Ask Slashdot: How Do You Best Protect Client Files From Wireless Hacking?
dryriver writes: A client has given you confidential digital files containing a design for a not-yet-public consumer product. You need to work on those files on a Windows 10 PC that has a wireless chipset built into it. What can you do, assuming that you have to work under Windows 10, that would make third-party wireless access to this PC difficult or impossible? I can imagine that under a more transparent, open-source, power-user OS like Linux, it would be a piece of cake to kill all wireless access completely and reliably even if the system contains wireless hardware. But what about an I-like-to-phone-home-sometimes, non-open-source OS like Windows 10 that is nowhere near as open and transparent? Is there a good strategy for making outside wireless access to a Windows 10 machine difficult or impossible?
Don't use wireless (Score:1, Insightful)
First post
Start buying copper wire and staples. (Score:2)
Here you go: Faraday cage. [wikipedia.org]
Re: (Score:2)
Or just disconnect the antenna plugs from the wireless card. It's not going to be able to talk to any networks if you reduce its effective range to less than 6 inches. You can always plug them back in when you're finished.
Re: (Score:2)
That can be difficult with some hardware designs; it also doesn't address various non-wifi signal capture methods.
If you're really concerned, then a properly built Faraday cage combined with excellent physical security is the best answer there is.
move the PC (Score:2)
to an area without any possibility of a signal.
Re: (Score:2)
Like Green Bank, WV [wikipedia.org]:
Green Bank is located within the National Radio Quiet Zone, which means that radio transmissions are heavily restricted by law.
move the PC to a virtual area (Score:3)
As suggested by other discussion threads here around:
You can also achieve the same virtually:
"virtually move" the image to an area without any signal.
I.e.:
Windows 10 goes into a VirtualBox VM.
VM has no network.
VM has only CD-ROM (so can read from .iso files you mount) and shared folder (VirtualBox sharing doesn't go through network, so it's not opening Windows 10 to remote access, at least not without a collaborating host OS).
You can pass the files and necessary application through shared folders and .ISO
Re: (Score:1)
Virtual. (Score:2)
WHERE do you find an area with no signal?
The whole point is *VIRTUAL*.
The host's virtual manager (e.g.: Virtual Box running on the Host GNU/Linux distro of your choice) is in charge of what happens.
Windows 10 is installed on a virtual machine; that machine has no network device simulated at all, only a shared directory. (Note: under VirtualBox, shared directories don't work over the network, but use a dedicated separate API offered by VirtualBox. No need to expose the virtual image to the network in order to exchange data.) Windows 10 can't phone home
Virtualization (Score:4, Interesting)
Re: (Score:2)
I was thinking about recommending something like this but realized that Windows 10 might be a prerequisite because of some application needed to work with the files. That would then mean finding a way to provide the host OS access to the guest OS's filesystem in order to access those files.
I would be much more inclined to run Windows as a VM on a Linux box as the host OS, and to restrict stuff before Windows ever boots up.
Re: (Score:2)
Re: (Score:3)
Yep, you run win10 in virtualbox on a linux host. You can then disable networking completely or use iptables to restrict access to only the things you need:
(copy-pasted from a thing I wrote a while back)
How to make a Windows 10 VM secure with a Linux host
Simple! Restrict all intarwebs access to everything that you don’t absolutely need:
1. run virtualbox with the vboxusers group:
sudo -g vboxusers virtualbox
2. allow access to the site you want:
sudo iptables -A OUTPUT -m owner --gid-owner vboxusers -d [i
Re: (Score:2)
I am not sure why you appear to think that Virtualbox is the only solution.
With a SPICE display, KVM/QEMU gives very good performance, without the need for closed-source plugins just to get support for basic things like USB2.
Re: (Score:3)
Sorry if I offended your inner zealot. I never said or thought virtualbox was the only solution. It's the one I used when I needed to do this. You can use any virtualisation tool you want, even completely proprietary ones like vmware.
Re: (Score:2)
Nah, you can use the modern.ie [microsoft.com] VMs for something like 30 days without phoning home to MS. And when that time limit is up you can just revert to the snapshot you took before booting for the first time (you did take a snapshot before booting for the first time, right? ;) ).
Personally, 30 days using windows sounds like 30 days too long. It was certainly long enough for me to do compatibility testing for Edge.
Re: (Score:2)
Guest Additions are great when they work, but I find sometimes they just don't.
Re:Virtualization (Score:5, Informative)
I was going to suggest VirtualBox as well.
I routinely install Windows into VirtualBox guests that have no virtual LAN adapters configured (i.e.: no network access). The guests can only access: inserted optical discs and/or .iso files; authorized USB sticks; persistent/non-persistent VirtualBox shares.
The big downside, though, is accelerated graphics:
Watch out for USB (Score:2)
authorized USB sticks
Pay attention that the current default behaviour of VBox scripts might open a different kind of vulnerability:
USB pass-through requires that the VBox process has access to the raw USB device.
This is done by the script "/usr/lib/virtualbox/VBoxCreateUSBNode.sh"
it creates the appropriate entries in "/dev/vboxusb/"
granting them full group access for "vboxusers"
Currently this script is called by default by "/etc/udev/rules.d/90-vbox-usb.rules" for any plugged-in device.
That means the raw USB device of *any* USB
Two options immediately suggest themselves: (Score:5, Interesting)
1) Don't set up an access point. If you still need an access point, set up an encrypted one (which you should do anyways) and don't give the isolated PC the keys. WiFi isn't magic; if there's no place for it to go, it's not going to go anywhere.
2) Put a Faraday cage around the antenna. This could be as simple as wrapping it in foil.
Re:Two options immediately suggest themselves: (Score:4, Insightful)
Shielding the WiFi antenna (or the whole device) is the only way to be sure it's secure.
You can't trust any software solutions or any hardware on-off switches installed by the manufacturer.
Re: (Score:3, Insightful)
You can't trust any software solutions or any hardware on-off switches installed by the manufacturer.
Especially if today's Wikileaks dump is true.
Re:Two options immediately suggest themselves: (Score:5, Interesting)
Exactly. My Samsung smart TV would randomly turn on the wireless and try to communicate outside. When I first set it up I used wifi, realized how stupid it was and switched it to the wired connection, which then was left unplugged.
I upgraded my router and was screwing around when I noticed a new device was connecting (I used the same SSID and WPA key in both). After shutting everything down I turned on the TV and checked: wifi off. I turned on wifi and bam. Same MAC address as my mystery guest. That was promptly banned. No wifi for you, sneaky TV.
So even if you give a device access, the only way to be sure is to disconnect it thoroughly, and software can be sneaky.
Re: (Score:1)
Yes do what you can on the device, but don't trust the device. Additional controls like banning the MAC at the network level are essential.
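The smart TV story above is the case for auditing rather than trusting: a device can bring a radio back up on its own. The following PowerShell script is an added example (not from any poster in this thread) that checks, on the Windows 10 machine itself, whether any wireless adapter is up, whether the WLAN or Bluetooth services are running, whether a network profile is connected, and whether a firewall profile has been switched off, and logs the result. The adapter-description pattern, the service names chosen, and the log path are assumptions; the cmdlets are standard Windows 8.1+/Windows 10 networking cmdlets.

```powershell
# Added example: audit whether any radio path has come back on.
# Assumptions: adapter descriptions match the pattern below, the relevant
# services are WlanSvc (WLAN AutoConfig) and bthserv (Bluetooth Support),
# and the log goes to ProgramData. Run as Administrator.
$WirelessPattern = 'Wireless|Wi-Fi|WLAN|802\.11|Bluetooth'
$LogPath = "$env:ProgramData\radio-audit.log"

function Get-RadioState {
    # Physical adapters whose name or description looks like a radio
    $adapters = Get-NetAdapter -Physical | Where-Object {
        $_.InterfaceDescription -match $WirelessPattern -or $_.Name -match $WirelessPattern
    }
    $services = foreach ($n in 'WlanSvc', 'bthserv') {
        Get-Service -Name $n -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        AdaptersUp      = @($adapters | Where-Object Status -eq 'Up')
        ServicesRunning = @($services | Where-Object Status -eq 'Running')
        Connected       = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)
        FirewallOff     = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' })
    }
}

function Test-RadioQuiet {
    # Returns $true when nothing is active; otherwise logs each finding and returns $false
    $state = Get-RadioState
    $findings = @()
    foreach ($a in $state.AdaptersUp)      { $findings += "adapter up: $($a.Name) [$($a.InterfaceDescription)]" }
    foreach ($s in $state.ServicesRunning) { $findings += "service running: $($s.Name)" }
    foreach ($p in $state.Connected)       { $findings += "connected: $($p.InterfaceAlias) -> $($p.Name)" }
    foreach ($f in $state.FirewallOff)     { $findings += "firewall profile disabled: $($f.Name)" }

    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    if ($findings.Count -eq 0) {
        Add-Content -Path $LogPath -Value "$stamp OK: no radio path active"
        return $true
    }
    foreach ($f in $findings) { Add-Content -Path $LogPath -Value "$stamp ALERT: $f" }
    Write-Warning ("Radio path active:`n  " + ($findings -join "`n  "))
    return $false
}

# Run once interactively. To repeat every 5 minutes, register this file as a scheduled task:
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File $PSCommandPath"
#   $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
#   Register-ScheduledTask -TaskName 'RadioAudit' -Action $action -Trigger $trigger -RunLevel Highest
Test-RadioQuiet
```

The script only observes; it does not re-disable anything, so a log line reading ALERT tells you that something (a driver update, a vendor utility, a user) re-enabled a path you thought was off, which is exactly the situation the TV story describes. Pair it with the network-level MAC ban the reply above recommends, since a check that runs on the device is still only as trustworthy as the device.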
Re: (Score:2)
WiFi isn't magic
Incorrectly assumes someone doesn't have a system in place that you don't know about, which is likely in any sort of espionage peril.
Put a Faraday cage around the antenna. This could be as simple as wrapping it in foil.
Which may or may not work for most wireless APs, but absolutely will not for any sort of serious espionage peril.
Re: (Score:2)
1) Don't set up an access point. If you still need an access point, set up an encrypted one (which you should do anyways) and don't give the isolated PC the keys. WiFi isn't magic; if there's no place for it to go, it's not going to go anywhere.
2) Put a Faraday cage around the antenna. This could be as simple as wrapping it in foil.
Better option, buy a Lenovo M900 mini PC without WiFi and use it exclusively to work on your client files. It's small enough to move around and should be powerful enough (i5 / i7) for most tasks...
Bios settings (Score:5, Insightful)
Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS. Many also have a physical kill switch on the side of the case.
Barring some wikileaks sort of tomfoolery from the CIA, this should stop any network access (assuming you also don't plug in a network cable).
Re: (Score:2)
That's really the question every small or larger brand should be asking.
Is the US government interested in the work being done?
Can a competitor afford to hire a person who worked for the US gov or with the US gov tools to access the files?
Is the competitor another nation, government, with CIA like skill sets or that has a copy of the CIA like tools?
A private detective with friends who worked for the US gov or some other government the US trusted
Re: (Score:2)
Just be sure. Your approach is prone to forgetting something or somebody, or just miscalculating the risk, and then the CIA (contractor) or somebody using the same security hole still accesses your stuff. Better safe than sorry.
Re: (Score:2)
Re: "somebody using the same security hole still accesses your stuff. Better safe than sorry"
The Soviet Union had that issue. By the 1950s they had the final proof that the US and UK had broken many of its codes: one-time pad reuse.
The option was to stop all chatter on all networks and only use one time pads. That totally locked the NSA
Select "Turn Wi-Fi Off" from menu bar ... (Score:2)
Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS.
The Apple macOS menu bar has status indicators. One is for wifi. Select it and a dropdown menu appears. One of the options is "Turn Wi-Fi Off".
Toggle WiFi off from task bar ... (Score:2)
Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS.
The Apple macOS menu bar has status indicators. One is for wifi. Select it and a dropdown menu appears. One of the options is "Turn Wi-Fi Off".
And if you prefer to run Windows 10 directly on Apple hardware (Boot Camp rather than emulation) then select the wifi status indicator on the task bar and use the WiFi on/off toggle button.
Re: (Score:1)
Yeah - that's just a software control though and (I imagine) trivially turned on programmatically.
Re: (Score:2)
Yeah - that's just a software control though and (I imagine) trivially turned on programmatically.
BIOS is software control too. :-)
Re: (Score:1)
yup. but the bios settings are typically a lot harder to change from userland than, well, userland settings (if it's even possible at all - normally it's not)
Re: (Score:2)
yup. but the bios settings are typically a lot harder to change from userland than, well, userland settings (if it's even possible at all - normally it's not)
You don't need to change BIOS settings from userland. From userland to kernel to hardware works just as well, the hardware does not care what is configuring and initializing it.
Re: (Score:1)
Sure. In theory - I've not heard of it being done in practice other than wrt specific BIOS settings like clock speed.
As far as I know, this isn't possible in Windows (or Linux) - happy to be proven wrong though. Do you have any links with further info? My cursory 30 seconds of googling seemed to suggest it was still not possible.
Re: (Score:2)
Sure. In theory - I've not heard of it being done in practice other than wrt specific BIOS settings like clock speed. As far as I know, this isn't possible in Windows (or Linux) - happy to be proven wrong though. Do you have any links with further info? My cursory 30 seconds of googling seemed to suggest it was still not possible.
Drivers interact with the hardware all the time. So too could malware as long as it is running in privileged mode, like drivers and other low level OS code. The hardware I am speaking of are the chipsets for the various types of I/O, not the BIOS itself. BIOS is largely irrelevant once the host OS is running. The host OS may look at current BIOS setting and respect a user setting but it is under no obligation to do so, BIOS can not enforce any limitations on the host OS. So if you can get malware running in
Re: (Score:2)
Lots of windows laptops have this, also. BIOS or hardware switch.
Also, depending on the situation, you could:
1. only one AP in range? i.e. are you working from home, and out of range of other APs? Blacklist your laptop's MAC address at the AP.
2. turn off DHCP on the laptop, set static IP to 169.254.xxx.xxx
3. not sure about this one, but: arp -s 127.0.0.1 your-mac-address
Re: (Score:2)
However, typically I'd just go into System Preferences and remove the wifi interface from the network settings. OSX will make no attempt to land there if it doesn't have a network interface.
Disable the interface (Score:2)
Disable the wireless interface in the Device Manager. Or, look for the switch on the side of the computer that turns off the wireless, if it still has such a thing.
Re: (Score:2)
Re: (Score:2)
It might also be possible to disable it in the BIOS.
Or if you're going through the effort to remove it, you might just unhook the tiny little connectors that connect the antennas to it.
Re: (Score:2)
Or if you're going through the effort to remove it, you might just unhook the tiny little connectors that connect the antennas to it.
Frankly, this is probably the only way to be sure. Newer laptops I'm not sure about, but on many older ones the wifi mini-board is easily accessible. Less than 5 minutes to pop it in or out.
Alternatively, if you trust Windows.. airplane mode perhaps?
Re:Trump (Score:5, Funny)
Okay, I'll take a shot...
Maybe that orange mass on his head isn't hair. Maybe it's a finely woven copper Faraday cage.
Air gap it when data is connected (Score:3)
Put all the critical files on an external drive that is only plugged in when the system is isolated. Not perfect, but with good hygiene and an innocuous configuration on the base it should be fine.
Re: (Score:2)
Sounds like this is a developer. Good hygiene may be a problem.
Re: (Score:2)
Or just encrypt the machine, take standard security precautions, realise that no one is going to magically remotely configure your machine to turn on wifi and act as an access point, and keep the tin foil for baking lasagne.
Seriously. State secrets are not protected against the type of mythical attack being proposed here. And let's face it, getting a Windows PC to connect via WiFi as an access point is hard enough to do when you want to and have full administrator privileges on a machine.
If you're really tha
If you're that paranoid.. (Score:5, Informative)
Re: (Score:1)
Just more as an FYI and less as relating to the question asked, but there does seem to be a number of motherboards available now with wifi built in and not in a removable form.
Now to be clear, the only two I've seen so far were clearly marketed as "gaming" computer motherboards and for the DIY demographic, so there is next to no chance of finding this in any company setting.
But I previously had a MSI X99 board in a system that was physically damaged (crap water cooler block) so I salvaged what parts I could
Re: (Score:1)
Yep. Not sure what's so hard about it. Pull the physical card out of the laptop and be done with it.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I donno, there has to be a twist...
Re: (Score:2)
Problem identification (Score:5, Informative)
on a Windows 10 PC
First problem.
that has a wireless chipset built into it
Second problem.
1. Don't work on sensitive issues using Windows of any version. Explore a Windows VM under a more secure hypervisor where the guest cannot override the host on hardware or network issues.
2. Don't work on sensitive issues using a system with communications ability that does not use a verified hardware kill switch. E.g.: avoid systems that use software to check the hardware switch to disable. Use hardware that uses a hardware switch to either kill power to that subsystem or uses an NMI to prevent function.
3. Build a Faraday cage room for sensitive work stations. There are government manuals on how to create TEMPEST spaces.
Sound hard? Somewhat. But then again, security, real security, isn't trivial.
Not enough info (Score:1)
1) Disable NIC in Windows
2) Disable NIC using the hardware switch
3) Disable NIC via BIOS
4) Remove NIC from PC
5) Use WPA2-Enterprise
6) Turn off PC
IDK, what are your constraints?
Relax and disable the wireless (Score:2)
Re: (Score:3)
Use more ethernet (Score:2)
Use ethernet for internal networks.
Ethernet for any internet connected computer.
Buy laptops or desktops with ethernet. If you need wifi for some new device, use it with caution and limit any files that get moved by wifi.
If you need "I-like-to-phone-home-sometimes" turn on wifi for that, let a device do its connection. No need to connect all your file
airplane mode (Score:3)
turn on airplane mode.
Some PCs have a physical switch that turns off all the wireless. If you have one of those, switch it off. Files can be transferred over bluetooth, as well.
unplug the antenna (Score:3)
Disconnect the antenna, disable the interface (Score:4, Informative)
Just Google the model of the laptop in question and teardown, example, "thinkpad yoga teardown"
Many laptops still use WIFI+Bluetooth cards [myfixguide.com] which can be physically removed. The antenna wire runs directly to the module and can be removed disabling the antenna if you don't want to pull the module.
Even the newer Yogas have WIFI modules [myfixguide.com] which can be physically removed.
So if you want to make outside WIFI access difficult or impossible, remove the module and it will be impossible. Plug the laptop into physical wiring only and secure your network.
As for running Windows 10, that OS has a mind of its own and the only way you can stop the madness is at the network level.
Re: (Score:2)
Re: (Score:2)
Best answer yet. If the client is really that concerned they should be building a shielded facility to work in.
access control (Score:1)
First make sure the Windows Firewall is enabled, and the inbound is set to block. You can also use Device Manager to disable the wireless devices if you want, but that won't stop malware from doing an outbound connection.
But here's the short list:
1. use Cisco's OpenDNS and configure the web security rules
2. decent AV/security software
3. Malwarebytes
4. Chrome
5. block Flash and ads, use the WOT plugin
6. UAC set to full, do not run as admin
-Nex6
The Sensible option. (Score:1)
Fully disable the onboard chip: remove the PCI-E WiFi card or remove the antennas from the card. If the WiFi chip and/or antennas' lead wires are soldered in, cut them in such a way that they can be re-soldered later and ensure the metal contacts are taped over with electrical tape so they cannot come into contact with anything inside. Same goes for Bluetooth. If the antenna is built into the laptop, find a new laptop. From there, go into Device Manager and disable the wifi card, then turn it off via a function ke
Two ways come to mind... (Score:2)
1. Don't turn on wireless when your sensitive data files are laying around on your device...Simple, effective, but not likely what the user wants. You can augment this a bit by encrypting the data when at rest and trying to have a policy that users are NOT allowed to have their wireless on when the data is unencrypted. (I.E. Do individual file/directory encryption and only decrypt when the network is turned off).
2. Only do your work on VMs which are NOT run locally on the portable device but in a secure
Turn on Windows firewall (Score:3)
As bad as it seems.... turn on Windows Firewall with Advanced Security, and make sure the computer is not joined to a domain, and none of the firewall exceptions are turned on. Open Computer Management, make sure the only enabled users have strong passwords, and set a Setup Password, User Password, and Hard Drive Unlock password in the BIOS/CMOS, turn on the computer's TPM function, and set up BitLocker drive encryption. Shut down the PC fully when you are not physically present at the keyboard.
What reason in particular do you have to be concerned with 'Hacking over the wireless' again?
How about you Disable all Wireless NICs, then open Services.msc and set all Wireless-related services to Disabled, then reboot.
Re: (Score:2)
That means you need to consider an adversary with physical access (break-in or evil maid) as part of the far end of the threat model.
No way, because that's a basically impossible threat model to secure against. You need a physically secure space to keep the machine at all times (E.g. a Bank-vault grade storage location, with a high-security transport box), and a physically secure space in which to work (Area with entrances under lock and key and 24x7 CCTV + multiple armed guard security watch).
First ask yourself, what are you guarding against? (Score:4)
First ask yourself, what are you guarding against?
What guidelines has the client given you, what expectations do they have?
There's no point in you being so secure that the machine is virtually useless if the client happily stores these files on Dropbox/Google Drive etc.
Are you guarding against random drive-by hacking, script kiddies and the like, or are you guarding against an advanced persistent threat?
If you're guarding against the US Govt then your threat model is very different to if you're simply protecting yourself against casual hacking.
If you're concerned about an APT, then what level of threat do you expect to face? Is this a competitor's company that has some guy who knows computers? Is it a multinational corporation with a large budget and a cybersecurity team? Is it a nation state? Is it the US Government?
The answers to those questions will heavily influence the appropriate course of action to take. If you're worried about casual hacking and the client has provided the files to you via Dropbox, then simply don't connect to any open wifi networks and don't connect to any wifi networks you don't know are secure. Make sure the wifi networks use WPA2.
If however you are concerned that the Govt. is likely out to get to your secrets, and they're specifically targeting you (as opposed to you being caught in a drift net) then you will want to physically disable the wifi, probably by taking the wifi card out of the laptop - it's likely on a small mezzanine card that is usually easily removed with a small Phillips head screwdriver.
several options (Score:2)
1. disable with physical switch on side of machine if possible.
2. disable in BIOS if possible
3. go to Device Manager and remove the device. Remove driver from driver store. Go to \windows\system32\drivers and delete any remaining relevant .sys files.
4. go to Device Manager/Network Manager. Right click wireless adapter, hit Disable.
5. remove all entries in Windows Firewall, set it to block in/out by default, and whitelist required applications. This is the least secure but most convenient of the options be
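The "Turn on Windows firewall" post and the "several options" list above describe the same software-side procedure: disable the wireless adapters, disable the services that manage them, and set the firewall to block in both directions with a whitelist for what you actually need. The PowerShell script below is an added example (not posted by anyone in this thread) that carries those steps out from an elevated prompt, then prints the adapter state so you can see the result. The adapter-description pattern and the service names are assumptions; the cmdlets themselves are the standard NetAdapter, Service and NetSecurity cmdlets that ship with Windows 10.

```powershell
# Added example: disable the radio paths and default-block the firewall.
# Assumptions: wireless adapters match the pattern below; the services that
# bring a radio back are WlanSvc (WLAN AutoConfig) and bthserv (Bluetooth
# Support Service). Must run as Administrator.
#Requires -RunAsAdministrator

$WirelessPattern = 'Wireless|Wi-Fi|WLAN|802\.11|Bluetooth'

function Get-WirelessAdapter {
    # Physical adapters whose name or description looks like a radio
    Get-NetAdapter -Physical | Where-Object {
        $_.InterfaceDescription -match $WirelessPattern -or $_.Name -match $WirelessPattern
    }
}

function Disable-WirelessPath {
    # 1. Disable the adapters at the driver level (same effect as Device Manager > Disable)
    Get-WirelessAdapter | Where-Object Status -ne 'Disabled' |
        Disable-NetAdapter -Confirm:$false

    # 2. Stop and disable the services that would otherwise re-enable a radio
    foreach ($svc in 'WlanSvc', 'bthserv') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) {
            if ($s.Status -ne 'Stopped') { Stop-Service -Name $svc -Force }
            Set-Service -Name $svc -StartupType Disabled
        }
    }

    # 3. Firewall: all three profiles on, inbound AND outbound blocked by default,
    #    so only explicitly allowed programs can talk at all (option 5 in the list)
    Set-NetFirewallProfile -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Add-AllowedProgram {
    # Whitelist one executable for outbound traffic, e.g. the design tool's
    # licence server client. Path is whatever you need to allow.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Name = "Allow outbound: $Path"
    )
    New-NetFirewallRule -DisplayName $Name -Direction Outbound `
        -Program $Path -Action Allow -Profile Any | Out-Null
}

function Show-WirelessState {
    # What the script leaves behind: adapters should read Disabled, services Stopped
    Get-WirelessAdapter | Format-Table Name, InterfaceDescription, Status -AutoSize
    Get-Service -Name 'WlanSvc', 'bthserv' -ErrorAction SilentlyContinue |
        Format-Table Name, Status, StartType -AutoSize
    Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize
}

Disable-WirelessPath
# Example whitelist entry (path is an assumption; add one per program you need):
# Add-AllowedProgram -Path 'C:\Program Files\DesignTool\designtool.exe'
Show-WirelessState
```

Two design points worth knowing before running it. A disabled adapter is still a present adapter: a driver reinstall or a vendor utility can re-enable it, which is why the "Bios settings" and "unplug the antenna" posts are not redundant with this script. And blocking outbound by default will break anything you forgot to whitelist, including Windows Update; the thread's consensus that a machine holding these files should not be on the internet anyway makes that a feature here rather than a bug.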
Virtual Machines to the Rescue (Score:3)
How do you protect yourself from wireless hacking (Score:2)
I know this sounds redundant and trite but I'm serious. The question asks about how to not use wireless on Windows 10, yet few people seem to be giving the stunningly obvious advice of not using wireless on Windows 10. Disable the wireless NIC. Don't use wireless. Don't join a wireless network. Tada! You're not using wireless!
That one is really, really easy (Score:2)
Either get a laptop with a physical RF-off switch, or remove the wireless card. If you bought a really crappy one, you can still almost always disconnect the antenna.
False problem (Score:2)
Why must it be on a system with wireless circuitry? Can't be away from your laptop for 5 minutes?
Turn the router off and any cell tower devices (Score:1)
Re: Turn the router off and any cell tower devices (Score:1)
I like the position of this article (Score:1)
I like the position of this article directly below the exposition of the CIA hacks...
Paai
What are you even asking? (Score:2)
Are you assuming some exploit that allows someone to connect to your computer and start downloading files just because you have a wireless chipset?
Are you assuming someone snooping sensitive information while you are using a wireless connection?
The way the article is worded I'm going to say it's the former. Ignore it. Focus on actual risks which will come from the other end of your network connection. Don't assume someone can magically and silently convince your computer to act as an access point, connect t
You've Already Lost (Score:2)
You need to work on those files on a Windows 10 PC that has a wireless chipset built into it.
You have already lost. You have an NSA/CIA-controlled operating system with wireless communications. The NSA/CIA most likely already have your client files.
Missing the forest for a tree? (Score:1)
Turn the wireless off? (Score:2)
Right?
Ask the client... (Score:1)
Start with a good password (Score:1)
Simple solution (Score:1)
2 - Install real OS