A couple weeks ago my DSL modem broke. No big deal, right? I contacted my landlord, who put in a request with the local Internet Service Provider to get me a new one. My request is still lost somewhere in the bureaucracy, so I’ve had to go hunting around my neighborhood to use the Internet. It’s been an incredible nuisance, but it’s also given me an opportunity to expand my knowledge of the cyber dark arts.
The more I learn about this stuff, the scarier the world is. Most people have no idea how vulnerable they are. I only know a little about networking and hacking, but I am seeing chinks in the armor everywhere I look. It’s a good thing I’m one of the good guys.
From my living room I can access three unsecured wireless access points. The owners of these hotspots probably don’t know how to set up their routers, and don’t realize that almost everything they do online is transmitted in cleartext. Even a mildly talented hacker can “sniff” this out of the air. Even worse, two of these routers are still in their default configuration. By typing in a specific IP address, anyone logged onto their network can access the router’s configuration pages, logs, etc. This information is supposed to be protected by a username and password, but these neighbors still have the default username/password. I knew one combo, because the router was the same brand as mine (and it was boldly advertised in the network’s SSID). I was able to look up the other username/password combo on Google in about five seconds. I accessed both router configuration pages just to see if I could.
Because I’m not really a hacker, I just logged back out. But if I wanted to, I could have wreaked all kinds of mischief on these users. I could have set up a WEP or WPA password, effectively locking the user out of his or her own network. I could have set up remote access, allowing myself an entrance from anywhere on the net. I could have accessed logs. I probably could have tinkered with DNS settings, and steered the clueless user to fake versions of real web pages and harvested personal information like usernames and passwords. And if I wanted to, I could read the e-mails and instant messages passing through these networks. And all of this is just from my living room.
I repeated this experiment at my local Starbucks. The modem there is also in its default configuration. A hacker there could do a lot of damage to a lot of people.
The flip side of this scary knowledge is my own vulnerability. Until recently, I never realized how exposed I was at a coffee shop, airport, or other public wifi access point. Now I know: almost everything I do on the Internet at a public wifi hotspot can be “sniffed.” All it takes is the right kind of wifi card and a free open source software program that you can download in about two minutes. I thought I would give this a try, so I downloaded the program and did some snooping–on myself. I let the program run in the background while I did my usual activities on the web like read blogs and e-mails. When I was done, I saved the “sniffed” data and began to parse it. It took some time to find my way around the raw data, but I eventually found and reconstructed the HTML for all the websites I visited. I could see all the web addresses and read all the blog posts.
My personal e-mail address is secure (any data passing through a web page beginning with https:// is encrypted), but I use Outlook and a special e-mail address to participate in a national security e-mail discussion group. I was alarmed to see that Outlook downloaded all these messages as cleartext. Even worse, Outlook passed my e-mail address AND PASSWORD cleartext to the mail server. Anyone who captured this would have indefinite access to my e-mail and to sensitive national security discussions. I’m a reasonably computer savvy guy, but it never occurred to me that Outlook would not be connecting securely to my email. Figuring out how to configure that is at the top of my todo list.
It gets worse. I mentioned that two of the three unsecured networks near my living room were unsecured. The third router had a different password, but that made me suspicious. If the user knew how to change his password, why was it unsecured? What was to stop a hacker from setting up an unsecured hotspot to lure in clueless surfers, then capturing their data? After tinkering around on the network for a while, I opened up my firewall and reviewed the log. Sure enough, another computer on the network was running port scans on my computer. In other words, a hacker was walking down a long hallway, trying each doorknob to see if anything was unlocked. He was looking for a way into my computer.
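The firewall-log review described above can be automated. The following is an added example, not part of the original post: it flags any source that probes several distinct ports within a short window. The log format, the addresses and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log, not from the original post. Assumed line format:
# <ISO time> BLOCK TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2024-01-01T10:00:00 BLOCK TCP 192.168.1.50:40001 -> 192.168.1.20:21
2024-01-01T10:00:01 BLOCK TCP 192.168.1.50:40002 -> 192.168.1.20:22
2024-01-01T10:00:01 BLOCK TCP 192.168.1.77:51000 -> 192.168.1.20:445
2024-01-01T10:00:02 BLOCK TCP 192.168.1.50:40003 -> 192.168.1.20:23
2024-01-01T10:00:03 BLOCK TCP 192.168.1.50:40004 -> 192.168.1.20:25
2024-01-01T10:00:05 BLOCK TCP 192.168.1.50:40006 -> 192.168.1.20:110
firewall service restarted
2024-01-01T10:05:00 BLOCK TCP 192.168.1.88:60000 -> 192.168.1.20:135
2024-01-01T10:25:00 BLOCK TCP 192.168.1.88:60001 -> 192.168.1.20:139
2024-01-01T10:45:00 BLOCK TCP 192.168.1.88:60002 -> 192.168.1.20:445
"""

def parse_line(line):
    """Return (time, src_ip, dst_port) for a BLOCK line, else None."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "BLOCK" or parts[4] != "->":
        return None
    try:
        return (datetime.fromisoformat(parts[0]),
                parts[3].rsplit(":", 1)[0],
                int(parts[5].rsplit(":", 1)[1]))
    except (ValueError, IndexError):
        return None  # malformed timestamp or port: skip the line

def find_port_scanners(log_text, min_ports=5, window=timedelta(seconds=10)):
    """Map src_ip -> ports for sources hitting min_ports distinct ports in one window."""
    hits_by_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            hits_by_src[parsed[1]].append((parsed[0], parsed[2]))
    scanners = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        start, best = 0, set()
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            best = max(best, ports, key=len)
        if len(best) >= min_ports:
            scanners[src] = sorted(best)
    return scanners
```

Repeated hits on one port (192.168.1.77) and a few ports spread over 40 minutes (192.168.1.88) stay below the threshold; widening `window` trades missed slow scans against more false positives.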
I’ll never use an unsecured hotspot the same way. Anyone with a home network should use WEP or WPA to secure the hotspot with a password. Of course, WEP has its own problems–using another free software tool, any marginally talented hacker can crack a WEP password in about five minutes. That will be my next challenge when I have the time: trying to break into my own network.