Staying out of risky places

Hi,


I am curious how effective staying out of risky places is as a defense strategy. So I have setup my wife's PC (XP Home) as an admin. I have installed CTM and DWv3. Our ISP now also provides mail filtering, so the most likely threatgate will be the browser. I would not start this experiment without a real time AV, when the ISP did not filter our outbound e-mails also (you do not want to surprise friends and contacts with infected mails).

With CTM, I can goback, DWv3 will paralise any malware downloaded.

This is the staying out of risky setup

1. Open DNS through router with basic level filtering at their servers
2. AVG Linkscanner free with surfprotection
3. Searching with Google (also filters aout some bad URL's)
4. IE8 with phising and smartscreen enabled

I will use Hitman Pro on demand, and on-line webscanners as Panda Active scan and One care for periodical weekly checking.

I will keep you posted. My wife only does on-line banking and on-line shopping and surfing for things to do, so a typical someone who uses the PC for communicating, information gathering and event shopping, not someone fo rwhom the PC itself is a hobby.

So security strategy is
a) staying out of risky places (see above)
b) reducing attack surface & minimalising impact (DWv3)
c) have a contingency plan (CTM)

Regards Kees

 

Re: Stayng out of risky places

zup Kees!

is DW really stronger than LUA?

 

Re: Stayng out of risky places

This setup should work just fine bro ... even if your wife go to risky places

 

which of them really prevent access (better) and which of them warn you when already accessed (bad)?

The rest of your topic seems how to protect afterward your browser - reactive - NOT active.

 

Hi, Kees!

You don't define what a "risky place" is.

If you mean Porn, Crack, and illegal software sites, I assume your wife doesn't go there!

But realistically, no matter how you define "risky," users today are more apt to get infected just by initially visiting a "safe" site, or even clicking on links in a search page, where cybercriminals have found vulnerabilities in the hosting server and injected code via i-frame or SQL injection, resulting in the user being redirected to a malicious site with a drive-by download. An early sensational example of this was the Super Bowl stadium site:

Super Bowl stadium site hacked, seeded with exploits
February 2nd, 2007
http://blogs.zdnet.com/security/?p=15

No one would classify that site as "risky" yet thousands became victims with a single click to find out Super Bowl information.

Users are also more apt to be fooled by social engineering, than getting hit on a "risky" site:

Who needs exploits when you have social engineering?
http://isc.sans.org/diary.html?storyid=8710

Zbot Social Engineering
http://isc.sans.org/diary.html?storyid=8731

In my view, something like this is all the average user really needs, and is what I've recommended for users for years, with great success. "Risky" cannot really be categorized, so, why worry about it?

Teaching sound policies and procedures, along with your DW or the like, suffices, and all else is excess baggage for the average user, IMHO.


regards,

-rich

 

Well like Rmus has pointed out any site can be infected even so called Safe sites.

Personally I really don't care if sites are infected or not. With the use of MD and Sandboxie If I want to visit the site I go there regardless. I don't let the fear and paranoia of malware restrict my travels on the internet. I don't run away from malware infected sites like a coward I face it head on and smash it to the ground

 

Haa as allways Rich a very good response

Correct, I did not specify that, good of you to elaborate. No I do not think she needs to be warned for crack, porn sites tec. I do not expect her to fall for social engineering either.

These are exactly the type of features I am curious about, Server side intrusions and weaknesses of the client side browser e.g.

http://www.blackhat.com/presentatio...insecure-features-of-Internet-Explorer-wp.pdf

The DW logs and or paralised remnants of periodical scan will proof this (I asked my wife to inform me when AVG, Smartscreen, OpenDNS, Google would throw a pop-up). Are these features (beware of the data snatchers huuuuuh) just marketing gizmo or do they provide real protection.

Regards Kees

 

Kees have you ever tried Sandboxie? Sandboxie has been put through the grinder and tested by many wilders members here. once you configure it it will be easy for your wife to use and you won't have to worry about analyzing DW popups AVG and google popups etc to see if they are real security threats or just marketing gizmo's all you do is simply empty the sandbox and all is good.

 

Okay for a support specialist these are really awkard questions, given the concept of these mechanismens. Problably something is lost in translation. So maybe this helps to explain

Open DNS = server side = prevent

Google = server side = prevent

AVG Linkscanner = adds rating to information cached by Google, so your are only processing Googles data combined with actual LS info = prevent
Exploit shield is when page loads

IE phising/smartscreen prevent when the page loads =
Smartscreen download checker before download starts
( to give you an idea -http://www.youtube.com/watch?v=O94v1MdMcxk- )

Given the nature of CTM and me calling it contingency, we agree on this. Since I only mentioned DW for reducing attack surface and threat containment (reducing impact). Again I am totally missing the point here you want to make, so please elaborate/explain.

Kees

 

Sounds like you got a good plan Kees

But,much like arran said,I'm not gonna let the fear and paranoia of malware restrict my travels on the internet.I've gone everywhere and in the end,when it's time for me to goto sleep for the night,my PC is just as clean as it was when I woke up for the new day. Waay too many people here worry too much,and have security paranoia going on.

If you truelly think out what you want to accomplish in your security setup,it's easy and your golden to surf.

Just some random thoughts of mine

 

No I tried SBIE in the past. The advantage of DW is that it issues near zero pop-ups and the contained downloads are on the real file system. So she does not need to know about DW, the concept is transparent.

When you move something out of the sandbox, SBIE won't protect you any more. That was the whole idea of this test (don't mind infections, DW contains them).

Besides SBIE is difficult to use for someone e-mailing a lot and saving and sharing attachments (e,g, pictures, music), a permanent mail sandbox is no solution (you want to use the attachments out of the sandbox) A tremporary blows the mails after clearing the sandbox.

Another reason why SBIE is nothing for her is the fact that besides her day time job she is a aerobics/spinning teacher (few lessons a week). She likes to setup her own music, so she buys a lot of on-line songs. When you download a zip file the Digital Rights are downloaded at first play. Try to make this work with SBIE.

SBIE would be more suited for me to use on my play PC. I have a lifetime lisence of GeSWall, using the redirect option offers the same functionality as SBIE (GW offers virtualisation and policy containment). I use it to Sandbox Chromium. With only one application Sandboxed GeSWall is okay (SBIE is much more effective in terms of performance when redirecting, when you use redirect to much at GW it will slow own your PC). I also have a lisence of Bufferzone, but I am not using it either.

 

Funny you mention this part.

I try Sandboxie every now and then,and while it's very powerful,I always end up goin back to Geswall or Defensewall. I cant count how many times I've lost bookmarks because of Sandboxie ,among other items I wanted to keep.

 

But did you not know that you can force anything inside a certain folder which is saved to your OS to run in sandboxie? all you need to do is to have a folder on your desktop called say downloads for example and configure your browser and email client to download all files to that folder and any thing in that folder like songs etc will be run in sandboxie.

Lost book marks? but sandboxies configurations can allow access to browser bookmarks.

 

Interesting setup. I would also consider using Spybot SD or Spywareblaster for browser blacklist capabilities or a hosts file, which usually also block ads which is nice with all the malware served through ads lately

 

Spybot SD or Spywareblaster or hosts file can have a lot of false positives.
FF ad block plus or ad muncher is way better. however this thread isn't about blocking ad's

 

Arran,

When she receives photo's she puts them neatly into a directory, next she may want to apply red-eye reduction or crop the picture a little. How would you achieve that with no hassle with an application virtualisation sandbox. When you sandbox a DRM song you will lose the playing rights. It is okay, I am not discussing strenght of SBIE, just practicalities for her to use it. For these type of users Application Virtualisation Sandboxes in general are not as suited as policy containment sandboxes.

Regards Kees

 

BoerenkoolMetWorst,

On my play PC I can see that when I use FireFox portable in stead of chrome (with --safe-plugins switch) , that GeSWall blocks or redirects a lot of disk related acivity of flashads. Problem a lot of these ads run through third party services, so the web site owner has no control over it. Also a lot of people do not know how to manage their flash settings (that it i sven possible is often unknown), so flash/javscript ads are a real pain.

So I whole heartedly agree with ads as a source. I have read a lot about IE8 becoming sluggish when using IP blocking. It is my impression (may be based on old experience, not relevant anymore) that those programs were great at the time of IE6. IE8 for instance allows control over Active X (allow only signed Active X etc) and better cookie handling. So what would be the benefit sof freeware versions of Spybot, Spyware blaster

Regards Kees

 

Excuse me... If Im running under LUA is Geswall redundant?

 

GeSWall had some issues with LUA in the past. I would opt for Surun plus GeSWall while GW running admin (also the server.exe in windows).

GeSWall protects against proces modification, user space registry etc.

You will get a stronger than LUA with GW

 

well it seems this thread has moved on from visiting risky websites to saved files on your OS, but since how you are the OP its ok with me.

The simple solution is to Sandbox the program you open image and video files with. For example you use fast stone to view and edit image files and you use zoom player to watch video files, all you do is force fast stone and zoom player to run in sandboxie and all your files that fast stone and zoom player opens runs in sandboxie.

wrong thread dude.

 

Arran,

How would you deal DRM issues within Sandboxie? I would need LimeWire, WMP, Internet Explorer, Outlook all in sandbox.

She receives e-mails with pictures and music from friends. How do I split pictures from music into the DRM Music sandbox and the Image Sandbox (like mentioned) with red eye reduction, a program to create photobooks (and print them remotely by uploading through a website servide), so I would need IE also in this sandbox..

Same overlap problem will I have with her mobile phone, synchronising with Outlook, synchronising internet bookmarks, pictures and movies and songs.

Are you still with me A virtualisation sandbox is just not fit for this type of usage. DefenseWall runs out of the box transparently (only excluding DRM driectory from update protection by Untrusted). She uses her PC without knowing DW is there to protect.

Regards Kees

 

I install silverlight into the sandbox and watch netflix movies from there without issue. Don't do any DRM music and such though. I do the same thing with flash and other similar items.

Sul.

 

As far as I remember

Music DRM (every first play rights are downloaded) is a real pain for sandboxing, you either need to install everything in the sandbox or outside.

Through mail and through her Mobile phone sync she receives movies, pictures and music. Small phone movies are kept as is, but pictures are manipulated (red eye, cropping) and put in a photo book which is printed through upload. So I have 5 programs needing access to the same data.

Installing everything in the sandbox overshoots its goal, when you consider that the playlists of WMP (beside paid IE downloads) also include music received free with LimeWire (P2P), Outlook, news groups, USB (her mobile phone link). This usage implies that 6 programs need access to the same data.

Any one having a user friendly solution for this which is still safe, do not hesitate to post.

When you consider that DefenseWall has resource protection, meaning not only is trusted seperated from untrusted, but untrusted is seperated from untrusted as well, without any user intervention. Defensewall due to its nature stores untrusted files in the phisical system, making it transparent and bypassing the access and DRM problem. On top of that DW protects against keyloggers (no need to clear a sandbox). So the policy containment solution is much easier to use and implement (as said out of teh box settings with one adoption).

Regards Kees

 

i have seen this video now - ok, its 1 year old and both sides improved.
the important info for me was that IE8 blocks the files - it was said maybe
OneCare, WinDefender or Anti-Malicious Tool did - so not IE8 itself.
also is visible that the action was blocked (see info bar) but the script
which minimized the browser windows was executed.
and THAT is my purpose i try to explain - prevent hitting maliscious
sites or scripts the browser. script filter, ad filter.
and those mechanisms (bad activex requests) only work with internet explorer,
not in firefox, not in opera.

OpenDNS, HOST - deny access to websites, ad muncher can filter ads and scripts
Google for safe browsing - not really, but ok - (at least user click it)

CTM = Comodo Time Machine?
I never used it (personal comodo issue here) - is is comparable to acronis trueimage
or other full featured backup/imaging?
# i dont think so -> http://www.computerguard.de/show_post.php?p=25703
(german article of subset)

BTW i put downloads into a sandbox - in details: the pre-set download folder
for all is a folder within a sandbox - so any action done there ends up in the
(limited) sandbox again.

ofc i dont surf in a sandbox - i would raise my security for firefox but that
browser is secured other methods.

hth