I think I finally figured out the function of NAS hardware!

  • I think I finally figured out the function of NAS hardware!

    I have a wireless router with 4 ethernet ports. So I guess I could connect an NAS hard drive to one of those ports and the files would be available to all computers on the network, without having to bother with Windows Workgroups and all of that B.S. Am I right?

    Steve
    The Blue Guitar
    www.blueguitar.org
    Some recordings:
    https://soundcloud.com/sssteeve/sets...e-blue-guitar/

  • #2
    You're right - kind of. Connect a NAS to one of those ports and the NAS will save/serve any files on it to any requester that can produce the correct credentials.

    That last word is the rub. I'm in the testing phase of a FreeNAS machine, having erased the OpenSolaris machine after Oracle turned nasty. You can set FreeNAS to let anybody have access, or to restrict access as needed, preserve space quotas, etc. To do this the simple way on Windows machines, you need to set it up as a CIFS/SAMBA share, and that means that you have to set the NAS up in the Windows workgroup. Otherwise, you will have to go through other rigamarole to set it up as a network shared drive or an NFS drive, with just as much and probably more futzing around with windows accesses.

    Finally, you want your NAS machine to NOT respond to requests outside your local network IP group. This helps in keeping network nasties out of your NAS.

    Data theft is big business. I understand that identity theft alone is bigger in terms of dollars than the worldwide narcotics trade, and so the individual hacker is passing into the twilight as organized crime and national governments (wait! was that redundant??) get into data theft. There are large numbers of machines which do nothing except ply the net looking for vulnerable machines with openings that can be automatically exploited. The first step is to simply not respond outside a "white list". Otherwise, you're going to find mob financial records, spam email bots or kiddie porn eating up your NAS.

    Hmmm. It just struck me that corresponding to my theory of binary parasites (DEA/drug traffickers, antivirus writers/virus writers, etc) that national governments will be sure to keep the data thieves illegal but continuously operating so they have a farm team for the nationalized hackers.

    Great. Sometimes I hate my brain. Now I've depressed myself again.
    Amazing!! Who would ever have guessed that someone who vilified the evil rich people would begin happily accepting their millions in speaking fees!

    Oh, wait! That sounds familiar, somehow.
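
An added example, not part of the post above: one way to check that a NAS is only being reached from the local network, by auditing a connection log against an allowlist of local subnets. The subnets, the `src=` log format and the sample lines are assumptions constructed for illustration, not FreeNAS or Samba output.

```python
import ipaddress
import re

# Assumed home LAN ranges (hypothetical; substitute your own subnets).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "fd00:1234::/64")]

# Constructed sample connection log; the "src=" field format is an assumption.
SAMPLE_LOG = """\
2011-03-02T10:01:07 src=192.168.1.23 share=music user=steve
2011-03-02T10:04:51 src=203.0.113.77 share=music user=guest
2011-03-02T10:05:02 src=::ffff:192.168.1.40 share=backup user=steve
2011-03-02T10:09:13 src=192.168.10.5 share=backup user=admin
2011-03-02T10:11:30 src=fd00:1234::9 share=music user=ken
2011-03-02T10:12:44 src=not-an-ip share=music user=guest
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def is_allowed(src, allowlist=ALLOWLIST):
    """Return True only if src parses as an IP inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # fail closed: anything unparseable is treated as outside
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged by the IPv4 rule.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    # Real subnet membership, not string prefixes: "192.168.10.5" starts with
    # "192.168.1" as text but is not inside 192.168.1.0/24.
    return any(addr.version == net.version and addr in net for net in allowlist)


def audit(log_text, allowlist=ALLOWLIST):
    """Return (line_number, source) for every entry from outside the allowlist."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = SRC_RE.search(line)
        src = match.group(1) if match else "<missing>"
        if not is_allowed(src, allowlist):
            findings.append((lineno, src))
    return findings


if __name__ == "__main__":
    for lineno, src in audit(SAMPLE_LOG):
        print(f"line {lineno}: connection from non-allowlisted source {src}")
```

The restriction itself belongs in the NAS share settings or the firewall; an audit like this only confirms that the restriction is holding.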



    • #3
      rg

      tell us more about your theory!

      ken



      • #4
        I can't. There are these two big guys with badges that *look* like they came from the NSA that stand behind me wherever I go and never say anything, just watch....


        • #5
          Sorry for my late arrival to this thread.

          It's time for the "Just Say No to Wireless" speech.

          If you are at all concerned about keeping anonymous people from accessing your NAS, your network, your personal files, or stealing your internet service or your web identity, then wireless is a pretty dangerous technology to deploy.

          My DSL provider (Verizon/Frontier) recently sent me a new wireless modem/router to replace my really old "dumb modem". They wanted me to "upgrade" because it would make life easier for them. Apparently, it's very difficult for them to service accounts that continue to use the old/legacy/dumb hardware.

          When they sent me the wireless modem/router, I decided to look at it from a security standpoint. I hooked up a PC with a wireless adapter, and scanned the airwaves in permissive mode, looking for the new modem/router. Instead of using the known encryption key and passphrase that I used to set up the modem/router, I decided to try to hack into my own internet connection, simulating the methods that a bad-guy would use to try to hack into my system.

          It turns out that my DSL provider (used to be Verizon, now it's Frontier) uses really crappy, low cost, obsolete WEP encryption technology in their wireless modems. That's the weakest of all wireless encryption standards. It's easily hacked. I downloaded BackTrack and used the wireless cracking tools, and successfully hacked my way into my own router in a matter of minutes. As the software cracked into my wireless router, it also advised me that it found a dozen or so other WANs in my neighborhood, and provided cracked authentication credentials for all of them. I deleted the ones that didn't belong to me.

          The whole process of finding passkeys to every system in my neighborhood only took a couple of hours, listening to wireless connections that weren't in active use. If the systems were in use, the process would only have taken less than a half hour.

          I was very disappointed to learn that my ISP used WEP, the weakest wireless encryption protocol available, and that the modem/router wasn't capable of using any other (non-obsolete) encryption standard. Even worse, the device only works on one channel, so everyone in my neighborhood is competing for bandwidth on the same frequency. This tells me that not only is the wireless connection totally insecure, it's going to slow down due to noise when everyone is transmitting on the same channel.

          The security problem is a significant issue -- someone with cracking software can generate credentials to authenticate on a WEP wireless router in a matter of minutes, and once they've done that, they have LAN level access to your system. It's just as if they've walked into your house and plugged their PC's cable into your LAN.

          This creates a real security nightmare, no matter how good your firewall may be. Once someone has LAN-level access to your system, it's only a matter of time until they brute-force their way into all of your system services using an automated password cracker.

          I threw the free wireless router in the garbage, and I stuck with a wired LAN. Much to my ISP's dismay, I'm still using a 10-year old DSL dumb modem that they're not able to remotely administrate. I kind of like things that way.

          If you plan to place a NAS on a wireless system, bear in mind that anyone who can receive the wireless signal could easily gain unlimited access to your system, and you may never even realize it's happened.
          "Stand back, I'm holding a calculator." - chinrest

          "I happen to have an original 1955 Stratocaster! The neck and body have been replaced with top quality Warmoth parts, I upgraded the hardware and put in custom, hand wound pickups. It's fabulous. There's nothing like that vintage tone or owning an original." - Chuck H



          • #6
            Originally posted by bob p
            My DSL provider (Verizon/Frontier) recently sent me a new wireless modem/router to replace my really old "dumb modem". They wanted me to "upgrade" because it would make life easier for them. ...

            When they sent me the wireless modem/router, I decided to look at it from a security standpoint. I hooked up a PC with a wireless adapter, and scanned the airwaves in permissive mode, looking for the new modem/router. Instead of using the known encryption key and passphrase that I used to set up the modem/router, I decided to try to hack into my own internet connection, simulating the methods that a bad-guy would use to try to hack into my system.
            ...
            The whole process of finding passkeys to every system in my neighborhood only took a couple of hours, listening to wireless connections that weren't in active use. If the systems were in use, the process would only have taken less than a half hour.
            I wonder if the MBA geniuses there have yet figured out that their actions would constitute a great cause of action for contributory negligence in an identity theft case; waivers and disclaimers only apply to informed consent.


            • #7
              Bob: I like to use MAC addresses as well as an encryption key, spelling out the only devices to be recognized. I thought that would be safe but I heard that a hacker could clone a MAC address on your list.

              I've scaled back my NAS plans a bit: my main computer will be connected to the internet via an ethernet cable plugged into a wireless router w/ 4 ethernet jacks. The wireless router will only serve to allow wireless devices to connect to the internet, with no direct connection to my main computer. So with a setup like that will a hacker be able to get into my main computer as you described? (I understand that a good hacker can get into any computer connected to the internet, wired or wireless.)

              Steve

              P.S. My ISP offers a wireless router/gateway if you want to pay extra for it, but it is not recommended or mandatory. It is a cable modem which I understand is less secure than DSL since it is basically like a network with all of your neighbors on the party line...


              • #8
                I've ALWAYS kept wireless routers in a DMZ along with perhaps the network printer, on the networks I've set up at my own place, parents', friends', etc.

                If you want in, you gotta go cable which, if you are working anyways, isn't that big of a problem usually.

                I tried hacking my own network as well. Back when WEP encryption was the standard, it literally took 10 minutes as mentioned before. Now with WPA it's a bit more difficult, but not much. MAC-spoofing is as easy as running a command and typing in the new MAC you want. Your clients' MAC addresses are visible to people not connected to your network, btw.

                I never log in to my bank, PayPal or anything of that sort from a network connection I am not sure of. It sounds paranoid, but in reality it's like using your credit card in some back alley crook's swiper... not safe at all!



                • #9
                  Originally posted by greekie
                  It sounds paranoid, but in reality it's like using your credit card in some back alley crook's swiper... not safe at all!
                  As long as it is a credit card being swiped, the customer is responsible for only the first $50 of unauthorized charges- and most banks will even waive that. However if it is your ATM card you could be in deep doo doo- your account could be cleaned out. I mention that because some people think that if they use their ATM card as a credit card (with the VISA or MC logo) they are also protected. Nope, it is still a debit card even if it is used as a credit card, and you are responsible for all charges until reported to your bank.

                  Thanks for the security tips! Now for another question: If I have my main computer hooked up to a wireless router via an ethernet cable, can an inexperienced hacker get into that computer through a wireless peripheral communicating with the router?

                  Steve


                  • #10
                    I don't have debit cards for precisely the reasons mentioned. I don't even like credit cards. I know ... that makes me look like a nut.

                    MAC spoofing is easy. Most people aren't aware that a wireless user's MAC address is openly broadcast for everyone to hear. Once somebody has caught your MAC address off of the airwaves, it's trivial for them to configure their PC to spoof your MAC address and assume your identity for authentication with the WAP (wireless access point); the net result is that if you have a DHCP server that assigns IP addresses on your LAN based on MAC address, or a firewall that limits traffic based on a MAC address, these security measures are easily thwarted.

                    It's a good idea to put your wireless modem/router in a DMZ, but that only offers a finite level of security enhancement. The problem is that even if you have your WAP in a DMZ, you are still vulnerable. It's easy enough for anyone to gain access to your WAP, and once they're on your WAP they are on the DMZ subnet of your LAN. DMZ access means that they have unlimited LAN-level access to your internet connection, and all of their surfing activity will be traced to your IP address. Everything that they do on the Internet traces back to you. They also have LAN-level access to the DMZ side of your firewall. If your firewall allows routing of any privileged traffic between the DMZ and your LOC (local subnet), they have an unlimited amount of time to listen and sniff packets, and to brute force their way into LOC authentication. You definitely don't want to allow any services to route packets between the DMZ and the LOC subnet.

                    Many people believe that a consumer-grade appliance-type firewall/router will save them. It won't. I use a consumer-grade firewall/router as the first line of defense behind my DSL modem, and I keep a commercial-grade firewall/router in series, behind the appliance firewall, to protect LOC. The commercial-grade unit has logged all sorts of unauthorized traffic that has gotten past the properly configured consumer-grade appliance-type firewall routers. Unfortunately, the consumer-grade devices aren't 100% reliable.

                    Bottom line: everything that has a persistent internet connection can be hacked, so to defend yourself, you want to make it difficult for someone to gain persistent access to an interface on your system. The solution can be as simple as keeping wireless turned off when you're not actively using it, to decrease its availability to the outside world. Better yet, just say "no" to wireless, and use a wired connection instead. You're much better off from a security standpoint if you require all connections to be made by coming into the house and physically plugging a wire into your hub/switch. Pulling wires through the house isn't all that hard, and it's definitely worth the effort.


                    • #11
                      Originally posted by Steve A.
                      Now for another question: If I have my main computer hooked up to a wireless router via an ethernet cable, can an inexperienced hacker get into that computer through a wireless peripheral communicating with the router?
                      It depends on what you mean by "experienced" and "inexperienced." There are some truly powerful cracking systems out there that enable a total newbie to have the kind of hacking power that used to lie in the domain of experts. Today, cracking packages are widely available and they are automated. Download something like backtrack, and an inexperienced hacker can learn to perform expert level hacks in an afternoon.

                      The worst case scenario answer has to be "Yes".

                      If someone has wireless access to your router, they have an infinite amount of time to try to exploit any weaknesses that it may have. For this reason, it's best to disable the wireless portion of your router if you're not actively using it. When I called VZ tech support and complained about the hack-ability of their hardware, they offered to tell me how to access the "walled garden" features of the wireless modem/router, to turn off the wireless access point. That rendered the wireless portion of the wireless router non-functional, so that I basically had a wired modem/router. Because the control features could be accessed via wireless, I decided not to use it.


                      • #12
                        Originally posted by R.G.
                        I wonder if the MBA geniuses there have yet figured out that their actions would constitute a great cause of action for contributory negligence in an identity theft case; waivers and disclaimers only apply to informed consent.
                        without a doubt, Verizon chose the low bid supplier. they made a conscious decision that low cost hardware was more important than wireless security for their customers. it would be right for someone harmed by that decision to bite back at them. i'm sure that the MBA-types calculated the cost involved for a customer to prosecute the ISP in an identity theft case, and determined that it didn't present them with significant risk.


                        • #13
                          i think it is important to remember the actual risks involved, and the probabilities of those risks being exploited.

                          just as in physical home security, it is impossible to make something utterly impregnable. however, if you make it much, much harder to infiltrate than the guy next door, then you have probably done your job.

                          the bottom line is that a cyber thief/crook is not likely to spend an inordinate amount of time hacking your network just to get a single identity--there are far bigger fish to fry.

                          and yes, i too do this for a living.



                          • #14
                            Originally posted by kg
                            the bottom line is that a cyber thief/crook is not likely to spend an inordinate amount of time hacking your network just to get a single identity--there are far bigger fish to fry.

                            and yes, i too do this for a living.
                            Hmmmm... I never once suspected that you were a cyber thief/crook.