titled: "Wi-Fi-hacking neighbor sentenced to 18 years".
Can someone further explain this sentence in that article?
"With Kostolnik's permission, they installed a packet sniffer on his network to try and get to the bottom of the incidents ... A forensics computer investigator working for Kostolnik's law firm examined the packet logs... In the data surrounding the threatening traffic, they found traffic containing Ardolf's name and Comcast account."
Two fundamental questions:
What packet sniffer would I install (Ubuntu & WRT54G) if I were to look for snooping neighbors ... and ...
Why would a connection to the neighbor's router also leave the perpetrator's actual name and comcast account information?
Thanks for any advice as this both scares and intrigues me.
The hacker, thinking he was undetectable/undetectable probably logged into his own email at Comcast at one point. Also, unless he was spoofing his MAC address they had that as well. A packet sniffer of any sort would work, placed in between the router and the VDSL modem, along with a hub.
"Packet logs" is not exactly the correct term. Syslog would be more exact. It's *NOT* a packet sniffer. It merely shows connection source, destination, time, and maybe some other stuff. There's also no need for a local syslog server (data collector), since it can be sent over the internet, but in this case, I guess an "invisible" local logger would be useful. Something like this:
Linux and OS/X can play syslog server out of the box. Many routers have built in syslog and proprietary versions built in. Similar information could also be obtained via SNMP.
I don't think they used something like Wireshark to capture packets for later analysis because it seems that they were monitoring for at least several weeks. The amount of data that would need to be collected and analyzed would be monumental.
Start with arpwatch, which will detect if any new MAC addresses appear on the network. Then, search for "Linux intrusion detection system" which offers many applications such as:
There's also Airsnare for Windoze:
If your WRT54G is running one of the alternative firmware packages (DD-WRT, OpenWRT, Tomato, etc), you could run the IDS on the router. Arpwatch certainly will run after some installation problems. Hint: ipkg -force-depends install arpwatch
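The arpwatch behaviour the poster relies on (remember which MAC answers for each IP, report anything new) is easy to reproduce on the Ubuntu box, which is handy when the router firmware can't be changed. The following is an added example, not code from this thread or from the arpwatch project: it polls the kernel ARP table and emits the three event kinds arpwatch logs ("new station", "changed ethernet address", "flip flop"). The /proc/net/arp snapshots are constructed sample data; on a real Linux host the script reads the live table.

```python
"""arpwatch-style "new station" detection from the Linux ARP table.

Added example, not code from this thread or from the arpwatch project.
It remembers which MAC address answers for each IP and reports when an
unknown one shows up, or when an address is claimed by a different MAC.
The /proc/net/arp snapshots below are constructed sample data.
"""
import pathlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ArpWatcher:
    current: Dict[str, str] = field(default_factory=dict)   # ip -> MAC seen now
    previous: Dict[str, str] = field(default_factory=dict)  # ip -> MAC before the last change

    def observe(self, ip: str, mac: str) -> Optional[str]:
        """Record one IP/MAC pairing; return an event string, or None if nothing changed."""
        mac = mac.lower()
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            return f"new station {ip} {mac}"
        if old == mac:
            return None
        # A return to the MAC seen before the last change is what arpwatch calls a
        # "flip flop" (two hosts fighting over one address); anything else is a plain change.
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = old
        self.current[ip] = mac
        return f"{kind} {ip} {mac} (was {old})"


def parse_proc_net_arp(text: str):
    """Yield (ip, mac) for the complete entries of a /proc/net/arp dump."""
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, _hwtype, flags, mac = fields[:4]
        if flags == "0x0":                      # incomplete entry, MAC is all zeros
            continue
        yield ip, mac


def scan(watcher: ArpWatcher, arp_table: str) -> List[str]:
    """Feed one ARP-table dump to the watcher and collect the events it raises."""
    events = []
    for ip, mac in parse_proc_net_arp(arp_table):
        event = watcher.observe(ip, mac)
        if event:
            events.append(event)
    return events


HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
SNAPSHOTS = [  # constructed, one dump per polling interval
    HEADER
    + "192.168.1.1      0x1         0x2         00:1a:70:aa:bb:cc     *        eth1\n"
    + "192.168.1.10     0x1         0x2         00:16:b6:11:22:33     *        eth1\n",
    HEADER
    + "192.168.1.1      0x1         0x2         00:1a:70:aa:bb:cc     *        eth1\n"
    + "192.168.1.10     0x1         0x2         00:16:b6:11:22:33     *        eth1\n"
    + "192.168.1.77     0x1         0x2         00:25:9c:de:ad:01     *        eth1\n",  # unknown host appears
    HEADER
    + "192.168.1.1      0x1         0x2         00:1a:70:aa:bb:cc     *        eth1\n"
    + "192.168.1.10     0x1         0x2         00:25:9c:de:ad:01     *        eth1\n",  # .10 now answered by the newcomer
    HEADER
    + "192.168.1.10     0x1         0x2         00:16:b6:11:22:33     *        eth1\n"   # ...and back again
    + "192.168.1.200    0x1         0x0         00:00:00:00:00:00     *        eth1\n",  # incomplete, ignored
]


def run_sample() -> List[str]:
    """Replay the constructed snapshots through one watcher and return all events."""
    watcher = ArpWatcher()
    events: List[str] = []
    for table in SNAPSHOTS:
        events.extend(scan(watcher, table))
    return events


if __name__ == "__main__":
    live = pathlib.Path("/proc/net/arp")
    if live.exists():
        # one pass over the real table; loop this with a sleep to keep watching
        print("\n".join(scan(ArpWatcher(), live.read_text())))
    else:
        print("\n".join(run_sample()))
```

Run from cron or a loop with a short sleep and you get the same "new station" lines arpwatch would syslog, without needing ipkg on the router. Remember that the ARP table only shows hosts the Ubuntu box has exchanged packets with; a host on the same LAN that never talks to it will not appear, which is why the router-side placement the poster suggests sees more.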
It didn't. They were probably also sniffing the traffic on the WAN side of the router specifically looking for email headers. Once those were collected, the header would have the comcast email address. It's fairly trivial to sniff for email headers (and other common file formats) but I don't want to post any specific methods. Hint: You can do it with sed or awk/nawk.
No, it would not. Routers and Switches only put packets to the port (on the router) that goes to a specific machine. If you put it on the victims machine, and the hacker is talking to an Internet account, the victims machine would never see it. (I am talking on a mixed wired and wireless system, which most are.) Of course in a fully wireless system, you would see everything. The only way to see everything that transpires that goes to the Internet, the hub and sniffer on the WAN side of the router (to the modem) would be the best way to check the Internet traffic.
Syslog is a standard method of generating ummm... log files commonly found on Unix, Mac, and Linux servers.
The Syslog daemon (program) that does the work has a config file that points to a specific Syslog server, which collects the data. The syslog server could be the local machine (127.0.0.1), a machine on the local network (192.168.xxx.xxx) or any machine reachable on the internet.
In this case, if the router had the ability to generate syslog logs, then simply turning it on, and pointing it to suitable data collector would be sufficient. However, there's a chance that the perpetrator might notice this change, so I guess a sniffer would be more appropriate than syslog.
By configuring syslog.conf to point to an IP address. If you have a Mac, look at /etc/syslog.conf
Filters. syslog.conf has various filters to keep the logging level sane. Here's an example of some syslog output. Note the line with the sample email message:
There are also numerous syslog report generators and analyzers that look for security breaches and generate reports. (There's nothing more dull and boring than reading log files).
Please note the word "detect". Arpwatch will detect if there are any new machines on the network. Once a new machine has been detected, other tools are used to block or identify the hacker.
No clue. I have no idea what "surrounding" means in an email header. My guess(tm) would be that the Comcast machine name was somewhere in the email header chain.
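The "suitable data collector" the poster describes can be a few lines on the Ubuntu machine. The following is an added example, not from this thread: a UDP syslog receiver that decodes the <PRI> prefix of each datagram into facility and severity the way a syslog daemon does (RFC 3164: PRI = facility * 8 + severity) and applies a syslog.conf-style selector such as "*.warning", which keeps that severity and anything more urgent. The three datagrams are constructed samples in that format; the router is assumed to have a "remote syslog server" setting pointed at this host.

```python
"""Small syslog collector with a syslog.conf-style severity filter.

Added example, not from this thread. A router with a remote-syslog
setting is pointed at this host; each datagram it sends begins with a
<PRI> field that encodes facility * 8 + severity, and a selector like
"*.warning" keeps that level and everything more urgent.
The datagrams in SAMPLE_DATAGRAMS are constructed, not captured.
"""
import socket
from typing import Dict, List, Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]


def parse_syslog(datagram: bytes) -> Optional[Dict[str, object]]:
    """Split a BSD-syslog datagram into facility, severity and the text after <PRI>."""
    text = datagram.decode("utf-8", errors="replace")
    if not text.startswith("<"):
        return None
    end = text.find(">", 1, 5)                  # PRI is at most three digits
    if end == -1 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:                               # 23 * 8 + 7 is the largest valid PRI
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "level": pri % 8,                       # numeric; lower is more urgent
        "message": text[end + 1:],
    }


def filter_messages(datagrams, min_severity: str = "notice") -> List[Dict[str, object]]:
    """Keep messages at min_severity or more urgent, like a '*.min_severity' selector."""
    cutoff = SEVERITIES.index(min_severity)
    kept = []
    for d in datagrams:
        parsed = parse_syslog(d)
        if parsed is not None and parsed["level"] <= cutoff:
            kept.append(parsed)
    return kept


SAMPLE_DATAGRAMS = [  # constructed; assumes the router logs DHCP leases, firewall decisions and UI logins
    b"<190>Jul 10 22:41:07 WRT54G dnsmasq-dhcp[612]: DHCPACK(br0) 192.168.1.77 00:25:9c:de:ad:01 unknown-laptop",
    b"<30>Jul 10 22:41:09 WRT54G kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.77 DST=203.0.113.10 PROTO=TCP DPT=25",
    b"<12>Jul 10 22:41:30 WRT54G httpd: login failed from 192.168.1.77",
]


def serve(bind: str = "0.0.0.0", port: int = 514, min_severity: str = "notice") -> None:
    """Receive datagrams from the router and print the ones that pass the filter."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))        # 514 needs root; use e.g. 1514 and set the router to match otherwise
    while True:
        data, (src, _) = sock.recvfrom(4096)
        for m in filter_messages([data], min_severity):
            print(f"{src} {m['facility']}.{m['severity']}: {m['message']}")


if __name__ == "__main__":
    # offline demonstration on the constructed samples; call serve() to listen for real
    for m in filter_messages(SAMPLE_DATAGRAMS, "info"):
        print(f"{m['facility']}.{m['severity']}: {m['message']}")
```

The filter is the same idea as the syslog.conf selectors the poster mentions: with "warning" only the failed web-UI login survives, with "info" the DHCP lease for the unknown MAC and the outbound SMTP connection from it are kept too, which is the source/destination/time record that later lets you tie a threat to a machine.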
article says "The packet logs finally bore fruit. A forensics computer investigator found the e-mail sessions sending the threats and in the associated packet information discovered Ardolf's name and his Comcast account."
"The text of the threat email was also contained in the 'packet capture' data, and a review of the data also revealed that the same computer that transmitted the data containing Ardolf's name and Comcast account also sent the threat email."
--- Posted via news://freenews.netfront.net/ - Complaints to email@example.com
Use WPA or WPA2 encryption, not WEP. This is the main protection against unauthorized access. Once a hacker gains access to the LAN, it's too late.
Set a router config password other than the default.
Turn off remote wireless config on port 8080 or at least change the port number to something else. It's too obvious a target for hacking.
Deploy an IDS (intrusion detection system) such as:
and occasionally look at the router log files for unauthorized machines.
Control network access to the individual machines with user logins and passwords. Shared folders and NAS servers on the network should not be wide open. I'm guessing, but the documents obtained from Kostolnik's machine were probably obtained because they were saved in a directory visible from the network.
Turn off the wireless at hours when it is unlikely to be used. Some routers have a front panel switch. Others have internal timer settings. An easy way is to use separate boxes for the modem, router, and wireless access point. When not in use, just turn off the power to the wireless access point. The modem and router will still function for wired connections.
There are a wide variety of "obstacle" type of defenses recommended by various authorities, such as regular password changes, MAC address filters, and AP isolation. These will slow down intruders, but do little to actually prevent access by a determined hacker. If it's a neighbor doing the hacking, they have plenty of time to sniff, log, and experiment and test what works.
Get to know your neighbors.
In my never humble opinion, one big problem is that the concept of the shared wireless pass phrase is flawed. Physical access to any of the wireless computers on Kostolnik's network, for even a few minutes, could result in the WPA pass phrase (or a usable hash code) being recovered.
This did not happen in this case, but is still a major risk. It would be better to use WPA-RADIUS and a RADIUS server, with individual logins and passwords, authentication, and one time encryption keys. However, RADIUS servers are not commonly available on home wireless systems.
This is a great idea. I'm not sure if that runs on the WRT54G router or on the Ubuntu computer though ... as I'm confused when I got to the web page (and there's no installation in the "ubuntu software center") ...
Does airsnare go on the router? Or on the computer?
AirSnare is a Windoze program. No clue if it will run under WINE. For your Ubuntu box, methinks arpwatch will suffice.
On a Windoze computah. It monitors traffic between the DSL/cable/satellite modem and the WAN port on the router. It will NOT work with a modem/router conglomeration in one box where there's no access to the WAN ethernet port.
I use my home and office addresses as my SSID. For customers, I use the company name. I also broadcast the SSID so that everyone can see it. Security by obscurity is of little value. Providing contact info in the SSID allows anyone that is receiving interference to contact the owner. Also it allows people that want to "borrow" connectivity to get permission from the owner.
Rainbow tables and other precomputation attacks do not work against passwords that contain symbols outside the range presupposed, or that are longer than those precomputed by the attacker. Use a pass phrase with no spaces, that's fairly long, full of non-dictionary words, and stuffed with symbols.
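The reason precomputed tables are so brittle is visible in the key derivation itself. The following is an added example, not from this thread: WPA/WPA2-Personal turns the shared pass phrase into the 256-bit pairwise master key with PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), which every client and access point computes at join time. The SSID is the salt, so a table built for one SSID says nothing about a network with a different one (the custom SSIDs in the reply above help here), and a pass phrase longer or richer than the table's search space is simply not in it. The strength check implements the rules this poster lists; the thresholds are chosen here, not given by the poster, and the word list is a constructed stand-in for a real dictionary.

```python
"""WPA pass phrase precomputation: why the SSID and the pass phrase length matter.

Added example, not from this thread. WPA/WPA2-Personal derives the PMK as
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); the SSID
salts the derivation, so precomputed tables are per-SSID. The strength
rules follow the thread's advice with thresholds chosen here (assumed).
"""
import hashlib
import string
from typing import List


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA PMK (the 'PSK') exactly as a client or access point does."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("a WPA pass phrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def distinct_pmks_per_ssid(passphrase: str, ssids: List[str]) -> bool:
    """True if one pass phrase yields a different PMK on every SSID given (the salt effect)."""
    keys = {wpa_pmk(passphrase, s) for s in ssids}
    return len(keys) == len(ssids)


# constructed mini word list; a real check would load a proper dictionary
COMMON_WORDS = {"password", "linksys", "wireless", "default", "admin", "letmein"}


def passphrase_problems(passphrase: str, min_len: int = 20, min_symbols: int = 3) -> List[str]:
    """Apply the thread's rules: fairly long, no spaces, no dictionary words, plenty of symbols."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if " " in passphrase:
        problems.append("contains spaces")
    lowered = passphrase.lower()
    hits = [w for w in COMMON_WORDS if w in lowered]
    if hits:
        problems.append("contains dictionary words: " + ", ".join(sorted(hits)))
    symbols = sum(c in string.punctuation for c in passphrase)
    if symbols < min_symbols:
        problems.append(f"only {symbols} symbol characters, want {min_symbols}")
    return problems


if __name__ == "__main__":
    # the same pass phrase on three SSIDs gives three unrelated keys
    for ssid in ("IEEE", "linksys", "MyHomeNet-123"):
        print(ssid, wpa_pmk("password", ssid).hex())
    print(passphrase_problems("password"))
    print(passphrase_problems("Zq7!vK#p2mRw$9sLx4Tb@Nd"))
```

The 4096 iterations are also why a table has to be built per SSID in advance rather than searched on the fly: each candidate costs thousands of HMAC operations, so an attacker's only shortcut is to guess both the SSID and the pass phrase space correctly beforehand. A non-default SSID plus a long pass phrase full of symbols removes both assumptions.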
It's a misnamed feature of many access points and is especially useful for wireless hot spots and coffee shops. It should be called "wireless client isolation". It prevents wireless users from seeing and attacking other wireless users. Basically, it prevents bridging (all wireless is bridging) between two wireless clients. The wireless clients can only bridge to the access point, and then to the router and out to the internet. They cannot bridge to each other.