Virtualization as security

Virtual computer, real security

There are many ways to keep your computer secure. Your own behavior affects it a lot and we at F-Secure are happy to help protecting you with our products. But there are also many tools that can improve your security even if that wasn’t their initial purpose. Melissa and Sean described how you can use separate browsers to lower the risk for human errors. Virtualization is another technology that can improve security as a side effect. It’s a like the separate browsers idea, but takes it a lot further. Read on to learn more.

Virtualization in computing means to simulate something with software. What we talk about here is to create a whole virtual computer inside a real computer. It’s complex under the hood, but there are luckily easy products that can be used by almost anyone. This technology is by the way used extensively in the software industry. Huge number of virtual computers can be used to process data or test software. A large portion of the Internet is also provided by virtual servers.

But how can this improve my security? Most malware is made for profit and interfering with your on-line banking is a common payload. But what if you run your on-line banking on a separate computer? Buying another machine costs money and consumes space, but that can be solved by using a virtual computer instead. That virtual machine would only be used for banking, nothing else. A malware infection could happen if your guard is down and you open a malicious file in the mail. Or surf to a site witch is infected with a drive-by download. Both cases could infect your real computer, but the malware can’t see what you are doing with the bank inside the virtual machine. One could also use the opposite strategy. Use a virtual machine when doing something risky, like looking for downloads on shady servers. A previously made snapshot can easily be restored if something bad hits the virtual machine.

An additional benefit is that this gives you an excellent opportunity to play around with different operating systems. Install Linux/Windows/OS X just to become familiar with them. Do you have some hardware which driver won’t work in your new machine? No problem, install a virtual machine with an older operating system.

OK, sounds like a good idea. But can I do it? Here’s what it takes.

  1. You need a fairly new and powerful computer. Especially the amount of RAM memory is critical. You are usually OK with 8 GB, but more is desirable. This is probably a bad idea if you have less. (This depends a lot on what operating system you are running and what you want to run in the virtual machines.)
  2. You need to download and install a virtualization product. Two good alternatives are VirtualBox by Oracle (free) and VMWare Player by VMWare (free for personal use).
  3. You need to have an installation media for the operating system you want to run in the virtual machine. This is easy for Linux as you can download the installer freely from the net. Hint: Google: download linux.
  4. You need to know how to install an operating system. This is not as nerdy as it sounds. Modern operating systems have easy installers that most people are able to use. And don’t worry if you make a mistake. It’s just a virtual machine and you can go back to the beginning at any time without losing anything (except some time).

I’m not going to provide detailed instructions for this. That depends too much on which virtualization product and operating system you use. And it would beside that be like reinventing the wheel. You will find plenty of step-by-step instructions by Googling for what you want to do, for example “install Linux in VirtualBox”.

But for your convenience, here’s an overview of the process.

  1. Select one of the virtualization products and ensure that your computer meets its system requirements.
  2. Download and install the virtualization product.
  3. Ensure that you have an installation media for the operating system you want to use and any keycodes etc. that may be needed during installation. The media can be a physical disk or USB-memory, or a disk stored as an image file. The virtualization software can mount disk image files as a device in the virtual machine and there’s no need to burn a disk for this purpose.
  4. Now follow the instructions you found on the net. They will help you create the virtual machine, mount the installation media in it and go through the operating system installation.
  5. After this you can use the virtualization product’s console to start the virtual machine when needed. It shows up full-screen or in a window depending on the settings. Inside it you can do what you want, install programs surf the net, etc.
  6. For the banking virtual computer you just need to install the browser of your choice, make sure it’s updated and patched and make your bank the home page. Don’t install anything else unless it really is needed for the banking connection and don’t use this virtual machine for anything else.
  7. You can create multiple virtual machines, but be careful if you try to run them at once. Your computer may not have what it takes. As said, RAM memory is the critical resource here.

Safe surfing,

Edited to add: It is of course a good habit to exercise the same basic security measurements inside virtual machines as in real computers. Turn on the operating system’s update function, install your anti-virus program and make sure your browser is kept up to date. Doing just banking with the virtual machine reduces the risk a lot, but this is good advice even in that case. And needless to say, the virtual machine’s armor is essential if you use it for high-risk tasks. Thanks Dima for providing feedback.

More posts from this topic


What is a supercookie and why is it more important than you think?

Many techie terms in the headlines lately. Supercookies, supertrackers, HTTP headers and X-UIDH. If you just skim the news you will learn that this is some kind of new threat against our privacy. But what is it really? Let’s dig a bit deeper. We will discover that this is an issue of surprisingly big importance. Cookies are already familiar to most of us. These are small pieces of information that a web server can ask our browser to store. They are very useful for identifying users and managing sessions. They are designed with security and privacy in mind, and users can control how these cookies are used. In short, they are essential, they can be a privacy problem but we have tools to manage that threat. What’s said above is good for us ordinary folks, but not so good for advertisers. Users get more and more privacy-aware and execute their ability to opt out from too excessive tracking. The mobile device revolution has also changed the game. More and more of our Internet access is done through apps instead of the browser. This is like using a separate “browser” for all the services we use, and this makes it a lot harder to get an overall picture of our surfing habits. And that’s exactly what advertisers want, advertising is like a lottery with bad odds unless they know who’s watching the ad. A new generation of supercookies (* were developed to fight this trend. It is a piece of information that is inserted in your web traffic by your broadband provider. Its purpose is to identify the user from whom the traffic comes. And to generate revenue for the broadband provider by selling information about who you really are to the advertisers. These supercookies are typically used on mobile broadband connections where the subscription is personal, meaning that all traffic on it comes from a single person. So why are supercookies bad? They are inserted in the traffic without your consent and you have no way to opt out. They are not visible at all on your device so there is no way to control them by using browser settings or special tools. They are designed to support advertisers and generate revenue for the mobile broadband provider. Your need for privacy has not been a design goal. They are not domain-specific like ordinary cookies. They are broadcasted to any site you communicate with. They were designed to remain secret. They are hidden in an obscure part of the header information that very few web administrators need to touch. There are two ways to pay for Internet services, with money or by letting someone profile you for marketing purposes. This system combines both. You are utilized for marketing profit by someone you pay money to. But what can and should I do as an ordinary user? Despite the name, this kind of supercookies are technically totally different from ordinary cookies. The privacy challenges related with ordinary cookies are still there and need to be managed. Supercookies have not replaced them. Whatever you do to manage ordinary cookies, keep doing it. Supercookies are only used by some mobile broadband providers. Verizon and AT&T have been most in the headlines, but at least AT&T seems to be ramping down as a result of the bad press. Some other operators are affected as well. If you use a device with a mobile broadband connection, you can test if your provider inserts them. Go to this page while connected over the device’s own data connection, not WiFi. Check what comes after “Broadcast UID:”. This field should be empty. If not, then your broadband provider uses supercookies. Changing provider is one way to get rid of them. Another way is to use a VPN-service. This will encapsulate all your traffic in an encrypted connection, which is impossible to tamper with. We happen to have a great offering for you, F-secure Freedome. Needless to say, using Freedome on your mobile device is a good idea even if you are not affected by these supercookies. Check the site for more details. Last but not least. Even if you’re unaffected, as most of you probably are, this is a great reminder of how important net neutrality is. It means that any carrier that deliver your network traffic should do that only, and not manipulate it for their own profit. This kind of tampering is one evil trick, throttling to extort money from other businesses is another. We take neutrality and equal handling for granted on many other common resources in our society. The road network, the postal service, delivery of electricity, etc. Internet is already a backbone in society and will grow even more important in the future. Maintaining neutrality and fair rules in this network is of paramount importance for our future society.   Safe surfing, Micke   PS. The bad press has already made AT&T drop the supercookies, which is great. All others involved mobile broadband providers may have done the same by the time you are reading this. But this is still an excellent example of why net neutrality is important and need to be guaranteed by legislation.     (* This article uses the simplified term supercookie for the X-UIDH -based tracker values used by Verizon, AT&T and others in November 2014. Supercookie may in other contexts refer to other types of cookie-like objects. The common factor is that a supercookie is more persistent and harder to get rid of than an ordinary cookie.   Image by Jer Thorp  

Nov 18, 2014

5 ways to get ready to ask Mikko anything

It's like a press conference anyone can join from anywhere. And even if you don't have a question, you can upvote the ones you don't like and downvote the ones you do. President Obama did one. Snoop Dogg/Snoop Lion did one. An astronaut did one from outer space. And our Mikko Hypponen will sit down for his second Reddit AMA on December 2 at 9 AM ET. If you have something you've wanted to ask him about online security, great. If not, here are five resources that document some of Mikko's more than two decades in the security industry to prod you or prepare you. 1. Check out this 2004 profile of his work from Vanity Fair. 2. Watch his 3 talks that have been featured on [protected-iframe id="7579bbf790267cc081ac7d92d951262c-10874323-9129869" info="" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="fdf818f4afa2f7dcb179c5516c44918c-10874323-9129869" info="" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="54be2fe9bce28ae991becbe3d4291e56-10874323-9129869" info="" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] 3. Check out his first AMA, which took place just after his first talk at TEDglobal was published. 4. Take a trip to Pakistan with Mikko to meet the creators of the first PC virus. [protected-iframe id="8c0605f62076aa901ed165dbd3f4fcd7-10874323-9129869" info="//" width="640" height="360"] 5. To get a sense of what he's been thinking about recently, watch his most recent talk at Black Hat "Governments as Malware Creators". [protected-iframe id="54b24406f022e81b15ad6dadf2adfc93-10874323-9129869" info="//" width="640" height="360"] BONUS: Make sure you follow him on Twitter to get a constant stream of insight about online security, privacy and classic arcade games. Cheers, Sandra

Nov 14, 2014
F-Secure employee wins Inventor of the Year

20 Patents in 14 Years: How An Award-Winning Inventor Finds His Groove

We wouldn't be F-Secure without the talented and passionate researchers in our Labs. And today we'd like you to meet one whose inquisitive nature has driven him to become an inventor - and a prolific one at that. In his 14-year career with F-Secure, Jarno Niemelä has racked up an impressive 20 patents to his name and has filed 100 patent applications in total. His achievements recently won the title of "Salaried Inventor of 2014" from a group of Finnish inventors' organizations. I sat down to chat with Jarno about where he gets his ideas, and his advice for others. What area do your inventions focus on? I mostly focus on methods to help detect malware on a system, or methods of preventing malware from entering the system in the first place. How do your ideas come about? Inventions mostly happen in the evening when I'm not at work, and not even trying to think about it. I'll be working on some problem at work, and usually a day or two later, when I'm doing something totally unrelated on my own time, it hits me. I understand the problem and come up with a solution. The gym is a really good place for inventions. What motivates you to keep on inventing new solutions?   Inventions just happen, pretty much. Whenever I'm able to define a problem, I'm usually always able to come up with a solution. I am lucky to be researching in areas with problems that others have not yet solved. I'll be honest, I don't really like patents that much personally. The fact is though, that companies without patents would pretty much be at the mercy of the competitors. So in my view, patents are basically company self defense. Patents keep things in balance. Were you curious about things growing up? I've always kind of been inventive. You cannot learn to become an inventor, it's either something that's in your nature or it's not. And then you need to hone the talent and learn how to work within the patent framework. Another thing that is very important is good basic education and knowledge about the field. I owe a lot to Metropolia University of Applied Sciences where I studied for my engineering degree. Do you have any advice for people who have this inventive nature and are interested in filing patents? It all starts from defining and understanding the problem. Without a thorough understanding of the problem, you can't come up with a solution. Also, when it comes to patents, it's important to know what has previously been done in your area, and be clear in exactly how your invention is different from those. Otherwise your patent can be easily rejected by the patent examiner. And finally, patents are a long process so you need patience. It can take three to five years to get a patent approved. So this is not for hasty people. What is that rock you're holding? It's my trophy, a piece of Finnish bedrock! Inventors are the bedrock of new products. Do you have any certain goals for your inventions? Before I retire I would like to have at least 50 patents to my name. - Well, he's off to a great start. Congratulations, Jarno! Follow Jarno on Twitter  

Nov 12, 2014