date 2017-03-07

 


Posted by BeauHD from the safety-first dept.
dryriver writes: A client has given you confidential digital files containing a design for a not-yet-public consumer product. You need to work on those files on a Windows 10 PC that has a wireless chipset built into it. What can you do, assuming that you have to work under Windows 10, that would make 3rd party wireless access to this PC difficult or impossible? I can imagine that under a more transparent, open-source, power-user OS like Linux, it would be a piece of cake to kill all wireless access completely and reliably even if the system contains wireless hardware. But what about an I-like-to-phone-home-sometimes, non open-source OS like Windows 10 that is nowhere near as open and transparent? Is there a good strategy for making outside wireless access to a Windows 10 machine difficult or impossible?

  • Don't use wireless (Score:1)

    by Anonymous Coward

    First post

  • to an area without any possibility of a signal.
  • Make a Linux partition via VirtualBox (...), put the encrypted data there through ssh / rsync, encrypt it and keep it encrypted when on disk.

    • Re: (Score:2)

      by TWX ( 665546 )

      I was thinking about recommending something like this but realized that Windows 10 might be a prerequisite because of some application needed to work with the files. That would then mean finding a way to provide the host OS access to the guest OS's filesystem in order to access those files.

      I would be much more inclined to run Windows as a VM on a Linux box as the host OS, and to restrict stuff before Windows ever boots up.

      • So do it the other way round. Have the host run Linux and run the application in a Windows VM that doesn't have access to the wireless device.

    • I was going to suggest VirtualBox as well.

      I routinely install Windows into VirtualBox guests that have no virtual LAN adapters configured (i.e.: no network access). The guests can only access: inserted optical discs and/or .iso files; authorized USB sticks; persistent/non-persistent VirtualBox shares.

      The big downside, though, is accelerated graphics:

      • You pay a significant penalty for DirectX under VirtualBox.
      • The video drivers installed with VirtualBox Guest Additions have OpenGL support limited to API Level

  • Two options immediately suggest themselves: (Score:3)

    by Chris Mattern ( 191822 ) on Tuesday March 07, 2017 @07:09PM (#53996171)

    1) Don't set up an access point. If you still need an access point, set up an encrypted one (which you should do anyways) and don't give the isolated PC the keys. WiFi isn't magic; if there's no place for it to go, it's not going to go anywhere.

    2) Put a Faraday cage around the antenna. This could be as simple as wrapping it in foil.

    • Re: (Score:3)

      by jonwil ( 467024 )

      Shielding the WiFi antenna (or the whole device) is the only way to be sure it's secure.

      You can't trust any software solutions or any hardware on-off switches installed by the manufacturer.

      • You can't trust any software solutions or any hardware on-off switches installed by the manufacturer.

        Especially if today's Wikileaks dump is true.

    • WiFi isn't magic

      Incorrectly assumes someone doesn't have a system in place that you don't know about, which is likely in any sort of espionage peril.

      Put a Faraday cage around the antenna. This could be as simple as wrapping it in foil.

      Which may or may not work for most wireless APs, but absolutely will not for any sort of serious espionage peril.

  • Bios settings (Score:3, Insightful)

    by smylie ( 127178 ) <<spam_me> <at> <smylie.co.nz>> on Tuesday March 07, 2017 @07:10PM (#53996181) Homepage

    Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS. Many also have a physical kill switch on the side of the case.

    Barring some wikileaks sort of tomfoolery from the CIA, this should stop any network access (assuming you also don't plug in a network cable).

    • Re: (Score:2)

      by AHuxley ( 892839 )
      Re "Barring some wikileaks sort of tomfoolery from the CIA"
      That's really the question every small or larger brand should be asking.
      Is the US government interested in the work being done?
      Can a competitor afford to hire a person who worked for the US gov or with the US gov tools to access the files?
      Is the competitor another nation, government, with CIA like skill sets or that has a copy of the CIA like tools?
      A private detective with friends who worked for the US gov or some other government the US trusted

  • Disable the wireless interface in the device manager. Or, look for the switch on the side of the computer that turns off the wireless, if it still has such a thing.

    • Re: (Score:2)

      by msauve ( 701917 )
      This, but with the knowledge that malware on the PC could potentially turn it back on without your knowledge. If that's still a concern, the wireless card can be removed from many systems - it's often an m.2 or PCI-e card which is plugged into a socket.

      • Re: (Score:2)

        by TWX ( 665546 )

        It might also be possible to disable it in the BIOS.

        Or if you're going through the effort to remove it, you might just unhook the tiny little connectors that connect the antennas to it.

  • Put all the critical files on an external drive that is only plugged in when the system is isolated. Not perfect, but with good hygiene and an innocuous configuration on the base it should be fine.

  • If you're that paranoid.. (Score:3)

    by nawcom ( 941663 ) on Tuesday March 07, 2017 @07:17PM (#53996227) Homepage
    .. and disabling the device in Windows 10 or the BIOS isn't enough, then just remove the wireless card. If by PC you mean desktop PC, unless it's a USB wifi chip soldered onto the motherboard, it'll be a typical miniPCIe or M.2 card. Remove it. For laptops a physical switch or hotkey for disabling the wifi card at the firmware level is common, but the same goes for that. They're not soldered onto the board (with some very rare exceptions) - they're miniPCIe or M.2 cards that are removable. Whether they're easily accessible varies by laptop model, but they're still removable.

  • on a Windows 10 PC

    First problem

    that has a wireless chipset built into it

    Second problem.

    1. Don't work on sensitive issues using Windows of any version. Explore a Windows VM under a more secure hypervisor where the guest cannot override the host on hardware or network issues.

    2. Don't work on sensitive issues using a system with communications ability that does not use a verified hardware kill switch. EG: Avoid systems that use software to check the hardware switch to disable. Use hardware that uses a hardwar

  • 1) Disable NIC in Windows
    2) Disable NIC using the hardware switch
    3) Disable NIC via BIOS
    4) Remove NIC from PC
    5) Use WPA2-Enterprise
    6) Turn off PC

    IDK, what are your constraints?

  • If you believe Windows 10 is going to spy on you via wireless after you disable it, then you likely don't really understand how to practice good security under any OS.
  • Stop trusting wifi on any network or device. It's not just the CIA, NSA but also local governments, competitors, random people that are looking for files.
    Use ethernet for internal networks.
    Ethernet for any internet connected computer.
    Buy laptops or desktops with ethernet. If you need wifi for some new device, use it with caution and limit any files that get moved by wifi.
    If you need "I-like-to-phone-home-sometimes" turn on wifi for that, let a device do its connection. No need to connect all your file

  • turn on airplane mode.

    Some PCs have a physical switch that turns off all the wireless. If you have one of those, switch it off. Files can be transferred over bluetooth, as well.

  • Most PCs with built in wifi have a couple antennas in the top of the case, connected by wires to a wireless card in a pci-e slot. That's so the antennas get better signal than they could deep inside on the card. It's usually on a card, because wifi standards vary across countries, so it's easier to put in the right card, than to make a new motherboard per region. Open it up, unplug the antenna, and remove the card. If the wireless is actually built in to the motherboard, then unplug the antennas, and w

  • Just Google the model of the laptop in question and teardown, example, "thinkpad yoga teardown"

    Many laptops still use WIFI+Bluetooth cards [myfixguide.com] which can be physically removed. The antenna wire runs directly to the module and can be removed disabling the antenna if you don't want to pull the module.

    Even the newer Yogas have WIFI modules [myfixguide.com] which can be physically removed.

    So if you want to make outside WIFI access difficult or impossible, remove the module and it will be impossible. Plug the laptop into physical

  • First make sure the Windows firewall is enabled, and the inbound is set to block. You can also use device manager to disable the wireless devices if you want, but that won't stop malware from doing an outbound connection.

    But here's the short list:
    1 use Cisco's OpenDNS and configure the web security rules.
    2 decent AV/security software
    3 malwarebytes
    4 chrome
    5 block flash and ads, use WOT plugin
    6 UAC set to full do not run as admin

    -Nex6
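
The software-level steps suggested in the thread (disable the wireless interfaces, keep the Windows firewall on with inbound set to block) can be checked from an elevated PowerShell prompt. This is an added example, not part of any comment above; the `-Enforce` switch and the list of media-type strings are assumptions of this sketch.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the wireless adapters and firewall profiles on a Windows 10 PC.
# Without -Enforce (a hypothetical switch defined here) the script only reports.
param([switch]$Enforce)

# Radios are matched on the media type the driver reports, not on the adapter
# name, so a renamed "Ethernet 2" that is really Wi-Fi is still caught.
$radioTypes = 'Native 802.11', 'Wireless LAN', 'Wireless WAN', 'BlueTooth'
$findings   = @()

# 1. Every physical wireless adapter should be in the Disabled state.
#    Note: the 'BlueTooth' entry is only the Bluetooth network (PAN) adapter;
#    the Bluetooth radio itself is a separate device and is not covered here.
$radios = Get-NetAdapter -Physical |
    Where-Object { $radioTypes -contains $_.PhysicalMediaType }
foreach ($nic in $radios) {
    if ($nic.Status -ne 'Disabled') {
        $findings += "Radio not disabled: $($nic.Name) " +
                     "[$($nic.InterfaceDescription)] status=$($nic.Status)"
        if ($Enforce) { Disable-NetAdapter -Name $nic.Name -Confirm:$false }
    }
}

# 2. Every firewall profile should be enabled and must not default to
#    allowing inbound traffic (NotConfigured falls back to Block).
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True' -or $fwProfile.DefaultInboundAction -eq 'Allow') {
        $findings += "Firewall profile $($fwProfile.Name): " +
                     "enabled=$($fwProfile.Enabled) inbound=$($fwProfile.DefaultInboundAction)"
        if ($Enforce) {
            Set-NetFirewallProfile -Name $fwProfile.Name -Enabled True `
                                   -DefaultInboundAction Block
        }
    }
}

# 3. Report. A non-zero exit code lets a scheduled task flag drift.
if ($findings.Count -eq 0) {
    Write-Output 'OK: no enabled wireless adapters, firewall inbound not set to Allow.'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run periodically in report-only mode, the script shows when an adapter that was disabled has come back up. Like any software check it cannot vouch for the hardware, which is why several commenters prefer removing the card.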

