[vox-tech] Laptop WiFi Security

Micah J. Cowan micah at cowan.name
Tue Apr 25 09:32:51 PDT 2006


On Tue, Apr 25, 2006 at 07:46:18AM -0700, Bob Scofield wrote:
> I have two questions about WiFi security in laptops.  (I don't have a laptop 
> that allows me to do much WiFi, but I'm interested in these issues anyway.)
> 
> If a person uses a WiFi connection at an airport, hotel, coffee house, etc. 
> clearly the connection is not encrypted.  I have been told that if you use an 
> open connection, someone can get into your hard drive.  That is, a hacker 
> could read your files.  This leads me to ask two questions.
> 
> 1)  One computer professional told me that the solution to the problem is to 
> have firewall software on your laptop.  He recommends Zone Alarm for Windows, 
> but my interest is Linux.  I know that SuSE comes with a firewall.  My first 
> question is:  Is there a firewall package for Debian?

Just because you have no firewall, doesn't mean that they can get into
your system (this has generally been a /lot/ more true for Linux than
for Windows). A firewall /is/ a good idea, and I recommend you put one
in place--but as a solution to the problem that connections are not
encrypted, it's bullshit. A firewall will not encrypt your connections.

The problem isn't so much that attackers could get into your system (you
should be protecting against this regardless. Not running telnet or
insecure rsh, using ssh for all remote access, not using important ssh
passwords on public machines, are all important parts of protecting your
machine).

The problem is that attackers can see everything that goes to and from
your computer. If it's financial information, or passwords, etc., that's
not a good thing.

WEP helps a little, but it only slows an attacker down (and that only a
little). It is unknown to me (not a regular 802.11 user) whether a
better mechanism has become mainstream; in any event, the best solution
is to be acutely aware that the connection between you and your WiFi
provider is totally public; and act accordingly (i.e., ensure that
anything important is heavily encrypted).

> 2)  The second question is whether there is *any* merit in the following idea 
> I thought of.  Suppose you had a laptop  that had a major Windows partition, 
> and a major Linux partition on it.  Suppose you also put a second very small 
> Linux partition on it.  The small Linux partition would be used exclusively 
> for e-mail and web surfing at open WiFi connections.  
> 
> Fstab would be configured on the small partition so that the major Linux 
> partition could *not* be mounted.  But the fstab on the major partition could 
> be configured so that the small Linux partition could be mounted.  So any 
> e-mail or stuff downloaded through an open WiFi connection could be copied 
> over to the main Linux partition when the latter was booted.
> 
> Would such a set up protect the files in the main Linux partition when the 
> small partition was booted and being used with an open WiFi connection?  I 
> suppose one problem with such a Baroque set up would be that the password you 
> use for e-mail on the small Linux partition would still be subject to theft 
> by a hacker.

A hacker won't be able to "view" your password on any Linux partition,
provided you don't send it over the wire in the clear.

Speaking of which: many (most?) ISPs still let you send cleartext
passwords. If you're using IMAP or POP3, and you're not using them over
SSL, and you don't have some box that looks something like "use secure
authentication" checked, you're sending your password in the clear. You
don't need to be on WiFi for that to be insecure.

Using WiFi isn't really that much different from using a regular network
connection. An attacker near you can sniff packets. So can anyone on the
same physical network as you, or anyone on the same network as any
machine between your machine and the one you're talking to. The basic
issues governing communication on both mediums are pretty much the same
(and yes, using Windows (or an insecure Linux) without a firewall can be
very insecure on your cable or DSL modem, too: that's where botnets come
from). The main differences are that there are some authentication
mechanisms for WiFi that you should always try to use if you have
control over the WAP (not for communication security, but to keep people
from sharing your link without your permission); and that it's somewhat
easier to be "on the same network" as you in the case of WiFi.

> So is there any value in this type of set up?

Perhaps a little, but IMO not nearly enough to justify doing this. The
truth is, if an attacker does gain any access whatever to any partition,
you're doing something wrong. Were an attacker to actually gain enough
access to view arbitrary files on a partition, it's extremely likely
that same attacker can see your other partitions as well. So no, I
wouldn't bother.

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
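
An added example, not part of the original message: a small Python audit of a mail client's own POP3/IMAP debug log that reports the commands which put a password on the wire before TLS was active, which is the condition the reply describes. The `C: `/`S: ` log format, the `audit` function and the sample sessions are constructed for illustration; digest-style logins such as APOP are not flagged because the password itself is not sent.

```python
# Added example: audit a client-side POP3/IMAP log for cleartext passwords.
# Verbs that send a reusable password as-is unless TLS is already active.
PLAIN_VERBS = {"pop3": {"USER", "PASS"}, "imap": {"LOGIN"}}
# SASL mechanisms that carry the password itself (base64 is not encryption).
PLAIN_SASL = {"PLAIN", "LOGIN"}
STARTTLS_VERB = {"pop3": "STLS", "imap": "STARTTLS"}
AUTH_VERB = {"pop3": "AUTH", "imap": "AUTHENTICATE"}


def audit(transcript, protocol, implicit_tls=False):
    """Return client lines that exposed a password; implicit_tls = port 995/993."""
    tls = implicit_tls
    pending_starttls = False
    findings = []
    for raw in transcript:
        side, _, line = raw.partition(": ")
        words = line.split()
        if not words:
            continue
        if side == "S":
            # TLS starts only once the server accepts the upgrade request.
            ok = words[0] == "+OK" if protocol == "pop3" else words[1:2] == ["OK"]
            if pending_starttls and ok:
                tls = True
            pending_starttls = False
            continue
        # IMAP commands carry a leading tag ("a1 LOGIN ..."); POP3 ones do not.
        args = words[1:] if protocol == "imap" else words
        if not args:
            continue
        verb = args[0].upper()
        if verb == STARTTLS_VERB[protocol]:
            pending_starttls = True
        elif not tls and (
            verb in PLAIN_VERBS[protocol]
            or (verb == AUTH_VERB[protocol] and args[1:2]
                and args[1].upper() in PLAIN_SASL)
        ):
            findings.append(line)
    return findings


# Constructed sample sessions (user name, password and digest are made up).
POP3_PLAIN = ["S: +OK ready", "C: USER bob", "S: +OK", "C: PASS hunter2", "S: +OK"]
POP3_STLS = ["S: +OK ready", "C: STLS", "S: +OK Begin TLS",
             "C: USER bob", "S: +OK", "C: PASS hunter2", "S: +OK"]
POP3_APOP = ["S: +OK ready <1.2@mail.example>",
             "C: APOP bob 0123456789abcdef0123456789abcdef", "S: +OK"]
IMAP_PLAIN = ["S: * OK ready", "C: a1 LOGIN bob hunter2", "S: a1 OK"]
```

Calling `audit(POP3_PLAIN, "pop3")` lists the `USER` and `PASS` lines, while the same session with `implicit_tls=True` or after an accepted `STLS` returns an empty list.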

