Sandboxes: The Magic Bullet for Unsecure WiFi Hotspot Browsing?

Discussion in 'sandboxing & virtualization' started by Brent Hutto, Dec 4, 2007.

Thread Status:
Not open for further replies.
  1. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    I've just gotten a notebook computer for the first time ever and I'm looking forward to being able to use it on the go occasionally at public WiFi hotspots. I'm paranoid enough to avoid transacting business with my bank account or credit cards over an unencrypted link but I've been advised by a couple of people that the more worrisome threat is exposure to certain types of malware that can attack my system in those environments.

    At home I use it behind a WPA2-encrypted, MAC-filtered NAT router...which automatically provides stateful packet firewall I believe. So the vast majority of my Internet usage that happens at home is not a major concern. I'll either put a Norton or Kaspersky suite on the computer or maybe even cheap out and get by with the Vista firewall, Windows Defender and a plain old antivirus scanner.

    But when I go out onto unsecured wireless networks, riddle me this. If I were to install Sandboxie on the notebook and always run Internet Explorer within it while using unsecured wireless, wouldn't that be a fairly robust solution to the class of threats my friends are warning me to beware? I could configure the sandbox not to have a view of any of my personal data and for just plain old browsing it ought to be a real Chinese wall if I understand the technology correctly.

    I'm thinking all I really need is Sandboxie for use in public and a program for making system images on DVD+R every week or two at home and most any old antivirus program will suffice for routine sweeps. Or am I overlooking a big gotcha somewhere that makes all this more complicated than it sounds?

    P.S. Is this sort of thing what is meant by a "drive-by" browser attack?
     
  2. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I'd say running Sandboxie with Returnil as a virtualization for the entire OS etc would give you as close to ideal as I think you'll find.
     
  3. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    Chuck,

    I think I have my head around what Sandboxie does but Returnil is in some different class of device. Can you tell me in 25 words or less what it adds to the equation? Or even 50 words, what the heck...
     
  4. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    The best way I can explain it comes from their website:

    It provides a simple, effective, and smart way to prevent unwanted or malicious changes from being made to your supported Windows® Operating System and the drive where Windows® is installed. You operate your system in a virtual environment, so anything you do will happen in the virtual environment, not in the real PC. If your computer is attacked or gets infected with Malware, all you need to do is simply reboot the PC to erase all changes. Once restarted, your system will be restored to the original state, as if nothing ever happened!

    It can also create a partition on your drive to save things. You have a choice, if you don't have a second HD. I don't bother with the partition, just move anything I want to keep to my other drive.

    So far as I know, nothing has ever gotten through Sandboxie, but there's always that odd chance. I have Returnil on all day. If I'm going to a new never before visited site, I engage geswall on my browser since, I don't know, I just like it better than Sandboxie.

    Other than Returnil and geswall, I use a free antivirus and that's it on my computer. Also, bear in mind that anything you want to save has to go to the other Hard drive or to the partition, or it will be removed when you shut down or reboot.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    There is no magic bullet for unsecured wifi. But it's safe as long as you don't transmit anything vital, like passwords, etc. The problem is the man in the middle problem. You have to go VPN or a secured broadband network for that.
     
  6. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    Peter,

    Thanks for pointing out the interception possibility. There is a Cisco VPN concentrator where I work and we're expected to connect to it with Cisco's client any time we're accessing stuff on that network, presumably including to check E-mail. Unfortunately, it is my understanding that the client only routes traffic destined for their subnets through the tunnel and I'm on my own for everything else so I'll need to avoid logging in to anything I can't afford to lose.

    Or something like that. The world sure has changed in the eight years I've been out of the computer business...
     
  7. jfd15

    jfd15 Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    234
    Location:
    Sacramento, CA
    I use the Anchor Free hotspot shield (a VPN)... it's free but it puts a small ad at the top of the page...
     
  8. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Sandboxie would do nothing at all in addition to what it does when you are connected to an ethernet cable. Your main concerns are interception of traffic and remote attacks. I will keep this short since I have written this in a few threads in the past that I am too lazy to go search for right now.

    1) Get a good firewall to protect you from any inbound attacks and know how to set it to not allow any incoming connections when you are at a wireless access point.

    2) Try and use the https (secured) form of the websites you visit so the data cannot be stolen, and always be aware of MTM attacks, so if your browser warns you of an insecure certificate, don't allow the connection.

    3) Ideally, setting up a VPN/ssh connection to a remote pc that you trust and directing all of your traffic through there will be the most secure since you are encrypting all of your traffic and tunneling it to a trusted pc from which it will go unsecure to the internet. That means no stupid script kiddie will be stealing any of your data or even seeing the websites you are going to.

    Cheers,

    Alphalutra1
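
Added example (not part of the thread or any poster's own code): the split-tunnel behaviour Brent Hutto describes for his work VPN client, set beside the route-everything setup in point 3 above, modelled as the longest-prefix route selection an OS performs. The routing tables, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing tables; "wifi" and "vpn" are assumed interface names.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wifi"),        # default route: straight out the hotspot
    ("192.168.1.0/24", "wifi"),   # hotspot LAN
    ("10.20.0.0/16", "vpn"),      # only the employer's subnets use the tunnel
    ("172.16.5.0/24", "vpn"),
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "vpn"),         # default route moved into the tunnel
    ("192.168.1.0/24", "wifi"),   # hotspot LAN is still reached directly
    ("203.0.113.10/32", "wifi"),  # host route carrying the encrypted tunnel itself
]

# Constructed destinations: two internal hosts, one public site, the hotspot gateway.
DESTS = ["10.20.3.4", "172.16.5.9", "198.51.100.25", "192.168.1.1"]


def pick_interface(routes, dest):
    """Return the interface of the most specific route matching dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]


def exposed_destinations(routes, dests, tunnel="vpn"):
    """Destinations whose traffic leaves outside the tunnel interface."""
    return [d for d in dests if pick_interface(routes, d) != tunnel]


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "tunnel, outside the VPN:", exposed_destinations(table, DESTS))
```

With the split-tunnel table the public site goes out over the hotspot unprotected; with the full-tunnel table only the local hotspot LAN remains outside the VPN, which is why the inbound firewall in point 1 still matters.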
     
  9. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    jfd,

    Thanks for the pointer to AnchorFree. I'm posting this reply from a browser with the AnchorFree advert bar across the top of the page. Not too intrusive at all. It does seem to create a bit of a CPU load while in use but I guess that's no surprise given that the computer has to encrypt stuff in real time.

    Alphalutra1,

    I've read back through some of your old threads, although not comprehensively enough yet to parse the context of most of the discussions. But my own thinking before starting to look into this security mess was somewhat along the same lines as you propose.

    You seem to feel that a first-order vulnerability that receives highest priority is to avoid incoming-packet attacks that might exploit O/S holes. Hence, a properly configured incoming firewall is necessary but the one in my router will suffice when I'm at home. So the only task is to have something on the notebook that will serve the same purpose during the time I'm using public WiFi. Is that a correct summary and, if so, can my Windows Home Premium's built-in firewall be set up to provide this function adequately?

    Another point you make is that the outgoing firewall slash application control programs with all the pops and allow/disallow rules are a distraction that should not be necessary if one doesn't allow malware on one's system in the first place. The two things I most detest about simply installing a big security suite are the "firewall training" interruptions and the idea of spending $60, $70, $80 per year subscribing to something that operates in the background and is presumed to keep me safe. So I am very open to the suggestion that an outgoing firewall is unneeded under the right circumstances.

    So I am inclined to feel the same as you that "remote attacks" (i.e. the things an incoming firewall inspects packets in order to block) and especially "interception of traffic" (i.e. reading my mail, so to speak) are the paramount issues. If not the AnchorFree that I'm trying now then certainly some VPN solution is what I most depend on finding. With an incoming firewall (the Vista one if it suffices) and a VPN tunnel is there still any remaining value to a sandbox to limit the spread of any damage encountered during browsing?

    Thanks so much for your reply.
     
  10. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    929
    These free VPN tunnels are great for encrypting your data from a Wi-Fi hotspot. There are also some good paid ones, i.e., Steganos Internet Anonym.

    However, you have to have trust in the company that supplies the software as I am sure that they have the ability to decrypt your traffic. A dishonest employee might be able to get your data.
     
  11. jfd15

    jfd15 Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    234
    Location:
    Sacramento, CA

    thanks silver0066, good point...
     
  12. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    I think I mentioned earlier that I'll probably never get to the point of trusting enough to sit there and log into my credit card accounts while sitting in Panera Bread eating my sandwich. Anything "real world" like that can wait a few hours until I'm back home sitting behind a router on an Ethernet connection.

    Something like that Anchor VPN though is plenty trustworthy for me to participate in forums or maybe order up something on Amazon. And definitely good enough for keeping in touch by E-mail when I'm travelling (I use a dedicated "Brent On The Road" mailbox during vacation trips overseas) and that sort of thing. I guess the truly paranoid types could get a static IP from their ISP and set up a VPN concentrator on a Linux box at home and have end to end control. There once was a day when I would have thought that was a cool project in which to invest a couple weeks. Today is not that day!
     
  13. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,906
    As you logged in to your VPN, could you be key logged?
     
  14. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    I am not an expert but I'm almost positive that nothing you type while connecting to the VPN is sent over the unsecured TCP/IP link. The prompt I get with the Cisco VPN client they gave me at work is an entry for the client software that runs on my PC. I take it on faith that Cisco is not so silly as to turn around and toss it out there on the 'net unencrypted but then again never underestimate the stupidity of a computer company.

    As for the Anchor free VPN I don't believe I log into it per se but just run the client application and it connects. There is no per-user login, it's an advertising supported open service. Keep in mind the whole idea is to put the VPN client and a matching VPN server somewhere in touch with each other and let them talk back and forth in an encrypted stream. Any logging in and so forth takes place on the ends of that link, not in the clear.

    Or maybe I've got it all wrong. As I say, I'm no expert.
     
  15. jfd15

    jfd15 Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    234
    Location:
    Sacramento, CA
    just click the "anchor free" app from the start menu, it opens a new tab in firefox, click on a button there to start service and it takes a few seconds to authenticate and set a VPN IP address...then surf

    no keys to log
     