|08-06-2008, 10:28 PM||#2|
> How about sandboxing every network related activity?
> Does it actually shield my box from the "evil"?
> Thanks everyone
Depending upon your exposure, and the nature of your use, it may be a
good idea. - especially if you do not practice "safe hex" (e.g. cruise
dangerous places on Fri/Sat evenings). Heh...Also good if you use a
laptop at free, public hotspots.
A good "sandbox" can "contain" any damage within the
container/sandbox/VM/chroot;etc. e.g. If the damage is a spy, it can
report only on what is in the container (as little as possible).
I do a lot of sensitive financial transactions from public hotspots, so
my exposure is high, and the potential loss is also high.
Each network connection on my boxes is effected within an individual,
hardened chroot jail. Even such things as my DHCPCD client (which is up
for 5 seconds to get an address; set network parameters; and then
shutdown) comes up in a jail. My browser (firefox) is particularly
vulnerable to mischief against or within the 3rd-party add-ons, so in
addition to operating it within a jail, I run the jail within RAMDISK,
so that if some sort of change is quietly effected on my
browser/configuration, it is lost at shutdown anyway. I've run across
other Linux users who do the same thing with their browsers.
My setup would be considered "over the top" by most folks; especially if
you're at home behind a Linux/BSD router/firewall. But if you do
sensitive financial business from public hotspots, you need to put in
extra "stuff", IMHO (though most users don't).
|09-06-2008, 06:15 AM||#3|
On 08/06/2008 23.48, bogus wrote:
> userID wrote:
>> How about sandboxing every network related activity?
>> Does it actually shield my box from the "evil"?
>> Thanks everyone
> Depending upon your exposure, and the nature of your use, it may be a
> good idea. - especially if you do not practice "safe hex" (e.g. cruise
> dangerous places on Fri/Sat evenings). Heh...Also good if you use a
> laptop at free, public hotspots.
> A good "sandbox" can "contain" any damage within the
> container/sandbox/VM/chroot;etc. e.g. If the damage is a spy, it can
> report only on what is in the container (as little as possible).
Thanks very much.
I try to stay as protected as I can, practicing safe hex, disabling
unnecessary network services, running (whenever it's not too cumbersome)
from unprivileged accounts, automatic windows updates, etc. but I've not
enough technical expertise to be aware of the degree of exposure of my
I've just taken the advice I've read so far in this newsgroup and
patched my box accordingly but what's worrying me is the spreading of
malware in unexpected places, safe sites, pdf files..
What can I do, preemptively? while containing the loss of usability to
the minimum? Sandboxing seems just natural but I've also read mixed
opinions, so I was not sure of the tool..
|09-06-2008, 04:26 PM||#4|
> I try to stay as protected as I can, practicing safe hex, disabling
> unnecessary network services, running (whenever it's not too cumbersome)
> from unprivileged accounts, automatic windows updates, etc. but I've not
> enough technical expertise to be aware of the degree of exposure of my
Though there may be some statistic somewhere, I don't think it (degree
of exposure) can be known for individuals, or even "experts" - as the
environment is always changing.
> I've just taken the advice I've read so far in this newsgroup and
> patched my box accordingly but
Home users seem to use three basic approaches to computer security:
1. "The Distribution (e.g. Gentoo Linux) or manufacturer (e.g. Dell)
have probably set it up pretty well, and the user shouldn't waste time
or energy fooling with it." If it breaks, get a new one. (OpenBSD may
actually achieve this goal - though for a low-risk home user)
2. "Do what others do." This results in the bi-monthly question, "which
is the best firewall" and "which is the best AV/AT". The hope here
is that a "magic bullet" will block attack vectors, or find and "cure"
infections after the fact. Little real understanding; lots of verbal
flame wars result when boys argue about their favorite toys.
3. "Do an informed risk assessment and establish reasonable (cost
effective, user tolerable) precautions and procedures". Very few home
users are able and inclined to do this, so most default to 1 or 2.
> what's worrying me is the spreading of
> malware in unexpected places, safe sites, pdf files..
And item 3 above is the way to approach this situation if you do
important stuff with your box. Sadly, I'm not knowledgeable enough to do
a proper risk assessment/cost-effective response - but given my huge
potential loss and a personal willingness to muck about the box, I've
invested heavily in the things listed below.
> What can I do, preemptively? while containing the loss of usability to
> the minimum?
Number 3 above. e.g. if all you do is check your mail and google news,
your exposure and potential loss is minimal. If you have important
sensitive info. on board, then you need to go beyond the basic, free
things that follow: :-) :
1. Safe Hex.
This means different things to different people, but broadly means using
safe tools (Check out SANS...e.g. Opera or FireFox; TBird), used in a
safe manner (e.g. all active content disabled; all plugins disabled by
default; text email only; etc.) (e.g. don't go to dodgey places; don't
download anything without checking source, pgp verification, etc.).
There are whole pages dedicated to defining basic "safe hex".
2. Well-lubricated, frequently exercised backup and restoration regime.
Today's Trojans and Rooted malware is designed by professionals. At the
first hint of actual infection (not just a malevolent script or vector
blocked in a cache), a high-risk (e.g. online banking) user should be
able to reformat, build from scratch, and restore his box in an afternoon.
3. Use native OS tools to their full benefit.
e.g. least privilege. This is extremely important, and you're already
doing it. (There is a proggie called something like "runasadmin" which
can take a windows box already "oriented" toward a privileged user and
drop his privileges for the session. Sounds like you don't need this,
e.g. Many users. This is now easy to do on Windows, as well as 'IX. On
my box, for example, there are users "firefox", "tbird", "ooffice",
"wireshark", etc. I have further configured (not a default on most Linux
distributions) the box so that user firefox can not read, for example,
documents owned by e.g. user TaxAct. So if something is compromised, it
is contained by native access controls.
e.g. Encryption. Keep sensitive onboard data away from thieves who may
physically take your box, or Trojan/keyloggers which may exist for a
while before being detected (lots of different, dedicated, encrypted
files/containers. e.g. If you never decrypted your tax records during
that period of infection, the Trojan will not have gained that info.)
e.g. Many, many other OS features (firewalls, hash validation, etc.):
4. Application Isolation.
I'm a big fan of this (you called it sandboxes). Applications are
already isolated with individual, unprivileged access rules - this goes
to the next step and virtually isolates them physically.
A PITA to understand and set up (non-geeks should get the assistance of
the kid next door, or their local computer shop), easy to maintain and
use once it is understood. Obviously, you should spend some time and do
it yourself :-) .
5. Add-on Tools.
......Sigh...Now we get to AV/AT signature/heuristic scanning,
IDS/IPS, Integrity management inventories, Anti-spoofing DNS tools,
multi-function "replacements" (e.g. firewalls with intrusion signatures,
automated connection blocking, application hashing, etc.)
It is easy to sell/buy a "golden bullet" - a security suite which
absolves the user from thinking about what he does, or how he's
configured his box. And that is what most users choose.
But which ones? Sadly, "Do what others do" usually means getting some
popular, past-its-prime anti-malware (e.g. Norton, Mcafee, AVG, etc.)
and some popular firewall-of-the-month.
> Sandboxing seems just natural but I've also read mixed
> opinions, so I was not sure of the tool..
IMHO it is a powerful, important natural in a world of emerging threats.
Comforting and reassuring when you are purposefully or unknowingly
exposed to the "dark side" through a hidden frame, or poisoned DNS
server, or buffer-overflowing media file, or ......... :-)
|New To Site?||Need Help?|