[AI] The wireless gateways to cybercrime

renuka warriar erenuka at gmail.com
Thu May 22 08:37:50 EDT 2008


The Hindu News Update Service
default/empty  
News Update Service
Thursday, May 22, 2008 : 0955 Hrs       

Sci. & Tech.
The wireless gateways to cybercrime 

New York, (GUARDIAN NEWS SERVICE) 

By Rob Ashwell 

Unsecured wireless connections are easily stolen, making increasing numbers of people the victims of crime online 

On a hot summer's day two years ago, members of the Washington police force arrived at a building in Arlington County to arrest a suspected paedophile.
The detectives were met by an elderly woman who, it emerged, had nothing to do with the crime. The problem was her wireless router. The device was openly
allowing access to the internet throughout her apartment building and it is suspected that one of her neighbours was using it to upload child pornography.


A short walk with a Wi-Fi enabled phone or laptop will highlight that stealing wireless internet is easy. In a 2007 online survey of 560 people, more than
half admitted to stealing Wi-Fi previously. To test just how easy it was, I recently took a short stroll with a laptop around my neighbourhood in Bristol.
I found 127 Wi-Fi networks within a half mile of my home. Ignoring the dozen cafes and hotels, one-fifth (23) of them had no security. 

A further quick check at each also showed that all 23 still used the default password to access the administration area of the router - which would enable
a cybercriminal to edit details, lock the user out or steal passwords. This is apparently a typical picture; the IT security consultant, Network Box, estimates
that 13% of all home networks and 16% of business networks are unsecured. With 30m routers sold worldwide last year alone, that's a lot of access points
capable of being exploited. 

There are several dangers associated with leaving the administration area open, says Graham Cluney of the firewall and antiviral software vendor, Sophos.
"Different routers have different functions but you can generally change some of the [router's] settings and the way it works. 

"If you know what you're doing you can make [the router] visit other sites. For example, you can redirect from Google to a replica site that uploads a keystroke
recorder to the computer, which is capable of recording bank details." 

Under attack: 

Gunter Ollmann, of IBM's internet security systems division, agrees. He explained how easy it was to change the DNS settings, which translate a web address
into something the computer understands. By doing this the attacker can dictate where the home user is browsing. 

"Even just controlling the DNS addresses and ensuring that all internet traffic now passes through a proxy server that the attacker controls means that
the attacker can capture all passwords and submission details their victims are using." It wouldn't matter that your computer's antivirus software was
the best in the world, you'd be sending all your details through another machine monitoring every detail you sent. 

Gunter points out that an attacker could also modify settings to ensure the reset button no longer works properly, or just resets to the new operating system
the attack installed on it. 

Identity theft is not the only problem. Susan Hall, a partner in the law firm Cobbetts LLP and a specialist in IT law, highlights the problem of piggybacking
by organised crime, in effect laundering the true IP address of the criminal. Using someone else's internet connection means it is harder to link the act
with the criminal, be it fraudulent activity or the viewing of illegal sites. The prosecution needs only to prove the communication came from a particular
system. Once this is achieved the onus is on the individual to prove his or her innocence. 

As Hall points out: "We've had to argue this for cases of libel and had to try to track it back. It's not at all easy to show it didn't come from you."
With it being "just too easy to do", Hall believes that the number of cases in which stolen Wi-Fi has been used for illegal activity will simply spiral.


Following my initial walk with a laptop, I tracked down a user. With permission - because doing it without would be a breach of the Computer Misuse Act
- I hacked into and altered my "reasonably tech-savvy" neighbour's router Wi-Fi settings; he explained that he simply hadn't been worried enough to spend
the time setting up the security of a password. 

Only the router password and ISP (internet provider) login details were changed, preventing the machine from accessing the internet. My neighbour spent
more than 40 frustrating minutes trying to access the internet - unsuccessfully. 

Simple security: 

Karen Hanley of the Wi-Fi Alliance, a global industry body, believes that network security should be made as simple as possible if it is to be adopted.
It is currently placing its seal of approval on WPA2 encoding for wireless networks. The organisation also recommends changing both the router's password
and name. 

The need for simplicity is slowly being adopted by the device manufacturers. Linksys' new LELA system, the company claims, will be as simple as selecting
from a list of high, medium or low security. 

The question, though, is whether enough people will use it - and how you make sure that they change the default password. 





More information about the AccessIndia mailing list