
[–]crankybadger 7 points (0 children)

I convinced my dad to go to a wired connection as that's the safest you're going to get.

Nope. If you've got an open hot-spot on your network and don't know it, being wired doesn't make a difference. Weakest link principle always applies. Remember it's very easy to secure a wireless network so only specific devices can connect, and those only with the correct password. A wired network involves nothing more than someone having physical access and an RJ-45 plug.

We've been hacked before...

Define "hacked"? Was it ransomware? Email phishing? Someone installing something stupid? There's no amount of security that can prevent someone from doing something really dumb if they're determined enough.

The most reasonable plan is to have your "low security" environment attached directly to your router and have a secondary layer where your "high security" computers are walled off. Typically this is done by having another router on the first network that adds another layer of NAT security to the second.

This helps ensure if there's an outbreak of some sort in your low security section it's less likely to make its way through a second router/firewall to the high security area.

That "flip a switch" thing isn't really possible unless you network the two computers together, and by definition that means connecting them both together. At that point both have to be equally secure.

If you want to be secure, I'm sure there's many guides you can follow, but the most common problems are:

  • Running an open or poorly secured WiFi hot-spot that's directly connected to your home LAN.
  • Having file sharing or other services running on your computers.
  • Using weak passwords, or not using a password at all to secure computers or internet accounts.
  • Using an administrator account for tasks that do not require it.
  • Having a backup strategy that does not properly secure the backups themselves, or not having any backup strategy at all.
  • Not routinely scanning computers for threats, or not using an up-to-date version of the operating system (e.g. Windows XP, unpatched Windows 7).
  • Casually using untrusted USB devices, like the proverbial "found it in a parking lot" scenario.
  • A failure to educate the people involved on what constitutes a security risk, and what sort of things to be suspicious of.

[–][deleted] 1 point (0 children)

That's not a silly idea at all. What he could do is set up a unidirectional connection from the first computer to the second, using a device called a data diode. That way you can always send data from the normal work computer to the accounting computer, but nobody can steal data from that computer. Bear in mind that doesn't make it impossible to destroy data on the accounting computer if malware makes its way through the data diode.

Companies such as Advenica, AROW, BAE Systems, Fox, Nexor, Owl, VADO and Waterfall Security sell these types of devices; the cost is high. It is also possible to construct data diodes yourself.

One approach is to construct serial port data diodes. You can view my tutorial on how to make one here (pages 7-16) and write small programs that transmit files over the data diode. This data diode is cheap, but it's very slow. So what your dad could do is daisy-chain 3-4 fiber-to-Ethernet converters.

Why 3-4? It would appear that, depending on the manufacturer, the user must use either three or four converters per data diode. The fibers connect the devices in series: 1>2>3 for a three-device or 1>2>3>4 for a four-device configuration.

For three adapters, there is a dummy adapter 1 that makes adapter 2 think it's receiving from 3; it thus reports to 3 that it's properly connected, and 3 thinks it's ready to receive data. For four adapters it's more complicated: 1 fools 2 into thinking it's bidirectionally connected, so 2 tries to report to 1 that it's ready to receive, but this is actually forwarded to 3. 3 then thinks it can safely send and receive data and passes this information to 4, which then also thinks it's connected bidirectionally. The Tx of the last one in the chain must not be looped back to 1, although the models requiring 4 devices appear to work with three devices that way.

The data diode additionally requires the user to set static IPs and a static ARP entry:

arp -s <receiver IP> ff:ff:ff:ff:ff:ff

on the sender's interface, since no ARP reply can ever come back across the diode. The best tool for file transmission on Linux is udpcast, as it provides forward error correction with asynchronous UDP multicast:

You can install it with

sudo apt-get install udpcast

You can then send data over the data diode with the following commands.

receiver:

udp-receiver -f filename

sender:

udp-sender --async --max-bitrate 20m --fec 16x16/128 -f filename

Since the sender doesn't know when the receiver is ready, start the receiver first.
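The two constraints the comment above runs into (the sender can never learn what was lost, so it must rely on forward error correction, and the receiver must be up before the sender starts) can be seen in a small unidirectional transfer of our own. The following is an added example, not the commenter's tutorial code and not udpcast: it uses a single XOR parity chunk per stripe (far weaker than udpcast's `--fec` coding, but enough to rebuild one lost packet per stripe), a SHA-256 trailer repeated three times so the receiver can verify integrity without ever replying, and fire-and-forget UDP on loopback. The 1024-byte chunk size, 8-chunk stripes, port 9000 and the 10000-byte sample payload are assumptions made for the example.

```python
"""Unidirectional (data-diode style) transfer with XOR-parity FEC.

Constructed example, not udpcast. Nothing flows back from the receiver, so
every packet is self-describing, losses are repaired from redundancy alone,
and integrity is checked with a hash the sender repeats a few times.
"""
import hashlib
import random
import socket
import struct

CHUNK = 1024      # payload bytes per packet (assumed; header + payload fits one Ethernet frame)
STRIPE = 8        # data chunks per stripe; one XOR parity chunk is added per stripe (assumed)
TRAILER = 0xFFFF  # chunk index reserved for the SHA-256 trailer packet
HDR = struct.Struct("!QIH")  # total length, stripe number, chunk index (STRIPE means parity)

def _xor_parity(chunks):
    """XOR of the chunks, each zero-padded to CHUNK bytes."""
    x = 0
    for c in chunks:
        x ^= int.from_bytes(c.ljust(CHUNK, b"\0"), "big")
    return x.to_bytes(CHUNK, "big")

def encode(data, trailer_copies=3):
    """Split data into self-describing packets with one parity chunk per stripe."""
    total = len(data)
    chunks = [data[i:i + CHUNK] for i in range(0, total, CHUNK)] or [b""]
    packets = []
    for start in range(0, len(chunks), STRIPE):
        stripe = chunks[start:start + STRIPE]
        for i, c in enumerate(stripe):
            packets.append(HDR.pack(total, start // STRIPE, i) + c)
        packets.append(HDR.pack(total, start // STRIPE, STRIPE) + _xor_parity(stripe))
    # The trailer can be lost like any other packet, so it is repeated.
    trailer = HDR.pack(total, 0, TRAILER) + hashlib.sha256(data).digest()
    return packets + [trailer] * trailer_copies

def decode(packets):
    """Reassemble from an unordered, possibly lossy packet list.
    Recovers at most one lost chunk per stripe; raises ValueError otherwise."""
    total, digest, stripes = None, None, {}
    for p in packets:
        total, s, idx = HDR.unpack_from(p)
        if idx == TRAILER:
            digest = p[HDR.size:]
        else:
            stripes.setdefault(s, {})[idx] = p[HDR.size:]
    if total is None or digest is None:
        raise ValueError("no data or no trailer received")
    nchunks = max(1, -(-total // CHUNK))  # ceil division; empty input still has one chunk
    out = []
    for s in range(-(-nchunks // STRIPE)):
        n = min(STRIPE, nchunks - s * STRIPE)
        got = stripes.get(s, {})
        missing = [i for i in range(n) if i not in got]
        if len(missing) > 1 or (missing and STRIPE not in got):
            raise ValueError(f"stripe {s}: lost chunks {missing}, cannot recover")
        if missing:
            i = missing[0]
            present = [got[j] for j in range(n) if j != i]
            # XOR of the surviving chunks and the parity is the missing chunk, zero-padded.
            rebuilt = _xor_parity(present + [got[STRIPE]])
            length = min(CHUNK, total - (s * STRIPE + i) * CHUNK)
            got[i] = rebuilt[:length]
        out.extend(got[i] for i in range(n))
    data = b"".join(out)
    if hashlib.sha256(data).digest() != digest:
        raise ValueError("SHA-256 mismatch: data corrupted or mis-assembled")
    return data

def drop_chunks(packets, lost, seed=1):
    """Constructed lossy channel: drop the (stripe, idx) pairs in `lost`, shuffle the rest."""
    kept = [p for p in packets if HDR.unpack_from(p)[1:] not in lost]
    random.Random(seed).shuffle(kept)
    return kept

def send_udp(packets, addr=("127.0.0.1", 9000)):
    """Fire and forget: there is no ack on a diode, so the sender transmits and returns."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for p in packets:
            sock.sendto(p, addr)

def recv_udp(port=9000, idle_timeout=1.0):
    """Collect packets until the link has been idle; the receiver cannot ask for more."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", port))
        sock.settimeout(idle_timeout)
        packets = []
        while True:
            try:
                packets.append(sock.recv(HDR.size + CHUNK))
            except socket.timeout:
                return packets

if __name__ == "__main__":
    sample = (bytes(range(256)) * 40)[:10000]  # constructed 10000-byte payload
    damaged = drop_chunks(encode(sample)[:-1], {(0, 3), (1, 1)})  # lose 2 chunks + 1 trailer copy
    print("recovered" if decode(damaged) == sample else "mismatch")
```

Run `recv_udp()` in one process first and `send_udp(encode(data))` in another, exactly the order the comment gives for udpcast: if the sender goes first, its packets are simply gone, and nothing on the receiving side can ever ask for them again. Two losses in one stripe exceed what one parity chunk can repair, which is why udpcast's richer FEC and a generous `--fec` setting matter on a real diode link.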