Slashdot Mirror


Ask Slashdot: How Do You Best Protect Client Files From Wireless Hacking?

dryriver writes: A client has given you confidential digital files containing a design for a not-yet-public consumer product. You need to work on those files on a Windows 10 PC that has a wireless chipset built into it. What can you do, assuming that you have to work under Windows 10, that would make 3rd party wireless access to this PC difficult or impossible? I can imagine that under a more transparent, open-source, power-user OS like Linux, it would be a piece of cake to kill all wireless access completely and reliably even if the system contains wireless hardware. But what about an I-like-to-phone-home-sometimes, non-open-source OS like Windows 10 that is nowhere near as open and transparent? Is there a good strategy for making outside wireless access to a Windows 10 machine difficult or impossible?


  1. Virtualization by hcs_$reboot · · Score: 3, Interesting

    Make a Linux partition via VirtualBox (...), put the encrypted data there through ssh / rsync, encrypt it and keep it encrypted when on disk.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Virtualization by scdeimos · · Score: 5, Informative

      I was going to suggest VirtualBox as well.

      I routinely install Windows into VirtualBox guests that have no virtual LAN adapters configured (i.e.: no network access). The guests can only access: inserted optical discs and/or .iso files; authorized USB sticks; persistent/non-persistent VirtualBox shares.

      The big downside, though, is accelerated graphics:

      • You pay a significant penalty for DirectX under VirtualBox.
      • The video drivers installed with VirtualBox Guest Additions have OpenGL support limited to API Level 2.1, so you can't run anything that requires OpenGL 3 or better.
      • The VBGA OpenGL driver implementation is also really quite flaky. e.g.: Blender won't work with it, but can be made to work if you download the OpenGL Software Driver from the Blender FTP site. Of course this is horribly slow because, you know, no hardware acceleration.
      • Also the VBGA OpenGL drivers are disabled by default for Windows 8 or later guests. You can enable them by running the Guest Additions installer from the command line with switches and/or Registry hacks.
    2. Re:Virtualization by AntiSol · · Score: 2

      Yep, you run win10 in virtualbox on a linux host. You can then disable networking completely or use iptables to restrict access to only the things you need:

      (copy-pasted from a thing I wrote a while back)

      How to make a Windows 10 VM secure with a Linux host

      Simple! Restrict all intarwebs access to everything that you don’t absolutely need:

      1. run virtualbox with the vboxusers group:

      sudo -g vboxusers virtualbox

      2. allow access to the site you want:

      sudo iptables -A OUTPUT -m owner --gid-owner vboxusers -d [ip address] -j ACCEPT

      3. block everything else:

      sudo iptables -A OUTPUT -m owner --gid-owner vboxusers -j DROP

      4. In windows you’ll need to edit c:\windows\system32\drivers\etc\hosts to add an entry for the sites you want, since DNS won’t work. Or you could look at allowing DNS with more iptables rules. But I wouldn’t.

      If you follow these simple steps, you never have to worry about your testing VM reporting everything you do back to Microsoft.

      For extra security, I recommend disconnecting the virtual network cable before you close the VM. That way if you accidentally start it without the vboxusers group it still won’t be able to access the internet.

      If you’re running windows on bare metal in 2015 I have no advice for you, you deserve whatever happens.
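An added example, not part of the post above: a shell check that reads an `iptables -S OUTPUT` listing and confirms the per-group allowlist from steps 2 and 3 is in a working order (destination-scoped ACCEPT rules first, one catch-all DROP for the group last). The function name `audit_vbox_egress`, GID 1001 and the sample addresses are constructed for illustration; the listing normally shows the group as a numeric GID, so that is what the function takes.

```shell
#!/bin/sh
# Added example: audit an `iptables -S OUTPUT` listing for the per-group
# allowlist described above. GID 1001 and the 203.0.113.x / 198.51.100.x
# addresses are constructed sample values.

# audit_vbox_egress GID   (listing on stdin; exit status 0 = policy holds)
audit_vbox_egress() {
  awk -v gid="$1" '
    $1 == "-A" && $2 == "OUTPUT" && $0 ~ ("--gid-owner " gid "( |$)") {
      target = ""; has_dst = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "-d") has_dst = 1
      }
      if (target == "DROP" && !has_dst) { drop_seen = 1; next }
      if (target != "ACCEPT") next
      if (drop_seen)     { print "never reached (after DROP): " $0; bad = 1 }
      else if (!has_dst) { print "ACCEPT with no -d allows all: " $0; bad = 1 }
      else allowed++
    }
    END {
      if (!drop_seen) { print "no catch-all DROP for gid " gid; bad = 1 }
      printf "%d allowed destination rule(s)\n", allowed
      exit bad + 0
    }'
}

# Constructed listing: steps 2 and 3 applied in the intended order.
SAMPLE_OK='-P OUTPUT ACCEPT
-A OUTPUT -d 203.0.113.10/32 -m owner --gid-owner 1001 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j DROP'

# Constructed listing: DROP appended first, so the later ACCEPT is dead.
SAMPLE_BAD='-P OUTPUT ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j DROP
-A OUTPUT -d 198.51.100.7/32 -m owner --gid-owner 1001 -j ACCEPT'

printf '%s\n' "$SAMPLE_OK"  | audit_vbox_egress 1001
printf '%s\n' "$SAMPLE_BAD" | audit_vbox_egress 1001 || echo "policy check failed"

# On a real host (run for ip6tables too, since iptables rules cover IPv4 only):
#   sudo iptables -S OUTPUT | audit_vbox_egress "$(getent group vboxusers | cut -d: -f3)"
```
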

    3. Re:Virtualization by AntiSol · · Score: 2

      Sorry if I offended your inner zealot. I never said or thought virtualbox was the only solution. It's the one I used when I needed to do this. You can use any virtualisation tool you want, even completely proprietary ones like vmware.

  2. Two options immediately suggest themselves: by Chris+Mattern · · Score: 4, Interesting

    1) Don't set up an access point. If you still need an access point, set up an encrypted one (which you should do anyways) and don't give the isolated PC the keys. WiFi isn't magic; if there's no place for it to go, it's not going to go anywhere.

    2) Put a Faraday cage around the antenna. This could be as simple as wrapping it in foil.

    1. Re:Two options immediately suggest themselves: by jonwil · · Score: 3, Insightful

      Shielding the WiFi antenna (or the whole device) is the only way to be sure it's secure.

      You can't trust any software solutions or any hardware on-off switches installed by the manufacturer.

    2. Re:Two options immediately suggest themselves: by bughunter · · Score: 3, Insightful

      "You can't trust any software solutions or any hardware on-off switches installed by the manufacturer."

      Especially if today's Wikileaks dump is true.

      --
      I can see the fnords!
    3. Re:Two options immediately suggest themselves: by peragrin · · Score: 5, Interesting

      Exactly. My Samsung smart TV would randomly turn on the wireless and try to communicate outside. When I first set it up I used wifi, realized how stupid it was and switched it to the wired connection, which then was left unplugged.

      I upgraded my router and was screwing around when I noticed a new device was connecting (I used the same SSID and WPA key in both). After shutting everything down I turned on the TV and checked, wifi off. I turned on wifi and bam. Same MAC address as my mystery guest. That was promptly banned. No wifi for you sneaky TV.

      So even if you give a device access the only way to be sure is to disconnect it thoroughly. And software can be sneaky.

      --
      i thought once I was found, but it was only a dream.
  3. Bios settings by smylie · · Score: 5, Insightful

    Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS. Many also have a physical kill switch on the side of the case.

    Barring some wikileaks sort of tomfoolery from the CIA, this should stop any network access (assuming you also don't plug in a network cable).

  4. Air gap it when data is connected by Yoik · · Score: 2

    Put all the critical files on an external drive that is only plugged in when the system is isolated. Not perfect, but with good hygiene and an innocuous configuration on the base it should be fine.

  5. If you're that paranoid.. by nawcom · · Score: 4, Informative

    .. and disabling the device in Windows 10 or the BIOS isn't enough, then just remove the wireless card. If by PC you mean desktop PC, unless it's a USB wifi chip soldered onto the motherboard, it'll be a typical miniPCIe or M.2 card. Remove it. For laptops a physical switch or hotkey for disabling the wifi card at the firmware level is common, but the same goes for that. They're not soldered onto the board (with some very rare exceptions) - they're miniPCIe or M.2 cards that are removable. Whether they're easily accessible varies by laptop model, but they're still removable.

  6. Problem identification by buss_error · · Score: 4, Informative

    "on a Windows 10 PC": First problem.

    "that has a wireless chipset built into it": Second problem.

    1. Don't work on sensitive issues using Windows of any version. Explore a windows VM under a more secure hypervisor where the guest cannot override the host on hardware or network issues.

    2. Don't work on sensitive issues using a system with communications ability that does not use a verified hardware kill switch. E.g.: Avoid systems that use software to check the hardware switch to disable. Use hardware that uses a hardware switch to either kill power to that subsystem or uses an NMI to prevent function.

    3. Build a Faraday cage room for sensitive work stations. There are government manuals on how to create TEMPEST spaces.

    Sound hard? Somewhat. But then again, security, real security, isn't trivial.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  7. Re:Trump by TWX · · Score: 4, Funny

    Okay, I'll take a shot...

    Maybe that orange mass on his head isn't hair. Maybe it's a finely woven copper Faraday cage.

    --
    Do not look into laser with remaining eye.
  8. airplane mode by lophophore · · Score: 2

    turn on airplane mode.

    Some PCs have a physical switch that turns off all the wireless. If you have one of those, switch it off. Files can be transferred over bluetooth, as well.

    --
    there are 3 kinds of people:
    * those who can count
    * those who can't
  9. unplug the antenna by Doke · · Score: 2

    Most PCs with built in wifi have a couple antennas in the top of the case, connected by wires to a wireless card in a pci-e slot. That's so the antennas get better signal than they could deep inside on the card. It's usually on a card, because wifi standards vary across countries, so it's easier to put in the right card, than to make a new motherboard per region. Open it up, unplug the antenna, and remove the card. If the wireless is actually built in to the motherboard, then unplug the antennas, and wrap insulated tin foil around the card.

  10. Disconnect the antenna, disable the interface by Proudrooster · · Score: 3, Informative

    Just Google the model of the laptop in question and teardown, example, "thinkpad yoga teardown"

    Many laptops still use WIFI+Bluetooth cards which can be physically removed. The antenna wire runs directly to the module and can be removed disabling the antenna if you don't want to pull the module.

    Even the newer Yogas have WIFI modules which can be physically removed.

    So if you want to make outside WIFI access difficult or impossible, remove the module and it will be impossible. Plug the laptop into physical wiring only and secure your network.

    As for running Windows 10, that OS has a mind of its own and the only way you can stop the madness is at the network level.

  11. Re:Employ a conflicting WiFi device by MerlynEmrys67 · · Score: 2

    Don't forget the biggest draw on 2.4GHz Obligatory XKCD

    --
    I have mod points and I am not afraid to use them
  12. Turn on Windows firewall by mysidia · · Score: 2

    As bad as it seems.... turn on Windows Firewall with Advanced Security, and make sure the computer is not joined to a domain, and none of the firewall exceptions are turned on. Open Computer Management, make sure the only enabled users have strong passwords, and set a Setup Password, User Password, and Hard Drive Unlock password in the BIOS/CMOS, turn on the computer's TPM function, and set up BitLocker drive encryption. Shut down the PC fully when you are not physically present at the keyboard.

    What reason in particular do you have to be concerned with 'Hacking over the wireless' again?

    How about you Disable all Wireless NICs, then open Services.msc and set all Wireless-related services to Disabled, then reboot.

  13. First ask yourself, what are you guarding against? by PhunkySchtuff · · Score: 3

    First ask yourself, what are you guarding against?

    What guidelines has the client given you, what expectations do they have?
    There's no point in you being so secure that the machine is virtually useless if the client happily stores these files on Dropbox/Google Drive etc.

    Are you guarding against random drive-by hacking, script kiddies and the like, or are you guarding against an advanced persistent threat?
    If you're guarding against the US Govt then your threat model is very different to if you're simply protecting yourself against casual hacking.

    If you're concerned about an APT, then what level of threat do you expect to face? Is this a competitor's company that has some guy who knows computers? Is it a multinational corporation with a large budget and a cybersecurity team? Is it a nation state? Is it the US Government?

    The answers to those questions will heavily influence the appropriate course of action to take. If you're worried about casual hacking and the client has provided the files to you via Dropbox, then simply don't connect to any open wifi networks and don't connect to any wifi networks you don't know are secure. Make sure the wifi networks use WPA2.
    If however you are concerned that the Govt. is likely out to get to your secrets, and they're specifically targeting you (as opposed to you being caught in a drift net) then you will want to physically disable the wifi, probably by taking the wifi card out of the laptop - it's likely on a small mezzanine card that is usually easily removed with a small Phillips head screwdriver.

  14. Virtual Machines to the Rescue by nns6561 · · Score: 2

    Use a virtual machine to contain Windows 10. Install an operating system and virtual machine software you trust. Disable any wireless interface for that operating system. Put the files in a Windows 10 virtual machine. Do not give the virtual machine access to any wireless interfaces.

  15. move the PC to a virtual area by DrYak · · Score: 2

    As suggested by other discussion threads here around :

    You can also achieve the same virtually :
    "virtually move" the image to an area without any signal.

    I.e.:
    Windows 10 goes into a VirtualBox VM.
    VM has no network.
    VM has only CD-ROM (so can read from .iso files you mount) and shared folder (VirtualBox sharing doesn't go through network, so it's not opening windows 10 to remote access, at least not without a collaborating host OS).

    You can pass the files and necessary application through shared folders and .ISO respectively.

    I would suggest avoiding USB pass-through because it's complex to configure it in a secure way (default VBox scripts just make all devices visible to any application running with VBox's group credentials).

    You achieve the same as moving a Windows 10 laptop to an area without any signal.
    (i.e.: No network for Windows 10, no matter what)

    But you still get to have an actual connection on your host OS (say a well secured and well kept Linux host).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]