The Good News and the Bad News

What Hackers Can Do

The press is fond of saying that there are a multitude of different kinds of hacker exploits, but in truth there are only a few different kinds of things that hackers can accomplish:

  1. They can connect to your computer without your knowledge or permission, in order to vandalize your machine or steal data or bandwidth.

  2. Even without connecting to your computer, they can 'sniff' your network traffic to obtain passwords, credit card numbers or other useful information.

  3. They can hijack your machine by planting a Trojan Horse program on it.

  4. If you're running a server of some kind, they can mount a 'denial of service' attack against your server.

Nearly all hacker exploits fall into one of these four categories, which I'll treat separately. Note that viruses are not, strictly speaking, a hacker phenomenon, though many people think of them that way.

Unauthorized Connection

The whole idea of the Internet is to connect machines with one another across distances that can be global. The challenge of Internet security is to prevent such connections when they're not wanted, and limit the scope of the connections that are permitted.

If a hacker manages to connect to your home network, he can read what's on your hard drives and copy out any files he might deem interesting, or possibly plant Trojan horse programs (more on which below) without your knowledge. Simple vandalism is also possible, but the thrill of nuking files or formatting other people's hard drives wears off quickly and isn't done very often.

If you have a Wi-Fi network in place without any security, a 'drive-by' hacker can easily use your Internet connection to surf the Web or check email, which may be annoying but isn't directly damaging. However, drive-by hackers who use your Internet connection are often trying to engage in IP impersonation, which is a species of identity theft. IP impersonation means that they do obnoxious or illegal things through your Internet connection, like sending spam email or transmitting kiddie porn. If the authorities trace this activity back to its source, surprise! It looks like the perpetrator was you. This is in fact your greatest risk as a Wi-Fi network owner, and I'll describe the problem in detail later on. (You'll be pleased to know that it's pretty easy to prevent.)

Network Traffic Sniffing

'Packet Sniffing' is something like a network wiretap. A packet sniffer utility watches traffic going through a network without disrupting it, recording some or all of that traffic in a log file, so the hacker can examine it at leisure. (Traffic over networks is broken into chunks called packets, hence the term. Packet sniffing is something like trainspotting, with teeth.)

On a wired network, there is the not-inconsiderable challenge of installing a packet sniffer utility on one of the networked machines. However, Wi-Fi is based on radio, which opens up a universe of new possibility for packet sniffers. Radio waves are not confined to the inside of a cable, and anywhere your Wi-Fi radio signals go, a packet sniffer program can passively monitor them with no one the wiser. A drive-by hacker can park within the field boundaries of your Wi-Fi access point and undetectably sniff packets on a laptop using a free utility like AirSnort or Kismet. Such a hacker doesn't even have to drive: A Linux-based PDA like the Zaurus can run AirSnort in the hacker's pocket or briefcase while he's visiting your company's offices. Once AirSnort logs enough packets, it can reverse-engineer passwords and render your Wi-Fi security mechanism useless.

Packet sniffing is a hazard at its most serious when your Wi-Fi signal extends to places over which you have no knowledge or control. If your office is on the seventh floor of an office building, people in an office directly atop yours on the eighth floor (or below it, on the sixth) can very likely receive your Wi-Fi radio signal, and sniff packets without any way for you to know that they're sniffing. If you live in a neighborhood where the houses are set very close, the teenagers next door may be able to break your WEP encryption with AirSnort at their leisure, using a Linux machine on their desk and an unseen gain antenna aimed at your house… right through their bedroom wall! (Wood frame construction is mostly transparent to microwaves like those used in Wi-Fi gear, and gain antennas can compensate to a great extent for signal absorbed by wood and plaster.)

Packet sniffing in a Wi-Fi environment is the most difficult of hacker exploits to prevent. Your best defense is enabling Wired Equivalent Privacy. While not the perfect defense, it's far better than the press has made it out to be. Again, I'll present much more on this in following chapters.

Hijacking Via Trojan Horse

Perhaps the most diabolical hacker exploit is the 'remote access' Trojan horse, which is a program that, when run on your computer, opens up a 'back door' onto the Internet, through which a hacker can obtain complete control over your machine. A computer under the control of such a Trojan horse has been hijacked, or 'jacked' as techie insiders usually say. The most famous Trojan horse is called Back Orifice, though there are quite a few others, and they all work more or less the same way.

A Trojan horse program can be installed on your system in various ways. A virus coming into your machine on an email attachment can install a Trojan horse. (Remember that a Trojan horse is not the same thing as a virus!) You can unwittingly install a Trojan horse program yourself by downloading a seemingly innocuous program (like a game or animation of some kind) in which the Trojan horse has been deliberately hidden. A hacker who manages to connect to your machine from the Internet can install a Trojan horse manually. If your network defenses are weak or nonexistent, a script kiddie can run an idiot-level script that will install Trojan horse programs automatically on any machine it can get into.

What Trojan horse programs actually do varies widely. Most of them take no action of their own other than simply opening back doors to the Internet, through which a hacker can take control of your machine. Some are 'zombie' or 'drone' programs designed to launch denial of service (DoS) attacks on other systems, usually Web sites. In a DoS attack, a hacker or group of hackers secretly installs a Trojan horse program on a large number of machines. The silent army of zombie programs then waits patiently for a signal to come in from their installers over the Internet, at which time they wake up and begin sending a flood of nonsense packets or connection requests at a specific target. The target machine or server is soon overwhelmed and crashes or must be shut down.

There are many security utilities that watch for Trojan horse programs, including Norton Anti-Virus and the Zone Alarm Pro firewall. A good firewall will also help by blocking the eventual attempt to access the Trojan horse from the Internet.

The 'low-hanging fruit effect' works to your advantage here. There are so many 'easy' machines connected to the Internet that no hacker is going to sweat and strain to plant a Trojan on your machine, if something like Zone Alarm Pro makes it difficult. (And it does!)

Recruiting machines for Trojan horses is done automatically. Hackers use scripts (simple programs) to probe tens of thousands or millions of machines for vulnerabilities. These vulnerabilities fall into several classes. One vulnerability exists when a Trojan horse program is already present on your machine, either planted earlier by a hacker or installed by a virus-infected program, an email attachment, or a program that isn't quite what it appears to be. My firewall logs and blocks dozens of probes every day for Trojan systems like Back Orifice. Another vulnerability is the availability of a protocol like FTP, which would allow a hacker or a script to upload a Trojan and install it on your computer.

All of this has to be done quickly, because to launch a Denial of Service attack, it has to be done many thousands of times. If your machine doesn't respond instantly to a probe, the script passes you by. On the Internet, there's always another sucker right next door.
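The firewall logs mentioned above are the defender's best evidence of this automated probing. The following added example (not code from the book) summarizes blocked inbound probes from a few constructed log lines in a made-up format, flagging the ports the chapter discusses: Back Orifice's well-known default listener and FTP as a Trojan upload path.

```python
# Added example, not from the book: tally BLOCKed inbound probes per watched
# port from constructed firewall log lines (the format is invented, not a product's).
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
2005-03-01 02:13:07 BLOCK UDP 198.51.100.9:1045 -> 203.0.113.7:31337
2005-03-01 02:13:07 BLOCK TCP 198.51.100.9:1046 -> 203.0.113.7:21
2005-03-01 02:14:52 BLOCK UDP 198.51.100.44:2200 -> 203.0.113.7:31337
2005-03-01 02:20:11 BLOCK TCP 198.51.100.9:1050 -> 203.0.113.7:135
2005-03-01 02:20:12 ALLOW UDP 198.51.100.3:53 -> 203.0.113.7:50123
"""

# timestamp action proto src:port -> dst:port
LINE = re.compile(r"^(\S+ \S+) (BLOCK|ALLOW) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

# Ports worth watching, per the chapter's discussion (31337 is Back Orifice's
# documented default port; 21 is FTP, which can be used to upload a Trojan).
WATCH_PORTS = {31337: "Back Orifice default listener", 21: "FTP upload path"}

def parse(log: str) -> List[dict]:
    """Turn log text into records; malformed lines are skipped, not fatal."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, action, proto, src, _sport, _dst, dport = m.groups()
        records.append({"ts": ts, "action": action, "proto": proto,
                        "src": src, "dport": int(dport)})
    return records

def blocked_probes(records: List[dict]) -> Counter:
    """Count blocked packets per (destination port, source address)."""
    return Counter((r["dport"], r["src"]) for r in records if r["action"] == "BLOCK")

def summarize(log: str) -> Dict[int, dict]:
    """For each watched port: label, total blocked probes, distinct sources."""
    report: Dict[int, dict] = {}
    for (port, src), n in blocked_probes(parse(log)).items():
        if port in WATCH_PORTS:
            entry = report.setdefault(port, {"label": WATCH_PORTS[port],
                                             "count": 0, "sources": set()})
            entry["count"] += n
            entry["sources"].add(src)
    return report
```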

Denial of Service Attacks

You can also be on the receiving end of a DoS attack, especially if you're running a Web server or some other service that is available over the Internet. Once the attack begins, there's not much you can do but shut your machine down (and, ideally, disconnect from the Internet) until the attack passes. DoS attacks don't usually damage your data, but simply make it impossible for legitimate users to connect to your machine.

Fortunately, residential networks and small office networks are almost never targeted for DoS attacks, because such networks rarely host publicly accessible servers. This is a risk so small that you might as well ignore it.

IP Impersonation

Of all the various attacks that hackers can mount against home office and small office wireless networks, the most important by far is something I call IP impersonation. Unlike the risk of someone mounting a denial of service attack against your system (which is extremely small), the risk of IP impersonation is significant, if not (yet) great.

IP impersonation is a species of identity theft. An intruder connecting to the Internet through your wireless access point is basically impersonating you, and if that intruder's possibly illegal actions are traced back (using the IP address of your Internet connection), it will appear as though you were the one doing the lawbreaking. Not good.

Accessing the Internet is not anonymous. You are identifiable by your IP address. Your Internet Service Provider (ISP) assigns you an IP address (usually automatically, through a DHCP server) and keeps it in a database. Anything you would ordinarily do on the Internet (send email, post a file to a newsgroup, access a peer-to-peer file-sharing network) can be associated with your IP address, and if you do something illegal on the Internet and Somebody Notices, you can be tracked down through your IP address.

Most people intuitively understand this, even when they can't explain all the arcana of IP addressing. What a lot of people don't understand is that all machines on a small office or home office (SOHO) LAN that share the same Internet connection also share the same IP address. (See the topic 'Internet Connection Sharing' in Chapter 3 for the technical details.) And what almost nobody seems to understand is that when someone parks in front of your house and accesses your wide-open wireless access point to get onto the Internet, that someone is also sharing your IP address.
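To make the shared-address point concrete, here is an added example (not code from the book) that models a SOHO gateway doing many-to-one address translation. Two LAN clients, the owner's PC and an uninvited Wi-Fi client, both send mail; the outside world sees one source address, while only the gateway's own log still records which LAN machine was responsible, which is the kind of evidence the logging described later in this chapter relied on. All addresses are constructed sample values.

```python
# Added example, not from the book: a toy many-to-one NAT gateway showing why
# every LAN client, invited or not, appears on the Internet as the owner's IP.
from dataclasses import dataclass
from typing import Dict, List, Tuple

PUBLIC_IP = "203.0.113.7"  # constructed sample address assigned by the ISP

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatGateway:
    """Rewrites each LAN (ip, port) source to (public ip, fresh public port)."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        self.table: Dict[Tuple[str, int], int] = {}  # (lan ip, lan port) -> public port
        self.log: List[str] = []  # visible only to the gateway's owner

    def translate(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:           # first packet of a flow: allocate a port
            self.table[key] = self._next_port
            self._next_port += 1
        pub_port = self.table[key]
        self.log.append(f"{pkt.src_ip}:{pkt.src_port} -> {self.public_ip}:{pub_port} "
                        f"to {pkt.dst_ip}:{pkt.dst_port}")
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

def run_sample() -> Tuple[List[str], List[str]]:
    """Constructed traffic: owner's PC and an intruder both talk to a mail server.
    Returns (source IPs seen outside, source IPs recorded in the gateway log)."""
    gw = NatGateway(PUBLIC_IP)
    owner = Packet("192.168.1.10", 5000, "198.51.100.20", 25)
    intruder = Packet("192.168.1.77", 6000, "198.51.100.20", 25)
    translated = [gw.translate(p) for p in (owner, intruder)]
    outside = sorted({p.src_ip for p in translated})            # what the world sees
    inside = sorted({line.split(":")[0] for line in gw.log})    # what only you see
    return outside, inside
```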

What everybody seems to fear from hackers these days is getting their machines hijacked or vandalized, with wiped-out hard drive and lost files. That happens, of course, but not as often as the media would like you to believe. Vandalism appeals to a certain brand of disaffected teenager, but there's no money in it and it loses its novelty after a while. On the other hand, being able to access the Internet using someone else's IP address can be a paying proposition, and a dangerous one, for you.

Consider spam. Internet service providers generally prohibit the transmission of spam email from their customer accounts. When someone reports spam coming from such an account, most ISPs shut that account down immediately. This is why so much spam comes from email addresses like kjtqvw@hotmail.com. Spammers understand that these are single-use addresses that will probably be shut down within 24 hours, and simply pump out the spam until the ISP acts. Especially on a broadband connection, you can send a lot of spam in 24 hours!

So imagine a spammer with a laptop sitting in front of your house, or perhaps in a parking lot down the street with an innocuous gain antenna on the roof of their car. They connect to your network, run a spam email program, and suddenly tens of thousands of emails per hour begin flowing onto the Internet, through your connection, associated with your IP address. You probably won't even notice that it happened, if a wily spammer does it at two in the morning when you and your family are asleep and your PCs and Internet connection are idle. You won't notice, that is, until your ISP cuts off your Internet service for spamming the next day.

Spamming, while supremely annoying, is not illegal. (As much as most of us would like it to be, sigh.) But suppose some devious person wants to upload pirated videos to a newsgroup, or, worse, kiddie porn? If that person connects to the Net on your IP and transmits illegal files, from the standpoint of law enforcement, it's you doing the transmitting, unless you can prove otherwise. (Proving that you didn't do something is notoriously difficult, especially in the slippery world of cyberspace.)

This has already happened, and it will certainly happen more frequently in the future. Not long ago, the next-door neighbor of an AT&T Broadband customer began transmitting pirated videos to associates in the middle of the night through the hapless customer's Wi-Fi network and AT&T Broadband Internet connection. The video's copyright owners tracked down the customer using his IP address, and the real culprit was caught using network logging software that showed the unwelcome connection when it happened again.

That wouldn't work quite as well in a drive-by situation, because the culprit is usually gone before you notice that anything's afoot. The whole point I'm making is that you can be held responsible for things done by other people through your Internet connection. This is the #1 reason that you should enable Wired Equivalent Privacy (WEP) on your wireless access point, and take the several other easy security steps outlined in the next chapter. IP impersonation is relatively easy to stop, especially the drive-by kind, where the impersonator has little or no time to break through even minimal security measures. Don't leave yourself wide-open, as statistics gathered by wardrivers (see Chapter 18) show that almost 75% of Wi-Fi users do.



Jeff Duntemann's Drive-By Wi-Fi Guide
ISBN: 1932111743
Year: 2005
Pages: 181
