UVM's Information Security Operations Team answers "Why?" Why?security

Visiting Questionable Websites (or, Using Your “Internet Hazmat Suit”)

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:


With each phishing campaign that’s conducted against UVM’s students, faculty, and staff, the Information Security Office receives dozens of notifications from astute members of the community who recognize the email messages for what they are: a scam aimed at co-opting someone’s legitimate access to UVM’s information resources.

Occasionally, these notifications include a comment like, “I knew the email was a phish, and clicked the link. Wow, was that ever a poor excuse for a website!” (or “…Wow, the site looked exactly like myUVM!”). While we appreciate the heads-up and certainly understand folks’ curiosity, the sad fact is that even the simple act of visiting one of these websites can cause trouble by forcing your browser to make unauthorized requests, instigating malware downloads, or even by commandeering your web browser for control by nefarious puppeteers.

What’s the astute-yet-curious Internet citizen to do?

In short: Leave it alone, unless you’re willing to undertake a fair amount of work. Seriously: The Bad Guys have gone out of their way to take Everything That’s Nice About the Internet and turn it against us.

You’re still here? OK, there are a few techniques that someone willing to go the extra mile (well, frankly, a few extra miles) can use to investigate suspicious sites in relative safety. But even all of these are only a hedge, and not a guarantee that nothing Bad will happen to your computer/mobile device/information. Caveat lector/Lasciate ogni speranza/Here be dragons, etc.:

The “one-time experiment” approach: A separate user account on your computer.

The easiest entrée into Fearless Acts of Internet Investigation involves becoming someone else…sort of. Modern computer operating systems (including Windows, OS X, and Linux) leverage the concept of the user account. Whether you know it or not, each time you use your own computer, you log in as a particular user (even if you don’t use a password). In most “consumer computing” cases, that user is also an administrator of the machine’s operating system, meaning that it is capable of doing just about anything to that computer including installing malware like viruses and keyloggers.

The trick to safely investigating suspicious Internet sites is to NOT have that capability. Here’s how to do it:

  • Be certain your OS, web browser, and anti-virus/malware protections are fully up-to-date. It would be sad to do all this work only to be nailed by something that’s already been addressed, no?
  • Copy the suspect link to a piece of paper. Seriously? Yes: Where we’re going, you won’t be able to copy/paste between “here” and “there”…
  • Create a non-administrator user account. On both Windows and OS X computers, this is called a “Standard” user.
  • Switch to this newly-created user account. The process differs between Windows and OS X.
  • Disable JavaScript, Java, Flash, and ActiveX in your web browser. This will address common avenues for “silent” delivery of downloads and remote control of your browser. Again, different processes for different browsers like Firefox, Chrome, Internet Explorer, and Safari. Search engines like Google, Bing, and company are your friend, here.
  • Visit the site. (You’ve been so patient!)
  • STOP if you are presented with prompts that request Administrator privileges or the installation of browser plugins. (We’re specifically trying to rob the website of these capabilities, remember? :-))

It’s important to note something here: In disabling all those browser capabilities/plugins (JavaScript, Flash, etc.), we’ve traded “fidelity” for “safety”. In other words, the site you visit may not look as intended without those bells and whistles enabled, so it could be difficult to tell whether it’s a clone of myuvm.uvm.edu, or trying to do something sneaky like turn your browser into a zombie. The antidote to this is the next method, below.

The “dedicated” approach: A virtual machine.

A “virtual machine” is basically a second computer running inside your computer’s operating system. The great thing about virtual machines is that they can generally be copied. So you can, say, create a very basic virtual Windows or Linux machine template on your Windows, Mac, or Linux computer, make a copy of it to use when visiting unsavory websites, and then throw it away when you’re done. The next time you find yourself itching to check out another questionable site, make another copy, use that, throw it away when done. A lot like a disposable hazmat suit!

Popular virtualization technologies for desktop computers include VMware products for Windows computers and Macs, VirtualBox for both, Parallels Desktop for Macs, and KVM and Xen for Linux. You could even try out one of the free cloud offerings from the likes of Amazon if you just want to dip your toe in the water without installing software on your own computer. (Please note that UVM doesn’t formally endorse or support any of these products, even though they may be in use by various units. Caveat emptor/your mileage may vary.)

The advantage of this method over the “separate user account” approach is that the isolation from your everyday operating system (known as the “host OS” in virtulization lingo) is more complete, so you can let the browser run active content (JavaScript, Flash, etc.) and get the “full website experience” with more confidence. This does make it important that you destroy the virtual machine when you’re done, since it’s basically a full-fledged computer which you’ve just exposed to a bunch of Internet contagion. Which means, if it does catch some Exotic Internet Flu, it will be an infected computer with access to other computers on your home network/UVM’s network/the Internet.

Wait: What about my phone/tablet?

Sadly, there aren’t a lot of great options here for mobile devices. For better or for worse, most mobile device operating systems (like Android, iOS, and Windows RT) only support one all-powerful user account, so the “create a non-administrator user” option is out. (Notable exception: Windows Surface tablets running Windows 8.) And while there are some “sandboxing” options that mimic running virtual machines on these devices, they’re generally part of expensive enterprise mobile device management packages. Certainly it’s possible to remotely control a virtual machine using special apps on your mobile device, but you still have to have a virtual machine to control.

So, as of this writing: Stick to a laptop or desktop computer. (But look for that to change in the future. Maybe.)

That’s pretty involved.

If both of those approaches seem like a bunch of work, it’s because they are. Over the last two decades, computer operating systems and web browsers have developed capabilities for the rapid acquisition (read: download) of content, convenient installation of software (easy-to-use administrator accounts), and a rich interactive experience (JavaScript and friends), and hacking techniques have evolved to take advantage of those capabilities for nefarious purposes. So, in order to have a truly safe experience when visiting potentially-dangerous websites, one really needs to short-circuit a whole bunch of features that the modern Internet user takes for granted.

Is it possible to do this? Yes, if you’re committed to taking appropriate precautions. Is it for everyone? We leave that up to you.

So, in conclusion…

We encourage you to STOP before clicking the link in that scam email.

Then THINK about what information you might be putting at risk by visiting that website on the device you’re currently using (your phone? tablet? laptop?) — How many passwords are saved on there? What’s in the files contained in its local storage? Have you logged into your bank using this device? Did you ever log off?

Finally, CONNECT only if you’ve taken the extensive precautions required in order to do so safely.

Questions or comments? Get it touch with us: iso@uvm.edu


Safe surfing,

Sam Hooker, for the Information Security Operations Team

Skip to toolbar