Does having wifi enabled open laptop to security threats?

Discussion in 'other security issues & news' started by David Molesworth, Apr 4, 2006.

Thread Status:
Not open for further replies.
  1. David Molesworth

    David Molesworth Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    1
    I often use my work laptop (running Windows XP) at home. I believe my home ADSL wifi router is reasonably secure using WPA-PSK, a lengthy key, non-broadcast SSID, MAC address filtering and enabled router firewall functions.

    I've been told that, irrespective of how secure my router is, I can't enable wifi on my laptop as it would open it up to security threats. Hackers could effectively access my laptop if I enabled wifi.

    Is this concern reasonable? How likely would such an attack be?
     
  2. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    As with any security issue, it's a question of risk vs. convenience. If you live in a rural area, WiFi security is less of an issue than it would be in a city centre. Also, your router will likely be the focus of an attack, if at all, rather than your laptop, so securing your router the way you have done is sensible.

    That said, you should be able to configure your laptop's WiFi card so that it will only connect via 'infrastructure' networks (i.e., via a router or WAP), denying ad hoc connections with other computers. It can't then easily be compromised by a hacker roaming around with a laptop.

    Assuming you manage your WiFi card via Windows' Wireless Zero Configuration service, go to Network Connections in your Control Panel, right-click your WiFi card and choose the properties command from the pop-up menu. Now go to the "Wireless Networks" page of the properties window and press the "Advanced" button. Select the "Access point (infrastructure) networks only" option and OK your way out.

    If you manage your WiFi card using a 3rd party utility, you should find the same facility there.
     
  3. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    All that you have done on your laptop makes it impossible for hackers (at the moment, since WPA is unbreakable with a good key) to hack your laptop. May I recommend that you broadcast your SSID and turn off MAC filtering, since it does NOT improve security and only hinders maintenance of your network and your devices attempting to connect to your network.

    I also would recommend using a good firewall to prevent any network attacks from other PCs; Windows Firewall is sufficient.

    Alphalutra1
     
  4. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Actually, no. The WPA-PSK settings, etc, apply only to WiFi access on a single network - i.e., that managed by his home router.

    When not connected to his home network, the WiFi card on his laptop is not protected by WPA-PSK and - unless you make the configuration change I described above - it is susceptible to ad hoc attacks (should there be any).
     
  5. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Yeah, but if he has a firewall, then who cares, since no one can connect to his laptop ;)

    Alphalutra1
     
  6. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Now that is an entirely different matter. But consider this ... if a firewall is configured to block all internal LAN communication, then the laptop will simply not work on the LAN. The usual way of setting things up is to (a) configure the firewall to permit local file and print sharing (and the desired internet access), and (b) create shares on the laptop that restrict what other LAN users can access. Then, keep nothing of value in the accessible shares.

    So, whenever the laptop is away from the protection of the router, if the laptop is compromised via WiFi only the files in the shared resources can be accessed, so limiting any damage.

    In fact, if you use a laptop at multiple locations, I would recommend you take a look at a product called MultiNetWorkManager, here. Among lots of other useful features, this enables you to define a set of 'location profiles' which you can switch to easily at any time. One feature of mnm's profiles allows you to define what shares are to be made available, for instance. Another allows you to enable or disable a network adapter. So you could switch to an "away from home" profile, say, to close all shares and disable your WiFi adapter when not at home.
     
  7. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Actually, configuring file and print sharing is not needed on a LAN to be able to connect. I don't let my comp be accessed by anything and all I need to enable is DHCP from my router, which cannot be transformed into something malicious.

    Also, firewalls, when used properly, do not allow file and print sharing for every network/internet connection. That would be pointless. Instead, firewalls allow file and print sharing based on IP addresses. That is why you can have file and print sharing allowed for your LAN, but not have people hacking your computer when you put your computer in the DMZ.

    Your way of setting up is not secure at ALL. If you allow file and print sharing (thus opening up NetBIOS ports, which are 137-139, and TCP port 445) then any hacker can use the several exploits to compromise your system and infect you. That is why you MUST use and configure your firewall to only allow file sharing based on IPs, and then disable those rules when you are not in your network, which takes one click ;)

    Alphalutra1
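
An added illustration, not part of the thread: a simplified model of how a firewall exception for the file and print sharing ports discussed above (137-139, 445) behaves under different source scopes as a laptop moves between networks. The scope names, addresses and scenarios are constructed assumptions, not any product's rule syntax.

```python
import ipaddress

# File and print sharing ports named in the thread: NetBIOS 137-139, SMB 445.
SHARING_PORTS = (137, 138, 139, 445)

def rule_admits(scope, laptop_iface, source_ip):
    """True if a sharing exception with this scope admits source_ip.

    scope: "off" (exception disabled), "any", "subnet" (whatever subnet the
           laptop is on right now), or a fixed CIDR such as "192.168.1.0/24".
    laptop_iface: the laptop's current address/prefix on that network.
    """
    source = ipaddress.ip_address(source_ip)
    if scope == "off":
        return False
    if scope == "any":
        return True
    if scope == "subnet":
        return source in ipaddress.ip_interface(laptop_iface).network
    return source in ipaddress.ip_network(scope)

# Constructed scenarios: (laptop address on that network, another host there).
SCENARIOS = {
    "home LAN":             ("192.168.1.20/24", "192.168.1.30"),
    "hotspot, other range": ("10.0.5.17/24",    "10.0.5.99"),
    "hotspot, same range":  ("192.168.1.44/24", "192.168.1.77"),
}

def exposure(scope):
    """Map each scenario to whether the other host can reach the sharing ports."""
    return {name: rule_admits(scope, iface, peer)
            for name, (iface, peer) in SCENARIOS.items()}

def safe_when_away(scope):
    """True only if no host on an away-from-home network is admitted."""
    return not any(ok for name, ok in exposure(scope).items()
                   if name != "home LAN")

if __name__ == "__main__":
    for scope in ("any", "subnet", "192.168.1.0/24", "off"):
        print(f"{scope:15} ports {SHARING_PORTS}: {exposure(scope)}")
```

A "subnet" scope follows the laptop onto whatever network it joins, and a fixed private range can coincide with the range a hotspot hands out, so in this model only the disabled exception keeps the ports closed on every away network.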
     
  8. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Huh? Connect to what? The internet? If so, then yes - you're right, but I am not talking about that, rather I am considering the general situation in which a computer is part of a local network. The original poster (OP) has a work computer which he is using at home. In that case file and print sharing is almost certainly needed and permitted.

    Again, this is fine provided you have a standalone computer as you obviously do. This is not the case with the OP.

    Correct. What's your point?

    No-one is talking about placing a computer into the DMZ.

    Wrong. Read the words I actually wrote:

    I have emphasised local - you appear to have missed that. I would never advocate enabling file/print sharing on a WAN connection, of course, and I don't understand why you are implying otherwise.

    If you know what you're doing, it is easy enough to disable 'those rules' when using the WinXP SP2 Firewall (by unticking exceptions - which takes a few clicks, anyway), but it is not so easy with many personal firewalls. That's where software like MultiNetworkManager can make such things a breeze.

    In conclusion, it seems you are thinking from the viewpoint that everyone has a single computer connected to the internet via a router. You need to think somewhat differently when considering other scenarios, such as when computers are part of a LAN and/or used at multiple locations.
     
  9. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Nope, I don't. I just don't want any infected PCs on my LAN that aren't under my control infecting me.

    Same thing as accessing another WAP or the internet from another LAN.


    Then why go through the fuss as if his entire computer is open to hackers from this line:

    Why should you even allow access in the first place? That is the dumbest thing I have heard...

    Name a firewall in which it is hard to disallow this. I have tried many (ZoneAlarm, both versions of Kerio, Sygate, CHX-I, Look 'n' Stop, Outpost, etc.) and all of them have very easy ways of disabling ONE rule in about TWO clicks.

    Why pay for what your firewall does just as easily? Big waste of money.

    No, I never have presented this conclusion. I have multiple computers, and travel with my PCs to MULTIPLE locations with MULTIPLE PCs connected to a router.

    If you need any help configuring your firewall (which you don't seem to understand very well), just ask and I will help. I will also save you a fee that is not necessary ;)

    Alphalutra1
     
  10. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Alphalutra1,

    It seems that, for whatever personal agenda you have here, you are hell bent on twisting my words and extracting 'meaning' which just is not there. It is clear that you don't really understand the security issues involved (as evidenced from the very beginning, by your assertion that configuring WPA-PSK on one router would protect a laptop wherever it might be), and your subsequent tortuous, circular arguments you put forward in an apparent attempt to cover that fact.

    So be it. I won't allow you to patronise me, nor create an argument out of nothing, so do everyone a favour and go elsewhere, right? (not that you will, of course, as I suspect you are not man enough to back out now). I will not be interacting with you again in this thread.
     
  11. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
    Just had to weigh in here.....

    - I think everything Alphalutra1 wrote was sound advice.

    - I've never known Alphalutra1 to have "an agenda." That's just wrong.

    - When he was talking about WPA-PSK protection, he was talking about at home in context of the OP.

    - I didn't read any "patronizing" by Alphalutra1.

    - Inviting Alpha to "go elsewhere," is ridiculous. He is a valuable member here.

    - I found your posts to be much more antagonistic and aggressive than alpha's posts.

    Maybe you've just had a bad day?

    -----securityx-----
     
  12. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Thanks securityx for your support and I apologize to spm for sounding malicious and "hellbent" on bending your words. I was just trying to talk about the issue presented, and as securityx suggested, I was talking about WPA-PSK only at home in context to his own AP in the first post.

    Just to let you know, my friends think I would be a good lawyer :p

    Cheers and sorry about any offense,

    Alphalutra1
     