- From: bogus <bogus@xxxxxxxxx>
- Date: Mon, 09 Jun 2008 12:11:43 -0400
I try to stay as protected as I can, practicing safe hex, disabling unnecessary network services, running (whenever it's not too cumbersome) from unprivileged accounts, automatic windows updates, etc. but I've not enough technical expertise to be aware of the degree of exposure of my machine.
Though there may be some statistic somewhere, I don't think it (degree
of exposure) can be known for individuals, or even "experts" - as the
environment is always changing.
I've just taken the advice I've read so far in this newsgroup and patched my box accordingly but
Home users seem to use three basic approaches to computer security:
1. "The Distribution (e.g. Gentoo Linux) or manufacturer (e.g. Dell)
have probably set it up pretty well, and the user shouldn't waste time
or energy fooling with it." If it breaks, get a new one. (OpenBSD may
actually achieve this goal - though for a low-risk home user)
2. "Do what others do." This results in the bi-monthly question, "which
is the best firewall" and "which is the best AV/AT". The hope here
is that a "magic bullet" will block attack vectors, or find and "cure"
infections after the fact. Little real understanding; lots of verbal
flame wars result when boys argue about their favorite toys.
3. "Do an informed risk assessment and establish reasonable (cost
effective, user tolerable) precautions and procedures". Very few home
users are able and inclined to do this, so most default to 1 or 2.
what's worrying me is the spreading of
malware in unexpected places, safe sites, pdf files..
And item 3 above is the way to approach this situation if you do
important stuff with your box. Sadly, I'm not knowledgeable enough to do
a proper risk assessment/cost-effective response - but given my huge
potential loss and a personal willingness to muck about the box, I've
invested heavily in the things listed below.
What can I do, preemptively? while containing the loss of usability to the minimum?
Number 3 above. e.g. if all you do is check your mail and google news,
your exposure and potential loss is minimal. If you have important
sensitive info. on board, then you need to go beyond the basic, free
things that follow: :-) :
1. Safe Hex.
This means different things to different people, but broadly means using
safe tools (Check out SANS...e.g. Opera or FireFox; TBird), used in a
safe manner (e.g. all active content disabled; all plugins disabled by
default; text email only; etc.) (e.g. don't go to dodgey places; don't
download anything without checking source, pgp verification, etc.).
There are whole pages dedicated to defining basic "safe hex".
2. Well-lubricated, frequently exercised backup and restoration regime.
Today's Trojans and Rooted malware is designed by professionals. At the
first hint of actual infection (not just a malevolent script or vector
blocked in a cache), a high-risk (e.g. online banking) user should be
able to reformat, build from scratch, and restore his box in an afternoon.
3. Use native OS tools to their full benefit.
e.g. least privilege. This is extremely important, and you're already
doing it. (There is a proggie called something like "runasadmin" which
can take a windows box already "oriented" toward a privileged user and
drop his privileges for the session. Sounds like you don't need this,
e.g. Many users. This is now easy to do on Windows, as well as 'IX. On
my box, for example, there are users "firefox", "tbird", "ooffice",
"wireshark", etc. I have further configured (not a default on most Linux
distributions) the box so that user firefox can not read, for example,
documents owned by e.g. user TaxAct. So if something is compromised, it
is contained by native access controls.
e.g. Encryption. Keep sensitive onboard data away from thieves who may
physically take your box, or Trojan/keyloggers which may exist for a
while before being detected (lots of different, dedicated, encrypted
files/containers. e.g. If you never decrypted your tax records during
that period of infection, the Trojan will not have gained that info.)
e.g. Many, many other OS features (firewalls, hash validation, etc.):
4. Application Isolation.
I'm a big fan of this (you called it sandboxes). Applications are
already isolated with individual, unprivileged access rules - this goes
to the next step and virtually isolates them physically.
A PITA to understand and set up (non-geeks should get the assistance of
the kid next door, or their local computer shop), easy to maintain and
use once it is understood. Obviously, you should spend some time and do
it yourself :-) .
5. Add-on Tools.
......Sigh...Now we get to AV/AT signature/heuristic scanning,
IDS/IPS, Integrity management inventories, Anti-spoofing DNS tools,
multi-function "replacements" (e.g. firewalls with intrusion signatures,
automated connection blocking, application hashing, etc.)
It is easy to sell/buy a "golden bullet" - a security suite which absolves the user from thinking about what he does, or how he's configured his box. And that is what most users choose.
But which ones? Sadly, "Do what others do" usually means getting some popular, past-its-prime anti-malware (e.g. Norton, Mcafee, AVG, etc.) and some popular firewall-of-the-month.
Sandboxing seems just natural but I've also read mixed
opinions, so I was not sure of the tool..
IMHO it is a powerful, important natural in a world of emerging threats.
Comforting and reassuring when you are purposefully or unknowingly
exposed to the "dark side" through a hidden frame, or poisoned DNS
server, or buffer-overflowing media file, or ......... :-)
- Re: Sandboxing?
- From: userID
- Re: Sandboxing?