Main Area and Open Discussion > Living Room

Tough Router Question

<< < (2/3) > >>

40hz:
I don't mean any offense. It's just that "I don't know how to do it, and I don't know anyone who knows" is not at all the same thing as "No one can do it". And when the possibility seems as obvious as it does with two machines sharing one connection, I have to wonder. It isn't as though the creeps who write malware and spyware advertise their capabilities; as far as I know, they go to great lengths to hide what they can do / are doing. And if that second machine isn't part of a zombie network already, it sure will be one of these days - I don't think the security researchers who try to collect malware on their machines could do a better job than this woman.
--- End quote ---


No offense taken. I hear similar concerns all the time from my business clients.

Anything may be possible, but it usually pays to confine one's endeavors to the realm of the probable and doable rather than the theoretically possible. That way lies paranoia.

In answer to your question, there is such a thing as packet sniffing. Is this roomate a hacker or network administrator type? If not, I doubt you'll need to fear much from her observing datagrams (assuming she knew what they were) since you'd need a very high degree of knowledge about network protocols to adequately interpret the results.

If she would be stopped by wireless encryption and passwords, then she's not the type of person with the background to do Wireshark and Nessus snooping.

If you're using Network Address Translation (NAT), which you are since you're using a router, all the packets that are supposed to go to your machine go to just your machine.

For the record, I will categorically state that two people on the same router cannot cross-infect each other as long as they are not also sharing files on their machines. Period. That much I do know.

Hope that's enough assurance for you. 8) ;D

raybeere:
In answer to your question, there is such a thing as packet sniffing. Is this roomate a hacker or network administrator type? If not, I doubt you'll need to fear much from her observing datagrams (assuming she knew what they were) since you'd need a very high degree of knowledge about network protocols to adequately interpret the results.

If she would be stopped by wireless encryption and passwords, then she's not the type of person with the background to do Wireshark and Nessus snooping.
-40hz (February 06, 2009, 05:08 PM)
--- End quote ---

I guess I may not have made my concerns clear enough. I do understand there is no danger of virus / malware infection simply from sharing a router. What I'm wondering is this: since the roommate's computer is - or will be - infected with any and every possible variety of nasty malware ever developed, isn't it possible the hackers who control the malware on her machine could use the machine for packet sniffing? The roommate herself is an idiot. Her boyfriend is more of a concern (he might at least think of resetting the router if he wanted to change anything), but any guy who would hook up with her is not going to be up to packet sniffing. But, if her computer is compromised, couldn't it be used to do anything she herself could do with it (assuming she had the knowledge)?

That's the part that's keeping me wondering. Also, I agree, if there is nothing to be done, then there's no point worrying about it. But I have found enough information to make me believe setting up two separate VPNs, one for the wired ports and one for the wireless, might lessen the risk. So, assuming my concern about the potential remote use of the roommate's computer is not unreasonable, that would seem worth trying out, if I can work out how to do it.

Alternately, if I can't work out how to do that, how much would encrypting data (say, using TrueCrypt, or CryptainerLE) before sending - on both ends, of course - protect against packet sniffing snoops? Does anyone know? That routine would be a real pain for my daughter and son-in-law, but might be worth it if no other solution can be worked out.

Carol Haynes:
If you set your daughters computer to a randomly named workgroup then there isn't even the possisbiliy of the two computers seeing each other because they aren't on the same network. For the two computers to interact through the router they would have to be joined to the same workgroup AND have file sharing enabled.

If you disable file sharing on your daughters computer AND set a random workgroup name (avoid WORKGROUP and MSGROUP which are both MS defaults and avoid anything guessable) then her room mates computer won't even see your daughters computer on the network.

As for packet sniffing I think for most people that is entering the realms of fantasy unless her room mate is a really knowledgeable hacker. Far more likely that the packets will be sniffed by malicious people on the internet!

Sorry if my post was confusing above - I thought the room mate would have access to the laptop too - so restricting the users to user mode (good practice anyway from Vista onwards) would minimise potential interference.

As above setting a BIOS password effectively stops anyone accessing the computer (including your daughter if she forgets the password)!

Re. router in a cupboard - I wouldn't think hinges etc would be much of an issue if the majority of the cupboard was wooden. Some of the 802.11n routers (esp. the Netgear routers) have really strong transmission (much more than the 802.11b or g routers) which gets through walls without problems - a cupboard should have negligible effect in a room!

PS - most routers are manageable remotely (at least all the ones I have seen are) so you can connect via the internet. You can also set them to email you with any changes made to router setting or other events. Check out the router settings.

PPS - I suppose the reset button is present because mostly routers are either locked away or in the home where there isn't a real issue. If it didn't have a reset button and the settings got scrambled or corrupted (which happens) what would you do?

40hz:
If her roomate's machine has been compromised, or is hosting some sort of zombie-bot, the only machine that would be affected would be her roomate's.

There is only one situation where this might cause a problem for your sister:

If they're both on the same DSL or cable connection, any illegal thing her roomate's machine did (i.e. spam botting, participating on a DOS attack, bootlegging copyrighted materials, sharing kiddie-porn via P2P, etc.) would lead an investigator right back to the WAN IP address on your router.

Depending on the circumstances, you could have your service shut off; possibly get a call from your ISP's security department; or receive a very unpleasant visit from law enforcement officials.

But this is all "worst case scenario" stuff - and pretty far fetched. I wouldn't worry too much about it.

If something very serious went down, I doubt your sister would ultimately be the person in trouble since it wouldn't be her machine that was causing the problem. But establishing innocence and dealing with skeptical security people is a hassle best avoided whenever possible.

If your sister is that concerned, the easiest thing to do would be to just order an additional DSL/Cable line and put The Roomate (hmmm...starting to sound like a movie title isn't it?) on a completely different router.

End to end data transmission encryption (E2EE) is possible, but it's not easy to implement efficiently without additional hardware and some professional (i.e. expensive) assistance.

Data file or folder encryption however, is very doable with CryptainerLE or TrueCrypt. TrueCrypt is more suited to providing protection of files that aren't being transmitted. Think of it more as a strongbox. CryptainerLE is more suited for things you want to protect and send to other people.

If you encrypt your files before sending them, you're about as secure as you can get short of working for the government. Just encrypt whatever file(s) you want to send, and let the recipient know what the password is, and you're set to go. Most apps allow you to create self-decrypting executables so that the recipient wouldn't need anything other than the password to unlock your file.

Alternatively, you could use a public-key/RSA solution like PGP, in which case you could encrypt/decrypt without needing to share passwords at all.

 :Thmbsup:

40hz:
Quick note on reset buttons and DD-WRT.

The people who wrote DD-WRT have issued warnings regarding hardware resets.

If at all possible - do not use the hardware reset button. If you need to do a router reset, use the Restore Factory Defaults option under the Administration tab in the web interface whenever possible.

It is possible to "brick" your router with the hardware reset button. I don't know if the Linksys WRT L-series routers are susceptible to this problem. But the non-L ones definitely are.

I speak from personal experience on this one.  :-[

Navigation

[0] Message Index

[#] Next page

[*] Previous page