#51

Albert <> writes:
> Todd H. wrote:
>> <snip>
>>
>> All you can do is take steps to minimize risk. Web surfing is best
>> done in a throw away virtual machine (using vmware, vmware player or
>> the like) that gets refreshed at regular intervals back to a known
>> clean state. This presents a pretty significant barrier to the
>> infection of your host operating system and storage media from the
>> threats you're concerned about. If they infect the virtual machine,
>> it's blown away and refreshed regularly, and you're in better shape.
>
> So if they infect the virtual machine which was in a "clean state" a
> few seconds ago, but the virtual machine has no access to hardware
> (except for the mouse and keyboard on the host), then malware is
> restricted to the virtual machine, right?

Yup. This is how malware analysts take apart malicious or potentially malicious code (though malware can detect when it's being run in a virtual machine and do something different, and there are hardware virtualization techniques that are more transparent).

> All that's left is to detect this malware before I allow the guest
> access to hardware that stores data, right?

No need to bother with detection. Assume it's infected to high heaven. Just roll back the VM to a clean state every 30 minutes or so.

--
Todd H.
http://www.toddh.net/
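One way to implement the rollback Todd describes (assume the guest is infected and restore a clean state every 30 minutes), as an added example that is not part of the thread. It assumes VirtualBox's VBoxManage CLI is installed; the guest name browser-vm and the snapshot name clean are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): roll a VirtualBox guest back to a
# known-clean snapshot, e.g. every 30 minutes from cron. Assumptions:
# VirtualBox's VBoxManage CLI is installed, the guest is named "browser-vm"
# and a snapshot named "clean" was taken right after the guest was set up.
#
# Cron entry (runs the reset on the half hour):
#   */30 * * * * /usr/local/bin/vm-reset.sh browser-vm clean

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# has_snapshot NAME: read `VBoxManage snapshot <vm> list --machinereadable`
# output on stdin and succeed only if a snapshot with exactly that name
# exists. Nested snapshots are listed as SnapshotName-1, SnapshotName-1-1, ...
has_snapshot() {
    grep -q '^SnapshotName[-0-9]*="'"$1"'"$'
}

# reset_commands VM SNAPSHOT: print the three commands that discard the
# guest's current state and restart it from the snapshot, one per line.
# Kept separate from execution so the sequence can be reviewed or tested.
# The poweroff may fail if the guest is already off; that is not an error.
reset_commands() {
    printf '%s controlvm "%s" poweroff 2>/dev/null || true\n' "$VBOXMANAGE" "$1"
    printf '%s snapshot "%s" restore "%s"\n' "$VBOXMANAGE" "$1" "$2"
    printf '%s startvm "%s" --type headless\n' "$VBOXMANAGE" "$1"
}

# reset_vm VM SNAPSHOT: refuse to run if the snapshot is missing (a typo
# would otherwise just power the guest off), then run the sequence.
reset_vm() {
    if ! "$VBOXMANAGE" snapshot "$1" list --machinereadable | has_snapshot "$2"; then
        echo "snapshot '$2' not found on VM '$1'" >&2
        return 1
    fi
    # Whatever the guest picked up since the last reset is thrown away here.
    reset_commands "$1" "$2" | sh -e
}

# Only act when invoked directly with two arguments, so the file can also
# be sourced for its functions.
if [ "$#" -eq 2 ]; then
    reset_vm "$1" "$2"
fi
```

Anything the guest writes to its own disk between resets is lost; the host's storage is never exposed to it, which is the point of the setup.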

#52

Todd H. wrote:
> <snip>
> Yup. This is how malware analysts take apart malicious or potentially
> malicious code (though malware can detect when it's being run in a
> virtual machine and do something different, and there are hardware
> virtualization techniques that are more transparent).

What do people mean when they describe something as 'transparent' in this context? I'm not sure what the last phrase means...

Albert

#53

From: "Albert" <>
| Todd H. wrote:
>> <snip>
>> Yup. This is how malware analysts take apart malicious or potentially
>> malicious code (though malware can detect when it's being run in a
>> virtual machine and do something different, and there are hardware
>> virtualization techniques that are more transparent).
| What do people mean when they describe something as 'transparent' in
| this context? I'm not sure what the last phrase means...

You can see right through their malicious nature and actions bypassing obfuscation attempts.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman

#54

Albert <> writes:
> Todd H. wrote:
>> <snip>
>> Yup. This is how malware analysts take apart malicious or potentially
>> malicious code (though malware can detect when it's being run in a
>> virtual machine and do something different, and there are hardware
>> virtualization techniques that are more transparent).
>
> What do people mean when they describe something as 'transparent' in
> this context? I'm not sure what the last phrase means...

i.e. there are far fewer clues inside the virtual machine to let a program be able to detect that it's inside a virtual machine. I'm thinking of Dinaburg and Royal's Xen-based Ether hardware virtualization.

http://ether.gtisc.gatech.edu/

--
Todd H.
http://www.toddh.net/

#55

Randy Yates <> writes:
> I wonder if you can install a virtual machine under a virtual machine?
> A la "Thirteenth Floor"? If so, could it be somehow leveraged to
> this problem?

before 370 was announced (or even built) there was a project at the science center to simulate the 370 architecture (in cp67) (which was somewhat different than the 360 architecture, some new instructions, virtual memory hardware tables had different format, etc).

the problem was that the science center cp67 time-sharing service also had numerous (non-employee) users (students and others) from various educational institutions (harvard, mit, bu, etc) in the boston/cambridge area. as a result, there were lots of security concerns that the effort would leak (confidential) information about unannounced products.

so the decision was made that the modifications (for 370 virtual machines) were made to a version of the cp67 system that ran in a 360/67 virtual machine (kept isolated from what the non-employees had access to). then a different cp67 was modified to run on a 370 machine (using the new instructions and building the 370 virtual memory tables ... rather than the 360 virtual memory tables).

the result was:

360/67 hardware
 -> cp/67 running on real 360/67 providing 360 virtual machines
 -> cp/67 running in 360 virtual machine providing 370 virtual machines
 -> cp/67 running in 370 virtual machine providing 370 virtual machine
 -> cms running in 370 virtual machine

all of this was operational and in regular use a year before there were engineering 370s with virtual memory hardware support (circa 1970) .... and while non-employees also had online access to the same, underlying (unmodified) cp67 virtual machine system (running on the real 360/67 hardware).

"real" virtual machine implementations are recursive.

there was an incident where information about 370 virtual memory was leaked ... but it didn't involve the above effort.

an internal confidential document was copied and made it into the hands of somebody from the press. there was an investigation attempting to identify who leaked the information. one of the results was that all the corporate copying machines were modified so that they left a (unique) identifiable mark on paper copies (indicating which machine made the copy).

--
40+yrs virtualization experience (since Jan6

Anne & Lynn Wheeler

#56

1. Can a computer get malware if all it does is get AV and SAS updates?

2. When I installed SAS Pro I accidentally selected the option for allowing just the admin to run it; how do I enable it for all users?

Albert

#57

Albert wrote:
> 1. Can a computer get malware if all it does is get AV and SAS updates?

If talking hypothetically and any computer in general, and not knowing any other details, of course the answer will be an unqualified yes.

> 2. When I installed SAS Pro I accidentally selected the option for
> allowing just the admin to run it; how do I enable it for all users?

Preserve your SAS' personal upgrade licensing information. Then uninstall & reinstall.

--
1PW

#58

Albert <> writes:
> 1. Can a computer get malware if all it does is get AV and SAS
> updates?

Certainly. But how likely? That depends.

How is the machine physically secured? Who can, say, get at its USB ports? CD drive? Console? What OS is it? What else is on the LAN with that computer? What else can initiate any sort of network connection to the computer? What services are running on the computer? Have they been kept up to date? Do they have unpatched vulnerabilities? How is it known that the computer only does those 2 things? Do administrators ever do anything else with the machine?

> 2. When I installed SAS Pro I accidentally selected the option for
> allowing just the admin to run it; how do I enable it for all users?

[cheerfully deferred]

Best Regards,

--
Todd H.
http://www.toddh.net/

#59

Todd H. wrote:
> How is the machine physically secured?

What do you mean by "physically secured"?

> Who can, say, get at its USB ports? Console?

Only me.

> What OS is it?

To be Windows 7.

> What else is on the LAN with that computer? What else can initiate
> any sort of network connection to the computer?

Nothing else.

> What services are running on the computer? Have they been kept up
> to date? Do they have unpatched vulnerabilities?

An AV, SAS and probably Sun VirtualBox.

> How is it known that the computer only does those 2 things?

Because I said so.

Albert

#60

Albert <> writes:
> Todd H. wrote:
>> How is the machine physically secured?
>
> What do you mean by "physically secured"?

Your original post didn't mention if we were talking about a server in a rack, or under a desk, in an office, in a private residence, etc. Physical security = who can put their hands on the box. Because if someone can touch the box, they can own it.

>> Who can, say, get at its USB ports? Console?
>
> Only me.

Then that cuts out a lot of worries about attacks from people with physical access to the box.

>> What OS is it?
>
> To be Windows 7.
>
>> What else is on the LAN with that computer? What else can initiate
>> any sort of network connection to the computer?
>
> Nothing else.

If it's the only machine on the LAN, and that LAN is firewalled off from the Internet, and only getting SAS and AV updates, then indeed your attack surface is very very small. You can then basically cross network based attacks off the worry list. And as you don't have a user running internet based apps like web browsers, chat clients or peer to peer stuff on it, that cuts out all client-side attacks from the worry list as well. About all you'd have to worry about is the security of DNS to the SAS and AV update servers to avoid any arcane man in the middle rogue update attack that might possibly be envisioned, but I'd say those odds are quite small.

>> What services are running on the computer? Have they been kept up
>> to date? Do they have unpatched vulnerabilities?
>
> An AV, SAS and probably Sun VirtualBox.
>
>> How is it known that the computer only does those 2 things?
>
> Because I said so.

Sounds like if this is to be Windows 7 and you don't have the OS and machine together yet, that you don't know exactly what services are really running on the computer, just what things you plan to put on the box. So, please, don't be a snide asshole when people are trying to help you for free.

Technically, "Because I said so" doesn't tell you the same things a port scan, list of running services pasted into a posting, or network vulnerability tool would in terms of what you think you know about what services are being offered by this machine (such as SMBv2 and its (unpatched by vendor?) vulnerability). Then again we just had a patch Tuesday so maybe they fixed that big ah-**** with SMBv2. At any rate, the services that are listening turns out to be a moot point since you're in the very unusual situation of this one box being all alone on the LAN, therefore the threats to its listening services from other devices aren't really anything to worry about.

In summary: Your proposed setup seems poised to be a pretty tough target, if the assumptions you've put forward all turn out accurate. But I suspect that if this is a single machine in your home(?) all alone on the LAN, you might be doing some web surfing from it? If so, then that'd probably be the primary vector for getting infected.

Best Regards,

--
Todd H.
http://www.toddh.net/