A question of ethics and security

r00k

r00k

2[H]4U
Joined
Aug 24, 2004
Messages
2,696
I'm sitting here at the desk of one of my clients, in a downtown business area of a larger city, working on repairing a windows xp installation.

And while her computer is doin it's thing, i pulled out the laptop, and what should i find, but an unsecured wireless 802.11g signal that i know does not belong to my client. So I did what i assume most any of us would, and that is, use it. Naturally, i wanted to learn what i can, and sure enough, the router uses the default password of admin. There are some dhcp leases out, but no machines reachable by scanning the networks full range of ip's. Which is fine by me. I do an ipchicken and find the ISP, the connection is great.

But now we delve into the other side of things - ethics. What i am doing is considered wrong by some, essentially white hat hacking (by mitnik's definition). I am not attempting to take this network over maliciously, breach it's security to cause harm, but i know that if it was this easy for me to do it, then someone who would want to cause harm will also have a very easy time.

The question is this - should i change the password on the router so that only i, a responsible and well-meaning individual, has the ability to mess with this router, thus preventing malicious individuals from gaining full access? I feel it is safe to assume that the owner does not ever change the settings of this router, they just want it to work, and if they really needed to make a change, they would have to reset the router and reconsider security anyway. Conversely, it is my intention to leave their wireless signal untouched, and not put any security on it because that would effectively disable it for the owner, which would be a malicious act.

Please share your thoughts.
 
don't mess with the router -- no matter what your intentions. bad things (tm) can happen

even if you have good intentions of not allowing a malicious person to hack into the router, you also instantly become a 'hacker' in the eyes of the law and un-technical people for changing the password on the router, and if, for example, it really was a honey pot wireless AP, then you could get yourself in alot more trouble than just letting it be
 
do NOT change the password, it's 'none of yo' business' :)

P.S. I've done this before at my house.... an insurance company over the hill had their wireless 'semi-open'(wep and DHCP turned off).... I figured out the password(admin was left at default and password was the name of their business) IP range(default for Linksys) logged in, found that they were using VNC, VNC'd in to a local machine, used the business name as the user name, and password for password and VOILA! I had acess to the machine they used to do insurance claims and whatnot. What I ended up doing was emailing the guy that set-up the network anonymously and telling him to lock it down.

QJ
 
r00k said:
The question is this - should i change the password on the router so that only i, a responsible and well-meaning individual, has the ability to mess with this router, thus preventing malicious individuals from gaining full access?
Click to expand...
Definetely not. By changing the system, you are likely to add a lot to a potential lawsuit should someone find out that you were the one in their network. Up to now, you could likely claim that this appeared to you as a public, free hotspot.
 
I'm with everyone else; don't change the password.

When I've run into this type of situation in the past, my preferred solution is to disconnect from the network and ignore it. Although I have in the past looked for a computer on the network with a shared printer. Printing something to the effect of, "I happened upon your network by mistake. You might consider calling a consultant to help you secure your system." tends to motivate them to secure their systems.

Even this, really, is beyond what would be considered acceptible by any John Q. Laws. I've only actually printed this message for a couple of the probably 60 or so networks I've encountered similar to your situation. One of those printings was as a proof of concept for a job interview (during the interview, btw).
 
I personally would disable WIFI on it.

I'm a systems administrator (hosting), and most people have the mentality to not even remotely think of securing things UNTIL they are comprimised. Rootkitted, trojanned, RAT'd, etc. Then I have to deal with explaining to some clueless "IT Admin" the importance of security.

This would push them to secure things. If only the router, at least something is secured. And what better thing to secure than the entry point of your network.
 
So I was in the neighborhood doing work on my uncle's house. When I looked over my shoulder to the neighbors home, I noticed the door open and no lock or any handles on any exterior door. Should I go to the hardware store and install locks on the door so nobody can get in there except for me? You know, to prevent mischief....

:p
 
itsmikey said:
I'm a systems administrator (hosting), and most people have the mentality to not even remotely think of securing things UNTIL they are comprimised. Rootkitted, trojanned, RAT'd, etc.
Click to expand...
unfortunately the US government disagrees with your stand. The laws are written to protect the people with less experience, less common sense, as usual. If not by accessing an unprotected WLAN, but certainly by changing anything on the router, will the OP be conducting an illegal act.
 
if you are indeed white hatting, find out who it belongs to..

go round there and tell them what you told us (well not all of it)

explain to them that you wre working across the street and the PC automatically connected to their AP, and it was unsecure..

seeing as you work in IT you might just score yourself a new client.

I'm with everone else here, don't touch a thing.. (I remember the first every attempt at war driving that I made back in 2002, the first AP that I found was unsecure, and belonged to diebold.. (who back then I had to google to find out things about)
 
You must log in or register to reply here.
Back
Top