August 12, 2008
iTunes as Network Security Tool
So what was I saying just before I went on summer vacation? Oh … right … you should secure your wireless network lest the Indian police raid your house.
So, summer vacation:
My parents live in the Shenandoah Valley, close enough to the Appalachian Trail that it’s about a ten minute drive to a trailhead on Skyline Drive. I used to live over the mountain in Charlottesville, but long enough ago that purchasing a wireless access point was far too extravagant when all I really needed to do to enjoy the Internet from my futon was run 100’ of CAT5 along the baseboard.
My dad finally got broadband for his house this year. He keeps his computer in the basement while my mom’s is in an upstairs office, so rather than going through the floor to run a cable he opted for Wi-Fi.
It’s fair to say that wireless security issues aren’t on dad’s radar. It’s not something he reads about, has to come in contact with professionally (he manages a social work office), or deals with much personally (he doesn’t have a laptop, he uses a Palm Tungsten, he doesn’t worry about keeping his sync data in the cloud).
When we arrived at my parents’ house last week, I had my MacBook and iPod Touch along. I got out my Touch to check my mail, thinking I’d probably have to ask dad for a password. Not because he thinks about wireless security but because it’s 2008 and his new Linksys WAP surely did some sort of security by default, right?
Nope. The Touch reported one local network with the SSID “linksys.” When I tried to connect, it didn’t prompt for a password. Convenient enough. Because nothing was getting between me and my e-mail, I let the matter go. My parents live on a quiet residential street with big lots, and I think of their home and environs the way I last spent much time there, eight years ago. I figured they’d notice anyone parked out in front of their house using a laptop.
A few days later, I had the MacBook out and had the Touch plugged in to charge it up. That meant iTunes had launched to sync up. In the sidebar, I noticed an available “Shared” music library called “Juli’s Limewire Music.” Huh. Nobody named “Juli” in my parents’ house, and I had my doubts that either of my parents were big Limewire users.
Because dad had left the defaults in place on the WAP, it was a pretty simple matter to go find the default login/password online and log in to its admin interface. I pulled up the DHCP clients list and found my iPhone, MacBook, mom and dad’s computers, along with two machines called “Juli’s Computer” and “Chris’s Computer.”
A Brief Note on Communal Wi-Fi
Despite outward appearances, I have no philosophical problem with shared Wi-Fi. When I first moved to Portland, I used a busted up Dell Inspiron laptop to run a PersonalTelco WAP. If I’m in a strange neighborhood and need connectivity, I’m always pleased to find someone with an open WAP.
Just before we moved into our current house and I had to spend a morning waiting around for the DSL installer to show up, I borrowed a cup of bandwidth from the neighbor while I sat on the floor with my laptop. I tried to follow a few rules, though. There were large software updates waiting, which I deferred. I love SomaFM, but I didn’t bother with it while I was being someone else’s guest. I didn’t upload photos, do an online backup, or spend the morning on YouTube. I certainly didn’t run Limewire or BitTorrent. I just checked my mail, read my feeds and used IM.
All that behavior struck me as polite; or at least as polite as one can be when making self-interested assumptions about the lack of a password on a nearby WLAN. If I had an open WAP, I’d hope my neighbors would do the same.
Back to Our Story
So it’s with all that in mind that I noted the existence of “Juli” and “Chris’s” computers on my dad’s network, Juli running Limewire off of it, and got hot under the collar. I have no idea whether the RIAA is still suing grandmothers, but I didn’t want my parents to help me find out.
I asked a few questions of my parents, who know most of their neighbors’ names. I didn’t go into specifics because I wondered whether they’d volunteer any information. Mom wondered if that was why her connection seemed to slow to a crawl at random, because she had been convinced it was just Comcast sucking or dad screwing something up. Dad wondered what the harm was.
I explained what the potential harm was, trying not to be too dramatic about the matter but wanting to make clear that “Juli” was using their network to do something that would use up a lot of their bandwidth and possibly cause them to be the recipients of scare-letters from their ISP, or put them in danger of dealing with some sort of litigation.
I suggested a few alternatives, but since they didn’t know which neighbor, in particular, might be “Juli,” a neighborly over-the-fence “we’d like to share, but you shouldn’t do stuff we’d have to answer for” chat was out. We could have blacklisted “Juli’s” MAC address from the WAP, but dad doesn’t want to be a network admin on the prowl for abuse from other neighbors, and I didn’t think he’d be interested in reading a good nmap tutorial.
So at my suggestion, dad opted for the simple route: We put a password on the WAP, then we set up WPA with a password that I wouldn’t use for a bank account but would trust to stop a casual connection attempt. Then we clicked “update,” let the router cycle, pulled up the DHCP client list, and verified that “Juli” and “Chris” were gone. I bookmarked a few pages in the router’s interface for my dad so he could check in easily in case their unwanted guests somehow fell into the “determined attacker” category.
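The "check in on the DHCP client list" step above can be done as a script instead of by eye. This is an added example, not part of the original post: the table text, column layout, MAC addresses and device names are constructed, and it assumes the router's client list has been copied out as plain text.

```python
import re

# Constructed allowlist: MAC addresses the household has confirmed as its own.
KNOWN_DEVICES = {
    "02:00:00:00:00:01": "MacBook",
    "02:00:00:00:00:02": "iPod Touch",
    "02:00:00:00:00:03": "Dad's computer",
    "02:00:00:00:00:04": "Mom's computer",
}

# Constructed sample of a DHCP client table pasted from the router admin page.
# Columns: client host name, IP address, MAC address.
SAMPLE_TABLE = """\
MacBook            192.168.1.100  02:00:00:00:00:01
iPod-Touch         192.168.1.101  02-00-00-00-00-02
Dads-PC            192.168.1.102  02:00:00:00:00:03
Moms-PC            192.168.1.103  02:00:00:00:00:04
Juli's Computer    192.168.1.104  02:00:00:00:00:05
Chris's Computer   192.168.1.105  02:00:00:00:00:06
"""

ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\s*$"
)

def normalize_mac(mac):
    """Lower-case and use ':' so 02-00-.. and 02:00:.. compare equal."""
    return mac.lower().replace("-", ":")

def parse_clients(table):
    """Return one dict per well-formed row; anything else is skipped."""
    clients = []
    for line in table.splitlines():
        m = ROW.match(line)
        if m:
            clients.append({"name": m["name"].strip(), "ip": m["ip"],
                            "mac": normalize_mac(m["mac"])})
    return clients

def unknown_clients(table, known=KNOWN_DEVICES):
    """Match on MAC only: the host name is whatever the client chose to send."""
    known_macs = {normalize_mac(m) for m in known}
    return [c for c in parse_clients(table) if c["mac"] not in known_macs]

if __name__ == "__main__":
    for c in unknown_clients(SAMPLE_TABLE):
        print(f"UNKNOWN  {c['mac']}  {c['ip']}  {c['name']}")
```

A client can change its MAC address as easily as its host name, so an empty result only rules out casual guests; the WPA passphrase is what actually keeps them off.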
Mom thought it was funny to sit on the front porch and loudly say “Hey, Juli!” when someone she didn’t know by name walked out of a nearby house. I suggested that making whoever “Juli” was have to wait around for a few weeks while the local ISP got around to sending out an installer, then having to pay for her own bandwidth, was punishment enough, and that we didn’t really know what “Juli’s” skillset might be.
The Moral of the Story
There is no moral, but I guess I have some takeaways:
Why on Earth, in 2008, is it possible to install a wireless access point and NOT have reasonably secure default behavior? My guess: Support calls cost money Linksys et al don’t want to pay. So they waste their time with “security buttons” and other penny-a-unit crap they fervently hope nobody will use, so they won’t have to lose a more costly five or ten minutes of call center time when passwords are forgotten.
None of this stuff is obvious to the people who need to understand it. Kicking “Juli” off the network and setting up WPA and a more secure administrator’s password took less than a minute, but each step involved a lot more exposition. AES vs. WPA-PSK/TKIP? There wasn’t even a default choice, and some of the options wouldn’t work, depending on the security protocol one chose, but were not grayed out or otherwise made unselectable by the admin tool in the WAP.
I hope “Juli” has the good sense to keep her head down if she walks by while mom’s on the porch swing calling her name out to random strangers. Dad was more amused by the whole thing than anything, and took adequate satisfaction in knowing he was more secure. Mom, however, cherishes her online Bridge games, and continues to resent the time she lost to Juli’s bandwidth hogging.
Posted by mhall at 3:50 PM