Wireless ISP security issue

[sizere]

Hi,

I have a wireless internet connection which is to say my ISP has a transmitter tower on a line of sight hilltop which sends to the receiving antenna mounted on my house. Overall its a wonderful thing since I get 1.5mbps in both directions and I live too far out in the sticks to get cable or DSL service.

The problem is that someone is treating the transmitter as a 'hotspot' and has hacked my logon and password and is downloading a lot of data..best guess 60-100mb a day.

My plan allows for one gigabyte a month of bandwidth; beyond that I have to pay extra for the excess usage.

My ISP keeps telling me that it isn't possible to hack them.

But after dealing with their suggestion that it had to be spyware doing it to me I finally got my password changed this past Wednesday (07/21/04)..on Thursday I had about 18mb of traffic...but by Friday it jumped back up to 60+mb and today is up to 69mb and climbing.

I have Sygate Pro firewall installed, Nortan AV updated regularly, XP home with all updates and I routinely run Spybot and Adaware (both with latest updates). Additionally I have a bogus Hosts file that redirects all known adclick sites to 127.0.0.1. And my home network is hardwired.


So..what can I do to convince my ISP that they are being hacked? How is it being done? What can I do to protect my self? Is it possible to track down the culprit? If so, I would love to show them some 'mountain justice.'

Thank you.

Erick

[skiddieleet]

Is there any sort of encryption between you and the tower for when you have to use your username and password? Seems to me it would be fairly easy to sniff traffic between you and the tower. I would say if you have a spare machine you could use some sniffing software and save a log and show them that people can easily swipe your user and pass. Good luck.

[MK19]

You can also look into getting a more "directional" attenea. A parabolic is kinda expensive but it offers more direct signal and some of them you will have to either be in the line of sight or behind the tower.

You other choices are yagis, and sectional. Sectionals are not a good choice since they are expensive and spread out the signal more. Yagis narrow it down a bit but still have a spread to them. They are less expensive and you may even find ways of building them yourself (I've seen them made out of Pringle cans)

[annihilator_god]

First, I second what Heretic said... Any encryption is good (wep), and good encryption is better (wpa + tkip or aes). If the ISP doesn't have/allow encryption then you need to pound the idea into their head. What they should also do is use mac address authentication. But if someone was determined to get online they could probably use some method to find the mac address and then change the address of their card.

You could download some wifi sniffing tools from the web, get a schematic for a Pringles can antenna, and a brute force program. Then forward that data to the isp (better have a friend do it for you) and hope they wake up to the truth.

Second, this is just a "maybe" guess and might be (probably is) completely wrong. If your computer is on 24/7 and the antenna (to your computer, not the isp) is powered and connected, then the problem might be hardware. It "could" be that the ISP is sending out pings or something to see if you are still there, then your computer responds "yes I'm still here". Over a 24 hour period of time this might rack up some extra bandwidth, though I highly doubt the traffic would be in the area of 60+ mb/day.

Also, there is an alternative to this system out in the "sticks". You could get high speed internet through a satellite provider (like satellite TV). I doubt you would want to spend the money if you are fine with 1gb/month. I tend to use 3 gb+ per day on my cable modem. in fact, over the past 21 hours, I've sent 1.5gb and received 1.2 gb, and that is only on this machine, not counting the laptops.

Oh and tracking down the culprit for "mountain justice"... I highly doubt you could do it. Unless it's one of your friends who saw the login name and password written on a sticky note stuck on your computer monitor. But since you are here on AO, I highly doubt you would be that physically insecure.

[KorpDeath]

There shouldn't be a username and password for a wireless link. The culprit would have to use the same type of antenna you use to connect which would mean they'd have a different MAC address. If your ISP hasn't locked down their system to only allow the antennas they install to connect then I'd say go back to dial up, cause they are a joke AND a waste of money.

If what you say is true then maybe you should PM me with a phone number for them so I can ask them some questions.

If you want to try to solve the issue yourself then you could use ethereal to sniff for any other MAC addresses than that of your antenna and your machine. Report the MAC addressto your ISP and if your ISP is worth more than a pile of sh*t they should be able to isolate and track that MAC address.

[jr05linux]

i have never herd of a pass and username for wireless ut oky and more of a directional antena for more clearing of reception and

[shell_coder]

Sounds like you may have a problem with an attacker executing a man in the middle attack. I dont completely understand what is going on, but that is my best guess... The only good way to prevent man in the middle is buy encrypting the transmission between you and the ISP. I know its already been said, but in my opinion it is something that can not be stressed enough. Also, I happen to have written a few articiles on WEP and WPA... and beleive me,
WPA is not signifigantly better, just use 128 bit WEP its better than nothing. And if you really want to be secure, I threw a perl script together a while back for dynamic WEP keys... it only worked for Adhoc though. Hope this helped...

-Shell_Coder

[Highlander]

As well as using WEP, your ISP should also use
a Mac address as part of the logon....

[sizere]

First of all. thank you all for your responses.

Secondly, I inadvertently left out some information which may well have been necessary, to wit,
my ISP treats my pc as a VPN...so I log on with my username and password much like a dial-up connection.

The only thing wireless about my setup is ny connection with my ISP so I'm not sure how I could enable WEP...I suspect whatever encryption is used would have to be initiated by my ISP.

A directional antenna could help if it would keep the signal to a narrow pathway and if my ISP used a similarly configured antenna...I will look into this.

I did d/l Ethereal and WinPCap and ran them last night...got some very interesting traffic as my total for the day climbed to 109mb in downloads alone.

Today it is very quiet..currently at about 4mb and Ethereal is showing nothing beyond what I would expect in a secure connection. Which raises a question--Can packet sniffers detect the presence of other packet sniffers, so that a hacker could temporarily shut down his operation while I have Ethereal running?

And, no, I don't have my username and password 'stickied' to my monitor!..lol

In a worst case scenario, I will just keep paying the overages until such time as I can get a satellite connection set up cuz the thought of dial up is more than I can bear..no one in my neighborhood connects faster than 26,400 and that is like watching grass grow...<G>

Thanks again.

Erick

[shell_coder]

Yes, unfortunately packet sniffers can be detected. L0pht's antisniff utility, is the only tool that comes to mind right off hand. What do you mean by "interesting" activity... could you post some example logs?

-Shell_Coder