Shocking Attacks Through Wireless LAN

   One of the most shocking attacks using a wireless network has finally come to an end, with the perpetrator being sentenced last Tuesday (Jul 12 2011).  Was it a corporate wireless network attack that had company secrets stolen?  Was it a breach that allowed attackers to steal credit card information from customers and use it, like the famous TJX heist (see Jun 24 2009 and Feb 8 2010 blog postings)?  No, it was none of these.  Instead, it was one neighbor attacking another neighbor.

   In 2009 a couple moved into a new house in Minnesota.  The next day their four-year old son wandered into "Barry's" yard, a neighbor.  When Barry returned the child to his house he gave the boy a kiss on the lips.  This shocked and frightened the couple, so they filed a police report.  Barry then decided to take revenge.

   Barry downloaded wireless attack software as well as purchased books on cracking wireless networks and soon cracked the couple's wireless Wired Equivalent Privacy (WEP) {Chapter 6 Security+ 3ed}.  WEP is notoriously weak and can easily be broken.  Barry then acted like a "depraved criminal", according to the prosecutors, and started a "calculated campaign to terrorize his neighbors, doing whatever he could to destroy the careers and professional reputations of [the couple], to damage [their] marriage, and to generally wreak havoc on their lives.” 

  Using the couple's wireless LAN that he broke into, Barry created a fictitious MySpace page with the husband's name on it and posted a picture of child pornography.  He also posted a brash note that pretended to be from the husband stating he was a lawyer and could get away "doing anything".  Barry e-mailed the same pornography to the husband's co-workers and sent flirtatious e-mail to women in the husband's office.  Barry even sent threatening e-mails to the Vice President of the U.S. from the husband's Yahoo account saying he was a terrorist would kill the VP (this prompted a visit from the Secret Service).  And there were many other similar attacks on the couple and their relatives.

   The law office where the husband worked hired a forensics investigator who, with permission, installed a protocol analyzer {Chapter 4 Security+ 3ed} to "sniff" the wireless home traffic.  In the data surrounding the threatening VP e-mail was Barry's name and account information.  The FBI searched Barry's house, found the evidence (along with other evidence that he had done the same to a previous neighbor), and arrested Barry.  He was offered a 2-year sentence but turned it down.  So, the prosecutors piled on more charges.  He finally pled guilty.  Last week Barry was sentenced to a whopping 18 years in prison and even had to forfeit his house (he has two small children).  Barry now says he's innocent, that his attorney coerced him into pleading guilty, that he was sharing a jail cell with a double-murderer who was "terrorizing" him (guess he knows about terrorizing people, eh?), and that the couple had actually framed him by infecting his computer with fictitious evidence.  The judge isn't buying it.

   If you've ever thought that securing your wireless LAN is not important, then just read this again!  

   What should you do to protect yourself?  Don't use WEP but WPA2 instead (if your wireless router is old and does not support WPA2 then throw it away and buy a new one).  Use a key value that is no fewer than 30 characters of gobbilty-gook.  Change the password on your wireless router from the default password.  Disable wireless Web access so the device cannot be accessed remotely but can only be accessed by a computer with a patch cable connected to it.  Disable Remote Management so an attacker cannot access the settings via the Internet.  Limit users by MAC address.  Turn on VLAN so that there is a separate wireless network for guests. Limit the number of concurrent users through DHCP leases.  Change your SSID to something that does not identify you.

   Stay secure!  

http://www.cengage.com/infosec

  • Great post.    If my neighbors are out of wireless range, do I have anything to worry about (other than if they sneak into my yard).

  • Are you absolutely sure they can't pick up your RF signal?  With the new 802.11n devices the signal can travel farther then older 802.11a/b/g devices.  And RF signals can do crazy things sometimes.  Spend the 15 minutes locking down your wireless router and you won't have to worry!