does a virtual machine provide data security?

The place for all kinds of software for all kinds of operating systems.

Moderator: Dposcorp

does a virtual machine provide data security?

Postposted on Tue Dec 20, 2011 7:25 pm

My Yahoo email account was hacked recently and this put a good little scare into me w/r/t PC security in general. After the hack, my wife and I had all our credit cards reissued and have changed all of our passwords for retail, banking and other financial accounts. So far so good, nothing weird has shown up in any statements. But this got me to thinking about potentially better proactive methods. Specifically - if I need to transmit financial data online, would running that browser in a virtual machine provide protection from common malware in the host OS? I've considered setting up a dedicated box for financials, but would prefer to avoid the clutter if possible. Thanks for any advice along these lines.
This problem was caused by Windows, which was created by Microsoft Corporation.
sluggo
Gerbil Jedi
Gold subscriber
 
 
Posts: 1542
Joined: Wed Feb 16, 2005 8:44 pm
Location: under the table and dreaming

Re: does a virtual machine provide data security?

Postposted on Tue Dec 20, 2011 7:45 pm

You're looking at it backwards. If you really want that kind of security (and the bother that goes with it) you want to do your general web usage in the VM and then do your financial stuff in the host OS, or possibly in another VM. In general if something can compromise your host OS it can get into stuff running on it as well.

Rather than going whole-hog with a VM, you might want to look at Sandboxie, which will sandbox a web browser or any other program so that in theory it can't get out. It's significantly less bother (and expense, if you have to buy another Windows license for a VM), and if you pay for the registered version you can have one sandbox per program.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3165
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: does a virtual machine provide data security?

Postposted on Wed Dec 21, 2011 10:18 am

A keylogger or packet sniffer in the host OS could theoretically still steal personal data from sessions in the guest OS, since the I/O is still getting routed through the host OS. While doing what you propose will likely give you some benefit in terms of increased security, as bthylafh notes what you really want to wall off is the stuff that is most likely to be infected, not the stuff you want to secure. Once the host is infected, all bets are off.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: does a virtual machine provide data security?

Postposted on Wed Dec 21, 2011 11:39 am

I would also suggest using a non-persistent VM so that any changes are discarded when you turn it off.

You might also look at using something like KeePass http://keepass.info/ to securely store complex passwords for the various sites you may use. An old school way would be to print all your secure passwords and store them physically in a safe.
equivicus
Gerbil First Class
 
Posts: 117
Joined: Mon Jan 02, 2006 1:57 pm
Location: Houston, Texas

Re: does a virtual machine provide data security?

Postposted on Wed Dec 21, 2011 12:41 pm

While a VM has potential to help might malware and financial fraud at the local PC level, I personally worry more about the other end of the payments channel. Sure, I may enter my credentials and payment info on a clean box using Transport Layer Security of some sorts, thus protecting my info in transit from my box to a remote server somewhere...but then once the merchant and/or payment processor has the data, all bets are off as far as I am concerned. Does the merchant store the payment/card data? Is it on an unencrypted network share? Is it on a backend database server somewhere with loose DB and NTFS permissions? Does the merchant share data with vendors or other third parties with lax security practices? Even if the merchant is supposedly PCI compliant, there are still often many glaring security holes. I will say that having worked in community banking and information security for the last 10 years, my views are somewhat cynical and biased. :wink: Security is often difficult, and data touches many, many hands these days due to so much outsourcing.
Pagey
Graphmaster Gerbil
 
Posts: 1416
Joined: Thu Dec 29, 2005 10:29 am
Location: Middle TN

Re: does a virtual machine provide data security?

Postposted on Wed Dec 21, 2011 1:31 pm

Pagey wrote:Even if the merchant is supposedly PCI compliant, there are still often many glaring security holes. I will say that having worked in community banking and information security for the last 10 years, my views are somewhat cynical and biased. :wink: Security is often difficult, and data touches many, many hands these days due to so much outsourcing.

Since PCI standards don't require encryption for internal data transmission, only external, there's still no guarantee that your data will not be spraying all around the grocery store.

And you're no more cynical than someone who's been in the regulatory side of this for more than 15 years now.
It is one of the blessings of old friends that you can afford to be stupid with them. Ralph Waldo Emerson.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20264
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: does a virtual machine provide data security?

Postposted on Wed Dec 21, 2011 5:20 pm

sluggo wrote:But this got me to thinking about potentially better proactive methods.

If you don't already use Malwarebytes Anti-Malware, I recommend you buy a license and install it alongside the Anti Virus you use today. It's generally not advised to run two AVs in parallel, but MBAM was designed for that, and is known to be lightweight. The free version is good for cleaning infected PCs--many folks know that--but the paid version adds proactive protection with lifetime updates which significantly improves your resident protection since you have two AVs monitoring the system instead of only one. That's two products made by different teams of researchers using different algorithms, signature databases etc. The license is normally $20-25 but it frequently goes on sale, and recently it's been as low as $10. To be notified in real-time you can create a deal alert on Slickdeals.
yehuda
Gerbil
 
Posts: 51
Joined: Wed Jun 06, 2007 1:33 pm


Return to General Software

Who is online

Users browsing this forum: No registered users and 3 guests