Thread: Sandboxing?

  1. #1
    userID
    Guest

    Sandboxing?

    How about sandboxing every network related activity?
    Does it actually shield my box from the "evil"?
    Thanks everyone


  2. #2
    bogus
    Guest

    Re: Sandboxing?

    userID wrote:
    > How about sandboxing every network related activity?
    > Does it actually shield my box from the "evil"?
    > Thanks everyone
    >


    Depending upon your exposure, and the nature of your use, it may be a
    good idea. - especially if you do not practice "safe hex" (e.g. cruise
    dangerous places on Fri/Sat evenings). Heh...Also good if you use a
    laptop at free, public hotspots.

    A good "sandbox" can "contain" any damage within the
    container/sandbox/VM/chroot;etc. e.g. If the damage is a spy, it can
    report only on what is in the container (as little as possible).

    I do a lot of sensitive financial transactions from public hotspots, so
    my exposure is high, and the potential loss is also high.

    Each network connection on my boxes is effected within an individual,
    hardened chroot jail. Even such things as my DHCPCD client (which is up
    for 5 seconds to get an address; set network parameters; and then
    shutdown) comes up in a jail. My browser (firefox) is particularly
    vulnerable to mischief against or within the 3rd-party add-ons, so in
    addition to operating it within a jail, I run the jail within RAMDISK,
    so that if some sort of change is quietly effected on my
    browser/configuration, it is lost at shutdown anyway. I've run across
    other Linux users who do the same thing with their browsers.

    My setup would be considered "over the top" by most folks; especially if
    you're at home behind a Linux/BSD router/firewall. But if you do
    sensitive financial business from public hotspots, you need to put in
    extra "stuff", IMHO (though most users don't).



  3. #3
    userID
    Guest

    Re: Sandboxing?

    On 08/06/2008 23.48, bogus wrote:
    > userID wrote:
    >> How about sandboxing every network related activity?
    >> Does it actually shield my box from the "evil"?
    >> Thanks everyone
    >>

    >
    > Depending upon your exposure, and the nature of your use, it may be a
    > good idea. - especially if you do not practice "safe hex" (e.g. cruise
    > dangerous places on Fri/Sat evenings). Heh...Also good if you use a
    > laptop at free, public hotspots.
    >
    > A good "sandbox" can "contain" any damage within the
    > container/sandbox/VM/chroot;etc. e.g. If the damage is a spy, it can
    > report only on what is in the container (as little as possible).


    Thanks very much.

    I try to stay as protected as I can, practicing safe hex, disabling
    unnecessary network services, running (whenever it's not too cumbersome)
    from unprivileged accounts, automatic Windows updates, etc. but I've not
    enough technical expertise to be aware of the degree of exposure of my
    machine.

    I've just taken the advice I've read so far in this newsgroup and
    patched my box accordingly but what's worrying me is the spreading of
    malware in unexpected places, safe sites, pdf files..

    What can I do, preemptively? while containing the loss of usability to
    the minimum? Sandboxing seems just natural but I've also read mixed
    opinions, so I was not sure of the tool..

  4. #4
    bogus
    Guest

    Re: Sandboxing?

    userID wrote:

    > I try to stay as protected as I can, practicing safe hex, disabling
    > unnecessary network services, running (whenever it's not too cumbersome)
    > from unprivileged accounts, automatic Windows updates, etc. but I've not
    > enough technical expertise to be aware of the degree of exposure of my
    > machine.


    Though there may be some statistic somewhere, I don't think it (degree
    of exposure) can be known for individuals, or even "experts" - as the
    environment is always changing.

    >
    > I've just taken the advice I've read so far in this newsgroup and
    > patched my box accordingly but


    Home users seem to use three basic approaches to computer security:

    1. "The Distribution (e.g. Gentoo Linux) or manufacturer (e.g. Dell)
    have probably set it up pretty well, and the user shouldn't waste time
    or energy fooling with it." If it breaks, get a new one. (OpenBSD may
    actually achieve this goal - though for a low-risk home user)

    2. "Do what others do." This results in the bi-monthly question, "which
    is the best firewall" and "which is the best AV/AT". The hope here
    is that a "magic bullet" will block attack vectors, or find and "cure"
    infections after the fact. Little real understanding; lots of verbal
    flame wars result when boys argue about their favorite toys.

    3. "Do an informed risk assessment and establish reasonable (cost
    effective, user tolerable) precautions and procedures". Very few home
    users are able and inclined to do this, so most default to 1 or 2.

    > what's worrying me is the spreading of
    > malware in unexpected places, safe sites, pdf files..


    Bingo!!

    And item 3 above is the way to approach this situation if you do
    important stuff with your box. Sadly, I'm not knowledgeable enough to do
    a proper risk assessment/cost-effective response - but given my huge
    potential loss and a personal willingness to muck about the box, I've
    invested heavily in the things listed below.

    >
    > What can I do, preemptively? while containing the loss of usability to
    > the minimum?


    Number 3 above. e.g. if all you do is check your mail and google news,
    your exposure and potential loss is minimal. If you have important
    sensitive info. on board, then you need to go beyond the basic, free
    things that follow: :-) :

    1. Safe Hex.

    This means different things to different people, but broadly means using
    safe tools (Check out SANS...e.g. Opera or FireFox; TBird), used in a
    safe manner (e.g. all active content disabled; all plugins disabled by
    default; text email only; etc.) (e.g. don't go to dodgy places; don't
    download anything without checking source, pgp verification, etc.).
    There are whole pages dedicated to defining basic "safe hex".

    2. Well-lubricated, frequently exercised backup and restoration regime.

    Today's Trojans and Rooted malware are designed by professionals. At the
    first hint of actual infection (not just a malevolent script or vector
    blocked in a cache), a high-risk (e.g. online banking) user should be
    able to reformat, build from scratch, and restore his box in an afternoon.

    3. Use native OS tools to their full benefit.

    e.g. least privilege. This is extremely important, and you're already
    doing it. (There is a proggie called something like "runasadmin" which
    can take a Windows box already "oriented" toward a privileged user and
    drop his privileges for the session. Sounds like you don't need this,
    though)

    e.g. Many users. This is now easy to do on Windows, as well as 'IX. On
    my box, for example, there are users "firefox", "tbird", "ooffice",
    "wireshark", etc. I have further configured (not a default on most Linux
    distributions) the box so that user firefox can not read, for example,
    documents owned by e.g. user TaxAct. So if something is compromised, it
    is contained by native access controls.

    e.g. Encryption. Keep sensitive onboard data away from thieves who may
    physically take your box, or Trojan/keyloggers which may exist for a
    while before being detected (lots of different, dedicated, encrypted
    files/containers. e.g. If you never decrypted your tax records during
    that period of infection, the Trojan will not have gained that info.)

    e.g. Many, many other OS features (firewalls, hash validation, etc.):

    .......e.g. Windows:

    http://en.wikipedia.org/wiki/Securit..._Windows_Vista

    .......e.g. Linux:

    http://www.grsecurity.net/features.php


    4. Application Isolation.

    I'm a big fan of this (you called it sandboxes). Applications are
    already isolated with individual, unprivileged access rules - this goes
    to the next step and virtually isolates them physically.

    A PITA to understand and set up (non-geeks should get the assistance of
    the kid next door, or their local computer shop), easy to maintain and
    use once it is understood. Obviously, you should spend some time and do
    it yourself :-) .

    5. Add-on Tools.

    ......Sigh...Now we get to AV/AT signature/heuristic scanning,
    IDS/IPS, Integrity management inventories, Anti-spoofing DNS tools,
    multi-function "replacements" (e.g. firewalls with intrusion signatures,
    automated connection blocking, application hashing, etc.)

    It is easy to sell/buy a "golden bullet" - a security suite which
    absolves the user from thinking about what he does, or how he's
    configured his box. And that is what most users choose.

    But which ones? Sadly, "Do what others do" usually means getting some
    popular, past-its-prime anti-malware (e.g. Norton, McAfee, AVG, etc.)
    and some popular firewall-of-the-month.


    > Sandboxing seems just natural but I've also read mixed
    > opinions, so I was not sure of the tool..


    IMHO it is a powerful, important natural in a world of emerging threats.
    Comforting and reassuring when you are purposefully or unknowingly
    exposed to the "dark side" through a hidden frame, or poisoned DNS
    server, or buffer-overflowing media file, or ......... :-)

    HTH
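
The "Many users" setup in the post above only contains a compromise if one account's files are not readable by another. As an added example that is not part of the thread, this script lists the files under one per-application account's directory that any other local account could read, judged from mode bits only (ACLs and directories above the given root are not checked); the function names and the sample tree are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): audit one account's directory for
# files that any *other* local account could read, using mode bits only.

# Print files under ROOT that carry the "other read" bit and whose
# enclosing directories (from ROOT down) all carry "other search".
# Directories without "other search" are pruned: nothing below is reachable.
exposed_files() {
    find "$1" -type d ! -perm -0001 -prune -o -type f -perm -0004 -print
}

# Number of exposed files under ROOT.
exposed_count() {
    exposed_files "$1" | wc -l | tr -d ' '
}

# Close the tree to other accounts by clearing every "other" bit on ROOT.
lock_down() {
    chmod o-rwx "$1"
}

# Constructed sample tree standing in for a hypothetical /home/taxact.
build_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/returns" "$d/private"
    echo "return" > "$d/returns/2007.txt"
    echo "draft"  > "$d/returns/draft.txt"
    echo "notes"  > "$d/private/notes.txt"
    chmod 755 "$d" "$d/returns"      # common distribution default
    chmod 700 "$d/private"           # already closed to other accounts
    chmod 644 "$d/returns/2007.txt" "$d/private/notes.txt"
    chmod 600 "$d/returns/draft.txt"
    echo "$d"
}

sample=$(build_sample)
echo "before lock_down: $(exposed_count "$sample") exposed"
exposed_files "$sample"
lock_down "$sample"
echo "after lock_down:  $(exposed_count "$sample") exposed"
rm -rf "$sample"
```

Run against a real directory, `exposed_files /home/<account>` gives the list to review before tightening modes.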






  5. #5
    userID
    Guest

    Re: Sandboxing?

    On 09/06/2008 18.11, bogus wrote:

    > HTH


    Thank you very much, that does help indeed! Much appreciated :)
