Caught myself an internet service leech!

[Gewehr98]

For the last couple of weeks, my home network had been really slow, both in file access between machines and while online.  My two stepsons complained that their World of Warcraft online game was laggy at best, and I was having a slow time of just browsing websites like TFL or CNN.  

Last night, I decided I'd do some troubleshooting, so I had my youngest stepson turn his computer off. He volunteered because he was complaining the loudest about lag. His computer is the only one, besides my laptop, that uses the 802.11b wireless connection to the rest of the network, by means of a Wireless Access Point in my office/lab.  Everything else is wired 100-BaseT. When he yelled from across the house that his machine was indeed off, I watched the Wireless Access Point.  It was flashing activity continuously, as if my stepson were playing his online game or downloading a file from the Web.  

I knew my laptop was turned off, so what's sucking through the wireless system?  I clicked on My Network Places, and then Entire Network.  Voila'!  In addition to my normal home Workgroup, there was an additional network workgroup name there, installed nice and pretty.  Clicking on it gave the computer's name and a partial description, and it wasn't a computer I'd set up in my house. Going to the internal webpage of my Linksys router and displaying clients confirmed we had an imposter. Son of a Biscuit, I had a leech!

Now, our houses are pretty far apart in my neighborhood, and the military house to the west of me is vacant.  The unit to the east is a good friend of mine, with his own cable modem.  That left the houses to the north and south of me.  The houses to the north of me are mostly vacant, save for one guy.  He's a single Air Force meteorologist who is on leave away from the local area until after the holidays, so I really didn't think it was him. Now, behind my house to the south, we have neighbors who are, shall we say, visited by the Satellite Beach police department on a fairly regular basis.  They also have their house lit by candles on occasion, because their power gets cut off by FPL for non-payment.  My guess is that it was them, and I'll do a little snooping to see if the personal name on the computer I found leeching is in some way connected to the occupants of that rental unit.

Now, it was my fault that we had a leech.  A couple weeks ago, my wife brought a friend's laptop home to me to install an 802.11g wireless card, and I disabled WEP on my network to get that laptop working without having to type in my personal encryption key.  Like a dummy, once I got that laptop working on the Web just fine, I forgot to re-enable WEP.  I left the door wide open to my network.

So last night, while my erstwhile neighbor was sucking bandwidth through my Wireless Access Point, I logged into the WAP's internal website, selected 128-bit Wireless Encryption Protocol, and created a new encryption key.  I hit the "accept" icon, and watched as the WAP's activity light went from solid green to dark, that quickly.  ahole, I fixed your little red wagon right quick, didn't I? Tonight, everybody in the house was tickled pink how quickly their computers accessed the Web, sent and received email, transferred files, printed documents, and did the multiplayer thing sans lag.  

Later this weekend, I'm going to run a couple WiFi utilities on my laptop, and walk around the perimeter of my backyard, looking for signal strength and the same computer name I just disconnected from my WiFi network.  Maybe I can upload a virus or worm onto that machine if I find it.  Other than that, I doubt there's anything in the legal or law enforcement world I can do.

But I learned an important lesson - if you have WiFi, use encryption.  Period.

[Harold Tuttle]

i wonder if you could snoop his MAC address and set up a redirect for every page request to a preset url

you should be able to see where he was going to via your connection

with that kind of bandwidth suction, i would suspect .torrent downloads of movies

[Sindawe]

You did change the WiFi network's name did you not?  Change the Admin name and make the password complex?  Turn off broadcasting the SSID from your AP?  Set up a MAC exclusion list to permit ONLY the MACs you specify to use the connection?  Routinely examine the AP/router logs to see what traffic is moving?

http://www.jiwire.com/wi-fi-security-home-networks-1.htm

Remember.  Paranoia is not a mental illness.  It is a survival trait.

[mtnbkr]

Actually, if you can get their MAC addresses, take it to the police with documentation of what was going on.  Claim theft of services and press charges.  I believe it is illegal to use someone else's WiFi connection for the purpose of accessing the Internet without their permission.  If your access point keeps a decent log, you can show them connecting.  That, plus their MAC address(es) should be enough proof.

Chris

[cfabe]

I really doubt the local police are going to care much one way or the other about your home computer network and who is using it. Keeping a log of this might be a good idea just incase your leecher was using your access for some sort of illegal activity which would then be traced back to you.

And as mentioned, regardless of your opinions of said neighbor, it could easily be accidential. I had my neighbor's kids laptop on my network a few times when I had left it open. I'm sure she wasn't intentionally stealing my access, probably just clicked 'connect' to whatever network windows found her.

[garrettwc]

Gewehr you should check your logs and try to find out what websites he was going to. If he was engaged in some less than legal activity over the web and they back trace it, the trace will lead right back to your IP address.

[charby]

Salt works well on leeches or you can use them for walleye bait.

[Preacherman]

See if you can't re-admit him to your network and trace where he's going and what he's doing.  If the characters in that house are indeed of the unsavory variety, you could have them removed from your neighborhood for a long time, if they're up to no good...

[roo_ster]

I can see three open WANs from my house.

Of course, I use WEP, do not broadcast SSID, and have changed the admin password.

[Guest]

To my thinking, if you are broadcasting an open connection then you have no real right to recourse. Your AP is broadcasting the connection, the burdon is on you to secure it. *many* network adapters will automatically connect to any open networks, this is because some companies and even municipalities put out freely accessable networks for the public. For the record, the default microsoft windows network software does this.

[Guest]

Now wait one second here.

Let's say you have an apple tree in your back yard.  One year it puts out a monster of a crop, so you take a big basket, fill it up, put a sign on it saying "free apples" and stick it in your front yard next to the curb.

If somebody takes one, are they stealing?

This is *exactly* what you did.  Your system was electronically broadcasting "free internet!" to your whole neigborhood.  That's how WiFi works, the system broadcasts it's availability.  Don't like it, don't use WiFi or at least throw a password on it.

IF they had to crack a password to get in, that's another thing entirely, a felony on their part.

The fact is, any number of people, groups and even government entities are deliberately serving free internet to various areas for various reasons.  It is NOT up to the user to figure out the motivations or to decide when use of a free internet connection is going to be percieved as "stealing".

In short, you have no right to complain, no legal recourse...UNLESS they were doing something illegal on your net like kiddie porn or piracy or whatever.

Unless you're prepared to go prove that, I suggest you NOT contemplate the various felonies you just discussed in "retaliation" (deliberate uploading of a virus, worm, etc.).

The only potential criminal activity you've described here is your own.

[mtnbkr]

Nonsense.  Open wifi, however unwise, is not an invitation to tresspass any more than an unlocked or even open door is an invitation to enter a house.  

Start the paper trail now in case they did use your connection for illegal activities.  Having an official complaint on file will support your case that you did nothing wrong and attempted to take action.

Chris

[Vodka7]

I agree with mtnbkr, Sindawe, and Blackburn.  It's your fault, settle down, secure the network, and report it with the knowledge that it will never go anywhere but at least you'll have documentation that someone was using your network without your knowledge.

It's a bad analogy, but if someone stole your car I'd feel bad for you.  I'd feel a lot less bad if someone stole your car because you left it running with the keys in the ignition.  Despite what the law says, common sense says you should take a few steps to protect your valuables (not something I thought would ever need to be pointed out on this forum.)

[Chris]

And this is exactly why I am opposed to WiFi in our home and for secure purposes.  Sufing the net is one thing.  Secured business should be hard wired.  My .02.

[Guest]

Nonsense.  Open wifi, however unwise, is not an invitation to tresspass any more than an unlocked or even open door is an invitation to enter a house.

False analogy. There was no trespassing. In fact the access point was broadcasting its signal into the home of whoever it was that used it.

[BryanP]

You were broadcasting open WiFi with no password protection.   You've got nothing to complain about.  You've turned on encryption and set a password.  If he uses readily-available tools to break the (laughably vulnerable) WEP encryption and *then* gets on your network again, you've got a legitimate reason to be upset.

[mtnbkr]

And this is exactly why I am opposed to WiFi in our home and for secure purposes.  Sufing the net is one thing.  Secured business should be hard wired.  My .02.

You can secure wifi to the point that all but the most talented and determined hackers can get in (those folks won't need wireless to get in though).  Put an IPSEC VPN encryptor between the wifi device and your network.  Sure, they might connect to the wifi (if they can bypass that device's security), but they still have to authenticate to the VPN encryptor.  That's a bit tougher than sniffing someone's WEP settings.   Of course, every system that needs to access your network via wifi will need a VPN client of it's own, but it'll work fine.  Even better, VPN vendors are developing their clients to be more compatible with wifi, including features such as IP mobility, which maintains your "tunnel" when moving from one wifi access point to another.

There was no trespassing.

They were sending packets across a hostile network without the owner's permission.  

Personally, I wouldn't be bothered by most rogue users, but these folks were using the system pretty heavily, heavy enough to be noticed by the owners.  I would take action simply as a CYA measure in case they were doing something naughtier than checking their email.

Chris

[Phyphor]

Nonsense.  Open wifi, however unwise, is not an invitation to tresspass any more than an unlocked or even open door is an invitation to enter a house.  

Start the paper trail now in case they did use your connection for illegal activities.  Having an official complaint on file will support your case that you did nothing wrong and attempted to take action.

Chris

Um, it's not tresspassing, unless they actually took steps to hack his wireless router.  However, since he admitted to turning off WEP, he basically had an open 'free' hotspot.  It's not up to everyone else to determine whether that hotspot is supposed to be freely availible, it's up to him to secure it.

Now, I'd understand him being pissed if, say, they'da come in his house and plugged a cat-5 into his router, but using unencrypted signals? He's actually pretty fortunate that they didn't do something like plant viruses / trojans / skim his machines for whatever info they could.  

(This is another reason why I only run wired networks, it may be a PITA to run Cat5 all over the house, but at least I know for sure nobody's gonna leech my connect, and they sure as hell aren't gonna screw up my machines)

[Phyphor]

You were broadcasting open WiFi with no password protection.   You've got nothing to complain about.  You've turned on encryption and set a password.  If he uses readily-available tools to break the (laughably vulnerable) WEP encryption and *then* gets on your network again, you've got a legitimate reason to be upset.

Oh, most certainly.  He should definitely keep logging enabled.  (And does the router he uses keep track of MAC addresses? If so, he needs to get that MAC and save it somewhere where it won't get lost, ) If they do in fact hack his router, he DOES have a computer tresspass case, and should certainly nail them to the wall.

Using a widespread, unencrypted, unprotected connection is one thing.  Actually breaking into one is quite another.

[MillCreek]

I have a wireless network that I set up at home, with the default name changed, WEP enabled and MAC address limitations also with the software firewalls.  At any given time, I can see four to five other local wireless networks run by my neighbors, and only mine and one other person has any security on them.  Not to mention with the Verizon DSL service at 768 kbps that we all have not making the most attractive leeching option, I suppose.  Verizon is supposed to start installing a fiber optic high speed network next summer in our area, with 5 Mb/second download speeds.

Amazing to me that my neighbors have no concept of network security.

[pauli]

Later this weekend, I'm going to run a couple WiFi utilities on my laptop, and walk around the perimeter of my backyard, looking for signal strength and the same computer name I just disconnected from my WiFi network.  Maybe I can upload a virus or worm onto that machine if I find it.  Other than that, I doubt there's anything in the legal or law enforcement world I can do.

your post was great till you got here.

you've secured the network. now let the matter rest.

[Gewehr98]

Boy, some folks are wrapped around the axle much more than I was.   I know I accidentally left WEP turned off.  I admitted that, and fixed the problem, assuming they can't crack the 128-bit WEP encryption.  For my own curiosity, however, I want to know which of my neighbors was tapped into my network.  The virus or worm upload is a bitter response, I understand that, and probably wouldn't have done it.    

But I also know nobody "accidentally" installs their workgroup on my home network, and then starts sucking so much bandwidth that I had a hard time working through my cable modem.  This wasn't somebody simply checking emails every now and then.  This was somebody pulling serious downloads, like torrent mpegs, Limewire, WinMX, and the like.  They helped themselves to two weeks of free internet through my network, and they made serious use of the connection until I nipped it in the bud.  The wireless access point lit up the room, the activity light was going continuously.  

Did I expect neighbors to tap into my 802.11B WiFi cloud?  No.  Reception inside my cinder-block home is spotty enough, and that's with the wireless access point in my office just a few feet from the intended recipient, who had to use a high-gain antenna just to get signal inside the house.  As I tried with my own laptop, reception outside was for the most part absolutely horrible by the time I'd gotten to the back fence separating the two properties, and their house is another 100 feet or so from that fence.  That means they probably have an aftermarket antenna, perhaps one of the Hawking or other high-decibel gain versions, aimed at my office window in the cinder block south wall.  Accidental, my posterior.

[Nathaniel Firethorn]

So last night, while my erstwhile neighbor was sucking bandwidth through my Wireless Access Point, I logged into the WAP's internal website, selected 128-bit Wireless Encryption Protocol, and created a new encryption key.  I hit the "accept" icon, and watched as the WAP's activity light went from solid green to dark, that quickly.

I sent back a Belkin access point because it only spoke WEP. We wanted at least WPA-PSK.

I haven't got the SSID turned off. I think I'll leave it that way in case Mrs. Firethorn wants to connect a stray box while I'm not around.

- NF

[mtnbkr]

Something else that can help security a bit is to use a subnet mask that restricts your LAN address space to just the bare minimum you need.  Better yet, turn off DHCP and statically assign your addresses (still use a small subnet).  DHCP is nice in a large network that changes frequently, but overkill in small, static networks.  It won't keep them from connecting to your access point, but it'll keep them from using your network.

I would be tempted to set up a firewall between the access point and your network and maybe even put a honeypot in the network between the firewall and access point for shits and giggles.  Just make sure you set the firewall to block the honeypot in case it gets compromised.  IIRC, there's a way to send logging info directly to a printer so it's printed immediately (and old dot matrix printer and a box of that linked paper would be ideal for this).

Actually, that could be fun and educational at the same time if you have some 'haxor' wannabes in your area.

Chris

[Gewehr98]

I actually considered that firewall/honeypot idea.  I'm working on moving my website, blog, and file server (with all the nice Gewehr98 rifle pics) home to a cute little 3Com web server, and use Dynamic DNS to redirect the URL to this machine.  I could unmask a honeypot and watch my leech neighbor pull the files down, maybe the entire Doom3 demo file, etc.  Could be fun, but I'd rather keep unwanted individuals off my network, period.  

WEP has worked fine so far, but I will probably implement all the extra precautions Sindawe listed.

Good to see Jim March again, even if he's berating me.  How ya doin', Jim?  Hopefully, your software savvy is keeping Diebold at bay.