Ask Slashdot: How Do You Best Protect Client Files From Wireless Hacking?
dryriver writes: A client has given you confidential digital files containing a design for a not-yet-public consumer product. You need to work on those files on a Windows 10 PC that has a wireless chipset built into it. What can you do, assuming that you have to work under Windows 10, that would make 3rd party wireless access to this PC difficult or impossible? I can imagine that under a more transparent, open-source, power-user OS like Linux, it would be a piece of cake to kill all wireless access completely and reliably even if the system contains wireless hardware. But what about an I-like-to-phone-home-sometimes, non open-source OS like Windows 10 that is nowhere near as open and transparent? Is there a good strategy for making outside wireless access to a Windows 10 machine difficult or impossible?
to an area without any possibility of a signal.
Make a Linux partition via VirtualBox (...), put the encrypted data there through ssh / rsync, encrypt it and keep it encrypted when on disk.
Slashdot, fix the reply notifications... You won't get away with it...
1) Don't set up an access point. If you still need an access point, set up an encrypted one (which you should do anyway) and don't give the isolated PC the keys. WiFi isn't magic; if there's no place for it to go, it's not going to go anywhere.
2) Put a Faraday cage around the antenna. This could be as simple as wrapping it in foil.
Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS. Many also have a physical kill switch on the side of the case.
Barring some wikileaks sort of tomfoolery from the CIA, this should stop any network access (assuming you also don't plug in a network cable).
Disable the wireless interface in the device manager. Or, look for the switch on the side of the computer that turns off the wireless, if it still has such a thing.
Do not look into laser with remaining eye.
Put all the critical files on an external drive that is only plugged in when the system is isolated. Not perfect, but with good hygiene and an innocuous configuration on the base it should be fine.
.. and disabling the device in Windows 10 or the BIOS isn't enough, then just remove the wireless card. If by PC you mean desktop PC, unless it's a USB wifi chip soldered onto the motherboard, it'll be a typical miniPCIe or M.2 card. Remove it. For laptops a physical switch or hotkey for disabling the wifi card at the firmware level is common, but the same goes for that. They're not soldered onto the board (with some very rare exceptions) - they're miniPCIe or M.2 cards that are removable. Whether they're easily accessible varies by laptop model, but they're still removable.
But what if he's a pinball wizard?
"on a Windows 10 PC": First problem.
"that has a wireless chipset built into it": Second problem.
1. Don't work on sensitive issues using Windows of any version. Explore a windows VM under a more secure hypervisor where the guest cannot override the host on hardware or network issues.
2. Don't work on sensitive issues using a system with communications ability that does not use a verified hardware kill switch. E.g.: avoid systems that use software to check the hardware switch to disable. Use hardware that uses a hardware switch to either kill power to that subsystem or uses an NMI to prevent function.
3. Build a Faraday cage room for sensitive work stations. There are government manuals on how to create TEMPEST spaces.
Sound hard? Somewhat. But then again, security, real security, isn't trivial.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
1) Disable NIC in Windows
2) Disable NIC using the hardware switch
3) Disable NIC via BIOS
4) Remove NIC from PC
5) Use WPA2-Enterprise
6) Turn off PC
IDK, what are your constraints?
I dunno, there has to be a twist...
Okay, I'll take a shot...
Maybe that orange mass on his head isn't hair. Maybe it's a finely woven copper Faraday cage.
If you believe Windows 10 is going to spy on you via wireless after you disable it, then you likely don't really understand how to practice good security under any OS.
The Daddy casts sleep on the Baby. The Baby resists!
Stop trusting wifi on any network or device. It's not just the CIA and NSA but also local governments, competitors, random people that are looking for files.
Use ethernet for internal networks.
Ethernet for any internet connected computer.
Buy laptops or desktops with ethernet. If you need wifi for some new device, use it with caution and limit any files that get moved by wifi.
If you need "I-like-to-phone-home-sometimes", turn on wifi for that and let a device do its connection. No need to connect all your files to wifi due to one brand of smart phone. Have a work and a home wifi smart phone. Files on both can be kept limited when using wifi.
The main risk with wifi is travel, new cities and other nations security services, competitors, criminal groups getting access to a wifi computer in another nation.
Or the request to open and share the files on a smartphone when entering another nation or returning.
Travel with a very average, trendy looking smart phone that can be replaced without any issue.
Wifi at work can be just for that file, project network, no need to keep the entire history of all work ever done on the same wifi network.
Domestic spying is now "Benign Information Gathering"
turn on airplane mode.
Some PCs have a physical switch that turns off all the wireless. If you have one of those, switch it off. Files can be transferred over bluetooth, as well.
there are 3 kinds of people:
* those who can count
* those who can't
Most PCs with built-in wifi have a couple of antennas in the top of the case, connected by wires to a wireless card in a PCI-e slot. That's so the antennas get better signal than they could deep inside on the card. It's usually on a card because wifi standards vary across countries, so it's easier to put in the right card than to make a new motherboard per region. Open it up, unplug the antenna, and remove the card. If the wireless is actually built in to the motherboard, then unplug the antennas and wrap insulated tin foil around the card.
Just Google the model of the laptop in question plus "teardown", for example "thinkpad yoga teardown".
Many laptops still use WIFI+Bluetooth cards which can be physically removed. The antenna wire runs directly to the module and can be removed disabling the antenna if you don't want to pull the module.
Even the newer Yoga's have WIFI modules which can be physically removed.
So if you want to make outside WIFI access difficult or impossible, remove the module and it will be impossible. Plug the laptop into physical wiring only and secure your network.
As for running Windows 10, that OS has a mind of its own and the only way you can stop the madness is at the network level.
First make sure the Windows firewall is enabled and the inbound is set to block. You can also use Device Manager to disable the wireless devices if you want, but that won't stop malware from doing an outbound connection.
But here's the short list:
1. Use Cisco's OpenDNS and configure the web security rules.
2. Decent AV/security software.
3. Malwarebytes.
4. Chrome.
5. Block Flash and ads; use the WOT plugin.
6. UAC set to full; do not run as admin.
-Nex6
Fully disable the onboard chip: Remove the PCI-E Wifi card or remove the antennas from the card. If the WIFI chip and/or antenna lead wires are soldered in, cut them in such a way they can be re-soldered later and ensure the metal contacts are electrical-taped over so they cannot come into contact with anything inside. Same goes for Bluetooth. If the antenna is built into the laptop, find a new laptop. From there, go into Device Manager and disable the wifi card, then turn it off via a function key shortcut, then go into the BIOS and turn it off. You then need to repeat 3 steps to turn back on the embedded chip.
Use burner USB Wifi adapters: Purchase an inexpensive commercial grade USB Wireless adapter from a reputable name-brand company, use that for any wireless access. Preferably go with a USB 2.0 card to limit transmission bandwidth and range due to the voltage limitations of the standard. This way if you are on the machine and think you are being hacked, unplugging is a 2 second ordeal. If you need to remain anonymous on a large network, you can switch out and dispose of the adapters as needed.
Use an Enterprise grade WAP with key rotation: If you are going to connect to a controlled AP, make sure beaconing is turned off, make sure to use WPA2-Personal with AES-256 and CBAC turned on with a 128 digit wifi encryption key, and secure the management plane of the device. Cycle this key every few weeks. Most APs will accept the entire UTF-16 spectrum as a password, as will Windows. Setting your password to "ANGRYDUDEÒ_Ó" is way more secure than a 24char alphanumeric; 65536^13 is way more secure than 108^24. Use alt codes to get the extra chars; if your password contains hieroglyphics, you have done it right. If you need better security, buy an enterprise grade WAP that has a certificate then use WPA2-Enterprise which uses the encryption key to effectively salt the password. Most should also support key rotation; set this to as aggressive as needed. If you are paranoid about your burner adapters having crappy security, change out between different vendors. If done right, thousands of nvidia tegra cards running hashcat will not be able to crack your password in time before the key change.
Encrypt and secure the device properly: Harden the device against the disk being attacked, the network port being attacked, and the interfaces on the laptop being attacked. Full disk encryption. Implement a firewall and A/V package that will protect the unit against network recon. Disable USB ports except the one you're going to use, and make sure autoplay is turned off. Use Secure Boot, set a BIOS password. There are models of laptop where resetting the CMOS battery will not let you get into the BIOS; get one of these. Set a Windows password that has 24 characters minimum, make sure to edit LOCSEC.msc so the password is stored in MD5 and if possible, salted.
Implement an always-on VPN software: This way if the machine is stolen and then reconnected clumsily to the network you want it to phone home. Also, if you connect to a network, keeping the network stack from communicating with the outside world except for through the VPN ensures the data is filtered going to and from that machine. Lo-jack is another option.
Finally, Back up the machine. It's great to put in security, but if you secure the data from yourself, you are totally foobar'd. Encrypt onto a flash drive, store in a safe, and keep the password in your wallet.
Don't forget the biggest draw on 2.4GHz Obligatory XKCD
I have mod points and I am not afraid to use them
1. Don't turn on wireless when your sensitive data files are laying around on your device...Simple, effective, but not likely what the user wants. You can augment this a bit by encrypting the data when at rest and trying to have a policy that users are NOT allowed to have their wireless on when the data is unencrypted. (I.E. Do individual file/directory encryption and only decrypt when the network is turned off).
2. Only do your work on VMs which are NOT run locally on the portable device but in a secure physical location which is only accessed by a secure VPN tunnel which is encrypted. Not so simple, very effective, but always requires a network connection to "access" the data in question.
Personally I like #2 for a couple of reasons... 1. It's very secure if you have a good VPN. 2. It allows editing and sharing of files on a common file system and avoids the "how do I merge this change" issue. 3. If your mobile device gets stolen or searched, your valuable data isn't on it (just make sure to have some kind of token for the VPN connections).
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
As bad as it seems.... turn on Windows Firewall with Advanced Security, make sure the computer is not joined to a domain, and make sure none of the firewall exceptions are turned on. Open Computer Management, make sure the only enabled users have strong passwords, set a Setup Password, User Password, and Hard Drive Unlock password in the BIOS/CMOS, turn on the computer's TPM function, and set up BitLocker drive encryption. Shut down the PC fully when you are not physically present at the keyboard.
What reason in particular do you have to be concerned with 'Hacking over the wireless' again?
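The TPM/BitLocker part of the post above, as an added example (not code from any poster on this page): check that the TPM is ready and Secure Boot is enforced, enable BitLocker on the OS volume with a TPM protector, and add a recovery password that is printed once so it can be stored off the machine. It assumes an elevated PowerShell on Windows 10 Pro or Enterprise with the BitLocker and TrustedPlatformModule modules; the drive letter is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Assumes Windows 10 Pro/Enterprise,
# an elevated session, and that C: is the OS volume (assumption).

function Test-BootIntegrity {
    # A TPM-sealed key is only as good as the measured boot chain it is sealed to,
    # so check the TPM state and whether Secure Boot is actually enforced.
    $tpm = Get-Tpm
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS boot
    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        SecureBoot = $secureBoot
    }
}

function Enable-WorkstationBitLocker {
    param([string] $MountPoint = 'C:')

    $state = Test-BootIntegrity
    if (-not ($state.TpmPresent -and $state.TpmReady)) {
        throw 'TPM is not ready; initialise it in firmware before enabling BitLocker'
    }
    if (-not $state.SecureBoot) {
        Write-Warning 'Secure Boot is off; a tampered boot path could still be measured as trusted'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # XTS-AES-256 on the OS volume; the TPM releases the key only when the boot measurements match.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
    }

    # A recovery password is the only way back in once a firmware update or board swap changes the PCRs.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        $updated = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = ($updated.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
        Write-Host "Recovery password (write it down and store it off this machine): $rp"
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
}

Enable-WorkstationBitLocker -MountPoint 'C:'
```

Encryption continues in the background after the call returns; ProtectionStatus stays Off until the volume is fully encrypted, so check Get-BitLockerVolume again before treating the machine as protected. The recovery password is printed exactly once, which is the point: it belongs on paper in a safe, not in a file on the same disk.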
How about you Disable all Wireless NICs, then open Services.msc and set all Wireless-related services to Disabled, then reboot.
First ask yourself, what are you guarding against?
What guidelines has the client given you, what expectations do they have?
There's no point in you being so secure that the machine is virtually useless if the client happily stores these files on Dropbox/Google Drive etc.
Are you guarding against random drive-by hacking, script kiddies and the like, or are you guarding against an advanced persistent threat?
If you're guarding against the US Govt then your threat model is very different to if you're simply protecting yourself against casual hacking.
If you're concerned about an APT, then what level of threat do you expect to face? Is this a competitors company that has some guy who knows computers? Is it a multinational corporation with a large budget and a cybersecurity team? Is it a nation state? Is it the US Government?
The answers to those questions will heavily influence the appropriate course of action to take. If you're worried about casual hacking and the client has provided the files to you via Dropbox, then simply don't connect to any open wifi networks and don't connect to any wifi networks you don't know are secure. Make sure the wifi networks use WPA2.
If however you are concerned that the Govt. is likely out to get to your secrets, and they're specifically targeting you (as opposed to you being caught in a drift net) then you will want to physically disable the wifi, probably by taking the wifi card out of the laptop - it's likely on a small mezzanine card that is usually easily removed with a small Phillips head screwdriver.
Specialist Mac support for creative pros, Melbourne
Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS.
The Apple macOS menu bar has status indicators. One is for wifi. Select it and a dropdown menu appears. One of the options is "Turn Wi-Fi Off".
Here you go: Faraday cage.
I've fallen off your lawn, and I can't get up.
1. Disable with the physical switch on the side of the machine if possible.
2. Disable in the BIOS if possible.
3. Go to Device Manager and remove the device. Remove the driver from the driver store. Go to \windows\system32\drivers and delete any remaining relevant .sys files.
4. Go to Device Manager / Network Manager. Right-click the wireless adapter, hit Disable.
5. Remove all entries in Windows Firewall, set it to block in/out by default, and whitelist required applications. This is the least secure but most convenient of the options besides default.
If your client's truly that paranoid (justifiably or not), just operate on the data from a hardwired/airgapped machine and charge him for the inconvenience.
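The Windows-side steps that several posts above list (disable the adapter in Device Manager, disable the wireless-related services, set the firewall to block in both directions and whitelist only the applications you need) collapsed into one script, as an added example that is not code from any of the posters. It assumes an elevated PowerShell 5.1 session on Windows 10 with the built-in NetAdapter, PnpDevice and NetSecurity modules; the application path C:\Tools\cad.exe is a placeholder, and the "Core Networking" rule-group name is the English-locale one.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Assumes an elevated PowerShell 5.1 session
# on Windows 10; C:\Tools\cad.exe is a placeholder for the one tool allowed out.

# PhysicalMediaType values Get-NetAdapter reports for radios (wired Ethernet is "802.3").
$RadioMediaTypes = @('Native 802.11', 'Wireless WAN', 'BlueTooth')

function Disable-WirelessAdapters {
    # Disable the interface, then the PnP device itself so a driver reload does not bring it back.
    $radios = Get-NetAdapter -Physical | Where-Object { $RadioMediaTypes -contains $_.PhysicalMediaType }
    foreach ($nic in $radios) {
        Disable-NetAdapter -Name $nic.Name -Confirm:$false
        Get-PnpDevice -Class Net -PresentOnly |
            Where-Object { $_.FriendlyName -eq $nic.InterfaceDescription } |
            Disable-PnpDevice -Confirm:$false
    }
    # Bluetooth radios are not NICs; disable every present device in that class.
    Get-PnpDevice -Class Bluetooth -PresentOnly -Status OK | Disable-PnpDevice -Confirm:$false
}

function Disable-WirelessServices {
    # WLAN AutoConfig, Bluetooth Support and WWAN AutoConfig. "Disabled" survives reboots and
    # cannot be started from the tray icon or by a driver reinstall.
    foreach ($svc in 'WlanSvc', 'bthserv', 'WwanSvc') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc -StartupType Disabled
        }
    }
}

function Set-DefaultDenyFirewall {
    param([string[]] $AllowedPrograms = @('C:\Tools\cad.exe'))   # placeholder path
    # Block in both directions on every profile; outbound block is what stops phone-home traffic.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
    # Turn off every built-in exception except the DHCP/DNS rules a wired link still needs,
    # then whitelist only the named executables.
    Get-NetFirewallRule -Enabled True |
        Where-Object { $_.DisplayGroup -ne 'Core Networking' } |
        Disable-NetFirewallRule
    foreach ($exe in $AllowedPrograms) {
        New-NetFirewallRule -DisplayName "Allow $exe" -Direction Outbound `
            -Program $exe -Action Allow -Profile Any | Out-Null
    }
}

function Test-WirelessLockdown {
    # $true only when no radio is Up, no wireless service can start, and outbound is blocked by default.
    $upRadios = Get-NetAdapter -Physical |
        Where-Object { $RadioMediaTypes -contains $_.PhysicalMediaType -and $_.Status -eq 'Up' }
    $liveSvcs = Get-Service -Name WlanSvc, bthserv, WwanSvc -ErrorAction SilentlyContinue |
        Where-Object { $_.StartType -ne 'Disabled' -or $_.Status -eq 'Running' }
    $openProfiles = Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -ne 'Block' }
    return (-not $upRadios) -and (-not $liveSvcs) -and (-not $openProfiles)
}

Disable-WirelessAdapters
Disable-WirelessServices
Set-DefaultDenyFirewall
if (Test-WirelessLockdown) {
    'Wireless lockdown verified'
} else {
    Write-Warning 'Lockdown incomplete; inspect Get-NetAdapter, Get-Service and Get-NetFirewallProfile'
}
```

Everything here is software: an administrator (or malware running as one) can reverse it with Enable-NetAdapter, Enable-PnpDevice and Set-Service, which is why the posts that recommend the BIOS setting, the hardware kill switch or pulling the card still have the last word. Run Test-WirelessLockdown again after Windows updates, which have been known to re-enable services.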
Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS.
The Apple macOS menu bar has status indicators. One is for wifi. Select it and a dropdown menu appears. One of the options is "Turn Wi-Fi Off".
And if you prefer to run Windows 10 directly on Apple hardware (Boot Camp rather than emulation) then select the wifi status indicator on the task bar and use the WiFi on/off toggle button.
Use a virtual machine to contain Windows 10. Install an operating system and virtual machine software you trust. Disable any wireless interface for that operating system. Put the files in a Windows 10 virtual machine. Do not give the virtual machine access to any wireless interfaces.
By using a wire.
I know this sounds redundant and trite but I'm serious. The question asks about how to not use wireless on Windows 10, yet few people seem to be giving the stunningly obvious advice of not using wireless on Windows 10. Disable the wireless NIC. Don't use wireless. Don't join a wireless network. Tada! You're not using wireless!
Either get a laptop with a physical RF-off switch, or remove the wireless card. If you bought a really crappy one, you can still almost always disconnect the antenna.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"You need to work on those files on a Windows 10 PC that has a wireless chipset built into it."
Why must it be on a system with wireless circuitry? Can't be away from your laptop for 5 minutes?
Best answer yet. If the client is really that concerned they should be building a shielded facility to work in.
When working, unplug the router, airplane-mode your phones, and turn off your Bluetooth on the computer. Turn off any IoT devices. Do not use wireless keyboards or mice. Buy a Faraday phone bag on Amazon because iPhones never fully turn off. Some refrigerators work too if you don't want a paper trail. They make software that you can use to scan for radio signals, which is what wifi and Bluetooth are, just to be sure.
Keep one original copy (for emergencies) of the file on one flash drive and the modified, edited one on another. When satisfied, boot up a light version of Linux. Use the Linux OS in a Live session from a CD to use GParted to format the flash drives. They also make tools such as "shred" and "srm" to wipe and load zeros as many times as you want for a file to prevent recovery.
Though to make things easier, Windows 10 will run on VirtualBox with Linux as the main OS. If the Linux machine isn't connected, then neither is Windows in this case. If there's a trial period, you can just save your VirtualBox session as a snapshot after setting up the Windows install. When it comes time for the trial to be over, just keep loading the saved snapshot and open the files you need from a flash drive. I've never used Windows 10 (or will ever), but this method definitely worked when I needed Windows 7 because some software devs are dumbasses.
Also, Linux has software called WINE to run Windows applications that works well enough to run Office 2013 and some modern games (PlayOnLinux). There is also another way to run Windows apps via ReactOS. It's like Windows but open source, except for real open source. The developers are really friendly if you have any questions. Everyone needs a tin foil hat plan whether you think you need it or not. Future wars will be cyber wars and no smart person fights with a dirty gun.
I like the position of this article directly below the exposition of the CIA hacks...
Paai
Are you assuming some exploit that allows someone to connect to your computer and start downloading files just because you have a wireless chipset?
Are you assuming someone snooping sensitive information while you are using a wireless connection?
The way the article is worded I'm going to say it's the former. Ignore it. Focus on actual risks which will come from the other end of your network connection. Don't assume someone can magically and silently convince your computer to act as an access point, connect to it, and then just hand over files. That's bloody difficult enough to do when you specifically want it to happen.
If you're really super paranoid, enable flight mode. That will disable your wireless altogether.
You need to work on those files on a Windows 10 PC that has a wireless chipset built into it.
You have already lost. You have an NSA/CIA-controlled operating system with wireless communications. The NSA/CIA most likely already have your client files.
As suggested by other discussion threads here around:
You can also achieve the same virtually:
"virtually move" the image to an area without any signal.
Windows 10 goes into a VirtualBox VM.
VM has no network.
VM has only CD-ROM (so can read from .iso files you mount) and shared folder (VirtualBox sharing doesn't go through the network, so it's not opening Windows 10 to remote access, at least not without a collaborating host OS).
You can pass the files and necessary application through shared folders and .ISO respectively.
I would suggest avoiding USB pass-through because it's complex to configure in a secure way (default VBox scripts just make all devices visible to any application running with VBox's group credentials).
You achieve the same as moving a Windows 10 laptop to an area without any signal.
(i.e.: No network for Windows 10, no matter what)
But you still get to have an actual connection on your host OS (say a well secured and well kept Linux host).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
If turning off wifi in the system is not secure enough for you (that is, if you are afraid of a targeted attack), don't ask here, but go to some security consultant. There are other attack vectors that you might forget, like a good telescope and a camera in the building over the street. Hint: government contracts in one company I know are handled in a windowless, steel-lined room without any network access on certified HW.
How do you think he does it? I don't know!
authorized USB sticks
Pay attention that the current default behaviour of VBox scripts might open a different kind of vulnerability:
USB pass-through requires that the VBox process has access to the raw USB device.
This is done by the script "/usr/lib/virtualbox/VBoxCreateUSBNode.sh"
it creates the appropriate entries in "/dev/vboxusb/"
granting them full group access for "vboxusers"
Currently this script is called by default by "/etc/udev/rules.d/90-vbox-usb.rules" for any plugged-in device.
That means the raw USB device of *any* USB gizmo is available for *ANY* process that runs with VBox's group credential.
This opens quite a big hole.
(VirtualBox itself then uses a white list so *NOT ALL* devices will be available to the Windows 10 VM, only those that you grant access to.
But it means potentially any USB device could be hacked by any process running with "vboxusers" group privileges).
A better way is to comment out the insertion rules, and only create the devices for the devices that you want to be visible to VirtualBox:
Example of a configuration file that only grants access to a few of my devices that rely on windows-only software for firmware updates
# Only the whitelisted vendor:product pairs get a node under /dev/vboxusb; every other USB device
# stays invisible to the vboxusers group. The usb_device DEVTYPE match stops the rule from also
# firing for the device's USB interfaces, which carry no major/minor numbers. Check which path
# your distribution installs VBoxCreateUSBNode.sh under (/usr/lib/udev/ or /usr/lib/virtualbox/).
# TomTom Live
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="1390", ATTRS{idProduct}=="5454", ACTION=="add", RUN+="/usr/lib/udev/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass} vboxusers"
# iRobot Scooba 450
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="27a6", ATTRS{idProduct}=="0001", ACTION=="add", RUN+="/usr/lib/udev/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass} vboxusers"
# UE MEGABOOM
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="0a53", ACTION=="add", RUN+="/usr/lib/udev/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass} vboxusers"
# The stock catch-all insertion rules, kept here commented out so they are not re-enabled by accident
#SUBSYSTEM=="usb_device", ACTION=="add", RUN+="/usr/lib/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
#SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="/usr/lib/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
# Removal stays unconditional so no stale node is left behind on unplug
SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="/usr/lib/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="/usr/lib/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
Guest Additions are great when they work, but I find sometimes they just don't.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Right?
"Science is the power of man"
Casteism
WHERE do you find an area with no signal?
The whole point is *VIRTUAL*.
The host's virtual manager (e.g.: Virtual Box running on the Host GNU/Linux distro of your choice) is in charge of what happens.
Windows 10 is installed on a virtual machine; that machine has no network device simulated at all, only a shared directory (Note: under VirtualBox, shared directories don't work over the network, but use a dedicated separate API offered by VirtualBox. No need to expose the virtual image to the network in order to exchange data. Windows 10 can't phone home.)
It happens this laptop has wider radio capabilities than wi fi and there is no interface to see what the laptop radio is saying over what frequency,
Again, I'm speaking about a virtual machine. A VM will only have as much functionality as you decide to make available to it.
If that machine has no access to Wifi, nor Bluetooth (well technically to the USB bus on which a Bluetooth device is available. But in practice the result is the same : if you're not passing it to the VM, then the Windows 10 running on the VM can't do much).
The point is to be able to be online without danger, not to be completely isolated. Maybe Win 3.1 was fully isolated, but these new windows do not seem to be able to stop being in permanent conference.
Hence the idea :
- use a normal decent OS to do the actual online work and which has an access to the internet.
- for the things where you absolutely need Windows 10, keep a copy inside a VM that is completely isolated.
Whenever you need *that weird piece of software* that absolutely refuse to work under anything but Windows 10, then you can fire up the Windows 10 VM and run the software.
For everything else, use a "Real Operating System (tm) "
(most Unices will do)
1 - Format PC disk
2 - Install real OS