Promoting Defensive Computing is like nagging children to eat their vegetables. So, when a story hits the news with details of the absolute worst case scenario, it's a teaching moment.
Although the case of Barry Ardolf hacking his neighbors Wi-Fi network has been known about for a while, it's being reported on again because Ardolf was just sentenced to 18 years in prison. His story should scare people into verifying that their wireless network is as secure as possible.
Things started in August 2008 when Matt and Bethany Kostolnik moved into a house near Minneapolis, Minnesota. The day after they moved in, their 4-year-old son wandered into the yard of the house next door to climb on a play-set. The next door neighbor, Barry Ardolf, returned the child, but while doing so, kissed him on the mouth.
Needless to say, the parents reported this to the police and Ardolf then spent two years getting revenge. According to prosecutors the incident
... caused the defendant to begin a calculated campaign to terrorize his neighbors, doing whatever he could to destroy the careers and professional reputations of Matt and Bethany Kostolnik, to damage the Kostolniks marriage, and to generally wreak havoc on their lives.
In large part, he did this by hacking into their Wi-Fi network.
Havoc was indeed wreaked. Ardolf setup a MySpace page for the Kostolniks with child pornography on it. He created a new email account with the victims name (mattkostolnik at yahoo) and sent emails from this account from the victims house. These emails included child pornography sent to co-workers of Mr. Kostolnik.
From the same email account Ardolf made it seem as if Kostolnik, a lawyer, was flirting with some of the women he worked with.
Ardolf then seems to have picked the name of a woman out of the phone book and created another scam email account in that womans name. Posing as her, he emailed two managers at Mr. Kostolnik's law firm complaining that Kostolnik "made sexual advances and grabbed at my breasts."
The wrinkle here is that these scam messages were not sent from either the Kostolnik home nor Ardolf's home. Instead, Ardolf hacked into yet another neighbor's wireless network.
Ardolf also impersonated Mr. Kostolnik when he sent death threats, again from the Kostolnik residence, to the Governor of Minnesota and one of their Senators.
The Vice President of the United States was also sent threatening emails from yet another fraudulent email address with the Kostolniks names in it. All told, Ardolf threatened public officials three times. No surprise then that the Secret Service eventually visited Mr. Kostolnik at his workplace.
Bethany Kostolnik, the mother who initially complained to the police, was also harassed.
In one instance she was sent an email from Ardolf through her employers website. Yet another falsely-created email account was used to send this note:
I know your husband Matt[,] and Im going to get him! Hes going to pay for getting me pregnant. Hell, he already has 3 kids with you. I dont blame him for asking me to have an abortion. He goes out at night but he isnt alwasy [sic] doing what you think hes doing.
When the FBI raided Ardolf's house, they found he was working on still another email, this one to be sent to Bethany Kostolnik's boss, claiming inappropriate behavior by Mrs. Kostolnik in the performance of her job.
Mr. Kostolnik's law firm hired another law firm to investigate. The investigating firm hired a computer nerd who set up detailed activity logging on the Kostolniks' home network.
How many of you work for a company that would do that for you?
Fortunately for the Kostolniks, Ardolf continued his attacks after this logging had been enabled. Still, had Ardolf been better at hacking, he might have gotten away with it.
The critical break in the case came when the logs showed that a threatening email message had been sent from the same computer that was used to check Ardolf's email. Many email programs are configured to periodically check for new messages. This is most likely what happened on Ardolf's computer. A better hacker would have used a clean system when doing mischief.
There is nothing you can do about someone opening an email account in your name. Even if you already have accounts with your full name, a bad guy can make a minor modification, such as adding a year at the end.
The defense here is to never believe the FROM address of an email message. If you've been reading this blog, you'll know that I'm repeating myself, but it bears repeating.
The most important lesson from this story has to do with Wi-Fi encryption. I covered this back in September 2009, (see The Best Security for Wireless Networks), so I'll be brief here.
There are three types of wireless network security, WEP, WPA and WPA2.
WEP is what the Kostolniks were using. It stinks. It's easily hacked. In fact, a case might be made that installing a new router with WEP enabled is malpractice. In November 2010, I tried to make this case when I asked Is Verizon guilty of malpractice?
WPA is not the best, but it's probably good enough. The terminology here is confusing however. When people refer to WPA encryption, they really are referring to TKIP encryption, the two terms are used interchangeably even though, technically, they refer to different things.
The best encryption is WPA version 2 or WPA2 for short. But, you don't just chose WPA2, you also need to chose an encryption scheme for it. I mention this because TKIP can be used with WPA2 as well as with WPA. Using TKIP with WPA2, in effect, makes it WPA.
When you opt for WPA2, be sure to also opt for AES, the improved version of TKIP. The term AES is not technically correct, so nerds wanting to be accurate call it CCMP. Most routers though, use the term AES.
In summary, the best option is WPA2-AES.
Note that extremely old routers only support WEP and not the newer WPA or WPA2. These routers should be replaced. WEP security is false security.
Very often, you'll read that WPA2 is safe. While it is safer than WEP or WPA, in and of itself it is not safe.
Any wireless network is subject to a brute force attack where the bad guy guesses millions of passwords a second. A WPA2-AES network with a password of "hello" is no safer than a WEP network. I wrote about this back in September 2009 (see What no one is saying about WPA2 security).
Passwords for both WPA and WPA2 can range from 8 to 63 characters. The longer the password, the better. Considering that computers are always getting faster, I suggest a password of 20 or more characters.
Despite what most people say, the password does not have to be totally random to be secure. Something like
is a good choice. Add a couple special characters to season as desired.
If you can't remember the password, write it on a piece of paper and tape it to the router (face side down).
I live in big city surrounded by way too many Wi-Fi networks. Back in September 2009 I wrote about a survey I did in my area where out of 100 tested networks, 49 were using WEP and 12 had no security at all.
This seems to be improving, at least in my neighborhood. Of 29 Wi-Fi networks visible to my laptop, 5 are using WEP, 3 have no security at all, 7 are secured with WPA/TKIP and 14 are secured with WPA2/AES.
Looking over the networks near me pointed up another Wi-Fi issue -- the name of your network. Apparently it took Ardolf some time to figure out which network belonged to the Kostolnik family. That's a good thing. The name of a Wi-Fi network should not identify the owner.
Some people near me give up a bit too much identifying information.
For example, there are two networks with a pair of first names (think GrouchoandHarpo). Another network has a pair of last names as the SSID (think Woodward-Bernstein). Two networks use the owners first and last name. Another network is named along the lines of joey12399 which looks innocent at first. However, there is a building near me whose address is 123 West 99th Street so this too is offering a bit too much information.
There is no defense against a bad guy learning the name of your network by walking around with a smartphone or laptop computer and measuring signal strengths. Still, it's better to be anonymous.
Another important issue is protecting the router itself.
Here too, we deal with passwords, the biggest defense coming from changing the default router password. As with any password, don't use a word in the dictionary and longer is better. This password too can be written down and taped to the router. All too often, I run across router owners that don't know the userid/password to configure their router.
Another way to protect a router is insuring that only someone on the local network can get into its internal website to make configuration changes. You don't want the router talking to any Tom, Dick and Harry from the Internet that rings its doorbell asking to be let in. Look for a feature called remote management or remote administration and make sure it's turned off.
In addition, some routers offer an option that prevents all wireless users from logging in. I've locked myself out using this, but still recommend it.
Another great security feature offered by some routers is a guest network. Having two networks lets you use a private Wi-Fi password on your private network and a second Wi-Fi password for the guest and visitors network. The second password can be changed without impacting the password used by your computers.
Last year I was pleasantly surprised when I found this feature offered on the Netgear WGR614 router, a bottom-of-the-line $40 model.
Prosecutors in the Ardolf case wrote that "Ardolf was also able to access all of the Kostolniks computers that were connected to the router". This brings to mind three things.
The first is firewall software running on a computer which should go a long way towards protecting the machine from anyone that infiltrates the local network. Windows has enabled its firewall by default for years. OS X on the Mac however, disables the firewall by default. Unfortunately configuring a firewall is beyond the ability of non-techies.
The second is file sharing. If you don't share files on a LAN, then turn off the file sharing features in your operating system.
Finally, a router can also offer file sharing protection. The previously mentioned Netgear WGR614, for example, offers a Wireless Isolation feature that gives wireless users access to the Internet but prevents them from seeing any other computers on the network. This over-rides any file sharing attempted by the computers on the network.
It does not appear that Ardolf learned the passwords of the email accounts actually used by the Kostolnik family. It is possible though that a better hacker can learn email passwords after infiltrating a network.
Yahoo webmail is vulnerable because after logging in securely, Yahoo reverts to an insecure HTTP connection. This lets snoopers capture identifying cookies and logon as you. That's what Firesheep was all about. Gmail, in contrast, always uses secure web pages.
If you use an email program (Outlook, Thunderbird), rather than webmail, be aware that, while this can be secure, it often is not.
The protocols used to read email are POP3 and IMAP. The one to send is SMTP. Each of these comes in a secure and insecure version, much like HTTP vs. HTTPS. The secure versions of these protocols offer an encrypted connection between your computer and the one hosting or sending your email. It is not end to end security, but it will protect you from eavesdropping by a bad guy sharing the LAN with you.
Finally, a word about technical topics covered by the main stream media.
Over at Time magazine, Giles Turnbull writes
If you end up with someone like Ardolf as your neighbor, there's not much you can do to deter them from trying to hack into your Wi-Fi. His victims had, after all, taken the usual precaution of locking their network down and putting a password in front of it.
As this article tried to show, there is much that can be done above and beyond a WEP password.
Blogger Ben Rooney at the Wall Street Journal wrote
It is a chilling tale, all the more so because Mr. and Mrs. Kostolnik had secured their Wi-Fi network.
No, they had not secured their Wi-Fi network. No techie would call a WEP protected network secure. If the Kostolniks had actually secured their Wi-Fi network, none of this would have happened.
People who don't know anything about automobiles are not in the habit of installing new engines. Yet, non-techies often setup their own wireless network. Hopefully, this article will make some of them safer.
Update July 20, 2011: Some other cases of very bad behavior done while logged on to unprotected or poorly protected WiFi networks: NY case underscores Wi-Fi privacy dangers