We Don’t Have Anything Anyone Else Would Want

When I first mention information security to a client, particularly a small business, non-profit, or educational institution, I frequently get a response like this:

  • “Nobody is interested in our network.”
  • “We don’t have anything that anyone would want.”
  • “Our systems aren’t that important.”
  • “No one would steal my account/password/login.”
  • “Why would someone want to hack our computers?”

Recently, two things came to light that made me seriously question this attitude.

Tipped off by the Data Security Podcast, I read an interesting story about Ashton Lundeby, a sixteen-year-old who is accused of making bomb threats via the Internet. He was subject to a raid by FBI agents, sanctioned by the USA PATRIOT Act, who stormed his house, seizing his computer and other personal property.

I am not going to go into the political issue of due process and the constitutionality of the USA PATRIOT Act, because I am not a lawyer and, frankly, I don’t know what can be done about this. However, there is another issue here which you can do something about. Lundeby’s mother claims that the boy was the victim of a “proxy attack.” In other words, he did not conduct any sort of attack, but someone else hijacked his network and did so. If this is the case, then it is quite likely that his home computer and/or network were hijacked by a malicious hacker, who then conducted his attack (in this case, bomb scares) from the boy’s network.

My guess would be that his computer either was infected with some sort of malware (virus, spyware, trojan, or similar) or that his family’s wireless network was open, allowing anyone to connect and use it for their own purposes.

To help make my point, here’s an extreme analogy: Imagine that a bunch of criminals set up shop in your basement, and used it as a base of operations for their illegal activities, but because you never noticed (hard to imagine, but just pretend you have a really big house and don’t go to the basement much), this was allowed to go on for a long time. Imagine that the only hint that anything was wrong was that your utility bill was a bit higher (or, for the sake of comparison, your Internet usage was higher, or speeds were slower). Then suddenly the FBI knocks on your door one day and says, “Hi. You’ve been harboring criminals in your basement. Please come with us.” This is essentially the same thing that Lundeby’s mother is claiming happened to him.

Also this week, I was at a client’s house, helping them set up their new satellite Internet connection. For years, they have had an open, unencrypted wireless system. Also for years, they have complained that their Internet connection is slow. This is no surprise, as satellite Internet is notoriously slow – the slowest of the “broadband” options that I’ve ever had to endure (and believe me, I endured it for years). However, this was really, really slow. Having had prior experience with their new provider, HughesNet, I had seen this before, when a brand new installation was super slow. I called HughesNet and they confirmed my suspicion – my client had “exceeded their fair access limit” by downloading too much stuff.

My client was bewildered, and claimed that this was impossible, as Hughes said that they had downloaded over 1GB of files between the hours of 3-6am, when no computers were even on! To give you an idea, 1GB of files is like downloading 20 different albums (not songs) from iTunes, several Windows service packs, or thousands of books in electronic format.

I immediately suspected that someone was leeching off their open wireless connection. Despite my client’s assurances that this was unlikely, as they have a very remote house, they agreed to let me lock their wireless network down with WPA2 encryption. The next day, my client called and, in a rarity in my line of work, expressed happiness with the fact that everything was working great! Coincidence? I think not. My conclusion is that someone was using her network, probably for a long time, and they never knew it.

While this is not exactly the same as Ashton Lundeby’s predicament, it very well could have been, and both of these stories underscore why security should be everyone’s concern.
