|
 |
|
Unauthorized Network access becomes a felony
Oracle Tips by Burleson Consulting
|
Bad News for wi-fi owners and users
With the epidemic of unsecured wireless
networks being used as platforms for illegal attacks, and we see
that lawyers and victims are fighting back. In many cases, the
crooks simply set-up a portable wi-fi Starbucks and wait for the
suckers to connect. They plant password sniffers and sit-back while
the PC e-mails ssh passwords to them.
- Unauthorized access to a computer network becomes a
felony – Even casual access to an unsecured wireless network
in a hotel can destroy your career. You can be arrested
on-the-spot, even if you have no criminal intent (other than
stealing their bandwidth, of course). In Canada, it’s called
Theft of Telecommunications.
- Sue the hapless wi-fi homeowner - Hacking victims now
have a cause-of-action against the owners of wireless networks
that have been used as access points to commit crimes. If you
manage a computer network, (even if it’s ole Aunt Sara’s) the
wi-fi cannot serve as an open-relay for bad guys. It’s called
“negligence”.
The Polestar of the Paranoid – Maybe they are out to
get you
On one
occasion I had a server breech where a fellow from a China IP
address tunneled right-in via ssh to a confidential server. After
an exhaustive investigation it was discovered that the perp had
used a wi-fi at a hotel to entice suckers into connecting and them
planted a password sniffer that mailed he unencrypted passwords
overseas. In response, many States are expanding existing laws that
were made to curtail cable TV theft (Hence the “unauthorized access”
component), as noted in this
Tennessee law:
It is an offense for any person,
knowingly and with the intent to defraud a communication service
provider of any lawful compensation for providing a
communication service, to:
(1) Possess, use, make, develop,
assemble, sell, distribute, possess with intent to distribute,
lease, license, transfer, import into this state or offer,
promote or advertise any unlawful communication device for the
unauthorized acquisition or theft of any communication service
or to receive, intercept, disrupt, transmit, re-transmit,
decrypt, acquire or facilitate the receipt, interception,
disruption, transmission, re-transmission, decryption or
acquisition of any communication service without the express
consent or express authorization of the communication service
provider as stated in a contract or otherwise, or as otherwise
expressly authorized by law . . .
The Accidental Felon
The threat of arrest aside, I would not want to
be one of those goofs whose defense is that they did not know that
connecting to an unsecured network was not a serious crime? Hey,
why accidentally commit a felony? Ignorance of the law is no
excuse, and it makes you look stupid, too. . . .
We are now seeing a backlash against those who
tap-into unsecured wireless networks for evil purposes, and local
police are now arresting those who tap-into unsecured wireless
networks. As we see, even the benign use of a wireless network is a
felony. Not getting permission is called "unauthorized
access to a computer network, a third-degree felony.”
http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_br.shtml
“Police say
Benjamin Smith III, 41, used his Acer brand laptop to hack into
Dinon's wireless Internet network. The April 20 arrest is considered
the first of its kind in Tampa Bay and among only a few so far
nationwide.”
The article notes that, according to experts,
wireless networks are often used as a launching pad for criminal
acts:
“People have used
the cloak of wireless to traffic in child pornography, steal credit
card information and send death threats, according to authorities.”
In more-and-more cases, police have been able
to detect and prosecute wi-fi criminals:
“Last year, a
Michigan man was convicted of using an unsecured Wi-Fi network at a
Lowe's home improvement store to steal credit card numbers. The
20-year-old and a friend stumbled across the network while cruising
around in a car in search of wireless Internet connections - a
practice known as "Wardriving."
The article also notes that tapping into an
unsecured wireless network is a felony in Florida:
“In a way Dinon
was fortunate the man outside his home stuck around since it remains
a challenge to catch people in the act. Smith, who police said
admitted to using Dinon's Wi-Fi, has been charged with unauthorized
access to a computer network, a third-degree felony.”
Evil-twins and honey pots
I learned about how hackers work by planting
“honey pots”, internet-enabled computers with loose security. I
kick-back, look-over the crooks shoulder and observe their
behavior. In one case, a hacker from China upgraded my version of
Linux! The wi-fi equivalent of a honey pot is the “evil twin”
attack.
“A more recent
threat to emerge is the "evil twin" attack. A person with a
wireless-equipped laptop can show up at, say, a coffee shop or
airport and overpower the local Wi-Fi hotspot. The person then
eavesdrops on unsuspecting computer users who connect to the bogus
network.
At a technology
conference in London this spring, hackers set up evil twins that
infected other computers with viruses, some that gather information
on the user, the Wall Street Journal reported.”
Going after negligent wi-fi
administrators
This year I’ve been talking to the
FBI Cybercrine agents and federal attorneys on a foreign “John
Doe” subpoena, and we are hearing that even if the attacker used an
unsecured wireless network (or an “open relay” by a negligent ISP),
the victims can still collect damages from the hapless owners of the
unsecured wireless network. That makes sense. Most homeowners
policies have a “gross negligence” clause, and enabling criminals
sure sounds negligent to me.
BTW, this is also true in cases where the
network is protected by inadequate security such as “WEP”, which can
quickly be bypassed by free web programs. WEP is an acronym for
“Wired Equivalent Privacy”, and it can easily be bypassed, according
to the link above:
“Not all encryption is rock solid,
either. One of the most common methods called WEP, or Wired
Equivalent Privacy, is better than nothing but still can be
cracked using a program available on the Web.
"Anybody with an Internet connection and
an hour online can learn how to break that," said Guerin, the
Dunedin network administrator. Two years ago when the city of
Dunedin first considered Wi-Fi, Guerin squashed the idea because
of WEP's inadequacy.”
OK, are you paranoid yet?
This should serve as a sobering note for
unsecured wi-fi owners. If someone taps-into your unsecured
wireless network to commit an attack, YOU are responsible for the
damages, under the "gross negligence" doctrine. This is what
happens when they make wi-fi too easy, and granny unwittingly
becomes a “network administrator” when the lawyers sue her for
providing a portal for a hacker.
In most cases, your homeowner’s policy will
cover damages up to $250,000, but a major attack could cause you to
loose everything, including your house and life-savings. For me,
it’s not worth the risk. Protect your wireless network with “real”
security, and don’t just hop onto any unsecured wireless that your
computer detects.
BTW, there are other unique
Wi-fi intrusion detection tools that offer “practical mind
protection for paranoids”, across the globe, like this one for only
$12.95.
|
