.

Evolving Law

Though it's less likely, an intruder could cause serious problems even
without getting into your computer. Whatever that person did over your
Internet connection--which could include downloading child porn,
sharing copyrighted content, or executing a denial-of-service
attack--could be linked to you, observers said.

When crimes are suspected on the Internet, usually the first piece of
evidence investigators look for is the IP address from which the
activity was carried out, the EFF's Bankston said. Organizations such
as the FBI or the Recording Industry Association of America can
subpoena your ISP to find out who you are.

Though there aren't many precedents from which to judge, lacking any
other evidence, it's unlikely someone with an unprotected Wi-Fi
network would be convicted just because a crime was committed from
that network, both Hunter and Bankston said. But along the way,
investigators could seize your computer to look for evidence and
discover something else that could get you in trouble, such as your
own illegally downloaded music, he said.

For that matter, arrests for "stealing" Wi-Fi are still rare and if
someone taps into your network, in some places it may be hard to
prosecute them, Bankston said. It's hard to prove an intruder was
deliberately snooping rather than just taking advantage of signal that
was intentionally made public. The flip side is that if you're the one
looking for a signal and you happen to find your neighbor's wireless
LAN, the odds seem fairly slim that you'll be punished for it.

Too Tough to Guard?

Estimates vary on the percentage of unprotected wireless LANs, but
many observers agree on the main reason: It's too complicated for the
average consumer to set up.

All certified Wi-Fi gear made since late 2003 are equipped with Wi-Fi
Protected Access (WPA), an encryption system strong enough for
business use, and earlier approved products have at least Wired
Equivalent Privacy (WEP), a weaker system. Even WEP will force a
would-be intruder to do some work, and most snoopers will just move on
to the next unprotected LAN, Girard said.

However, consumers often don't use either because they aren't aware of
the problem or can't figure out the startup process. For example,
setting up WPA requires the new Wi-Fi user to come up with a good
"pass phrase," type it into the computer, and then enter it on the
router via the network, said David Cohen, senior product marketing
manager at Wi-Fi chip maker Broadcom.

Broadcom recently moved to simplify the process with Secure Easy
Setup, a system that automatically creates a pass phrase and lets the
user set up WPA just by clicking on a software button on the PC and
then pushing a hardware button on the router. Secure Easy Setup is now
shipping with products from Cisco Systems Inc.'s Linksys division, the
biggest seller of home Wi-Fi gear, and will be adopted by other
vendors that use Broadcom chips, Cohen said.

The Wi-Fi Alliance, the industry group that certifies Wi-Fi gear,
wants to ensure easier setup for all consumers. In the first half of
next year, it plans to create a standard that vendors can build in and
have certified as a check-off item on their products, said Frank
Hanzlik, the organization's managing director. The standard won't be
required on all Wi-Fi products because it wouldn't be appropriate for
complex enterprise gear installed by IT professionals, he added.

Altruistic LANs

Some consumers will still choose to leave their networks open as a
public service, the EFF's Bankston said. In addition to possibly
violating the terms of your broadband contract, that move calls for
all the safeguards mentioned above.

"If you don't know how to control network permissions, you should not
run open Wi-Fi," Bankston said. "Even if you know what you're doing,
opening up your network to the public will increase your risk."

http://www.pcworld.com/news/article/0,aid,122153,tk,dn080905X,00.asp


===
"The pressure is outrageous. Everyone is picked apart and it's so superficial and not real. I'm not superskinny and not overweight. I'm just normal."
-- Hilary Duff
.

Loading