Talk:End-user Computer Security/Main content/Wireless Communications

Add information about using Faraday cages/shields and/or aluminium foil as shields to shield unwanted wireless communications?
I suggest that such information on Faraday cages/shields be added to this chapter as well as to the "What to do when you discover your computer has been hacked?" chapter. See here for information about this.

Wrapping mobile phones and smart cards that have RFID technology in aluminium foil is apparently a way to prevent certain kinds of tracking that could constitute security compromises. Such information can also perhaps be added to this chapter. See also the note here written in respect of such methods for the storage of computing devices.

VPN over free WiFi may be a good idea sometimes? Re. §"Shared WiFi"
Whilst Essex police's advice was not to use free WiFi for anything you wouldn't want a stranger to see, if you use a VPN (virtual private network) for your internet access over free WiFi, there probably is nothing to worry about, apart from people knowing that you are using a VPN. It seems that the VPN would conceal from people with security access to the free WiFi exactly what you were doing, apart from the fact that you were using a VPN. In certain circumstances, using such free WiFi in such ways may be preferred if adversaries are targeting you based on the internet connection easily associated with your name (whether that be at your office, at your home address, tied to your mobile phone number, or otherwise in easy association with your name).

Having an intermediate device for the internet connection might be more secure?
Rather than your main computing device directly connecting to the internet, perhaps using smartphone tethering (for the internet connection) or similar might induce greater security. To improve security potentially even more, all communications tech (such as WiFi+Bluetooth cards) can be physically removed from your main computing device. Such greater security at least partly works on the principle of isolating the hardware used for your communications. When instead the hardware is within your main device and "known" to the other system components, malware in all the different firmware and dis(c|k)s, as well as "maltech" in the hardware, can potentially "piggy-back" over the communications tech to cause high damage to your computing: the attack surface is effectively larger, and the potential of such attacks is also much higher because of the integrated nature of computer systems. For perhaps even more security, use the intermediate device for downloading files that are then simply copied over using the OS's standard file-system copy operations. Such is probably more secure, but may still be open to attack if the main device has malware able to interfere with such copy operations.

A USB dongle for WiFi or mobile broadband can count as such an intermediate device. Increased security is perhaps attained because the potential damage caused by malware over the USB interface is perhaps much less than the damage caused by a wireless communications PCI card over the PCI interface, which is 'within' the computer architecture (wireless tech embedded in SoC tech may be even worse). Additional security can perhaps be attained by configuring the ordinary (that is, non-firmware) software and drivers used for USB communication to be safer than usual (to perhaps act a bit like a firewall). USB is not the only alternative interface, and there may be other alternative communications interfaces that provide even greater security.

Such an intermediate device is similar to a hardware firewall, as well as a proxy server. If a trusted smartphone can be set up to mimic the functionality of a hardware firewall and/or proxy server, then using such a smartphone as the intermediate device for a main computer's internet connection could provide very good security. If the smartphone were set up as a proxy server, this would perhaps provide strong audit functionality if the server were able to read the HTTPS traffic streams unencrypted (configuring such "spying" capability seems to be possible, see here). Such auditing could also be coded so as to "quarantine" any communication detected as suspicious until human intervention provided the go-ahead to let such communication out of "quarantine" and onwards to its destination, a bit like how antivirus software works. One potential weakness in such a system might be that all the TLS (Transport Layer Security, which uses cryptography-based security certificates) security for the user might occur on the main computing device without any double-checking of its correctness. This could mean, for example, that bogus TLS certificates might be deceptively used by malware on the main device for certain communications, which are then open to MITM attacks. To mitigate against this, the intermediate device ought to perform all the TLS functionality for communication from and to the main device (a bit like how the Nitrokey product works?), or the intermediate device ought to confirm that all cryptography operations either side of it were legitimate (i.e. that bogus security certificates were not used, etc.). Some brief research about such a set-up has indicated that probably there's no technology product out there to do these things, so perhaps this might end up being something of a new invention.
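As an added illustration of the decision logic such an intermediate device could run (example code written for this talk page, not part of the chapter or any product mentioned above), the sketch below terminates TLS on the intermediate device, compares each server certificate against a pin stored there rather than on the main device, and holds plaintext or unvetted destinations in a quarantine queue until a human releases them. Host names, certificate bytes and fingerprints are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded server certificates, as the
# intermediate device would see them when it terminates TLS itself.
GOOD_CERT = b"constructed DER: CN=shop.example.test"
BOGUS_CERT = b"constructed DER: CN=shop.example.test (forged)"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, the value an operator pins per host."""
    return hashlib.sha256(cert_der).hexdigest()

# Pins live on the intermediate device, so malware on the main device
# cannot change what is trusted (constructed host name).
PINS = {"shop.example.test": fingerprint(GOOD_CERT)}

@dataclass
class Flow:
    host: str
    port: int
    tls: bool
    cert_der: bytes = b""   # empty when the flow is not TLS

@dataclass
class Gateway:
    pins: dict
    quarantine: list = field(default_factory=list)

    def decide(self, flow: Flow) -> str:
        """Return 'allow', 'block' or 'quarantine' for one outbound flow."""
        if not flow.tls:
            # Plaintext is readable on the network: hold for human review.
            self.quarantine.append(flow)
            return "quarantine"
        pinned = self.pins.get(flow.host)
        if pinned is None:
            # Unknown destination: not vetted yet, so hold it too.
            self.quarantine.append(flow)
            return "quarantine"
        if fingerprint(flow.cert_der) != pinned:
            # Certificate differs from the pin: treat as a bogus
            # certificate / MITM attempt and do not let it out.
            return "block"
        return "allow"

    def release(self, index: int, approved: bool) -> str:
        """Apply the human go-ahead (or refusal) to a quarantined flow."""
        self.quarantine.pop(index)
        return "allow" if approved else "block"

def demo() -> list:
    gw = Gateway(pins=PINS)
    results = [
        gw.decide(Flow("shop.example.test", 443, True, GOOD_CERT)),   # allow
        gw.decide(Flow("shop.example.test", 443, True, BOGUS_CERT)),  # block
        gw.decide(Flow("cdn.example.test", 443, True, GOOD_CERT)),    # quarantine
        gw.decide(Flow("news.example.test", 80, False)),              # quarantine
    ]
    results.append(gw.release(0, approved=True))                      # allow
    return results
```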

Interestingly, if, on the other hand, your main device is trusted but the smartphone or dongle used for supplying the internet is not trusted, you can piggy-back over the security of the TLS encryption system (by, for example, only using the internet over HTTPS connections) to safely use the internet. Such piggy-backing relies on the aspect that encryption can be leveraged so as to safely use potentially-compromised equipment. See the "Dealing with the situation where you want to work with potentially security-compromised equipment/software" note for more about this.

While these ideas particularly resonate with respect to providing an alternative to built-in wireless internet connections, they also apply to some extent to the provision of alternatives for built-in wired internet connections. In this regard, I'm not so sure whether this chapter on wireless communications is the right place for these ideas.