You are Here:
Linux Lite 4.6 Final has been released. See the Release Announcements section for more information.



Virtual Box security concerns

Author (Read 614 times)

0 Members and 1 Guest are viewing this topic.

Virtual Box security concerns
« on: August 16, 2019, 01:55:05 AM »
 

MS

  • Forum Regular
  • ***
  • 179
    Posts
  • Country: 00
  • Reputation: 8

  • Linux Lite: 4.6 64bit

  • CPU: Intel i7-7500U DualCore @ 2.7~3.5GHz

  • MEMORY: 8Gb

  • VIDEO CARD: Intel HD Graphics 620 / AMD Radeon R7 M445
Virtual Box is popular for it allows to run various operating systems and related software in a manner isolated from the base system and hardware, supporting the simulation in process. Nonetheless, I have some other concerns regarding the security in Virtual Box. These concerns address the Internet and web browsers. Namely, the simulated system run within Virtual Box is usually far less tight and maintained, compared to the native in use. When accessing the Internet through simulated environment, one may accidentally reveal personal data or account logins and passwords, while for certain being more prone to various kinds of attacks altogether. Even though, in case of emergency, the Virtual Box may be safely shut down any moment given, without making trouble to the physical machine in operationg, the information leaked through the Internet access, remains leaked.
Last Edit: August 16, 2019, 03:22:37 AM by MS
 


Re: Virtual Box security concerns
« Reply #1 on: August 16, 2019, 07:25:32 AM »
 

firenice03

  • Rockin' the FREE World
  • Platinum Level Poster
  • **********
  • 1127
    Posts
  • Country: us
  • Reputation: 222
  • Linux Lite Member

  • Linux Lite: 4.6 64bit

  • CPU: AMD E2//Atom X5//AMD Phenom II X2

  • MEMORY: 4Gb

  • VIDEO CARD: AMD Mullin Radeon R2//Intel//AMD/ATI RS880

Lets say you're referring to installing XP w/ IE6 in a guest VM. You are correct, I wouldn't use this set up to do my banking and taxes. Would I for nostalgia, sure. Would I connect to the internet - probably not.. That goes for LL 1.0.8 with Firefox 26.. Its out dated and would have potential security risks..

So how is the OS/Browser a security concern for the Hypervisor?
Whether Virtualbox, VMWare, Hyper-V, KVM, Parallels or ?? ?? 
Any OS in a VM needs to have its own security/update policy in place..

One could do their banking without problems if that's all the VM was used for -- but in roulette green comes up once in a while. I would also hope the bank site would inform the browser in use was outdated :)

In the same manner - you could have the most secure OS/Browser (i.e. Tails/TOR) current and updated. Running it on an XP OS host with a VMWare hypervisor inadvertently making the guest less secure (at certain layers)... Not truly isolated at the hardware layer, but OS's for the most part... But that's another rabbit hole..
Last Edit: August 16, 2019, 07:43:57 AM by firenice03
LL 4.6 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz  - 4GB - AMD Mullins Radeon R2
LL 4.6 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL 4.4 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL 3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express
RETIRED LL 2.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA
Running Linux Lite since LL2.2
 

Re: Virtual Box security concerns
« Reply #2 on: August 16, 2019, 02:06:53 PM »
 

MS

  • Forum Regular
  • ***
  • 179
    Posts
  • Country: 00
  • Reputation: 8

  • Linux Lite: 4.6 64bit

  • CPU: Intel i7-7500U DualCore @ 2.7~3.5GHz

  • MEMORY: 8Gb

  • VIDEO CARD: Intel HD Graphics 620 / AMD Radeon R7 M445
Simulated system works as a regular computer, but a lot of users could take it carelessly enough, failing to pay proper attention in terms of necessary updates and maintenance, perceiving the Virtual Box reality as some kind of toy. Well, it is a toy of a sort, but this toy may actually give you away, if that makes sense.
 

Re: Virtual Box security concerns
« Reply #3 on: August 16, 2019, 08:30:55 PM »
 

firenice03

  • Rockin' the FREE World
  • Platinum Level Poster
  • **********
  • 1127
    Posts
  • Country: us
  • Reputation: 222
  • Linux Lite Member

  • Linux Lite: 4.6 64bit

  • CPU: AMD E2//Atom X5//AMD Phenom II X2

  • MEMORY: 4Gb

  • VIDEO CARD: AMD Mullin Radeon R2//Intel//AMD/ATI RS880
Simulated system works as a regular computer, but a lot of users could take it carelessly enough, failing to pay proper attention in terms of necessary updates and maintenance, perceiving the Virtual Box reality as some kind of toy. Well, it is a toy of a sort, but this toy may actually give you away, if that makes sense.
Why pin to Virtual Box, its a hypervisor like the rest, VMWare has free version just as easily downloaded as are other open sourced... Windows 10 come with Hyper-V..
Its not Virtual Box or VMWare or KVM or XYZ.. It's virtualization; which can be used to test or trial or run an enterprise...  its a tool and tools need to be used properly...

Data Centers and Cloud(s) are full of virtual machines.. A VM is no different than a barebone than a container... PC's are computers, a man in the middle or a honey pot doesn't care about OS...
Sadly I have heard the phrase, "I'll run Windows on MAC and won't need AV software cause its a MAC... "

Phones and tablets are just as powerful "toys" and think of what some folks run on those, right next to their banking app...
Last Edit: August 16, 2019, 08:56:39 PM by firenice03
LL 4.6 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz  - 4GB - AMD Mullins Radeon R2
LL 4.6 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL 4.4 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL 3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express
RETIRED LL 2.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA
Running Linux Lite since LL2.2
 

Re: Virtual Box security concerns
« Reply #4 on: August 17, 2019, 12:54:47 AM »
 

MS

  • Forum Regular
  • ***
  • 179
    Posts
  • Country: 00
  • Reputation: 8

  • Linux Lite: 4.6 64bit

  • CPU: Intel i7-7500U DualCore @ 2.7~3.5GHz

  • MEMORY: 8Gb

  • VIDEO CARD: Intel HD Graphics 620 / AMD Radeon R7 M445
So, what is the conclusion? That tools, even if considered toys, should be used with proper awareness?

EDIT:

Contrary to what title of the thread could perhaps suggest these places around, I did not - due to lack of capability - point out any technical flaw of the Virtual Box. I am not a tech guy. I rather focus on sociological, logistical and methodological approach to certain tasks. First faulty link in operating any piece of machinery, is user, to be understood. There are no bulletproof solutions. But raising the awareness, could help.
Last Edit: August 17, 2019, 01:10:26 AM by MS
 

Re: Virtual Box security concerns
« Reply #5 on: August 17, 2019, 10:55:08 AM »
 

firenice03

  • Rockin' the FREE World
  • Platinum Level Poster
  • **********
  • 1127
    Posts
  • Country: us
  • Reputation: 222
  • Linux Lite Member

  • Linux Lite: 4.6 64bit

  • CPU: AMD E2//Atom X5//AMD Phenom II X2

  • MEMORY: 4Gb

  • VIDEO CARD: AMD Mullin Radeon R2//Intel//AMD/ATI RS880

So, what is the conclusion? That tools, even if considered toys, should be used with proper awareness?

Do both tools and toys come with safety warnings? Appropriate age usage (toys ages 8-11)?

YES... I wouldn't let an 5 yr old play a game for an adult (i.e. MA rating) or "use" a hammer...
Just as a hammer can hang a picture or build a house - some skill and knowledge involved. But can anyone make use of the tool SURE...


Contrary to what title of the thread could perhaps suggest these places around, I did not - due to lack of capability - point out any technical flaw of the Virtual Box. I am not a tech guy. I rather focus on sociological, logistical and methodological approach to certain tasks. First faulty link in operating any piece of machinery, is user, to be understood. There are no bulletproof solutions. But raising the awareness, could help.

Referencing Virtual Box as the culprit.. Virtual Box is the manufacture, virtualization is the tool..   formatting like --  i.e. technical flaw of virtualization..
Craftsman is a maker of tools - Hammer is a tool... Though realistically its not the virtualization its the installer of the OS in your post. The user of the tools...
User is using the hammer correctly, just using the wrong nails...
Virtualization the hammer --- the OS the nails


Every OS has a life span, where it no longer receives updates. These dates are published and usually "in your face" or easily found. Its up to the user to know this..
Milk has an expiration, just because its in your fridge.. is it still safe???  Just like an OS, the closer to the expiration the better your chances, at some point nobody's gonna drink it. 

;D
Last Edit: August 17, 2019, 10:56:47 AM by firenice03
LL 4.6 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz  - 4GB - AMD Mullins Radeon R2
LL 4.6 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL 4.4 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL 3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express
RETIRED LL 2.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA
Running Linux Lite since LL2.2
 

Re: Virtual Box security concerns
« Reply #6 on: August 17, 2019, 04:41:18 PM »
 

MS

  • Forum Regular
  • ***
  • 179
    Posts
  • Country: 00
  • Reputation: 8

  • Linux Lite: 4.6 64bit

  • CPU: Intel i7-7500U DualCore @ 2.7~3.5GHz

  • MEMORY: 8Gb

  • VIDEO CARD: Intel HD Graphics 620 / AMD Radeon R7 M445
I believe by the faulty OS you mean Windows XP as an example, which is decommissioned and therefore possibly vulnerable, nonetheless, what I actually mean is using Windows 10 - a supported OS - with faulty habits due to the illusion of being "safe" for operating within a simulation. Even though, majority of OSes force some kind of security measures by default, therefore, in the end, I guess it does take a decommissioned OS and some severely unupdated software to actually bring hazard.

I have lately spent some chunk of my spare time configuring the virtual Windows 10. Long time no see, Windows. Brings a tear to my eye. Memories. I realized though how much people relay on having become used to things. It is all about expectations and custom. It could by why I stick with Linux Lite and disliked GNOME Ubuntu back in the day. It was just too much different.

To make things clear, I also did take my time customizing Linux Lite, which runs native on the hardware.

By the way, do you imagine a world where one goes to a website of a certain company of choice and "orders" a PC of exactly this or that amount of RAM, capacity of hard drive, video memory, quantity and quality of computer cores, while just after the payment resolved, the ordered machine becomes available already in the manner of seconds? We talk about the world of cloud services, to be understood. Upgrading should come comparably swiftly as well.
Last Edit: August 17, 2019, 04:49:44 PM by MS
 

Re: Virtual Box security concerns
« Reply #7 on: August 17, 2019, 06:19:57 PM »
 

firenice03

  • Rockin' the FREE World
  • Platinum Level Poster
  • **********
  • 1127
    Posts
  • Country: us
  • Reputation: 222
  • Linux Lite Member

  • Linux Lite: 4.6 64bit

  • CPU: AMD E2//Atom X5//AMD Phenom II X2

  • MEMORY: 4Gb

  • VIDEO CARD: AMD Mullin Radeon R2//Intel//AMD/ATI RS880
Any non patched OS or updated app/browser can become vulnerability - how many smart phones haven't been patched/updated but are still in use...

By the way, do you imagine a world where one goes to a website of a certain company of choice and "orders" a PC of exactly this or that amount of RAM, capacity of hard drive, video memory, quantity and quality of computer cores, while just after the payment resolved, the ordered machine becomes available already in the manner of seconds? We talk about the world of cloud services, to be understood. Upgrading should come comparably swiftly as well.
It's coming - Desktop as a Service, you'll purchase a thin client and the OS will be VDI (Virtual Desktop Infrastructure), so its kinda here.
But yeah just like Office 365 your OS will be in the cloud. I can see in the enterprise not sure a home user thou.
Personally I like Samsung's DEX idea.. Having a Phone/Table that can be used as a PC. 

Depends on how many tools I need in my tool belt/toolbox - LOL.. Each tool or a Swiss army knife.. sometimes both...

LL 4.6 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz  - 4GB - AMD Mullins Radeon R2
LL 4.6 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL 4.4 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL 3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express
RETIRED LL 2.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA
Running Linux Lite since LL2.2
 

Re: Virtual Box security concerns
« Reply #8 on: August 17, 2019, 06:36:54 PM »
 

MS

  • Forum Regular
  • ***
  • 179
    Posts
  • Country: 00
  • Reputation: 8

  • Linux Lite: 4.6 64bit

  • CPU: Intel i7-7500U DualCore @ 2.7~3.5GHz

  • MEMORY: 8Gb

  • VIDEO CARD: Intel HD Graphics 620 / AMD Radeon R7 M445
Quote from: firenice03
I can see in the enterprise not sure a home user thou.
That is exactly the issue between Windows and Linux.
 

Re: Virtual Box security concerns
« Reply #9 on: August 17, 2019, 11:51:49 PM »
 

firenice03

  • Rockin' the FREE World
  • Platinum Level Poster
  • **********
  • 1127
    Posts
  • Country: us
  • Reputation: 222
  • Linux Lite Member

  • Linux Lite: 4.6 64bit

  • CPU: AMD E2//Atom X5//AMD Phenom II X2

  • MEMORY: 4Gb

  • VIDEO CARD: AMD Mullin Radeon R2//Intel//AMD/ATI RS880
Quote from: firenice03
I can see in the enterprise not sure a home user thou.
That is exactly the issue between Windows and Linux.

Kinda... but on a desktop I could see enterprise using VDI, licensing and hardware costs per user vs. home user 1 or 2 PC's with a subscription?? Why, tablets and phones are the device most home users use... Typical home user, internet and email...
LL 4.6 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz  - 4GB - AMD Mullins Radeon R2
LL 4.6 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL 4.4 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL 3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express
RETIRED LL 2.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA
Running Linux Lite since LL2.2
 

Re: Virtual Box security concerns
« Reply #10 on: August 19, 2019, 01:18:16 AM »
 

MS

  • Forum Regular
  • ***
  • 179
    Posts
  • Country: 00
  • Reputation: 8

  • Linux Lite: 4.6 64bit

  • CPU: Intel i7-7500U DualCore @ 2.7~3.5GHz

  • MEMORY: 8Gb

  • VIDEO CARD: Intel HD Graphics 620 / AMD Radeon R7 M445
You are right, virtual desktop service could make sense only for entities requiring beyond home user significant computational power, preferably without the need for Internet bandwidth usage adequate for media consumption. I can imagine science and research sector to benefit from that primarily. For the home user wanting to play high-end games, such solution would be like eating a bowl of soup with two spoons held simultaneously but separately. It only makes things harder, not easier, doubling or tripling the costs. First, the cost of virtual desktop service, second, the cost of a game, third, the cost of high speed Internet connection.

EDIT:

For the hardware, it is understandable that in terms of pure cloud service usage, one ought aim to pay as little as possible for bare - but comfortable - access requirements, since superfluous native hardware capabilities are most likely going to remain dormant. Therefore, in case one hops into the cloud service usage while owning a powerful PC, it is counted as a loss.
Last Edit: August 20, 2019, 01:36:28 AM by MS
 


Tags:
 


Linux Lite 4.6 Final has been released. See the Release Announcements section for more information.