Virtualization as security

Virtual computer, real security

There are many ways to keep your computer secure. Your own behavior affects it a lot and we at F-Secure are happy to help protecting you with our products. But there are also many tools that can improve your security even if that wasn’t their initial purpose. Melissa and Sean described how you can use separate browsers to lower the risk for human errors. Virtualization is another technology that can improve security as a side effect. It’s a like the separate browsers idea, but takes it a lot further. Read on to learn more.

Virtualization in computing means to simulate something with software. What we talk about here is to create a whole virtual computer inside a real computer. It’s complex under the hood, but there are luckily easy products that can be used by almost anyone. This technology is by the way used extensively in the software industry. Huge number of virtual computers can be used to process data or test software. A large portion of the Internet is also provided by virtual servers.

But how can this improve my security? Most malware is made for profit and interfering with your on-line banking is a common payload. But what if you run your on-line banking on a separate computer? Buying another machine costs money and consumes space, but that can be solved by using a virtual computer instead. That virtual machine would only be used for banking, nothing else. A malware infection could happen if your guard is down and you open a malicious file in the mail. Or surf to a site witch is infected with a drive-by download. Both cases could infect your real computer, but the malware can’t see what you are doing with the bank inside the virtual machine. One could also use the opposite strategy. Use a virtual machine when doing something risky, like looking for downloads on shady servers. A previously made snapshot can easily be restored if something bad hits the virtual machine.

An additional benefit is that this gives you an excellent opportunity to play around with different operating systems. Install Linux/Windows/OS X just to become familiar with them. Do you have some hardware which driver won’t work in your new machine? No problem, install a virtual machine with an older operating system.

OK, sounds like a good idea. But can I do it? Here’s what it takes.

  1. You need a fairly new and powerful computer. Especially the amount of RAM memory is critical. You are usually OK with 8 GB, but more is desirable. This is probably a bad idea if you have less. (This depends a lot on what operating system you are running and what you want to run in the virtual machines.)
  2. You need to download and install a virtualization product. Two good alternatives are VirtualBox by Oracle (free) and VMWare Player by VMWare (free for personal use).
  3. You need to have an installation media for the operating system you want to run in the virtual machine. This is easy for Linux as you can download the installer freely from the net. Hint: Google: download linux.
  4. You need to know how to install an operating system. This is not as nerdy as it sounds. Modern operating systems have easy installers that most people are able to use. And don’t worry if you make a mistake. It’s just a virtual machine and you can go back to the beginning at any time without losing anything (except some time).

I’m not going to provide detailed instructions for this. That depends too much on which virtualization product and operating system you use. And it would beside that be like reinventing the wheel. You will find plenty of step-by-step instructions by Googling for what you want to do, for example “install Linux in VirtualBox”.

But for your convenience, here’s an overview of the process.

  1. Select one of the virtualization products and ensure that your computer meets its system requirements.
  2. Download and install the virtualization product.
  3. Ensure that you have an installation media for the operating system you want to use and any keycodes etc. that may be needed during installation. The media can be a physical disk or USB-memory, or a disk stored as an image file. The virtualization software can mount disk image files as a device in the virtual machine and there’s no need to burn a disk for this purpose.
  4. Now follow the instructions you found on the net. They will help you create the virtual machine, mount the installation media in it and go through the operating system installation.
  5. After this you can use the virtualization product’s console to start the virtual machine when needed. It shows up full-screen or in a window depending on the settings. Inside it you can do what you want, install programs surf the net, etc.
  6. For the banking virtual computer you just need to install the browser of your choice, make sure it’s updated and patched and make your bank the home page. Don’t install anything else unless it really is needed for the banking connection and don’t use this virtual machine for anything else.
  7. You can create multiple virtual machines, but be careful if you try to run them at once. Your computer may not have what it takes. As said, RAM memory is the critical resource here.

Safe surfing,

Edited to add: It is of course a good habit to exercise the same basic security measurements inside virtual machines as in real computers. Turn on the operating system’s update function, install your anti-virus program and make sure your browser is kept up to date. Doing just banking with the virtual machine reduces the risk a lot, but this is good advice even in that case. And needless to say, the virtual machine’s armor is essential if you use it for high-risk tasks. Thanks Dima for providing feedback.

More posts from this topic


Why Cameron hates WhatsApp so much

It’s a well-known fact that UK’s Prime Minister David Cameron doesn’t care much about peoples’ privacy. Recently he has been driving the so called Snooper’s Charter that would give authorities expanded surveillance powers, which got additional fuel from the Paris attacks. It is said that terrorists want to tear down the Western society and lifestyle. And Cameron definitively puts himself in the same camp with statements like this: “In our country, do we want to allow a means of communication between people which we cannot read? No, we must not.” David Cameron Note that he didn’t say terrorists, he said people. Kudos for the honesty. It’s a fact that terrorist blend in with the rest of the population and any attempt to weaken their security affects all of us. And it should be a no-brainer that a nation where the government can listen in on everybody is bad, at least if you have read Orwell’s Nineteen Eighty-Four. But why does WhatsApp occur over and over as an example of something that gives the snoops grey hair? It’s a mainstream instant messenger app that wasn’t built for security. There are also similar apps that focus on security and privacy, like Telegram, Signal and Wickr. Why isn’t Cameron raging about them? The answer is both simple and very significant. But it may not be obvious at fist. Internet was by default insecure and you had to use tools to fix that. The pre-Snowden era was the golden age for agencies tapping into the Internet backbone. Everything was open and unencrypted, except the really interesting stuff. Encryption itself became a signal that someone was of interest, and the authorities could use other means to find out what that person was up to. More and more encryption is being built in by default now when we, thanks to Snowden, know the real state of things. A secured connection between client and server is becoming the norm for communication services. And many services are deploying end-to-end encryption. That means that messages are secured and opened by the communicating devices, not by the servers. Stuff stored on the servers are thus also safe from snoops. So yes, people with Cameron’s mindset have a real problem here. Correctly implemented end-to-end encryption can be next to impossible to break. But there’s still one important thing that tapping the wire can reveal. That’s what communication tool you are using, and this is the important point. WhatsApp is a mainstream messenger with security. Telegram, Signal and Wickr are security messengers used by only a small group people with special needs. Traffic from both WhatsApp and Signal, for example, are encrypted. But the fact that you are using Signal is the important point. You stick out, just like encryption-users before. WhatsApp is the prime target of Cameron’s wrath mainly because it is showing us how security will be implemented in the future. We are quickly moving towards a net where security is built in. Everyone will get decent security by default and minding your security will not make you a suspect anymore. And that’s great! We all need protection in a world with escalating cyber criminality. WhatsApp is by no means a perfect security solution. The implementation of end-to-end encryption started in late 2014 and is still far from complete. The handling of metadata about users and communication is not very secure. And there are tricks the wire-snoops can use to map peoples’ network of contacts. So check it out thoroughly before you start using it for really hot stuff. But they seem to be on the path to become something unique. Among the first communication solutions that are easy to use, popular and secure by default. Apple's iMessage is another example. So easy that many are using it without knowing it, when they think they are sending SMS-messages. But iMessage’s security is unfortunately not flawless either.   Safe surfing, Micke   PS. Yes, weakening security IS a bad idea. An excellent example is the TSA luggage locks, that have a master key that *used to be* secret.   Image by Sam Azgor

November 26, 2015
Secure Wordpress site, mobile blogging, tablet by the bay

This is why you need to protect your WordPress username and password

If you run a Wordpress site, you know that criminals around the world would love to use it to spread malware. Last month, F-Secure Labs spike in "Flash redirectors" that automatically redirect the visitor to a site with the goal of infecting them with malware, in this case the Angler exploit kit. The source was compromised websites -- specifically Wordpress sites. This isn't a new find for the Labs but what is unique is one of the tactics of the attack -- seeking out Wordpress usernames. Why? "After obtaining the username, the only thing that the attacker would need to figure out is the password," Patricia from The Labs explains. "The tool used by the attacker attempted around 1200 passwords before it was able to successfully login." If you happen to have one of those passwords, bam. You site is serving up malware, which is not only harmful to your visitors, it can cost you tons of traffic as Google delists you. Keeping your server and plugins up to date is essential for avoiding most attacks. Beyond that, this attack points to the need to both protect your Wordpress username AND always use a unique, strong password. "Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything," Patricia notes. You can also protect your server from enumeration attacks that discover the usernames of your bloggers. To see how to do that, visit our News from the Labs blog. It's pretty amazing what people can figure out about you with just your login and password. But when you're running a website, which can be part or all of your livelihood, the only way to keep from handing criminals the key to your front door is to make sure your password can't be figured out by anyone but you. And turn on two-step authentication if you haven't already. Cheers, Jason

November 26, 2015

POLL – Is it OK for security products to collect data from your device?

We have a dilemma, and maybe you want to help us. I have written a lot about privacy and the trust relationship between users and software vendors. Users must trust the vendor to not misuse data that the software handles, but they have very poor abilities to base that trust on any facts. The vendor’s reputation is usually the most tangible thing available. Vendors can be split into two camps based on their business model. The providers of “free” services, like Facebook and Google, must collect comprehensive data about the users to be able to run targeted marketing. The other camp, where we at F-Secure are, sells products that you pay money for. This camp does not have the need to profile users, so the privacy-threats should be smaller. But is that the whole picture? No, not really. Vendors of paid products do not have the need to profile users for marketing. But there is still a lot of data on customers’ devices that may be relevant. The devices’ technical configuration is of course relevant when prioritizing maintenance. And knowing what features actually are used helps plan future releases. And we in the security field have additional interests. The prevalence of both clean and malicious files is important, as well as patterns related to malicious attacks. Just to name a few things. One of our primary goals is to guard your privacy. But we could on the other hand benefit from data on your device. Or to be precise, you could benefit from letting us use that data as it contributes to better protection overall. So that’s our dilemma. How to utilize this data in a way that won’t put your privacy in jeopardy? And how to maintain trust? How to convince you that data we collect really is used to improve your protection? Our policy for this is outlined here, and the anti-malware product’s data transfer is documented in detail in this document. In short, we only upload data necessary to produce the service, we focus on technical data and won’t take personal data, we use hashing of the data when feasible and we anonymize data so we can’t tell whom it came from. The trend is clearly towards lighter devices that rely more on cloud services. Our answer to that is Security Cloud. It enables devices to off-load tasks to the cloud and benefit from data collected from the whole community. But to keep up with the threats we must develop Security Cloud constantly. And that also means that we will need more info about what happens on your device. That’s why I would like to check what your opinion about data upload is. How do you feel about Security Cloud using data from your device to improve the overall security for all users? Do you trust us when we say that we apply strict rules to the data upload to guard your privacy?   [polldaddy poll=9196371]   Safe surfing, Micke   Image by  

November 24, 2015