Virtualization as security

Virtual computer, real security

There are many ways to keep your computer secure. Your own behavior affects it a lot and we at F-Secure are happy to help protecting you with our products. But there are also many tools that can improve your security even if that wasn’t their initial purpose. Melissa and Sean described how you can use separate browsers to lower the risk for human errors. Virtualization is another technology that can improve security as a side effect. It’s a like the separate browsers idea, but takes it a lot further. Read on to learn more.

Virtualization in computing means to simulate something with software. What we talk about here is to create a whole virtual computer inside a real computer. It’s complex under the hood, but there are luckily easy products that can be used by almost anyone. This technology is by the way used extensively in the software industry. Huge number of virtual computers can be used to process data or test software. A large portion of the Internet is also provided by virtual servers.

But how can this improve my security? Most malware is made for profit and interfering with your on-line banking is a common payload. But what if you run your on-line banking on a separate computer? Buying another machine costs money and consumes space, but that can be solved by using a virtual computer instead. That virtual machine would only be used for banking, nothing else. A malware infection could happen if your guard is down and you open a malicious file in the mail. Or surf to a site witch is infected with a drive-by download. Both cases could infect your real computer, but the malware can’t see what you are doing with the bank inside the virtual machine. One could also use the opposite strategy. Use a virtual machine when doing something risky, like looking for downloads on shady servers. A previously made snapshot can easily be restored if something bad hits the virtual machine.

An additional benefit is that this gives you an excellent opportunity to play around with different operating systems. Install Linux/Windows/OS X just to become familiar with them. Do you have some hardware which driver won’t work in your new machine? No problem, install a virtual machine with an older operating system.

OK, sounds like a good idea. But can I do it? Here’s what it takes.

  1. You need a fairly new and powerful computer. Especially the amount of RAM memory is critical. You are usually OK with 8 GB, but more is desirable. This is probably a bad idea if you have less. (This depends a lot on what operating system you are running and what you want to run in the virtual machines.)
  2. You need to download and install a virtualization product. Two good alternatives are VirtualBox by Oracle (free) and VMWare Player by VMWare (free for personal use).
  3. You need to have an installation media for the operating system you want to run in the virtual machine. This is easy for Linux as you can download the installer freely from the net. Hint: Google: download linux.
  4. You need to know how to install an operating system. This is not as nerdy as it sounds. Modern operating systems have easy installers that most people are able to use. And don’t worry if you make a mistake. It’s just a virtual machine and you can go back to the beginning at any time without losing anything (except some time).

I’m not going to provide detailed instructions for this. That depends too much on which virtualization product and operating system you use. And it would beside that be like reinventing the wheel. You will find plenty of step-by-step instructions by Googling for what you want to do, for example “install Linux in VirtualBox”.

But for your convenience, here’s an overview of the process.

  1. Select one of the virtualization products and ensure that your computer meets its system requirements.
  2. Download and install the virtualization product.
  3. Ensure that you have an installation media for the operating system you want to use and any keycodes etc. that may be needed during installation. The media can be a physical disk or USB-memory, or a disk stored as an image file. The virtualization software can mount disk image files as a device in the virtual machine and there’s no need to burn a disk for this purpose.
  4. Now follow the instructions you found on the net. They will help you create the virtual machine, mount the installation media in it and go through the operating system installation.
  5. After this you can use the virtualization product’s console to start the virtual machine when needed. It shows up full-screen or in a window depending on the settings. Inside it you can do what you want, install programs surf the net, etc.
  6. For the banking virtual computer you just need to install the browser of your choice, make sure it’s updated and patched and make your bank the home page. Don’t install anything else unless it really is needed for the banking connection and don’t use this virtual machine for anything else.
  7. You can create multiple virtual machines, but be careful if you try to run them at once. Your computer may not have what it takes. As said, RAM memory is the critical resource here.

Safe surfing,
Micke

Edited to add: It is of course a good habit to exercise the same basic security measurements inside virtual machines as in real computers. Turn on the operating system’s update function, install your anti-virus program and make sure your browser is kept up to date. Doing just banking with the virtual machine reduces the risk a lot, but this is good advice even in that case. And needless to say, the virtual machine’s armor is essential if you use it for high-risk tasks. Thanks Dima for providing feedback.

More posts from this topic

Juhannus

How To Prepare Yourself and Your Phone For Juhannus

In Finland, there is this thing called juhannus. A few years ago, our former colleague Hetta described it like this: Well, Midsummer – or juhannus – as it is called in Finnish, is one of the most important public holidays in our calendar. It is celebrated, as you probably guessed, close to the dates of the Summer Solstice, when day is at its longest in the northern hemisphere. Finland being so far up north, the sun doesn’t set on juhannus at all. Considering that in the winter we get the never ending night, it’s no surprise we celebrate the sun not setting. So what do Finns do to celebrate juhannus? I already told you we flock to our summer cottages, but what then? We decorate the cottage with birch branches to celebrate the summer, we stock up on new potatoes which are just now in season and strawberries as well. We fire up the barbecue and eat grilled sausages to our hearts content. We burn bonfires that rival with the unsetting sun. And we get drunk. If that isn't vivid enough, this video may help: [protected-iframe id="f18649f0b62adf8eb1ec638fa5066050-10874323-9129869" info="https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2Fsuomifinland100%2Fvideos%2F1278272918868972%2F&show_text=0&width=560" width="560" height="315" frameborder="0" style="border: none; overflow: hidden;" scrolling="no"] And because the celebration is just so... celebratory, it's easy to lose your phone. So here are a few ways to prepare yourself for a party that lasts all night. 1. Don't use 5683 as your passcode. That spells love and it's also one of the first passcodes anyone trying to crack into your phone will try. So use something much more creative -- and use a 6-digit code if you can on your iPhone. You can also encrypt your Android. 2. Write down your IMEI number. If you lose your phone, you're going to need this so make sure you have it written down somewhere safe. 3. Back your content up. This makes your life a lot easier if your party goes too well and it's pretty simple on any iOS device. Just make sure you're using a strong, unique password for your iCloud account. Unfortunately on an Android phone, you'll have to use a third-party app. 4. Maybe just leave it home. Enjoy being with your friends and assume that they'll get the pictures you need to refresh your memory. And while you're out you can give your phone a quick internal "clean" with our free Boost app. [Image by Janne Hellsten | Flickr]

June 22, 2016
instagram bug hunter, mikko and jani, young hacker

10-Year-Old Who Took Home $10,000 Instagram Bug Bounty Visits F-Secure Labs

Mikko Hyppönen -- our Chief Research Officer and probably the most famous code warrior ever to come out of Finland -- likes to point out that he was born the same year as the internet. Jani -- the ten-year-old from Helsinki who made international news by earning Instagram's top bug bounty prize for uncovering a security flaw in the photo-sharing site -- was born a couple a years after Facebook was invented in 2004 and just four years before Instagram went online in 2010. And he's already made some history. Jani discovered a flaw in the site that would have allowed him -- or anyone -- to delete content from any user from the site, even stars with tens of millions of followers including Taylor Swift, Selena Gomez and Beyonce. Like any good white-hat hacker he didn't take advantage of the vulnerability. Instead, he reported the bug to Facebook, which now owns the app, directly. His maturity paid off. Even though he is not technically old enough to use the site according Instagram's terms and conditions, he's become the youngest person ever to win a $10,000 bug bounty, which he's used to purchase a soccer ball, a bike and other essential gear for being ten. To celebrate his feat, F-Secure Labs invited Jani to visit our headquarters for a hamburger and a tour. The visit gave our experts a chance to share their stories about how they were drawn to cybersecurity. Mikko learned to love computers from his mother who was in the industry. Päivi was guided into the field by her father and discovered that she has a passion for rooting out spam.  When Tomi was a kid striving to learn the rules of the coin games his friends played so he could hack them and win, he recognized that he didn't see the world like everyone else. Jani has already discovered the same thing. Though he finds plenty of time for school and playing with his friends, he spends 2-3 hours during his off days hunting for vulnerabilities and looking out for new bug bounty programs -- like our own -- that allow him to test his skills. How did he find the vulnerability in Instagram? First he created two accounts. He posted a comment using one account and then just using the publicly available content id number he was able to delete the comment using the other. Immediately he recognized the potential for such a flaw to be exploited. Mikko and Tomi were impressed by how Jani used Linux and Burp Suite --  a tool that pros like the analysts in our Labs use to analyze network traffic -- to help identify the bug. While he used to be interested in a career in video games, Jani says he's now thinking about becoming a cybersecurity specialist. Mikko and Tomi advised him to finish school and stay on the right side of the law. They also invited him to spend a week or two working at the Labs to see how he likes the job, when he's old enough. He's planning on taking them up on the offer, saying that F-Secure looks like a "fun and cool" place to work. Nice. We're always looking for new talent and even Mikko may retire one day.  

June 22, 2016
BY