Dec 06, 2022
I want to talk about why you need virtualization/compartmentalization, but through the prism of portable apps. The reason behind this is twofold: I want to outline the potential uses and security benefits that portable apps bring, as well as to talk more about how one would go on about reducing that attack surface, and their respective risk, through compartmentalization and virtualization. These are great methods, and I dare say, it pays at least knowing a bit more about them.
Portable apps. We all know what these do (probably) but we may not be familiar with the how. This talk is freeform and example-based. Let's get to it.
For example, you might use compartmentalization with encryption by separating your stuff by its importance, like having an encrypted volume for each of those potential uses, by using different encryption keys for those volumes. You could also use a NAS where each volume is encrypted using a different encryption key. The more secure ones could be accessed on a need-to basis, only decrypting when you need the access to that specific volume, while you would continue using day to day volumes for other data that needn’t be that secure.
This is a very decent way to reduce the attack surface of your data. From the previous articles, you know how important this is, and you also know that the encryption key is not in the memory if the volume doesn’t get mounted. Also, if its not mounted it cant really be attacked. So, by using this type of virtual isolation in conjunction with encryption you’re actually doing quite a bit for your own security/privacy.
You can also make use of the hidden encrypted volumes… one other option for virtual isolation are portable apps, something we've all gathered here about. You can download the tools from portableapp.com or pendrives.com doesn’t really matter which one you choose (I'm sure there are others too), what matters is the fact that portable apps are self-contained, don’t require installation, and are not writing themselves inside your system. They are contained within the folder, and you could even copy/paste them to a desired destination and have another instance of the same app, that’s also self-contained, isolated, and more secure. You can even do this for the versions of the said app.
There are many great implications for your privacy/anonymity/security that stems from the portable apps. For example, let's say you’re using a regular web-browser… all the data related to the browser’s history is contained within your portable app (which is all within its folder) which makes for a great way to quickly even eliminate that if needed, and also, maybe more importantly, not spewing and writing all that forensically important data all over your OS. Simple, and quite secure.
What is nice about this approach is the fact you can gauge it to your liking, having the more ‘paranoid’ setups, and also the more lax ones, all in accordance with your own security needs.
Furthermore, should you just use this portable setup, you can also place that folder with your self-contained app on a more secure device, like for example an encrypted USB drive; and, there you have it, a much more secure setup, that you can also take with you and plug into another device, without having to lose any sleep over it.
Taking all this further, you can even add that hidden partition to your USB drive.
This is even better, as you well know, because the encrypted partition can’t be accessed at all before being decrypted. This little setup including a hidden volume, a self-contained app (stealthy too!) is already ahead of the curve – maybe even when compared to companies, but, the kicker for me here is that you can have 2, 3, or as many as instances of that specific application as you’d like, that are all self-contained, just by doing some copying and pasting. This is vital, because it basically enables you to create different security domains, profiles, aliases, anything you might need really, and it’s all nicely isolated/contained. The options here are many!
For our example with the browser, I’d like to add this also works for profiles so you can set up your browser’s profiles in any way you’d like, and still retain the ability to pop your USB into any machine and basically have your hardened browser available to you. This also works nicely in conjunction with the regular browser – if we’re talking private use – as you can have one that’s for your everyday stuff, and the other that’s ready to go but is living in a hidden place, securely configured, hardened, available for you to do some private browsing, should that matter. This is a great thing, because it might even keep you forensically ‘clean’ should you end up being scrutinized, since you’re not actually doing anything that’s of importance to anyone, right?
Another thing I want to mention that you can do all of this through the cloud-offered services, by storing your ready to go app in a cloud of your choice.This is a great way to have your app available anywhere, on any device, remotely… This would give you an extra layer of physical isolation. Since the app itself would not exist locally in this case, you could, potentially, escape the sphere of influence of your adversary, and that’s nothing to scoff at.
Lastly, you could also try some sandbox solutions, which are generally good from the security perspective, but are not that great for your privacy and anonymity. This is because of the infrastructure you’re using, but you’re not the owner of. However, you would again be able to enjoy both virtual and physical isolation which reduces your potential risk greatly.
As you can see, there are some caveats with all these options, but all of these should provide you with excellent protection against many types of attacks out there. With your going through other systems and isolating yourself in such a way, even if something were to get compromised, it still ends up contained within that instance you’ve set up, be it a VM, a VPC/server, anything. This is also a great way to browse the web.
When it comes to attacks, browser-based ones are definitely relevant, since we're all using them. So, with that in mind, this whole story above might even seem much more important, I hope!
It would be great if this conclusion could permeate all of my articles so that I needn’t repeat myself, but the main point I want to emphasize here is the fact that when I’m talking about adversaries, geographic sphere of influence, and similar terms that are within the field, I am not trying to write guides for evading 3-letter agencies, nor am I trying to condone anything illegal.
Think of all that as necessary! Yes, necessary, because as we all know, the same tactics are used by real threat actors, but also by activists, whistle-blowers, journalists, etc. I want us to explore those options together, so we can all learn how to protect ourselves better, and smarter, while online. That’s why we all need to be in the know. The bottom-line remains the same, and that is all about the choice, rather, what you choose to do with all that knowledge and technology.
This is key for me and is the main reason behind the topics I’m choosing to write about.
I hope this article spurred some imagination! Till next time!
Cover image by hmm 001
This talk is centered about one very cool thing you can add to your daily computer use, getting you a quick security win - portable apps. Discussed from the perspective of risk/attack surface reduction, through virtualization and/or compartmentalization.
Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day)j00sean (https://twitter.com/j00sean) July 11, 2023
CVE-2021-38294: Apache Storm Nimbus Command InjectionZeyad Abdelazim June 20, 2023
CVE-2023-21931 & CVE-2023-21839 RCE via post-deserializationMohammad Hussam Alzeyyat June 19, 2023
Have you missed them? The new reports feature is here!Noa Machter May 14, 2023
CVE-2021-45456 Apache Kylin RCE ExploitMohammad Hussam Alzeyyat April 30, 2023