Simson Garfinkel

A View from Simson Garfinkel

Another Open Wireless Network (mine) gets closed.


  • December 28, 2003

I had an interesting security incident on my home network today which will appeal to readers interested in security.

This morning I noticed that my DSL connection was running very slow. (It’s provided by Megapath and they’re normally very good.) A bit of sleuthing on my home server revealed that somebody was downloading all of the web pages. Some kind of robot called “Web Copy,” it seemed. This is the third time it’s happened this month, so I threw up a rule on the firewall to block their IP address, then I wrote a small program to prevent this from happening again. (Briefly, the program monitors a particular page on my web server — a page that nobody should ever access — and if the page is accessed, the web server automatically adds a rule to the firewall to block all access from that IP address. Simple and effective.)
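A sketch of the trap-page idea described above, as an added example that is not the author's program: it scans web-server access-log lines for a decoy URL and builds firewall block commands for the addresses that fetched it. The decoy path, the Common Log Format input, the iptables rule syntax and the never-block list are assumptions.

```python
import ipaddress
import re

TRAP_PATH = "/trap/do-not-fetch.html"   # hypothetical decoy URL nobody should request
NEVER_BLOCK = [ipaddress.ip_network("192.168.1.0/24"),  # assumed internal LAN
               ipaddress.ip_network("127.0.0.0/8")]     # never lock out localhost

# Common Log Format: client ident user [time] "METHOD target proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)[^"]*" \d{3} ')

def trap_hits(log_lines):
    """Return the unique client addresses that requested the trap page, in order."""
    seen, hits = set(), []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        client, target = m.groups()
        if target.split("?", 1)[0] != TRAP_PATH:   # ignore any query string
            continue
        try:
            addr = ipaddress.ip_address(client)    # rejects hostnames and junk fields
        except ValueError:
            continue
        if addr in seen or any(addr in net for net in NEVER_BLOCK):
            continue
        seen.add(addr)
        hits.append(addr)
    return hits

def block_commands(addrs):
    """Build argv lists for the firewall; the caller decides whether to run them."""
    return [["ip6tables" if a.version == 6 else "iptables",
             "-I", "INPUT", "-s", str(a), "-j", "DROP"] for a in addrs]

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Dec/2003:09:14:02 -0500] "GET /index.html HTTP/1.0" 200 5120',
    '203.0.113.7 - - [28/Dec/2003:09:14:03 -0500] "GET /trap/do-not-fetch.html HTTP/1.0" 200 310',
    '203.0.113.7 - - [28/Dec/2003:09:14:04 -0500] "GET /trap/do-not-fetch.html?x=1 HTTP/1.0" 200 310',
    '192.168.1.10 - - [28/Dec/2003:09:20:00 -0500] "GET /trap/do-not-fetch.html HTTP/1.0" 200 310',
    '198.51.100.23 - - [28/Dec/2003:09:21:10 -0500] "GET /about.html HTTP/1.0" 200 2048',
    '2001:db8::5 - - [28/Dec/2003:09:22:00 -0500] "HEAD /trap/do-not-fetch.html HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for argv in block_commands(trap_hits(SAMPLE_LOG)):
        print(" ".join(argv))
```

Passing the commands as argument lists, after the address has been parsed by `ipaddress`, keeps attacker-controlled log fields out of any shell.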

Strangely though, the network didn’t get any better. A bit more checking revealed that some computer on my internal network was scanning the Internet, looking for vulnerable computers, and then trying to break into them. Sounded like an unpatched Windows computer that was infected with one of those worms, but I don’t have any unpatched Windows machines. I scanned my internal network and discovered that a computer at the internal IP address of 192.168.1.220 was to blame. Now things were getting interesting.

Sitting down at my network patch panel, I started unplugging cables one by one, trying to figure out where 192.168.1.220 was coming from. Turns out it was coming from the Apple AirPort in my kitchen. One of my neighbors was using it!

(Normally this sort of thing would be hard to find out, because most people run their wireless access points as routers. This effectively hides all of the computers in the wireless cloud behind a single IP address that’s used by the wireless router itself. For just that reason, I run my wireless access points as bridges. This makes it easy for me to see all of the computers that are connected to them.)

Around this time I got an email from Megapath saying that a computer on my network was infected with the Nachi computer worm. I’m not quite sure how they found out — they claim that somebody complained about me. From the looks of my MRTG traffic tab (see below), it seemed that the computer must have been infected at around 2:15am. Anyway, Megapath told me that they would disconnect me unless I dealt with this immediately. Cost for reconnection: $100.



I did some port scans against the computer at 192.168.1.220 and discovered that it was running that Kazaa file trading program. Kazaa will helpfully give you the person’s registered Kazaa username, and the name looked suspicious — that is, it looked like the name of my neighbor’s grade school son.

Now everything was beginning to fall into place. I like to keep my wireless network open, so that people visiting me can use their handheld devices without having to ask me for the password. As it turns out, my generosity was turned against me: the neighbor’s son had been using my network connection for file trading (possibly because his father monitors their DSL connection?). In the process, he had gotten infected with a worm, eaten up my outbound bandwidth, and nearly cost me my DSL service!

I did what I had to do: I reconfigured my wireless access points to use encryption. It’s not the strongest encryption, but it should be good enough to keep the grade school kids at bay. Then I called up my neighbor and left a message on their answering machine.


All in all, an interesting story. But tracking down this guy was hard. Most people couldn’t do it. I’m increasingly concerned about the impact of open wireless connections in the hands of non-technical users.
