1
00:00:01,468 --> 00:00:03,444
If you're using a virtual machine

2
00:00:03,469 --> 00:00:06,135
you need to make sure that it is secure,

3
00:00:06,206 --> 00:00:08,757
or in other words, it needs to be hardened.

4
00:00:09,405 --> 00:00:11,857
We've already discussed physical isolation,

5
00:00:11,913 --> 00:00:14,163
so let's just revisit that quickly.

6
00:00:14,258 --> 00:00:16,915
You can have physical isolation

7
00:00:16,940 --> 00:00:18,925
in order to give you physical hardening.

8
00:00:19,405 --> 00:00:22,161
You could use a dedicated secure device

9
00:00:22,193 --> 00:00:24,474
as the host for the guest VM,

10
00:00:24,516 --> 00:00:26,523
giving you physical isolation.

11
00:00:26,730 --> 00:00:29,222
Both the host and the guest will be hardened

12
00:00:29,341 --> 00:00:33,181
and a separate device used for day-to-day use.

13
00:00:33,236 --> 00:00:36,223
The day-to-day use device is more likely

14
00:00:36,325 --> 00:00:38,781
to be attacked and get compromised.

15
00:00:39,175 --> 00:00:43,875
The secure device, used less often and for more trusted tasks,

16
00:00:44,111 --> 00:00:45,973
meaning the host operating system

17
00:00:45,998 --> 00:00:49,252
and the guest operating system on the secure device,

18
00:00:49,381 --> 00:00:51,294
are more likely to remain safe.

19
00:00:51,714 --> 00:00:53,925
Other physical measures that you can use.

20
00:00:54,230 --> 00:00:59,859
Using a USB network dongle instead of the host network adapter,

21
00:01:00,009 --> 00:01:03,777
as discussed already in the area on physical isolation.

22
00:01:03,952 --> 00:01:08,519
You can place the VM on a separate network to the host

23
00:01:08,643 --> 00:01:12,254
or for virtual isolation via a VLAN.

24
00:01:12,492 --> 00:01:15,892
This is to help mitigate attacks that come from the network,

25
00:01:16,238 --> 00:01:17,839
from the virtual machines.

26
00:01:18,992 --> 00:01:20,068
Virtual machine leaks.

27
00:01:20,093 --> 00:01:23,941
As we've discussed, virtual machines can create

28
00:01:23,966 --> 00:01:27,614
on the host operating system unwanted log files,

29
00:01:27,653 --> 00:01:31,537
disk caching and other evidence of the activity

30
00:01:31,562 --> 00:01:33,575
of your virtual machine guest,

31
00:01:33,600 --> 00:01:38,835
even if it's a live operating system like Tails or there is no virtual disk.

32
00:01:39,524 --> 00:01:43,192
Like in this example where you see that there is no virtual disk,

33
00:01:43,414 --> 00:01:46,805
it's difficult to know all of what is created

34
00:01:46,892 --> 00:01:50,492
by your hypervisor on your host operating system.

35
00:01:50,598 --> 00:01:52,908
So one approach to deal with this problem,

36
00:01:53,074 --> 00:01:55,960
of all the unwanted host data, would be to use

37
00:01:56,079 --> 00:01:58,668
whole disk encryption on the host machine

38
00:01:58,739 --> 00:02:01,683
as the mitigation against these leaks.

39
00:02:01,992 --> 00:02:05,723
If you have significant adversaries and high consequences,

40
00:02:05,786 --> 00:02:08,242
this would always be recommended anyway,

41
00:02:08,353 --> 00:02:10,785
and we discuss more on disk encryption

42
00:02:10,856 --> 00:02:14,790
and file encryption in its own section and we go into quite a lot of detail.

43
00:02:15,026 --> 00:02:18,285
So defense against leaks or one of the defenses against leaks,

44
00:02:18,579 --> 00:02:19,962
whole disk encryption.

45
00:02:20,683 --> 00:02:24,339
Not only can we do whole disk encryption to prevent the leaking,

46
00:02:24,387 --> 00:02:28,659
we could even create a whole hidden operating system

47
00:02:28,929 --> 00:02:32,022
from which we have the hypervisor installed

48
00:02:32,047 --> 00:02:34,094
and the guest VM running.

49
00:02:34,230 --> 00:02:38,782
This makes even finding or knowing that leaks exist difficult

50
00:02:38,869 --> 00:02:41,650
and it also provides plausible deniability.

51
00:02:41,809 --> 00:02:45,654
But of course this only protects you when the machine is switched off,

52
00:02:45,879 --> 00:02:49,744
as the encryption keys are stored in memory when the machine is on.

53
00:02:50,516 --> 00:02:54,533
Another possible mitigation against unwanted storage on the host

54
00:02:54,595 --> 00:02:59,207
leaks from disk caching is to disable or delete the caching.

55
00:02:59,318 --> 00:03:03,157
Host operating systems usually use virtual memory called swapping

56
00:03:03,182 --> 00:03:06,350
or paging which copies part of the RAM to the hard disk.

57
00:03:06,500 --> 00:03:09,373
There are also modes like sleeping and hibernating.

58
00:03:09,444 --> 00:03:12,873
It's possible to disable this functionality

59
00:03:13,103 --> 00:03:15,496
to prevent it from being stored to disk,

60
00:03:15,873 --> 00:03:17,976
but you should do this at your own risk

61
00:03:18,001 --> 00:03:22,595
as it’s possible that it can cause problems with your host operating system.

62
00:03:22,786 --> 00:03:25,801
And we do cover more on clearing the page

63
00:03:25,826 --> 00:03:29,296
and swap in the section on evidence elimination.

64
00:03:29,460 --> 00:03:32,709
So if that's something that interests you, check out that section.

65
00:03:33,659 --> 00:03:35,817
Moving away from leaks now

66
00:03:36,151 --> 00:03:39,672
and on to protecting the data within the virtual machine.

67
00:03:39,802 --> 00:03:41,684
You can enable encryption

68
00:03:41,845 --> 00:03:46,011
using the hypervisor for each of the individual virtual machines,

69
00:03:46,183 --> 00:03:48,444
but obviously again this only protects them

70
00:03:48,516 --> 00:03:50,017
when they are switched off.

71
00:03:50,460 --> 00:03:53,567
Using the hypervisor’s encryption is probably

72
00:03:53,623 --> 00:03:56,651
a less tried and tested solution

73
00:03:56,690 --> 00:03:59,859
than encrypting the operating system itself

74
00:03:59,910 --> 00:04:04,926
using more well-known encryption technology such as LUKS,

75
00:04:05,143 --> 00:04:08,462
FileVault 2, BitLocker, and VeraCrypt

76
00:04:08,683 --> 00:04:12,370
which have been subject to more public and community scrutiny

77
00:04:12,421 --> 00:04:15,437
than perhaps the hypervisor encryption has.

78
00:04:15,778 --> 00:04:17,898
Enabling both encryption in the hypervisor

79
00:04:17,923 --> 00:04:19,708
and within the operating system

80
00:04:19,817 --> 00:04:22,452
will slow down your virtual machine,

81
00:04:22,532 --> 00:04:24,877
but does give you defense in depth.

82
00:04:25,563 --> 00:04:28,494
You want to reduce the attack surface of your hypervisor

83
00:04:28,565 --> 00:04:31,307
and here are some of the features that you might consider removing.

84
00:04:31,683 --> 00:04:34,953
You might want to disable the audio and the microphone,

85
00:04:35,706 --> 00:04:38,194
and not specific to virtual machines,

86
00:04:38,274 --> 00:04:40,666
you might want to cover your webcam with tape,

87
00:04:41,762 --> 00:04:43,899
disable shared folders,

88
00:04:44,937 --> 00:04:47,776
disable drag and drop and clipboard,

89
00:04:49,349 --> 00:04:53,143
don't enable video acceleration, 3D acceleration,

90
00:04:54,722 --> 00:04:57,008
and do not enable serial ports.

91
00:04:58,556 --> 00:05:01,774
If you can, do not install VirtualBox Guest Additions

92
00:05:01,799 --> 00:05:04,695
or VMware Tools or equivalent.

93
00:05:04,872 --> 00:05:06,594
That gives the operating system

94
00:05:06,722 --> 00:05:08,773
more access to the hypervisor

95
00:05:08,976 --> 00:05:12,672
and it gives a guest access to more of the host like the microphone

96
00:05:12,897 --> 00:05:14,668
and increases the attack vector.

97
00:05:17,063 --> 00:05:21,737
You want to remove the floppy drive and remove any CD or DVD drives.

98
00:05:23,230 --> 00:05:25,137
If it's a Live operating system,

99
00:05:25,365 --> 00:05:27,703
you want to remove any virtual disks.

100
00:05:29,397 --> 00:05:32,227
Do not attach USB devices if you can help it,

101
00:05:32,341 --> 00:05:34,428
perhaps the network dongle,

102
00:05:34,634 --> 00:05:36,468
but nothing else if you can avoid it.

103
00:05:36,556 --> 00:05:40,369
Disable the USB controller which is enabled by default.

104
00:05:42,452 --> 00:05:44,645
When you disable the USB controller,

105
00:05:44,677 --> 00:05:48,703
this requires you setting the pointing device to be a PS/2 mouse

106
00:05:49,032 --> 00:05:50,492
so that your mouse will work.

107
00:05:52,309 --> 00:05:54,690
Do not enable remote display server,

108
00:05:55,849 --> 00:06:00,024
do not enable I/O APIC or EFI.

109
00:06:02,476 --> 00:06:07,127
Enable PAE/NX, NX is in fact a security feature.

110
00:06:07,405 --> 00:06:12,020
NX helps your processor guard the PC from attacks from malware.

111
00:06:13,032 --> 00:06:15,135
And remove anything that's not used.

112
00:06:17,333 --> 00:06:20,755
If you are concerned about someone getting a hold of your device

113
00:06:20,780 --> 00:06:22,610
and local forensics,

114
00:06:22,674 --> 00:06:28,505
then use non-persistent operating systems like live CDs, live USBs

115
00:06:28,672 --> 00:06:31,016
and don't add virtual storage

116
00:06:31,167 --> 00:06:33,119
when setting up the virtual machine.

117
00:06:36,555 --> 00:06:40,741
You can create your own custom live operating system,

118
00:06:40,929 --> 00:06:42,316
so you go about installing

119
00:06:42,341 --> 00:06:44,549
whatever operating system it is that you want,

120
00:06:44,626 --> 00:06:46,524
configuring it in the way that you want,

121
00:06:46,802 --> 00:06:50,095
and then you can convert the virtual disk to an ISO

122
00:06:50,341 --> 00:06:53,532
and then boot from the ISO as a live CD.

123
00:06:54,010 --> 00:06:55,328
If you look at this thing here,

124
00:06:55,353 --> 00:06:58,854
this talks through converting a virtual disk image to an ISO.

125
00:06:59,921 --> 00:07:03,667
You can use VMware snapshots to create non-persistence.

126
00:07:03,976 --> 00:07:07,023
You can use these snapshots for security

127
00:07:07,048 --> 00:07:11,262
for evidence elimination by establishing a securely

128
00:07:11,334 --> 00:07:14,583
updated virtual machine that has never performed

129
00:07:14,619 --> 00:07:18,499
any other activity than what you want it to have performed

130
00:07:18,534 --> 00:07:20,368
and then snapshot that VM.

131
00:07:20,794 --> 00:07:23,952
So for example, here would be the clean

132
00:07:24,071 --> 00:07:26,881
VM with no evidence and no history.

133
00:07:27,635 --> 00:07:30,942
This is your current state where you perform your activities,

134
00:07:31,159 --> 00:07:33,541
then after you’ve performed your activities

135
00:07:33,857 --> 00:07:35,036
you restore

136
00:07:36,180 --> 00:07:39,136
back to the original clean VM.

137
00:07:39,209 --> 00:07:41,550
This'll remove any malicious malware,

138
00:07:41,595 --> 00:07:45,734
it'll remove history, tracking, or any evidence of activity.

139
00:07:46,059 --> 00:07:48,485
This is not a perfect solution to remove evidence

140
00:07:48,619 --> 00:07:51,077
due to the previously discussed possibilities

141
00:07:51,102 --> 00:07:53,649
of data leakage remaining on the host,

142
00:07:53,770 --> 00:07:57,803
but it is a reasonably good solution for basic non-persistence.

143
00:07:59,056 --> 00:08:00,594
There's some security issues

144
00:08:00,619 --> 00:08:04,271
around the power saving features of your devices.

145
00:08:04,516 --> 00:08:08,190
If you pause or suspend your device

146
00:08:08,278 --> 00:08:10,589
when you have an encrypted virtual machine,

147
00:08:10,651 --> 00:08:14,115
the encryption keys are stored on the hard disk.

148
00:08:14,242 --> 00:08:17,285
This isn't safe unless you retain

149
00:08:17,518 --> 00:08:20,328
full physical control over the device.

150
00:08:20,836 --> 00:08:24,253
Again, in the same light, if you hibernate your laptop

151
00:08:24,343 --> 00:08:26,399
with whole disk encryption,

152
00:08:26,557 --> 00:08:29,916
the encryption keys are stored on the hard disk.

153
00:08:30,151 --> 00:08:32,073
This isn't a virtual machine issue,

154
00:08:32,175 --> 00:08:33,766
but this isn't safe either

155
00:08:33,846 --> 00:08:36,656
unless you maintain control over the device.

156
00:08:37,254 --> 00:08:39,889
If you put your laptop into sleep or standby,

157
00:08:40,063 --> 00:08:43,600
any whole disk encryption keys will be stored in memory.

158
00:08:43,751 --> 00:08:46,366
Again, this isn't safe unless you retain

159
00:08:46,501 --> 00:08:48,866
physical control over the device.

160
00:08:49,144 --> 00:08:52,345
If you're using encryption, either with a hypervisor

161
00:08:52,405 --> 00:08:54,499
or with a guest operating system,

162
00:08:54,675 --> 00:08:56,582
or with a host operating system,

163
00:08:56,651 --> 00:08:59,696
it is best for all of the operating systems,

164
00:08:59,746 --> 00:09:01,334
the guest and the host,

165
00:09:01,556 --> 00:09:04,786
to be logged out and shut down and switched off,

166
00:09:05,071 --> 00:09:09,187
fully switched off, not paused, not suspended, not hibernated.

167
00:09:09,325 --> 00:09:14,071
This way, the decryption keys are not stored on disk anywhere.