Solved [Solved] Secure environment

Hawk

Hawk

I have a Windows XP system that I frequent that the owner allows me to install programs on, but not modify the OS. The users of this system are not security conscious, and sometimes I must use this system to log onto my bank or government/military sites. Attempting to please my paranoia, I would like to get to a secure environment. I could use a bootable USB stick, but that would require me to dedicate one (hey, I'm poor) large enough to fit x11/xorg, java/openjdk7, security/opensc, and www/firefox (browser with PKCS #11 support). I would prefer an alternative method.

I have installed VirtualBox on this system and FreeBSD as a guest, thinking this would circumvent most malware that may be on the system. For key loggers, I simply use the on screen keyboard of the GUEST. The performance isn't great, but it's manageable.

As a novice to FreeBSD, I'm assuming that using a remote frame buffer over SSH would also do the trick, but from what little experience I have with RFB, the network latency wouldn't be much more advantageous over a performance degradation using virtualization. Or would this be a better solution security-wise?

Does using FreeBSD as a guest protect against malware on the host? Are there other considerations I should take into account? Are there other solutions I haven't considered (and I'm sure there's a butt-load of them)? Any improvements or suggestions are welcome.
 
Re: secure environment

Hawk said:
I have a Windows XP system that I frequent that the owner allows me to install programs on, but not modify the OS. The users of this system are not security conscious, and sometimes I must use this system to log onto my bank or government/military sites. Attempting to please my paranoia, I would like to get to a secure environment. I could use a bootable USB stick, but that would require me to dedicate one (hey, I'm poor) large enough to fit x11/xorg, java/openjdk7, security/opensc, and www/firefox (browser with PKCS #11 support). I would prefer an alternative method.

I have installed VirtualBox on this system and FreeBSD as a guest, thinking this would circumvent most malware that may be on the system. For key loggers, I simply use the on screen keyboard of the GUEST. The performance isn't great, but it's manageable.
Click to expand...
You need to check your system for keyloggers and other types of malware first. You are still leaving the base system open if you are only using an onscreen keyboard for the virtualized system. Have you thought about anyone else using the system who does not have the functional paranoia that you do being unaware of such dangers?

Hawk said:
As a novice to FreeBSD, I'm assuming that using a remote frame buffer over SSH would also do the trick, but from what little experience I have with rfb, the network latency wouldn't be much more advantageous over a performance degradation using virtualization. Or would this be a better solution security-wise?
Click to expand...
OpenSSH with X forwarding works without the need for remote frame buffering; but, anyone who wants has the right to their own system's configurations.
Hawk said:
Does using FreeBSD as a guest protect against malware on the host?
Click to expand...
Not as you may assume. Prevention of any malware on any host system is dependent upon your security practices for the base system. If the applications are directly run within and only within the guest system with the guest system being made secure, then those applications would be somewhat "safe" within reason.
Hawk said:
Are there other considerations I should take into account? Are there other solutions I haven't considered (and I'm sure there's a butt-load of them)? Any improvements or suggestions are welcome.
Click to expand...
 
Re: Secure environment

I understand having personal preferences, but an 8 GB flash drive costs about $5. :)
 
Re: Secure environment

--> Whenever I post from my phone, I am unable to use tags due to the lack of a right bracket on this browser. [ The tag buttons in the editor work just fine on a phone -- Mod. ]

Welcome to the world of the poor and the intelligent. There are a lot of us out there. What I have done is ask people to let me have the systems they throw away. You can also look on Craigslist for hardware. My opinion on virtualization is pretty open: learn the system on bare metal first then install to a virtual machine. Sometimes schools - colleges et al. - and businesses get rid of equipment. Try asking them. You also have the option of installing to a USB key. I had tried a virtual-to-bare-metal installation and did not take certain factors such as real versus virtualized hardware to mind.
 
Re: Secure environment

If the host is compromised, there is no way to be sure that a guest environment is private. The host has access to hardware and the input stream. Using an on-screen keyboard might make it a little harder, but it would not make the guest secure. Even if the key locations moved around randomly, the host could just record the bitmap and show what locations were touched.
 
Re: Secure environment

sossego said:
Have you thought about anyone else using the system who does not have the functional paranoia that you do being unaware of such dangers?
Click to expand...
The owner doesn't learn, despite having numerous compromised credit cards. I try suggesting to change the OS since nobody but me really upkeeps the system... they're hard headed.
wblock said:
If the host is compromised, there is no way to be sure that a guest environment is private. The host has access to hardware and the input stream. Using an on-screen keyboard might make it a little harder, but it would not make the guest secure. Even if the key locations moved around randomly, the host could just record the bitmap and show what locations were touched.
Click to expand...
Sounds like the most security/convenient balanced solution is to use a stick. Thanks, y'all.
 
Re: Secure environment

A hardware keylogger will easily grab everything typed. And just because one is not visible on the outside of the machine does not mean there isn't one inside. Even using your own computer in that location could be questionable, there might be a security camera aimed at the keyboard.

As they say, the question is not whether you are paranoid, but whether you are paranoid enough.
 
You must log in or register to reply here.
Back
Top