Wait a sec...File Explorer showing I have a Cisco network bridge, not the Pace RG installed.

  • Question

  • Hi.

    Been hacked for a couple years more times than anyone I know.  It seems it follows me based on my logging in with my Hotmail.com ID.  For multiple reasons, we decided to install Cat5e in seven rooms at the house here where I work.  ISP is AT&T and package is Uverse450.  When I finished the Cat5e and moved the AP to a more central location for better wifi and shorter Ethernet runs, it was bliss for a couple weeks.  Then service went out and wifi performance was worsened for the 5GHz radio.  After trying to get back to blissful state I noticed in Windows 8.1 when I open File Explorer (FE) I have a label in the left column for "network."  I clicked on it and it gives me the properties window listing the manufacturer as Cisco and the model as WVBRO and the model number as WVBRO-25-US and it says it is my network infrastructure. However, AT&T has provided a Pace RG, not Cisco, and the Cisco showing and the Pace I'm supposed to be hooked up to have different MAC addresses.  Many confusing issues. 

    I do believe the neighbors have AT&T Dish service and someone said maybe they placed their Cisco product in the DMZ and my computer is picking it up.  AT&T didn't know what to say.  They sent a tech out and he said he didn't have any idea but that I should post the details at AT&T forums, so I did.  Because I don't know networking the thread is long with my shotgun approach to things.  Sorry about the length.  There are screen grabs and details.  Too many to replicate here.  If anyone has suggestions, I'm listening.

    Here below is the link to the long thread.

    https://forums.att.com/t5/Residential-Wi-Fi-Gateway/Wait-a-sec-That-s-not-my-router-I-m-on-Pace-not-Cisco-Am-I/m-p/4346229#M20566

    To moderators.  Not sure what forum to post this into since it involves multiple devices for both use and testing.  I chose this one because my Surface RT with 8.1 windows is what ID'd the Cisco network bridge product.

    Surface RT 8.1

    Dell Vista SP2

    Mac OSX 10.6.8

    Mac OSX 10.10

    and others.

    Thanks for listening.


    Thursday, March 31, 2016 2:42 AM

All replies

  • You say "neighbours", are you on the same network? Can you provide a network map?


    Best regards, George

    Thursday, March 31, 2016 1:56 PM
  • Hi,

    As George mentioned, you could try to check the network.

    In addition, you could also ask network providers for further help.

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, April 1, 2016 9:29 AM
    Moderator
  • Darn.  New here.  I forgot to put my email into my profile for notification.  I thought it was strange there was no reply, and true enough you folks have replied and I didn't know it until today.

    Yes I have spent many hours over months with AT&T, our ISP, on tech support phone calls, escalation tech support phone calls, as you can read about in the AT&T forum thread, they sent me a new Pace gateway and it was internet bliss for about two weeks until I believe hacked again.  They replaced the gateway with another Pace, same model 5268AC, and it was bliss for less than a day until hacked again or something.  They sent a tech out to investigate and he didn't know what was happening and asked that I post the problem on AT&T forum to get help.  There has been no resolution, so I am posting here also.

    Is there a chance someone has time to visit the AT&T forum I linked above?  Actually, here it is again.

    AT&T forum thread:
    https://forums.att.com/t5/Residential-Wi-Fi-Gateway/Wait-a-sec-That-s-not-my-router-I-m-on-Pace-not-Cisco-Am-I/m-p/4346229#M20566

    There are many screen grabs.

    Here is the main one that clued me in about the network map part of it.

     

    There is so much information that I could look at about this.  If I knew more I could be more surgically precise.  If you cannot view the thread at AT&T forums, please let me know.  Thanks for your help.


    Christopher Jay Wolff



    Wednesday, April 6, 2016 1:35 PM
  • In trying to communicate with the device, I went to Network and Sharing control panel and Setup a new connection or network.  Then in the dialogue box that comes up I selected "Set up a New network/Setup a new router or access point" and clicked Next. The following dialogue showed the Cisco router as the only device. It asks for a PIN to access it. A few days ago when I tried this it would only accept 4 digits no matter what. Today while trying to replicate that the dialogue box now says the digits can go up to 8. When I look on my Pace router the sticker shows the PIN and it is more digits than 8.  So as it was a few days ago when the limit was four digits, there is no way to enter my PIN from the Pace into this Cisco router.  Duh.  Just proving it out if anyone has any ideas.  It feels like someone knows way too much about what I'm doing and adjusts accordingly.

    Here are the screens.

    And here is the PIN request screen


    Christopher Jay Wolff

    • Proposed as answer by DubeySaurabh Sunday, December 24, 2017 5:25 AM
    Wednesday, April 6, 2016 4:30 PM
  • In response to George, sorry, I realize it is annoying to use a link to get more info.  There are pictures of network maps from Vista in the AT&T thread.  However the Dell with Vista is so old it only has 2.4 GHz radio so doesn't show the Cisco device in the map.  The closest I believe I  can get to a net map in 8.1 is using File Explorer and clicking network while connected to 5 GHz wifi on this dual band router.  Then add more columns to view.  It's not a map but indicative of some things that are going on with the network.  If you'd like something from the command line, let me know.

    The way the very long story went, it seems our router was hacked and taken over.  So now I show this Cisco router on my newest system, which is Surface RT8.1 and it is what provided the screen grabs here.  I don't know what this Cisco thing is for sure, but looking into it seems to show it is something to do with Dish network and network bridges.  That is based on the properties window of the Cisco device you see above.  I don't want to be hooked up to it.

    If you can imagine hacking a neighbor's router and how you would do it, please explain how to defend a router from this.  If I get a new router it will probably temporarily fix the problem as it did before.  Used to work beautifully for as much as two weeks.  Then got hacked and my Surface RT 5GHz radio shows only 2-3/5 bars.  Used to be 5/5 over most of house.  Also found the Cisco device showing as what I'm hooked up to.  Try to use your imagination because people have serious gobs of money and not enough to do sometimes.  I'm thinking virtual router or other virtual things too based on unresponsiveness of what is supposed to be our router page settings.  Also because of somewhat degraded performance overall.

    If I had a procedure to go by to buy and install a new router I would.  But I want to know better defenses before I spend more time and money.  This Pace doesn't even have MAC address filtering that works.  I'm not sure if due to hack or it is just starting shipping from Pace and AT&T before it was finished being designed.


    Christopher Jay Wolff

    Monday, April 11, 2016 3:18 AM
  • Protect the router with a whitelist of your network cards' MAC addresses.

    Or, if you know the attacker's MAC you can build a blacklist.


    Best regards, George

    Monday, April 11, 2016 5:12 AM
  • I found that I had a similar concern.  I was troubleshooting network issues after a power outage and I found that device listed in my router's configuration.  I opened up a connection to the device using wget from my Linux box and I found an index.html document that was returned by its onboard web server.  Here is the header that I found:

    ------------------------

    Vendor:LINKSYS ModelName:WVBR0-25-US Firmware Version: 1.0.35.163016 Firmware Builddate: 2014-08-26 18:05 Product.type: production Linux: Linux version 2.6.30 (root@build-vm) (gcc version 4.2.1 (ARC_2.3)) #1 Tue Aug 26 10:47:37 PDT 2014 Board: titans

    ------------------------

    There are many more details I could share, but I don't think that they are relevant.  I copied down the MAC address listed in the index.html document that I downloaded from the device and I went around the house looking for the device that had that MAC address.  I have DirectTV and I found that it belonged to the wireless video bridge that enables my DVRs throughout my house.  Mine was jammed behind my TV where it wasn't visible.  You might want to check for it if you have service.  If not, then your neighbors might be using your hotspot.

    Friday, November 4, 2016 1:57 PM
  • Thanks Mike!!

    That's interesting.  I've left investigating this for many weeks.  I have so little knowledge of networking it is a slow go for me and I remain busy.  I have looked at the MAC addresses of our stuff and nothing matches the Cisco bridge that I can ID.  Everything on our RG device list is accounted for except for my dad's Mac Mini, which is apparently on a different subnet or something.  If he is the one who changes it he won't say.  I sometimes have to get on his system and I put it back on the same subnet, but later it is gone again, and the RG's Device List has been reset.  How would I find his Mini from my machine, without getting on his, if I have the RG passwords and don't see his Mini on the RG Device List?

    One thing I meant to try months ago, is to plug his Mini's Ethernet cable directly into the RG on Port1 for instance, rather than the switch where it normally is plugged.  Then the RG page should list something on Port1.    And this Cisco bridge is only showing via File Explorer, not in the RG Device List as far as I can see.  From what I've observed, Cisco bridge shows only in File Explorer when I'm connected to 5GHz Wifi.

    Someone tried to advise me if I cannot connect via PIN to the Cisco bridge then it's nothing to be concerned about.  Makes no sense to me.  If it shows as my network infrastructure, then I'm connected to it, I just don't know the PIN.  That doesn't mean whoever owns the Cisco isn't free to roam our LAN.  It seems like if it were an AT&T legitimate thing, someone would have told me that in technical terms by now.  Maybe it is our video wifi that comes with a Uverse subscription, in a similar manner to yours.  But they would have had to build it into the STB as I cannot find any extra equipment anywhere, plus my computer shows up as connected to the bridge.  I have wondered things like, does AT&T have a bridge up the link somewhere away from our house.  That doesn't make sense to me either.  I also wonder, am I not supposed to see the Pace RG as infrastructure via File Explorer?

    One other thing I believe I mentioned on another forum about this months ago, as you see in the earlier screen grab above, the Discovery Method listed in File Explorer for the Cisco bridge is WCN.  When I stop the WCN service to be rid of the Cisco bridge, the Cisco bridge still shows up in File Explorer, however the Discovery Method column is blank with the WCN service off, and everything seemed to still function.

    In response to George, sorry I'm late getting back.  The whitelist approach is something I tried via MAC address filtering.  In the RG settings page, this filter is only available for 2.4GHz Wifi, not 5 GHz where the Cisco shows up.  If I remember correctly, while the filter says it's there and usable, I couldn't get the 2.4 to function at all.  So was going to replace RG with one that has functionality, or put router behind router so I can try to protect our stuff.  Lots to learn and too busy.

    Hope to work on this soon, but have a plumbing leak to work on right now.

    Thanks.

    Chris


    Christopher Jay Wolff

    Friday, November 4, 2016 5:57 PM
  • I'm having the same problem, did some research, and this is what might be the problem. Got the MAC address from CISCO00437 and found a model number and part number WVBRO-25 which is a bridge for DIRECTV(AT&T), someone in my neighborhood has one of these and is getting into my system, not getting signal but being picked up by my system. Checked my router's clients and that MAC is not included, still it is affecting my signal and networking capabilities.  Is this not against the FCC laws?
    Sunday, November 6, 2016 4:56 PM
  • I found out I can shut off WCN and the Cisco bridge FINALLY is gone from FE for a whole day now.  As mentioned earlier I tried to shut off the WCN service in Services, but all it did was remove the word "WCN" from the "Discovery Method" column of FE for the Cisco bridge entry and leave it blank.  With the dll renamed so it cannot load, now the Cisco bridge is not showing at all in FE.  But, I still have sluggish and weak signal 5GHz WiFi.

    My old Dell Vista machine is really cranking along today.  Whew.  Tried to get Full Net Map since I was on Vista machine today.  Wouldn't show.  Got this.


    Christopher Jay Wolff

    Tuesday, January 3, 2017 9:59 PM
  • You have or had a whole home setup from DIRECTV and this is their wireless modem. Check the MAC address with yours.
    Thursday, August 3, 2017 1:09 PM
  • I'm having the exact same behavior and have never had ATT/DISH/DirectTV installed on my network. Seeing quite a few mysterious devices show up in file explorer that don't show up in my router's connected devices.
    Friday, September 29, 2017 2:30 PM
  • Hi all.

    jmv43-

    My thoughts are similar.  But if I see a device that isn't ours in FE, then I don't trust my RG device list either.  This due to some features of the RG known to be failing.  With all of today's attack methods, I figure it is possible it is not just signal, but access also.  Some software did the handshaking to display the bridge in my FE, so something sure as heck happened.

    tdytexas-

    Have never had, and still do not have DirectTV.  As I mentioned in opening paragraph of this thread, I checked MAC addresses.

    jfarr12-

    I wonder what mysterious devices you have showing up.  And if they and their MAC addresses change like they have before in my FE.  

    I was hoping Microsoft could tell us what happens in order to get that bridge to display in FE and if that bridge is connected and being listed as my Network Infrastructure in FE, is my network bridged and open?  After all, someone at Microsoft wrote the code that allows the display of the bridge in FE, and the code which lists it as accessing via WCN.


    Christopher Jay Wolff

    Sunday, October 1, 2017 1:06 AM
  • DEC 13, 2017 @ 11:00 AM

    A Huge Security Hole In AT&T DirecTV Gives Hackers An Easy Route To Spy On Your Home

    https://www.forbes.com/sites/thomasbrewster/2017/12/13/att-directv-linksys-vulnerability-allows-spies-into-the-home/#2b1f04b44d0e


    • Edited by Tctrip Saturday, January 27, 2018 10:18 PM
    Saturday, January 27, 2018 10:17 PM
  • Thanks.  Disabling Windows Connection Manager under services worked for me. I had the same issue.
    Monday, February 5, 2018 8:39 AM
  • tctrip

    Thanks for the great article.  It sounds quite relevant.  I hope to take the time to learn how to investigate like that.  It's too bad the ISP doesn't show me how when here at the house.  Or on the forum.  I had similar response where I posted this same issue on the ATT forum, and someone suggested I learn busybox.  The link to ATT forum version of this thread is somewhere above.

    Tammie W.

    Thanks Tammie.  I don't know how you got it to work.  I'm running Surface RT 8.1 and when I disabled Windows Connection Manager, it warned me that autoconfig for WLAN and WWAN would no longer function.  So I tried it anyway.  It immediately disconnected my wireless 5GHz connection, which is where I have this issue.  If I never need wireless this might do somehow, but I'll probably not investigate this method much further as I sometimes have to get off Ethernet and use wireless.  I usually tend to use the 2.4GHz since this issue shows up on 5GHz.


    Christopher Jay Wolff

    Tuesday, February 13, 2018 4:52 PM
  • It didn't work after all.  I've tried MAC filtering in every possible location on my Verizon router.  I recently found a 'Cisco' folder under event viewer/applications and services logs.  I also have a TRENDnetAPS Access Point, model number: TEW-638PAP showing up. 

    I finally installed Vistumbler and found the MAC address and the associated SSIDs for both.  If you have an antenna (I don't), then you can use the geolocation feature. 

    I intend to complain to my ISP now that I have screen shots of Vistumbler and file explorer. Frustrating and interesting at the same time. 

    Tammie


    • Edited by Tammie W Sunday, September 23, 2018 6:24 AM
    Sunday, September 23, 2018 4:53 AM
  • I found a link on how to block a Wi-Fi network. I typed the below netsh command into Windows PowerShell.  The interface returned "The filter is added on the system successfully".  I then ran netsh wlan show filters to verify, and the SSID is listed under the block list.  I also checked the wireless icon on the Windows taskbar and it doesn't show up in the list of available networks.  Prior to, Vistumbler showed the below SSID at a 43% signal strength and active.  After I did the netsh command, it's now 'dead' and 0%.  After seeing it work, I permitted my SSID, and by default, it blocks everyone else (per the article).  I still left an explicit deny for the rogue SSID.  After about 8 hrs straight on this, I'm calling it a night.  Good luck to all!

    netsh wlan add filter permission=block ssid=DIRECTV_WVB_25226521380 networktype=infrastructure

    https://www.maketecheasier.com/block-wifi-network-windows10/


    • Edited by Tammie W Sunday, September 23, 2018 6:30 AM
    Sunday, September 23, 2018 6:23 AM
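
The allow-list setup described in the post above, as an added example that is not part of the original post: it permits one SSID, keeps the explicit block, and adds `denyall` for both network types, refusing to continue if your own SSID is not visible with that exact spelling. `$HomeSsid` is a placeholder parameter you supply; the script assumes Windows PowerShell run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): allow-list one SSID with netsh wlan
# filters and hide every other network from this PC's Wi-Fi list.
param(
    [Parameter(Mandatory = $true)]
    [string]$HomeSsid,                              # your own network name, exact case
    [string]$BlockSsid = 'DIRECTV_WVB_25226521380'  # SSID quoted in the post above
)

# netsh wlan needs the WLAN AutoConfig service (Wlansvc) to be running.
$svc = Get-Service -Name Wlansvc -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "WLAN AutoConfig (Wlansvc) is $($svc.Status); start it first."
}

# SSIDs the adapter sees right now; netsh prints them as "SSID 1 : name".
$visible = @(netsh wlan show networks | ForEach-Object {
    if ($_ -match '^SSID \d+\s*:\s?(.*)$') { $Matches[1].TrimEnd() }
} | Where-Object { $_ })

# The thread reports that a misspelled SSID is accepted without complaint,
# so compare against the visible list (case-sensitive) before adding anything.
if ($visible -cnotcontains $HomeSsid) {
    throw "'$HomeSsid' is not among the visible SSIDs ($($visible -join ', ')). Not adding denyall."
}
if ($visible -cnotcontains $BlockSsid) {
    Write-Warning "'$BlockSsid' is not visible right now; check spelling and case."
}

function Add-WlanFilter {
    # Runs 'netsh wlan add filter' with the given arguments and keeps its reply.
    param([string[]]$FilterArgs)
    $text = & netsh wlan add filter @FilterArgs 2>&1 | Out-String
    New-Object psobject -Property @{
        Filter   = $FilterArgs -join ' '
        ExitCode = $LASTEXITCODE
        Message  = $text.Trim()
    }
}

# Allow entry first, so the denyall entries never hide your own network.
$results = @(
    Add-WlanFilter @('permission=allow', "ssid=$HomeSsid", 'networktype=infrastructure')
    Add-WlanFilter @('permission=block', "ssid=$BlockSsid", 'networktype=infrastructure')
    Add-WlanFilter @('permission=denyall', 'networktype=infrastructure')
    Add-WlanFilter @('permission=denyall', 'networktype=adhoc')
)
$results | Select-Object Filter, ExitCode, Message | Format-List

# Show the resulting allow and block lists for review.
netsh wlan show filters
```

To undo an entry, run `netsh wlan delete filter` with the same `permission`, `ssid` and `networktype` arguments.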
  • Tammie.

    That was interesting.  I immediately tried it using the SSID for the neighbor's DirectTV showing in my WiFi selection menu.  I used elevated command prompt and netsh.  After first failing for dot3 service not running and getting it started, it then reported successful.  Then I did show filters and it was there.  Yet same SSID for neighbor's DirectTV still showing in my WiFi selection menu and Cisco infrastructure still showing in FE.  No change.  Then I thought maybe you got magic from Powershell, so tried it there and it reported filter already exists.  Rebooted, no change.

    Pretty sick of this.  Once again, as is wayyy too common, when I tried your filter from command prompt and discovered dot3 service not running, I launched services and found I need to turn on about 40-50 services, including Defender for network (disabled).  If I recall, the most important security services were disabled and many needed services were off and set to manual.  A few services had greyed out options, for instance I couldn't change some from Manual to Automatic.  I didn't make a note of it as it's all too much information for me.  Maybe there is a way to run Services.msc from admin.  It makes me wonder how the computer can function as good as it did with all that off.  Also, by going through all my services, I found a French one.  Could it possibly be a legitimate service?  Note double space between "Office" and "Source" in the title.  Not usual looking for Microsoft.


    Christopher Jay Wolff


    Sunday, September 23, 2018 1:59 PM
  • I have this service.  Here is my path: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE".  Nothing under dependencies, log on as LSA, start type: manual, description: Saves installation files used for updates and repairs and is required for the downloading of Setup. 
    Sunday, September 23, 2018 2:24 PM
  • I will also add that when this first happened, I tried my best to lock down my Win10 machine.  I used the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Win10 https://www.stigviewer.com/stig/windows_10/2017-04-28/.  It took a few hours and I did not implement everything (e.g., domain-specific recommendations), I also had to upgrade the OS so I can have full drive encryption. 
    Sunday, September 23, 2018 2:36 PM
  • "I immediately tried it using the SSID for the neighbor's DirectTV".

    How did you confirm the MAC address for your neighbor's SSID?  Did you use Vistumbler? Also, make sure there are no typos when you enter the command.  I initially typed DIRECTV_WVD instead of DIRECTV_WVB and it let me enter the command just fine.  I couldn't figure out why the SSID was still in the list until I went back and checked the spelling.

    Sunday, September 23, 2018 9:14 PM
  • Hi Tammie.

    OSE Service

    I have same path.  But it shouldn't be in French I don't think.  About a month ago I had someone email me a recording they made by hacking my phone and listening in on a conversation I had with someone.  My phone always kept working, but was almost as smooth as it probably should be.  I understand a person can use TOR on Onion Net and browse for hacking kits that target different systems.  I imagine it might be like this for my two Surface RTs.  If so, (and of course maybe it's not so, but still...) then if a French hacker designed a kit to attack Surface RTs, and recompiled OSE.EXE with malware, and didn't make his kit in all languages, then could this be the reason mine is in French?  Is yours in French?  Do you have the double-space?  If so, then hurrah!!  Microsoft is just looney.  In the past I had two One-Note related extensions in IE11 that would show up in French.  Made no sense either.  Surface RT performed way better when I deleted them from the registry so they no longer appeared in IE11 Add-ons.  I don't use One-note.  In the past, I have also had official looking updates that seemed like malware.  Cannot remember the details.  What better way to install malware than learning how to fake sec. certs.

    Locking down system.

    I haven't looked into those docs but may get there.  When I try locking things down little by little as I understand what to do, I then get a hack that is debilitating and am forced to wipe and reset and start all over.  During that time, I'm supposed to be keeping up with work.  Last week I think I reset 3 times on one Surface as I felt it wasn't clean.  The first reset I left alone to go work and when I came back it was locked up and wouldn't update any more.  During setup I always stay disconnected from Net so I can turn off updates until I feel ready.  This third reset still hasn't had any updates.  Maybe French will go away when and if I update.  Back when I did the second reset last week, I did all the updates except 8 optional ones, so I think the total was just around 200 updates and took hours.  Still got messed up.  Surface RT is set to have secure boot and bitlocker always on.  Has been running fairly decently with this 3rd reset and no updates.

    MAC addressing and Vistumbler and WiFi Analyzer Classic by farproc.

    I didn't see any reference to MAC in your post and used the command prompt and Powershell without MAC address.  The MAC address shown in my April 11 post above from FE is showing, but I simply entered the SSID as in your example.  In the WLAN context of netsh I ran show networks and got the SSID and it matches the one showing in WiFi Selection menu.  When add filter didn't do anything, I triple checked spelling and I would have had to make the same error in powershell since it said the filter already exists.  Tried Vistumbler on old Dell, and it shows quite a bit of info but does not list DirectTV SSID because I only have my old Dell with 2.4 WiFi.  Surface RT is ARM-based processor so not Intel-compatible and cannot run Vistumbler.  My Windows 8.1 RT is what is showing the DirectTV connection to our LAN in FE.  None of our Macbooks or the Dell or Cell phones show the DirectTV connection as far as I can tell.  Rather than Vistumbler, I use WiFi Analyzer Classic by Farproc downloaded from Google Play and run on cell phone.  Very helpful.  The negative reviews of it I read a few minutes ago are wrong.  It has not added new requests for more permissions access.  It simply works great as always.  Doing OUI lookup of neighbor's DirectTV MAC comes up with Wistron Neweb Corp. which led me to...

    https://community.linksys.com/t5/Wireless-Routers/Unknow-Online-Device-EA6500-Wistron-Neweb/td-p/847934

    Which doesn't tell me much.

    If I look at APs with my phone using WiFi Analyzer, it shows the familiar 2.4 and 5 WiFi APs, yet DirectTV SSID doesn't show up.  On Surface RT it is usually 2 out of 5 bars.

    So after these years of this, I have wondered if Surface RT with Windows RT 8.1 is the only cop that can show evidence, or if it's a bug.  It always feels like evidence, but I don't know enough.


    Christopher Jay Wolff

    Monday, September 24, 2018 4:16 PM
  • Holy #$%RR#$, I have been dealing with the last year and I thought I was losing my mind. I have had to reset my computer, phone, and every other electronic device so many times it is ridiculous. I thought I was losing it because there was no way all of mine and my wife's devices could get compromised so quickly, but then they never even went after any bank accounts so it just boggles me. How did you end up getting rid of it?
    Saturday, November 23, 2019 11:38 PM
  • I still had the problem after a blanket "netsh wlan add filter permission=block" except my own SSID.  I never removed the command.  Matter of fact, I had to deny network=adhoc too because something managed to pop up in my available networks.  The only downside is adding allow statements every time I travel and connect to a family member's wi-fi or like today, waiting at the dealership for service.  I was racking my brain because it is case sensitive and didn't have a "_" between the two words in the SSID. 

    I recently read other forums like this one and someone suggested that you should open up file explorer, right-click on the column headings (e.g., Name, category, etc.) and check them all.  That way you can see how the device is being "discovered".  I did that and sure enough WCN was under the discovery column.  I did some more research on how to disable WCN, but I can't remember my exact steps.  I know I disabled the service but I can't remember if I changed anything in the local security or group policy.  Haven't seen the "intruder" yet.  Not even a temporary pop-up like I saw before, but I'm not holding my breath.

    I removed wireless Hosted Network recently for sh&TS and giggles and when I went through my event logs, I saw someone/something trying to connect using Windows Hello for Business.  Didn't have time to research, but I disabled that in group policy too.  Definitely nothing in msconfig.  Last time I changed something there was in October.  

    Sunday, November 24, 2019 1:57 AM
  • @CJK_Database

    I feel your pain.  Do you show Cisco in your File Explorer?

    @everyone

    Things I've noticed and some updates.

    Many, many, security updates from Microsoft on Surface RT 8.1 ARM and Dell Intel.  Praise God.

    On Surface RT with ARM architecture I often would find ADS binaries attached to Favorites (Browser bookmarks) and what I'm calling forensic screen grabs, since I'm saving the grabs to prove something about potential malware.  I guessed the ADS might be malware and placed on my Favorites and forensic screen grabs because the thinking might be the ADS will have longer life expectancy because I don't want to delete my bookmarks nor my screen grabs.  I don't know enough and don't know how to investigate the ADS binaries themselves.  I only know to delete them.  Maybe they were legitimate but I doubt it. They were, at a minimum, not necessary and deleting them gave both systems performance improvements.   Often discovered them on Surface RT by temporarily having backups of Surface RT residing on the Dell with Intel architecture while coincidentally running the ADSSpy.exe.  Then if I want to look at Surface RT ADS there are no tools like ADSSpy.exe for ARM architecture that I know of other than the built-in CMD.  For me it's a slow go with command line.  I'd have to master the use of DIR command and write a script I guess.

    Upgraded Vista to Win10Pro with Bitlocker.  Hurray!!

    Please enjoy visiting the ATT forum thread mentioned above.

    I learned from a free Net class teaser provided by CQUREacademy.com that it is possible to hide a running process from Task Manager.  I guess security providers must know about this.

    I suppose, I and my devices and WAN are "fun" to hack for voyeurism and practice, due to many platforms and devices.  Once the word gets out, maybe it's open season.  No idea.  Just a thought.  There is a large and famous Computer Engineering School here at the local University.  Too much damage to my devices from hacking or me obtaining forensic proof (bank account issues) would cause a law enforcement investigation and possibly end the hacking practice opportunity.  So maybe it's more like hacking for educational value rather than theft.

    A good secure router with security features that work, behind AT&T router should help.  I haven't even gotten that far yet.

    A good VPN that doesn't have backdoors may help.

    Put a 3M post it on cameras and turn off devices when not in use.  A couple weeks ago I got out my old Moto X cell phone with Android 5.1 for use with a USB webcam on a 20 foot selfie stick I use for hand-held inspection tool.  Phone battery had died in drawer.  Charged it, used it.  Now it sits on my desk the last couple weeks and it turns itself on by itself once every day or two.  Come on.  Really?  I keep shutting it down.  It turned itself on again this morning.  I'll remove the battery or run it down. 

    I met an AT&T installer on the sidewalk at a business downtown.  I decided I had to ask him about my problems and mentioned being sent to the AT&T forums and he listened for a few minutes.  He concluded, if they want in they're gonna get in.  Not the answer for which I'd hoped.

    If your devices are on and in the same room, live like you have an untrustworthy roommate with you.

    In the end, I think the reason I no longer see the Cisco router on Surface RT in File Explorer (FE) is because the neighbors dropped DirectTV a few months ago.  But why does Surface RT ARM still have less than 5/5 bars with both 2.4 and 5.0 GHz WiFi?  No idea.  When it was bliss, I had 5/5 over the whole house, except at one extreme end where 5.0 dropped to 3-4/5 as expected for 5.0.  Now, for about 3 years, the very best is 4/5 bars for both 2.4 and 5.0, with 5 GHz often less.  Even if 3 feet to 15 feet away from RG.  Maybe AT&T changed the RG firmware to reduce amplification.  Or could malware accomplish that?  There is a wifi radio setting in the AT&T RG pages but I always have the slider at 100 percent amplification.

    Now switching to cell phones even though it may be unrelated to Microsoft.  I think it is still relevant.  Interesting development on old Moto X phone with 5.1, and also on new cell phone with 9.0 to this day.  The moment a call is placed or received, I first get the sound of a satellite uplink connection.  So I'm thinking Ham radio operators?  I understand they have access to Satellite usage.  Really?  That has been happening for about 3 years to me.  Many, but not all calls.  No one is saying anything about this where I've asked.  As soon as the connection is made, the first thing I hear is a two-toned screechy blip.  Sometimes it occurs three to five times over the first 1-2 seconds of the connection being made.  No idea about this really.  Been happening to me for years, but intermittently.  I don't know anyone else who has this happen.  The recording I have doesn't do justice to how loud it is.  It startles me and I have to move the phone away from my ear.  I'll try to upload a recording but you'll only hear it once at the start of the call.

    https://1drv.ms/u/s!AqrwEjAAuTqeugVLgeQ1WVgU9q6k

    For years I've complained to AT&T, which is also my cell phone service provider, about weak or dropped signal.  Very irritating.  Since I got new phone earlier this year, it made me think differently.  I called manufacturer and they had me try many things.  Nothing changed.  One problem I've had with both old and new phone is while looking at phone at idle, it shows 3-4/5 bars 4G LTE. When I make or receive calls it switches to 1-3 bars of H or H+.  Last week I experimented with new phone.  While idle phone showing 4/5 bars 4G LTE, I changed settings to only allow LTE and nothing else.  Afterwards, I confirmed signal remained at 4/5 bars 4G LTE, and tried to place a call.  I had no service.  Could not place any call or text.  I then decided to pick up the landline and dial my cell phone.  The landline call went immediately to cell phone voice-mail and my cell phone never rang.  It just sat in my hand showing 4-5 bars of 4G LTE.  LOL.  Did I do something wrong?  Is that a valid experiment?  Does "LTE only" setting not include 4G LTE?  Then just a few minutes ago while checking wifi before posting here I found a wifi named Stingray.  You've got to be kidding me!!!!  Someone named their wifi "Stingray"?  It must be coincidence, yes?  Also, for years, you can see we've also had someone in the area with Comcast hookup for internet and no security so anyone can get on the internet.  I asked the neighbors and no one admitted having it.  I called Comcast a couple years ago about it thinking they would do something or care.  The lady said they do that all over the USA to let people try the service.  Could that really be true?  I doubt it, but maybe it's true.  But maybe it's for another purpose.  Also in the same screen grab of wifi radios you can see A2wireless wifi radio which is a business located miles away.  How does that show up here?  They've been showing up for years.  I called them a couple years ago to ask about it and they must have thought I was a hacker or something and hung up on me.  How is that business showing up here?  Screen grab and a link.

    WiFi radios in local area that seem suspect.

    https://nakedsecurity.sophos.com/2016/11/08/who-needs-a-stingray-when-wi-fi-can-do-the-job/

    All the best.

    Chris


    Christopher Jay Wolff

    Sunday, November 24, 2019 5:02 PM
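
The post above mentions needing a script to list ADS (alternate data streams) on a device where ADSSpy.exe does not run. The following is an added example, not part of the original post: a Windows PowerShell listing that uses the built-in `Get-Item -Stream` (PowerShell 3.0 or later, NTFS volumes) and reads only the first two bytes of each stream to flag an executable header. The folder paths and the short list of commonly benign stream names (`Zone.Identifier` for the download mark, `favicon` for Internet Explorer favorites icons) are assumptions to adjust.

```powershell
# Added example: report alternate data streams (ADS) under chosen folders.
# Needs Windows PowerShell 3.0+ and NTFS; "-Encoding Byte" is Windows PowerShell syntax.
param(
    # Assumed folders; pass your own with -Root.
    [string[]]$Root = @("$env:USERPROFILE\Favorites", "$env:USERPROFILE\Pictures")
)

# Names commonly written by Windows itself (an assumption to review, not a guarantee).
$KnownBenign = @('Zone.Identifier', 'favicon')

function Get-AdsReport {
    param([string[]]$Path, [string[]]$Benign)

    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Every file has an unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read two bytes only, to flag a PE header ("MZ") without running anything.
                    $head = @(Get-Content -LiteralPath $file -Stream $_.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                        KnownName   = ($Benign -contains $_.Stream)
                    }
                }
        }
}

# Unknown names and PE-looking streams sort to the top for review.
Get-AdsReport -Path $Root -Benign $KnownBenign |
    Sort-Object KnownName, @{ Expression = 'LooksLikePE'; Descending = $true }, Bytes |
    Format-Table -AutoSize -Wrap
```

A familiar stream name does not prove the content is harmless, so the `Bytes` and `LooksLikePE` columns are worth checking even on rows where `KnownName` is true. The report covers streams on files only; streams attached to directories are not listed.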