[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Is there a way to use internet in a sandbox environment? (Linux)



I am giving a scenario: (Devices: PC Hard Disk having important files for offline use, USB Device for data transfer and Mobile Device which has internet connection)

1. I have a hard disk that is offline (Linux OS).

2. I use a mobile device for internet, gather some data and transfer that to a usb device (via OTG).

3. I have to mount the usb device to the hard disk since I need the gathered data.

4. Give read and write permission to the usb.

5. I copy the gathered data from usb to the hard disk. Use/process the data as per needs.

6. I write some data back to the usb if needed.

7. Connect usb to the mobile device if needed.



Data from mobile --> usb --> Hard disk

Data from Hard disk --> usb --> Mobile



How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data so that the files on the hard disk are always safe?








---- On Tue, 26 Mar 2019 16:21:52 -0700 Ben Tasker <ben@xxxxxxxxxxxxxxx> wrote ----



Nothing is 100% safe, but by instituting isolation you'll have raised the

bar.



For "something" to escape your internet VM would require some kind of

hypervisor exploit. Technically there is the potential for rowhammer style

attacks from within that VM, but for the forseeable future that'd likely

mean a pretty targeted attack.



Basically it all depends on your threat model. Some prefer to boot tails

from read only media on a system with no disks, others don't need that

level so are willing to sacrifice a little security in the name of

convenience.



There's a lot more to opsec than just the browser you're running too.



That said, you specifically mentioned concerns about malware, so a simple

VM could well be enough for you (or even a multi-vm setup like Qubes to

reduce the risk of data leaks). You could also have a disconnected VM for

"offline" stuff, but it'd probably be overkill for most people.







On Tue, 26 Mar 2019, 10:52 npdflr, <mailto:npdflr@xxxxxxxx> wrote:



> Thanks Ben Tasker for the information.

>

>

>

> Regarding KVM:

>

> If I use two KVMs one for offline use and other for online use then would

> you say that the KVM used for offline use is 100% safe? (as KVM basically

> is a hardware-assisted virtualization)

>

>

>

>

>

> ---- On Sun, 24 Mar 2019 15:51:27 -0700 Ben Tasker <mailto:ben@xxxxxxxxxxxxxxx>

> wrote ----

>

>

>

> Most browsers actually already do exactly this and run tabs inside a

>

> sandbox.

>

>

>

> If you wanted to restrict that further, you could look at chrooting or

>

> using docker. Or take it a step further and use a full blown VM (whether

>

> that's KVM or something like Virtualbox).

>

>

>

> But don't, please, follow the suggestion of using root for routine

>

> non-internet tasks. You should use privileged accounts only when you

>

> actually require that level of privilege. Also keep in mind that while

>

> malware running as an unpriviliged user cannot (generally) hose the system,

>

> it can still steal/corrupt whatever data that user has access to. Unless

>

> this is a shared system, you probably care more about that data than the OS

>

> files themselves.

>

>

>

>

>

>

>

> On Sun, 24 Mar 2019, 13:27 npdflr, <mailto:mailto:npdflr@xxxxxxxx> wrote:

>

>

>

> > Using internet in a sandbox environment would be ideal to prevent

>

> > viruses/theft.

>

> >

>

> >

>

> >

>

> > I am posting some links related to this topic.

>

> >

>

> >

>

> >

>

> > 1) Discussion on stackexchange:

>

> >

> https://security.stackexchange.com/questions/35373/how-to-make-sandbox-only-internet-access

>

> >

>

> >

>

> >

>

> > 2) Using hypervisor/kvm to connect to the internet. Hypervisor

>

> > Technologies:

>

> >

> https://opensourceforu.com/2016/03/the-top-open-source-hypervisor-technologies/

>

> >

>

> >

>

> >

>

> >

>

> > 3) Virtual Desktop: https://help.comodo.com/topic-72-1-522-6274-.html

>

> >

>

> >

>

> >

>

> > 4) Another way would be to block internet for the root user in Linux and

>

> > allowing internet only for other users. In this way, one is using root

> for

>

> > offline activities and other users for online activities (just like a

>

> > sandbox environment).

>

> >

>

> >

>

> >

>

> > But it looks like if you enable internet connection for non-root user

> then

>

> > the root user is automatically connected to the internet (I maybe wrong).

>

> >

>

> > I have tried using some commands from the below links replacing

> "USERNAME"

>

> > with "root" (THERE MAYBE RISK INVOLVED IN DOING SO) but I had to restart

>

> > the system to enable the internet connection again.

>

> >

>

> >

>

> >

> https://askubuntu.com/questions/223434/how-to-disable-internet-for-a-user-on-a-system

>

> >

>

> >

>

> >

> https://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html

>

> >

>

> >

>

> >

>

> >

>

> >

>

> > Any suggestions?

>

> >

>

> >

>

> >

>

> > Thank you.

>

> > --

>

> > tor-talk mailing list - mailto:mailto:tor-talk@xxxxxxxxxxxxxxxxxxxx

>

> > To unsubscribe or change other settings go to

>

> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

>

> >

>

> --

>

> tor-talk mailing list - mailto:mailto:tor-talk@xxxxxxxxxxxxxxxxxxxx

>

> To unsubscribe or change other settings go to

>

> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

> --

> tor-talk mailing list - mailto:tor-talk@xxxxxxxxxxxxxxxxxxxx

> To unsubscribe or change other settings go to

> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

>

-- 

tor-talk mailing list - mailto:tor-talk@xxxxxxxxxxxxxxxxxxxx

To unsubscribe or change other settings go to

https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk