
Posted

I think someone is hacking my laptop at work. I'm a contractor and not a direct employee of the company. I have no intranet services, only internet.

What can I do to stop them? I'm running Windows 7.

I got suspicious when the Linksys wireless router was replaced with a Buffalo router. The Linksys router was functioning properly. The admin removed the wired connection from the wall; he wanted access to my computer to set up the wireless router, but I quickly set it up myself to keep him off of my laptop.

I'm running Hotspot Shield, which is a type of VPN; not sure how safe this is.

RDP, File/printer sharing are turned off

wesley

Posted

I don't understand how it all works, but these are my thoughts.

The wireless router is installed on a networked PC, then routed to a central server and out to the Internet. Seeing how the internal network can have several hops before hitting the Internet, I would think my traffic is logged (possibly at the first networked PC) before it is actually tunneled or encrypted by a VPN or other software.

I installed a program, DecaffeinatID from Irongeek; it logs events and flashes a message at the task bar. I get the below warnings:

new ip in cache

mac address changed

Posted

First of all... What a horrible place that they are using wireless networking. Wired will always bring in the best performance and best security. Your best bet is to set up an SSH tunnel. Every business with servers should have port 22 open for SSH access to their systems, so setting up an SSH tunnel will work out great for you.

Posted (edited)

From a business perspective, your machine poses a risk for the company, so I'm not sure why they even allow you access with it at all.

If you are a consultant, why are they not providing you with a machine, resources, and network logins to use their network? Why would they even allow you to use your own machine at all? Sounds like no security is even in place to begin with. What is to stop you from spreading a virus or malware from your machine, whether you think you are secure or not?

#1 - No company should allow foreign devices to access their internal network without proper authorization and permissions from security and management.

#2 - Even if you only had Internet access and not Intranet/Domain access, you are still on their network, and I'm sure being monitored, even if transparent to you. You have to go through their DMZ and firewall to get online, so they would see everything anyway.

#3 - If they do allow you to use your own device on their network, 9 times out of 10 they are going to want to install their own software on the machine as well as force you to join their domain with their enforced policies from the domain controller. They may even require you to allow them to search the machine and access it remotely for security and trade secret purposes. If it's used on their network, they would want total control over what is installed on the machine, what services can be used, etc.

What kind of consulting work do you do? Because you don't sound very tech savvy or IT literate.

Edited by digip
Posted

digip, thanks for your reply, but you would be close-minded to believe that your 'business' scenario is the only one. Many situations call for different solutions; this is the purpose of my post.

The company has a very good reason to allow me access to the internet with no restrictions. The company would acquire a desktop workstation if I request, but this is not practical for my purpose.

I'm looking for a path forward with this issue. My IT department has supplied me with a GSM air card, and advised this is the best security in this type of situation. Currently the GSM reception is less than optimal, the company is in the process of purchasing a GSM repeater tower to increase the reception for my air card.

I realise that my IT department will not always have the best solution for each situation. I interact with other companies at this same level, this one in particular seemed suspicious, thus my post.

I appreciate any helpful replies,

12wesley

Posted

I know that the client I am contracted to support has multiple levels of TPA (third party access). The ones that apply here relate to our wireless. Some contractors are issued a domain account so they can access the network in the same fashion as a regular employee, either from one of our machines, their own machine (in the case of some of the client's partners) or just the Communicator and Outlook Web Access clients via their own machine. If this is not the case, contractors are provided with internet access via wireless which is run on a separate VLAN with no access to our network at all (not even VPN).

In your case, you are using your own machine to do whatever it is you're doing, so I would assume that you have been provided with access to the internet which is separated from the company network in some fashion. What I don't get is why you think you have been hacked.

In my mind the chain of events is as follows: you're assigned a desk which has a wired network port nearby, and some form of Linksys WAP you connected to for internet access. I don't know if these two were connected. At a later point the Linksys is replaced with a Buffalo and the wired connection is removed. The admin who did this wanted to access your machine to connect to the new WAP, which you declined. If this is wrong, you need to be clearer.

As I've said, I'm not sure of the nature of your work, the reason for you being on a client site and the relationship between yourself, your company and the client you're contracted to. The fact that you're concerned about being hacked points to a trust issue, but we can leave that unless you want to clarify this. But from a purely technical POV, yes, if you are connecting to the internet via a network you do not control it is possible to intercept and monitor all communication which is not encrypted, so the safest thing you can do in this situation is simply VPN to your company, which would then mean that all traffic would be secure until it hits your employer's network. As for your own machine, if it is patched, you have your network settings in Public mode and you're not running any network services which are insecure or do not require authentication, then you are probably safe.

As for what happened, I suspect that the client's IT team set up an interim solution for you, and later replaced this with one that they are happier with. Usually in this case one of the finance monkeys forgot to process the required PO and someone just hacked something together so you could work. If you're curious, just ask one of the local IT guys and see what they say.

Posted

Vako, thanks for the reply; you are correct. Your patience is appreciated, as I don't want to disclose any of the parties involved, or be too descriptive.

My concerns are that this 'company' has the potential to view or intercept email (Outlook Exchange client). This information would provide inside information on how bidding would be done in future contracts against multiple competitors. These accounts affect up to 50-80% of their overall business within a year's period.

Possibly the heightened awareness of computer security has made me more alert to my surroundings, and this may be nothing at all. The thing that stands out is when the Buffalo router was installed I asked the IT manager why the change; it was a Linksys N router set to WPA/WPA2 security. He stated he was concerned about security of that model of router, which sounded feasible. But when I connected to the network the security was set to WEP, and the surrounding WAPs were set to WPA/WPA2. I inquired as to which was more secure (I knew already); he told me WEP. Maybe this is to separate my connection from the internal network as you pointed out. Additionally my pointer behaves erratically and seems to have a mind of its own. It usually stops after ~3 seconds of me moving the pointer; this does not happen if I'm not connected. The little DecaffeinatID applet did detect a change in the MAC address and warned of a new IP in the cache? Not 100% sure what this is. The MAC address does concern me; the new IP in the cache could be from an https site or other request that I initiated?

I have taken the security measures you suggested. I have installed Linux Mint and use it as much as possible but have some programs that can't run on Linux even with the Wine emulator. I have started connecting only when needed and disconnecting once complete.

I did discuss direct VPN with my corporate office to resolve this; currently this is not feasible. Admin has explained that the overseas servers have been taxed out to the point of affecting speed. Additional servers are being added in the USA to alleviate the load; once this phase is completed (3-6 months) a direct VPN will be available. As I mentioned before, the admin suggested the GSM air card as an alternative? Is this really secure?

If you have any more suggestions, let me know.

Posted

If you use an Aircard, it should be a direct link to yer ISP, I know it is wireless so it might be able to be sniffed, but I don't know for sure.

Posted
Vako, thanks for the reply; you are correct. Your patience is appreciated, as I don't want to disclose any of the parties involved, or be too descriptive.

My concerns are that this 'company' has the potential to view or intercept email (Outlook Exchange client). This information would provide inside information on how bidding would be done in future contracts against multiple competitors. These accounts affect up to 50-80% of their overall business within a year's period.

Possibly the heightened awareness of computer security has made me more alert to my surroundings, and this may be nothing at all. The thing that stands out is when the Buffalo router was installed I asked the IT manager why the change; it was a Linksys N router set to WPA/WPA2 security. He stated he was concerned about security of that model of router, which sounded feasible. But when I connected to the network the security was set to WEP, and the surrounding WAPs were set to WPA/WPA2. I inquired as to which was more secure (I knew already); he told me WEP. Maybe this is to separate my connection from the internal network as you pointed out. Additionally my pointer behaves erratically and seems to have a mind of its own. It usually stops after ~3 seconds of me moving the pointer; this does not happen if I'm not connected. The little DecaffeinatID applet did detect a change in the MAC address and warned of a new IP in the cache? Not 100% sure what this is. The MAC address does concern me; the new IP in the cache could be from an https site or other request that I initiated?

I have taken the security measures you suggested. I have installed Linux Mint and use it as much as possible but have some programs that can't run on Linux even with the Wine emulator. I have started connecting only when needed and disconnecting once complete.

I did discuss direct VPN with my corporate office to resolve this; currently this is not feasible. Admin has explained that the overseas servers have been taxed out to the point of affecting speed. Additional servers are being added in the USA to alleviate the load; once this phase is completed (3-6 months) a direct VPN will be available. As I mentioned before, the admin suggested the GSM air card as an alternative? Is this really secure?

If you have any more suggestions, let me know.

If a new MAC address is found sometime after you already connected to the wireless access point, one of two things comes to mind. 1, you hit another access point on their network due to a line drop, which probably isn't the case, or 2, someone is doing a MITM attack on your connection, which would be dead simple using WEP.

We all know WPA2 is the more secure, so if he told you WEP was the more secure, you have every right to be suspicious and I wouldn't even use their network if that is the case. If anything, it would be better to VPN to one of your own machines and then hop online from there, vs. not being able to VPN to your employer's network.

It seems to me you have a cat and mouse game going with this admin or security guy who moved you to the WEP access point, and I would totally be suspicious of anything that person says given what you have stated.

I still stand by my other post on how, as a business, you have to think about the security risks, but it seems they aren't concerned with keeping you on some other VLAN (which could be done using the other setup as well, or even a wired connection, so it's kind of beside the point) as much as they are putting you on a weaker encrypted LAN that they could easily intercept. You should also relay this info to your own IT department and management, so they understand the situation you are under, that your work could be compromised in some manner and there are already trust issues with the parties involved.

Either way, do what you have to in order to cover your ass. Document everything and be sure to relay this info with your employer or whomever you report to, but do it when not at this location, do it from when you are home or wherever you are staying, as it seems they are intercepting everything you do online at this point.
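The two DecaffeinatID warnings wesley quoted earlier ("new ip in cache", "mac address changed") and digip's reading of them above (a changed MAC on a WEP network as a possible MITM) can be reproduced with a small ARP-cache poller. The following is an added example, not DecaffeinatID's or any poster's code; the `arp -a` snapshots, IPs and MACs in it are constructed, and the gateway address is an assumption.

```python
"""Watch the local ARP cache for the two events DecaffeinatID reports: a new IP
in the cache and a known IP changing its MAC. Added example, not DecaffeinatID's
code; parses `arp -a` as printed by Windows (00-1a-..) and Linux/BSD (00:1a:..)."""
import re
import subprocess

# An ARP entry is any line holding an IPv4 address followed by a 6-octet MAC.
_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")


def parse_arp_table(text):
    """Map IP -> MAC (lowercase, colon-separated); drop broadcast/multicast,
    which are static by design and never legitimately 'change'."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        table[ip] = mac
    return table


def diff_arp_tables(prev, curr, gateway=None):
    """Return (severity, event, detail) tuples for changes between two polls.
    A MAC change on the default gateway is the classic ARP-spoofing symptom
    on an open or WEP network, so it is rated above other changes."""
    events = []
    for ip, mac in curr.items():
        if ip not in prev:
            events.append(("info", "new ip in cache", f"{ip} -> {mac}"))
        elif prev[ip] != mac:
            sev = "critical" if ip == gateway else "warning"
            events.append((sev, "mac address changed", f"{ip}: {prev[ip]} -> {mac}"))
    return events


def read_live_arp_table():
    """Snapshot the real cache; `arp -a` exists on Windows 7 and Unix-like hosts."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return parse_arp_table(out)


# Constructed sample polls in Windows `arp -a` layout, not real captures.
SNAPSHOT_BEFORE = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_AFTER = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.30          00-de-ad-be-ef-01     dynamic
"""
if __name__ == "__main__":  # in practice, loop: poll, sleep, compare, repeat
    before, after = parse_arp_table(SNAPSHOT_BEFORE), parse_arp_table(SNAPSHOT_AFTER)
    for sev, event, detail in diff_arp_tables(before, after, gateway="192.168.1.1"):
        print(f"[{sev}] {event}: {detail}")
```

Replacing the constructed snapshots with two calls to `read_live_arp_table()` a few seconds apart turns this into the same kind of tray-style alerting the applet provides.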

Posted

Digip definitely hit it on the head. It's utterly stupid to use WEP in a business setting. It would leave you open to having packets intercepted and other nasty stuff - MitM attacks and whatnot.

Sounds pretty shady to me and it would definitely be a good idea to let your IT department know about it.

Posted

OK, to play devil's advocate here, why bother going to the trouble of replacing a wireless AP, using WEP over WPA2, then cracking that WEP connection and doing a MITM attack on this connection if you control the upstream portion of the network anyway? If it was me I would just enable a mirror port on the switch you're hooked into and tap that, or a similar method of tapping your connection beyond the point you are aware of. Far more transparent. Either they are amateurs or we're missing something.

As for a solution, which is what you need, I would recommend that you invest in a paid-for VPN service and use that while on site. Obviously you can't trust that so much, but this is where your involvement ends and your company's starts. If you're dealing with sensitive information, then they need to provide you with a secure solution, as you can only be expected to do so much. Installing Linux really isn't a start here, as a correctly set up Windows install is just as secure (sorry kids, this is true).

Posted (edited)
If it was me I would just enable a mirror port on the switch you're hooked into and tap that, or a similar method of tapping your connection beyond the point you are aware of. Far more transparent.

That's a really good point too, and one to consider: since they own the network they would be able to monitor all your traffic anyway. That's why I said moving to some other VLAN or access point is kind of moot and beside the point; it's still their network and "all your traffic are belong to us".

If they want your data, you are on their network, they will be able to see everything anyway. VPN would be ideal, which I guess in your case isn't feasible, but I wouldn't trust them at this point anyway.

The other option: try tethering your cell phone to the laptop, and make sure it's not in Bluetooth or WiFi mode of any kind. At least that way you are not on their network at all and can do what you have to online.

As far as the WEP is concerned, it's not just them you have to worry about, but also outside people, even from outside the company. WEP is not secure in any fashion at all, so even if the contractor is not monitoring you, someone in another building, room, or whatever could be.

Edited by digip
Posted

Thanks for your replies,

The best interim solution: not use their network at all, and only use the air card supplied by my company. This complicates my work flow but is secure.

Is a paid VPN a good alternative? I would only use the air card; if so, which one would you suggest?

I think digip mentioned tethering a cell phone; now is this more secure than an air card? Both are on the same cellular network.

I recently changed laptops; the new one has not connected to their network. I have only used the air card. Should I be concerned about software installed on the new laptop without my knowledge?

Vako, talking to the IT manager he seems competent enough; however he does manage a small to midsize company and may not have all the resources a larger company would.

Your correspondence is actually a second opinion and causes more concern than originally thought by my IT department. I will address it with them next week.

Posted

Unless someone had access to yer laptop while you weren't there and it wasn't locked you should have nothing on it that you didn't install yourself.

I cannot be 100% positive, but I think both the aircard and tethering yer phone will have the same amount of security, since they should be direct links to the internet.

Posted (edited)

I've added my thoughts in line in blue.

Thanks for your replies,

The best interim solution: not use their network at all, and only use the air card supplied by my company. This complicates my work flow but is secure.

This is the best approach.

Is a paid VPN a good alternative? I would only use the air card; if so, which one would you suggest?

I'd go with the air card; completely bypasses their network.

I think digip mentioned tethering a cell phone; now is this more secure than an air card? Both are on the same cellular network.

It will be as secure as an air card, as long as it's a USB tether, not wireless!

I recently changed laptops; the new one has not connected to their network. I have only used the air card. Should I be concerned about software installed on the new laptop without my knowledge?

So long as it hasn't been out of your control.

Vako, talking to the IT manager he seems competent enough; however he does manage a small to midsize company and may not have all the resources a larger company would.

WPA is part of any access point made in the last ten years.

Your correspondence is actually a second opinion and causes more concern than originally thought by my IT department. I will address it with them next week.

Edited by barry99705
Posted

I now have a path forward until our new servers are installed and set up.

How can I restrict access to the USB ports in Windows 7?

I have disabled autorun; I do not wish to completely disable the USB ports in the BIOS or Device Manager.

Posted

Best way would be to lock the computer if you aren't using it, and always keep it in sight.

The only foolproof way to disable USB completely is in the BIOS.

Posted
I now have a path forward until our new servers are installed and set up.

How can I restrict access to the USB ports in Windows 7?

I have disabled autorun; I do not wish to completely disable the USB ports in the BIOS or Device Manager.

You could try DeviceLock, but I have never used it myself:

http://www.devicelock.com/
