Wifi hotspots

I’ve had this question on my mind for a long time, but have always forgotten when I’ve talked to techies and other know-hows.

Essentially, everything we do on our home computers is very easy to trace and illegal activities can be monitored by the proper authorities (unless of course you can cover your tracks).

But what about hotspots? You don’t have an IP number that can be traced to you in any way. I suppose if you’ve used your laptop at home, and that would certainly leave a digital footprint that could be used to compare with your hotspot surfing on your computer. But is that how it works?
Otherwise computer crime would be unstoppable because of the anonymity of hotspots.

Public hotspots are a pretty major hole. Say you connect to a free, wide-open hotspot. All the network knows about you is your MAC address and the IP address it gave you. The MAC address can tie you to a hardware vendor but that's about it. Technically, it's a layer 2 routing address so isn't generally transmitted past the gateway, so it wouldn't be known to the system being attacked.

Given that the IP leases will change quite often (through DHCP as well as the fact that users are transient) it’s pretty hard to track users down.

However, there are methods that can be used. I don’t think I’m violating any board rules here in discussing this as a) this is used to catch criminals and b) it’s by no means a how-to on avoiding detection.

First, your browser helpfully sends out some useful information about your machine. If you detect a break-in, often you can combine the web server logs to get an idea if the multiple different addresses found in your logs match the same browser (obviously, this works better for esoteric machine configurations, and only if the hole is via the HTTP service).

Secondly, it’s often possible to tie an IP address (from your intrusion detection logs say) to a particular hot-spot, and even a geographic area. If you find a pattern here, it focuses your investigation.

Thirdly, in my experience if somebody is breaking and entering they often come back. It's not always convenient to sit outside a Starbucks to piggy-back off their WiFi. You only need the perp to connect from home, or their own ISP, once and then you've suddenly got much closer to finding them.

As an interesting aside, Microsoft used to embed in their Office documents a GUID based on pseudo-random values. A GUID - Globally Unique IDentifier - is used to provide a unique handle to a file or object, irrespective of the name or when it was created. What they didn’t mention (for a very long time) is that one of the values used in the GUID was the MAC address of the network card of that computer - if present. I have in the past traced “improper” documents back to a user and a machine by identifying the GUID and matching the MAC.

There are some other methods but I think discussing them is getting a bit closer to a how-to-avoid-detection.

So, in essence, it does make things harder for the good-guys but the knowledge, techniques and technology for catching people has also increased.

On a similar topic, having read the wealth of “Ask an xxx” threads on the SDMB, I was tempted to offer myself up as the subject of “Ask an ex-hacker”. If there is any interest I’ll start a thread.
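An added illustration of the GUID point in the post above (example code written for this page, not the poster's own): a version-1 GUID packs a 60-bit timestamp and a 48-bit node field, which per RFC 4122 is normally the generating machine's MAC address. The sample MAC and timestamp are constructed; the multicast-bit check is the RFC's own signal that a node value was random rather than a real card.

```python
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 version-1 timestamps count 100 ns intervals from the Gregorian epoch.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def build_v1_guid(when, node, clock_seq=0):
    """Assemble a version-1 GUID from a UTC timestamp, a 48-bit node (MAC) and a clock sequence."""
    ticks = ((when - GREGORIAN_EPOCH) // timedelta(microseconds=1)) * 10
    time_low = ticks & 0xFFFFFFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi_version = ((ticks >> 48) & 0x0FFF) | 0x1000      # version nibble = 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80  # RFC 4122 variant bits
    clock_seq_low = clock_seq & 0xFF
    return str(uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                                 clock_seq_hi_variant, clock_seq_low, node)))

def inspect_guid(guid_str):
    """Return (mac, generated_at, node_is_random) for a version-1 GUID, or None otherwise."""
    u = uuid.UUID(guid_str)
    if u.version != 1:
        return None  # version 3/4/5 GUIDs carry no node field at all
    mac = ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    generated_at = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    # RFC 4122: a generator with no MAC uses a random node with the multicast bit set,
    # so such a GUID points at no real network card.
    node_is_random = bool((u.node >> 40) & 0x01)
    return mac, generated_at, node_is_random

# Constructed sample: a locally administered MAC and a fixed timestamp (not from any real document).
SAMPLE_MAC = 0x02005E10A2B3
SAMPLE_TIME = datetime(2008, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
SAMPLE_GUID = build_v1_guid(SAMPLE_TIME, SAMPLE_MAC, clock_seq=0x1234)

if __name__ == "__main__":
    print(SAMPLE_GUID, inspect_guid(SAMPLE_GUID))
```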

It is trivial to spoof a MAC address (give a false one) when connecting to a wireless access point, so that information will only be of use if the intruder is particularly careless.

Basically, if you have a completely open WAP then anyone in the neighborhood can hop on and do just about anything – send spam, traffic in child porn, grape posts by the grapist – with impunity. If the authorities trace the activity it will look like you did it. This is why it’s a rather good idea to lock down your wireless connection with WPA or WPAv2 at the very least.

[hijack]I've got my access point set up to only accept specific MAC addresses. Is this method more or less secure than encryption?

The Windows computer name of a client machine gets sent to the wireless router, right? Of course, that's even more trivially easy to change than the MAC address.

This is less secure than proper (WPA, WPA2) encryption but not a replacement by any means. It is trivial to sniff a wireless connection, find out the MAC addresses in use and then use one of those. If you do this during a quiet (for that network) period, then you won’t even get collisions.

Your best bet is to configure WPA/WPA2 encryption and then consider MAC locking if it makes you feel warm and comfy.

Oh, and does anybody know what the heck this thing does, exactly:
http://anchorfree.com/hotspot-shield/

It claims to encrypt the wireless traffic, but how does it get unencrypted? Does it route all the traffic through anchorfree.com servers and decrypt there? Or does it use some kind of public-key encryption that wireless routers all support already?

I can't think of any specific cases where this would happen. Because the router is software-independent and needs to work with Mac, Unix, embedded devices and Windows, it would be unnecessarily complicated to do this.

Basically, in a DHCP (Dynamic Host Configuration Protocol) network, it works as follows:

You turn on your computer.

It joins the wireless network by configuring the wifi card with the SSID (network name), encryption type and settings.

The radio in the wifi card tunes to the proper frequency and your computer sends out a DHCP discover packet. This packet says “Are there any DHCP servers who can give me an address”.

The wifi gateway answers with an IP address and settings for you (such as DNS server, gateway).

You start sending data.

This is slightly simplified. There is one interesting point here. Some configurations of windows, when offered a DNS server may try to register their IP address and computer name with the DNS server. In this case, it is possible that the DNS server would know the computer name but this record will expire automatically, and it does require some configuration. It’s not impossible though.
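The DHCP exchange above, and the earlier question about whether the computer name reaches the router, as an added example (written for this page, not the poster's code): it builds a DHCPDISCOVER in the RFC 2131 layout and parses it the way the gateway would, pulling out exactly what the hotspot learns: the hardware address (chaddr), the client identifier (option 61) and the host name (option 12) that many Windows clients include. The MAC and host name are constructed sample values.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"

def build_dhcp_discover(mac, hostname, xid=0x3903F326):
    """Constructed RFC 2131 DHCPDISCOVER for the example; not a real capture."""
    hdr = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, xid, 0, 0x8000, 0, 0, 0, 0)
    hdr += mac + b"\x00" * 10        # chaddr is a 16-byte field, MAC padded
    hdr += b"\x00" * 192             # sname (64) and file (128), unused
    opts = DHCP_MAGIC
    opts += bytes([53, 1, 1])        # option 53: message type DHCPDISCOVER
    opts += bytes([61, 7, 1]) + mac  # option 61: client identifier (type 1 + MAC)
    opts += bytes([12, len(hostname)]) + hostname.encode()  # option 12: host name
    return hdr + opts + bytes([255])

def parse_dhcp(packet):
    """Return the identifiers a DHCP server (here, the hotspot gateway) learns from one packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen]
    options, i = {}, 240
    while i < len(packet):
        tag = packet[i]
        if tag == 255:               # end option
            break
        if tag == 0:                 # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option %d" % tag)
        length = packet[i + 1]
        options[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "mac": ":".join("%02x" % b for b in chaddr),
        "msg_type": options[53][0] if 53 in options else None,
        "hostname": options.get(12, b"").decode("ascii", errors="replace"),
        "client_id": options.get(61, b"").hex(),
    }

if __name__ == "__main__":
    # Constructed MAC and computer name for the example.
    pkt = build_dhcp_discover(bytes.fromhex("0016eab1c2d3"), "DESKTOP-LAB")
    print(parse_dhcp(pkt))
```

A gateway that logs these fields alongside lease times is what makes the "tie an IP to a hotspot and a time window" investigation step possible.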

Having had a brief look it appears to be a VPN (Virtual Private Network) solution.

In all likelihood this runs like a normal VPN. You fire it up and your traffic is captured before it leaves your machine, is encrypted and then tunnelled to a server somewhere to be decrypted and released onto the 'net.

They claim it adds no noticeable latency, which would suggest to me that it doesn't route all the data to a single datacenter somewhere but perhaps dumps it to a server on the wired side of the hotspot you are using. This seems a bit strange as each site would need to invest in the software/hardware and there is no revenue stream as the product is free. Best guess is that it's just another VPN and they host the decryption servers.

Thanks for the info trmatthe!