Please allow me just one Sandboxie question...

Discussion in 'sandboxing & virtualization' started by CoolWebSearch, Dec 21, 2012.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Bo, I just saw your post on Sandboxie forums:
    "If I was doing banking every day, I would install a new browser every time
    I did banking and delete the sandbox afterward, it only takes a minute to
    install Firefox.
    I don't do banking often but when I do, I just make sure that it's done on a
    new Firefox session that gets closed after performing anything sensitive.
    This is done on a hardened sandbox where only FF is allowed to do anything."

    For sandboxed Firefox this is very helpful as well.
     
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Great, then I will just run Google Chrome sandboxed.
    By the way here is the response from Tzuk on Sandboxie forums:
    http://www.sandboxie.com/phpbb/viewtopic.php?t=11731&sid=739e21c90823752f0029b41432f833b7

    Tzuk said this:
    "There are plenty of software that are designed to protect your information when you access to bank website that you already trust.
    That software says "if you trust the web site but don't trust your computer to be virus-free, then use me."
    So use one such software when you browse to the bank web site.

    Sandboxie is designed to protect your computer when you access websites that you don't trust.
    Sandboxie says "if you know your computer is virus-free and you want to keep it that way, then use me."
    So use Sandboxie when you browse to all other web sites that you do not trust."

    And that's pretty much everything you and others said as well.
     
    Last edited: Dec 28, 2012
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    There are many ways to do things, as is evident in this thread.

    The original question was asking about Sandboxie. All the other advice is great. But about Sandboxie, I don't relegate it to just sites I don't trust, nor sites I do. Nor do I worry about installing a new browser to do banking. I am anal, but not that anal lol.

    Rather for me, I start out clean, and use SBIE to remain clean. Because I use two browsers, one for sensitive activity (ie. banking) the other for normal www browsing, SBIE ensures neither influence the system. The only thing to do then is make sure the banking browser sandbox is deleted prior to using. You don't have to worry about plugins or addons, nothing. All you need to do is worry about your banks website, because you only go to that one place you need to do business with. It is about keeping your environment contained, and cleaning it if it needs.

    You certainly can't go wrong with all those advanced options that have been listed here. It is fun to experiment with, and it is also fun to have absolute control. I don't want to be that involved any more myself, so I use SBIE in a specific way so that I don't have to take all the extra steps.

    Six of this and a half dozen of that as long as the end result is what you want.

    Sul.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Hi Sul,

    are you using two separate browsers in their own sandbox configuration, or the same browser in two different sandbox configurations?

    As for plugins and extensions, my take on this is why not remove/disable them for the sensitive browser if they're not needed? They are often malware targets, especially Flash and Java. I've seen many threads this past year where people are seeking a bank/sensitive browsing setup, be it linux, Sandboxie, Defensewall, or guarded by av or similar. It seems these are people who want the safest banking set up possible. Nothing wrong with that, and in fact seems like a sensible goal.

    Using a separate browser has been suggested by many and it's an idea I like in particular. It looks to be one you embrace as well :) Why not start with the browser when configuring this separate browser setup, then think about what other application(s) could be used to augment its security? You say no need to worry about plugins or add ons with Sandboxie, and that could be true, but why not first remove the potential attack vectors from the browser before sandboxing it, or using some other means to secure it?
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I understand what you are saying, and why you are saying it. I think your ideas are pretty good.

    But I don't really want all that effort any more :D

    I have two browsers I use primarily. Each has its own sandbox. One browser is used daily for about everything. It does not delete on exit, only periodically.

    The other browser has its own sandbox. It is forced to delete on exit. Since Sandboxie and the browsers were installed on a clean system, and I always use them in SBIE, I can know that everything is always at a clean state.

    I ask myself, what does any vulnerability in my banking browser matter? If I start 100% clean, and only navigate to my bank's website, where is the risk? Obviously, there isn't one. If your bank website is going to "own" you because you have an unpatched browser or a risky plugin etc, then you have some pretty big problems. Since my sandbox is deleted when the browser shuts down, it's back to a clean slate again.

    The risk comes when I download files from either browser, and then run them on the real system.

    For the record, I don't use SBIE like that at home like I used to. I have been playing with a different setup for well over a year now, much simpler. But at work I use it just as I describe it, and everything has been going "peachy-keen" for a long time ;)

    Sul.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    You are right about there being no risk in the bank’s website. As you suggest if one’s bank website is vulnerable, they've got bigger problems than their security setup :D I guess I’m just striving for the most impenetrable setup possible, without all the excess fluff, even though the extras like hardening the browser so thoroughly is likely overkill. However, if only the browser were to be relied on (I'm talking about a banking/sensitive browser), I would take the stripped down one over the one with default plugins and other extras that could pose a security risk. This is just my mindset; keep things reasonably simple using what's already available in the browser and O/S, but go all out or not at all :D To me it's not that much effort either; once it's setup, it's good to go. It does, admittedly, get much more involved with firewall restrictions which I've had a play with recently, but again, once it's set up, maintenance is minimal, and for only a banking setup, it's not too bad at all, especially if subnet masks or CIDR notation is used for the ip addresses. But I digress.

    You mention the way you view the risks are the files you download and install. This is actually one of my least concerns, as I’ve never been bitten once when I download from a reputable source. The risk from my pov are the potential malicious web borne scripts responsible for drivebys and such, although these aren’t really difficult to prevent either.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I look at the solution in two flavors - for me anyway.

    1. Browser is restricted - user space is even off limits at this point. What is the browser going to bring into my environment really? If the parent process is limited, children will be as well. Plugins or not, most all threats to the SYSTEM will be contained. Not foolproof, but it has proven on my system to withstand whatever I do online without a problem.

    2. Browser is segregated to its own environment - using SBIE as the easiest example. Again, no matter what I have configured in the browser, it is kept from changing the SYSTEM. That doesn't address the sandbox environment housing nasties, but we are talking about things of sensitive nature like banking etc.

    From my viewpoint then, if I don't have to worry about what my browser will do, it only leaves what I bring into my SYSTEM, via the browser. And that is files. Executables, archives, pdf, etc etc. I do a lot of experimenting. A lot of tweak tools or just tools. I play some games, but usually buy those. So for me, I cannot always get things from a trusted source. So I rely on some other tricks to make sure my downloads don't execute with any privileges. At home I primarily use a forced downloads directory with SBIE. This lets me test new things out, and most of the time I don't even install it to the real system, only in the sandbox. Delete the box and it's back to a clean SBIE environment.

    For me then, it is the downloads I like that I have to trust. It's a matter of what it is, who recommends it, where I got it. Sometimes you can get them from reputable sources, sometimes not. That is my fear, that I overlook something. But thus far, I have had to change nothing in the last year. And if using SBIE 100%, I would probably be on 3 or 4 years now with no changes to speak of.

    As for a firewall, matching on banks CIDR or net block or domain name, or whatever you want - I used to dig that. But not any more. I just don't see how I am going to develop a problem unless my bank themselves get rooted. And if that happens, I don't really think my security is going to give me any peace of mind. Switching banks might though at that point LOL!

    A long time ago I decided that I would not get owned like so many did. I made a decision to not store anything of value on my machine. I do have some network shares with decent restrictions, but even there I don't have anything that would ruin me. It is my bank account login that I would worry the most about.

    Sul.
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I'm with you on this, like I said I have a 100% clean computer, and this is why I rely on Sandboxie with restrictions. Basically, everything I threw at Sandboxie so far, including drive-by downloads, pdf, script malware, everything, couldn't get through Sandboxie with restrictions, and please note that I tested on the real system, not some virtual box; yes, from time to time I do that myself just to see how good my inbound protection is.

    Sandboxie passed all of my tests, so I just don't see why it wouldn't pass online banking.
    You said that Sandboxie is not foolproof, but I'd say it's foolproof if it doesn't have some bug or similar things.
    Everything else, yes we can say that Sandboxie is the closest of being foolproof, it just depends if it has any bugs.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Very good Sully, thanks! I know your system for your use is bullet proof. Mine I feel is bullet proof too. My experiment is part of a "game" for me :D It's a hypothetical situation where I'm a PC security contractor approached by an extremely paranoid business wanting a sensitive browser setup on all their machines. They are paying me good money but it better be the most bullet proof setup possible or my reputation will be tarnished for life :p Again, just a sort of game, maybe silly, but it's fun :)
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If I were doing that, in real life, I would not use SBIE most likely. I would also require that they follow what I design to the letter, else they would be held responsible. You can create very good security, as long as the design is followed. When users decide how and what to do, game is over IMO.

    Sul.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My idea is that not everyone will be accessing the Internet using a direct connection. By this I mean that some person may be part of a home lan, and the computer directly connected to the Internet, and also used by the main owner, may be infected and could have changed the system to redirect the bank's domain to a different IP, for example.

    So, in this situation, while the other person's system is clean, the computer used to connect to the Internet is not. So, by using a firewall/Chrome's technique to restrict communications to the bank's IPs, the connection would simply fail, and this would alert them for some issue. Unless they're really "blind" as hell. :argh:

    We could also be talking about a single system with its own connection. Think of a modified hosts file. If I run my browser with a customized batch file mapping the domains to the respective IPs, and the connection to the bank fails, either there's some issue on the bank's side or in the user's system. They may even run an antimalware application, etc., but nothing flags anything. At least, this approach would let them know if something is wrong.

    Or, the attack could be entirely different and the system be already compromised by a sophisticated piece of malware, which in this case not even Sandboxie/other would help the bank users (as we know it and as been discussed).
     
    Last edited: Dec 30, 2012
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    @m00nbl00d,

    a "least user privilege" setup with a default-deny AE in place, should virtually guarantee immunity from infection in the first place, whether it be on a LAN or not. Of course the administrator of the system is ultimately responsible for ensuring only safe programs are installed on it. The tricky directories, at least for me, are anything under %AppData%. Not only because they're not protected against writing, but also there are always some temp paths that make it a challenge for creating path rules because of their varying nature. One example I use for my Portable Chrome banking browser experiment is:
    Code:
    C:\USERS\my_name\APPDATA\LOCAL\TEMP\*.TMP\REGISTRY.DLL
    This is not ideal security-wise but it's about the most restrictive I can get because of the varying nature of the characters preceding .TMP. I hate using hash rules because they are a PITA to maintain, Publisher are great but there are always some files associated with programs (like Chrome) not digitally signed, so my choice on them are to use the most "literal" path rule I can come up with. In the end I have a collection of Publisher and hash Path rules.

    The firewall restrictions or host file, or any other method used to restrict the browser's connections should at least keep it from being re-directed, as you've alluded to, (if it were to get to this point) to a malicious location.

    Hopefully I didn't miss anything, but here's how I've hardened Chrome Portable as a "banking only" browser:

    Harden Chrome: Settings >> +Show advanced settings. Configure the settings as follows:
    • Extensions: remove any listed
    • Plugins: Unless your bank’s website requires them, disable all plugins not required, especially java, flash and PDF viewers by typing in the address field >> chrome:plugins then <enter>. Click on “disable” to disable ALL plugins you think you won’t need.
    • Set Home Page to your bank’s home page
    • On startup: Open a specific page: >> Your bank’s home page URL eg: -http://www.rbcroyalbank.com/personal.html (omit the “-“ prefix)
    • Privacy: enable> Enable phishing and malware protection clear > Use a web service to help resolve navigation errors, Use a prediction service to help complete searches and URLs typed in the address bar, Automatically send usage statistics and crash reports to Google
    • Passwords and forms: clear> both checkboxes
    • HTTPS/SSL: enable> Check for server certificate revocation <-- Optional: maybe not that effective
    • Content Settings: enable> Block third-party cookies and site data (but allow exceptions for your bank’s URL’s)
    • Javascript >> Do not allow any site to run javascript >> Manage Exceptions >> add the required bank’s URL’s, eg: -https://[*.]www.rbcroyalbank.com:443, -http://www.rbcroyalbank.com, -https://[*.]www1.royalbank.com:443
    • Images: enable> Do not show any images >> Manage exceptions >> add your bank’s URL’s (same as with javascript exceptions)
    • Plug-ins: enable> Block all
     
    Last edited: Dec 31, 2012
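    To see concretely what a wildcard path rule like the one quoted above does and does not admit, here is an added example (my own, not wat0114's and not any application-control product's code) that models the rule in Python and sets it beside a hash rule for the same file. It assumes that "*" matches any characters within a single path component and that matching is case-insensitive like NTFS; the sample paths and DLL bytes are constructed.

```python
import hashlib
import re

# The wildcard allow rule quoted in the post (one DLL under %AppData%).
APPDATA_RULE = r"C:\USERS\my_name\APPDATA\LOCAL\TEMP\*.TMP\REGISTRY.DLL"


def rule_to_regex(rule: str) -> re.Pattern:
    """Turn an allow-list path rule into a compiled regex.

    Assumption: '*' matches any run of characters inside ONE path
    component (it never crosses a backslash), and comparison is
    case-insensitive, as NTFS paths are.
    """
    escaped = re.escape(rule)                    # '\' -> '\\', '*' -> '\*', '.' -> '\.'
    pattern = escaped.replace(r"\*", r"[^\\]*")  # wildcard = "anything but a backslash"
    return re.compile(pattern, re.IGNORECASE)


def path_rule_allows(rule: str, path: str) -> bool:
    """True if the path rule would allow this file to execute or load."""
    return rule_to_regex(rule).fullmatch(path) is not None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_rule_allows(allowed_sha256: set, file_bytes: bytes) -> bool:
    """A hash rule ignores the path entirely and checks the file contents."""
    return sha256_hex(file_bytes) in allowed_sha256


def evaluate(path: str, file_bytes: bytes, allowed_sha256: set) -> dict:
    """Compare what the path rule and a hash rule decide for the same file."""
    return {
        "path_rule": path_rule_allows(APPDATA_RULE, path),
        "hash_rule": hash_rule_allows(allowed_sha256, file_bytes),
    }


if __name__ == "__main__":
    # Constructed sample contents: the DLL the rule was written for, and a
    # different file dropped at a path that also satisfies the wildcard.
    genuine_dll = b"constructed bytes standing in for the expected registry.dll"
    dropped_dll = b"constructed bytes standing in for some other registry.dll"
    allowed = {sha256_hex(genuine_dll)}

    expected_path = r"C:\Users\my_name\AppData\Local\Temp\chr1A2B.tmp\registry.dll"
    dropped_path = r"C:\Users\my_name\AppData\Local\Temp\anything.tmp\registry.dll"
    print("genuine :", evaluate(expected_path, genuine_dll, allowed))
    print("dropped :", evaluate(dropped_path, dropped_dll, allowed))
```

The second call shows the weakness the post admits: any file named REGISTRY.DLL inside any *.TMP folder under that Temp directory passes the path rule, while the hash rule only passes the exact contents it was written for.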
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Agree.

    Also agree.

    I don't use path or publisher rules outside of Program Files and Windows directories. All hashes for me. It takes a bit more to "upgrade" the new hashes, but it's worth the effort for me.

    Agree.

    Agree.

    I disagree with enabling phishing and malware protection. A bank's browser profile would only be able to connect to the bank's own domains/IPs and no other in any of my systems. :)

    Agree

    I disagree with enabling the option to check for certificate revocation. I'd rather take the Certificate Revocation Lists file from another Chromium profile, and maybe automate the process of copying it to the bank's profile folder. Again, this would fit in my idea of only letting the browser connect to the bank's IPs.

    I agree with all that, but it would have been so much easier to use the command-line switch --host-rules to allow connections only to the bank's domains, IPs and respective ports. This would allow the user to avoid all those other extra steps you're taking. :)
     
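    The --host-rules switch m00nbl00d mentions takes a comma-separated list of MAP and EXCLUDE rules; the following added example (my own, not Chromium's code and not any poster's) simulates how such a rule set decides where a banking-only profile may connect, so the rules can be checked before they are put on a command line. It assumes the semantics I understand Chromium to use (first matching MAP rule wins, EXCLUDE bypasses mapping, ~NOTFOUND forces the lookup to fail); the bank hostname and address are constructed sample values.

```python
import fnmatch

NOTFOUND = "~NOTFOUND"  # special replacement: force name resolution to fail

# Constructed sample values, not a real bank's hostname or address.
BANK_HOST = "www.bank.example"
BANK_IP = "203.0.113.10"

# Pin the bank to a known address and make every other name unresolvable.
# Order matters: the first MAP rule whose pattern matches the host wins,
# so the specific rule must come before the catch-all.
BANKING_RULES = f"MAP {BANK_HOST} {BANK_IP}, MAP * {NOTFOUND}"


def parse_host_rules(switch_value: str):
    """Split a --host-rules value into MAP rules and EXCLUDE patterns."""
    map_rules, excludes = [], []
    for raw in switch_value.split(","):
        parts = raw.split()
        if not parts:
            continue
        verb = parts[0].upper()
        if verb == "MAP" and len(parts) == 3:
            map_rules.append((parts[1].lower(), parts[2]))
        elif verb == "EXCLUDE" and len(parts) == 2:
            excludes.append(parts[1].lower())
        else:
            raise ValueError(f"unparseable host rule: {raw.strip()!r}")
    return map_rules, excludes


def _matches(pattern: str, host: str, port: int) -> bool:
    # A pattern may name just the host ("*.bank.example") or host:port.
    return (fnmatch.fnmatchcase(host, pattern)
            or fnmatch.fnmatchcase(f"{host}:{port}", pattern))


def resolve(switch_value: str, host: str, port: int = 443):
    """Return what the browser would connect to for host:port.

    Gives the replacement from the first matching MAP rule, None when
    that rule is ~NOTFOUND (the connection simply fails), or the original
    host when no rule applies or an EXCLUDE rule matches (normal DNS).
    """
    map_rules, excludes = parse_host_rules(switch_value)
    host = host.lower()
    for pattern, replacement in map_rules:
        if not _matches(pattern, host, port):
            continue
        if any(_matches(ex, host, port) for ex in excludes):
            return host
        return None if replacement == NOTFOUND else replacement
    return host


def check_profile(switch_value: str, hosts) -> dict:
    """Dry-run a rule set against the names a session might try to reach."""
    return {h: resolve(switch_value, h) for h in hosts}


if __name__ == "__main__":
    probes = [BANK_HOST, "login.bank.example", "cdn.tracker.example"]
    print(check_profile(BANKING_RULES, probes))
    # Same rules in the wrong order: the catch-all swallows the bank too.
    print(check_profile(f"MAP * {NOTFOUND}, MAP {BANK_HOST} {BANK_IP}", probes))
```

With the bank name mapped directly to an address, the profile never asks the system resolver (or the hosts file) for it, which is the redirection case m00nbl00d raised; if the bank moves to a different address the connection fails rather than silently going elsewhere, and TLS certificate checking against the hostname still applies.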
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I just realized and corrected a mistake in my previous post:
    It is "...publisher and Path rules" :)

    I used to feel the same way, but all the time and effort it took me to maintain them broke me down :)


    Correct of course, but I look at it as "why not?". It's enabled already by default so I leave well enough alone. In the extreme remote chance that the bank's site becomes...


    Yeah, one or more of the IP ranges I came up with was Verisign. I don't know about your method. Maybe too complicated for the average user? No doubt it works great.


    The command line switch only works in Chrome, doesn't it? The firewall rules work for any browser. As for extra steps, it takes only a few minutes to set the browser up like this, then that's it. It's done for good.

    EDIT

    actually it might be better to disable the "Check for server certificate revocation"
    -http://www.macworld.com/article/1165273/google_chrome_will_no_longer_check_for_revoked_ssl_certificates_online.html
     
    Last edited: Dec 30, 2012
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Quite true! But, to be honest, all the steps you mentioned were meant for a Google Chrome profile, and not for any other browser. So, it's only fair that I mentioned a much simpler method for Google Chrome users. :)

    And, I don't know about Opera and other browsers (except those based on Chromium), but Firefox doesn't allow these kinds of settings that easily, and most likely not without using extensions, something I believe we both agree we shouldn't have to use in such a browser profile. ;)
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Agreed :)

    Right, Firefox lacks some of the settings Chrome offers, but it can use one powerful extension I'd have no problem using or recommending in this type of setup: NoScript. I think it was some US-CERT paper I read somewhere that recommended it too. Opera and other lesser known browsers I don't know about. IE 9 or 10 can be hardened quite well, and I'd have to look at using Zones.

    In reality, as Sully alluded to, this is mostly overkill anyway. Still, it was just interesting to see how far "locked down" I could get a browser for banking purposes.

    EDIT

    Even though dated, here is a decent paper on MITB attacks including a section on hardened browsers: http://www.cacert.at/svn/sourcerer/CAcert/SecureClient.pdf
     
    Last edited: Dec 31, 2012
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I suppose that could be one extension Firefox users could use, if it really must be used. Better use it, than not use it (for this one purpose).

    Regarding Internet Explorer, I don't recall from memory what exactly it achieves, but Internet Explorer 9/10 has one feature that allows users to pin websites to the taskbar, and that will only allow the browser to connect to that one website. I hope I'm not wrong. If I'm right, then it would be another great measure for such scenario. Unfortunately, Windows XP users would be out of luck considering that they can't install those versions.

    Indeed. You could also add --host-rules to your approach. :D
     
  18. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    So I just started using Sandboxie a month ago, the free version. Just using default settings, basically have Chrome sandboxed, am I missing something? Should I do more with it?
     
  19. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Even if you have your sandbox configured to only allow your browser to run and only allow your browser to have internet access, I think a keylogger could still harm you. What if the keylogger somehow infects/hijacks the browser process itself, which you have allowed to run and use the internet? Then Sandboxie wouldn't protect you from that.

    Also can someone confirm to me if it is possible for a keylogger running in SandboxA to capture keystrokes inside SandboxB or outside of any sandbox?
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Sandboxes don't communicate with each other, to be safer when doing sensitive browsing, close all sandboxes except the one that you are using for banking. But if a keylogger is running in a sandbox, it can record what you type.

    Bo
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    All he has to do is to use restrictions for start/run inside the sandbox; in that way a downloaded sandboxed keylogger cannot start/run.
    Wat and Sully helped me a lot regarding online banking. I simply created a separate Bankingbox where nothing is allowed to connect to the internet or to start/run, so all of my plugins, nitro pdf and etc. are all blocked in that sandbox, all except firefox.exe and iexplore.exe; only these 2 processes can start/run and access the internet, everything else is blocked.
    Of course I also enabled automatic deletion of the sandbox.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    CWS, Delerious knows about restrictions; he is asking if a keylogger is running inside a sandbox, can it capture keystrokes outside the sandbox. The answer is yes. That's the correct answer and we, who use SBIE, should be aware of that.

    Bo
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I missed that, ah, most likely I wrote this so fast that I didn't even see what he wrote.
    But I have a question for you, since I'm not sure what will moderators say for this following request I truly hope you will send me on PM.
    I remember that you said that you can name 25 different reasons why Sandboxie is better than DefenseWall, and why you would pick up over DefenseWall.
    I'm not sure if you said exactly 25, but since posts like this most likely are not allowed could you send me PM or send on my e-mail why do you think so?
    It's hard to swallow and think about 25 different reasons...
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I'll send you a PM later today. I remember that post. I think I wrote 25, I can think of more than 25. I not only think DW is great, I know it is great; Sandboxie is just much better, in my opinion.

    Bo
     