Security Sandboxes and Virtualization

The easiest way to take advantage of the new security sandbox technology is to upgrade your hardware and software. Not everyone can afford to do that. What other options are there if you want a security sandbox?  Sandboxing is closely related to virtualization: both put untrusted code behind a boundary it is not supposed to cross.  Running your risky activities inside a virtual machine is a good way to get some of the benefits of sandboxes without having to pay a premium for a new machine.

This recommendation comes with two disclaimers. First of all: virtual machines are not perfectly isolated (hypervisor bugs that let a guest reach the host do turn up), so if you decide to use them, you will still need to be vigilant and keep the hypervisor patched. Second: as Joanna Rutkowska has rightly pointed out in her blog, hosted hypervisors (like VMware Workstation) run on top of an ordinary operating system, so they are only as secure as that host: malware on the host can read the VM's memory and disk.  A more secure solution would be to use a bare-metal (Type 1) hypervisor, like VMware ESX/ESXi or Xen, that is installed directly onto the hardware.

My next PC will be a macho laptop (lots of RAM, CPU, and disk), with a bare-metal hypervisor like VMware ESX.  (When Qubes OS supports Windows guest OSes, that would be a great choice too!)  Then, I will install Windows or Linux as a guest operating system, and use that for my regular computing needs.  Swa Frantzen from the Internet Storm Center suggested this:

“That said, I think there’s an easier future for sophisticated users in running a number of virtual machines for their needs (e.g. one VM for online banking and nothing else, one for data storage and nothing else (using virtual networking to the other VMs as needed), one for browsing the internet, one for working on private documents, one for working on work related documents, one to act as a firewall, one to play games on, one to watch ???? on, … That’s something one can do today already, it’ll work and it’ll have as much hassle as you set for yourself.”

Below, I’ve put together some virtualization resources, categorized by operating system.

Microsoft Windows

  • Microsoft Windows 8 plus limiting yourself to buying programs from the Windows Store.  Store apps run inside Windows 8’s AppContainer sandbox, which is the whole point: a Store app is restricted in what it can touch on your machine.
  • Microsoft Hyper-V: if you are running Windows 8 Pro or Windows 8 Enterprise, you can run Hyper-V.
  • VMware Workstation: I use it.  It is awesome.  But it is a hosted hypervisor, so (as noted above) it is only as secure as the Windows host underneath it, and it is not as secure as Qubes OS.
  • Bromium: I haven’t tried this yet, but it sounds really interesting. If you try Bromium, let me know in the comments how it works for you!
  • Qubes OS: a desktop operating system built on the Xen bare-metal hypervisor, with significant security enhancements: each activity (banking, browsing, work, personal) runs in its own VM, and even the network stack lives in a VM of its own.  Qubes looks like the most secure architecture of all.  Here is a great article about Qubes and how it compares to other potential solutions. It looks like the Qubes OS team is adding Windows support in the near future.  Once that is accomplished, this will be the most secure alternative of all for running Windows VMs.  Joanna Rutkowska is the force behind this, and she knows what she is talking about.
  • Xen on a Linux host: less secure than Qubes OS (which is built on it), but it supports Microsoft Windows guests today.

Apple Mac OS X

  • Mac OS X Mountain Lion (10.8) plus limiting yourself to buying programs from the Mac App Store.  Apps sold there are required to run inside Apple’s App Sandbox, which limits what each app can touch.
  • VMware Fusion: VMware’s hosted hypervisor for Mac OS X.  In addition to the isolation a VM gives you, it also allows you to run Windows programs.  The author of the article linked above thinks Fusion is the best bet.
  • Parallels Desktop
  • VirtualBox

Linux and Unix

  • Solaris Containers
  • Qubes OS: see the description under Microsoft Windows above.  Its VMs are Linux-based today, so this is where Qubes fits best until the Windows guest support arrives.
  • Xen on a Linux host: see the Windows list above.

Java

Java’s security sandbox is getting a bad rap.  Java has had a security sandbox since version 1.0: applets run under a SecurityManager that decides which files, network connections and system resources untrusted code may touch.  It is not perfect, and a lot of people are trying to break it right now (the Java browser plugin is installed on an enormous number of machines, which makes it a very attractive target), but the developers of Java have done a lot of things right, and the sandbox has been part of the design since Java’s first release in 1995.  Give James Gosling of Sun Microsystems, the creator of Java, some kudos.  Thank you, James!

How to Use Facebook Securely

There’s a lot of routine activity on Facebook that I bet people would think twice about if they considered it from a security perspective:

  • How many times have you seen posts like, “I’m out at Starbucks getting my morning coffee and reading the paper…” Great!  All a burglar (or the NSA) needs to know is WHEN you are at Starbucks, so they can ransack your house, and carry off your computer with your top-secret documents.
  • If some creep thinks you’re cute, all they need is to know WHEN and WHERE you are so they can start stalking you.
  • What about when a prospective employer asks to see your Facebook profile, and starts looking at the pictures of you at that drunken party last night?  Oops.

How much information about yourself are you putting online? Whatever it is, it is probably too much.  What is safe to post? My daughter, a 20-something, uses two rules of thumb:

  1. She only posts about past events (things she’s already done); that way there’s no “where and when” information to tempt stalkers or robbers.
  2. She doesn’t post anything that she wouldn’t want her family, employers, and the kids she volunteers with to see.

I do have a Facebook account, but there’s not much on there (besides the photos that my daughter tags me in). That’s because I just don’t trust Facebook. Have you ever watched the movie “The Social Network”?  What an insight into the creation of Facebook.  Consider carefully:

  • How does Mark Zuckerberg choose Facebook’s first employees?  Remember the scene when they are having a race to break into a computer, drinking shots of alcohol, and the first hacker that breaks into the computer becomes an employee of Facebook?  That scene was terrifying to me!  You have the brightest hackers in the world (remember, this happened at Harvard), very knowledgeable, malicious enough to break into a computer, and THOSE are the people who are programming Facebook?  They are telling you that your Facebook account is secure?
  • Remember how Mark Zuckerberg treats Eduardo Saverin?  Eduardo Saverin is the guy that put up the money that Mark Zuckerberg needed to create Facebook.  Initially, Eduardo Saverin had a 34% ownership in Facebook, because he was the guy with the money.  Then, later in the movie, in a malicious deal, Mark Zuckerberg screws Eduardo Saverin out of his ownership share, and dilutes his Facebook ownership to 0.03%!!  Consider, if Mark Zuckerberg treats his FRIENDS like that, how is he going to treat YOU?  He doesn’t know you, and judging from past behavior, he probably doesn’t care very much about you, or the security of the personal information you enter into Facebook.

If Facebook says they are concerned with security, it is only because they are being forced to by some competition (Google+) and some bad publicity.  Facebook isn’t concerned about the security of your information. They are more interested in how to leverage the information you enter into Facebook to do some Targeted Advertising.

After all, Facebook makes its money by advertising.  That’s why, amongst my friends’ chatter, I am seeing come-on pictures of women whom I don’t know trying to sell me stuff.  These “saleswomen” used to be off to the side.  Now they are inline, in the middle of my friends’ chatter, where I have to glance at those ads.

Just remember, whatever you post out there in public will be viewable by many, many people (maybe millions of people) for a very long time, maybe for your entire lifetime.  And the vast majority of those people are not your “friends.”

To summarize, here are some pointers for using Facebook securely:

  1. If you want something to be private, don’t post it ANYWHERE on the Internet— and especially not on Facebook!
  2. If you must use Facebook, then only post about past events and stuff that’s not in any way incriminating.
  3. Don’t “friend” people who you’ve never met in person.
  4. Don’t assume only your “friends” will see your posts.  If there are any security weaknesses at all, your posts may become accessible to the entire Internet.
  5. If you have overly chatty friends on Facebook, refer them to this post.
  6. Don’t judge people by what you see online.  Online identity and real identity are two completely different things.
  7. If you want to meet someone you know only online, meet them at a public place surrounded by a lot of other people.


Targeted Advertising

Ever been interested in a certain product, and done some Google research about it?  Then, for days afterwards, whenever you go to a website, you see ads for that very same thing?  What a coincidence!  Well, actually, it is not a coincidence.  It is called targeted advertising.  Whenever you browse to a site, the site can tell your browser to store “cookies” on your computer.  These are not cookies you can eat (I know, what a bummer).  Browser “cookies” are small bits of information that your browser stores, based on instructions sent from the websites you visit, and sends back to the same site on every later request, so the site can recognize you.  That is how a site keeps you logged in, and it is also how the content gets tailored to you.  The tracking part comes from third-party cookies: an ad network’s server is embedded in thousands of unrelated sites, your browser sends that one server its cookie from every one of them, and the ad network stitches all of those visits (including the product you researched) into a single profile and follows you around the web with ads.  That is targeted advertising.

I’ve already discussed “unsolicited incoming packets.”  Once you have browsed to a website, that traffic is not “unsolicited” anymore, so your firewall won’t block it.  If some program (ANY program) on your computer initiates a connection to the Internet, the request (and the rest of the Internet “conversation”) is no longer “unsolicited”, and your firewall will not block the traffic.  The same goes for all the third-party ad servers referenced in the webpage you browsed to: you didn’t ask to go to the ad server, but your browser fetches from it anyway, because the page you did ask for references it.  What the ad server receives is what your browser sends with that request: the ad server’s own cookie, your IP address, your browser version, and (in the Referer header) the address of the page you were reading.  What it does not receive is the rest of your disk: a web page can only read content from its own origin (the browser’s same-origin policy), and a file on your computer is never the same origin as a web site.  I’m not sure of the security implication of this, with browser sandboxes and all, but after the earlier experiment with TOP_SECRET.html, I am nervous about it.
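Here is a small model of that exchange, added as an example (it is not code from the original post, and the publisher and tracker hostnames are made up).  One ad server is embedded on two unrelated sites, and its single cookie is what ties the visits together; switching on the model’s “block third-party cookies” setting shows what that browser option buys you.

```python
"""Constructed model of third-party cookie tracking: an ad server embedded on
unrelated sites, and a browser cookie jar with and without third-party
cookies blocked. Hostnames (publisher-a.example, ads.tracker.example) are
made up; this is an added example, not code from the original post."""

from urllib.parse import urlparse


class CookieJar:
    """Minimal cookie jar keyed by the host that set the cookie.

    With block_third_party=True, cookies are neither stored nor sent when the
    host receiving the request differs from the host of the page the user is
    viewing, which is roughly what a browser's "block third-party cookies"
    setting does.
    """

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self._cookies = {}  # host -> {name: value}

    def _blocked(self, request_host, top_level_host):
        return self.block_third_party and request_host != top_level_host

    def store(self, request_host, top_level_host, name, value):
        if self._blocked(request_host, top_level_host):
            return False
        self._cookies.setdefault(request_host, {})[name] = value
        return True

    def cookies_for(self, request_host, top_level_host):
        if self._blocked(request_host, top_level_host):
            return {}
        return dict(self._cookies.get(request_host, {}))


class AdServer:
    """Toy tracker: hands out an id cookie on first contact and records, per id,
    the pages (sent as the Referer) on which its ad was loaded."""

    def __init__(self, host):
        self.host = host
        self._next_id = 1
        self.profiles = {}  # tracking id -> list of pages where the ad was shown

    def handle(self, cookies, referer):
        tid = cookies.get("uid")
        set_cookie = None
        if tid is None:
            tid = f"u{self._next_id}"
            self._next_id += 1
            set_cookie = ("uid", tid)
        self.profiles.setdefault(tid, []).append(referer)
        return set_cookie


def browse(jar, tracker, page_url):
    """Load a page that embeds the tracker's ad. The page itself is a first-party
    request; the ad is a request to tracker.host that carries tracker.host's
    cookies and the page URL as Referer."""
    top_host = urlparse(page_url).hostname
    sent = jar.cookies_for(tracker.host, top_host)
    set_cookie = tracker.handle(sent, page_url)
    if set_cookie is not None:
        jar.store(tracker.host, top_host, *set_cookie)


def simulate(block_third_party):
    """Visit three pages on two unrelated sites; return what the tracker learned."""
    tracker = AdServer("ads.tracker.example")
    jar = CookieJar(block_third_party=block_third_party)
    for url in ("https://publisher-a.example/news",
                "https://publisher-b.example/recipes/scones",
                "https://publisher-a.example/sports"):
        browse(jar, tracker, url)
    return tracker.profiles


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed, the tracker ends up with one profile (“u1”) listing all three pages, the scone recipe included.  With them blocked, it still sees each visit and your IP address (the request is still made), but every visit looks like a new, anonymous person, so nothing links them.  An ad blocker goes one step further by not sending the request at all.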

The New York Times has a good article about this called “Resisting the Online Tracking Programs.”  It points to another article titled “Removing and Blocking Ad Cookies, Browser by Browser.”  I recommend that you review these two articles and implement some (or all) of their suggestions. Make sure your browser is also configured securely.

One method I just tried is to install AdBlock Plus (https://adblockplus.org/en/internet-explorer).  It works by blocking the requests to known ad and tracking servers before they are sent, so the trackers’ cookies never get set or sent in the first place.  I sure hope it works.  I’m keeping my fingers crossed…

How to Strengthen Your Passwords

Don’t use the same password for everything. If a hacker penetrates one website and discovers your password, they will try the same e-mail address and password on other sites (like your bank’s website); this is routine enough that it has a name, “credential stuffing”.  If it works, the hacker could get rich quick and you would be out of luck.

So, how should you deal with passwords? Download KeePass. Use it to generate a DIFFERENT random password for each new website where you need to have an account.  Here is a sample randomly-generated password: Y1TbnleYT6vYjXUJZmb6

You ask: How in the heck am I supposed to remember that?  You don’t have to.  All you have to remember is one master password for your KeePass file.  Here are some strategies for making a password that you can remember.  Don’t use any of these common passwords. Hint: “password” is not a good password.  🙂

Note: hackers have a funny way of spelling words.  It is called Leet (writing “password” as “p@55w0rd”, for example). Some people use Leet spellings as passwords.  If you are doing that, it is not as strong as you think, because password-cracking tools apply those same substitutions automatically to every word in their dictionary: the Leet spelling only multiplies the attacker’s work by a small factor. 🙂

If you have already used the same password for lots of different websites, here is something you could do:

  1. Have your credit card company issue you a new credit card, with a new number (if the old password was compromised, a card number saved on any site that used that password may be compromised too).
  2. Use KeePass to generate a new password for each of your favorite websites, store the new passwords in KeePass, and update the password at the website.
  3. After you have updated the website password, you can safely enter your new credit card number.
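To put numbers on the advice above, here is an added example (not code from the original post, and not KeePass’s own generator) that produces a random password the way a password manager does and compares its strength with a Leet-spelled dictionary word.  The LEET substitution table and the 100,000-word dictionary size are illustrative assumptions.

```python
"""Added example (not code from the original post): generate a KeePass-style
random password and compare it with a leet-spelled dictionary word. The LEET
table and the 100,000-word dictionary size are illustrative assumptions."""

import itertools
import math
import secrets
import string

# Letters and digits, the kind of character set a password manager's generator offers.
ALPHABET = string.ascii_letters + string.digits

# Substitutions of the kind password-cracking rule sets apply to every
# dictionary word (assumed, illustrative; real rule sets are larger).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def generate_password(length=20, alphabet=ALPHABET):
    """Cryptographically random password. Note secrets.choice, never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def leet_variants(word):
    """Every spelling reachable by independently leet-substituting each letter of `word`."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    return ["".join(combo) for combo in itertools.product(*options)]


def leet_bits(word, dictionary_size=100_000):
    """Strength of a leet-spelled dictionary word against an attacker who tries
    every dictionary word in every leet spelling: log2(words * variants)."""
    return math.log2(dictionary_size * len(leet_variants(word)))


if __name__ == "__main__":
    print("generated:", generate_password())
    print(f"20 random chars from {len(ALPHABET)} symbols: "
          f"{random_password_bits(20, len(ALPHABET)):.1f} bits")
    print(f"'password' has {len(leet_variants('password'))} leet spellings: "
          f"about {leet_bits('password'):.1f} bits")
```

The 20-character sample password above, drawn from 62 symbols, is worth about 119 bits; “password” in all 54 of its Leet spellings, against a 100,000-word dictionary, is worth about 22 bits.  The master password for your KeePass file is the one you must be able to remember, so make that one a long passphrase rather than a Leet-spelled word.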

Finally, a note from my daughter Julia, who has a different strategy for password security. It’s not as strong as KeePass, but it’s a step in the right direction if you’re currently using the same password for everything:

“I don’t store ANY of my passwords electronically. Instead, I’ve memorized a handful of passwords and assigned them each a “sensitivity category.” When I make a new user account, I think: how sensitive will the information in this account be? Then, I choose the password from the corresponding sensitivity category. So, websites with similar amounts of personal information have the same passwords. (For example, my Pandora and Pinterest passwords are the same.) That way, if hackers discover one of my passwords and plug it in everywhere, they won’t find much that they don’t already know. My exception to this rule is banks. Each bank has a different password and the only place they are written down is on a nondescript, physical piece of paper which is hidden. I figure that the risk of someone physically stealing my passwords is WAY smaller than the risk of me getting hacked.”


How to Make Your Browser More Secure

Indulge me in a little test. Create a text file on your PC.  Copy and paste this into it:

<html>
<body>
<br>My secret plans to become the next billionaire.
<br>My secret recipe for killer scones to sell to Starbucks.
<br>My password to all my websites.
</body>
</html>

Save the file with the name “TOP_SECRET.html”. Now, open your browser, and browse to the file (File => Open => Browse => (select your TOP_SECRET.html file) => Click: OK). What do you see?

My secret plans to become the next billionaire.

My secret recipe for killer scones to sell to Starbucks.

My password to all my websites.

So, your browser can read any file on your computer that you can.  Okay…  should you care?  YES.  The browser runs with your privileges, and it spends its day executing code sent by strangers, so browser security is very important.  What is supposed to keep a malicious page from doing what you just did is the browser’s security model: the same-origin policy keeps a page from reading other sites’ data (and your local files), and some newer browsers add a security sandbox on top of that, so that even a bug in the page-rendering code doesn’t hand the attacker your files.  Yippee!  (Security sandboxes are for geeks what real sandboxes are for children: a cause for high excitement.)
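The rule that separates “you opened the file” from “a web page read the file” is the same-origin policy.  The following is an added example (not code from the original post) that models that rule: two URLs share an origin only if scheme, host and port all match, and a file: URL is treated as an opaque origin that nothing else matches (that treatment follows Chrome; the hostnames are made up).

```python
"""Added example, not code from the original post: a model of the browser's
same-origin rule, which is what is supposed to keep a web page from reading
TOP_SECRET.html even though the browser itself can open it. Hostnames are
made up; the treatment of file: URLs as opaque origins follows Chrome."""

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Origin of a URL as (scheme, host, port), or None for an opaque origin.

    file: URLs are modelled as opaque: nothing, not even another local file,
    counts as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


def may_read(page_url, target_url):
    """May script running in the page at `page_url` read the content of `target_url`?
    (Embedding an image or an ad from another origin is allowed; reading it is not.)"""
    page, target = origin(page_url), origin(target_url)
    return page is not None and page == target


def report(page_url, targets):
    """Decide may_read for each target; returns {target_url: allowed}."""
    return {t: may_read(page_url, t) for t in targets}


if __name__ == "__main__":
    secret = "file:///C:/Users/me/Documents/TOP_SECRET.html"
    decisions = report("https://ads.tracker.example/banner", [
        secret,
        "https://ads.tracker.example:443/profile",
        "http://ads.tracker.example/profile",
        "https://bank.example/accounts",
    ])
    for target, allowed in decisions.items():
        print(("allowed" if allowed else "blocked").ljust(8), target)
```

Typing the file’s address into the address bar is your request, not a page’s, so no origin check applies and the file opens; a script on an ad server’s page asking for the same address is refused.  That is the difference the TOP_SECRET.html test does not show.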

For Windows, IE10 now has “Enhanced Protected Mode.”  If you’re running Windows 7 or Windows 8, I would recommend that you install IE10, and activate Enhanced Protected Mode.

Why isn’t this activated AUTOMATICALLY?  I’m glad that Microsoft made the new security feature, but it’s annoying that I have to go into my browser options and click the checkboxes. More than that, it makes me worry that other people won’t take the time to do the same, and their browsers won’t be secure.

After activating Enhanced Protected Mode, I tried to access my TOP_SECRET.html file.  It still worked. I didn’t expect that.  That is by design: the sandbox restricts what web content can do on its own, not what you do on purpose.  When you open a file yourself, the browser’s trusted part grants that access; the question the sandbox answers is whether a malicious page could read the file without you, and the test above doesn’t exercise that.  What Enhanced Protected Mode does bring to the table is blocking some content: now I can’t open PDF files anymore, most likely because add-ons that haven’t been updated to run inside the sandbox are disabled.  Lovely.

Unfortunately, IE10 is only available if you are running Windows 7 or Windows 8.  It is not available for Windows XP or Windows Vista.  So, what about IE9?  Well, it’s already been hacked.  IE9’s older but similar feature, Protected Mode, isn’t quite as secure.  A really telling quote from the article linked above: “Bekrar quickly added that Protected Mode in the beta version of IE 10 running on Windows 8 is close to gaining parity with the current Chrome sandbox.”

What’s this about Chrome?  Give Google some huge kudos for Chrome’s security.  Now, you have to take this study with a grain of salt, because Google paid for the research, but the details are very telling.  Since reading this, I have uninstalled Firefox from my computers, and installed Chrome instead.  Chrome still doesn’t protect your TOP_SECRET.html file from you: you can still browse to “file:///C:/Users/{your username}/Documents/TOP_SECRET.html” and see your secret plan to become the next billionaire.  What the sandbox is for is keeping a web page that exploits a bug in the renderer from doing the same without you.  At least Chrome security is heading in the right direction.  But, like anything in the security world, you can’t rest on your laurels.  The Chrome sandbox has also been broken.

Note: the US CERT has a good article about browser configuration.  It’s a little old, but some of the information is still applicable.  CERT needs to update this article, or at least point users to their updated browser configuration docs.

For Mac OS X, the newer versions of Safari also have a sandbox.  The sandbox was implemented with Safari 5.1, so if you can update Safari to at least version 5.1, that will help.  If you can’t, it would be better to run Chrome.  There is a version of Chrome for the Mac, so download that, install it, and run it.

What to do:

a)      For Windows: upgrade to Windows 7 or 8.  Install IE 10, and activate Enhanced Protected Mode. If you really CAN’T upgrade to Windows 7 or 8, at least start using Chrome instead of IE or Firefox.

b)      For Mac OS X: update to Safari 5.1 or later, or use Chrome.

c)       If you have top secret data, the only 100% guaranteed way to keep it private is to disconnect it from the internet. 

d)       If you’re using a newer version of Internet Explorer, you also need to disable proxy autodetection (WPAD).  With autodetection on, a rogue machine on the same network can answer the browser’s “where is my proxy?” request and route your traffic through itself.

e)       Learn more about targeted advertising and disable third-party cookies.  (Disabling all cookies will log you out of every site you use; it is the third-party ad cookies you want gone.)

A GREAT Book on Security

A while ago, there was something called the Trusted Computing initiative.  Here is its marketing message. Sounds great, right?  I think the truth is probably closer to these Trusted Computing FAQs.  Just to make matters more confusing, there is also a Trustworthy Computing initiative.  According to Wikipedia, “More recently, Microsoft has adopted the term Trustworthy Computing as the title of a company initiative to improve public trust in its own commercial offerings.”

So, who wrote this information about the Trusted Computing initiative?  His name is Ross Anderson.  Ross Anderson is an AMAZING guy.  Talk about a knight in shining armor.  He has written a comprehensive, detailed book called Security Engineering.  I read it, and learned SO MUCH about computer security.  I wish all the software developers in the world would read it and adopt the things Ross writes about.  If you want to know more about computer security, buy the 2nd edition, and give this guy some returns on the incredible effort he went to to write and publish this.  Here are a few selected reviews:

‘I’m incredibly impressed that one person could produce such a thorough coverage. Moreover, you make the stuff easy and enjoyable to read. I find it just as entertaining — and far more useful — than novels (and my normal science fiction). When I first got it in the mail, I said to myself “I’m never going to read all of that.” But once I started reading I just kept going and going. Fantastic: well done. Now, let’s hope that all those in charge of security for information technology will also read the book and heed the lessons.’
Don Norman

‘The book that you MUST READ RIGHT NOW is the second edition of Ross Anderson’s Security Engineering book. Ross did a complete pass on his classic tome and somehow made it even better…’
Gary McGraw

‘It’s beautiful. This is the best book on the topic there is’
Bruce Schneier


How to Opt Out of Junk Mail

Data marketers have lots of data about you.  Acxiom’s latest ploy is to show you what data they already have on you.  I checked at https://aboutthedata.com/portal.  It really wasn’t that interesting, and much of it was wrong.  The Acxiom website allows you to correct the information that is wrong.  You can do that, if you want them to have better data on you.  At least they aren’t offering downloads to scour my computer for anything they find interesting (e.g. everything).

One reader suggested going to some opt-out sites.  Good idea.  Here are some ways to opt out:

  1. For telemarketing in the U.S., there is the National Do Not Call Registry.
  2. For E-mail marketing, it looks like your best bet is a spam filter.
  3. For junk mail, here are some websites where you can opt out:

If you opt out, you won’t get so much junk mail.  Save a tree!  Better yet, plant a tree.

How to Download Software Safely

There is no such thing as free. “Free” software, music, video, and toolbar downloads are some of the most common culprits for malware infection.

If you want to run software on your computer, you have to trust the software vendor not to do anything stupid, malicious, or sneaky on your computer.  Most software vendors are trustworthy, and while they might engage in a little extra data collection, they are probably not going to do anything really malicious.  But there is really no way to know for sure what a program does.  For example: do you know what files your program is accessing on your computer?  Do you know what sites your program is accessing on the Internet?  If you’re like most people, the answer is no.  You don’t know, and I don’t know.  So, I really don’t know what programs are doing with my personal data.  You can experiment and explore with a few free tools (Wireshark shows you the network traffic a program generates, and TCPView shows you which programs hold which connections), but most of this information still eludes me.

(I know.  I’m recommending you not download suspicious software, but I download and install some security software anyway.  I guess I’m not as vigilant as I should be.)

Unless you are blocking a program’s access to the Internet, you really don’t know what it is doing with your data.  There are software firewalls that can help control a program’s access to the Internet.  One that I use is Zone Alarm.  Your Internet Security Suite probably has a software firewall too.  Perhaps it can block a program’s access to the Internet.

I guess I would consider the motivation of the developers.  If you’re buying software, the motivation is pretty clear; you are paying the company money in exchange for a useful program.  But, what about free downloads?  What is the motivation of the people who have developed that software?  It’s not always very obvious.  If it is an expiring demo, you’re probably OK.  They want to sell you the software, and are willing to let you try it for free before you buy it.  That’s pretty nice.  If the download is just free, and you can’t see why, I would wonder about the motivation, and be hesitant to download and install it.

Once again, if you really want something to remain private, you can encrypt the information, or just unplug the computer from the network.

What to do:

a)      If you can afford it, upgrade to get the new security sandbox technology.

b)      If not, at least buy software that you need from legitimate sources.  That way, you’re more certain about their motivation (they want your dollars, and you’re paying for their software outright).

c)       Beware of programs you can download where the motivation isn’t clear.  If you’re not paying the developers directly, you have to wonder “What’s in it for them?”  Will they secretly be trying to perform identity theft or fraud?  Not sure, but I would certainly be cautious.

d)      Ask software vendors what information they access on your computer.  It will probably be buried somewhere in the microscopic, legalese print in the End-User License Agreement (EULA). That’s the annoying box you have to click through to install the software, where you accidentally agreed to sell your first-born child into slave labor for the next 25 years.  Yes, that one.  JUST KIDDING. But seriously: I don’t know about you, but I don’t read the EULAs, so I don’t know what I’m agreeing to.  Yikes!

e)       Be suspicious of online software delivery

f)       Run software that works within your security sandbox

g)       Uninstall software you don’t use

Security Concerns with Quicken

Suppose you run Quicken.  You enter your checkbook balance, and some checks that haven’t cleared the bank.  Then, you enter the password for your online account at the bank, and download your checking account history and/or your credit card history.

Now that you have synchronized your computer with your bank, Intuit (the makers of Quicken) could access all of that financial data too, if they wanted to.  Explanation: to display the data on the screen, Quicken has to be able to access the data.  To check for updates, Quicken has to access the Internet.  Would Quicken send any of my financial data across the Internet?  Apparently, more than one person has worried about that, so Intuit has written an answer, and posted it on their web site:

When Quicken does a software update, is it really doing an update, or is it stealing my financial info?

Another potential issue with Quicken is password vulnerabilities.  Note: this article is old (2002), and the issues may have already been fixed by Intuit.  Still, it shows that there is nothing magic about Quicken data protection, and that smart, determined people may figure out a way to extract your financial data from a Quicken data file.

Is Your Personal Financial Information Safe? Practical Lessons in Quicken Password Vulnerabilities

It is interesting food for thought.

What to do:

a)      If you don’t want anyone else accessing your financial data, put Quicken on a computer that doesn’t connect to the Internet.

b)      If you want to do banking over the Internet, it would be good to review the section about security sandboxes and weigh the risks.  All your programs run with your privileges, so all of them can access your Quicken data.  If you are careful to get software from reputable sources, you have less risk.  If not, I would NOT recommend doing banking over the Internet, and I would keep Quicken on a computer that doesn’t connect to the Internet.

Be Suspicious of Online Software Delivery

If you download software from the Internet, it is possible that the downloads have been tampered with by someone malicious.  Very unlikely, but it is possible.  Every once in a while, I hear a news report about some site being hacked, and the software on the site is now suspected of being tampered with.

Well, there are ways you can check the integrity of your downloads, and it is a good idea to do so.  For people who are security conscious, it is common to do.  Here are some articles about it:

http://searchsecurity.techtarget.com/tip/How-to-detect-software-tampering

http://lifehacker.com/247262/how-to-use-md5-sums-to-verify-downloaded-files
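Here is what that check looks like in practice, as an added example (not code from the original post or from the articles above): compute the digest of a downloaded file and compare it with the value the vendor published.  The sample installer and its hash are constructed inside the script so it runs offline; MD5 is accepted only because the articles discuss it.

```python
"""Added example, not code from the original post or the linked articles:
verify a downloaded file against the checksum a vendor publishes. The sample
installer and its hash are constructed here so the script runs offline."""

import hashlib
import hmac
import tempfile
from pathlib import Path

# Algorithms vendors publish. MD5 is accepted because the articles above discuss
# it, but it is collision-broken: prefer SHA-256 (or a signature) when offered.
SUPPORTED = ("sha256", "sha1", "md5")
CHUNK = 1 << 20


def digest_bytes(data, algo="sha256"):
    """Hex digest of an in-memory byte string."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algo}")
    return hashlib.new(algo, data).hexdigest()


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so a large installer need not fit in memory."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algo}")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """One line of a SHA256SUMS / md5sum-style file: '<hex>  <filename>' (a '*'
    before the name marks binary mode); returns (hex, filename)."""
    digest, _, name = line.strip().partition(" ")
    return digest.lower(), name.strip().lstrip("*")


def verify_download(path, expected_hex, algo="sha256"):
    """True only if the file's digest equals the published value."""
    actual = file_digest(path, algo)
    # compare_digest is constant-time; unnecessary for a local checksum, but a good habit.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo():
    """Constructed run: a fake installer checked against the right hash and a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "setup.exe"
        installer.write_bytes(b"constructed installer bytes, not a real program\n")
        published = f"{file_digest(installer)}  setup.exe"   # what the vendor would post
        good_hex, _ = parse_checksum_line(published)
        tampered_hex = ("0" if good_hex[0] != "0" else "1") + good_hex[1:]
        return verify_download(installer, good_hex), verify_download(installer, tampered_hex)


if __name__ == "__main__":
    print("sha256 of 'abc':", digest_bytes(b"abc"))
    print("good, tampered =", demo())
```

A matching checksum proves the file you have is the file the vendor hashed; it does not prove the vendor’s server was not broken into, since whoever replaced the download on the site can replace the checksum on the same page.  A digital signature checked against a key you obtained some other way is the stronger check when the vendor offers one.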


What to do:

a)      If you buy and download software over the Internet, ask your software vendor how to verify the integrity of the download.

b)      For geeks: read about how checksums (MD5 in the article above, SHA-256 where the vendor offers it) can help you verify your software downloads.  Two caveats: MD5 is no longer collision-resistant, so prefer SHA-256 or a digital signature when you have the choice; and a checksum published on the same web page as the download only proves the file arrived intact, since anyone who replaced the download can replace the checksum too.
