topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Friday March 29, 2024, 12:12 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Tough Router Question  (Read 8090 times)

raybeere

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 94
    • View Profile
    • Read more about this member.
    • Donate to Member
Tough Router Question
« on: February 06, 2009, 01:41 PM »
First, I need to explain the situation. I need to help my daughter & son-in-law set up their new laptop on the Internet. Simple enough, in itself. The problem is their roommate. I don't know if anyone heard of the study where someone put up a link that said something like "Click here to infect your computer with a virus" - but if she came across that site, she would have clicked on the link. (As I recall, almost 400 people did, in a depressingly short time...). Her computer is actually more screwed up than any public access computer I've ever encountered, and for a few years public access computers were my only link to the Net... No point cleaning out the crapware and any malware lurking among it - she'd just mess it right back up again.

 In fact, they got a laptop so they can use it wirelessly, as they don't dare leave a computer out where she might get her hands on it. (She is also hell on hardware: her keyboard is gummed up with peanut butter, she thinks slapping the CPU around is a great move to resolve any technical issues :o you get the idea.) My s-i-l is trying to manage his dairy farm remotely (it is several thousand miles away, outside the US), so they need to keep their computer secure. I've already been over-ruled on the obvious non-technical solutions. ;) My daughter would have no idea what to do, and my s-i-l has never even used a computer before. So I really have no choice but to figure something out.

I know just enough to do some research: I figured out my best hope is a wireless router with OS firmware so I can set up the LAN ports as one VPN (the roomie's - might as well give her all, as she's the type who is just as likely to unplug her computer and stick it back in anywhere) and the wireless connection as another VPN (my daughter and s-i-l's). The best available choice seems to be the Linksys WRT54GL (as it happens, I just bought one myself, as my router is ailing). I was hoping to use Tomato, but looking over the documentation that exists online, I don't see how it would be possible to do this with Tomato. Or that could just be my ignorance... :-[

Which leaves me with DD-WRT. I have two problems with that: first, the documentation I looked over didn't even leave me quite clear which file to download for that router (I think I know, but I do know enough to be aware when updating firmware that is an awfully risky assumption). Second, I have the definite feeling DD-WRT is going to prove a bit more than I'm prepared to take on, or, to be exact, more than I can quickly master. I could probably figure it out, given time. But my daughter already bought the computer, and wants it hooked up ASAP. (They do really need it, so I can understand her urgency.) I really don't think I have the knowledge to get up to speed with DD-WRT that quickly.

Any suggestions on anything else I might be able to do? Also, one further problem. As the roommate has a boyfriend of dubious honesty and at least some technical knowledge, the "factory reset" option seems a very obvious danger (Internet connection, and, thus, the router are in an area everyone has access to). I presume there is no way to disable or password protect this (that would more or less defeat the point) and I can't even figure out a way to monitor the router and pop up an alert if settings reverted to factory default. (Even if I puzzle out how to write a script to do it, once the settings are reverted, the script wouldn't be run, so it would be pointless to run it to check for the one condition under which it won't be run...)

I suspect there are other issues I haven't even thought of; I don't do a lot with networking, so it isn't an area I know much about. I do know wireless security is shaky (again, that factory default issue makes me nervous - that, and the fact they live in an area where everyone tries to get everyone else to install wireless so they can steal a connection). So any thoughts, information, resources, whatever you can offer would really help. I'm sorry for asking questions I ought to be able to find answers to myself - I just don't think I can find and absorb it all quickly enough (especially since some bits of information I've found contradict others, leaving me with the need to learn enough to figure out which ones were written by idiots).
« Last Edit: February 06, 2009, 01:43 PM by raybeere »

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Tough Router Question
« Reply #1 on: February 06, 2009, 02:56 PM »
For security and the reset button issue why not set it up and lock it in a a cupboard. If it fails they can always unplug the mains adapter wait a while and plug it in again. If it is a wooden cupboard the wireless connection shouldn't lose too much power over a short distance.

For security make sure you enable WPA2+AES if possible in the router and give it a very long unguessable key. Then switch off broadcasting the SSID (network ID) so that no one can see the router and the only way to log into it is to use the invisible SSID and the unguessable key. Make sure you also change the default router password so she can't log in to change settings. You can also set the router to only accept specific MAC addresses so that even if she guesses the WPA key you can restrict the router to the computer containing her wireless card only.

Now on her computer set her up as a a user (not an admin) and encrypt the admin account, giving it a long unguessable password. That way she will only have basic user rights to the system and won't be able to access system settings and devices etc. If you set up her wireless connection there is no need for her to know the WPA key at all unless the connection is lost or damaged.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Tough Router Question
« Reply #2 on: February 06, 2009, 03:16 PM »
Is your sister's Roomate-from-Hell using her own computer, or will she have access to that new laptop?

If she can't use the laptop, it doesn't matter what she gets up to on her own machine. It can't infect or cause problems on your sister's laptop because you're not sharing any files like she might be if she was connected to the same server as your sister. Merely sharing the same router shouldn't cause problems.

Just make sure you keep her grubby mitts off your sister's laptop and all should be well. Use a BIOS bootup password along with a decent Windows password and you should be all set. Change the workgroup name on the laptop from the default WORKGROUP to something nonsensical so that it's hidden from casual net browsing. For extra security you could also disable File and Print Sharing on the laptop since you won't be needing it anyway.

« Last Edit: February 06, 2009, 03:26 PM by 40hz »

raybeere

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 94
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Tough Router Question
« Reply #3 on: February 06, 2009, 04:26 PM »
For security and the reset button issue why not set it up and lock it in a a cupboard. If it fails they can always unplug the mains adapter wait a while and plug it in again. If it is a wooden cupboard the wireless connection shouldn't lose too much power over a short distance.

Thanks, that's one I hadn't thought of, although I'm not sure the spot where the connection comes in allows many options along that line. And even wooden cupboards use metal fittings, so I suppose it would depend on the exact construction / location of fittings just how much trouble I'd have with any given enclosure. Running wires in / out would also be a huge pain. Still, it is at least another avenue to consider.

Right now, I'm trying to figure out if there's some way to monitor the router's settings from Windows. It won't matter much what the roomie does if my daughter and son-in-law are not connected, and as long as their computer can warn them when they connect... Assuming I can figure out a way to do this. I do find it odd no one ever seems to have considered the built in factory reset as a potential vulnerability. What use is it to set passwords for access when anyone with a finger can override the setting? So I wonder if, somewhere out there, this problem has been conquered already, and I just haven't found the answer yet.

For security make sure you enable WPA2+AES if possible in the router and give it a very long unguessable key. Then switch off broadcasting the SSID (network ID) so that no one can see the router and the only way to log into it is to use the invisible SSID and the unguessable key. Make sure you also change the default router password so she can't log in to change settings. You can also set the router to only accept specific MAC addresses so that even if she guesses the WPA key you can restrict the router to the computer containing her wireless card only.

Yes, I will do all that, at least. AFAIK, though, the MAC address is easy to spoof if you have any idea what you're doing, and it is just a matter of time before WPA2 crumbles. Still, I think that's the best I can do for wireless security at the moment. I'll have to hope if WPA2 is replaced by a better standard, I can find a firmware update that will address that. That, at least, is safely in the future. :) If I can get this up, working, and secure for now, I've at least won the initial battle.

Now on her computer set her up as a a user (not an admin) and encrypt the admin account, giving it a long unguessable password. That way she will only have basic user rights to the system and won't be able to access system settings and devices etc. If you set up her wireless connection there is no need for her to know the WPA key at all unless the connection is lost or damaged.

I may be thick, but I'm not sure I'm clear what you're suggesting here. On my daughter's computer, there's no reason not to let her access an admin account, although her husband isn't ready for that. He hasn't learned what not to touch yet. ;D On the roommate's computer, if I could lock her out of most settings I certainly wouldn't object, ;D but if I could do that this whole thing wouldn't be such an issue.

Yes, I have suggested just telling the roommate she can't use the Internet from there. I would really prefer that, myself, but it isn't my apartment so I can't make that choice. :( Somehow, I have to face the machine from hell long enough to get it working on the new router. Just touching that keyboard is going to have me soaking my hands in alcohol for hours afterward. :'( Of course, if I can't get it to work, roomie is out of luck - and even playing fair, that thing isn't what you'd call highly functional. It spends most of its time displaying little messages like "Uploading your credit card info to Russian Mob now: Confirm / Surrender All Cash Now" (Yes, I exaggerate, but not as much as I wish I were - the woman spends her life on the kind of porn site where they keep telling you to download their "special" viewers... The thing has so much crap loading on it now it has started throwing up "out of memory" errors when you start it up.)

raybeere

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 94
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Tough Router Question
« Reply #4 on: February 06, 2009, 04:38 PM »
Is your sister's Roomate-from-Hell using her own computer, or will she have access to that new laptop?

If she can't use the laptop, it doesn't matter what she gets up to on her own machine. It can't infect or cause problems on your sister's laptop because you're not sharing any files like she might be if she was connected to the same server as your sister. Merely sharing the same router shouldn't cause problems.

Just make sure you keep her grubby mitts off your sister's laptop and all should be well. Use a BIOS bootup password along with a decent Windows password and you should be all set. Change the workgroup name on the laptop from the default WORKGROUP to something nonsensical so that it's hidden from casual net browsing. For extra security you could also disable File and Print Sharing on the laptop since you won't be needing it anyway.

The roommate is going nowhere near the laptop. If she was going to be allowed to touch it, there'd be no point in having any security at all... And, yes, I'd disable File and Print Sharing on the laptop. But on the sharing a router issue: I keep hearing that alone "shouldn't" be a problem, but here's the thing. Both computers can access this one device, which is handling all the traffic in or out to either machine. So how can anyone be sure one machine can't 'observe' that data flow and collect data from it? What protects the data sent to and from one machine from observation by some app on the other machine? Has anyone actually tested the possibility?

I don't mean any offense. It's just that "I don't know how to do it, and I don't know anyone who knows" is not at all the same thing as "No one can do it". And when the possibility seems as obvious as it does with two machines sharing one connection, I have to wonder. It isn't as though the creeps who write malware and spyware advertise their capabilities; as far as I know, they go to great lengths to hide what they can do / are doing. And if that second machine isn't part of a zombie network already, it sure will be one of these days - I don't think the security researchers who try to collect malware on their machines could do a better job than this woman. ;D

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Tough Router Question
« Reply #5 on: February 06, 2009, 05:08 PM »
I don't mean any offense. It's just that "I don't know how to do it, and I don't know anyone who knows" is not at all the same thing as "No one can do it". And when the possibility seems as obvious as it does with two machines sharing one connection, I have to wonder. It isn't as though the creeps who write malware and spyware advertise their capabilities; as far as I know, they go to great lengths to hide what they can do / are doing. And if that second machine isn't part of a zombie network already, it sure will be one of these days - I don't think the security researchers who try to collect malware on their machines could do a better job than this woman.


No offense taken. I hear similar concerns all the time from my business clients.

Anything may be possible, but it usually pays to confine one's endeavors to the realm of the probable and doable rather than the theoretically possible. That way lies paranoia.

In answer to your question, there is such a thing as packet sniffing. Is this roomate a hacker or network administrator type? If not, I doubt you'll need to fear much from her observing datagrams (assuming she knew what they were) since you'd need a very high degree of knowledge about network protocols to adequately interpret the results.

If she would be stopped by wireless encryption and passwords, then she's not the type of person with the background to do Wireshark and Nessus snooping.

If you're using Network Address Translation (NAT), which you are since you're using a router, all the packets that are supposed to go to your machine go to just your machine.

For the record, I will categorically state that two people on the same router cannot cross-infect each other as long as they are not also sharing files on their machines. Period. That much I do know.

Hope that's enough assurance for you. 8) ;D
« Last Edit: February 06, 2009, 06:58 PM by 40hz »

raybeere

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 94
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Tough Router Question
« Reply #6 on: February 06, 2009, 05:24 PM »
In answer to your question, there is such a thing as packet sniffing. Is this roomate a hacker or network administrator type? If not, I doubt you'll need to fear much from her observing datagrams (assuming she knew what they were) since you'd need a very high degree of knowledge about network protocols to adequately interpret the results.

If she would be stopped by wireless encryption and passwords, then she's not the type of person with the background to do Wireshark and Nessus snooping.

I guess I may not have made my concerns clear enough. I do understand there is no danger of virus / malware infection simply from sharing a router. What I'm wondering is this: since the roommate's computer is - or will be - infected with any and every possible variety of nasty malware ever developed, isn't it possible the hackers who control the malware on her machine could use the machine for packet sniffing? The roommate herself is an idiot. Her boyfriend is more of a concern (he might at least think of resetting the router if he wanted to change anything), but any guy who would hook up with her is not going to be up to packet sniffing. But, if her computer is compromised, couldn't it be used to do anything she herself could do with it (assuming she had the knowledge)?

That's the part that's keeping me wondering. Also, I agree, if there is nothing to be done, then there's no point worrying about it. But I have found enough information to make me believe setting up two separate VPNs, one for the wired ports and one for the wireless, might lessen the risk. So, assuming my concern about the potential remote use of the roommate's computer is not unreasonable, that would seem worth trying out, if I can work out how to do it.

Alternately, if I can't work out how to do that, how much would encrypting data (say, using TrueCrypt, or CryptainerLE) before sending - on both ends, of course - protect against packet sniffing snoops? Does anyone know? That routine would be a real pain for my daughter and son-in-law, but might be worth it if no other solution can be worked out.
« Last Edit: February 06, 2009, 05:28 PM by raybeere »

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Tough Router Question
« Reply #7 on: February 06, 2009, 06:15 PM »
If you set your daughters computer to a randomly named workgroup then there isn't even the possisbiliy of the two computers seeing each other because they aren't on the same network. For the two computers to interact through the router they would have to be joined to the same workgroup AND have file sharing enabled.

If you disable file sharing on your daughters computer AND set a random workgroup name (avoid WORKGROUP and MSGROUP which are both MS defaults and avoid anything guessable) then her room mates computer won't even see your daughters computer on the network.

As for packet sniffing I think for most people that is entering the realms of fantasy unless her room mate is a really knowledgeable hacker. Far more likely that the packets will be sniffed by malicious people on the internet!

Sorry if my post was confusing above - I thought the room mate would have access to the laptop too - so restricting the users to user mode (good practice anyway from Vista onwards) would minimise potential interference.

As above setting a BIOS password effectively stops anyone accessing the computer (including your daughter if she forgets the password)!

Re. router in a cupboard - I wouldn't think hinges etc would be much of an issue if the majority of the cupboard was wooden. Some of the 802.11n routers (esp. the Netgear routers) have really strong transmission (much more than the 802.11b or g routers) which gets through walls without problems - a cupboard should have negligible effect in a room!

PS - most routers are manageable remotely (at least all the ones I have seen are) so you can connect via the internet. You can also set them to email you with any changes made to router setting or other events. Check out the router settings.

PPS - I suppose the reset button is present because mostly routers are either locked away or in the home where there isn't a real issue. If it didn't have a reset button and the settings got scrambled or corrupted (which happens) what would you do?
« Last Edit: February 06, 2009, 06:18 PM by Carol Haynes »

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Tough Router Question
« Reply #8 on: February 06, 2009, 06:55 PM »
If her roomate's machine has been compromised, or is hosting some sort of zombie-bot, the only machine that would be affected would be her roomate's.

There is only one situation where this might cause a problem for your sister:

If they're both on the same DSL or cable connection, any illegal thing her roomate's machine did (i.e. spam botting, participating on a DOS attack, bootlegging copyrighted materials, sharing kiddie-porn via P2P, etc.) would lead an investigator right back to the WAN IP address on your router.

Depending on the circumstances, you could have your service shut off; possibly get a call from your ISP's security department; or receive a very unpleasant visit from law enforcement officials.

But this is all "worst case scenario" stuff - and pretty far fetched. I wouldn't worry too much about it.

If something very serious went down, I doubt your sister would ultimately be the person in trouble since it wouldn't be her machine that was causing the problem. But establishing innocence and dealing with skeptical security people is a hassle best avoided whenever possible.

If your sister is that concerned, the easiest thing to do would be to just order an additional DSL/Cable line and put The Roomate (hmmm...starting to sound like a movie title isn't it?) on a completely different router.

End to end data transmission encryption (E2EE) is possible, but it's not easy to implement efficiently without additional hardware and some professional (i.e. expensive) assistance.

Data file or folder encryption however, is very doable with CryptainerLE or TrueCrypt. TrueCrypt is more suited to providing protection of files that aren't being transmitted. Think of it more as a strongbox. CryptainerLE is more suited for things you want to protect and send to other people.

If you encrypt your files before sending them, you're about as secure as you can get short of working for the government. Just encrypt whatever file(s) you want to send, and let the recipient know what the password is, and you're set to go. Most apps allow you to create self-decrypting executables so that the recipient wouldn't need anything other than the password to unlock your file.

Alternatively, you could use a public-key/RSA solution like PGP, in which case you could encrypt/decrypt without needing to share passwords at all.

 :Thmbsup:

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Tough Router Question
« Reply #9 on: February 06, 2009, 07:13 PM »
Quick note on reset buttons and DD-WRT.

The people who wrote DD-WRT have issued warnings regarding hardware resets.

If at all possible - do not use the hardware reset button. If you need to do a router reset, use the Restore Factory Defaults option under the Administration tab in the web interface whenever possible.

It is possible to "brick" your router with the hardware reset button. I don't know if the Linksys WRT L-series routers are susceptible to this problem. But the non-L ones definitely are.

I speak from personal experience on this one.  :-[


Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Tough Router Question
« Reply #10 on: February 06, 2009, 07:18 PM »
Another note on reset buttons and avoiding them being used - if you are sure you never want to use it just trickle super glue around the button so it seizes up. Just make sure the button isn't depressed while you do it ;)

raybeere

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 94
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Tough Router Question
« Reply #11 on: February 06, 2009, 07:40 PM »
As for packet sniffing I think for most people that is entering the realms of fantasy unless her room mate is a really knowledgeable hacker. Far more likely that the packets will be sniffed by malicious people on the internet!

I guess I don't know enough about packet sniffing. It isn't exactly anything I've ever wanted to do, and so far I haven't written any high-tech spy / thriller stuff, so never needed to research it. So I just assumed it would be easier / more tempting to snoop on the computer right on the same network with the infected one. As far as how knowledgeable the hackers are who infected / will infect the roommate's computer, well, I suppose they don't need to know much. Just how to make a little button that says something like "Hot Action! Download Now!". ;D

Sorry if my post was confusing above - I thought the room mate would have access to the laptop too

:o This is a woman who is quite capable, if she needs a hammer, of picking up the laptop and using it to drive a nail. She's already done things like that - just not quite as costly. It has to be wireless so it can be removed from any area she has access to unless someone is actively using it. (No, I have no idea why my daughter puts up with her.)

PS - most routers are manageable remotely (at least all the ones I have seen are) so you can connect via the internet. You can also set them to email you with any changes made to router setting or other events. Check out the router settings.

But if it is reset to factory defaults, won't that wipe out the setting that tells it to e-mail someone when there are changes?

PPS - I suppose the reset button is present because mostly routers are either locked away or in the home where there isn't a real issue. If it didn't have a reset button and the settings got scrambled or corrupted (which happens) what would you do?

I understand why the button exists - what I don't understand is why there isn't some method of "flashing" the default settings, or at least one or two crucial ones, to allow you to set your own default password, for example. It would give the same functionality, with a lot more security.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Tough Router Question
« Reply #12 on: February 06, 2009, 07:44 PM »
You can back up your settings to a file so you can restore them if you need to. Gluing the reset button would only cause a problem if you completely lost access to the router via the admin interface.

raybeere

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 94
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Tough Router Question
« Reply #13 on: February 06, 2009, 07:51 PM »
Thanks for the info. It gives me a few things to think about. Although considering what The Roommate is like, nothing that happens on her computer would be far-fetched. I think if she saw an offer for "Free Malware" she'd think that was a good thing and download it. ;D

If your sister is that concerned, the easiest thing to do would be to just order an additional DSL/Cable line and put The Roomate (hmmm...starting to sound like a movie title isn't it?) on a completely different router.

I already thought of that. It would mean a lot less work for me, but poor little roomie would have to pay for the extra Internet connection, which for some reason is presumed to be a bad thing. (Not by me...) My daughter and son-in-law are trying to be nice; they feel bad for the woman. I can't fault them for that. But I do think the woman takes advantage of that. Which is something I'm powerless to do anything about, since I'm assuming any reprogrammable entity would be smarter than that.  ;D
« Last Edit: February 06, 2009, 08:01 PM by raybeere »

raybeere

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 94
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Tough Router Question
« Reply #14 on: February 06, 2009, 07:55 PM »
You can back up your settings to a file so you can restore them if you need to. Gluing the reset button would only cause a problem if you completely lost access to the router via the admin interface.

Thanks, the glue idea is a great one! I already save my settings to a file: one of the first rules of computing I've learned is the one that says: "If you spent any time and effort at all on it - back it up!"

Although, come to think of it, I did lose access to the admin interface on my router once, after a lightning storm. (Yes, I use surge protection. It doesn't seem to have been enough, in this case.) I had to reset to get access so I could restore my settings: but on the other hand, in another month or so, that router just turned belly up and died. A sudden power outage left its replacement unstable - that's why I got a router I could put Tomato in, hoping that would prove a more stable firmware. At least from what I've heard, it is.