I’ve just installed Ubuntu 10.4 under Sun Virtual Box. As I was playing and
surfing the web with it, I started thinking that this could be a much safer way
to surf, as what is happens on the virtual box stays on the virtual box, to
paraphrase Tom Hanks. Question: is this really as safe as I think?
Don’t get me wrong, using a virtual machine (or “VM”) can add a very
significant layer of security and safety, and can be an extremely useful
approach to increasing both.
But it’s not a perfect solution, and if its limitations aren’t considered it
can be quite dangerous simply by giving you a false sense of security in areas
that it doesn’t really help.
The simplest way to think of a VM is as just another computer on your network.
Yes, that computer is “virtual”, in that it’s really just a program running within your existing computer. The thing is, that “virtual machine” does such a good job of looking and acting like a separate machine, that’s often the best way of thinking about it.
So, the huge advantage of a VM is that you can have another computer without needing the additional hardware. On that other (virtual) machine you can run another operating system, like say a Unix variant such as Ubuntu. Within that virtual machine you’re not running Windows, and thus are not vulnerable to Windows-based malware.
That’s pretty significant. On your Windows machine you can set up a protected environment running some other operating system that’s not vulnerable to the vast majority of malware today. Some have gone so far as to say that this is the way you should do online banking – in a non-Windows environment.
But before we think all our problems are solved, let’s look at some areas of concern that remain:
social engineering – this is where you are the vulnerability. Responding to an email that demands your Hotmail account name and password – a phishing attempt – is “platform independent”. You can be taken by those types of schemes no matter what operating system you’re running, or where.
network exploits – these are technical and currently rare, but for example, if your router gets hacked to redirect you to a fake banking site, your non-Windows OS won’t give you any advantages.
browser exploits – “the browser is the new operating system” is something we’re starting to hear a little more often. What that means is that we do so much in our browser, and the browser provides so much functionality, that it’s pretty much an operating system unto itself. As a result, its vulnerabilities can often be targeted, once again regardless of underlying “real” operating system.
file transfer – what happens in a VM stays in a VM except if you copy it out. Even if you do all your browsing in a non-Windows based VM, you’re likely to eventually download something that you’ll want to place on the underlying Windows machine. If that file is infected with a Windows-based exploit, not only will you be copying it over, but it’s possible that by first downloading in a non-Windows VM and then copying to Windows you might bypass one phase of your anti-malware software.
network vulnerabilities – a VM is another machine, with its own virtual connection to your local area network. Depending on the VM technology and configuration that connection may or may not be protected by your underlying Windows security software. It’s also on the supposedly “safe side” of your router which is protecting you from internet-based network threats.
So, I’ll reiterate the thinking: treat it as if it was just another machine, and use all the security and safety steps that you would use setting up such a machine.
Don’t get me wrong – it’s an excellent approach to dealing with certain types of security issues. The primary advantage is that you can run a non-Windows operating system without having to purchase and manage another computer, and while still running Windows for other things that might require it. It can be cumbersome, and occasionally a little tricky to set up, but it can be quite valuable.
As long as you keep in mind what it does, and does not, protect you from.