Browser settings of a Security expert - No use of A/V

Discussion in 'other anti-malware software' started by assabihi_1, Aug 4, 2009.

Thread Status:
Not open for further replies.
  1. assabihi_1

    assabihi_1 Registered Member

    Joined:
    Aug 4, 2009
    Posts:
    2
    How would you put in practice this solution on a windows machine XP?

    The whole interview is available here : Going Three Levels Beyond Kernel Rootkits

    also The three approaches to computer security

    thanks for your help
     
  2. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    i also do something similar with sandboxie, although i don't put my daily browsing under the least trusted heading.

    that said, ms. rutkowska is not a malware or anti-malware expert. "security expert" is too broad a term to be actually useful. there are to many disciplines under the banner of 'security' for anyone to be an expert in all of them and so "security experts" are really just experts in one or 2 subdomains of security. as such be careful following the lead of a "security expert" in things that are outside their area of actual expertise or you might find yourself with the business end of a false sense of security.
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    The lovely Joanna runs in multiple virtual environments, but as I'm sure most of us know, even keyloggers can still rule in this mode. Wonder if she does any online banking or purchases etc.?

    Not saying she has been hijacked, or will be, but without ANY other protection in place, the possibility exists.

    assabihi_1

    To answer your question, I would say it's still wise to take precautions, even when in a virtual environment, VM or otherwise.

    I recently had a very nasty experience when I had Returnil enabled https://www.wilderssecurity.com/showthread.php?goto=newpost&t=248174

    So even though, generally speaking, apps such as that normally provide a very good degree of protection, you can't always 100% rely on them, nor should you, as nothing's perfect, or ever will be.
     
  4. assabihi_1

    assabihi_1 Registered Member

    Joined:
    Aug 4, 2009
    Posts:
    2
    I think you do not get it, my dear friend.
    Just check this wiki article: Blue Pill (malware)
    She is highly regarded and the author of sophisticated malware that bypasses
    a lot of security layers, named in this Five Hackers Who Left a Mark on 2006 article.
    Also check her wiki page.

    It looks like she is using the Xen VM, but maybe VMware ESX does the job on Windows.

    Though all of this seems to require some high level of knowledge to put into practice (malware), the use of her requirements seems to be at everybody's hand, as she says in the article (her flatmate seems to use it too), though I find little information on the practical implementation.
     
  5. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Real experts like her don't use browsers.

    They read raw code and interpret it using their brain.

    That solution works for them, there's absolutely no reason it won't for you and you should follow their example.

    Right?
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Several VMs and several hard drives here which I can wipe and clone or reimage.

    I even have a vLited XP Pro VM that I can run off a 4 gig usb stick.

    Same vLited XP Pro VM sits under a gig which I can copy and paste to a 2 gig ramdrive. Want speed then try that.

    And yep, each and every setup whether XP, Vista, HD install or VM has the first two apps in my siggy as the only security with no AV or any realtime blacklist being used here in yonks.

    I know a VM probably doesn't need Sandboxie and/or Returnil but I just feel kinda naked without seeing their icons around the place.
     
  7. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, if you'd actually read the article, you would have noticed she says she does online banking and purchases. Who doesn't? ;)

    She runs three different virtual machines: one for untrusted stuff, one for somewhat trusted, and one for extremely trusted (banking). Sure, keyloggers work in VMs, but how exactly do you intend to infect the virtual machine that is used to do banking? She uses the "green" virtual machine only for accessing her bank account - nothing else, no other sites, no email, nothing. How would you get the keylogger into that virtual machine, unless you could hijack her bank's website - in which case there are far larger problems than just some keylogger? The answer obviously is that you wouldn't be able to get any keylogger into that VM. Or in other words, the possibility of hijack practically does not exist, at least not anywhere where it would actually matter (the trusted virtual machine).

    With that out of the way, I thought I'd state the obvious: Joanna uses an approach that is the very definition of extreme overkill for almost any other user. Three virtual machines just to browse the web? Someone must have too much hardware power and no idea what to do with it. :D

    I wouldn't. But if you really want to, the article already tells you how.

    Step 1: Acquire some virtualization software like VMWare and install that.
    Step 2: Set up three different virtual machines.
    Step 3: Use one virtual machine only for browsing "untrusted" sites, meaning anywhere you don't intend to purchase anything, do banking, or spread around your personal information - regularly wipe clean this virtual machine so it isn't infected all the time. Use another virtual machine for somewhat more trusted stuff, like visiting the websites you purchase stuff from, and only for that purpose. Use the final virtual machine only for visiting your bank's website, and nothing more, ever.
    Step 4: Profit (and a massive waste of hardware power that could probably find better use elsewhere).

    As you see, it's not about browser settings at all. It's about a whole lot of virtualization. The browser settings don't really matter much at all in that kind of strategy: in the first virtual machine, it doesn't matter whether it gets infected or not, so the browser settings are rather irrelevant. In the second machine Joanna says she does stuff like NoScript to limit scripts. In the third machine, you'd likely want to run the browser with "everything enabled" as far as scripting is concerned, because you'll only be visiting the bank's website and you want that to work.

    Personally, I wouldn't waste that much hardware power on virtualization. Instead, for a "somewhat paranoid" setup, I'd just use a limited user account, a whitelist software restriction policy, and a browser with scripting and plugins (Adobe Flash and Reader, for example, to mention two of the often targeted ones) disabled globally and only enabled for trusted sites like the bank. And if you want to go more paranoid, you could always run two different limited user accounts: one for other browsing, and the other for "safe" browsing of only trusted sites like the bank. In which case, even if you somehow managed to get the first limited account infected, the second would most likely still be clean, unless you either really screwed up or the attack that infected the account was more clever than anything that has been discovered in the wild out there so far.
     
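One way to make the "only the bank's website, nothing more, ever" rule from Step 3 mechanical rather than a matter of discipline is a URL gate in front of each compartment's browser (a launcher or a local proxy allow-list). The following is an added example, not code from this thread or any poster; the host names are constructed samples, and it also covers the hostname tricks a naive string match would fall for.

```python
"""URL gate for the three-compartment browsing scheme discussed above.

GREEN = banking VM, YELLOW = shops and other logins, RED = disposable VM
for everything else.  Each compartment's browser only opens URLs of its
own tier, so the banking VM can never be steered anywhere but the bank.
Domain lists are constructed sample values, not a real policy.
"""
from urllib.parse import urlsplit

GREEN_HOSTS = {"online.examplebank.test"}             # constructed
YELLOW_HOSTS = {"shop.example.test", "mail.example.test"}  # constructed


def canonical_host(url):
    """Lowercase hostname of url, or None if it is not a plain web URL.

    urlsplit().hostname strips userinfo and port, so a decoy such as
    https://online.examplebank.test@evil.test/ yields evil.test, not the
    bank, and https://ONLINE.EXAMPLEBANK.TEST:443/ equals the plain form.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")  # trailing dot names the same host


def host_matches(host, allowed):
    """Exact allow-listed host or a subdomain of one; requiring the
    separating dot rejects suffix decoys like bank.test.evil.test."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify(url):
    """Return the tier a URL belongs to: GREEN, YELLOW or RED."""
    host = canonical_host(url)
    if host is None:
        return "RED"
    if host_matches(host, GREEN_HOSTS):
        return "GREEN"
    if host_matches(host, YELLOW_HOSTS):
        return "YELLOW"
    return "RED"


def allowed_in(compartment, url):
    """Gate decision for one compartment's browser launcher or proxy:
    only URLs of the compartment's own tier, and GREEN insists on HTTPS."""
    if classify(url) != compartment:
        return False
    if compartment == "GREEN" and urlsplit(url).scheme != "https":
        return False
    return True
```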
  8. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    To OP:
    heh: great minds :shifty:
    I have 3-4 Linux OS set-ups in different VMs
    Weak point might be the host OS: XP ;)

    The linux VMs can be set up for free with VM Server or Virtual Box, even booted from USB installs or live CDs if required
    It's easy to do and did I say: FREE.

    Dare I say it: ...might even be safer than using XP as guest :eek:
    ;)

    Windchild: that was quick...:)
    I can assure you the VMs are not complex to set up and run and require very little maintenance; they add not too much overhead if the host is trimmed, and the virtual machines can be trimmed to the bone. The VMs do not have to run simultaneously, or if so, one or several can be suspended as required, and this isn't even mentioning snapshots etc.

    I'm prolly teaching you stuff you already know..apologies...:oops:

    tbh:
    That makes my head spin and I'd likely forget some thing eventually: senior moments come and go. :)

    Of course there are many options for the host that we all know sandboxes, policy restrictions etc etc and some damn good softs around: the added benefit of the VMs is expanding your computing horizons.

    Image is my Core2 quad with 3 GB of RAM running non-trimmed XP SP2 with Ubuntu 9.04, CentOS 5.3, and PCLOS 2009.1 all booted in VMware WS :D

    ( I did specify some, what was then cool HW as a gift to myself, for my plans ;) ..and ..>cough<..>cough<.. the initial simultaneous boot just now -for the first time actually- did require some higher CPU and Ram use but no real speed issue here and host functioning normally during simultaneous boot of the 3 VMs )
    Regards.
     

    Last edited: Aug 5, 2009
  9. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    i'm quite familiar with joanna and her blue pill, thanks. i've blogged about her on a number of occasions http://anti-virus-rants.blogspot.com/search/label/joanna%20rutkowska

    she's highly regarded in the general security community, yes. the general security community and the anti-malware community don't always see eye to eye, however - especially when it comes to malware.

    and while she may be an expert on her particular brand of malware (which you'd certainly hope she was) she has yet to display any breadth of knowledge of malware in general, or anti-malware techniques/technologies. therefore i stand by my initial statement that she is not a malware or anti-malware expert.
     
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    OK, OK: I too use the great Sandboxie and some other bits and pieces on the host OS.
    Kurt: luv ya. :)
    But: my other way is more fun :D, it's become second nature for me, and all the functionality I need can be found in the FREE OSs.
    I ain't a malware analyst coder/hexer, just a basic end user: browse carelessly, print, digicams, videos, use Office stuff, Flash, etc. etc.: the computer as a TOOL.

    From JR
    LOL
    I am a generic mortal.
    Don't have an iPhone, don't know what a #G network card is :D

    She even says it:
    Even my squishy *nix in a VM seem ok for mere mortals with LOTS of built in functionality: See KW's next post :thumb:
    Regards.
     
    Last edited: Aug 5, 2009
  11. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    as a vmware user and a sandboxie user i can tell you that there is no difference in the convenience of refreshing the sandbox created by either. sandboxie can be configured to refresh its sandbox automatically by deleting the sandbox's contents when the session ends (as you are probably already aware), but vmware (and virtual pc as i recall) can be configured to not save any of the changes made during the session so you get the same effect.
     
  12. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    i must be really paranoid - i do all that stuff AND use virtualization.

    and to be honest i hardly even think about the fact that i'm doing it.
     
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    LOL, we all have such trust in Windows and 3rd parties !! :rolleyes:
    Bet you don't get too worried about Linux in VM ??
     
  14. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    not AS worried, but not care-free either. after all, the *nix platforms are where rootkits came from originally.
     
  15. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Ms Rutkowska is quite adept at making extravagant claims that she'll only back up for a lot of $$$$ :rolleyes:

    http://blogs.zdnet.com/security/?p=334
     
    Last edited: Aug 5, 2009
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    AH, now, OT, but: care to elaborate: most pundits regard a simple Linux install as pretty damn secure subject to end user folly and "passing on" the other OS's mals ??
    Doubtless you go places and do things I'm hopefully not/less likely to have to deal with ?

    Oh yeah: A HW firewall/router always makes me feel a bit better ;)
     
    Last edited: Aug 5, 2009
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Sweet paranoia. A good thing about paranoia is there is no upper limit.
    I go for orange approach - one browser and everything done inside it, happily.
    Don't click, don't get infected, simple.
    Mrk
     
  18. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    not sure how much more elaborate i can be. as i already mentioned, rootkits originally came from the *nix platform. the earliest one i'm aware of (one literally called "rootkit" at a time when people were instead talking of 'toolkits') was found in the wild, rather than being some lab research project.

    viruses and other malware for linux aren't unheard of either. that's one of the reasons why there are *nix tools like tripwire.

    and for the record, i don't generally go looking for bad things on the internet - i'm more end-user focused, more interested in how users can protect/defend themselves, and looking for bad things doesn't really feed into that. risk aversion, on the other hand, does.
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    :thumb:
    Risk aversion: tricky thing. :)
     
  20. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, well, you may have noticed that I didn't say VMs were complex to set up. I said they were overkill for most users, and that I personally wouldn't waste hardware power on VMs just for "security." I can keep my systems in a "safe enough" state without any VMs, so I don't see a reason to use VMs for purposes of security. VMs have other uses for me, but security is not one of those uses. Of course, your mileage may vary, and Joanna's at least apparently does. That's how it goes. Me? I generally prefer keeping hardware power for productive uses, instead of spending it on security software and virtualization and what not. For the stuff I do, I certainly never find myself having too much hardware power, not CPU or memory or anything, and therefore I really don't want to spend even small portions of that on running software that does nothing useful for me as far as security or productivity goes. And why spend time on tweaking and trimming some software to use less resources, when I don't even need that software and therefore can make it use no resources at all simply by not running it? ;)

    Doing all that plus virtualization just for security is indeed pretty paranoid on my scale of paranoia. Not that there's anything wrong with being paranoid, as long as it doesn't lead to delusions, like Joanna's delusions (or perhaps the better term would be "marketing speeches") about her undetectable rootkits and colorful pills. ;)
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, this is an old interview, and stuff like this surfaces every year around the Black Hat Convention, and typically, much of the interview is ego-gratification for both the interviewer and interviewee.

    And you've all missed the most important statement she made:

    First: I've not seen any URL with a web-based exploit that will bypass proper security in place.

    Second, follow Mrkvonic's advice:

    regards,

    rich
     
  22. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I wouldn't say that at all. After all, this thread isn't about Joanna's funny claims of undetectable rootkits and hypervisor attacks and what not - it's just about using virtualization software for safer browsing without AV products.

    If we bring all of her "invisible rootkit research" into this thread, it'll be a very different thread indeed. :D
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I mention her statement in light of the title of the thread.

    If the exploit can't install -- nothing else matters.

    ----
    rich
     
  24. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, certainly true as far as blocking malware infections is concerned. Of course, one can freely talk of virtualization software without missing that point. In fact, using virtualization software in the way described here is one method of keeping the exploit from installing anything to the system that you want to protect - whether that is a real system or a virtual one.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That sounds like an effective approach.

    ----
    rich
     