
How do I keep myself safe from others on my LAN?

Question:

How do I stop my brother from seeing my surfing habits in my wireless
laptop? In our house he has the Desktop and the cable router. I’ve set the
connection up with WPA-PSK and I have Norton Internet Security 2007 and my
Windows firewall is on with "don't allow exceptions" checked; is that
enough?

I can’t help you with your brother, but I want to address this question
because it raises a number of issues around the assumptions that we make when
using our computers at home: assumptions that can affect our security and our
privacy.

If you have a tech-savvy snoopy brother like the person asking this
question, you won’t like the answer.


When we set up a home network we put a lot of emphasis on security, or more
specifically keeping “us” safe from “them”. By “them” we mean all the purveyors
of spyware, viruses and what-have-you out on the internet, and by “us” we mean
the machines at home, usually on our local network.

In fact, we often think of the line coming into our home as the boundary. On
the internet side of our router or broadband modem is “them” – the internet –
with “us” on the local network or LAN side.

The implicit assumption we’re making is that every machine and user on our
LAN is trustworthy. I’ll guess that more than 80% of the time that’s a valid
assumption. It’s certainly the explicit assumption I make on my home
network.

What if that assumption is wrong? What if you can’t trust everyone
on your home network?


Then you have to treat your home network as if it were the internet. Then
you have to set up things like firewalls on each machine you want to keep
safe.

Then you need to start thinking about privacy in a whole different way.

And that last one isn’t pretty.

I know the original question was about wireless sniffing, and I’ve discussed
some of the issues there before. Using WPA is one good way to keep things
fairly secure. But there’s a much, much larger problem here than just
wireless.

There was an interesting statement in the question: “In our house he has the
Desktop and the cable router.” The desktop’s no biggie, but the router? That’s
huge. Whoever controls the router has immense power. Anyone with access to
the router can typically monitor which sites you visit. Depending on
the router, they may even be able to monitor the traffic itself – reading your
email or viewing the web sites you view.

In the worst case whoever controls your router or connection to the internet
could go so far as to insert a hub “upstream” and be able to monitor all
internet traffic going to and from your entire home network.

Scared yet? It gets worse.

As we’ve heard with the recent router admin password vulnerability, it’s
possible to configure many routers to misdirect you. You may enter
“google.com”, but the router could send you somewhere else entirely. This
depends on your router’s capabilities, and the expertise of the person
controlling the router. It’s not common, but it is possible.

So what do you do?

It depends on your level of paranoia. If the person controlling your router
isn’t that savvy, you may be quite safe in simply making sure your WiFi is
encrypted by using WPA or even WEP and leaving it at that.

If they are savvy, and you believe that they have reason to invest a lot of
effort trying to spy on you, things get very difficult. Some things you may
want to do include:

  • Only connect to web servers via https. This encrypts all
    the data between your machine and the server, and renders it inaccessible to
    anyone in between, including whoever’s running your router. The bad news?
    First, not all websites – in fact very few – have https connections for
    anything except ecommerce. And second, even though he can’t see the data, your
    router admin can still see which sites you’re connecting to.

  • Consider using an anonymous service such as Tor. Not only does this encrypt
    the connection leaving your machine, as https does, but it also hides which web
    sites you’re visiting. The downside is that it can be much slower, and
    I believe it’ll be obvious that you’re using it – meaning that it’ll be obvious
    to whoever’s monitoring your router that you’re hiding something.

  • Use an encrypted connection to your email. Email is normally sent “in the
    clear” and thus could be read by anyone who has access to your router or
    internet traffic and knows how to do it. You can either encrypt the contents of
    your email – which still leaves the information about who you’re emailing
    visible – or you can use an encrypted connection to your email provider. That
    could be as simple as using an https-based web interface, or if your email
    provider supports it, configuring an SSL connection in your mail program’s
    account settings.

There’s a common theme above and that’s “encryption”. You can’t stop the
person who has administrative access to your router from being able to see your
data. You can encrypt that data so that it’s of no use to them.

Now, I’ll definitely admit that all that does sound like so much paranoia.
Certainly sibling interaction could be one reason for paranoia, but there could
be other reasons as well depending on personal situations.

However, I do want to be very clear that for most people there’s really
nothing to be concerned about. We’re the only ones to play with our own
routers, and we may not even have the skills to set up this advanced type of
network sniffing and monitoring. As long as we’ve protected ourselves properly
from “them” – the bad guys out on the internet – we’re safe on our LAN.

But I do think that it’s important to understand what assumptions that
safety entails.


6 comments on “How do I keep myself safe from others on my LAN?”

  1. Thanks for all the info. When I am connected thru my cable network and also have my wireless connection enabled, does the unknown person in the neighborhood who is leaking his connection (and I am picking up) have access to my internet usage since they are the ones with the router?

