161

As an investigative journalist I receive each day dozens of messages, many of which contain PDF documents. But I'm worried about some of the potentially malicious consequences of blindly opening them and getting my computer compromised. In the past, before I started working in investigative journalism, I was using virustotal.com to analyze all files (including PDFs) coming to my inbox, but that's not possible in this case as the files will be sent to them when they're meant to be confidential before release. And I heard that antivirus solutions are not 100% foolproof.

What is the safest way to deal with loads of incoming PDF files, some of which could potentially be malicious?

user
  • 152
  • 9
Tom the journalist
  • 1,389
  • 2
  • 9
  • 9
  • 1
    I've seen app virtualisation used to do this (app-v/citrix etc.), however now that browsers come with their own readers built in, it's not going to be watertight. – Neil P Feb 14 '17 at 12:34
  • 1
    Given the level of malicious activity & spear-fishing reported, your concern may be warranted. When you do setup a secure system (Qubes OS sounds good) it would probably be worth at that time *wiping & rebuilding your current system* to rule out it already being compromised. – Thomas W Feb 15 '17 at 03:02
  • 1
    Assuming you receive the PDF files by email, how about getting/auto-forwarding it to a Gmail inbox. You can then view the PDF attachment within your browser without having actually download it – mvark Feb 16 '17 at 09:24
  • 1
    I'm writing this assuming that someones life could depend on your work. Against whom you are trying to defense? As soon as there are government agencies "in the game" you must be prepared that they throw 0-day exploits worth hundreds of thousand dollar in your direction. If you are feeling that this could be the case, i'd recommend to not put to much trust in technology in general and security software in particular. Try to reduce technical complexity as much as possible since this will reduce the attack surface. QubesOS is an elegant solution for many problems but it's also very complex. – Noir Feb 17 '17 at 01:37
  • 1
    @mvark terrible advice. You do know that everything you see from the browser is actually downloaded to your PC (even for a moment), or else you wouldn't be able to visualize it, right? – BgrWorker Feb 17 '17 at 16:26
  • 3
    @BgrWorker Gmail renders the PDF server-side; it's not downloaded _as a PDF_. But this breaks confidentiality _worse_ than sending it to VirusTotal. – zwol Feb 20 '17 at 13:21
  • 14
    I want to express my respect that you invest time and thought into the hassle that is computer security even though it's no primary requisite of your non-technical job as a journalist. – David Foerster Feb 20 '17 at 13:28
  • @zwol I was not aware of that, I assumed it was using the integrated pdf reader. The fact that it breaks confidentiality is a bit weak, considering OP already has all of his documents as mail attachments, unless he's hosting a mail server himself – BgrWorker Feb 20 '17 at 13:28
  • @BgrWorker Hosting his own mail server (using something like [SecureDrop](https://securedrop.org/)) is _table stakes_ for investigative journalism in 2017. – zwol Feb 20 '17 at 13:30
  • @BgrWorker The PDF content shown within the browser when you preview a PDF attachment is still HTML. You can verify this by inspecting the source through browser Dev Tools. Also refer to these related answers - http://security.stackexchange.com/a/12007/13133 , http://security.stackexchange.com/a/97918/13133 Do you have any proof to substantiate your claim that it is dangerous? Have you heard of any one's PC getting infected after they previewed a PDF (assuming it is infected) within Gmail? – mvark Feb 20 '17 at 14:54
  • @mvark As I already replied to zwol, I was not aware of Gmail rendering PDFs serverside. As you didn't specify why it was safe, I wrongly assumed it was downloaded and rendered by the browser as other providers do (my bad, I should've checked). I would've removed my comment, but I hate breaking the comment flow deleting one in the middle. – BgrWorker Feb 20 '17 at 15:00
  • If you are really worried about being infected, just avoid the risk entirely and don't accept PDFs or anything digital at all. Ask people to mail you instead and then destroy the documents when you are done. – oldmud0 Feb 20 '17 at 20:14
  • @NeilP Secure built-in reader? Are you sure about that? It is probably better than using Adobe which includes Flash and active content within pdfs. https://www.rapid7.com/db/modules/exploit/multi/browser/firefox_pdfjs_privilege_escalation – NoBugs Feb 21 '17 at 03:20
  • @NoBugs Quite the opposite, I'm saying you'd need to consider options so that a sandbox can't be circumvented by a user accidentally opening the file in Edge instead. – Neil P Feb 21 '17 at 09:18
  • 2
    @Tom if you are interested in Qubes OS and dont want to spend time in trying to install it then consider buying a Qubes OS Certified Laptop https://www.qubes-os.org/doc/certified-laptops/ which comes preinstalled with Qubes OS. – enigma Feb 26 '17 at 15:58

14 Answers14

164

I think the safest option for you would be to use Qubes OS with its built in DisposableVMs functionality, and its “Convert to Trusted PDF” tool.

What is Qubes OS?

Qubes is an operating system where it's all based on virtual machines. You can think of it as if you had different isolated ‘computers’ inside yours. So that way you can compartmentalize your digital life into different domains, so that you can have a ‘computer’ where you only do work related stuff, another ‘computer’ that is offline and where you store your password database and your PGP keys, and another ‘computer’ that is specifically dedicated for untrusted browsing... The possibilities are countless, and the only limit is your RAM and basically how much different ‘computers’ can be loaded at once. To insure that all these ‘computers’ are properly isolated from each other, and that they can't break to your host (called ‘dom0’ for domain 0) and thereby control all of your machine, Qubes uses the Xen hypervisor,[1] which is the same piece of software that is relied upon by many major hosting providers to isolate websites and services from each other such as Amazon EC2, IBM, Linode... Another cool thing is that each one of your ‘computers’ has a special color that is reflected in the windows' borders. So you can choose red for the untrusted ‘computer’, and blue for your work ‘computer’ (see for example picture below). Thus in practice it becomes really easy to see which domain you're working at. So let's say now that some nasty malware gets into your untrusted virtual machine, then it can't break and infect other virtual machines that may contain sensitive information unless it has an exploit that can use a vulnerability in Xen to break into dom0 (which is very rare), something that significantly raises the bar of security (before one would only need to deploy malware to your machine before controlling everything), and it will protect you from most attackers except the most resourced and sophisticated ones.

What are DisposableVMs?

The other answer mentioned that you can use a burner laptop. A Disposable Virtual Machine is kind of the same except that you're not bound by physical constraints: you have infinitely many disposable VMs at your wish. All it takes to create one is a click, and after you're done the virtual machine is destroyed. Pretty cool, huh? Qubes comes with a Thunderbird extension that lets you open file attachments in DisposableVMs, so that can be pretty useful for your needs.[2]

enter image description here

(Credits: Micah Lee)

What's that “Convert to Trusted PDF” you were talking about?

Let's say you found an interesting document, and let's say that you had an offline virtual machine specifically dedicated for storing and opening documents. Of course, you can directly send that document to that VM, but there could still be a chance that this document is malicious and may try for instance to delete all of your files (a behavior that you wouldn't notice in the short-lived DisposableVM). But you can also convert it into what's called a ‘Trusted PDF’. You send the file to a different VM, then you open the file manager, navigate to the directory of the file, right-click and choose “Convert to Trusted PDF”, and then send the file back to the VM where you collect your documents. But what does it exactly do? The “Convert to Trusted PDF” tool creates a new DisposableVM, puts the file there, and then transform it via a parser (that runs in the DisposableVM) that basically takes the RGB value of each pixel and leaves anything else. It's a bit like opening the PDF in an isolated environment and then ‘screenshoting it’ if you will. The file obviously gets much bigger, if I recall it transformed when I tested a 10Mb PDF into a 400Mb one. You can get much more details on that in this blogpost by security researcher and Qubes OS creator Joanna Rutkowska.


[1] : The Qubes OS team are working on making it possible to support other hypervisors (such as KVM) so that you can not only choose different systems to run on your VMs, but also the very hypervisor that runs these virtual machines.
[2] : You also additionaly need to configure an option so that the DisposableVM-that is generated once you click on “Open in DispVM”-will be offline, so that they can't get your IP address. To do that: "By default, if a DisposableVM is created (by Open in DispVM or Run in DispVM) from within a VM that is not connected to the Tor gateway, the new DisposableVM may route its traffic over clearnet. This is because DisposableVMs inherit their NetVMs from the calling VM (or the calling VM's dispvm_netvm setting if different). The dispvm_netvm setting can be configured per VM by: dom0 → Qubes VM Manager → VM Settings → Advanced → NetVM for DispVM." You'll need to set it to none so that it isn't connected to any network VM and wont have any Internet access.
[3] : Edit: This answer mentions Subgraph OS, hopefully when a Subgraph template VM is created for Qubes you could use it with Qubes, making thus exploits much harder, and thanks to the integrated sandbox it would require another sandbox escape exploit as well as a Xen exploit to compromise your entire machine.

user139336
  • 506
  • 1
  • 4
  • 10
  • 2
    Note that by default VMs can still access the internet; one of the uses of malicious PDFs is to expose the IP address of the reader. – Tgr Feb 17 '17 at 04:52
  • 1
    @Tgr I confirm. "By default, if a DisposableVM is created (by `Open in DispVM` or `Run in DispVM`) from within a VM that is not connected to the Tor gateway, the new DisposableVM may route its traffic over clearnet. This is because DisposableVMs inherit their `NetVMs` from the calling VM (or the calling VM's `dispvm_netvm` setting if different). The `dispvm_netvm` setting can be configured per VM by: `dom0 → Qubes VM Manager → VM Settings → Advanced → NetVM for DispVM`." This shouldn't be an issue by default if one configured their email VM on `whonix-ws` which routes all traffic through Tor. – user139336 Feb 17 '17 at 19:06
  • @Tgr But again this is Security StackExchange not Qubes StackExchange so I wanted to make my answer more focused on the security side :) – user139336 Feb 17 '17 at 19:07
  • 1
    E.g. for an investigative journalist collecting information in an authoritarian regime, that regime being able to track down their physical location by mailing them a specially crafted PDF is a pretty essential security vulnerability. I guess Tor protects you against that though. – Tgr Feb 17 '17 at 20:04
  • 2
    @Tgr Yeah, and as I said one can set the `dispvm_netvm` property so that the DisposableVM be offline with no network. This should be better than with Tor. – user139336 Feb 17 '17 at 20:51
  • @Tgr I added that to the answer as a footnote. – user139336 Feb 20 '17 at 12:07
  • While I really adore this answer, it's still worth noting that many VM managers support snapshots (along with disabling network and other essential features), essentially nullifying threat of "delete all files" attacks. If your's doesn't, live Linux images don't use hard drive anyways. – val is still with Monica Aug 13 '20 at 02:46
18

Safest would probably be a burner device. Grab a cheap laptop, and a mobile internet dongle, use it to download the documents, and manually copy across any contents to your main computer (literally retyping would be safest, if you're particularly worried). Since it's not on your network, it shouldn't be able to cause problems even if it got infected, and you'd be able to wipe it or just bin it if you have any particularly evil malware sent to you.

If you need actual contents from the files (e.g. embedded images), one option would be to install a PDF print driver on your burner device, and to print the incoming PDF files using it - this will generate PDF output, but, in theory, just the visual components. Printers don't tend to need script elements, hence they can be safely dropped. Bear in mind that some PDF printer drivers spot when you provide a PDF, and just pass it through unmodified - test before relying on it! Once you've got a clean PDF, email it back to yourself, and check with a virus scanner on your main machine before opening. Note that this doesn't completely eliminate the possibility of malware getting through, but should minimise the chances.

Matthew
  • 27,263
  • 7
  • 89
  • 101
  • I don't understand this well, should I use a burner device and connect to my email client there and download them in that device? – Tom the journalist Feb 14 '17 at 10:29
  • That's right. If you were particularly unlucky, you could potentially pick up some malware which affected your email account, but it would be unusual. For extra caution, forward them from your main email account to a burner account, and connect to that from the burner device. That would avoid any chance of any particularly sneaky malware being able to get your real mail login details. That might be over-paranoid though... – Matthew Feb 14 '17 at 10:33
  • But I'd have to download them first before forwarding them, isn't it? Couldn't that potentially be a risk? – Tom the journalist Feb 14 '17 at 10:53
  • Depends on your email system. If you've got a system which supports server-side rules, could have an automatic forwarding rule for all PDF files, or all PDF files from specific addresses. Most web interfaces also allow for forwarding without opening attachments (even things like OWA for internal mail servers). Downloading and not opening attachments should be relatively safe, as long as scripting is disabled in your mail client. – Matthew Feb 14 '17 at 11:01
  • 5
    I'd also nuke the burner device regularly even if nothing evil has been noticed. If you're under targeted attack, you wouldn't probably notice it anyway. It also puts its user into mindset that nothing personal should be stored there. – eis Feb 14 '17 at 11:14
  • 3
    What about transformation to image formats and then sending it to yourself ? That seems a lot more practical than just retyping it. – HopefullyHelpful Feb 14 '17 at 12:59
  • 1
    Depends what you need to transfer - for a few quotes, typing is easy enough. For pages, yeah, OCR is the way to go – Matthew Feb 14 '17 at 13:15
  • 4
    Rather than a pdf printer, you could use ghostscript (for example) to write an image file. Unlike an arbitary printer driver, gs will do as it's told. – Chris H Feb 14 '17 at 13:15
  • @ChrisH Even better idea - forgot about Ghostscript. I have seen a few PDFs it won't open, mostly with Adobe-only features in, but not that many, given the number of PDFs I've opened with it. – Matthew Feb 14 '17 at 13:37
  • 1
    @Matthew I've [created pdfs that gs can't handle](http://tex.stackexchange.com/a/347014/28808) but the use of graphics was close to a pathological case. Adobe choked on that file as well. – Chris H Feb 14 '17 at 13:41
  • 1
    @Matthew also Adobe-only features ~= Adobe-only vulnerabilities; just by interpreting the pdf through something that doesn't do scripting, you're reducing the attack surface – Chris H Feb 14 '17 at 15:34
  • @Matthew I think you are not taking into account the danger of holding a compromised device in an enterprise setting (burner or not). Once a pdf file will infect the burner device, network isolation is a must. – MiaoHatola Feb 14 '17 at 20:38
  • 1
    @MiaoHatola Read the first paragraph - I specifically mention it not being on the network. – Matthew Feb 14 '17 at 20:46
  • @Matthew Whoops! I've missed that. This makes this a complete answer in my opinion. You get my upvote. – MiaoHatola Feb 14 '17 at 20:53
13

So, I try to stick with these concerns in the "land of reasonable". With every security issue there is a balance of secure v.s. safe. For example, you could buy a laptop, read one PDF loaded from the web mail side of your email provider, re type any content you need on a "main computer" then destroy the laptop starting all over again with a new laptop. That would be pretty secure. Also costly, and a giant pain.

So back to a "reasonable" approach.

First, use Linux and a up to date PDF reader. By doing so you have really reduced your exposure. There are not as many viruses written for Linux as there are for windows. That alone will protect you quite a bit. The viruses that do work on Linux are more complicated to implement. Again reducing your exposure.

Next use a Virtual machine that supports snap-shotting. The idea is that you setup your Linux OS inside a virtual machine host (like VirtualBox) get it all setup then, "Snapshot" the state.

You can then do all your "risky" work inside the virtual machine. Using isolation options, I don't know of any virus that can "escape" the virtual machine and get to the host machine (doesn't mean they're not out there, just means it's more rare, and more complicated for the attacker).

At the end of the day, or any time during the day when you think you have gotten a virus, then you "revert" the machine to the previous snapshot. All the changes and data that "happened" after your snapshot are undone, including any work, viruses, etc.

During the day, you can open a PDF, scan it with ClamAV (or the like), copy and paste what you need, or what ever you need to do with the PDF files, so long as your Virtual Machine exists in isolation. That means that you don't give the virtual machine access to the host machine. You use something like email to transfer the files. Maybe FTP between the host and the virtual machine. Something, but not direct integration. Not dropbox either. Something where if you're going to transfer the file, then you're only going to transfer that one file after you're pretty sure it's safe. If you're using a Linux host and a Linux guest then scp is a great choice.

This gives you a "pretty secure", disposable environment, to check your questionable PDFs out, with the ability to "undo" damage that may happen, without having to really change much in your work flow.

Virtual machine hosts and guests can be almost any OS including Windows. Keep in mind that if you have a Linux guest and a Windows host the Linux virtual machine may not even be susceptible to a virus that is in the PDF that a Windows machine will be susceptible to. Scanning with an anti-virus scanner is important, no matter the OS combo in use.

forest
  • 65,613
  • 20
  • 208
  • 262
coteyr
  • 1,546
  • 9
  • 12
  • 7
    My only concern is that an investigative journalist needs to worry not just about run-of-the-mill viruses (for which the bar is "just be a less attractive target than your neighbour"), but may be actively targeted. In that case, if the attacker knows he is using Linux, he will be sent PDFs targeting Linux vulnerabilities. I *think* that not using Acrobat is still worthwhile, but it doesn't buy quite as much as you might hope. – Martin Bonner supports Monica Feb 15 '17 at 12:25
  • 2
    Which is why I say use the VM AND Linux AND up to date reader. Each one is only a part of the solution and not the entire solution. – coteyr Feb 15 '17 at 12:45
  • 3
    It was: "By doing so you have really reduced your exposure" that I was commenting on. My point is that for an ordinary user trying to browse porn safely, that is probably true; for an investigative journalist, less so. – Martin Bonner supports Monica Feb 15 '17 at 12:57
7

Using CubeOS and disposable VMs is a good approach.

Some other options (which can be combined with the CubeOS/DisVM one) :

Disarm the PDF

You can use ghostscript for that :

gs -dNOPAUSE -dBATCH -sDEVICE=tiffg4 \
  -dDownsampleMonoImages=false \
  -dDownsampleGrayImages=false \
  -dDownsampleColorImages=false \
  -r200 \
  -sOutputFile="$OUTFILE" -c .setpdfwrite -f "$FILE"
tiff2pdf -o "${OUTFILE%.*}.pdf" "$OUTFILE"

This pair of commands will render your PDF as an image, then embed this image in a PDF.

Detect suspicious PDF

Didier Stevens, a fellow belgian InfoSec researcher, wrote excellent tools to detect malicious PDF files. Look for one called pdfid.py

This tool analyses the content of the PDF to detect potentially malicious ones.

Basically, a PDF containing JavaScript or Auto-Open URLs should be considered suspicious.

Protect your tools

Whichever option you select, your tools can become the target of your threat agent. Patch them frequently and run them in a disposable / isolated environment.

jfs
  • 71
  • 2
  • QubesOS was already mentioned, though some of the other tools sound interesting. What are the functional differences, if any between using ghostscript and the built in "Convert to Trusted PDF" tool in Qubes, as mentioned in [this answer](http://security.stackexchange.com/a/151315/72874)? Does pdfid.py work similarly ordinary AV scanning? – timuzhti Feb 21 '17 at 09:34
4

Converting all the PDFs to some more "passive" format - maybe TIFF or postscript - could be done in batch, in a restricted account either on the local machine or on some linux box/VM. An exploit/malware being carried along into a different file format is very unlikely.

Files that are purely malicious will not even render that way; any exploit targeted at popular PDF viewers probably will not work with scripted conversion tools (which will mostly be based on the ghostscript engine); and the restricted account will keep a successful exploit from doing much damage.

A normal user account on an up-to-date linux machine is very difficult to "break out of" - do make sure that this machine doesn't have unregulated internet access though, since network access is the hardest to control.

If disclosure of the contents of the valid PDFs would have dire consequences, make sure only one PDF at a time is accessible to the account running the interpreter at a given time (eg by copying the file into a staging location from yet another user account, running the interpreter via su/sudo (not sudo to root!), then taking the result file away. Rinse, repeat.

Oh, and: Keep the original files away from any (especially Windows) PCs that are set up to do previews of files in Explorer, in email clients or similar frontends!

rackandboneman
  • 975
  • 4
  • 9
  • 5
    Postscript isn't passive. – Ben Voigt Feb 14 '17 at 15:30
  • If it was a postscript document directly received from an outside source - yes. Something written by your locally installed converter that rendered a pdf and wrote the result as a ps file is very unlikely to retain active malicious content. So, more passive as I said, not absolutely passive (I am well aware that postscript is actually a turing complete programming language). – rackandboneman Feb 14 '17 at 17:56
  • 1
    Because arbitrary postscript can be embedded in a PDF, it seems unwise to rely on a PDF->PS converter outputting only "clean" newly created postscript, as it may include some of the postscript code present at the input. Even if it passes through a "Postscript Creator" virtual printer. – Ben Voigt Feb 14 '17 at 19:18
  • To extend the comment by @Ben, if you're heading down this route, make sure you write (or thoroughly inspect) the converter before using it in this way. You might want to choose SVG instead (but beware that some SVG processors have JavaScript interpreters, so you might not be much better off). – Toby Speight Feb 15 '17 at 08:51
2

Depending on your threat model, even the "burner device" or virtual machine approach might not be sufficient. If an attacker is looking to identify your location, or even if a spammer wants to validate that your email address is active, then having the PDF phone home after being opened will expose you. Crafty PDFs might even contain worms to infect other machines, though I've never seen that in the wild.

Thus, after downloading the PDF, you may need to disconnect the device from the network before opening it.

dotancohen
  • 3,696
  • 3
  • 25
  • 34
1

I think Qubes OS is a great option, but you should also take a look into Subgraph OS (Note: It still is in its alpha version as of 2-2017, you should probably wait until a more stable version comes out to rely on it for strong security). It ships by default with a Linux kernel hardened with Grsecurity/PaX, and it has by default sandboxes around at-risk applications such as a PDF reader (Evince). Because of the kernel hardening, most exploits against the PDF reader would be mitigated. If however they're successful, then the attacker is still limited to the sandbox (Oz) in which the PDF runs,

The sandbox prevents Evince from accessing sensitive files on the computer, such as your encryption keys, email, personal documents, etc. Evince only requires access to the PDF(s) it is reading and some other files it needs to operate normally.

The sandbox also limits the types of actions that an attacker can do, such as limiting the system calls that an application (running in user-space) can make to ask the kernel (running in kernel-space) to do things such as read and write files, communicate over the network, etc., using a Linux feature called seccomp. Thus for example the sandbox also prevents the PDF reader (Evince) from connecting to the Internet, which protects you from an attacker who wants to get your IP address to discover your location.

You can get the full documentation on how to open PDF files in Subgraph OS here.

user140466
  • 19
  • 3
0

I would recommend a "isolated" device only for downloading and opening the pdfs. Ie. not connected to the rest of your network.

Then print it (paper can't transmit malware).

After that you could scan it, then you have a copy in image format. The printer should be isolated and connected only to the contaminated device aswell in this case. The scanner can be connected to the rest of your network.

If you want a faster workflow you could just transform them to images and then send them to yourself if you need to view them somewhere else, though you have to gurantee that the mail is not infected in some way. No links/images/javascript injected and the file format isn't executable or pdf.

Which means that the receiving end needs to view only text no html or javascript.

HopefullyHelpful
  • 1,254
  • 1
  • 12
  • 17
  • I'm still worried about the possibility of the file contaminating my computer in the download -> copy to USB process... – Tom the journalist Feb 14 '17 at 13:35
  • 1
    @Tomthejournalist: Where in this answer does "USB" even appear?! – user21820 Feb 14 '17 at 13:39
  • It's implicitly there when you assume that the device to open the PDF's is isolated, cause the PDF needs to get there first. Either that or the image file output of the process. – HopefullyHelpful Feb 14 '17 at 13:40
  • @user21820 how do you move a file to a device isolated from the rest of your network? I suppose you could use a floppy disk if you really wanted to. – Captain Man Feb 14 '17 at 15:54
  • @CaptainMan: It clearly says "not connected to the rest of your network", not "not connected to the internet"... – user21820 Feb 15 '17 at 03:04
  • Copying/moving a file should not be a security risk on any operating system. The PDF reader is not involved. Be aware that download links on websites could potentially activate some JavaScript. – Oskar Skog Feb 26 '17 at 12:19
0

This is a weaker (user-level) answer using firejail and xpdf, and maybe cpulimit:

firejail [...options...] xpdf suspicious.pdf

It's unclear to me what the best options would be for suspect PDF files. These seem to work, and would probably disable most nastiness:

firejail  --caps.drop=all  --machine-id  --net=none  --nonewprivs  \
          --memory-deny-write-execute --overlay-tmpfs  --seccomp \
          xpdf suspicious.pdf

If there's worry that the suspect PDF is also a CPU hog, prefix the first line with:

cpulimit -c 1 -l 10 -m -- \

Which would further restrict firejail and its child processes to using 10% of one CPU.

agc
  • 131
  • 4
-1

All the answers above seem feasible, but tbh, it seems much simpler to buy a really cheap laptop that functions as a kind-of burner, remove the hard drive (hence cheap), download a non-persistent os (linux is awesome!) on a thumbdrive (from personal computer), plug in usb and configure boot sequence, access your email (from thumbdrive), download pdf, disable wifi connection (preferably physically), open pdf, do work, terminate all non-relevant processes (if you need to reconnect) or reboot, hence destroying any viruses that could have been downloaded. The reason I have you remove your hard drive is so that the virus doesn't attempt to save everything (including itself) to another drive that isn't effected by the wipe.

PMARINA
  • 117
  • 3
  • 1
    Good idea, especially for someone who needs this routinely for professional reasons it might be worth buying cheap hardware. I'd like to add two things: 1) "disable wifi physically" is often nigh impossible. I'd suggest to use a cable, so you never need to connect to a wifi network (then the device never contains its password), or perhaps even remove the wifi chip (often fairly easy). And 2) I'd overwrite the stick or sd card after use, not terminate processes or reboot. – Luc Feb 26 '17 at 15:13
  • @Luc some computers have wifi switches that actually disable the chip (not a signal to software), but probably not the newer computers we see nowadays. Cable would be safer though; you're absolutely right. If it's a nonpersistant system, idk if any virus could remain and be executable. Finally, if you ever find that you're being infected or think something's wrong, overwriting is the way to go. You might also consider removing the battery and forcing the computer to run as a desktop (something goes bad, you pull power) – PMARINA Feb 27 '17 at 03:33
-1

I would recommend buying a cheap Android phone (they're around 50$ nowadays) and using it to open documents. Send your files to the cloud and then download them into your Android phone. That way your computer stays remarkably safe from damage from malicious PDFs.

user140270
  • 15
  • 1
  • @OskarSkog Factory reset does not protect against malware that uses exploits to get root. Flashing it might be more reliable, though I can't say exactly how reliable. – Luc Feb 26 '17 at 15:15
  • Take the battery out. That will limit the time the malware can be spreading from the phone. – Oskar Skog Feb 26 '17 at 20:18
  • 1
    Why the down votes? This is such a simple but efficient solution: the only thing the PDFs could affect is a phone that isn't used for anything but this specific purpose. – Oskar Skog Feb 26 '17 at 20:21
  • A firewall on a separate WiFi for that phone could be used to restrict malware from spreading from the phone. If you can't set it up, take the battery out whenever you aren't using that phone. Remember to never use that phone for anything else. – Oskar Skog Feb 26 '17 at 20:23
-3

Open the files in a sandbox.

If you're infected, the infection should be contained and you can reset this virtual environment.

Edit:

A sandbox is a virtual environment which you can create and remove at will, like a virtual desktop where you can do anything and then reset it back to the initial stage.

Infected? Simply reset.

Avast antivirus (paid version) for example has a sandbox solution which allows you to right click on the file and open it in a sandbox.

There are tons of solutions like this, another example is Sandboxie

Edit 2:

Removed the MD5 suggestion, it's inferior to the sandbox solution.

FatSecurity
  • 507
  • 3
  • 8
  • I mentioned virustotal in the post and why it's not convenient for this type of work. Your second proposal is interesting, can you please add more details to it? – Tom the journalist Feb 14 '17 at 10:24
  • Regarding VT - when you convert the file to a hash, it's a one way conversion and VT doesn't receive your files. It's not bulletproof from malware (because not all hashes are known to VT), but it's bulletproof from leaking. Regarding the sandbox solution: a sandbox is a virtual environment which you can create and remove at will, like a virtual desktop where you can do anything and then reset it back to the initial stage. Infected? Just reset. Avast antivirus (paid version) for example has a sandbox solution which allows you to right click on the file and open it in a sandbox. – FatSecurity Feb 14 '17 at 10:29
  • 8
    But the PDF would be unique, it most probably wont be in virustotal database. Thanks for your clarifications regarding the sandbox, I will look into that. – Tom the journalist Feb 14 '17 at 10:32
  • That's why I say it's not bulletproof, but then again - if someone is attempting to infect you with malware they might not go through the effort of creating a unique file for you. Changing the file name won't result in a different MD5 hash, only changing the file's content. – FatSecurity Feb 14 '17 at 10:35
  • @AntivirusExpert but pdfs are perfectly capable of having content change randomly on the fly to defeat this sort of scanning (as has been done for years or even decades in .exe etc. malware). I've just tested and you can replace header data using something as trivial as `sed`; this would change the MD5sum. You would have to assume that a malware creator could and would do that. Not to mention that the source might make it unique in this threat model – Chris H Feb 14 '17 at 13:13
  • @ChrisH You're right, it's not bulletproof. A Sandbox is the better solution. I changed my answer to reflect that. – FatSecurity Feb 14 '17 at 13:53
-6

Use OpenBSD or FreeBSD, they have been designed to be as secure as possible. They also don't require much technical knowledge. Using docker containers to handle PDF files would be ultra safe.

  • The PDF readers on FreeBSD are probably as vulnerable as the ones on Linux, they're most likely compiled from the same source. OpenBSD is tougher against specific attack techniques but not immune to the threat. – Oskar Skog Feb 26 '17 at 12:11
  • 1
    "They also don't require much technical knowledge." Depends on who you are. I have not been able to install X on FreeBSD, so rendering PDFs will be very difficult. And I have a lot more technical knowledge than the average Joe. – Oskar Skog Feb 26 '17 at 12:13
-6

Just use an Ubuntu Touch smartphone. Unlike Android and iOS, it is not very popular, so there are fewer people looking for exploits. Thus, there is a lower probability of getting exploited by malicious PDFs. It's not just Ubuntu Touch, you can use any mobile OS that is not popular.

Jedi
  • 3,936
  • 2
  • 24
  • 42
  • 3
    Welcome to Information Security SE. Recommending this kind of security through obscurity is unlikely to be foolproof, especially since OP seems like he may be subjected to targeted attacks. "Not popular" implies many other things apart from "few exploits in the wild". – Jedi Feb 26 '17 at 14:35