How to secure a machine that may be infected while visiting untrusted sites?

Discussion in 'other security issues & news' started by richrf, Jan 4, 2007.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    I am embarking on developing a new site at www.links.com. The concept is to highlight only the very best websites (yes, wilderssecurity is on the Best of Best list). I do get submissions from sources that are not trusted, which I need to review, so I would like to set up a simple machine which I can use to review these sites. Optimally, the machine should have two capabilities:

    1) Detect any malware that the site might have that might infect other visitors.

    2) Allow me to rollback to a prior state, quickly, easily, and completely without any concern about rootkits, trojans, etc. I was thinking of Shadowuser or Deepfreeze, but would like some confirmation.

    What would be a classical setup for such a machine?

    Thanks, as always, for advice.

    Best,
    Rich
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    If you really want super-uber-ultra-security:

    Linux machine.
    VMware Server installed.
    Another Linux machine inside the server.
    Firefox with Noscript.
    Lynx - text browser.

    Mrk
     
  3. TECHWG

    TECHWG Guest

    Oh my god, are you planning for a cyber atomic bomb going off in your cable box? Linux inside Linux? Now you are talking about a super uber bunker inside a bunker that's 1 mile deep. Oh gee, that would do it, but I think it's a little overkill. I would say Windows XP with VMware Server and another XP guest would do it, but that's my opinion. I run my guests with no protection and go to any website.
     
  4. tlu

    tlu Guest

    Don't worry - Firefox with NoScript (with JavaScript, Java, Macromedia Flash and other plugins forbidden by default) is enough - Mrkvonic tends to be ironic sometimes ;-). I also recommend the extensions Adblock Plus and Cookie Button, the latter because of privacy considerations.
     
  5. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    think the point here isn't prevention
    it's detection

    you want an unsecured, unpatched OS inside a virtual machine that is running on a secured box

    first part is obviously Windows since that is what the majority will be employing, second part could be Linux if you're familiar with it, but it doesn't really matter as long as it's secured

    it's how to go about logging the attack vectors that will be fun
    is it done from outside the VR or inside
    is it enough to have security apps XYZ say an attempt was made and blocked inside
    or do you want to allow it to compromise the target OS and see the results

    that is beyond my ability to make rational recommendations
    it's like a honeynet but a browser\OS
    I know folks do this, but I've never set one up myself

    richrf one more point here, since you'll be giving your seal of approval
    a site that may be malware free today may not be malware free tomorrow and you can't guarantee their security. they can be compromised and have cross site scripts embedded.
    Thus you might date when the "check" was made and add a disclaimer ;)
    Better yet a short tutorial pinned for users

    from the FAQ linked above
    while this is "old news" and major websites well aware, in a linkfarm you're very likely to acquire many websites that while containing great content are less than diligent in their own security. In fact some sites haven't been updated for years but still have fantastic info.
     
    Last edited: Jan 4, 2007
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Yes, you have distilled the problem. This is what I am most concerned with. Because of this I may have to resort to allowing links solely to trusted sites. If there are any other thoughts on this matter, I would very much appreciate it.

    Rich
     
  7. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    I've built my fair share of linkfarms as well as administrated a forum with 40k posts per week (supposedly trying to check all the links) and it should really be beyond your scope to attempt to idiot-proof stuff. There is enough administrative overhead just keeping the links relevant (even live links tested through automation can point to something else than the original content, thank the gods for the Wayback Machine)

    I'd simply say for your own safety employ Firefox w/ NoScript and CookieSafe extensions and preferably run it from Sandboxie, link 'em a tutorial and call it good ;)
    http://www.spreadfirefox.com/

    dumbing down to reach the lowest common denominator cuts into the utility value far too much
    but more importantly is administrative overhead you can't maintain manually for very long

    by disclaiming responsibility yet educating the public on safe surfing (provide lots of alternatives) you're actually providing a public service, people don't need to have others protect them from the big bad intraweb, they need to learn to do it themselves

    the more utility value your site provides the greater your potential to educate ;)
     
    Last edited: Jan 4, 2007
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Thanks much for your suggestions. Very helpful. Yes, I am interested in what webmasters who run linkfarms do. I do think there is a special issue that I am facing, in that I am sort of stating that the sites are the Best of the Best, and therefore, there is a certain trust involved. It is a difficult issue, but I may have to resort to a tightening of my approach, or go a slightly different route.

    Thanks again for sharing with me your experiences.

    Rich
     
  9. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    I'd say how you present the focus goes a long way towards its expectations
    I personally feel utility value trumps everything else
    and would qualify from there.

    You're either making recommendations on how useful the information is or you're spending an inordinate amount of time attempting to verify the safety of the source at the expense of those recommendations. You obviously have to employ judgment when gauging the veracity of the information you're recommending and that would to a certain extent also extend to the safety of the link. But you don't personally verify every bit of info published on a site. You should consider some level of parity for security threats as well. A reasonably secure box showed no signs of infection....today.

    and here are a few best practices in the event things change, which they will, eventually
     
  10. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    richrf,
    Would you please be willing to explain why your site is red highlighted by SiteAdvisor?
     
  11. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    its a linkfarm?

    odds are its linked to something it doesnt like?

    :blink:
     
  12. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    exactly. apparently somewhere in links.com there is a link to allfreegifts.net which SA considers a "high volume or spammy e-mailer".
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Rich,

    Long time no see!

    Having a collection of "best sites deemed safe" seems like a useful service.

    For those doing research, we wish that somehow we could check *any* site ahead of time, but that would seem to be an insurmountable task.

    I did a search earlier this morning. I'm compiling an article on first performances of the symphonies of Gustav Mahler. I searched for "mahler symphony 3 first performance" and Google displayed:

    "Results 1 - 100 of about 399,000 for mahler symphony 3 first performance. (0.28 seconds)"

    I've got Google configured to display 100 sites/page, so here I am: There is no way I could take the time to go to a site to check each of these to see if they are safe!

    In the early days, web exploits weren't such a hot topic. Today, I think most people here are pretty well-protected against the known types of remote code execution.

    You ask about roll-back security: researchers at the University here have Deep Freeze installed, so a reboot after each on-line session clears everything. They really can't be bothered with checking sites ahead of time, even if it were possible.

    Of concern today is that many people read *.doc and *.pdf files posted on web sites. Recently, PoC files show how such documents can be exploited to run code. It would be very difficult to keep tabs on these sites, since they would constantly be changing.

    A recent example is described in this sans.org diary

    One way to help mitigate such exploits is to not view/read documents in the browser. One of the PoC links launches a script when the .pdf file opens in the browser:

    http://www.urs2.net/rsj/computing/tests/pdf/pdf-ie.gif

    But if the browser is configured to open the file in a .pdf reader, then the exploit doesn't work - the code appended to the URL is stripped.

    http://www.urs2.net/rsj/computing/tests/pdf/pdf-acrobat.gif

    The same with MSWord documents. Here, everyone has MIME types in both the browser and email client configured to open *.doc files in a text editor - covering all non-user-originated such documents. So, the latest MSWord exploit was a non-issue here.

    So, while a site like yours that lists "safe" sites is certainly useful, it behooves each person to prepare as much as possible to protect against the known exploits, and to have rollback/backup/imaging plans in place for the worst-case scenario.

    As far as catching/analyzing malware yourself, an interesting approach has been set up by LinkLogger at DSLR:

    How to own Malware

    Good success to you in your endeavor!

    -rich
     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi guys,

    Thanks for spotting this for me. At this time, there is no link that I know of to allfreegifts.net, unless somehow I have been infiltrated. What is the best way to scan my site for this link? It could be hiding somewhere, and I would like to find it if I can. I will also investigate with my Hostgator. Thanks.

    Rich
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rmus,

    Nice to hear from you again! Obviously, I am up to some new things here on my end. Thanks much for your very informative post. I am going to have to take this all in and see where I go.

    From my vantage point, it is difficult for me to claim Best of Best, and then have a disclaimer which basically warrants the site for 1000 miles. :) I could go ultra safe, but then it dilutes the value of the safe. But the more I open it up, the more the safe becomes less safe to visit. A tough wire to walk. But thanks much for sharing your thoughts. I will visit the site you suggested and take it all in.

    Best always,
    Rich
     
  16. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    i did not find it, SiteAdvisor did. but I do hope you find the link (if it exists) and remove it.
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I have a ticket out on the issue right now. The other information that SiteAdvisor displays (e.g. Canada) is also wrong. So, I have no idea where SiteAdvisor is getting its data, but I think I need a lawyer. :)

    Thanks for bringing this to my attention.

    Rich
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    My hosting support ran an SSH of my directory and I ran a google of my site. Neither came up with any instance of allfreegifts.net. I am going to try to get more info from SiteAdvisor. I am plenty upset about this. McAfee seems to think it can go around tagging sites without any warning to owners. If they are wrong, I think we can safely say they are in trouble. We are talking here of a very high visibility site that McAfee has cavalierly labeled as a spam generator.

    Rich
     
  19. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    richrf,
    I hope this isn't a stupid question but is it possible to embed script into your site that would automatically link it to another site?
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I think it is an excellent question. I've tried to think of ways that a link can "manifest" itself, so that SiteAdvisor could see it, yet would escape my searches and SSH. So far, I cannot think of anything.

    But whatever it is, it is incredible that McAfee thinks that they can just label something as being dangerous without notifying the owner or providing any evidence. I am without words at their attitude. Exactly who are these guys that they think they can do this. Talking about "malicious behavior". We shall see how this turns out.

    Rich
     
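On the question raised in posts 14 and 19 (how to find a link you cannot see, and whether script can add one at page-load time): a search over the webroot or a site search only sees the literal string, so a reference assembled by inline JavaScript from two halves, or written with `\x`/`\u` or percent escapes, is invisible to it. The following Python script is an added example for this thread, not code anyone posted; it parses a page and checks URL attributes, meta-refresh targets and inline script string literals after undoing those escapes and simple same-quote string concatenation. The sample page is constructed for the example; every host in it except allfreegifts.net (the domain named in the thread) is a placeholder under `.test`.

```python
"""Hunt for references to a domain in a page after a plain text search has
come up empty: URL attributes, meta-refresh targets and inline <script>
string literals, normalized for JS/percent escapes and string concatenation.

Added example, not code from the thread. SAMPLE_HTML is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes whose value is (or contains) a URL; "content" covers
# <meta http-equiv="refresh" content="0; url=...">.
URL_ATTRS = {"href", "src", "action", "data", "content"}

# 'abc' + 'def' -> 'abcdef' (same quote style only; mixed quotes are left alone)
_CONCAT = re.compile(r"""(['"])\s*\+\s*\1""")
_LITERAL = re.compile(r"""(['"])(.*?)\1""")
_JS_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_JS_UNI = re.compile(r"\\u([0-9a-fA-F]{4})")


class _Collector(HTMLParser):
    """Collect (where, raw value) pairs from URL attributes and inline script."""

    def __init__(self):
        super().__init__()
        self.candidates = []
        self._script = None  # text chunks while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self.candidates.append((f"<{tag} {name}>", value))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = _CONCAT.sub("", "".join(self._script))
            for m in _LITERAL.finditer(body):
                self.candidates.append(("<script> literal", m.group(2)))
            self._script = None


def normalize(value):
    """Undo JS \\xHH / \\uHHHH escapes and percent-encoding, then lowercase."""
    s = _JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)
    s = _JS_UNI.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s).strip().lower()


def naive_grep(html, domain):
    """What a plain text search over the webroot sees: the raw bytes only."""
    return domain.lower() in html.lower()


def find_domain_references(html, domain):
    """Return [(where, normalized value)] for every candidate mentioning domain.

    Deliberately a substring match after normalization: when hunting for a
    flagged link you want every lead and will review the hits by hand.
    """
    parser = _Collector()
    parser.feed(html)
    parser.close()
    target = domain.lower()
    hits = []
    for where, raw in parser.candidates:
        norm = normalize(raw)
        if target in norm:
            hits.append((where, norm))
    return hits


# Constructed sample page: one honest link, one redirect, one image, and a
# script that builds a link from two halves plus one written with escapes.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5; url=http://www.redirect-target.test/">
</head><body>
<a href="http://www.wilderssecurity.com/">Wilders Security</a>
<img src="http://cdn.placeholder.test/logo.png">
<script>
  var a = document.createElement('a');
  a.href = 'http://www.allfree' + 'gifts.net/promo';
  document.body.appendChild(a);
  var b = "\\x68ttp://evil\\x2eplaceholder\\x2etest/";
</script>
</body></html>"""

if __name__ == "__main__":
    for d in ("allfreegifts.net", "evil.placeholder.test", "redirect-target.test"):
        print(d, "grep:", naive_grep(SAMPLE_HTML, d),
              "parsed:", find_domain_references(SAMPLE_HTML, d))
```

Against the sample, `naive_grep` misses both script-built references while `find_domain_references` reports them along with the meta-refresh target. To use it on a live site, fetch each page (for example with `urllib.request`) and feed the body to `find_domain_references`; templates, server-side includes and third-party scripts pulled in by `<script src>` need the same treatment, since the injected reference may live in a file that is not itself a page.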
  21. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    the wonderful world of automation :cautious:
    when you say "they" you're probably talking about a bot that is crawling the web and automatically providing data to the database with no human supervision whatsoever. Considering the vast depth and width of the internet generating an email notification for each entry is a somewhat optimistic expectation for any corporation. How they allow you to challenge it will say more about their level of corporate ethics.
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi there,

    We have sort of a complicated situation. McAfee is doing what amounts to corporate blackmail, labeling sites as spamming, with the Big Red X, without any warning or prior notification, and no immediate recourse. A site like Links.com is suffering irreparable damage as such, especially since it is appearing on Google searches.

    Let's say that someone over at McAfee will definitely be hearing from me. I am trying to be reasonable about this, but I am quite shocked at their irresponsible, cavalier, and quite damaging behavior. It should be interesting to hear what they have to say. I have printed out the "warning page" as well as the Google search page with the "X". If they want to force people to purchase their products, I hope they have the evidence to back it up.

    Rich
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I sent a message to SiteAdvisor/McAfee asking them:

    1) To provide me with all evidence that they have that links.com is affiliated with allfreegifts.net

    2) Asking them why there was no prior notification

    3) Asking them why there is no procedure in place to rectify errors in a prompt manner.

    This is really quite unfortunate, since I am just in the process of attempting to build the reputation of Links.com.

    Rich
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    As an update,

    I have finally managed to get in touch with someone at SiteAdvisor. They have confirmed that there is no spam link on my site. Apparently they claim there was such a link at one time, back in October. Possibly this occurred when my name was parked. However, I was never notified about this problem, nor have they shown me any evidence.

    This has been an enormous concern to me. Despite the ongoing damage that their product does to my site name, they responded that it would take up to three weeks to correct the problem. This is clearly not acceptable, and I am working on correcting the problem. It is a jungle out there, and sometimes I feel I am being attacked by the so-called "white hats" as well as the black ones. Thanks all, for bringing this to my attention.

    Rich
     
  25. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    Rich,
    SiteAdvisor now shows green. I'm beginning to realize that unless McAfee is more careful, they could wind up being on the defending end of lawsuits for libel.
     