Most secure web browsing without sacrificing functionality?

  • NeverDie
    replied
    Perhaps there's no need for Windows 8.1 Pro after all. I haven't tried this yet, but it looks as though Hyper-V Server 2012 is available for free: http://blogs.technet...tion-itpro.aspx


  • NeverDie
    replied
    It turns out Ubuntu and its derivatives like Lubuntu will boot with UEFI set to boot Windows 8.1. Many other Linuxes won't, at least not without non-trivial effort. Anyhow, I'd just as soon not set the UEFI to legacy, just in case the secure boot really does work at preventing rootkits from taking over the MBR (or whatever the MBR equivalent is called these days).

    So, I got VirtualBox working last night (actually more like a proof of concept) with Windows 8.1 as the host operating system and Lubuntu as the guest operating system. VirtualBox doesn't seem to release the hard drive space it reserves for the virtual machine, even after I discard the VM and instruct it to delete all associated files, so I eventually ran out of hard drive space after creating and destroying a bunch of virtual machines. I thought I would go through Windows to reclaim the space, but it seems well hidden, even after setting Windows "folder options" to reveal everything.

    So, the usual two steps forward, one step back. I'll also need to buy more memory if I go this route.


  • Jebus
    replied
    Nothing is unexploitable short of pulling the network cables.

    A correctly configured hosts file, including all the lan puters and excluding the list of bad URLs, allows dnsmasq to always route traffic to the correct host.

    I'm pretty sure there is no value in hacking our systems with a sophisticated attack such as poisoning your provider's DNS cache.

    It's the ads and the associated scripts that foul most users' browsers.


  • Pete
    replied
    Think this is a repost from a few months ago...

    DNS Spoofing


  • Jebus
    replied
    A rules-based firewall is your filter. A hosts file protects your lan when it is set up to exclude known malware sites. A secure caching DNS server speeds things up and keeps all page requests channeled through your router's rule set and hosts file.

    Watch your router log when you request a page with your browser. Some pages have over a hundred URLs requested.

    The whole reason that we all see browser slowdown is the extreme amount of ad URLs that come flying through your router to your PC when you request a web page with your browser.
    Sites don't care if they are spurious URLs, they get paid for the ads.
    Stopping those URLs @ your router with a hosts file redirecting the URL request to null or 0.0.0.0 goes a long way towards stopping malware and improving page load times. A caching DNS server speeds up repeated URL lookups.

    I have been set up this way for over 15 years. I never have to "rebuild" a malware-damaged PC and I have excellent page load times with 2272 Kbps DSL.


  • NeverDie
    replied
    Originally posted by Jebus
    Why not just protect your lan with another nat layer on a linux distro using an old pc and two lan cards.

    Freesco comes to mind.

    Use it as a secure caching DNS server, add a hosts file package, and configure its rules-based firewall your way.

    Has an http server, ftp server, DDNS server, everything.

    I rarely ever have any browsing malware, rarely scan with MWB.

    The bad url hosts file auto updates weekly from the package script.

    And no ads on my lan...
    Interesting suggestion. I'm not sure if I understand what you're proposing though. Is it more than a NAT, or does it filter things as well? Perhaps inserting some kind of high speed filter into the network would yield faster browsing than bottlenecking browsers that run on less capable CPU browsers with the extra burden of running security software.

    In the end, though, does it really buy any more security than the typical "internet security" packages installed on home PCs? I was kinda hoping to get higher security and faster browsing all at once. Maybe that's asking too much.

    With incredibly sophisticated malware seemingly more common, I'm finding it harder than it used to be to figure out a reasonable solution.


  • Jebus
    replied
    Why not just protect your lan with another nat layer on a linux distro using an old pc and two lan cards.

    Freesco comes to mind.

    Use it as a secure caching DNS server, add a hosts file package, and configure its rules-based firewall your way.

    Has an http server, ftp server, DDNS server, everything.

    I rarely ever have any browsing malware, rarely scan with MWB.

    The bad url hosts file auto updates weekly from the package script.

    And no ads on my lan...

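The setup Jebus describes in the posts above sinks known-bad names to 0.0.0.0 from a hosts file that updates itself weekly, so the resolver trusts whatever that list contains. As an added example (not part of the thread and not Freesco's package script), this Python code checks a hosts-format list before it is installed: it keeps only null-address entries, refuses lines that would redirect a name to a real address, and leaves LAN names alone. The function names, the LAN name `nas` and the sample entries are constructed for illustration.

```python
import ipaddress
import re

NULL_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # what lists use to mean "block"
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}  # never sink these
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

# Constructed sample input, not a real blocklist.
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.com tracker.example.net
127.0.0.1 ADS.example.com  # duplicate with another sink and case
203.0.113.7 bank.example.org
0.0.0.0 nas
0.0.0.0 bad_host!.example
not-an-ip foo.example
"""

def valid_hostname(name):
    """True for a syntactically valid DNS name of at most 253 characters."""
    return 0 < len(name) <= 253 and all(LABEL.match(p) for p in name.split("."))

def sanitize_blocklist(text, lan_names=()):
    """Return (sorted names to sink, [(line_no, reason)]) for hosts-format text."""
    protected = PROTECTED | {n.lower() for n in lan_names}
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            rejected.append((lineno, "first field is not an IP address"))
            continue
        if addr not in NULL_ADDRS:
            # A name mapped to a real address is a redirect, not a block.
            rejected.append((lineno, "redirects names to " + addr))
            continue
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if valid_hostname(name) and name not in protected:
                blocked.add(name)
            elif name not in protected:
                rejected.append((lineno, "invalid hostname"))
    return sorted(blocked), rejected

def render_hosts(names):
    """Emit hosts-file lines that send every kept name to 0.0.0.0."""
    return "".join(f"0.0.0.0 {n}\n" for n in names)
```

A non-empty `rejected` list is worth logging on the router, since a redirecting entry in a list that is supposed to contain only blocks means the source changed or was tampered with.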


  • S-F
    replied
    As far as I know all versions of Windows have a built in functionality to wipe the user profile after log off. It's used in public places like libraries where they rent computer time by the hour and the like. Maybe it's only on the "pro" versions.


  • NeverDie
    replied
    Here's yet another idea: utilize an "instant restore" backup, such as is allegedly offered by some of the "continuous data protection" backup software packages. For instance, Rollback Rx does require a reboot, but aside from that, it claims the time to rollback to whatever time you pick is instant. I can't vouch for that, as I haven't yet tried it, but the reviews on Amazon are very high (so high that I'm wondering whether they were rigged): http://www.amazon.com/RollBack-Rx-PR...pr_product_top

    For present purposes, the problem with most backup/restore products is that restore is very lengthy, so it probably wouldn't get used as often as it should.

    However, doing an "instant restore" might be an acceptable alternative to running everything in a VM, as the results might be similar.

    Anyone here have experience with any high quality "instant restore" CDP software?


  • NeverDie
    replied
    After looking into it further, I decided I was going to try VirtualBox instead of Hyper-V, since Hyper-V requires running Windows 8 Pro (= $100 upgrade per computer). This article outlines the method I was going to try using VirtualBox:
    http://lightpointsecurity.com/conten...ruses-for-free

    Then I notice at the end of the article that the company offers a service where they let you use their virtual machines for this exact purpose at a cost of $6/month. If it works, it's a sensible model, as the cost of VMs could be amortized over a user base. They offer a free trial, so I'll probably try it. I don't know if that particular company will do a good job at it, but if not, maybe some other company does. If it turns out to be too laggy, though, it won't be worth it. In that case, having some kind of in-home "server of virtual machines" that could be shared among all the home's computers would perhaps make more sense than putting VMs on every computer, and it would likely minimize the lagginess. In theory, Microsoft wants an additional license for every virtual machine that runs Windows (even if the host computer already has a license for Windows!), so the cost of spreading it around could be quite high, though lagginess close to nil.

    Anyone here tried doing that? I don't imagine it would be much different than connecting to a remote desktop using XVNC or the like.


  • NeverDie
    replied
    I'm finding that with the advent of UEFI, there's a significant increase in hassle involved in switching between a boot USB drive and Windows 8.1. I have to toggle "legacy" mode to boot from the USB, and I have to toggle-on UEFI before booting Windows 8.1. It may actually tilt the balance in favor of doing virtual machines....


  • NeverDie
    replied
    I did try the Chrome OS, but it looks as though Google doesn't really make it available directly anymore. The image that's available through some European company is over a year old. It might be different if you're on an actual Chromebox instead of just downloading the software.

    Anyhow, the boot-up time is a real impediment to use. Also, the Chrome (in the Vanilla distro that I downloaded) doesn't seem to be upgradeable to current Chrome releases, so that's an unfavorable security hole.

    Also tried Puppy Linux. Once booted it's very fast, but it was 40-50 seconds to boot it from a USB 3.0 flash drive. It's nonstandard Linux using a non-standard browser. I could imagine using it, but I think my wife would probably dislike the unfamiliarity of it.

    I tried Mint, but I didn't see anything special about it.

    I'll try out Chrome on Ubuntu (should offer easier/better installation and I'm hoping updatability) too. If that doesn't click, then I'll probably look into the Virtual Machine solutions.


  • NeverDie
    replied
    I hadn't realized it until just now, but allegedly Windows 8.1 Pro comes with Hyper-V already inside it: http://technet.microsoft.com/library/hh857623.aspx

    I imagine that should make creating an isolated Windows VM fairly easy. You can even run a "guest operating system" such as Linux within it.

    Allegedly Hyper-V is also in Windows 10 Technical Preview, so that would be another (free) way to try it out.
    Last edited by NeverDie; January 3, 2015, 05:05 PM.


  • NeverDie
    replied
    Originally posted by Cleavitt76

    As far as I remember, Chrome OS wasn't a target in that competition.
    Confirmed. According to https://nakedsecurity.sophos.com/201...nd-win-150000/ "Note that the underlying platform is the 64-bit version of Windows 8.1 in all cases, unless you're taking on Apple's Safari browser."


  • Cleavitt76
    replied
    Originally posted by NeverDie
    Interesting info! You make an interesting case with your pwn2own example. I'd feel safer if there were a guaranteed way to detect a penetration if it were to occur, but if there is no guaranteed way (?), you have a compelling argument. I'm going to take a closer look into it. Thanks for the nudge!

    Meanwhile, I just re-wrote option #3, which I then bolded (see OP above) just to demark what changed, based on recent reading about Chrome OS. Did Chrome OS get owned in pwn2own? You've got me curious. I'd like to look into that as well and cross off my list everything which got owned in those types of competitions. Prior to your post I was only peripherally aware those competitions existed, so, again, thanks for the pointer.
    Unfortunately, it's hard to find the detailed results because the website has been taken offline. There are articles, but they only have partial coverage of the results and they don't go into details about the severity of the vulnerabilities.

    As far as I remember, Chrome OS wasn't a target in that competition. The focus tends to be on the most common configurations out there and I don't think Chrome OS has enough market share at this point. Having said that, it would probably make for a fairly difficult target because there isn't much functionality to exploit.

    Chrome browser, IE (standard), and Safari were all in line with each other. They were each exploited, but the exploits weren't easy or plentiful. Firefox, Adobe Acrobat, and Android OS stood out as being compromised quite a few times if I recall correctly. IE 11 + EMET was not successfully compromised.

    The only other thing I would add to your list of security measures is to consider launching the browser under the context of a non-admin user and perhaps even a dedicated "web browsing" user account. Most attacks end up being executed as the user account that the browser process is running under. Using a non-admin user limits or completely invalidates the system level damage that can be done by most exploits. Using an account other than your own prevents most exploits from being able to damage your account, user config, or personal files. Some modern browsers run under a non-admin context even if the user account has admin privileges. I know that IE 10 and 11 do this. I think Chrome may do it too, but I'm not positive.
