Bulletproof browser


Guest Lester Weevils

So I got a bad trojan somehow the other day on the Win7 PC I program on. I only visit a few sites plus search links, have all browser bells'n'whistles turned off, and keep the antivirus and firewall up to date. It looks like something managed to come thru, maybe on JavaScript in an ad on some random 'patriotic' website or whatever. However it came in, it managed to find its way out of the sandbox and mess up the PC real well.

Think I've killed it off without installing from scratch after a couple days running lots of scanners. But ain't gonna use a work computer for internet any more. Takes several days to install from scratch and it ain't worth the risk.

Been trying to figure the best dedicated 'indestructible' browser. Something not easy to infect and easy to revert to a clean slate if it does get corrupted.

Been playing with my Motorola Xoom to see if it would work. Maybe with a Bluetooth keyboard, or maybe too buggy even with a keyboard. Not that Android 4.x is incredibly buggy, but it only takes a couple of bugs to drive you nuts. If it got hacked I think it could be fixed just by a hard reset.

Something I've played with in the past is running a browser in a virtual machine. That way if a VM gets corrupted, just delete the file and run a fresh duplicate. Some have even made a Linux browser system burned to optical disc. Thataway the OS can never get permanently corrupted. But tech changes too fast and it would be annoying to keep a non-writeable virtual browser up to date.

In addition, am beginning to wonder if a virtual machine is bulletproof enough, or whether some hacker might be able to escape the sandbox and get to the host machine if it's running on a work computer.

So some kind of easy-to-reset sacrificial computer seems maybe the best option. Just need to decide what. A little bare bones win doze or Mac install maybe. A shoebox puter or laptop. Even a bare bones Mac install takes a while to reload from backup, and reloading a win machine from backup you so often have to call some MS employee in India for permission to keep using the puter. Ubuntu would be tempting but I don't know enough Linux and don't want to turn it into a science project. Every time I've installed Ubuntu into a VM, it was tearing hair getting the thing updated. Too much to learn just to browse the web.


Are you talking about a dedicated browsing physical machine? Not sure what version of Ubuntu you tried, but the latest few have come a long way and the updates and everything else are real simple. I run Kubuntu because I like KDE better than GNOME. Oracle's VirtualBox is great for VMs if you need to do Windows stuff.

Edited by sigmtnman

If you can make the switch to Mac I highly recommend it. It's not perfect, but it's still a ton better than Windows to me. I do use Sophos antivirus and OpenDNS/DNSCrypt, so I am not a head-in-the-sand Mac user. You could set up a Hackintosh for pretty cheap if you don't want to switch to Mac hardware; that would make a great dedicated browsing machine. iPad is another great option, I hardly get on my computer anymore since I got one.

For Windows I think Chrome is the best browser with OpenDNS setup on the network.


When I think all is lost I just do a restore back a few days. Generally takes care of the problem. As a matter of fact, if I can't fix it within a few boots I do a restore.

Dolomite

This too. If you don't have an incremental backup system in place, do it immediately. Especially on a Windows PC. I love Time Machine on my Mac and Parallels for VMs if I want to use Windows for more risky browsing (not porn, I torrented some old games that I used to own).

Guest Lester Weevils

When I think all is lost I just do a restore back a few days. Generally takes care of the problem. As a matter of fact, if I can't fix it within a few boots I do a restore.

Thanks Dolomite. I don't often get malware but am paranoid on the issue. This one just popped up "out of nowhere" while reading right wing web pages. Some of the right wing blogs make money with wall-to-wall ads advertising everything from Preparation H to Obama, so a guess might be that one of the ads had a well-crafted payload, but maybe it had been lurking a long time and just decided to become visible the other day. Some of them can rewrite the boot sector or patch the disk driver. I'm using a native RAID driver so maybe the driver hasn't been patched, but don't have time to study such things. I have the antivirus program set up to daily update and daily full scan all files, so if the malware has been there a while it is pretty sneaky anyway.

Ran the winders repair disc and over-wrote the drivers and rolled back before the last update, which cleared the inability to boot. Before that, it was booting into a blackmail screen instructing me to go get money on a cash card and contact them for further instructions to deliver them the money so I can get the computer back. Geez. Maybe I could get 'em to fly in from Russia to pick up the money so I could pay 'em in lead.

Running one AV scan located one malware file after I could boot back to safe mode. Then running another AV scan found two more malware files. Then subsequent scans came back clean, but it "real time" blocked and deleted a piece of malware this afternoon before the file could take over the puter, so possibly there is something wedged down deep spawning the stuff. In which case I'll have to low-level format and reinstall from scratch, which only takes a few days, no big annoyance at all. :)

I'll just disconnect the machine from the internet and just use it for programming, and run full scans repeatedly for a while to see if malware keeps "coming out of the woodwork". In which case will reformat and start from scratch.

Are you talking about a dedicated browsing physical machine? Not sure what version of Ubuntu you tried, but the latest few have come a long way and the updates and everything else are real simple. I run Kubuntu because I like KDE better than GNOME. Oracle's VirtualBox is great for VMs if you need to do Windows stuff.

Thanks sigmtnman. Dunno hardware or software. I've downloaded some pre-made Ubuntu VMs but not lately. Maybe they are better. Every time, I'd run the VM, and then run the updater, which would download a bunch of files that I was supposed to install with the Linux console. Which would be fine if I knew more than the crudest basics of Unix command line operation. I don't mind learning stuff, but if that's the only reason I need to learn it, then the easiest thing to do is not use Ubuntu. Problem solved. :)

Leaning toward a dedicated sacrificial bait machine for browsing. Am beginning to think hackers are too smart to trust a VM. Remember a while ago when there was some kind of security issue on TGO for a couple of days? I tried running a "disposable" Ubuntu VM to browse TGO when it was unsafe, to try out the concept. After a few hours, the Ubuntu firewall alerted that something was trying to tunnel out thru the virtual ethernet ports. So it might be false confidence to think a hacker can be kept off the host machine and isolated in the VM if he's smart enough.

If you can make the switch to Mac I highly recommend it. It's not perfect, but it's still a ton better than Windows to me. I do use Sophos antivirus and OpenDNS/DNSCrypt, so I am not a head-in-the-sand Mac user. You could set up a Hackintosh for pretty cheap if you don't want to switch to Mac hardware; that would make a great dedicated browsing machine. iPad is another great option, I hardly get on my computer anymore since I got one.

For Windows I think Chrome is the best browser with OpenDNS setup on the network.

Thanks Romad7. I program Mac and winders but don't think I'm gonna program Mac any more because it drives me too crazy. Not well enough documented nowadays and they change everything too often. It's too much hassle. Got a Mac Pro which also runs a VMware Fusion Vista Ultimate install with the PC programming tools. Have a MacBook that also runs an XP Fusion install. Last few years the MacBook is the dedicated Quicken and TurboTax machine. It is usually turned off, and never gets hooked up to internet except short sessions to run updates and occasionally do 5 minute sign-ons to check bank balances and such. That is my attempt at shielding any financial info. None of the other puters have any kind of financial info on them to steal, and the MacBook is so rarely exposed to the internet I hope it is a low-profile target.

I got that Motorola Xoom last year to play with it, and it's ok but had sat un-used for months. The Android 4.x is pretty good but I need to test it with a Bluetooth keyboard and mouse. Definitely can't use it for forum posts without a keyboard. Took forever to compose a couple of forum messages on the stupid thing. The Android 4.x updates it installed when I drug it out a couple of days ago added the ability to turn off most of Google's big brother tracking features. Or at least there are controls you can click on which pretend to turn off big bro Google. Maybe they are just dummy controls to make paranoid people feel better about Google tracking everything you do while operating a computer running their OS and apps. :) Is it paranoid if a person puts little bits of masking tape over all his laptop and phone cameras? :) At least I haven't desoldered the built-in mics yet, so maybe there is hope.

There are all kinds of little Unix-capable tiny puters that will run off an SDRAM OS and such. Or maybe another MacBook or small winders laptop. I generally prefer winders, Bill Gates being the least hostile big brother in my perception, and when it is working I like winders better than Mac, in general. I've only been using/programming Macs since 1986, and until about 1997 was convinced that Macs are "best", and didn't even have a PC until 1995, so it's not like I haven't had time to compare the relative virtues of each platform. I really do like the Mac Pro however, a fine piece of hardware. Unfortunately it looks like the new Mac Pros have too many "specialized" ports, such as the new video card connections and such. And they have got as expensive as new cars.


Well, you have plenty of options then. I think a VM is the best way to sandbox your computer. No browser is really going to give you that level of security by itself. Keeping your recreational browsing on a VM and work stuff on the main system is the way to go; I might even do that now that OS X can be put on a VM (since Lion at least). You could run a lot of VMs on that Mac Pro with no issues, that seems like the way to go.

Apple hardware is not cheap, especially a Mac Pro. I have Mac Minis, which are the most economical way to enjoy the Apple experience.


...

Thanks sigmtnman. Dunno hardware or software. I've downloaded some pre-made Ubuntu VMs but not lately. Maybe they are better. Every time, I'd run the VM, and then run the updater, which would download a bunch of files that I was supposed to install with the Linux console. Which would be fine if I knew more than the crudest basics of Unix command line operation. I don't mind learning stuff, but if that's the only reason I need to learn it, then the easiest thing to do is not use Ubuntu. Problem solved. :)

Leaning toward a dedicated sacrificial bait machine for browsing. Am beginning to think hackers are too smart to trust a VM. Remember a while ago when there was some kind of security issue on TGO for a couple of days? I tried running a "disposable" Ubuntu VM to browse TGO when it was unsafe, to try out the concept. After a few hours, the Ubuntu firewall alerted that something was trying to tunnel out thru the virtual ethernet ports. So it might be false confidence to think a hacker can be kept off the host machine and isolated in the VM if he's smart enough.

...

With the latest few versions, all of the installs and updates are run from the GUI. It has an update daemon (service) that will pop a window when updates are available and you just click through the update install; no need to use the console if you don't want to. Any operating system can be hacked, but with Linux, Firefox and NoScript, you will be pretty secure. The nice thing is everything is free, so all you need is the hardware. Load it up with OpenOffice, GIMP and whatever else you need and you're all set.

Edited by sigmtnman

When I think all is lost I just do a restore back a few days. Generally takes care of the problem. As a matter of fact, if I can't fix it within a few boots I do a restore.

Dolomite

Usually a system restore will not remove the malware; it will only revert changes that have been made to the system. The malware can attack again at any time.


Some of the right wing blogs make money with wall-to-wall ads advertising everything from Preparation H to Obama, so a guess might be that one of the ads had a well-crafted payload, but maybe it had been lurking a long time and just decided to become visible the other day.

Usually something like that is a result of poisoning; it's the latest greatest tactic for scareware/crimeware. Nothing that the sites were probably aware of. There was actually just a massive case of a few thousand sites being hijacked, showing up on Google Images. If you viewed the pic it instantly started the redirection and changes to the system... It was a nasty little booger.

Guest Lester Weevils

Have you thought about using Ghost? I'm sure you're scrupulous about backing up your code anyway. It doesn't take much time at all to restore from a Ghost image.

Thanks Mike. In the past I used PowerQuest Drive Image and also Ghost. Later on switched to Acronis True Image when the two old standbys didn't get to market quick enough on some MS innovation that broke DI and Ghost for a while. Can't recall, maybe the NT file system.

Back then, before MS got so aggressive with copy protection, I built the PCs with 2 or 3 front-mounted 5.25" removable drive bays and would keep a bunch of identical drives in cartridges. Every week I would mirror the boot drive from bay A to bay B, then put the bay A drive on the shelf, marked with the date of backup, and swap in the newly copied drive for the next week. That way I had several weeks of bootable full backups at any one time on the shelf. Quit doing that when MS "improved" Windows to such a point that it would pitch a fit running a newly cloned copy, believing that I was stealing old Billy Gates blind with piracy and the FBI should immediately dispatch a SWAT anti-piracy hit squad. [joking] I liked that system, simple and multiply redundant.

The problem nowadays is that I happen to need large amounts of files in the work set, and copying that much data is slow as Christmas no matter how fast the modern hard drives. I have fairly fast drives, but if you clone 300 gigs of files it's gonna take a while, even copying from one internal drive to another, or from one dir to another dir on the same drive. Admittedly it doesn't take as much time as installing a bunch of stuff from scratch, but if the file set is big enough it can put you dead in the water for many hours waiting on a simple copy.

Some folks early on advocated partitioning of drives and putting the essential system files on relatively small, easy-to-backup partitions. Maybe that is smart, but the fallacy happens when a directory partition block gets munged and then the entire drive is unreadable, kinda negating the theoretical advantage of small system partitions if the error of a single block causes everything on the disk to be suddenly gone like a cool breeze. :) If the same drive was un-partitioned, failure of a single block can often be survived.

So anyway, I probably do it all wrong, but if the problem is stealth viruses that might hide for a long time before they pop up and bite you, then even if you're taking weekly redundant images, maybe even your oldest image from months ago, maybe all your images have the virus in there hiding, and it doesn't matter how many copies you have because all of 'em are infected.

All my drives nowadays are RAID 1 pairs to minimize the likelihood of an unrecoverable drive crash, plus external drives for occasional images, plus online backups. The Mac Pro also has an internal RAID 1 for "Time Machine" automatic incremental backup. It is pretty bulletproof except for fire, theft and malware. Unless the computers are burned up, stolen or intentionally hacked, the odds are pretty low that data will be lost or that I'll have to reinstall a bunch of crap from scratch.

The work machines are too big a house of cards to risk some East European idiot ruining 'em with a virus, merely because I want to read some right-wing blogger and some criminal can't think of anything more creative than trying to break strangers' computers.


I run a virtual machine on my desktop. I set the virtual disk to non-persistent, so if I power off the VM, it goes right back to a clean system. Once a month, I'll change the disk to persistent and boot it up to let it get patches and antivirus updates. Then I shut it down and make it non-persistent again. Anyway, I use this VM to browse the web, especially if I'm doing random searches to unfamiliar sites. If the VM gets hosed up, it is as simple as powering it off to get back to a clean system.

Guest nicemac

Despite your reluctance to use a Mac, it is the perfect machine for what you want to do. Despite your hostility toward programming for the platform, it is huge and growing rapidly and has yet to ever have a real virus. Social engineering (you can't fix stupid) trickery stuff, yes, but a real virus, no.

I have been Mac-only since 1993. I have never owned anti-virus software. I have five Macs on my home network that is connected to Comcast right now with no anti-virus software. For years. No viruses. The argument that when the Mac gets more popular there will be viruses for it doesn't hold water. There are 50 million Macs in use in the USA alone. Windows XP had its first virus while the software was still in beta and only had a deployed user base of 14,000.

Configure a Mac and a Dell identically and the Mac is almost always cheaper. Yep, you can buy an Acer or build your own computer cheaper than you can buy a new Mac. All I can say there is: you get exactly what you pay for…


Firefox, NoScript addon, Adblock Plus addon.

This. This is how I browse everything, including "safe" places like TGO. NoScript is kind of annoying until you get used to figuring out what you need to allow on various sites to make them functional. It's also very informative to see just what some sites are pushing at you. By the way, you can also get similar functionality for Chrome if that's your preference.

One person I know refuses to use safe browsing habits and won't use things like NoScript either. He insists on Windows. My solution for him was a Lenovo laptop with a separate restore partition that you boot into with a separate power button on the laptop. He stores all his files on an external drive, which I also set up with a bunch of apps from PortableApps. That way he just restores to a clean Win7 machine whenever he feels the need without losing anything.


Despite your reluctance to use a Mac, it is the perfect machine for what you want to do. Despite your hostility toward programming for the platform, it is huge and growing rapidly and has yet to ever have a real virus. Social engineering (you can't fix stupid) trickery stuff, yes, but a real virus, no.

I have been Mac-only since 1993. I have never owned anti-virus software. I have five Macs on my home network that is connected to Comcast right now with no anti-virus software. For years. No viruses. The argument that when the Mac gets more popular there will be viruses for it doesn't hold water. There are 50 million Macs in use in the USA alone. Windows XP had its first virus while the software was still in beta and only had a deployed user base of 14,000.

Configure a Mac and a Dell identically and the Mac is almost always cheaper. Yep, you can buy an Acer or build your own computer cheaper than you can buy a new Mac. All I can say there is: you get exactly what you pay for…

My only addition here is that you can be a "carrier" for Windows malware; that's the main reason I use an AV. All good points otherwise. Sophos actually alerted me to malware on one of my Windows VMs.


If you are worried about it, and ultra paranoid, a virtual machine is about as bulletproof as you can make it. If you treat the VM like your real hardware PC (that is, virus scanner, router, secure browser settings, etc.), then even if you do get something you can just kill the VM session and start again, and the virus is gone. Only a couple of viruses have crossed from VM to host; most cannot do this.

Another bulletproof trick is to use your older computer (whatever you last had before the current one) to browse, and do not browse with your real PC. If a browser-only computer gets infected, you restore it and ignore it; there is no real harm done.

There are guidelines for making a secure computer for government work. I think anyone can read those? Take a look at some stuff like this... http://www.sans.org/reading_room/whitepapers/casestudies/connecting-classified-network-internet-case-study_694


Acronis True Image. Restore your computer to whenever you like. Reformats, reimages the drive, no need to reload OS or programs, takes about an hour on an average computer. Saved my butt a few times at home and at work.

This. We use imaging software, and keep images for all the various hardware packages in the building. Because it's a business, all work data lives on file servers that are backed up daily. If something creeps into a machine (almost always sales people), we give the machine an enema, and reconnect them to their data. We maintain a large number of machines this way (probably over 100). It's not cost effective in terms of hardware cost AND user efficiency to use separate machines for browsing. If we can keep that many machines, all that interact heavily on the internet, with a couple of IT guys, you should be able to adapt it to your own use.

I don't know what kind of code you're doing. Any code development I've seen requires its own incremental backup scheme. When new code gets "sick", it's almost always self-inflicted :)


I run a virtual machine on my desktop. I set the virtual disk to non-persistent, so if I power off the VM, it goes right back to a clean system. Once a month, I'll change the disk to persistent and boot it up to let it get patches and antivirus updates. Then I shut it down and make it non-persistent again. Anyway, I use this VM to browse the web, especially if I'm doing random searches to unfamiliar sites. If the VM gets hosed up, it is as simple as powering it off to get back to a clean system.

This^^, or keep a snapshot of the VM to go back to.

For those that have suggested using system restore, malware can infect the restore points as well. First thing we do here when cleaning a virus machine is disable and delete all the restore points.


If something creeps into a machine (almost always sales people), we give the machine an enema, and reconnect them to their data.

Active directory is a wonderful thing.
