Re: can they hack into my computer?
- From: Jose Rodriguez <josec.rodriguez@xxxxxxxxx>
- Date: Tue, 19 Jun 2007 19:38:26 +0100
Jeff Liebermann wrote:
Jose Rodriguez <josec.rodriguez@xxxxxxxxx> hath wroth:
[...] [A] determined hacker could enter your computer via the
wireless and pull out some emailed bank statements, credit card
payment statements, saved passwords, and whatever else looks
interesting. At wireless speeds, they could copy most of the junk
under My Documents and various email depositories fairly quickly, and
inspect them at their leisure. [...]
That's serious, but for that to work you have to leave things opened and clear; I would only store passwords in an encrypted format and a rather obscure location. And at least online banking is made through a secure connection, isn't it?
There are multiple levels of protection. The most obvious is to
encrypt the wireless traffic so that nobody enters your LAN in the
first place. That's the WPA and WPA2 encryption.
However, if someone can enter via wireless, what other defenses do you
have? If you have shared folders, are they open to anyone to read or
are they password protected? Do you have intrusion detection software
running? Do you use encrypted folders (XP Pro only)? Are the
documents themselves encrypted? Can they be copied, even if they are
encrypted?
The last is fairly important. Most people assume that a document with
simple encryption is safe. That really depends on the level of
encryption and the time allowed. The encryption used may be
relatively secure if I had a limited amount of time to recover the
key. However, if I can copy the encrypted file to my own machine, I
can do a brute force or better crack at my leisure. That would
require a more secure system. I've also found that most users tend to
use the same password for ALL their encrypted documents, so cracking
one will usually crack them all. Note the number of "password
recovery" programs and services available:
<http://www.crackpassword.com>
<http://www.lostpassword.com>
etc.
My personal solution is to NOT store anything of value on the machine.
The really important stuff is on a removable USB thumb drive. It's
also encrypted, password protected, and backed up with a copy
somewhere. Not ideal, but with the whole neighborhood on my
neighborhood wireless LAN, it's prudent.
I totally agree, when I said "I would" I meant exactly that, i.e. that I would do it that way if I had to. An online banking password stored in your computer is probably a way of looking for potential trouble. On the other hand, being realistic, I don't think that anybody would scan my hard drive to afterwards do a brute force attack on some suspiciously encrypted strings of text trying to find out whether they find anything interesting--unless they were pretty sure that they could find it, which is obviously not the case, for I am not (and I don't look like) a very wealthy person. Applying the same reasoning, I don't hold (and I don't look like doing so) any extra important and sensitive information somebody could make any profit out of. Let's face it, for average Joe--like myself--some of the precautions available out there are overkill. The same, obviously, does not apply to the corporate world, and knowing how to protect your digital data is, in any case, highly recommendable.
I guess that's one of the reasons why Linux is inherently more secure than Windows--software comes from digitally signed, official repositories, for instance.
Nope. There are distributions that come that way, but most of the
stuff I run isn't. The stuff I've seen that is signed, is self
authenticating and does not use an independent certificate authority.
Therefore, it could be forged. Improbable, but possible.
A similar issue arose on another list when somebody asked how reliable, in terms of security, SE Linux can possibly be, given that it was first developed by the NSA. I agree with some of the opinions given there in that, at the end of the day, you will always have to rely on somebody unless you develop your own OS and your own software--and you don't connect to the internet unless you have your own ISP business, FWIW. I don't know what you run, but there is a qualitative difference between installing something that came from an official signed repository (yes, you have to rely on, say, Debian developers) and running the last supercool screensaver or useless utility (as many Windows users do, not to talk about warez). Another point is the difference between open source vs closed one. I'll give you an example: some time ago I downloaded and installed VMWare and it all went fine, but I found the advertising mail they used to send me somewhat annoying. At some point I installed Samba to share files between my Linux and my virtual XP machine, with the consequence of receiving an e-mail immediately afterwards selling me the goodness of VMWare products connected through Samba servers...I may be seeing ghosts here, I don't know.
Spot on, I guess, but how many users don't do anything about anything with their systems? I myself, when on Windows, used to close down everything I could to avoid potential risks, as well as keeping a bare minimum set of security standards like setting separate unprivileged accounts, firewall, antivirus, antispyware and so on, and yet didn't bother to set up WPA till a couple of weeks ago out of pure laziness and ignorance.
The major difference between Linux and Windoze security is philosophy.
Linux usually comes secure by default with all the security features
enabled on installation. If you want to do something disgusting, then
you have to do it intentionally. Windoze is built for user
convenience and requires the user to implement and apply security. At
least that's the way they started. Both extremes found that they had
to compromise somewhat in order to make their products usable. Linux
is becoming more permissive on installation and Windoze at least
implements basic password security on installation. Since there's no
"right answer", the issue will continue to be a moving target. Also,
just because the vendor delivers a product that's more convenient than
secure, doesn't mean you have to perpetuate the mistake.
Unfortunately, the wireless router industry has done the worst
possible thing. Most wireless routers are wide open and totally
insecure on installation. Open the box, plug it in, and in most
cases, it will function. That's a great OBE (out of box experience)
but doesn't make for a very secure system. Eventually, someone will
sue a wireless router manufacturer for damages resulting from the
false perception of security, and things might change. Meanwhile,
only 2-wire has gotten the clue and delivers their routers secure by
default. Again, just because the router manufacturers deliver
insecure products, doesn't mean that you have to perpetuate the
mistake.
One terrific example of a worst-case scenario I know of takes place in Spain. Company X sells these nice wireless routers that it provides with its internet package. User Y believes he's safe because it came with encryption, and that sounds cool. What Y probably does not know is that the default ssid of every X router is something like "WLAN ZW", being ZW, if I remember correctly, the last two digits of the router's MAC address, and being the WEP key a combination of the ssid and the whole MAC. Forget about injecting, deauth, statistical attacks whatsoever: one single data packet gathered gives you the key after an extremely quick dictionary search. I'd be quite angry if I was with company X.
Regards
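The quoted point about copied files and reused passwords, worked through as an added example that is not part of the original thread: once an encrypted document is copied, only the password space and the cost of each guess limit an offline search, and a per-file salt does not help when every file shares one password. The function names, the PBKDF2 parameters and the attacker hash rate used here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_key(password, salt, iterations):
    # Slow password-based key derivation: every guess costs `iterations` hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def protect(password, iterations=200_000):
    """Build the header stored beside an encrypted document (hypothetical layout)."""
    salt = os.urandom(16)  # fresh per document
    key = derive_key(password, salt, iterations)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}

def opens(record, password):
    """True if `password` derives the key this document was protected with."""
    key = derive_key(password, record["salt"], record["iterations"])
    candidate = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, record["check"])

def years_to_exhaust(alphabet, length, hashes_per_second, iterations):
    """Worst-case time to try every password of one length against a copied file.

    hashes_per_second is an assumed figure for the hardware doing the guessing.
    """
    guesses_per_second = hashes_per_second / iterations
    return alphabet ** length / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample: two documents protected with the same password.
    doc_a = protect("tuesday1", iterations=1000)
    doc_b = protect("tuesday1", iterations=1000)
    print("headers differ:", doc_a["check"] != doc_b["check"])
    print("one password opens both:", opens(doc_a, "tuesday1") and opens(doc_b, "tuesday1"))
    for length in (8, 12):
        for iterations in (1, 200_000):
            years = years_to_exhaust(26, length, 1e9, iterations)
            print(f"{length} lowercase letters, {iterations} iterations: {years:.3g} years")
```

The salt makes the two headers differ, so they cannot be searched with one precomputed table, but a single recovered password still opens both; password length and iteration count are what stretch the search time.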