International Skeptics Forum » General Topics » Computers and the Internet
Old 2nd October 2019, 01:58 AM   #1
Darat
Lackey
Administrator
 
 
Join Date: Aug 2001
Location: South East, UK
Posts: 87,610
Email, dangerous attachments etc.

There is a thread in the Science section about a university being "hacked" and the major weakness the hackers exploited was getting people to open and/or preview an attachment in an email.

That's got me thinking. With the ease of virtualisation on Windows 10, would it be possible to build an email client whose preview window is actually a virtual Windows 10 instance? Would this not be a good firewall between your actual installation and malicious emails?

I can see some issues with attachments needing to be saved onto your PC, but I can think of a few ways to overcome that issue.

Would this idea work or am I a cup of The TEA away from waking up?
__________________
I wish I knew how to quit you
Old 2nd October 2019, 03:02 AM   #2
Wudang
BOFH
 
 
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 11,979
One way would be to run a mail client inside a VM using email account A; then, if safe, it gets forwarded to B, which has a filter in place to only accept emails from A.
It would need some refinement including B stripping the A headers off to revert it to the original email but all doable - just ripping strings apart.
__________________
"Your deepest pools, like your deepest politicians and philosophers, often turn out more shallow than expected." Walter Scott.
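Wudang's two-account relay, as an added Python example that is not from the post or from any project: an inbound filter for mailbox B that accepts only mail relayed by the sandbox account A and unwraps the original message so the sandbox's own headers are dropped. It assumes the sandbox client forwards each reviewed message as a message/rfc822 attachment; the address sandbox-a@example.invalid and the sample messages are constructed for the demo.

```python
"""Inbound filter for mailbox B in a two-account relay scheme (constructed
example). Mail is read in a sandbox under account A; what A forwards is the
only mail B accepts, and B unwraps the forwarded original before delivery."""
import email
import email.utils
from email import policy
from email.message import EmailMessage
from typing import Optional

# Assumed address of the sandbox account A (constructed for this example).
SANDBOX_ACCOUNT = "sandbox-a@example.invalid"


def is_from_sandbox(msg: EmailMessage) -> bool:
    """True when the From: address is the sandbox account.

    A From: header is trivially forged, so a real deployment must pair this
    with a transport-level check (the sandbox's own submission credentials, or
    an internal-only relay) rather than rely on the header alone.
    """
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    return addr == SANDBOX_ACCOUNT


def unwrap_forwarded(msg: EmailMessage) -> Optional[EmailMessage]:
    """Return the original message carried as a message/rfc822 part, if any.

    The inner message keeps its original From:, Subject: and body; the outer
    wrapper written by the sandbox client is simply discarded.
    """
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def filter_inbound(raw: bytes) -> Optional[EmailMessage]:
    """Accept a raw RFC 5322 message only if it was relayed by the sandbox and
    carries a forwarded original; otherwise reject it (return None)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_from_sandbox(msg):
        return None
    return unwrap_forwarded(msg)


def build_forwarded_sample() -> bytes:
    """Constructed: an external message as account A would forward it to B."""
    original = EmailMessage()
    original["From"] = "vendor@example.invalid"
    original["To"] = SANDBOX_ACCOUNT
    original["Subject"] = "Invoice 42"
    original.set_content("Please find the invoice attached.")

    wrapper = EmailMessage()
    wrapper["From"] = SANDBOX_ACCOUNT
    wrapper["To"] = "real-me@example.invalid"
    wrapper["Subject"] = "Fwd: Invoice 42"
    wrapper.set_content("Previewed in the sandbox; forwarding.")
    wrapper.add_attachment(original)  # becomes a message/rfc822 part
    return wrapper.as_bytes()


def build_direct_sample() -> bytes:
    """Constructed: a message sent straight to B, bypassing the sandbox."""
    direct = EmailMessage()
    direct["From"] = "vendor@example.invalid"
    direct["To"] = "real-me@example.invalid"
    direct["Subject"] = "Invoice 42"
    direct.set_content("Please find the invoice attached.")
    return direct.as_bytes()


if __name__ == "__main__":
    inner = filter_inbound(build_forwarded_sample())
    print("relayed:", inner["From"], "/", inner["Subject"])
    print("direct:", filter_inbound(build_direct_sample()))
```

The From: check is the weak link, since that header costs nothing to forge; B should also require that relayed mail arrive over a path only the sandbox can use, and the unwrapped message should still pass through the usual attachment and spam filters rather than being trusted because it came via A.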
Old 2nd October 2019, 04:40 AM   #3
rjh01
Gentleman of leisure
Tagger
 
 
Join Date: May 2005
Location: Flying around in the sky
Posts: 24,829
If Microsoft thought about such issues they could easily solve most security issues. For example in order to update Windows you need to produce the next number in a sequence known only to Microsoft. This number would be unique to each machine.
Edit. IBM solved such things in the 1980s.
__________________
This signature is for rent.
Old 2nd October 2019, 07:22 AM   #4
theprestige
Penultimate Amazing
 
Join Date: Aug 2007
Posts: 38,335
Originally Posted by Darat
There is a thread in the Science section about a university being "hacked" and the major weakness the hackers exploited was getting people to open and/or preview an attachment in an email.

That's got me thinking. With the ease of virtualisation on Windows 10, would it be possible to build an email client whose preview window is actually a virtual Windows 10 instance? Would this not be a good firewall between your actual installation and malicious emails?

I can see some issues with attachments needing to be saved onto your PC, but I can think of a few ways to overcome that issue.

Would this idea work or am I a cup of The TEA away from waking up?
The result would be that instead of taking over your main machine, it would take over your VM. First thing I'd do is develop a virus that causes mail VMs to green light other viruses. Second thing I'd do is quietly infect as many mail VMs as possible. Third thing I'd do is go on the dark web and hire out my network of infected VMs to other people for delivering their own payloads to the host systems.

Fourth thing I'd do is to target the VM development shop directly, and see if I can get them to ship contaminated VMs to begin with. Fifth thing I'd do is sell my tech to the Chinese. Sixth thing I'd do is use my network of contaminated VMs as the platform for my next project. And then sell that tech to the Chinese.
Old 2nd October 2019, 11:35 AM   #5
smartcooky
Penultimate Amazing
 
 
Join Date: Oct 2012
Location: Nelson, New Zealand
Posts: 12,500
Originally Posted by theprestige
The result would be that instead of taking over your main machine, it would take over your VM.
Design the system such that the mail VM is only started when you start your email client on the main machine. When the email client is closed, the VM is terminated. A virus running in the VM cannot keep running if its plug is pulled - that is why counter-scammers use it to fool scammers.
__________________
“Give me your tired, your poor, your huddled masses yearning to breathe free, the wretched refuse of your teeming shore - if they're white!"
If you don't like my posts, my opinions, or my directness then put me on your ignore list.
This will be of benefit to both of us; you won't have to take umbrage at my posts, and I won't have to waste my time talking to you... simples! !
Old 2nd October 2019, 11:47 AM   #6
theprestige
Penultimate Amazing
 
Join Date: Aug 2007
Posts: 38,335
Originally Posted by smartcooky
Design the system such that the mail VM is only started when you start your email client on the main machine. When the email client is closed, the VM is terminated. A virus running in the VM cannot keep running if its plug is pulled - that is why counter-scammers use it to fool scammers.
Step 1: Infect the running VM with the Greenlight virus.

Step 2: Use the Greenlight virus to greenlight a virus that contaminates the VM image at rest.

Both viruses can be part of the same payload, so they both go into action while the mail client is still running. (Also, I usually restart my mail client once a week or so, and leave it running for days at a time. That's a pretty big window through which to shove a lot of viruses into my running VM.)

After that, every time they start their mail client, it'll launch a contaminated VM, and Robert's your mother's brother!
Old 2nd October 2019, 11:50 AM   #7
smartcooky
Penultimate Amazing
 
 
Join Date: Oct 2012
Location: Nelson, New Zealand
Posts: 12,500
Originally Posted by theprestige
Step 1: Infect the running VM with the Greenlight virus.

Step 2: Use the Greenlight virus to greenlight a virus that contaminates the VM image at rest.

Both viruses can be part of the same payload, so they both go into action while the mail client is still running. (Also, I usually restart my mail client once a week or so, and leave it running for days at a time. That's a pretty big window through which to shove a lot of viruses into my running VM.)

After that, every time they start their mail client, it'll launch a contaminated VM, and Robert's your mother's brother!

I've never heard of the "Greenlight Virus". Nothing on the web about it. Is it something new?
__________________
“Give me your tired, your poor, your huddled masses yearning to breathe free, the wretched refuse of your teeming shore - if they're white!"
If you don't like my posts, my opinions, or my directness then put me on your ignore list.
This will be of benefit to both of us; you won't have to take umbrage at my posts, and I won't have to waste my time talking to you... simples! !
Old 2nd October 2019, 02:02 PM   #8
theprestige
Penultimate Amazing
 
Join Date: Aug 2007
Posts: 38,335
Originally Posted by smartcooky
I've never heard of the "Greenlight Virus" Nothing on the web about it. Is it something new?
It's the hypothetical virus I described in my previous post, that causes your email VM to not properly quarantine malicious code, but rather pass it on to the host system to work its harm.
Old 2nd October 2019, 02:30 PM   #9
smartcooky
Penultimate Amazing
 
 
Join Date: Oct 2012
Location: Nelson, New Zealand
Posts: 12,500
Originally Posted by theprestige
It's the hypothetical virus I described in my previous post, that causes your email VM to not properly quarantine malicious code, but rather pass it on to the host system to work its harm.

OK, I'm still not understanding how a virus can contaminate a VM "at rest". Surely the VM just runs from an .exe file (with associated .dlls) - that .exe file would not be running when "at rest", so the virus would not be running.

I was under the impression that open files cannot be written to, even by a virus. If the VM is running, then the .exe and .dll files cannot be written to, therefore the virus cannot contaminate them.

What am I missing?
__________________
“Give me your tired, your poor, your huddled masses yearning to breathe free, the wretched refuse of your teeming shore - if they're white!"
If you don't like my posts, my opinions, or my directness then put me on your ignore list.
This will be of benefit to both of us; you won't have to take umbrage at my posts, and I won't have to waste my time talking to you... simples! !

Last edited by smartcooky; 2nd October 2019 at 02:35 PM.
Old 2nd October 2019, 02:39 PM   #10
theprestige
Penultimate Amazing
 
Join Date: Aug 2007
Posts: 38,335
A VM image at rest is just a bunch of files. Replace or modify the files, and you've preemptively taken control of every VM instance launched from those files. This is way better than waiting for an instance to launch and then trying to get control of it.
Old 2nd October 2019, 03:07 PM   #11
smartcooky
Penultimate Amazing
 
 
Join Date: Oct 2012
Location: Nelson, New Zealand
Posts: 12,500
Originally Posted by theprestige
A VM image at rest is just a bunch of files. Replace or modify the files, and you've preemptively taken control of every VM instance launched from those files. This is way better than waiting for an instance to launch and then trying to get control of it.
OK, I'm really not trying to be thick here, but wouldn't those files reside outside the VM, and therefore not be accessible from inside the VM? I was under the impression that anything inside the VM resides only in RAM, and that it cannot access anything on the physical HDD (it uses a ramdisk to emulate an HDD). When the VM is turned off, all those files disappear and the virus with it.

Isn't the whole idea of a VM to be totally isolated from the real-world machine? This is how YouTuber Jim Browning manages to allow scammers to connect to his virtual machine (using TeamViewer) while he browses around inside the scammer's machine collecting the names and addresses of people the scammer has scammed previously.
__________________
“Give me your tired, your poor, your huddled masses yearning to breathe free, the wretched refuse of your teeming shore - if they're white!"
If you don't like my posts, my opinions, or my directness then put me on your ignore list.
This will be of benefit to both of us; you won't have to take umbrage at my posts, and I won't have to waste my time talking to you... simples! !
Old 3rd October 2019, 12:16 AM   #12
Wudang
BOFH
 
 
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 11,979
Interesting article on how malware can detect if it's running in a VMWare VM and what steps to take to defeat that.
https://resources.infosecinstitute.c...overview/#gref
__________________
"Your deepest pools, like your deepest politicians and philosophers, often turn out more shallow than expected." Walter Scott.
Old 3rd October 2019, 06:06 PM   #13
grmcdorman
Graduate Poster
 
Join Date: Mar 2007
Posts: 1,265
In theory, a virtual machine can be isolated from the physical computer ("host") running it. It can also be set such that all changes are discarded when it's shut down.

However, in practice there have been exploits, both hypothesized and demonstrated, that under some conditions have allowed the applications inside the VM to discover and even modify the host. Some of the CPU-based exploits fall into this category.

The main drawback to this proposed filtering scheme is that you have to recognize what's safe and what's not. In my view, it ends up being not terribly different from any other filtering scheme; it's not usually the filter that is compromised, it's that the attackers discover a new way of bypassing the filter - and, by using social engineering, get the users to activate the malicious payload. Isolated filtering in a VM, IMO, isn't going to fix that.
__________________
"Hello. My name is Inigo Skywalker. You are my father. Prepare to die."
Old 4th October 2019, 12:22 AM   #14
a_unique_person
Director of Hatcheries and Conditioning
 
 
Join Date: Jul 2002
Location: Waiting for the pod bay door to open.
Posts: 41,046
I'm betting that the computers that are getting infected are not up to date with their patches and/or OS. Security on win 10 is vastly improved now over older versions of windows. I was shocked to go to my bank four years ago to enquire about a loan only to see they used windows XP.
__________________
Continually pushing the boundaries of mediocrity.
Everything is possible, but not everything is probable.
For if a man pretend to me that God hath spoken to him supernaturally, and immediately, and I make doubt of it, I cannot easily perceive what argument he can produce to oblige me to believe it. Hobbes
Old 4th October 2019, 06:32 AM   #15
theprestige
Penultimate Amazing
 
Join Date: Aug 2007
Posts: 38,335
Originally Posted by a_unique_person
I'm betting that the computers that are getting infected are not up to date with their patches and/or OS. Security on win 10 is vastly improved now over older versions of windows. I was shocked to go to my bank four years ago to enquire about a loan only to see they used windows XP.
Banks are a special case. Having worked in bank IT, I forgive them a lot of tech debt.

Last edited by theprestige; 4th October 2019 at 06:57 AM.
Old 4th October 2019, 06:50 AM   #16
Wudang
BOFH
 
 
Join Date: Jun 2003
Location: People's Republic of South Yorkshire
Posts: 11,979
Originally Posted by theprestige
Banks are a special case. Having worked in bank IT, I forgive them a lot of tech debt.
Ditto. You have to have done it to believe it.
__________________
"Your deepest pools, like your deepest politicians and philosophers, often turn out more shallow than expected." Walter Scott.
Old 4th October 2019, 08:43 AM   #17
Elagabalus
Illuminator
 
Join Date: Dec 2013
Posts: 4,879
OK, what's dangerous attachments' complete email address so I can send them the etc.? I'm guessing something like TheRealDangerousAttachments@AOL.com?
Old 4th October 2019, 09:14 AM   #18
catsmate
No longer the 1
 
 
Join Date: Apr 2007
Posts: 21,080
Originally Posted by Darat
There is a thread in the Science section about a university being "hacked" and the major weakness the hackers exploited was getting people to open and/or preview an attachment in an email.

That's got me thinking. With the ease of virtualisation on Windows 10, would it be possible to build an email client whose preview window is actually a virtual Windows 10 instance? Would this not be a good firewall between your actual installation and malicious emails?

I can see some issues with attachments needing to be saved onto your PC, but I can think of a few ways to overcome that issue.

Would this idea work or am I a cup of The TEA away from waking up?
The malware could spread unless the VM was completely isolated; which it can't be to send and receive email.
__________________
As human right is always something given, it always in reality reduces to the right which men give, "concede," to each other. If the right to existence is conceded to new-born children, then they have the right; if it is not conceded to them, as was the case among the Spartans and ancient Romans, then they do not have it. For only society can give or concede it to them; they themselves cannot take it, or give it to themselves.
Old 4th October 2019, 09:25 AM   #19
theprestige
Penultimate Amazing
 
Join Date: Aug 2007
Posts: 38,335
Originally Posted by smartcooky
OK, I'm really not trying to be thick here, but wouldn't those files reside outside the VM, and therefore not be accessible from inside the VM? I was under the impression that anything inside the VM resides only in RAM, and that it cannot access anything on the physical HDD (it uses a ramdisk to emulate an HDD). When the VM is turned off, all those files disappear and the virus with it.
No worries.

Here's how I think of it: The purpose of the email-VM is to act as a gatekeeper and prevent malicious code from infecting the host machine. If it is possible to compromise the gatekeeping function of the VM, then in my opinion the next step is to exploit the compromised gatekeeper and get malicious code onto the host machine.

And the way I see it, the very first piece of code you want to pass through the compromised gatekeeper is code that gets onto the host machine and compromises the gatekeeper's source image. That way even if they tear down the running VM and replace it with a fresh one from the image, your compromise is still in effect and you can still get at the host machine via the fresh VM.

Quote:
Isn't the whole idea of a VM to be totally isolated from the real-world machine? This is how YouTuber Jim Browning manages to allow scammers to connect to his virtual machine (using TeamViewer) while he browses around inside the scammer's machine collecting the names and addresses of people the scammer has scammed previously.
The basic idea of a VM is to make more efficient use of idle system resources by subdividing them into discrete operating environments. There are many different ways to implement this, with greater or lesser interaction between the VM environment and the host environment.

Also, it doesn't matter how segregated the email VM is, if I can open an infected Word doc safely in the VM, then save it to my hard drive and open it on the host machine directly. Which is why step one has to be to compromise the running VM itself. Once you've done that, all the segregation in the world won't protect the host machine.
Old 10th October 2019, 09:41 AM   #20
plague311
Great minds think...
 
 
Join Date: Dec 2011
Location: North Dakota
Posts: 6,705
Originally Posted by catsmate
The malware could spread unless the VM was completely isolated; which it can't be to send and receive email.
Sure it could. Sandboxing VMs isn't too tough, and if you're familiar with networks/routers you can give your "email opening machine" its own network with firewall rules blocking it from any other LAN.

I have a sandboxed Linux box at home that I use to open emails, mess with viruses, etc. Just put it on its own host using a Raspberry Pi, or an old PC.

I guess it all depends on how savvy you are or how you'd like to do it.
__________________
"Circumcision and death threats go together like milk and cookies." - William Parcher

“There are times when the mind is dealt such a blow it hides itself in insanity. While this may not seem beneficial, it is. There are times when reality is nothing but pain, and to escape that pain the mind must leave reality behind.” - Patrick Rothfuss
Old 10th October 2019, 10:17 AM   #21
rdwight
Muse
 
 
Join Date: Dec 2016
Posts: 538
Simplistic, but wouldn't just accepting only text-based emails as opposed to HTML-based ones be easiest? Especially in regards to users with more access. No more risk of opened/previewed emails executing anything.

The main thing people don't seem to realize is how vulnerable any system is due to stupid people. Back in the days of AOL being a juggernaut, they had many security systems in place. I remember they had a 6-digit numerical code that changed every minute or so on certain accounts for security at one point for logins. Sounds pretty secure, right? Still didn't stop social hackers from getting in.

Mass password crackers would find these specific accounts that required them, loading it as the master account would give a break down of every other sub account under it. Same security measure used on dad's work account as his kids and wife's under him. That was just one flaw but you can imagine it wasn't hard to overcome even something like this with a little work.
Old 10th October 2019, 01:57 PM   #22
novaphile
Quester of Doglets
Moderator
 
 
Join Date: Dec 2009
Posts: 1,967
Originally Posted by rdwight
Simplistic, but wouldn't just accepting only text-based emails as opposed to HTML-based ones be easiest? Especially in regards to users with more access. No more risk of opened/previewed emails executing anything.
In the past, I used to use the registry setting that would force all emails to display as text. Unfortunately the setting no longer works.

The current fad of embedding and running code in everything is full of suck.
__________________
We would be better, and braver, to engage in enquiry, rather than indulge in the idle fancy, that we already know -- Plato.
Old 10th October 2019, 02:34 PM   #23
theprestige
Penultimate Amazing
 
Join Date: Aug 2007
Posts: 38,335
Originally Posted by rdwight
Simplistic, but wouldn't just accepting only text-based emails as opposed to HTML-based ones be easiest?
I don't think it's the HTML that's the problem. It's that the email client is able to execute instructions contained in the emails it receives. This goes far beyond simple HTML rendering (which isn't really that risky in and of itself).

You'd have to go back to plain text emails. No markup, no formatting, no macros...
Old 10th October 2019, 03:48 PM   #24
JimOfAllTrades
Muse
 
Join Date: Aug 2011
Posts: 548
I use an email preview program that just shows the contents of the emails as text. It doesn't download any images, render any HTML, or execute any code; it just shows a text version of the email in my inbox. It lets me delete or bounce (bounce goes back with a bad email address code).

Then after I clean out the junk with that, I download to my normal email client.
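The text-only approach described in rdwight's, theprestige's and JimOfAllTrades' posts above, as an added Python example that is not from any of those posts or from any named product: a previewer that shows only the text/plain part (or, for an HTML-only message, its visible text with every tag stripped), counts remote image and link references instead of loading them, and lists attachments by name, type and size without opening them. The sample messages and addresses are constructed for the demo.

```python
"""Text-only mail preview (constructed example): nothing is fetched, rendered
or executed. The body shown is the text/plain part, or the visible text of an
HTML-only body; remote references are counted, attachments are only listed."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _VisibleText(HTMLParser):
    """Keep visible text, drop <script>/<style> bodies, count http(s) references."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.remote_refs = 0
        self._skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skipping += 1
        for name, value in attrs:
            if name in ("src", "href") and value and \
                    value.lower().startswith(("http://", "https://")):
                self.remote_refs += 1  # noted for the reader, never fetched

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skipping:
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping:
            self.chunks.append(data)


def preview(raw: bytes) -> dict:
    """Describe a raw RFC 5322 message: plain-text body, number of remote
    references in any HTML part, and attachment metadata (name, type, size)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "body": "",
        "remote_refs": 0,
        "attachments": [],
    }
    # Always inspect an HTML part for tracking/phishing links, even when a
    # text/plain alternative exists; only use its text if no plain part does.
    html_text = ""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = _VisibleText()
        parser.feed(html_part.get_content())
        html_text = " ".join("".join(parser.chunks).split())
        out["remote_refs"] = parser.remote_refs
    plain = msg.get_body(preferencelist=("plain",))
    out["body"] = plain.get_content().strip() if plain is not None else html_text
    for part in msg.iter_attachments():
        out["attachments"].append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(part.get_payload(decode=True) or b""),
        })
    return out


def build_html_only_sample() -> bytes:
    """Constructed: an HTML-only message with a link, a tracking image and a script."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Verify your account"
    msg.set_content(
        "<html><body><p>Click <a href='https://example.invalid/login'>here</a> "
        "to verify.</p><img src='https://example.invalid/pixel.gif'>"
        "<script>document.title = 'x'</script></body></html>",
        subtype="html",
    )
    return msg.as_bytes()


def build_mixed_sample() -> bytes:
    """Constructed: text+HTML alternatives plus a macro-style attachment."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Invoice 42"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        "<p>Please see the attached invoice.</p>"
        "<img src='https://tracker.example.invalid/open.gif'>",
        subtype="html",
    )
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (build_html_only_sample(), build_mixed_sample()):
        print(preview(sample))
```

Because the HTML is parsed with a tag stripper rather than a browser engine, remote images and links are never requested, so no read receipt or tracking pixel fires, and attachments are described by their declared name and type only; a file such as invoice.docm is reported, not opened.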
Old 10th October 2019, 06:09 PM   #25
rjh01
Gentleman of leisure
Tagger
 
 
Join Date: May 2005
Location: Flying around in the sky
Posts: 24,829
Originally Posted by plague311
Sure it could. Sandboxing VMs isn't too tough, and if you're familiar with networks/routers you can give your "email opening machine" its own network with firewall rules blocking it from any other LAN.

I have a sandboxed Linux box at home that I use to open emails, mess with viruses, etc. Just put it on its own host using a Raspberry Pi, or an old PC.

I guess it all depends on how savvy you are or how you'd like to do it.
I wonder how that would go? Have a computer that is basically several raspberry pis all linked together, controlled by another raspberry pi. If one gets a virus it can be purged.
__________________
This signature is for rent.
Old 11th October 2019, 06:36 AM   #26
plague311
Great minds think...
 
 
Join Date: Dec 2011
Location: North Dakota
Posts: 6,705
Originally Posted by rjh01
I wonder how that would go? Have a computer that is basically several raspberry pis all linked together, controlled by another raspberry pi. If one gets a virus it can be purged.
I guess I'm not sure what you mean.

What would you need more than one Raspberry Pi for? The new 4s are actually pretty potent with up to 4 GB of RAM, a quad-core processor, mini HDMI, etc. They're basically just a laptop in a much smaller form factor.

Throw a Linux OS on there, and you're good to go. Put it on a DMZ with no access to your local network and open all the emails you want.
__________________
"Circumcision and death threats go together like milk and cookies." - William Parcher

“There are times when the mind is dealt such a blow it hides itself in insanity. While this may not seem beneficial, it is. There are times when reality is nothing but pain, and to escape that pain the mind must leave reality behind.” - Patrick Rothfuss
Powered by vBulletin. Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.

This forum began as part of the James Randi Education Foundation (JREF). However, the forum now exists as an independent entity with no affiliation with or endorsement by the JREF, including the section in reference to "JREF" topics.