Was I hacked?
October 22, 2006 7:08 PM

I was in a public location last weekend with a wi-fi enabled laptop (windows xp). Someone, with another laptop, was broadcasting a session id with the name "Free Wireless Internet." Without really thinking about what I was doing, I connected to this machine for a duration of approx 5 minutes thinking that I would get free internet. There was in fact no internet access. The next time I checked my computer for certain files, I noticed that a bunch of data was missing. Is it possible to do wi-fi computer to computer hacks? In just 5 minutes?

Also, can such actions be considered criminal if convicted in a court of law? FWIW, with a little bit of old-fashioned detective work, I'm pretty sure that I determined where this person lives. Should I confront the rat? Or how likely is it that my missing files are just a coincidence, and this laptop owner is really innocent? Also, is it likely that my local podunk police department would have the expertise to investigate a high tech crime?
posted by anonymous to Computers & Internet (28 answers total) 7 users marked this as a favorite
I'm not an expert on this, so take this with a grain of salt, but it's possible this could have been a trojan on their machine. I'd look at that possibility before going after them. The police are worthless for this kind of thing unless you've got deep pockets.
posted by rolypolyman at 7:17 PM on October 22, 2006

(not that you'd pay off the police, rather I mean they won't bother unless it involves high-profile individuals or high-dollar loss)
posted by rolypolyman at 7:18 PM on October 22, 2006

Here is a relevant page. The Google search string was wi-fi security.

Any access point can have a sniffer on it.

I'm not up on XP security since I use that only at work, but I suspect if you had files you were sharing with the right set of permissions they could be read or overwritten (it's a clumsy hacker who leaves traces like the ones you note).

Recommendations: use SSH for email checks, don't ever send any password in the clear on any wi-fi node.

If you want to do some Web browsing, use a browser whose cache is pristine.

You'll play hell interesting anybody in legal pursuit.
posted by jet_silver at 7:25 PM on October 22, 2006

Did you have folders shared on your laptop with read/write permissions?

Do you have a secure admin password? If not, it's pretty easy to access any/all of your files.
posted by mphuie at 7:30 PM on October 22, 2006

Possible? Yes, certainly. Much less than 5 minutes depending on your computer's configuration.

I doubt it though. Why would someone delete your files? It would be a sure tip-off of a violation and not get the perpetrator anything.

If someone was doing something nefarious with the connection, it's much more likely they would sniff your net traffic for passwords or install a trojan.

Do a deep virus scan and change any passwords you may have used during the connection, just in case.

Are your deleted files in the Recycle Bin? They'll have a "Date deleted" attached.

Did the files get moved to another folder accidentally? (I've done this more times than I'd like to admit with a careless mouse drag.)
posted by Ookseer at 7:34 PM on October 22, 2006

SSH, SSL, and VPNs are all useless on a compromised WAP. It's called a man in the middle attack.
posted by ill3 at 7:49 PM on October 22, 2006

ill3: wrong. ssh, ssl, and vpns have protections against a man in the middle attack.
posted by aspo at 7:55 PM on October 22, 2006

ill3, got a positive recommendation besides not using a compromised WAP? I looked up MITM and it seems you're right.
posted by jet_silver at 7:56 PM on October 22, 2006

SSH, SSL, and VPNs are all useless on a compromised WAP. It's called a man in the middle attack.

If I have the public key of the server I want to connect to stored locally how exactly is a man-in-the-middle attack going to work?

Please back up statements like that made on ask metafilter - with either an explanation or a source.
posted by vacapinta at 7:59 PM on October 22, 2006 [1 favorite]

ill3, that's the dumbest thing I've ever heard. MITM attacks are the raison d'etre of secure protocols, since they don't protect you from much else.
posted by cillit bang at 8:13 PM on October 22, 2006

Boy, I must be some kind of idiot! I'm going to go shut down the security company I run right now....

Hang on, I will find you some links that explain. I thought this was well understood by most.
posted by ill3 at 8:18 PM on October 22, 2006

Also, if it's not clear, I don't run an English department....
posted by ill3 at 8:18 PM on October 22, 2006

Anon: the answer to your question is yes, it's possible, and there are some people who launch this sort of attack deliberately. As to whether it happened in your particular case, it depends - on whether you have any vulnerable services running, or open file shares, or.... but without getting too technical, it's safe to say that if you haven't kept up with your Windows Update - or, in some cases, even if you have, and don't have a personal firewall and antivirus installed, you're more likely to run into the trouble you're asking about.
posted by aberrant at 8:37 PM on October 22, 2006

What we are talking about are called "Evil Twins":

Here are two articles that explain how you can MitM SSH and SSL using dsniff and a compromised WAP:



Here is an article in the Chronicle where I am quoted on the topic of Evil Twins :


cillit bang : if there are any other "dumbest things" you would like for me to illuminate for you, drop me a line via email.


As for a better alternative: have a piece of client software that has two-way asymmetric authentication with preinstalled certs, etc.
posted by ill3 at 8:37 PM on October 22, 2006 [3 favorites]

...and disregard what ill3 says about MITM attacks across compromised WAPs. If you're using standard SSH / SSL / IPSEC, it would take a lot more than a compromised WAP to prevent at least a warning popping up notifying you that the server you're trying to get to is not trusted, unless you've trained yourself to ignore the warnings and just "click through" (stupid), or specifically configured your browser / ssh / vpn software to ignore those warnings (very stupid).

The protocols were designed to work securely across an arbitrary untrusted network that has been assumed to be completely under the control of a malicious actor.
posted by aberrant at 8:41 PM on October 22, 2006

ill3: not to derail, but evil twins don't defeat the security controls of ssh, ssl, or vpn connections. Dsniff (or any one of the MITM tools out there) won't work unless the victim ACCEPTS THE BOGUS KEY - that is, unless the user makes a mistake.

(and where are you quoted in that third article?)
posted by aberrant at 8:44 PM on October 22, 2006

never mind, found it. Still doesn't change the answer.
posted by aberrant at 8:46 PM on October 22, 2006

I'm sorry I said anything, as we are getting off the original poster's question.

I will concede that with a perfectly configured machine and an educated user, especially one who already has the public key installed on the same machine, it is relatively safe. However, I would guess 99% of users do not fall within this category.

However, just to beat this horse to death, I will give you three examples :

- Open up IE6 see if you still have SSL 2.0 enabled - I do. If I was attacking you I would implement a version rollback attack spoofing both server and client into thinking that only SSL 2.0, not 3.0 were supported on both the client and the server. I would then be able to take advantage of SSL 2.0's 40-bit MAC. Et voila.

- Again, since I not only control all your traffic, I also control your DNS, I could 302 your original request to a page that is a combination of the real page requested protected by SSL, and an IFRAME that uses layers to lay input boxes on top of the actual page to capture username and password. I have demonstrated this attack to a major bank, without even needing control of the AP.

- Just return you to a page saying "Thanks for using Public WiFi, Click here to go to the page you wanted to access". Pop a "toolbarless window" up with images of the browser's UI, the real URL, and the trustworthy lock at the bottom, with all my content in between. There are really good versions of this attack now, where the browser buttons actually work via JavaScript etc.

None of these kick a cert warning.

However, I bet there is a high double-digit percentage of users that have seen the "bad cert" or "mixed secure and not secure content" messages enough that many blow right through.

Personally, I use a EVDO modem.
posted by ill3 at 9:16 PM on October 22, 2006 [1 favorite]
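The host-key decision the exchange above turns on (vacapinta's "if I have the public key stored locally", aberrant's "unless the victim ACCEPTS THE BOGUS KEY", and ill3's concession about a preinstalled key), worked through as an added example that is not from any poster in this thread. The key blobs are constructed placeholders, and the three policies model a strict pinned client, ssh's default trust-on-first-use, and a user who dismisses every warning.

```python
import base64
import hashlib
from enum import Enum

# Constructed sample host keys (not real keys): the home server's key and the
# key an evil twin relaying the session would present in its place.
REAL_SERVER_KEY = b"ssh-ed25519 constructed-home-server-public-key"
EVIL_TWIN_KEY = b"ssh-ed25519 constructed-attacker-public-key"

def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class Policy(Enum):
    STRICT = "strict"          # only a pre-pinned key is ever accepted
    TOFU = "tofu"              # trust on first use, refuse a changed key
    CLICK_THROUGH = "click"    # user who dismisses every host-key warning

def connect(known_hosts: dict, host: str, presented_key: bytes, policy: Policy) -> str:
    """Client-side host key check. Mutates known_hosts the way ssh does on TOFU."""
    presented = fingerprint(presented_key)
    pinned = known_hosts.get(host)
    if pinned is None:
        if policy is Policy.STRICT:
            return "refused"           # nothing pinned, so nothing to verify against
        known_hosts[host] = presented  # first use: whatever key arrived is now pinned
        return "ok"
    if pinned == presented:
        return "ok"
    if policy is Policy.CLICK_THROUGH:
        return "ok"                    # warning ignored: the relay can read the session
    return "refused"                   # mismatch: the warning aberrant refers to

def scenario(policy: Policy, pre_pinned: bool, hostile_network: bool):
    """Returns (client decision, whether the attacker ended up in the session)."""
    known = {"home": fingerprint(REAL_SERVER_KEY)} if pre_pinned else {}
    key = EVIL_TWIN_KEY if hostile_network else REAL_SERVER_KEY
    result = connect(known, "home", key, policy)
    compromised = hostile_network and result == "ok"
    return result, compromised

if __name__ == "__main__":
    for policy in Policy:
        for pinned in (True, False):
            print(policy.value, "pinned" if pinned else "unpinned", scenario(policy, pinned, True))
```

The only rows where the relay ends up in the session are the click-through user and a first-use connection made from the hostile network with nothing pinned beforehand; the latter also leaves the attacker's fingerprint in known_hosts, which is why the next connection from a clean network then warns.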

Not to derail the MITM derail and bring this back on topic, but I am shocked that no one has pointed out that Windows has a bug in it where whatever last ad-hoc (computer-to-computer) WiFi SSID was used is broadcast out the next time it is connected. This is why you see "hpsetup" or "free wireless internet" in almost every airport in the USA. These are not usually viruses, although that's certainly a possibility. I could have sworn we covered this topic several times here, but Yahoo! search is not helping.

It sounds like you knew (probably from the WiFi manager) that it was an ad-hoc (rather than infrastructure) setup, so I bet this is the culprit.
posted by crazyray at 9:25 PM on October 22, 2006

Link to article describing bug in Windows.


This advisory documents an anomaly involving Microsoft's Wireless Network
Connection. If a laptop connects to an ad-hoc network it can later start
beaconing the ad-hoc network's SSID as its own ad-hoc network without the
laptop owner's knowledge. This can allow an attacker to attach to the laptop
as a prelude to further attack.
posted by crazyray at 9:30 PM on October 22, 2006

My apologies for my OCD, but a few more links:

Man in the middle for SSH

Man in the middle for SSH2
posted by ill3 at 9:30 PM on October 22, 2006 [1 favorite]

crazyray: You might want to look at this thread. Relevant to the OP here as well.

ill3: I believe I know what you're talking about. It's just that your original statement of SSH etc. being "useless" was just a bit overblown or came off that way mistakenly.
posted by vacapinta at 9:44 PM on October 22, 2006

Vacapinta : You are right, calling it useless was hyperbolic.
posted by ill3 at 9:56 PM on October 22, 2006

ill3, just to clarify: If I'm using a Windows laptop, and

* I don't have Windows file sharing enabled, Windows Firewall is turned on, and all exceptions are disallowed on the wireless connection

* I have a wireless connection to some random AP

* I have successfully established an SSH2 connection to my home server using key (not password) authentication, I have received no possibly-bogus-certificate warnings while doing so, and am now forwarding local port 1080 to my own server over that connection

* I'm using Firefox, set up to use a SOCKS proxy on port 1080 and do all its DNS requests via that proxy

are you aware of any reason why I shouldn't be browsing to e-commerce sites with confidence?
posted by flabdablet at 11:08 PM on October 22, 2006 [1 favorite]

ill3, point taken, but the way you originally phrased it was totally misleading.
posted by cillit bang at 5:02 AM on October 23, 2006 [1 favorite]

It's just a bug in Windows networking that leaves the last known access point available as a computer-to-computer network. It's not a hack and not a scam. Just a bug.
posted by mathowie at 8:25 AM on October 23, 2006

flabdablet: Sounds reasonably safe to me.

cillit bang: You are right.
posted by ill3 at 9:04 AM on October 23, 2006

this is a really interesting thread, thanks
posted by matteo at 12:25 PM on October 24, 2006
