ALL MAJOR CONSUMER operating systems, including Windows, Mac OS X, and Linux, are way too easy to hack. One mishap — opening the wrong email attachment, installing malware that pretends to be Flash, not updating your software quickly enough — and you’ve given the keys to the kingdom to an attacker.
If that attacker gets the ability to run programs of their choice on your computer, as they often aim to do, they have access to all of your files. They can start logging your keystrokes, taking screenshots, and even listening to your microphone and watching through your webcam.
But it’s possible to isolate the most risky files and programs from other parts of your computer. Using virtualization software, the same technology that powers much of so-called cloud computing, it’s possible for you to protect your system even as you open attachments that might be sketchy, visit websites that you’re not too sure about — porn sites, torrent sites, pirated TV and sports sites — or test out software downloaded from random websites. You can also use this technology to ensure that your anonymous online activity remains anonymous, safeguarding the privacy protections offered by Tor by ensuring that absolutely all internet traffic gets routed through it — even if your software, like Tor Browser or Pidgin, gets hacked specifically to bypass Tor.
In this column, I’m going to start with a simple primer on virtual machines, including how to install the Ubuntu distribution of Linux in one of them, and I encourage you to follow along. Then I’m going to outline a handful of ways you can use virtual machines to reduce your risk of getting hacked, and go over some security caveats. Then I’m going to show off Whonix, an operating system you can run in a virtual machine to maximize your online anonymity; it’s ideal for maintaining a secret identity. And finally I’m going to give a brief overview of Qubes, an operating system that’s more secure than most anything currently available, and takes isolation security to its logical limits.
A virtual machine (VM) is a fake computer running inside your real computer. Each VM gets to use a chunk of your computer’s memory while it’s running and has its own virtual hard drive, which is just a file on your real hard drive. You can install operating systems in them and you can install and run software in them. You can save snapshots before you do something potentially dangerous and restore the snapshot when you’re done, returning your VM to its previous state.
In virtualization lingo, the operating system that you’re running right now is called your “host,” and every VM that you run is a “guest.” If a guest VM gets hacked, your host remains safe. For this reason, security researchers often use VMs to study viruses: They unleash them on their guest VMs to safely monitor what they’re trying to do and how they work, without risking their host computer. They “isolate” the viruses from the rest of their computer.
For this article I’m going to be using virtualization software called VirtualBox. It’s open source and free to download. VirtualBox is available for Windows, Mac OS X, and Linux. Go ahead and download and install a copy if you’d like to follow along.
I’m using a Mac host, and I’m going to start by installing the Ubuntu operating system, version 15.04 to be precise, in my VM. Generally speaking, it’s simpler to start off by installing a Linux distribution in your virtual machine, since Linux is free software. You can install as many Linux virtual machines as you want, wherever you want — an easy setup to deal with.
If you want to test a piece of software for Windows or Mac OS X inside a virtual machine to see if it’s malicious, you can also install those operating systems inside of a VM. But there are legal restrictions. For example, while OS X can be installed on up to two virtual machines for free, you have to be on a Mac when you do so. On Windows, you’ll likely need to buy separate Windows licenses for each VM. Here are instructions for installing Mac OS X in a VM and for installing Windows 10 in a VM.
While the steps below are written and illustrated using an Ubuntu virtual machine on a Mac, you can still follow along if you’re running Windows or Linux. And don’t worry about breaking anything; you can always delete your VM and start over. That’s the beauty of VMs: You get infinite lives, in the parlance of videogames, so it’s a great way to experiment and learn.
Now open VirtualBox and click “New” to create a new VM. I’m calling my VM “ubuntu-test.”
You get to choose how much memory your new VM will have and you get to create a new virtual hard disk for it. Whatever resources you allocate to your VM will not be available to other programs on your computer. I’m sticking with the defaults, 768MB of memory and an 8GB hard drive. You can just click through with all of the default options too if you want, or you can give your VM more resources. Finally, click “Create” to create your new VM.
The next step is to install Ubuntu. With my “ubuntu-test” VM selected, I click “Start” to boot it up. Since the virtual machine is brand new, it prompts me to insert an operating system installation disk. Of course, I don’t actually need a “disk.” Instead I can just find and select the disk image file (in this case, “ubuntu-15.04-desktop-amd64.iso”) and click “Start.”
Now the VM begins to boot to the Ubuntu disk. Notice that if you click in the virtual machine window, VirtualBox will warn you that the VM will “capture” your mouse and keyboard input, which means that when you move the mouse and type on your keyboard you’ll be doing this inside your guest VM rather than on your host machine. You can press the “host key” to make your mouse and keyboard control your regular computer again. On a Mac, the host key is the left “Command” key, and on Windows and Linux, it’s the right “Ctrl” key.
The Ubuntu disk has finished booting. I’m going to click “Install Ubuntu” and follow the simple instructions. I’m choosing “Erase disk and install Ubuntu” (don’t worry, I’m only erasing the virtual machine’s virtual disk, not my actual hard drive). I’m going to make up a username and password to log in to this VM, and then I’m going to let it finish installing. When it’s finally done, the VM will reboot into my freshly installed operating system. (After installing Ubuntu, my VM failed to shut down all the way while it was rebooting. If that happens to you as well, click the Machine menu and choose Reset to force your VM to restart.)
Now that I’ve booted up and logged in to my Ubuntu VM, I’m going to update all of the software. Always keep your software up to date, even in VMs!
To update all of the software in Ubuntu, I’m running the “Software Updater” program, typing my password, and letting it do its thing. Since I just installed this operating system and have never done updates, it might take a while to download and install everything.
When it’s finally done updating the existing software, it’s time to install VirtualBox “Guest Additions.” Guest Additions aren’t required, but they allow you to do some nice things, like resize your VM window, share your clipboard between your host machine and your guest machine, and set up shared folders so that your guest VM can access specific files on your host.
In order to install Guest Additions you need to insert a virtual CD, which contains the software, into your VM. You can do this by clicking the “Devices” menu at the very top of the screen, from within the VirtualBox program, and choosing “Insert Guest Additions CD image.” It will pop up a dialog asking for permission to install. Click “Run” on the pop-up dialog, and VirtualBox will open a new window showing the install progress. When it’s finished, reboot your VM. You can do this by clicking the gear in the top right, clicking Shut Down, and then clicking Restart.
With “Guest Additions” installed in my VM, I can resize the window like any other windows on my host machine.
I can also share the clipboard between the host and guest VM by clicking the “Devices” menu at the top of my screen, from within the VirtualBox program, and going to “Shared Clipboard.” The choices are “Disabled,” “Host to Guest,” “Guest to Host,” or “Bidirectional.” It’s best to keep this set to “Disabled” unless you need to copy and paste between your guest VM and your host. You can always temporarily enable clipboard sharing and then disable it again when you’re done.
Sharing files is slightly more complex. First, you need to add your user to the “vboxsf” group in your VM (don’t worry if you don’t understand what this means). Click on the Ubuntu logo in the top left, type “terminal,” and click on the Terminal icon to open a terminal in your VM. Then type:
sudo usermod -a -G vboxsf $(whoami)
You’ll also have to type the password for your user account in Ubuntu in the VM, the one you set up earlier. Then shut down your VM all the way.
In the VirtualBox window, choose your VM and click “Settings,” and move to the “Shared Folders” tab. Click the “+” icon to add a folder to share with your VM. I’m sharing a folder called vbox_share in my Documents folder. This way, if I need to copy files to or from my VM, I have a place to drop those files.
Inside my Ubuntu VM, I can access the shared folder by viewing “/media/sf_vbox_share.” I can get to that by opening the Files app (there’s a launcher icon for it on the left), clicking Computer in the left panel, double-clicking the “media” folder, then double-clicking the “sf_vbox_share” folder. Inside my OS X host machine I can access the same folder by viewing “vbox_share” in my “Documents” folder.
Now that we have a VM, let’s start doing some things that might be risky if we weren’t isolating them.
Before doing something that you think might break your VM, or might infect it with malware, you might want to save a snapshot of it so you can restore it when you’re done. You can save a snapshot by clicking VirtualBox’s “Machine” menu at the top of your screen, and choosing “Take Snapshot.”
Below are just a few examples of some ways you can use VMs to increase the security of your computer. In the end, virtualization is a tool that has many different uses, so feel free to be creative.
One of the easiest ways to get hacked is by opening a malicious document. Attackers might email you a booby-trapped “document” hoping that you’ll open it. If you do, the file would exploit a flaw in your operating system or in software like Adobe Reader or Microsoft Word, thus allowing the attacker to take over your computer.
It’s not always clear which documents are safe and which are malicious. A clever attacker could pretend to invite you to a conference that you’re interested in, and attach a malicious file masquerading as the schedule to that conference, or they could pretend to recruit you for your dream job, and attach something that looks like a job description — or they could entice you in any number of other ways. It’s safest simply not to open any attachments or click on any links in emails, but this isn’t feasible, especially for journalists or activists who are actively soliciting sources.
These attacks are not theoretical. My colleague Morgan Marquis-Boire pointed out a few real-world examples that he helped analyze: Vietnamese democracy activist Ngoc Thu‘s computer was hacked when she opened malware she found in her email; the Committee to Protect Journalists’ executive director, Joel Simon, was also emailed malware, though he didn’t install it; the Moroccan news website Mamkafinch.com received an enticing tip through its contact form that included a link that, when opened, took over the journalist’s computer using Hacking Team malware; and a report from 2014 showed that journalists from 21 of the world’s top 25 news organizations were likely emailed malware by state-sponsored hackers.
You might also find files online that you’d really like to look at but aren’t sure are safe. For example, documents in the Hacking Team email archive. You probably shouldn’t trust those, but you might want to look at them anyway.
Here’s an email where Hacking Team employees appear to be discussing giving a demo of their hacking services to an Egyptian defense contractor. I don’t speak Italian so I don’t entirely understand what this email thread is about, but the attachment is called “Exploit.docx.” Seems legit (*cough*).
If I try opening this dubious file in Chrome, my browser throws a security warning, and for good reason! Any attachments downloaded from the Hacking Team archive might try to, ahem, hack you.
Instead, I’m going to right-click on the document and save it to my vbox_share folder (clicking through Chrome’s warning, because I plan to view this documents in isolation).
Now, back in my VM, I can see the document.
To be extra safe, before opening this documents I’m going to disconnect my VM from the internet. I click the “Devices” menu at the top of the screen, choose “Network,” and uncheck “Connect Network Adapter.” This way, when I open the document, if it tries to hack my VM and connect to a command and control server, or even just phone home to alert the document owner that it’s been opened, it won’t be able to. It’s a good idea to do this whenever you open a suspicious document inside a VM.
Here it is. The document actually appears just to be an email thread pasted into Word. Regardless, I’m glad I didn’t open it on my host machine.
On your regular computer, for day-to-day use, it’s always a good idea to harden your web browser. Installing browser add-ons that block ads and malware, and making Flash click-to-play, goes a long way toward blocking software that might try to take over your computer through your web browser.
But even doing all of these things, there’s no guarantee that you won’t get hacked just by loading a website. If you’re going to visit a website that you think might put you at higher risk of getting hacked, you might want to visit that website inside of a VM. You can even set up a dedicated VM just for this purpose. (If you turned networking off in the previous step, you can enable it again by clicking the “Devices” menu, going to “Network,” and checking “Connect Network Adapter.”)
Inside my VM I decided to search for “Mr. Robot streaming” and found myriad pirated streaming websites. Here’s a screenshot of one of them. See that box that’s telling me my Flash Player is out of date, with a helpful link to update it? That’s not actually a real Flash update, that’s malware.
In the scheme of things, this malware is on the tame side — it’s not trying to read my email or watch through my webcam, but it’s still nothing that anyone would ever actually want installed on their computers. But even if it were way worse, it would first have to escape from the VM that it’s trapped in before it could do those things. To completely get rid of it I can restore my VM from a snapshot, or I can delete the VM altogether and create a new one.
All programs contain bugs, and these bugs can get exploited to take over our computers. The easiest way not to get hacked is not to use computers, but that’s not an option; we still have to run programs.
Some programs have much bigger attack surfaces than others. For example, libpurple, the underlying code that powers the encrypted chat programs Pidgin and Adium, has been heavily criticized for its old, bloated, and likely buggy source code that was originally written in 1998 (many critical libpurple bugs have been fixed in recent years, so it’s currently in much better shape than it used be). Yet if you want to have encrypted chat conversations on a computer, you don’t have a lot of options but to use it.
If there’s a piece of software that you depend on, but you think running it on your host machine will increase your chances of getting hacked, you can set up a dedicated VM for running that program.
If your dedicated chat VM gets hacked through a Pidgin exploit, for example, the attack will be contained. The attacker will be able to spy on the encrypted chat conversation you have in Pidgin, but that’s it. They won’t be able to access other files on your computer. They won’t be able to see what passwords you’ve saved in your web browser, or listen through your microphone, or read your email, or anything else.
All software has bugs, and this includes virtualization software. While isolating dangerous activity inside of a VM considerably reduces the chance of getting your regular computer system hacked, it doesn’t make it impossible.
If your VM gets hacked, it’s feasible that the attacker could then escape your VM in order to run and alter programs freely on your host machine. In order to do this, your attacker must have an exploit against your virtualization software. These bugs are rare but do happen.
You should also be careful with how you use the VirtualBox clipboard sharing and file sharing features I described above. For example, if someone has hacked a VM that has Shared Clipboard set to “Host to Guest” or “Bidirectional,” the attacker could spy on what you’ve copied to your clipboard on your host machine — for example, a password.
Tor’s flagship product, Tor Browser, does an excellent job of hiding your IP address from websites you visit and hiding what websites you’re visiting from anyone monitoring your internet activity.
But Tor Browser, like all other software, has bugs. If you visit a website in Tor Browser, the website could hypothetically exploit a severe bug to force your computer to make an internet connection to the attacker outside of the Tor network, letting them learn your real IP address and identity. This is exactly how the FBI deanonymized Tor Browser users who visited websites hosted by Freedom Hosting in September 2013. The FBI exploited a bug that was present in older versions of Tor Browser (it didn’t work against users who promptly update their software) in order to hack them and ultimately deanonymize them. (In this case, the FBI was attempting to attack people who allegedly had links to child pornography, but it also presented Tor Browser-hacking malware to users of legitimate websites hosted by Freedom Hosting, including the free anonymous email service TorMail.)
Whonix uses two VMs, called Whonix-Gateway and Whonix-Workstation, to maximize anonymity protections. The gateway VM acts as the upstream internet provider for the workstation VM, and it forces all network traffic to go over the Tor network. The workstation VM is where you use Tor Browser, as well as any other software that you wish to use anonymously. If you get hacked, for example with a Tor Browser exploit like the one that the FBI used, not only is the attacker contained inside of this VM and unable to access your host machine, but the attacker can’t deanonymize you either. All network connections that the attacker makes will go through the gateway VM, which forces them to go through Tor.
Whonix is great because you can be confident that everything you do in the workstation VM is anonymously going through the Tor network. That means that hackers won’t be able to deanonymize you, unless they can escape from your VM. You can use chat software like XChat to connect to IRC servers anonymously, or Pidgin to connect to Jabber servers for anonymous encrypted chats, or Icedove and Enigmail to send anonymous, encrypted email.
But keep in mind that Whonix, like other virtual machine-based security, can’t protect you if your host machine gets hacked or seized. If you are using Whonix to anonymously send documents to a journalist, and you become a suspect in a leak investigation, your Whonix VMs might contain evidence that can be used against you.
It’s slightly complicated to get started with Whonix, but there’s a lot of documentation on the Whonix website, and if you have questions feel free to post them in the comments. Let’s get started!
Head over to the Whonix VirtualBox download page and download a copy of Whonix-Gateway and Whonix-Workstation (a total of 3.1GB, so it might take some time). It’s also a good idea to verify the PGP signatures, but that’s outside the scope of this post.
Once you’ve downloaded them, open VirtualBox, click the “File” menu at the top, and click “Import Appliance.” Browse for the Whonix-Gateway file you just downloaded, and click “Continue.”
Now click “Import,” read the warnings, and click “Agree.” Your Whonix gateway VM will automatically get set up. Repeat these same steps with the Whonix-Workstation. When you’re done, you’ll have two new VMs in VirtualBox.
Start both Whonix-Gateway and Whonix-Workstation. You need to leave the gateway VM open in the background or else the workstation VM won’t have internet access, but you’ll do most of your work in the workstation.
When the gateway VM has finished booting for the first time, you’ll need to configure it. Click through the “Whonix Setup Wizard” to enable Tor and automatic updates.
Now it’s time to starting using Whonix. In the workstation VM, go ahead and open Tor Browser. It will automatically download and install it the first time you try opening it. Once it opens, you can browse the web anonymously, and remain anonymous even if Tor Browser gets hacked.
Since all software has bugs, wouldn’t it be safest to isolate each program in its own VM? Qubes is an operating system that does just that, and does it in a way that’s much more usable and more secure than is possible using virtualization software like VirtualBox or VMWare in a traditional operating system.
In Qubes, your host machine runs a graphical desktop environment, and that’s just about it — your host machine doesn’t even have internet access. You run all of the rest of your software inside of Linux or Windows VMs. Qubes also has great support for Whonix. If you use Whonix inside of Qubes, your host machine has a much smaller attack surface than if you were using a traditional operating system.
Qubes makes it easy to manage separate VMs for your different “security domains.” For example, you can create a work VM that you use to check your work email and log in to work-related accounts, and a separate personal VM that you use to log in to Facebook and keep track of your photos. You can create an untrusted VM that you use for everyday web surfing, and a vault VM (that doesn’t have networking enabled) that you use to store sensitive files like your password database, or secret documents that you’re working on. And you can right-click on any document to open it in a “disposable VM,” a VM that gets created simply to view this document, and then deleted again when you close the document.
I’ve written about Qubes in the past, and I encourage you to read more about it if you’re interested. But it’s not for the faint of heart. Not yet, at least. For one thing, you can’t test it in a VM like you can most operating systems because it needs to run VMs of its own, and you don’t want to accidentally break the universe (just kidding; it just doesn’t work).
And while it has an active development community and a growing user base, Qubes is not easy to use for non-power users. I don’t recommend you switch to it yet unless you’re already comfortable troubleshooting Linux problems from the command line. In Qubes, simple problems like how to install a new program or take a screenshot can have steep learning curves for the uninitiated. But all that said, if you are using Qubes, you can turn your computer into an incredibly intricate and secure fortress unlike anything that’s possible with a traditional operating system.
Finally, all software has bugs, and this includes Qubes as well as Xen, the virtualization software that powers Qubes. Even if you’re running Qubes, and promptly update all your software, and carefully isolate everything, and only open documents in disposable VMs, and do all of your browsing in Tor Browser inside of a Whonix workstation, it’s still possible for your host machine to get hacked if your attacker has lots of resources, patience, and zero day exploits.
Normally it’s cheap and easy for an attacker to take over your computer. But by isolating the parts of your computer that get attacked within VMs, you can make taking over your computer difficult, expensive, and, with any luck, not worth it.