wifi file sharing security

  #1  
Old 14-06-2009
hiprakhar's Avatar
Member
 
Join Date: Dec 2008
Location: delhi
Posts: 5
wifi file sharing security

Hi friends,

hope you are in the best of your healths.

Here it goes- I have a desktop and a laptop sharing a common internet.
The desktop is "wired" to router and laptop is connected via "wifi" to
same router.

I also share files and data between the 2 computers over LAN (not
internet). And I have allowed root sharing of the drives in both
computers.

What more can I do to secure my files and data while sharing between
the 2 systems and also from the internet??????

It's working fine. The problem is, the people next door are smart. So I
want adequate security measures to prevent misuse of my internet
connection and access to my files and data on both computers to
outsiders.

Measures already taken:
1) I have enabled WPA2 only wireless security to router, given a
strong password
2) changed the default username and password of the router, to a very
strong one.

__________________
visit- http://quantalive.googlepages.com

Last edited by hiprakhar : 14-06-2009 at 10:46 PM.
  #2  
Old 15-06-2009
Bruce Chambers
 
Posts: n/a
Re: wifi file sharing security

hiprakhar wrote:
> Hi friends,
>
> hope you are in the best of your healths.
>
> Here it goes- I have a desktop and a laptop sharing a common internet.
> The desktop is "wired" to router and laptop is connected via "wifi" to
> same router.
>
> I also share files and data between the 2 computers over LAN (not
> internet). And I have allowed root sharing of the drives in both
> computers.
>
> What more can I do to secure my files and data while sharing between
> the 2 systems and also from the internet??????
>
> It's working fine. The problem is, the people next door are smart. So I
> want adequate security measures to prevent misuse of my internet
> connection and access to my files and data on both computers to
> outsiders.
>
> Measures already taken:
> 1) I have enabled WPA2 only wireless security to router, given a
> strong password


Good

> 2) changed the default username and password of the router, to a very
> strong one.
>
>


Also good

The three most basic wireless security precautions, none of which
you've mentioned:

1) Disable SSID broadcasting. This makes it harder for outsiders to
detect your network.

2) In addition to changing the wireless router's default admin username
and password, change all of the default IP addresses, both the default
DHCP server address and the DHCP range used.

3) Enable MAC filtering, so only computers that *you* specify by MAC
Address can connect to the router.


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot

  #3  
Old 15-06-2009
Leythos
 
Posts: n/a
Re: wifi file sharing security

In article <#9pFMBS7JHA.1716@TK2MSFTNGP03.phx.gbl>,
bchambers@cable0ne.n3t says...
> 1) Disable SSID broadcasting. This makes it harder for outsiders to
> detect your network.
>

....
>
> 3) Enable MAC filtering, so only computers that *you* specify by MAC
> Address can connect to the router.
>


Taken from a security advisor's site:

MAC filtering: This is like handing a security guard a pad of paper with
a list of names. Then when someone comes up to the door and wants entry,
the security guard looks at the person's name tag and compares it to his
list of names and determines whether to open the door or not. Do you see
a problem here? All someone needs to do is watch an authorized person go
in and forge a name tag with that person's name. The comparison to a
wireless LAN here is that the name tag is the MAC address. The MAC
address is just a 12 digit long HEX number that can be viewed in clear
text with a sniffer. A sniffer to a hacker is like a hammer to a
carpenter except the sniffer is free. Once the MAC address is seen in
the clear, it takes about 10 seconds to cut-paste a legitimate MAC
address in to the wireless Ethernet adapter settings and the whole
scheme is defeated. MAC filtering is absolutely worthless since it is
one of the easiest schemes to attack. The shocking thing is that so many
large organizations still waste the time to implement these things. The
bottom line is, MAC filtering takes the most effort to manage with zero
ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as "SSID hiding". You're only hiding
SSID beaconing on the Access Point. There are 4 other mechanisms that
also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms
are; probe requests, probe responses, association requests, and re-
association requests. Essentially, you're talking about hiding 1 of 5
SSID broadcast mechanisms. Nothing is hidden and all you've achieved is
cause problems for Wi-Fi roaming when a client jumps from AP to AP.
Hidden SSIDs also makes wireless LANs less user friendly. You don't need
to take my word for it. Just ask Robert Moskowitz who is the Senior
Technical Director of ICSA Labs in his white paper Debunking the myth of
SSID hiding.


--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)
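
The five SSID-carrying frame types listed in the post above, as an added Python example that is not part of the original thread: it parses constructed 802.11 management frames and reports which subtypes still carry the network name when the access point has beaconing of the name disabled. The SSID `homenet`, the MAC addresses and the zeroed fixed fields are made-up sample values.

```python
# Added illustration: every frame below is constructed sample data, not a capture.
MGMT_HEADER_LEN = 24  # frame control, duration, 3 addresses, sequence control

# Management subtypes that carry an SSID element -> (name, bytes of fixed
# fields between the header and the tagged elements), per IEEE 802.11.
SSID_BEARING = {
    0x0: ("association request", 4),     # capability, listen interval
    0x2: ("reassociation request", 10),  # same plus current AP address
    0x4: ("probe request", 0),
    0x5: ("probe response", 12),         # timestamp, beacon interval, capability
    0x8: ("beacon", 12),
}


def parse_ssid(frame: bytes):
    """Return (subtype name, SSID or None) for an SSID-bearing management
    frame; return None for any other or too-short frame."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    frame_type = (frame[0] >> 2) & 0x3   # 0 = management
    subtype = (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype not in SSID_BEARING:
        return None
    name, fixed_len = SSID_BEARING[subtype]
    pos = MGMT_HEADER_LEN + fixed_len
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            break  # truncated element
        if elem_id == 0:  # SSID element
            # A zero-length or all-zero SSID means the name is withheld
            # (non-broadcasting AP) or is a wildcard probe.
            if not any(value):
                return name, None
            return name, value.decode("utf-8", errors="replace")
        pos += 2 + elem_len
    return name, None


AP = bytes.fromhex("020000000001")    # constructed, locally administered MAC
STA = bytes.fromhex("020000000002")   # constructed client MAC
BROADCAST = b"\xff" * 6
RATES = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element


def build(subtype, src, dst, fixed, ssid):
    """Assemble a minimal management frame for the sample set."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + AP + b"\x00\x00"
    return header + fixed + bytes([0, len(ssid)]) + ssid + RATES


SAMPLE_FRAMES = [
    build(0x8, AP, BROADCAST, bytes(12), bytes(7)),   # beacon, name zeroed out
    build(0x4, STA, AP, b"", b"homenet"),             # client probes by name
    build(0x5, AP, STA, bytes(12), b"homenet"),       # AP answers with the name
    build(0x0, STA, AP, bytes(4), b"homenet"),        # association request
    build(0x2, STA, AP, bytes(10), b"homenet"),       # reassociation request
]


def ssid_exposure(frames):
    """Map each SSID-bearing subtype seen to the SSID it carried (or None)."""
    seen = {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed:
            seen[parsed[0]] = parsed[1]
    return seen


if __name__ == "__main__":
    for name, ssid in ssid_exposure(SAMPLE_FRAMES).items():
        print(f"{name:22} {ssid!r}")
```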

  #4  
Old 16-06-2009
Bruce Chambers
 
Posts: n/a
Re: wifi file sharing security

Leythos wrote:
> In article <#9pFMBS7JHA.1716@TK2MSFTNGP03.phx.gbl>,
> bchambers@cable0ne.n3t says...
>> 1) Disable SSID broadcasting. This makes it harder for outsiders to
>> detect your network.
>>

> ...
>> 3) Enable MAC filtering, so only computers that *you* specify by MAC
>> Address can connect to the router.
>>

>
> Taken from a security advisor's site:
>
> MAC filtering: This is like handing a security guard a pad of paper with
> a list of names. Then when someone comes up to the door and wants entry,
> the security guard looks at the person's name tag and compares it to his
> list of names and determines whether to open the door or not. Do you see
> a problem here? All someone needs to do is watch an authorized person go
> in and forge a name tag with that person's name. The comparison to a
> wireless LAN here is that the name tag is the MAC address. The MAC
> address is just a 12 digit long HEX number that can be viewed in clear
> text with a sniffer. A sniffer to a hacker is like a hammer to a
> carpenter except the sniffer is free. Once the MAC address is seen in
> the clear, it takes about 10 seconds to cut-paste a legitimate MAC
> address in to the wireless Ethernet adapter settings and the whole
> scheme is defeated. MAC filtering is absolutely worthless since it is
> one of the easiest schemes to attack. The shocking thing is that so many
> large organizations still waste the time to implement these things. The
> bottom line is, MAC filtering takes the most effort to manage with zero
> ROI (return on investment) in terms of security gain.
>



No security precaution can ever be 100% effective against a determined,
knowledgeable bad guy with malicious intent.

However, all the OP wants to do is stop his neighbors from stealing
his bandwidth. How many people in your neighborhood have sniffers? I'd
wager that, if asked, a few of them might think a sniffer is a glass for
serving brandy.


> SSID hiding: There is no such thing as "SSID hiding". You're only hiding
> SSID beaconing on the Access Point. There are 4 other mechanisms that
> also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms
> are; probe requests, probe responses, association requests, and re-
> association requests. Essentially, you're talking about hiding 1 of 5
> SSID broadcast mechanisms. Nothing is hidden and all you've achieved is
> cause problems for Wi-Fi roaming when a client jumps from AP to AP.
> Hidden SSIDs also makes wireless LANs less user friendly. You don't need
> to take my word for it. Just ask Robert Moskowitz who is the Senior
> Technical Director of ICSA Labs in his white paper Debunking the myth of
> SSID hiding.
>
>



I said nothing about "SSID hiding." I advised turning off the
broadcast, and I know exactly what it does. Again, we're discussing a
household LAN, here. How many access points do you have in your house?
(And this is stimulating and turning off SSID broadcasts might cause
problems for a roaming client. I know from first hand experience that
it doesn't, if the clients are properly configured.)


You might want to have CompTIA revamp their Security+ course work and
exams then.


--

Bruce Chambers

  #5  
Old 16-06-2009
Leonard Grey
 
Posts: n/a
Re: wifi file sharing security

"I'd wager that, if asked, a few of them might think a sniffer is a
glass for serving brandy."

That's a snifter.
---
Leonard Grey
Errare humanum est

  #6  
Old 16-06-2009
hiprakhar's Avatar
Member
 
Join Date: Dec 2008
Location: delhi
Posts: 5
Re: wifi file sharing security

Quote:
Originally Posted by Leonard Grey
"I'd wager that, if asked, a few of them might think a sniffer is a
glass for serving brandy."

That's a snifter.
---
Leonard Grey
Errare humanum est

Thanks a lot Leonard and Bruce. I've already got the hint that both of you are friendly and intelligent. We can get things better if we start collaborating.

I applied MAC filtering yesterday after Bruce told. And it took less than a minute. I agree with Leonard that MAC spoofing is like a piece of pancake. But then it really does not require "effort" so I don't care for ROI, since something is always better than nothing.

However I figured out that WPA uses strong encrypting algo (courtesy:wiki) and has been just hacked once that too in lab (wiki might be wrong though). So I think uses a strong key secures in the first hand.

Turning off SSID broadcast was a pain. Just when I disabled it (in my DLink DIR-300 router), the connection failed, and I wasn't able to detect it in the windows wifi catcher. I tried using the previous wifi profile to connect but it didn't work. And as the internet was disabled too, I could not use internet help. So I had to reset the router. So really turning the SSID off is less user friendly.

I need to ask one more thing about file sharing security. I have a laptop and a Desktop and I do seamless data sharing between them through the wifi router. Now I want to add more computer to the same router loop, but I DON'T WANT IT to be able to access the files on my laptop or desktop. (It should access only internet)

The person on the 3rd computer can easily figure out the ip of both of my computers using the "ipconfig /all" and enter it to explorer to access my files.

How can I avoid this??? I require that the files should not be accessible unless a password authentication is done.

Please help.

  #7  
Old 16-06-2009
Leythos
 
Posts: n/a
Re: wifi file sharing security

In article <#1iz8Ki7JHA.1424@TK2MSFTNGP02.phx.gbl>,
bchambers@cable0ne.n3t says...
> However, all the OP wants to do is stop his neighbors from stealing
> his bandwidth. How many people in your neighborhood have sniffers? I'd
> wager that, if asked, a few of them might think a sniffer is a glass for
> serving brandy.
>


Bruce, I only left the above part of your reply because it's important
to address the idea that somehow a HOME computer doesn't warrant the
protection that an office computer would.

In many cases, in every neighborhood, you will find people running home
businesses, doing their finances, keeping identity information on their
computers. While a BUSINESS makes a very large target, a home network
makes a very nice target because they don't EXPECT to be hit or
attacked, they are just a home network, the idea is flawed.

As for what my neighbors have, well, when I was a teen, many decades
ago, people used to think the same thing - they are only kids, or it's
only a modem....

Why should we, as professionals, not advise people of ALL of the
security issues related to securing their machines?

  #8  
Old 16-06-2009
hiprakhar's Avatar
Member
 
Join Date: Dec 2008
Location: delhi
Posts: 5
Re: wifi file sharing security

[some typos have been removed in this post]

Thanks a lot Leonard and Bruce. I've already got the hint that both of you are friendly and intelligent. We can get things better if we start collaborating.

I applied MAC filtering yesterday after Bruce told. And it took less than a minute. I agree with Leonard that MAC spoofing is like a piece of pancake. But then it really does not require that "effort" so I don't care for ROI, since something is always better than nothing.

However I figured out that WPA uses strong encrypting algo (courtesy:wiki) and has been just hacked once that too in lab (wiki might be wrong though). So I think using a strong key secures me in the first hand.

Turning off SSID broadcast was a pain. Just when I disabled it (in my DLink DIR-300 router), the internet connection failed, and of course I wasn't able to detect it in the windows wifi catcher. I tried using the previous wifi profile to connect but it didn't work. And as the internet was disabled too, I could not use internet help either. So I had to reset the router. Really, turning the SSID off proved less user friendly.

I need to ask one more thing about windows file sharing security. I have a laptop and a Desktop and I do seamless data sharing between them through the wifi router. Now I want to add more computers to the same router loop, but I DON'T WANT REST OF THEM to be able to access my files on my laptop or desktop. (they should be limited to access only internet)

The person on the 3rd computer can easily figure out the ip of both of my computers using the "ipconfig /all" and enter it to his explorer to access my files. Even my MAC address.

I think one of the solutions can be that the files (on my lap & desk) should not be accessible unless a password authentication is done. How to do this? Any better solution?

Please help.

Last edited by hiprakhar : 16-06-2009 at 10:27 PM. Reason: some typos
  #9  
Old 17-06-2009
John Wunderlich
 
Posts: n/a
Re: wifi file sharing security

hiprakhar <hiprakhar.3tvvvb@DoNotSpam.com> wrote in
news:hiprakhar.3tvvvb@DoNotSpam.com:

> I need to ask one more thing about windows file sharing security.
> I have a laptop and a Desktop and I do seamless data sharing
> between them through the wifi router. Now I want to add more
> computers to the same router loop, but I DON'T WANT REST OF THEM to
> be able to access my files on my laptop or desktop. (they should
> be limited to access only internet)
>
> The person on the 3rd computer can easily figure out the ip of
> both of my computers using the "ipconfig /all" and enter it to his
> explorer to access my files. Even my MAC address.
>
> I think one of the solutions can be that the files (on my lap &
> desk) should not be accessible unless a password authentication is
> done. How to do this? Any better solution?
>
>


You can't keep Computer 3 from accessing the shares, but you can set
permissions on *users* of other computers (including Computer 3) from
accessing files on the computers with shared files.
Under XP, this can be done by disabling Simple File Sharing and setting
up permissions for your shares. This means that the two computers that
you don't want the user on the 3rd to access must be running XP Pro.
Given that, simply follow Microsoft's instructions:

"How to configure file sharing in Windows XP"
<http://support.microsoft.com/kb/304040>

The following article tells you how to set permissions on shared
folders to only allow those that you choose to have access. Skip down
to the section "Setting Permissions on a Shared Folder":

"How to disable simple file sharing and how to set permissions on a
shared folder in Windows XP"
<http://support.microsoft.com/kb/307874>

HTH,
John

  #10  
Old 17-06-2009
hiprakhar's Avatar
Member
 
Join Date: Dec 2008
Location: delhi
Posts: 5
Re: wifi file sharing security

Thank you so much John!!!

  #11  
Old 17-06-2009
Bruce Chambers
 
Posts: n/a
Re: wifi file sharing security

Leonard Grey wrote:
> "I'd wager that, if asked, a few of them might think a sniffer is a
> glass for serving brandy."
>
> That's a snifter.



Guess I proved my own point, inadvertently, huh?


--

Bruce Chambers
