Browser Separation with Integration using VirtualBox

Seamless window integration of two separate operating systems, with isolated network stacks.

Ransomware poses a real risk to everyday web surfers. There are multiple attack vectors: drive-by downloads, compromised sites and malvertising, to name just a few, are all huge areas of risk. This leads some to want separation or sandboxing of their web browser, either for some of their browsing or all of it.

The main motivation here is separation for risk reduction and security, not privacy/anonymity.

With browser security under scrutiny, things are improving. However, with problem after problem in 3rd party add-ons and browser plugins, scripting issues, 3rd party code includes and so on, the web is full of risk areas before you even consider malvertising, compromised sites or cross-site scripting.

Moving beyond ad or script blocking

By utilising VirtualBox, you can build a (mostly) separate computer for your browser, minimising risk through separation using a Virtual Machine sandbox.

Whilst using a physically separate computer provides better security to your ‘main’ system, it is impractical in the majority of cases. Creating a Virtual Machine sandbox, with some clearly understood elements of integration between the two systems provides much better functionality and end user experience, whilst maintaining a significantly higher level of security.

Why not other approaches?

As a former user of NoScript, I became a little tired of picking through the many scripts to try and unpick what web developers were thinking, in a drive to make the sites function again. I was also very aware that a quick ‘allow all on this page’ one lazy day could undo years of time-consuming script inspection. This is not a solution for the faint-hearted and not something I could recommend to many.

Ad Blocking? Ok so this protects against some threats such as Malvertising, however it does not address any other risk factors and therefore leaves massive areas for bad actors within the browser. We are also now in a world of Ad Blockers, Ad Block Blockers and Ad Block Blocker Blockers.

Sandboxing via Sandboxie? This does not stop the browser reading files on your system.

Physically separate system? Ok, but let’s face it, who runs a separate PC for ALL of their browsing…. not many. If you are doing any amount of browsing from your PC then this option could help secure the browsing.

What do I need?

You will need to download and install VirtualBox. You will also need either a Windows Licence and media, or a copy of Linux. I have used both Windows and Ubuntu in this browser isolation technique successfully. I recommend having an ISO image of the disk for easy build and rebuild should you wish.

Configuring VirtualBox

Once you have created a basic Virtual Machine selecting either the Windows or Linux templates, you will need to make some changes. These adjust the security and functionality. Some improve security and separation, whilst others create openings between the Virtual Machine and your host computer.

Which of these changes you make is personal preference, and down to your use case and requirements: for example, whether you’re worried about malware within the browser reading clipboard content on the host OS, or about file encryption malware.

When you access web content, you are likely going to want to download files. If you’re then going to need these on your ‘main’ system, you will need a seamless way to export these files. Consider setting up a share between the VM and your host system. You should create a sub folder for this, and share only this, to protect your other files and the rest of your host PC from any security risks. E.g. have a temporary downloads folder, accessible from both systems.

Create Share with VM

When configuring your networking, you have several options.

NAT – The VM will share your PC’s IP address. However your PC and the Browser will each have an IP address on an internal NAT network. You will need to factor in host firewall security.
Bridged – Your host PC will push the browser VM to the main network (either wired or wireless depending on your configuration). You will then be able to protect the two systems from each other as if they were separate network devices. Review your host’s Windows Firewall security configuration. (Likely the best option)
Internal – Not appropriate.
USB – See below, under “Looking for better network separation?”

Configure Virtual Networking

You will then need to install either Windows or Linux. eg: Ubuntu. In this case, I have installed Windows 7.

Install Windows 7

Whichever OS you install, you can install the guest tools to unlock integration including clipboard and folder sharing. Even if you do not want these features, you can switch them on and off, and the tools will help ensure your guest VM behaves correctly.

Install VirtualBox Tools

Consider how you wish to interact with your browser, eg: you may wish to copy links from the host to the guest… or you may wish to copy webpage text from the guest to the host. Set this to your requirements, just remember that if the guest can read your host clipboard, then it can read your clipboard all the time. This type of risk is reduced later with read only disks and snapshot reverts.

Clipboard Settings

As per the above, configure a set sub folder to be shared with the VM if you want to seamlessly move files. However if you share too much, the guest browser VM will have access to it.

Test Folder Share

Once you have your system installed, updated and correctly configured it is best to take a snapshot. This will save the state of the system by creating a differencing image file, where any new disk writes are stored. Your live VM will behave normally but you will be able to revert to the snapshot.

Take new snapshot

Once you are up and running you will find you need to patch / update your browser and browser guest operating system. I would recommend that when you need to do this, you revert the VM to a known clean snapshot, perform the updates and take a new snapshot. Once you are happy all is well you should delete any snapshots that are no longer required, as managing these will become more complex and slow performance over time.

Delete unneeded snapshots

When you want to refresh your browser, eg: clean the session, drop any malware stuff etc from the guest OS, then revert to a known clean snapshot. You may choose to do this daily, and/or after visiting untrusted content etc etc.

Revert to or restore snapshot as needed
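
The integration choices above (clipboard direction, one dedicated shared sub folder, a clean snapshot to revert to) can be checked from the host. This is an added example, not part of the original post: a shell function that audits the text printed by VBoxManage showvminfo "<vm>" --machinereadable. The two sample outputs, the VM name and the folder /home/alice/vm-downloads are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a browser VM's integration settings from the host.
# stdin : output of  VBoxManage showvminfo "<vm>" --machinereadable
# $1    : the one host folder that is allowed to be shared with the guest
# stdout: one finding per line; exit status 0 = clean, 1 = findings

audit_vminfo() {
    allowed_share=$1
    findings=0
    has_snapshot=no
    while IFS='=' read -r key value; do
        value=${value#\"}; value=${value%\"}      # strip surrounding quotes
        case $key in
            clipboard)
                # Either of these modes lets the guest read the host clipboard.
                case $value in
                    bidirectional|hosttoguest)
                        echo "clipboard=$value: guest can read the host clipboard"
                        findings=$((findings + 1)) ;;
                esac ;;
            SharedFolderPathMachineMapping*)
                # Only the dedicated downloads sub folder should be visible.
                if [ "$value" != "$allowed_share" ]; then
                    echo "shared folder $value: not the dedicated downloads folder"
                    findings=$((findings + 1))
                fi ;;
            CurrentSnapshotName)
                if [ -n "$value" ]; then has_snapshot=yes; fi ;;
        esac
    done
    if [ "$has_snapshot" = no ]; then
        echo "no snapshot: nothing clean to revert to"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample output (not captured from a real machine).
sample_weak() {
    cat <<'EOF'
name="browser-vm"
clipboard="bidirectional"
SharedFolderNameMachineMapping1="home"
SharedFolderPathMachineMapping1="/home/alice"
EOF
}

sample_hardened() {
    cat <<'EOF'
name="browser-vm"
clipboard="guesttohost"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/alice/vm-downloads"
CurrentSnapshotName="clean-base"
EOF
}

echo "weak VM:"
sample_weak | audit_vminfo /home/alice/vm-downloads || true
echo "hardened VM:"
sample_hardened | audit_vminfo /home/alice/vm-downloads && echo "no findings"
```

Against a real machine, pipe the VBoxManage output for your own VM into audit_vminfo and pass the path of your shared downloads folder.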

Investigate the display modes to play with seamless window integration.

Looking for better network separation?

If you would like even clearer network separation, then consider this. VirtualBox is loading a USB kernel driver into your host OS. So remove all the network cards from the VM; now the system does not share the host system’s network adaptor at all. Now connect a USB Ethernet Adaptor to the PC, and create a USB filter.

USB Ethernet

Immutable images vs Snapshots

My original option was to use the VirtualBox immutable image setting for the main guest drive, and then the differencing file would be automatically thrown away when the system went through a full power off and power on cycle. (All changes are lost when the virtual machine is powered on the next time, as this is when the temporary differencing file is removed). I noticed issues however where this was not removing the differencing files correctly and I was ending up with several, or I would revert the image to ‘normal’ mode to install updates, and these updates would go into a differencing image. I therefore recommend snapshots at this time, which also helps keep this straightforward, as you will need to be used to reverting and creating new snapshots for the patch/update process.

Thoughts?

Would like to hear your thoughts and ideas, please comment below.


VeraCrypt takes a minute to pre-boot authenticate

VeraCrypt is a free disk encryption software, that is based on TrueCrypt 7.1a.

If you are suffering slow boot up with VeraCrypt, your password takes ages to be accepted, or pre-boot authentication is slow, then read on…

When I first tested VeraCrypt with Windows 10, I had problems with it taking around a minute to process the password in the pre-boot environment. After a couple of boots, I wondered if this was really a workable option at this time.

I then found this was due to the “Personal Iterations Multiplier”, PIM. It is a parameter that was introduced in VeraCrypt 1.12 and whose value controls the number of iterations used by the header key derivation function.

As shown in the screenshots, it is possible to set this value as you wish; some quick tests showed setting the value to 1 took less than a second. Therefore, I recommend reviewing the documentation and then selecting an appropriate value if you are suffering from this problem, bearing in mind that a lower PIM means fewer iterations of the header key derivation function.

https://veracrypt.codeplex.com/wikipage?title=Personal%20Iterations%20Multiplier%20%28PIM%29

VeraCrypt PIM 1


letsencrypt quick setup – Ubuntu and Apache

Note to self following a quick setup on a development box….

Setup:

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto --apache -d example.com -d www.example.com --email admin@example.com --agree-tos

To renew:

/opt/letsencrypt/letsencrypt-auto renew

Quick cron hack for renewals:

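# run-parts skips file names containing a dot, and the script needs a shebang line to be executed
printf '#!/bin/sh\n/opt/letsencrypt/letsencrypt-auto renew\n' > /etc/cron.daily/letsencrypt-cron
chmod +x /etc/cron.daily/letsencrypt-cron

Test with:

/etc/cron.daily/letsencrypt-cron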

Thanks to Adam for the head start: https://www.adamcouch.co.uk/2016/02/20/lets-encrypt/
More here: https://letsencrypt.org/


Windows Media Creation Tools

Note to self, and to you…  🙂 Some quick links to:

Microsoft Windows Media Creation Tools

Windows 7 (Media Download) – https://www.microsoft.com/en-gb/software-download/windows7
Windows 8.1 – http://go.microsoft.com/fwlink/p/?LinkId=510815
Windows 10 – http://go.microsoft.com/fwlink/?LinkId=691209

Windows USB/DVD Download tool
The Windows USB/DVD Download tool allows you to create a copy of your Windows 7/8 ISO file on a USB flash drive or a DVD. To create a bootable DVD or USB flash drive, download the ISO file and then run the Windows 7 USB/DVD Download tool. Once this is done, you can install Windows 7 or Windows 8 directly from the USB flash drive or DVD.

https://www.microsoft.com/en-us/download/windows-usb-dvd-download-tool
http://wudt.codeplex.com/

Windows 7 – Updating Windows Update
For those looking to do an in-place upgrade from a new Windows 7 system to Windows 10, you may need to update Windows Update. See this page.


Implementing Security Zones with Home Routers for the IoT early years

With the inevitable increase of internet connected devices, mainly due to the surge in Internet of Things (IoT) products, the number of vulnerable (or potentially vulnerable) devices is ever increasing. Today we have everything from internet connected thermostats and door bells to toy dolls and cars.

Security zones with home NAT/Firewall routers

NOTE: All references to router(s) in this article refer to a home / consumer grade NAT/Firewall router designed to be placed on a home internet feed. It will therefore have a stateful packet inspection firewall; it does not just route traffic.

If you’re worried about the security implications of next generation devices within your network, then implementing security zones within your small (most likely home) network could be a route forward. I first stumbled across this technique 3 years ago when it had been implemented within a small business in an attempt to create additional access points to improve WiFi coverage. They were running into connectivity issues between systems, inadvertently caused by the zones they had accidentally created. However, if implemented carefully, and tested to ensure it is functioning as expected, it may prove a useful tool.

In this example, there are three home / consumer routers that have been connected together to provide differing security levels. As a photo does not clearly describe the number of networks created and their relationships, this is drawn out in logical form.

You should remember that this post makes some assumptions around the default behaviour of your routers, and you should complete some tests to ensure the separation is as expected.

This same setup could also be created with fewer or more routers, to suit your requirements (most likely two routers). Also remember that different routers have different feature sets and therefore may provide more or fewer networks per router than covered here. It is worth noting that whilst this is a low cost and practical solution for the home network with security aware users or specific segmentation requirements, it is not a large enterprise solution.

This logical view shows the networks created by the 3 router configuration; this allows you to see the inter-network connectivity in a two router configuration, eg: RED and GREEN, but also in larger 3+ router designs.

Implementing Security Zones with Home Routers

The RED network is formed by the LAN behind the initial router connected to the internet feed. This is the lowest security zone in the design other than the internet zone itself, and its resources are subject to access from higher security zones.

The GREEN and YELLOW networks sit at the same security level as each other, therefore access between them is blocked as they are created by separate routers (at the same level). They are both able to access the RED network, and the Internet zone.

Within each coloured area, there are several networks created, these are:

  • WIRED – The Ethernet sockets on the router, or any cabled devices connected to them.
  • WIFI – The internal wireless network offered by the router.
  • GUEST – The optional guest wireless network feature available on some routers.
  • Others? Yes, there could be more, consider a router with additional wireless networks available to configure, or a DMZ network socket for example. You would need to review how these work on the model of router you have, and maybe draw your own basic logical diagram.

Same router – network security zones

Access between WIRED and WIFI networks on the same router is normally allowed and unrestricted. Some routers provide ‘Wireless isolation’, which is designed to block inter-device access on the same wireless network. In some cases this blocks access to wired devices and all other wireless devices; in others access to wired devices is ALLOWED, however access to other wireless devices is blocked. If you wish to utilise wireless isolation on a wireless network, check the manufacturer’s manual and perform some tests to ensure you’re familiar with the implementation.

Access between the GUEST wireless network and the WIRED and WIFI networks should be blocked by the router, however remember that in the case of the GREEN and YELLOW GUEST networks, they are likely to be able to access the RED WIRED and WIFI networks.

More detail on zones

Detail on zone boundaries

Deploying devices into a 2 router design

When deploying devices into this design, you will need to consider what they need access to, what needs access to them and also what access you want to ensure is blocked. This will help you select an appropriate network zone, so let’s consider some example devices and zones:

  • Trusted Laptops – GREEN WIFI
  • Printer – RED WIRED
  • Wired PVR / Hard disk Recorder – RED WIRED
  • Wireless TV – GREEN WIFI
  • Tablets – GREEN WIFI
  • Phones – GREEN WIFI
  • Visitor/Guests – RED GUEST
  • Thermostat – GREEN GUEST
  • Door Bell – GREEN GUEST

As we want no access to our trusted laptops from guests or untrusted devices, we will connect the trusted laptops to the GREEN WIFI network. It’s likely phones and tablets may fall into the same zone, so they will go here. But if you want to block their access to internal network resources, eg a NAS, then consider connecting them to a different zone, eg: GREEN GUEST.

We want to connect our IoT devices; they require no access to our computers, just to the internet. Therefore we will connect these to the GREEN GUEST network, with isolation enabled.

In order to cater for our visitors/guests, we would like them to connect to a network that is also isolated, but if we provide them with the same passphrase as our IoT devices (GREEN GUEST), it will become harder to change. Therefore we will give them access to the RED GUEST wireless network. This will separate the untrusted devices across two guest networks, the ‘owned’ IoT devices onto the GREEN GUEST and visitors on to the RED GUEST, neither should be able to access the other. We can now enable wireless isolation to protect every guest from every other guest, and every IoT device from every other IoT device.

Should we want devices that we can make connections to, but which can’t themselves connect to internal GREEN WIFI devices, these can be connected to the RED WIRED or WIFI network. Access will be allowed outbound through the green router for GREEN WIRED and WIFI devices into the RED network, but access from a RED device to a GREEN one would be blocked by default. Placing the PVR and printer into the RED WIFI or WIRED zones allows green devices to connect to view recordings or print files, but does not allow compromised printer or PVR firmware access to the internal GREEN network by default.

Adding a 3rd router (YELLOW) into the design would create additional networks if required.
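
The zone rules above can be written down as an expectation and compared with what your own tests show. This is an added example, not part of the original post: the ROUTER:NET naming, the open/closed probe log format and the sample log are constructed, wireless isolation is assumed enabled on guest networks as in the deployment above, and paths the article does not describe are reported as unstated.

```shell
#!/bin/sh
# Added example: compare probe results with the zone rules described above.
# A network is written ROUTER:NET, e.g. GREEN:WIFI or RED:GUEST.

# expected SRC DST -> prints allow, block or unstated
expected() {
    src_r=${1%%:*}; src_n=${1#*:}
    dst_r=${2%%:*}; dst_n=${2#*:}
    if [ "$src_r" = "$dst_r" ]; then
        # Same router: GUEST is walled off from WIRED/WIFI, and guest
        # clients are isolated from each other (isolation assumed on).
        if [ "$src_n" = GUEST ] || [ "$dst_n" = GUEST ]; then
            echo block
        else
            echo allow
        fi
    elif [ "$dst_r" = RED ]; then
        # GREEN and YELLOW sit behind RED and can reach its WIRED/WIFI.
        if [ "$dst_n" != GUEST ]; then
            echo allow
        elif [ "$src_n" = GUEST ]; then
            echo block            # the two guest networks must not meet
        else
            echo unstated         # the article does not cover this path
        fi
    else
        # RED -> GREEN/YELLOW and GREEN <-> YELLOW are blocked by the
        # firewall of the router that creates the destination zone.
        echo block
    fi
}

# stdin: lines "SRC DST open|closed" recorded from your own tests.
# Prints every mismatch; exit status 1 if an expected-block path is open.
check_results() {
    leaks=0
    while read -r src dst seen; do
        [ -n "$src" ] || continue
        want=$(expected "$src" "$dst")
        case "$want/$seen" in
            block/open)
                echo "LEAK $src -> $dst is reachable but should be blocked"
                leaks=$((leaks + 1)) ;;
            allow/closed)
                echo "BROKEN $src -> $dst is blocked but should work" ;;
            unstated/*)
                echo "NOTE $src -> $dst is $seen; decide if that is intended" ;;
        esac
    done
    [ "$leaks" -eq 0 ]
}

# Constructed probe log for the 2 router design (not real measurements).
sample_probes() {
    cat <<'EOF'
GREEN:WIFI RED:WIRED open
RED:WIRED GREEN:WIFI closed
GREEN:GUEST GREEN:WIFI closed
GREEN:GUEST RED:WIRED open
RED:GUEST GREEN:GUEST closed
RED:GUEST RED:WIRED open
GREEN:WIFI RED:GUEST closed
EOF
}

sample_probes | check_results || true
```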

Closing thoughts

You should note that this is only as secure as the router firmware and its configuration. In most situations, you will be able to add rules that bypass the security covered here.

In summary, chaining or stacking home/consumer routers can provide an interesting array of networks with differing security characteristics, which can be used to build interesting home networks. It is also a great way to learn about how some of these security features work and interact.

In a future post I will be exploring this network segmentation / zoning using a different approach.  Stay tuned.


VeraCrypt on Windows 10 64bit, now TrueCrypt has gone

If you have upgraded to Windows 10, it is likely you will run into problems enabling full disk encryption / system encryption with VeraCrypt due to the GPT configuration of your disk.

If you’re prepared to reload your computer, you can achieve full disk encryption, on Windows 10 Home, at no cost. (Providing your disk is less than 2TB)

First of all, I will assume you’re happy to upgrade your system to Windows 10; this is available to you at no cost until mid-2016. If you would rather stick with an earlier version of Windows, that’s fine, you will just need to adjust the below instructions slightly to suit your situation.

0. Backup
1. Upgrade to Windows 10.
2. Check you have a GPT disk, if you have an MBR, you do not need this guide.
Windows 10 GPT Disk
3. Check Windows 10 activated successfully; if you don’t, you could run into big issues later.
Windows 10 Activated
4. Create Windows 10 media, it is important to get the right media, compare with the system information that’s available when you check the activation status. Select ‘Download the tool now’ on the Microsoft media creation page for Windows 10: https://www.microsoft.com/en-gb/software-download/windows10
5. Backup, again. Separately to the first.
6. Reboot your system and use the special key to enter setup, likely to be F2, F11, Delete or similar.
7. Disable secure boot, and switch from UEFI/EFI to legacy mode.
NOTE: Disabling secure boot does have some implications (out of scope of this article), however you cannot have this and VeraCrypt at the time of writing.
8. Boot from the media you created, this may require a further change in setup or a separate special key, for example F12 is sometimes used for ‘boot menu’.
9. Start the Windows 10 installation, you can skip the licence key if you do not have one and your system successfully activated following an upgrade to Windows 10.
10. You will need to delete all the partitions from your system. This will destroy all of your data and programs. I have warned you, and you have been advised to backup twice already.
11. Once all partitions have been removed, you can create a new one, most likely the entire disk. Note that this only works for disks below 2TB.
12. Complete the Windows 10 installation by following the onscreen instructions.
13. Once the system boots into Windows, ensure it’s connected to the internet and that Windows 10 has activated successfully.
14. Install VeraCrypt and attempt system disk encryption.

You’re done.


The need for Full Disk Encryption (FDE) / System Encryption

With the increasing number of mobile computing devices the fixed desktop PC in the home has been on the decrease, in favour of a mix of mobile platforms. Whilst a number of people use their mobile or tablet devices for browsing the web, there is a large number of laptops in use which do not feature the common mobile ‘switch on’ storage encryption.

The need

The need for full disk encryption to protect data at rest on laptop (and desktop) devices has never been so important. The largest concern for most security-aware users is the risk to their personal data through opportunistic theft of their device, whether this be on a train, from a car or even from their home.

You can protect against data loss through failure or device theft through good backups, however protecting the confidentiality of stored data requires Full Disk Encryption and strong passwords.

What is FDE / System Encryption?

“Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage.

Expressions full disk encryption (FDE) or whole disk encryption often signify that everything on disk is encrypted – including the programs that can encrypt bootable operating system partitions – when part of the disk is necessarily not encrypted. On systems that use a master boot record (MBR), that part of the disk remains non encrypted. Some hardware-based full disk encryption systems can truly encrypt an entire boot disk, including the MBR.” Wikipedia, 29 Dec 2015

Encryption Options

To encrypt a Windows 10 system you have 2 choices: BitLocker or 3rd party encryption software. BitLocker is made by Microsoft and included with Windows 10 Pro, therefore if you’re a home user you would need to pay to upgrade from Home to Pro. There are a number of 3rd party software options, and I am not going to attempt to cover them all, however they fall into two broad categories: free (as in beer), some of which are also free as in freedom (Free and Open Source Software, FOSS), and commercial, where you would need to part with your hard-earned cash.

Truecrypt

I will mention Truecrypt first… A favourite no-cost solution for a large number of users was Truecrypt, however recently the project has been shelved by the developers and is no longer being maintained. Therefore it is advisable to look at alternatives.

VeraCrypt

The VeraCrypt project describes the project as: “VeraCrypt is a free disk encryption software brought to you by IDRIX (https://www.idrix.fr) and that is based on TrueCrypt 7.1a.”. They have taken the Truecrypt source code and have continued to develop it, resolving issues identified during the Truecrypt audit, and are looking to continue building features.

The GPT problem

One of the core problems with some of these encryption solutions today is the lack of support for GPT; it’s likely, if you are a Windows 8, 8.1 or 10 user, that you have a GUID Partition Table (GPT).

Solutions like VeraCrypt will not currently work for you on a system with a GPT drive (correct at time of writing, Dec 15). However there are some options….

See my next blog item: VeraCrypt Full Disk Encryption on Windows 10 (Coming soon)

Please feel free to comment below.


Windows 8.1 System with failed drive

Windows Installation Media Creation Tool

So the drive has failed (or you have reloaded with Linux) and you now need to get Windows 8.1 reinstalled. No rescue media to hand, and no recovery partition available. It’s time to reach for the Windows Installation Media Creation Tool, a great tool that enables you to create an ISO or boot USB from any working PC, giving you media that you can use to rebuild your troubled device.

All being well your licence information will be stored in UEFI (from when your system was built) and you will be back up and running with no need to panic about keys.

You can grab it here: http://windows.microsoft.com/en-gb/windows-8/create-reset-refresh-media
