1

Is there any danger of any of my computer's files being read or changed (mainly - infected by malware) in the following scenario (I'm using Windows 7):

  • I have file sharing turned off (in "advanced sharing settings").
  • I connect to a public wireless network (such as at a restaurant), and surf the web.

Assuming: No vulnerabilities are exploited on the web browser (or its plugins etc.).

This is a question about dangers of connecting to the router itself. Can someone on the same network access my computer?

This is not about anyone sniffing my passwords or what websites I'm visiting. Let's assume I just Google "StackExchange" and then disconnect. Is that safe?

ispiro
  • 773
  • 1
  • 7
  • 18
  • @TildalWave Thanks. Googling didn't uncover that question. I will, however, point out that most of what is said in the answers there is not really to the point - they're talking about sniffing. – ispiro Jan 09 '14 at 14:14
  • Do yourself a favor and install HTTPS Everywhere plugin for your browser. Then don't authenticate with any online service that doesn't use HTTPS and the certificate for it checks out. Don't even try to open those you might be automatically signed into via a browser cookie, to prevent session hijacking. Also select "Public Access Point" when you connect to the newly detected AP, and always check web browser's address where you landed at, if router isn't trusted it might still serve you phishing sites (either the address won't match, or the certificate won't). – TildalWave Jan 09 '14 at 14:15
  • BTW, there are loads of other similar threads here, just search for ["wifi public"](http://security.stackexchange.com/search?q=%5Bwifi%5D+public). I selected one as a possible dupe, because I can't multiple and I don't have the time to read through all of them (again) to see which one would fit your question the best. But there's ample advice already given, if you browse through them yourself. ;) – TildalWave Jan 09 '14 at 14:19
  • @TildalWave Most of those answers (though not necessarily the questions) do _not_ answer my question. As well as your previous comment. I'm not saying it isn't useful information. Thank you for it. _But_ - your comment and those answers refer to different risks (phishing, sniffing, etc.). _Not_ of anyone browsing my files. And, again, thanks for input. – ispiro Jan 09 '14 at 14:23
  • About "not browsing your files" kinda is answered also here in my comments, and also in some of the answers to linked questions - select "public" for your network connection. It will disable all file sharing and related protocols on Win7. Just don't select "office" or "home network", and you'll be fine regarding unwittingly sharing your files. Assuming no other infection, of course. – TildalWave Jan 09 '14 at 14:27
  • @TildalWave Yes. Your comment to Peleus's answer is actually very much to the point. You can transform your comment into an answer. I'd actually like to see if other experts here agree with you or Peleus. – ispiro Jan 09 '14 at 14:30

5 Answers5

5

Safe is a big word, and depending on how tempting of a target you are, achieving it in public might not be possible. XKCD #538 - Security that's rather popular here explains this pretty well:

                           enter image description here

Ideally, if you don't really have to connect to public access points, you wouldn't. But since this often isn't the case, and you still might...

So first order of business should be minimizing your network footprint. You mention in comments that you're using Windows 7. Your operating system will ask you how trusted is the network you are connecting, when you'll be establishing a new connection. It will remember your selection for the next time, so you might want to pay attention when connecting to public Wi-Fi routers next time (if that's the case, select the AP you're connected to in the list, left-click and select "forget"... I think it's something like this IIRC), in case you marked it as more trusted than you ought to. But if you select "Public network", your operating system will automatically disable any unsafe protocols, like e.g. "File and printer sharing for Microsoft Networks", turn on firewall (in case it was turned off before), reset the list of approved firewall exceptions, and do a few other things to prevent any file sharing from happening unwittingly:

    enter image description here

Selecting this option, this connection will only communicate through TCP/IP protocols (IPv4 and IPv6), so assuming no other infection already present on your computer, or later infected through a malicious website, you should stay as safe as the websites you browse and your actions there are. Of course, you shouldn't neglect a chance of a Man-in-The-Middle (MiTM) attack, redirecting your requests to a phishing location, or modifying website responses, so don't ever authenticate with a website using HTTP (non-secure connection), and don't even open them if you expect to be authenticated automatically through a saved web browser user session (cookies), to prevent session hijacking. Ideally, you'd clear your browser cookies (browser history) before opening any previously saved bookmarks or other sites you might be logged in to.

Install HTTPS Everywhere browser extension, only authenticate or send other sensitive information when a secure connection with a website is established via HTTPS, the displayed website location matches the one you expected (mind tiny, hard to spot changes in the address), and the certificate for that website address is valid (browser doesn't report any errors). Usual caution applies, and following these recommendations doesn't guarantee your safety, if you then browse untrusted websites.

But assuming you didn't manually enable networking protocols for your wireless connection, and you're not infected from before, just staying connected to untrusted Access Point (AP) won't put you at risk of unwittingly sharing your files. Something (an infection, user intervention,...) would have to enable any of the required networking protocols for your Wi-Fi connection first, or an infection would have to transmit your local data through enabled ports and using enabled protocols (so TCP/IP only), for that to even be possible.

Oh, and be cautious of shoulder surfing in public places, public AP or not. And that doesn't go merely for people ogling your keyboard as you type passwords, this goes for cameras too, visible or otherwise. Type with one hand and use the other over the fingers of your typing hand, or cover it otherwise. Better yet, don't rely on typing your passwords at all and use multifactor authentication (e.g. combination of biometric readers, typed passwords and smart card stored authentication keys - i.e. something you are, something you know, and something you have), or at least a decent password manager for your authentication needs to avoid typing as much as possible. Most hacking in public areas is opportunistic (yes, that phrase opportunity makes a thief is still valid), and if you make it a bit harder for the attacker, he will likely rather try and find another, easier victim instead.

TildalWave
  • 10,801
  • 11
  • 46
  • 85
  • 1
    Try to use voting, rather than saying thanks - it's just the preferred method on SE, as it contributes to a user's reputation – Owen Jan 09 '14 at 15:24
  • @Owen :) . If you're serious - of course I upvoted. – ispiro Jan 09 '14 at 16:00
  • I have all options in **Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings** off. Do I really still need to make it a public network? (I actually have all my networks public anyway. Just to be on the safe side. But still wondering.) – ispiro Jan 09 '14 at 16:09
  • You're not "making your network public" by using that option. With it, you're telling your OS that the "network you're connecting to" is public, i.e. untrusted. And yes, it's a good practice to "tell" the OS as well that the connection isn't trusted, let it do whatever it can to prevent you from unwittingly doing something that would lower your security, even if that means asking you annoying questions more often. It's really easy to forget what you previously allowed it to do. – TildalWave Jan 09 '14 at 16:13
  • @TildalWave Yes, I know. I meant: Doesn't making a network public simply turn off those sharing options? (- making it redundant in my case because they're all off anyway) – ispiro Jan 09 '14 at 16:17
  • By the way - an OP is not notified of comments to answers. So I get notified only if you add the "@ispiro". – ispiro Jan 09 '14 at 16:18
  • OK. I see you edited your comment. You can ignore my comment about redundancy. – ispiro Jan 09 '14 at 16:19
  • @ispiro I would recommend the "public" profile, since Windows Firewall will (or at least can) have other rules configured around public vs private. It's not just those two settings, although admittedly they control some of the most sensitive Windows services. – itscooper Jan 09 '14 at 16:46
3

No, it's not safe.

Any time you're connecting to public wifi you're joining a network of potential attackers. It's possible you have other ports open which the attackers could exploit and gain system access.

Unlikely, but possible.

Peleus
  • 3,827
  • 2
  • 19
  • 20
  • If he's on anything above Windows XP, he'll be asked on connecting to a new AP how trustworthy is the router. All he has to do is to select "Public Access Point" and he won't be joining any network at all, all network protocols except TCP/IP (ver. 4 and 6) will be disabled for the connection. And even on XP, he could simply uncheck all other protocols for his Wi-Fi adapter. So saying he'll be "joining a network" is a bit moot. There are other, on average more worrying threats, if he's not using HTTPS. – TildalWave Jan 09 '14 at 14:11
  • @TildalWave Using Windows 7. – ispiro Jan 09 '14 at 14:19
0

'Safe' is too subjective a term.

For instance, if you literally connected, Googled some random phrase and disconnected, the chances are that you haven't even been connected long enough for anything to happen, but you still might. If your machine has the 'right' issues with security, and the network has an attacker/automated attack for those issues, and launches it quick enough then you aren't safe.

Unless of course there is nothing to lose by having your machine comprimised. If your machine also contains no useful data and you wipe it afterwards, you're more or less safe, although even then you may have contracted a rootkit.

This continues almost ad infinitum, you can't alleviate every threat without spending considerable time on it, like a full time job, so just having good security practices and awareness is the best approach, IMO.

Owen
  • 1,076
  • 5
  • 9
0

No connection to any shared network is safe at all, as long as your are connected to a network that is not 100% encrypted throught a VPN or something like this consider that someone can spoof DNS on the local network someone, can exploit blacksheep session...

It's true also on Wifi where everybody share the same key at least in WEP (tel me for WPA) but I think also.

As long as you connect to a network wired or Wifi with a same key with unknown and untrusted individuals then you can consider your connection as unsafe.

Kiwy
  • 323
  • 1
  • 13
0

To focus specifically on how the machine can be compromised directly, rather than via someone sniffing etc...

The risk of someone being able access files on your computer is increased with each service that you make available on the network. Typically, on a private network that you trust, Windows makes certain services available such as SMB/CIFS for file sharing, NetBIOS, RPC, Remote Desktop etc. Other software packages that you have installed may also provide services that are available on the network. These require you to open networking ports on certain protocols (e.g. TCP, UDP etc). The Windows Firewall (or a 3rd party firewall) controls inbound connections to restrict access to your computer.

These available services can all potentially be attacked, and an attacker would often look for services that are subject to existing vulnerabilities. For example, there are a number of vulnerabilities from over the years that affect the Windows file-sharing service (SMB), which can be fixed by updating your operating system (if they become public, Microsoft are usually quite good at providing patches quickly). However, if your operating system is outdated and you enable file-sharing on an untrusted network, an attacker might be able to exploit and gain access to your system.

The following actions will reduce the likelihood of someone gaining access:

  • Keep your operating system and other software packages up-to-date, reducing the chances that they have known vulnerabilities.
  • A nice strong, unique Windows password to eliminate someone guessing it or figuring it out (just in case you do leave RDP or SMB open one day - added layer of security).
  • For the public profile, turn off Network Discovery and File and Printer Sharing in Advanced sharing settings. This will cause Windows Firewall to automatically block these types of connections.
  • Turn on Windows Firewall.
  • Select the "Public Network" profile when connecting to any new untrusted network.
  • Anti-Virus on and up-to-date.

These are reasonable steps to take in order to lower the risk associated with untrusted networks, although they do not provide a guarantee. Whilst they disable key sensitive Windows services, you may have software installed that has added its own firewall rules, and could potentially be exposing itself. An example would be if you're running something like a VNC server.

To check, find your "Windows Firewall with Advanced Security" settings, view incoming rules and filter by the Public profile. There are some things that you won't want to turn off, particularly core networking, but known applications that you recognise and definitely won't be using on public networks could potentially be disabled (although make sure you only do so for public networks, since some rules are for all profiles).

itscooper
  • 2,230
  • 13
  • 15