Posted on 07/05/2005 11:21:25 PM PDT by Dont Mention the War
By ALEX LEARY, Times Staff WriterThough wireless mooching is preventable, it often goes undetected.
ST. PETERSBURG - Richard Dinon saw the laptop's muted glow through the rear window of the SUV parked outside his home. He walked closer and noticed a man inside.
Then the man noticed Dinon and snapped his computer shut.
Maybe it's census work, the 28-year-old veterinarian told his girlfriend. An hour later, Dinon left to drive her home. The Chevy Blazer was still there, the man furtively hunched over his computer.
Dinon returned at 11 p.m. and the men repeated their strange dance.
Fifteen minutes later, Dinon called police.
Police say Benjamin Smith III, 41, used his Acer brand laptop to hack into Dinon's wireless Internet network. The April 20 arrest is considered the first of its kind in Tampa Bay and among only a few so far nationwide.
"It's so new statistics are not kept," said Special Agent Bob Breeden, head of the Florida Department of Law Enforcement's computer crime division.
But experts believe there are scores of incidents occurring undetected, sometimes to frightening effect. People have used the cloak of wireless to traffic in child pornography, steal credit card information and send death threats, according to authorities.
For as worrisome as it seems, wireless mooching is easily preventable by turning on encryption or requiring passwords. The problem, security experts say, is many people do not take the time or are unsure how to secure their wireless access from intruders. Dinon knew what to do. "But I never did it because my neighbors are older."
A drive through downtown St. Petersburg shows how porous networks can be. In less than five minutes, a Times reporter with a laptop found 14 wireless access points, six of which were wide open. "I'll guarantee there are tons of people out there who have their wireless network being exploited but have no idea," Breeden said. "And as we see more people utilizing wireless, we'll see more people being victimized."
Prolific Wi-Fi growth
Wireless fidelity, or "Wi-Fi," has enjoyed prolific growth since catching on in 2000. More than 10-million U.S. homes are equipped with routers that transmit high-speed Internet to computers using radio signals. The signals can extend 200 feet or more, giving people like Dinon the ability to use the Web in the back yard of his Crescent Heights home but also reaching the house next door, or the street.
Today someone with a laptop and inexpensive wireless card can surf the Web via Wi-Fi at Starbucks or eat a bagel and send instant messages at Panera Bread. Libraries, hotels, airports and colleges campuses are dotted with Wi-Fi "hotspots." Even entire cities are unplugging.
"The information age is over. The information is out there," said Jim Guerin, technology director for the city of Dunedin, which will soon be the first city in Florida to go completely Wi-Fi. "Now it's the connectivity age. It opens up a whole new area for ethics, legal boundaries and responsibilities. It's a whole new frontier."
There's a dark side to the convenience, though.
The technology has made life easier for high-tech criminals because it provides near anonymity. Each online connection generates an Internet Protocol Address, a unique set of numbers that can be traced back to a house or business.
That's still the case with Wi-Fi but if a criminal taps into a network, his actions would lead to the owner of that network. By the time authorities show up to investigate, the hacker would be gone.
"Anything they do traces back to your house and chances are we're going to knock on your door," Breeden said.
Breeden recalled a case a few years ago in which e-mail containing death threats was sent to a school principal in Tallahassee. The e-mail was traced back to a home, and when investigators arrived, they found a dumbfounded family. The culprit: a neighborhood boy who had set up the family's Wi-Fi network and then tapped into it.
In another Florida case, a man in an apartment complex used a neighbor's Wi-Fi to access bank information and pay for pornography sites.
But he slipped up. The man had sex products sent to his address. "The morning we did a search warrant, we found an antenna hanging out his window so he could get a better signal from his neighbor's network," Breeden said.
Last year, a Michigan man was convicted of using an unsecured Wi-Fi network at a Lowe's home improvement store to steal credit card numbers. The 20-year-old and a friend stumbled across the network while cruising around in a car in search of wireless Internet connections - a practice known as "Wardriving."
(The name has roots in the movie WarGames, in which Matthew Broderick's character uses a computer to call hundreds of phone numbers in search of computer dialups, hence "war dialing.")
A more recent threat to emerge is the "evil twin" attack. A person with a wireless-equipped laptop can show up at, say, a coffee shop or airport and overpower the local Wi-Fi hotspot. The person then eavesdrops on unsuspecting computer users who connect to the bogus network.
At a technology conference in London this spring, hackers set up evil twins that infected other computers with viruses, some that gather information on the user, the Wall Street Journal reported.
Not all encryption is rock solid, either. One of the most common methods called WEP, or Wired Equivalent Privacy, is better than nothing but still can be cracked using a program available on the Web.
"Anybody with an Internet connection and an hour online can learn how to break that," said Guerin, the Dunedin network administrator. Two years ago when the city of Dunedin first considered Wi-Fi, Guerin squashed the idea because of WEP's inadequacy.
Dunedin's network, however, will be protected by the AES encryption standard, used by the Department of Defense. Passwords will be required, and each computer will have to be authenticated by the network. There also will be firewalls. "I'm confident to say our subscribers are at zero risk for that kind of fraud," Guerin said.
Leaving the door open
Not everyone has sinister intentions. Many Wardrivers do it for sport, simply mapping the connections out there. Others see it as part public service, part business opportunity. When they find an unsecured network, they approach a homeowner and for a fee, offer to close the virtual door.
Some Wi-Fi users intentionally leave their networks open or give neighbors passwords to share an Internet connection. There is a line of thought that tapping into the network of a unsuspecting host is harmless provided the use is brief and does not sap the connection, such as downloading large music files. "There is probably some minority of people who hop on and are up to no good. But I don't know there is any sign it's significant," said Mike Godwin of Public Knowledge, a public interest group in Washington, D.C., focused on technology.
"We have to be careful," Godwin said. "There's a lot of stuff that just because it's new triggers social panic. Normally the best thing to do is sit back and relax and let things take their course ... before acting on regulation."
Randy Cohen, who writes "The Ethicist" column in the New York Times Magazine , was swayed by Godwin's thinking. When asked by a Berkeley, Calif., reader if it was okay to hop on a neighbor's Wi-Fi connection, Cohen wrote:
"The person who opened up access to you is unlikely even to know, let alone mind, that you've used it. If he does object, there's easy recourse: nearly all wireless setups offer password protection."
But, Cohen went on to ask, "Do you cheat the service provider?" Internet companies say yes.
"It's no different if I went out and bought a Microsoft program and started sharing it with everyone in my apartment. It's theft," said Kena Lewis, spokeswoman for Bright House Networks in Orlando. "Just because a crime may be undetectable doesn't make it right."
"I'll probably never know'
In a way Dinon was fortunate the man outside his home stuck around since it remains a challenge to catch people in the act. Smith, who police said admitted to using Dinon's Wi-Fi, has been charged with unauthorized access to a computer network, a third-degree felony. A pretrial hearing is set for July 11.
It remains unclear what Smith was using the Wi-Fi for, to surf, play online video games, send e-mail to his grandmother, or something more nefarious. Prosecutors declined to comment, and Smith could not be reached.
"I'm mainly worried about what the guy may have uploaded or downloaded, like kiddie porn," Dinon said. "But I'll probably never know."
--Times staff writer Matthew Waite contributed to this report. Alex Leary can be reached at 727 893-8472 or leary@sptimes.com
I had a similar experience setting up my home network. The instructions said "If you choose..." when discussing the authentication / encryption configurations. Being a geek, but not a network geek, I thought "Um, well YEAH I choose!" and halted the setup, until I had first educated myself on the finer points of wireless LAN security (thank you, internet community!).
The whole experience made me shudder, realizing that most users would be tempted to pass over that whole area, and leave themselves wide open to the hacker wolves.
You DO have firewall software, I hope!
Then call the police and complain about litter.
A firey wall? Why would I want a wall of fire in my home? *snicker*
Of course I do. It's an unfortunate necessity for Windows based machines. I can't really get around that, unless I wanted to go with a Mac (although I guess they should be secured too, but they aren't as vulnerable as Windows). Besides, Macs aren't as compatable, at least it doesn't seem to me, with all the programs out there as Windows seems to be. If I had a business though, I'd be using Macs.
No it doesn't. The roots are from when hobos would use chalk or coal to write symbols (on walls, billboards, etc) providing directions, information, and warnings to other hobos.
I use Cat45 encryption. It was safe, cheap, reliable, and FAST!!!!!
For those who are interested in seeing who is trying to get into your wireless network, here is a cool free tool.
http://home.comcast.net/~jay.deboer/airsnare/
Wow, you read my mind. I was just about to post to ask someone for the link to this program! Thanks.
Probably. And when someone steals that car and uses it in the commission of a crime the police will come knocking on the car owner's door.
There was a rash of stolen vehicles at local (Kansas City) convenience stores where this was exactly the case... Until one day at a sandwich shop, a lady left her SUV running while running in to pick up some dinner. A man who had just been released from jail was right there, and decided to steal the SUV. He jumped in while she was coming out, and she tried to get her young child out of the back seat. He got tangled in the seat belt as she was trying to pull him out, and the man drove off, dragging the child on the pavement. I think it was more than a mile away before a number of pursuing cars forced him to stop, and they held the man for police. I don't believe that he was beaten anywhere near as much as he deserved. Of course, the child was dead long before the SUV was stopped. The MO legislature eventually passed 2 new laws: It's now illegal to leave a child unattended in a running vehicle, and law enforcement agencies must now check for active warrants before releasing prisoners. You see, the man who had just been released from jail was actually wanted, and never should have been released.
Mark
Isn't IPSEC more secure than PPTP? Does using IPSEC in effect encrypt the link between the wirelss adapter and the WAP?
Mark
Go here: https://www.grc.com/x/ne.dll?rh1dkyd2 and run all the tests.
I'm on a new Linksys, saw the article this AM, and found that the GRC tests gave me a clean bill of health.
Have ZoneAlarm and Norton ('04) installed, as well.
Its a pretty cool tool, though you need to train it for a bit, but once you have allowed MAC in database it works great!
GRC wont tell you if your wireless network is safe, it will tell you your computer is safe, but someone can still access your wireless network and setup a server to email child porn, terror threats or whatever. Check the security on your access point/router. Setup router with 128 bit WEP or better, MAC Filtering and do not transmit SSID. Also set a different password then default. And if its a WRT54G router, there are a ton of alternate operating systems for them, most are free and allow a boatload of options over standard linksys firmware.
I'm still yet to know how IPSEC werks with my Linksys WRT54G with HyperWRT firmware.
That's a horrific story. I believe I saw it on Court TV. It's also an interesting situation. The woman's child died a horrible death. If that were to happen again today with the new laws she could be prosecuted. So do we prosecute someone who just lost their child in such a horrible manner? Wouldn't she have suffered enough? While my own opinion would be no I think prosecutors might have a hard time finding a jury that would convict.
No, I don't get on any of the networks - I just map them for fun. And it is really cool what you can do with the brand new Google Earth Plus or Pro, properly formated GPS's wardriving data, and a little know-how. Fun. Now, if I can do it so can people with criminal intent. Secure your WAPS you idiots!
Thanks, friend.
4:40 p.m. July 6, 2005 LA JOLLA – A sport utility vehicle stolen with a sleeping toddler inside was recovered two hours later Wednesday after authorities launched a massive search and issued an Amber Alert for the vehicle.
The 2-year-old girl was still inside the SUV when police found it parked next to a building on the University of California at San Diego campus at North Torrey Pines Road and La Jolla Shores Drive.
A woman had left her daughter inside the Toyota 4-Runner while she went into a sandwich shop in the La Jolla Shores area, then discovered the SUV and the child gone upon her return minutes later, police said.
The auto theft and kidnapping occurred in the 2200 block of Torrey Pines Road shortly before 2:30 p.m., police said.
The mother told investigators she left the keys in the ignition of her vehicle, with the toddler asleep in the back seat, when she went into the sandwich shop, authorities said.
Police issued the child abduction alert, urging the public to be on the lookout for the SUV, at the same time launching a massive search.
Thanks for your help - I'm going to ping a few others to this post to see what they think ...
My DLink DI-624 now allows only our local PC MAC IDs to access the network - both between PCs and the internet. I've installed LucidLink.com's wireless encryption and all systems run ZoneAlarm and McAfee 7? (hard to tell).
GRC reports port 113 (IDENT?) as closed but responding - everything else is "Stealth" level.
The LucidLink wireless encryption DEFINITELY shut down net access til I got it configured correctly. DO NOT change the default "shared secret" setting until you can ask someone how to set it on the client-side! I ALWAYS change default passwords but they say its not necessary and the client (wireless) does not seem to have an option to change the shared secret setting to that of the "Server" so I had to go back to the default to connect - otherwise - no problems.
Tarator: I've read enough about WEP limitations that I went looking for something else but thanks for the post.
Oh and BTW I don't know why I didn't remember to type in " ms-its:%windir%\Help\infrared.chm::/WLAN_client_add_WISP.htm" to pick up a stealth SSID - Sheesh! Actually if the gateway and client ssid match won't they connect? ;-)
.308 PSS: Come back and post any time! WIth the MAC ID filters nobody's going to easily drift in and steal my bandwidth - I'm next to a public park so thanks for your help and - in theory - I'm encrypted too. Thanks for the impetus. ;-)
ninenot: Thanks - I'm an 'ol time fan of grc.com! - I don't know if XP needs it but I'd always use Netbui for F&P shares disconnecting TCP/IP per his instructions. Blind Faith!
Anyway, thanks to all for their posts - I'd been meaning to at least limit network access to MAC IDs and that's now done with PCMAG approved wireless encryption as well (free for up to 3 wireless clients). Comments anyone?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.