Defending a Wi-Fi Network

Promoting Defensive Computing is like nagging children to eat their vegetables. So, when a story hits the news with details of the absolute worst case scenario, it's a teaching moment.

Although the case of Barry Ardolf hacking his neighbor's Wi-Fi network has been known about for a while, it's being reported on again because Ardolf was just sentenced to 18 years in prison. His story should scare people into verifying that their wireless network is as secure as possible.

Things started in August 2008 when Matt and Bethany Kostolnik moved into a house near Minneapolis, Minnesota. The day after they moved in, their 4-year-old son wandered into the yard of the house next door to climb on a play-set. The next door neighbor, Barry Ardolf, returned the child, but while doing so, kissed him on the mouth.

Needless to say, the parents reported this to the police, and Ardolf then spent two years getting revenge. According to prosecutors, the incident

... caused the defendant to begin a calculated campaign to terrorize his neighbors, doing whatever he could to destroy the careers and professional reputations of Matt and Bethany Kostolnik, to damage the Kostolniks' marriage, and to generally wreak havoc on their lives.

In large part, he did this by hacking into their Wi-Fi network.

For details, see the article by David Kravets over at Wired. That article includes a link to the July 8, 2011 sentencing memo, with even more details on the case.

Havoc was indeed wreaked. Ardolf set up a MySpace page for the Kostolniks with child pornography on it. He created a new email account with the victim's name (mattkostolnik at yahoo) and sent emails from this account from the victim's house. These emails included child pornography sent to co-workers of Mr. Kostolnik.

From the same email account Ardolf made it seem as if Kostolnik, a lawyer, was flirting with some of the women he worked with.

Ardolf then seems to have picked the name of a woman out of the phone book and created another scam email account in that woman's name. Posing as her, he emailed two managers at Mr. Kostolnik's law firm complaining that Kostolnik "made sexual advances and grabbed at my breasts."

The wrinkle here is that these scam messages were sent from neither the Kostolnik home nor Ardolf's home. Instead, Ardolf hacked into yet another neighbor's wireless network.

Ardolf also impersonated Mr. Kostolnik when he sent death threats, again from the Kostolnik residence, to the Governor of Minnesota and one of their Senators.

The Vice President of the United States was also sent threatening emails from yet another fraudulent email address with the Kostolniks' names in it. All told, Ardolf threatened public officials three times. No surprise then that the Secret Service eventually visited Mr. Kostolnik at his workplace.

Bethany Kostolnik, the mother who initially complained to the police, was also harassed.

In one instance she was sent an email from Ardolf through her employer's website. Yet another falsely created email account was used to send this note:

I know your husband Matt[,] and I'm going to get him! He's going to pay for getting me pregnant. Hell, he already has 3 kids with you. I don't blame him for asking me to have an abortion. He goes out at night but he isn't alwasy [sic] doing what you think he's doing.

When the FBI raided Ardolf's house, they found he was working on still another email, this one to be sent to Bethany Kostolnik's boss, claiming inappropriate behavior by Mrs. Kostolnik in the performance of her job.

Sleuthing

Mr. Kostolnik's law firm hired another law firm to investigate. The investigating firm hired a computer nerd who set up detailed activity logging on the Kostolniks' home network.

How many of you work for a company that would do that for you?

Fortunately for the Kostolniks, Ardolf continued his attacks after this logging had been enabled. Still, had Ardolf been better at hacking, he might have gotten away with it.

The critical break in the case came when the logs showed that a threatening email message had been sent from the same computer that was used to check Ardolf's email. Many email programs are configured to periodically check for new messages. This is most likely what happened on Ardolf's computer. A better hacker would have used a clean system when doing mischief.

Defending Yourself

There is nothing you can do about someone opening an email account in your name. Even if you already have accounts with your full name, a bad guy can make a minor modification, such as adding a year at the end.

The defense here is to never believe the FROM address of an email message. If you've been reading this blog, you'll know that I'm repeating myself, but it bears repeating.

The most important lesson from this story has to do with Wi-Fi encryption. I covered this back in September 2009 (see The Best Security for Wireless Networks), so I'll be brief here.

There are three types of wireless network security: WEP, WPA and WPA2.

WEP is what the Kostolniks were using. It stinks. It's easily hacked. In fact, a case might be made that installing a new router with WEP enabled is malpractice. In November 2010, I tried to make this case when I asked Is Verizon guilty of malpractice?

WPA is not the best, but it's probably good enough. The terminology here is confusing, however. When people refer to WPA encryption, they are really referring to TKIP encryption; the two terms are used interchangeably even though, technically, they refer to different things.

The best encryption is WPA version 2, or WPA2 for short. But you don't just choose WPA2; you also need to choose an encryption scheme for it. I mention this because TKIP can be used with WPA2 as well as with WPA. Using TKIP with WPA2, in effect, makes it WPA.

When you opt for WPA2, be sure to also opt for CCMP, the improved version of TKIP. Sadly, only nerds use the term CCMP; most others refer to it as AES.

In summary, the best option is WPA2-AES (or WPA2-CCMP to techies).
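
To check what a network actually advertises, rather than what the router's setup page claims, the following sketch sorts scan results into the categories above. It is an added example, not part of the original post; it assumes scan text laid out like the output of the Linux `iw dev <iface> scan` command, and the sample networks are constructed.

```python
import re

# Constructed sample modelled on `iw dev <iface> scan` output (layout assumed).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: old-router
BSS 02:00:00:00:00:03(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: wpa2-tkip
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:04(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: wpa2-aes
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
"""

def classify(scan_text):
    """Map each SSID in the scan text to the security it advertises."""
    results = {}
    for block in re.split(r"^BSS ", scan_text, flags=re.M)[1:]:
        ssid = re.search(r"^\tSSID: (.*)$", block, re.M)
        privacy = re.search(r"^\tcapability:.*\bPrivacy\b", block, re.M)
        ciphers, section = {}, None   # RSN is the WPA2 element
        for line in block.splitlines():
            top = re.match(r"\t(\S[^:]*):", line)   # top-level field name
            if top:
                section = top.group(1)
                if section in ("WPA", "RSN"):
                    ciphers[section] = set()
            pair = re.search(r"Pairwise ciphers: (.*)", line)
            if pair and section in ciphers:
                ciphers[section].update(pair.group(1).split())
        if not privacy:
            rating = "open"
        elif not ciphers:             # encrypted, but no WPA or WPA2 element
            rating = "WEP"
        elif "RSN" not in ciphers:
            rating = "WPA"
        elif "WPA" in ciphers or "TKIP" in ciphers["RSN"]:
            rating = "WPA2 with TKIP allowed (in effect WPA)"
        else:
            rating = "WPA2-AES"
        results[ssid.group(1) if ssid else "<hidden>"] = rating
    return results

if __name__ == "__main__":
    for name, rating in classify(SAMPLE_SCAN).items():
        print(f"{name}: {rating}")
```

A router set to a mixed WPA/WPA2 mode advertises both elements and is reported in the "in effect WPA" category, because clients can still connect with TKIP.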
