Ask Slashdot: How Do You Best Protect Client Files From Wireless Hacking?
dryriver writes: A client has given you confidential digital files containing a design for a not-yet-public consumer product. You need to work on those files on a Windows 10 PC that has a wireless chipset built into it. What can you do, assuming that you have to work under Windows 10, that would make 3rd party wireless access to this PC difficult or impossible? I can imagine that under a more transparent, open-source, power-user OS like Linux, it would be a piece of cake to kill all wireless access completely and reliably even if the system contains wireless hardware. But what about an I-like-to-phone-home-sometimes, non open-source OS like Windows 10 that is nowhere near as open and transparent? Is there a good strategy for making outside wireless access to a Windows 10 machine difficult or impossible?
Make a Linux partition via VirtualBox (...), put the encrypted data there through ssh / rsync, encrypt it and keep it encrypted when on disk.
Slashdot, fix the reply notifications... You won't get away with it...
1) Don't set up an access point. If you still need an access point, set up an encrypted one (which you should do anyways) and don't give the isolated PC the keys. WiFi isn't magic; if there's no place for it to go, it's not going to go anywhere.
2) Put a Faraday cage around the antenna. This could be as simple as wrapping it in foil.
Most (all excluding Apple?) laptops will allow you to turn off / disable the wireless chipset in the BIOS. Many also have a physical kill switch on the side of the case.
Barring some wikileaks sort of tomfoolery from the CIA, this should stop any network access (assuming you also don't plug in a network cable).
.. and disabling the device in Windows 10 or the BIOS isn't enough, then just remove the wireless card. If by PC you mean desktop PC, unless it's a USB wifi chip soldered onto the motherboard, it'll be a typical miniPCIe or M.2 card. Remove it. For laptops a physical switch or hotkey for disabling the wifi card at the firmware level is common, but the same goes for that. They're not soldered onto the board (with some very rare exceptions) - they're miniPCIe or M.2 cards that are removable. Whether they're easily accessible varies by laptop model, but they're still removable.
"on a Windows 10 PC"
First problem.
"that has a wireless chipset built into it"
Second problem.
1. Don't work on sensitive issues using Windows of any version. Explore a windows VM under a more secure hypervisor where the guest cannot override the host on hardware or network issues.
2. Don't work on sensitive issues using a system with communications ability that does not use a verified hardware kill switch. E.g.: Avoid systems that use software to check the hardware switch to disable. Use hardware that uses a hardware switch to either kill power to that subsystem or uses an NMI to prevent function.
3. Build a Faraday cage room for sensitive work stations. There are government manuals on how to create TEMPEST spaces.
Sound hard? Somewhat. But then again, security, real security, isn't trivial.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Okay, I'll take a shot...
Maybe that orange mass on his head isn't hair. Maybe it's a finely woven copper Faraday cage.
Do not look into laser with remaining eye.
Just Google the model of the laptop in question and teardown, example, "thinkpad yoga teardown"
Many laptops still use WIFI+Bluetooth cards which can be physically removed. The antenna wire runs directly to the module and can be removed disabling the antenna if you don't want to pull the module.
Even the newer Yogas have WIFI modules which can be physically removed.
So if you want to make outside WIFI access difficult or impossible, remove the module and it will be impossible. Plug the laptop into physical wiring only and secure your network.
As for running Windows 10, that OS has a mind of its own and the only way you can stop the madness is at the network level.
First ask yourself, what are you guarding against?
What guidelines has the client given you, what expectations do they have?
There's no point in you being so secure that the machine is virtually useless if the client happily stores these files on Dropbox/Google Drive etc.
Are you guarding against random drive-by hacking, script kiddies and the like, or are you guarding against an advanced persistent threat?
If you're guarding against the US Govt then your threat model is very different to if you're simply protecting yourself against casual hacking.
If you're concerned about an APT, then what level of threat do you expect to face? Is this a competitor's company that has some guy who knows computers? Is it a multinational corporation with a large budget and a cybersecurity team? Is it a nation state? Is it the US Government?
The answers to those questions will heavily influence the appropriate course of action to take. If you're worried about casual hacking and the client has provided the files to you via Dropbox, then simply don't connect to any open wifi networks and don't connect to any wifi networks you don't know are secure. Make sure the wifi networks use WPA2.
If however you are concerned that the Govt. is likely out to get to your secrets, and they're specifically targeting you (as opposed to you being caught in a drift net) then you will want to physically disable the wifi, probably by taking the wifi card out of the laptop - it's likely on a small mezzanine card that is usually easily removed with a small Phillips head screwdriver.
Specialist Mac support for creative pros, Melbourne
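Added example, not part of any comment in the thread: a read-only PowerShell audit to run after disabling the wireless chipset in the BIOS or pulling the card, listing every Wi-Fi, cellular and Bluetooth device Windows 10 still sees and whether it is active. The function name Get-WirelessRadioReport and the report layout are made up for this example; the cmdlets are the standard NetAdapter, PnpDevice and service cmdlets.

```powershell
# Added example: read-only audit of wireless radios on a Windows 10 PC.
# Run from an elevated PowerShell prompt; it changes no settings.

# NDIS physical-medium codes that indicate a radio.
$RadioMedia = @{ 1 = 'Wireless LAN'; 8 = 'Wireless WAN'; 9 = 'Native 802.11'; 10 = 'Bluetooth' }

function Get-WirelessRadioReport {
    $findings = @()

    # 1. Network adapters, including hidden ones, whose medium is a radio.
    foreach ($nic in Get-NetAdapter -IncludeHidden) {
        $medium = [int]$nic.NdisPhysicalMedium
        if ($RadioMedia.ContainsKey($medium)) {
            $findings += [pscustomobject]@{
                Kind    = $RadioMedia[$medium]
                Name    = $nic.InterfaceDescription
                State   = $nic.Status
                # 'Disconnected' still means the radio is enabled and can associate.
                Concern = $nic.Status -notin 'Disabled', 'Not Present'
            }
        }
    }

    # 2. Bluetooth devices that are present and started (may not appear as a NIC).
    $bt = Get-PnpDevice -Class Bluetooth -PresentOnly -ErrorAction SilentlyContinue
    foreach ($dev in $bt) {
        $findings += [pscustomobject]@{
            Kind = 'Bluetooth (PnP)'; Name = $dev.FriendlyName
            State = $dev.Status; Concern = $dev.Status -eq 'OK'
        }
    }

    # 3. WLAN AutoConfig service: Windows needs it to join any Wi-Fi network.
    $svc = Get-Service -Name WlanSvc -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Kind = 'Service'; Name = 'WlanSvc (WLAN AutoConfig)'
            State = "$($svc.Status), start type $($svc.StartType)"
            Concern = $svc.Status -eq 'Running'
        }
    }
    $findings
}

$report = Get-WirelessRadioReport
$report | Format-Table -AutoSize -Wrap
if (-not $report) { 'No wireless hardware is visible to Windows.' }
elseif ($report.Concern -contains $true) { 'At least one radio or the WLAN service is still active.' }
else { 'All wireless devices visible to Windows are disabled.' }
```

The report only reflects what the operating system enumerates, so it confirms a BIOS disable or card removal took effect from Windows' point of view; it is not a substitute for the physical checks discussed in the comments.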