0

I have two computers and the goal is to move a functionality of a given file from computer A to computer B. The file is supposed to have a certain known functionality but it potentially could expose additional unwanted behavior. How to safely exchange the desired functionality of the file between the computers?

I believe that a question asked on such a general level might not have a single correct answer, therefore given the ambiguousness I would like to ask if there are perhaps some good practices and measures to be taken?

Aside from the general view, I would like to ask the same question in a very specific context.

I am thinking about doing some freelancing for small companies which most likely would mostly mean Excel VBA related programming. In such a case I would be developing spreadsheets on my computer and then I would need to transfer the files to a client. Whatever the measures I would take to keep my computers sterile I don't think it's a safe approach to assume that I can do that 100% of the time due to whatever reasons. Besides I can think of scenarios in which I am 100% sterile but a client's network is under a constant hacker's silent supervision and once the hacker discovers that there is a 3rd party sending files to the client, they may strike doing some damage and for at least initial time "framing" me into it.

So for example I have an Excel file with a procedure creating a "test.txt" file on a user's desktop. Is it possible to send the file (or functionality) safely to the client assuming that my computer is infected with an unknown malware?

The solution I thought of here is not sending a file, but instead a mail with a short instruction with a logic (of course more verbose) how to recreate the file:

  • Create an empty Excel file
  • Open Excel VBA IDE, add a module, paste the code
  • Save as .xlsm

Sadly, it seems very crude and perhaps repelling to potential clients. Also it does not really protect me from the “framing” scenario.

soquestions
  • 3
  • 2
  • 2
    I think you are overthinking the problem. There is no 100% security, neither in IT nor in real life. Instead you try to reduce the risks. To do this you must first need to know what the **realistic** risks are for you. And then you can try to reduce these with the help of money, time, knowledge, procedures... . At the moment you are mostly at the level of some high level theoretical risks. I think you must first find out what your real risks are before finding ways to address the risks. – Steffen Ullrich Apr 18 '16 at 19:23
  • It is unclear to me what you are trying to protect against. Are you afraid of malware running on your computer? If so, how could you trust your email not to be hacked as well? Malware can likely modify your copy buffer, so you can't even copy-and-paste code without being sure that it wasn't modified. Come up with a list of explicit concerns and then they can be evaluated for likelihood and protection. – Neil Smithline Apr 18 '16 at 19:39
  • If there was a fool-proof solution to this, then anti-virus products would use this solution on all files that your computer received, and you wouldn't get infected to start with. – Macil Apr 18 '16 at 20:33

1 Answers1

1

Question is strange, but here is an alternative approach. Sure you can keep your machine clean 100% of the time. Create a virtualized hardened host, take a snapshot, do your work, send your work, close virtualized host. Never use the host for ANYONE, not even connecting to the Internet, you could save your work on a USB send it from another machine. When you go back to do your work, revert the snapshot problem solved.

From a realistic perspective though, Steffen already laid out the risk based approach. If you cannot trust your own network, surfing habits, then you have more to worry about. In a sanitized environment (as mentioned above) there is no mechanism to introduce any risk if the virtualized host is never networked. You could go as far as mounting a shared folder to transfer data to a networked machine, but then you're back to square one train of thought: "then I am networked and vulnerable." From a virtualized/non-networked machine, I fail to see how anything could be introduced without any iota of networking (ethernet, wireless, bluetooth, etc)

munkeyoto
  • 8,682
  • 16
  • 31