noel.wester@webtribe.net hath wroth:
>She asked me "how do I know if this network gets hacked?"
(...)
>So............how would you know? Presumably there's software out
>there that'll flag up intrusion attempts?
Good question. It's exactly like someone breaking into your house
while you're away. You can tell by something is missing, something is
messed up, or something is added. If you had a burglar alarm, the
alarm might go off if someone broke in and did nothing (tourist). The
alarm can also go off because of door rattlers, critters, earthquakes,
etc.
The computer version is identical. There are programs that you can
run that will detect, block, notify, and log intrusion attempts. For
example:
http://home.comcast.net/~jay.deboer/airsnare/
I use Log Viewer
http://svs.sv.funpic.de/
which works on a limited set of routers and gives considerably more
info than just intrusion attempts. Also a wide variety of SNMP based
systems.
These are the burglar alarms that will indicate that something unusual
or unexpected is happening or has happened. The problem is that they
generate considerable output and require some vigilance on the part of
the user. Knowing what an attack looks like and what things look like
normally is also helpful.
Something missing is often easy to miss. More likely, the files that
are missing were copied and not removed. For example, some attacker
copying the registry files and cracking the passwords at their leisure
is difficult to detect. Same with copying personal documents. If you
leave important documents on your machine, at least encrypt them so
they don't get stolen.
More commonly, something gets added or replaced on your machine.
That's the virus, worm, trojan horse, key logger, spam reflector, or
similar evil software. For example, an installed key logger will
build a file of all your keystrokes, and send it off to the evil
hacker. If there are any passwords or credit card numbers in there,
it can be extracted. In most cases, such malware can be detected by a
virus scanner and a spyware scanner. The problem with these is that
they often detect the added or replaced file AFTER it has been
installed. By then, it may be too late. Some of these can be
detected by the network traffic they generate, but that requires more
monitoring.
When I clean a machine from malware, the most common question is
"where did it come from". Quite often, the question revolves around
wireless security, which is rarely the culprit. I have yet to see
much in the way of direct wireless attacks by hackers installing
malware. Unfortunately, I've seen the exception. Customer goes to a
hotel and decides to save dollars by using an open access point
instead of the pricey hotel system. The open system had a script
running that detected connections, looked for open shares, and filled
his machine with executables that were full of malware. This is not
exactly your situation, but should be considered. If you're worried
about someone breaking into your wireless system, you also should
worry about them breaking into the computers on the LAN.
In most cases, the break-in doesn't even touch the computers on the
LAN. The attacker doesn't want to destroy your system. They want to
use your broadband internet connection to surf the net for free. The
politics and legalities get thick at this point. Policy can be
anything from wide open permissive to draconian security measures. You
decide for yourself. There are systems designed to make it easy:
http://www.fon.com
My attitude is that I don't mind people using my internet connection
as long as I know who they are and how to contact them. Of course,
abuse, spamming, excessive traffic, file sharing, porn, etc. are
discouraged.
The various software packages are useful for detecting such wireless
tourists. You can also see them appear in the router logs and
sometimes in the DHCP table. However, these again require log reading
and vigilance. Most commonly, an unwanted user is detected by the
traffic they generate. I get calls asking if it's normal for the
wireless light on the router to be flashing all the time and for the
connection to be slower than a snail. This is usually an obvious clue
that someone is using the wireless. Just watching the lights is a
helpful clue, but not a guaranteed burglar alarm. It's also subject
to false alarms, such as when various software packages decide to do
their updates.
In general, WPA with a sufficiently long and complex encryption key,
is sufficient security. The real weakness with such a shared key is
that users can "leak" the encryption key. I went to a party once and
noticed that the WPA key was scribbled on a piece of paper near the
router. During the party, I declared that I could crack the
encryption in a few minutes. I did some hand waving, some magical
incantations, and I was instantly on their wireless network. I was
hailed as a great hacker. Then I told them that I already knew the
encryption key in advance and how I found it. If you leave the key in
plain sight, expect to be hacked by your friends.
--
Jeff Liebermann
jeffl@comix.santa-cruz.ca.us
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060
http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
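An added example of the "check the DHCP table and watch the traffic" advice in the post above; this is my code, not Jeff's or any router vendor's. It parses a constructed lease table in dnsmasq lease-file format, flags clients missing from an assumed list of known devices, and flags hosts whose (assumed, constructed) byte counters exceed a threshold, which is the "wireless light flashing, connection slower than a snail" symptom turned into a check.

```python
"""Flag unexpected wireless clients from a DHCP lease table and traffic counters.

Added example, not from the original post. Lease lines are constructed sample
data in dnsmasq lease-file format (expiry epoch, MAC, IP, hostname, client-id);
the known-device list and the byte threshold are assumptions for the demo.
"""
from typing import Dict, List, Tuple

# Constructed sample lease table (dnsmasq format: expiry mac ip hostname clientid)
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.10 jeffs-laptop 01:aa:bb:cc:00:00:01
1700000500 aa:bb:cc:00:00:02 192.168.1.11 printer *
1700000900 de:ad:be:ef:00:07 192.168.1.57 android-9f3c 01:de:ad:be:ef:00:07
"""

# Devices the owner recognises (assumed allowlist), keyed by MAC address
KNOWN_DEVICES = {"aa:bb:cc:00:00:01": "laptop", "aa:bb:cc:00:00:02": "printer"}

# Constructed per-MAC byte counters, as a router client page or SNMP poll might give
SAMPLE_TRAFFIC_BYTES = {
    "aa:bb:cc:00:00:01": 120_000_000,
    "aa:bb:cc:00:00:02": 40_000,
    "de:ad:be:ef:00:07": 3_500_000_000,
}

def parse_leases(text: str) -> List[Dict[str, str]]:
    """Parse dnsmasq-style lease lines into dicts; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append({"mac": parts[1].lower(), "ip": parts[2], "host": parts[3]})
    return leases

def unknown_clients(leases: List[Dict[str, str]], known: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (mac, ip, hostname) for each lease whose MAC is not on the allowlist."""
    return [(lease["mac"], lease["ip"], lease["host"])
            for lease in leases if lease["mac"] not in known]

def heavy_talkers(traffic: Dict[str, int], limit: int) -> List[str]:
    """MACs whose byte count exceeds the limit: the 'slower than a snail' symptom."""
    return sorted(mac for mac, nbytes in traffic.items() if nbytes > limit)

def report(lease_text: str = SAMPLE_LEASES, traffic: Dict[str, int] = SAMPLE_TRAFFIC_BYTES,
           limit: int = 1_000_000_000) -> Dict[str, list]:
    """Combine both checks into one dict a log-reading script could print or mail."""
    leases = parse_leases(lease_text)
    return {"unknown": unknown_clients(leases, KNOWN_DEVICES),
            "heavy": heavy_talkers(traffic, limit)}

if __name__ == "__main__":
    print(report())
```

Both checks are subject to the false alarms the post mentions (a friend's new phone, a large software update), so treat the output as a prompt to look, not as proof of a break-in.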