Off-Topic: Is WiFi secure for tax work


  • August @ ADG Financial
    replied
    Wifi and Computer Safety

    At our office we had our computer tech set up a guest portal. They have access to the internet that way. According to our IT guy it's safe.



  • ATSMAN
    replied
    Stick to Wired Networking

    My office is still on CAT 5 cable networking with a Linksys router/hub. I do have Wifi but do not use it for tax preparation.

    You will notice that most computers will shut off Wifi automatically as soon as they detect the ethernet cable plugged in and alive.



  • jsamans
    replied
    @taxea: The question asked was whether it was "secure" for tax work.

    I'm not in a position to estimate the threat/probability of an attack being directed against the network. The only part of the equation that is within the control of the business is its level of vulnerability, which is a function of what security it has in place. So, I'm saying that MAC filtering and SSID hiding are both check-the-box activities, whereas WPA2 provides reasonably robust security.

    I see it as due diligence.



  • David1980
    replied
    Originally posted by taxea
    Really?! Do you really think someone would be interested in hacking your measly little business when they could hack the IRS or the bank down the street? If your wifi is protected by a password, unless the ex spouse is looking for the former spouse's return and knows you prepared it...I wouldn't sweat it.
    It's true that I've never heard of anyone's wifi being hacked to get data from a tax office, but I have heard of computers being stolen for the tax data. Apparently it's easier to break and enter the typical tax office vs. the IRS building or a bank...



  • taxea
    replied
    Really?! Do you really think someone would be interested in hacking your measly little business when they could hack the IRS or the bank down the street? If your wifi is protected by a password, unless the ex spouse is looking for the former spouse's return and knows you prepared it...I wouldn't sweat it.



  • jsamans
    replied
    Originally posted by ATSMAN
    At the bare minimum you must use MAC authentication so that only those devices that you have allowed to log in can log in. In addition to using WPA or WPA2 and hiding SSID.
    I don't oppose the use of MAC filtering or hiding SSIDs. It's just that a semi-knowledgeable attacker -- a "script kiddie," as some say -- with a simple tool will be able to siphon the SSID and spoof a MAC known to be in-use on the network.

    Also, whether using WPA or WPA2, the largest attack vector is the Wi-Fi Protected Setup (WPS) feature that accompanies most WPA/WPA2-capable devices to make it easier to establish connections. WPS affords a mechanism for sharing the secret key without having to know the secret key, and it does so on the basis of a relatively simple passcode, which has the effect of allowing an attack to bypass a very strong passphrase by attacking a weaker one.

    Bottom line: wireless networking is fine as a concept. There's no reason it can't be as strong as wired networking when it is properly implemented. But it's easier to make a mistake that leaves your network vulnerable when you're communicating wirelessly, because outsiders can listen to the network's internal traffic without having to gain physical access to the infrastructure.



  • ATSMAN
    replied
    At the bare minimum you must use MAC authentication so that only those devices that you have allowed to log in can log in. In addition to using WPA or WPA2 and hiding SSID.



  • jsamans
    replied
    Originally posted by Gary2
    It doesn't matter whether it's WPA2/personal or WPA2/enterprise, although very few small offices will have the resources to manage the enterprise version. Thus all you really need to remember is WPA2.

    As for hiding the SSID, that's debatable....
    While I might be inclined to argue the relative security of the personal and enterprise implementations of WPA2 in a high-assurance environment, I agree that, for purposes of tax preparation, the distinction is not important. If you find by some quirk that you can avail yourself of WPA2/Enterprise, so do. If not, WPA2/Personal is quite robust. Standard WPA is more vulnerable, and the implementation of basic WEP is so weak that to enable it at all (if you have a router that still supports it) would provide only a false sense of security.

    Hiding an SSID is like locking a screen door: it deters only those who are both dishonest and technically inept. ;-)



  • MAJ
    replied
    Speaking of Computer Safety and the IRS......

    IRS Specifications for computers and Tax Preparation.



    However.......



  • David1980
    replied
    Originally posted by Gary2
    It wouldn't occur to me that a computer elsewhere on the planet would even enter the discussion.
    It'd be an absolutely insane concern - however, it's how I read Robert's post, initially. That using wireless would cause local traffic to bounce around the internet. Reading it now, it's obvious he was comparing local traffic to internet traffic, not saying that wireless causes the local traffic to become internet traffic. Perhaps I hadn't had my coffee.

    But if you're worried about that, you should also be investing in computers that lock the various cable connections behind a door. (See http://krebsonsecurity.com/2013/12/s...-sale-skimmer/ for some scary info.)
    I agree, the physical security can't be ignored. If the goal is to obtain a bunch of social security numbers and identifying information most likely to do identity theft, a smash and grab is probably the easiest way to achieve that. How many people are keeping their server and file cabinets physically locked up? I'd be concerned about that, especially in Florida.



  • Gary2
    replied
    Originally posted by David1980
    I don't think we're talking about the same thing. Computer G being some other random internet user could be located anywhere on the planet. I think you're talking about someone physically near who is within range of my wireless router (perhaps a neighbor) - not a random internet user.
    It wouldn't occur to me that a computer elsewhere on the planet would even enter the discussion. The obvious problem with wifi is someone sitting in a car, or in the coffee shop next door, trying to crack the wifi.

    Originally posted by MAJ
    Use WPA2/personal.
    The SSID should be hidden.
    It doesn't matter whether it's WPA2/personal or WPA2/enterprise, although very few small offices will have the resources to manage the enterprise version. Thus all you really need to remember is WPA2.

    As for hiding the SSID, that's debatable. When SSID broadcasting is on, your wireless router broadcasts the network name all the time so everyone can see it. When SSID broadcasting is off, your wireless computer/smart phone/printer/etc. broadcasts the network name so everyone can see it, but only when they're not connected to the network. This would be rare for the fixed devices, but common for smart phones. Search for "SSID broadcast disabled vs enabled" to find lots more discussions.

    Finally,
    And yes. To be totally secure the MAC address should be configured into the router so only that pc or device can access. The mac address is like a street address embedded into the hardware and cannot be modified easily if at all.
    more later.
    The MAC address is easily spoofed. See https://en.wikipedia.org/wiki/MAC_spoofing . In fact, back in the very early days of cable internet, we had a cable modem quite capable of locking to a single MAC address client, as the cable company still labored under the dream of charging us for each computer hooked up to the net. But we also had an ordinary, off-the-shelf consumer router that had MAC spoofing built into its configuration menu, so that the router could pretend to be the computer that made the initial connection through the modem. Legal, as our particular cable company never used the MAC address limitation (as far as I know), even though they had the technical ability to do so.

    Which is not to say that there's never a cause for configuring MAC addresses into the router. For a wifi network, it's silly, as anyone smart enough to crack the WIFI password will be able to spoof the MAC addresses. For a hardwired network, it can be useful to prevent the unsophisticated dishonest employee (or others) from sneaking a device onto the network. But if you're worried about that, you should also be investing in computers that lock the various cable connections behind a door. (See http://krebsonsecurity.com/2013/12/s...-sale-skimmer/ for some scary info.)



  • MAJ
    replied
    I suggest you speak to the IRS

    They publish a guide on security.

    The ideal scenario would be.
    Hard wired No wireless.
    strong password (complex ) on the computer.
    The hard drive on the computer should be encrypted.

    However....
    If you do use wifi

    Use WPA2/personal.
    The SSID should be hidden.

    The SSID is the name of the network you are connecting to.
    With it hidden you have to know what it is - extra security - .

    The password should be at least 8 characters. More=better. (complex)
    Complex = upper and lower case characters as well as at least 1 number and/or Special Characters [$*!_<) etc]

    And yes. To be totally secure the MAC address should be configured into the router so only that PC or Device can access.
    The MAC address is like a street address embedded into the hardware and cannot be modified easily (if at all) - I'm sure you can spoof!!
    Last edited by MAJ; 12-17-2013, 02:15 PM.



  • geekgirldany
    replied
    Here is a good explanation on how it all works:
    Sharing Wi-Fi with your neighbor might seem like a friendly thing to do, but be aware you are potentially putting your own computers at risk.



  • David1980
    replied
    Originally posted by Gary2
    More significantly, computer G is going to see all of the traffic among computers 1,2, and 3. It will just be encrypted.
    I don't think we're talking about the same thing. Computer G being some other random internet user could be located anywhere on the planet. I think you're talking about someone physically near who is within range of my wireless router (perhaps a neighbor) - not a random internet user.
    Last edited by David1980; 12-12-2013, 01:24 AM.



  • Gary2
    replied
    Originally posted by David1980
    Neither WPA nor WEP requires the network be connected to the internet. The encryption isn't internet based, happens at the wireless router level.

    With wireless, with or without encryption, the wireless router does effectively broadcast all communication over the wireless network. In a wired network with computers 1, 2, and 3 when computer 2 is talking with computer 3 that traffic only gets routed to computer 2 and 3. In a wireless, without a physically separate wire to send the data to computers 1, 2, and 3 would all see that data. But computer G, some other random internet user, isn't going to see the traffic between computers 1, 2, 3 any more than they would if that internet user used a wired network in their home instead of a wireless.
    I disagree.

    First, though most modern setups use a router so that traffic only goes between the two computers that are talking, that isn't always the case.

    More significantly, computer G is going to see all of the traffic among computers 1,2, and 3. It will just be encrypted.

    The main risk seems to be brute force attacks. I suggest looking at http://arstechnica.com/security/2012...asily-cracked/ for a not-too-technical discussion of what was involved. Basically, because we don't get feedback from routers concerning potential attacks, it's not too difficult for someone to check a billion passwords against the router.

    The moral of the story is to pick good passwords for the router. Since you rarely need to type them, make them long, make them non-obvious (don't use plain phrases or sentences), and use letters or signs in ways that don't match common text message uses (so-called l33tspeak).

    Leave a comment:
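
Added example, not written by any poster in this thread: a small Python audit of a candidate WPA2-Personal passphrase against the advice above (long, not a plain word, not a word disguised with l33tspeak). The word list, the guess rate and the sample passphrases are constructed assumptions; note that a passphrase can satisfy the "upper, lower, number, special character" rule and still fail the dictionary check.

```python
import math
import string

# Constructed sample list; a real audit would load a large dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "taxoffice", "linksys"}
# Common l33tspeak substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")
# Assumed offline guess rate for the estimate (not a figure from the thread).
ASSUMED_GUESSES_PER_SEC = 1_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(passphrase):
    """Size of the smallest standard alphabet that covers the passphrase."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in passphrase))


def audit(passphrase):
    """Return findings plus an upper bound on exhaustive-search effort."""
    findings = []
    # WPA2-Personal accepts passphrases of 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside 8-63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        findings.append("non-printable-ASCII character")
    # Drop a trailing number, undo l33tspeak, then look the word up.
    base = passphrase.lower().rstrip(string.digits).translate(LEET)
    if base in COMMON_WORDS:
        findings.append("dictionary word behind l33tspeak: " + base)
    size = alphabet_size(passphrase)
    bits = len(passphrase) * math.log2(size) if size else 0.0
    years = 2 ** bits / ASSUMED_GUESSES_PER_SEC / SECONDS_PER_YEAR
    return {"findings": findings, "bits": round(bits, 1), "years": years}


if __name__ == "__main__":
    for sample in ("P@ssw0rd1", "T4x0ff1ce2013", "mauve-kettle-orbit-93-fjord"):
        print(sample, audit(sample))
```

The `bits` and `years` figures only bound a blind exhaustive search; a passphrase that produces a dictionary finding should be treated as weak regardless of those numbers.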
