...twice is coincidence and three times is an act of war, Mr. Bond.

[Goldfinger, from the book of the same name by Ian Fleming]

Overview: This is my home network, consisting of two Win2k servers, hard-wired to the network, with automatic updates configured and functioning. One Win2k workstation, hard-wired, auto-updating and functioning. Two WinXP SP2 machines wirelessly connected to a MAC-filtered, WPA-PSK encrypted wireless access point, auto-updating and functioning. The WAP is a Netgear FWG114P configured to allow SMTP, RDP and HTTP to one of the two servers, and a secondary HTTP forward to one of the wireless laptops (mine), though the port on the laptop is no longer open, thus a dead forward.

Happenstance: The wireless laptop used by me is generally left connected with certain trusted web sites open in Firefox tabs, including my SSL work email (I know, naughty me). The wireless does drop from time to time, and if it is left for a while I find it best to try to connect to Yahoo prior to trying to refresh my work email or it fails out. Last night I restarted the laptop because it would not come out of hibernation; it was just doing too much, since I had two instances of IE also open, because you can't run StatTracker for fantasy football with anything but IE, and since yesterday was Sunday both windows were there. I then opened Firefox and attempted to log in to my work email. The certificate came up, which I accepted, and the login screen was presented. I put in my credentials and hit "OK". I was then warned that I was leaving an encrypted page. I thought about it for a second and decided to proceed. I was provided with my work email, all nice and up to date. I selected an email to read and was presented with the login screen..... Hmmmm..... Me no likey.... The connection was HTTPS, the address bar still indicated I was at my work site, but I hadn't been presented with the certificate..... I chose to proceed regardless, entered my authentication information and everything went well from there.... There was a niggle in the back of my head but I dismissed it.....

Coincidence: I got up this morning, got my coffee etc. and went to my wired workstation in my office. Since it was Tuesday it was time to check on the final results and standings in my fantasy football league. Upon finding how badly I am now doing, I noticed that my brother had left me a message, so I replied. As Yahoo does, it will ask you for your password if you have been inactive for a while; it did. I didn't think to check the address bar, but the page absolutely appeared to be Yahoo's login screen. I entered my password and was warned that I was leaving a secure page.... which is unusual... I accepted the warning and was presented with the login screen again..... Needless to say, red flags are up everywhere..... Since time is limited at this hour on a workday, I simply closed the two HTTP forwards on the router and checked for the existence of my logs from it on my wired workstation.

Those logs are the only ones I have, since I turned off my Snort some months ago because I use the VPN a lot for work and having two interfaces running crashes the computer if you fire up the VPN. I will be going through them in the near future.

Since arriving at work I have connected to home via RDP, enabled the external interface (outside the firewall) on my wired workstation and fired up Ethereal on it. I then connected to the wireless WinXP laptop and have enabled Ethereal there too. We'll see what happens over the next 24 hours.

Additional Facts:

1. My surfing at home is entirely predictable: work email, Yahoo, Yahoo UK and Sports, Reef Central, and that's about it.

2. My surfing on the laptop is exactly the same as on the workstation, but I also do some searches for woodworking stuff due to the bar construction. Basically, my surfing habits at home could be considered very low risk.

3. Sweetie Pie is a bit of an unknown quantity with regard to surfing. She does a lot of surfing for free stuff for her classroom, but since she got herself some nasty spyware through IE about a year ago she has been switched to Firefox and has shown to be clean ever since.

4. There are only two houses close enough to me to be able to hold any kind of connection to my WAP reliably. While I don't really know the neighbors, I don't believe they are technically adept enough to break my encryption (run with this for now, ok). Add to that the fact that I have never seen another WAP from my laptop, which implies that there is no wireless device usage in range.

Questions:

1. Should I readily accept the fact that the "act of war" will come, i.e. is this something more than coincidence?

2. Has anyone else noticed "glitching" like this, and did I just get two in unusually quick succession, making this look like a bad situation when it really probably isn't?

3. Am I a paranoid old bastige?

4. Any other thoughts or comments, since I'm not yet ready to begin a full-scale forensic investigation on 5 computers.... I'm trying to finish my damn bar..... and the login credentials I have used in these situations are in no way what I consider to be my secure ones, and won't be able to be used for privilege escalation or additional password guessing?
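The "leaving an encrypted page" warning described in both incidents is the one browsers of that era raise when a form on an HTTPS page submits to a plain http:// action. Whatever the cause turns out to be, the concrete thing to check in a saved copy of the suspicious login page is whether a password form's action downgrades to HTTP or points at a host other than the one in the address bar. The following is an added example and not code from the original post: it parses a page's HTML and flags password forms with either property. The page URL, the HTML and the hostnames are constructed for illustration.

```python
"""Flag credential forms that submit over plaintext HTTP or to another host.

Added example (not code from the original post). The sample page URL and HTML
below are constructed to mimic the symptom: a page served over HTTPS whose login
form posts to an http:// action, which is what triggers the browser warning.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect every <form> on the page and note whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # each entry: {"action": absolute URL, "has_password": bool}
        self._current = None  # the form whose inputs we are currently inside

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = attrs.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form, with the two red flags evaluated.

    plaintext: the page was served over HTTPS but the form's resolved action is http://
               (the condition behind the "leaving an encrypted page" warning).
    offsite:   the form's action host differs from the host shown in the address bar.
    """
    page = urlsplit(page_url)
    scanner = FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action = urlsplit(form["action"])
        findings.append({
            "action": form["action"],
            "plaintext": page.scheme == "https" and action.scheme == "http",
            "offsite": (action.hostname or "") != (page.hostname or ""),
        })
    return findings


# Constructed sample: HTTPS page whose login form posts to http:// on the same host.
SAMPLE_PAGE_URL = "https://mail.example.test/login"
SAMPLE_HTML = """
<html><body>
<form action="http://mail.example.test/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="OK">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""


if __name__ == "__main__":
    for f in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flags = [k for k in ("plaintext", "offsite") if f[k]]
        print(f["action"], "->", ", ".join(flags) or "ok")
```

Run against the HTML saved from the browser (View Source) rather than a fresh fetch from another machine, since a poisoned DNS answer or a transparent proxy on one network segment will not show up from a clean one. A form that is neither plaintext nor offsite does not rule anything out; it only means the page as rendered would not have produced that warning.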