Who do you trust?

I came up in the network / security industry with the concept of "trust no one" at the forefront of my brain.  Well, trust no one until you have been given assurance that you should trust someone or something.

So, do you trust "Virtual Disk Images" downloaded off the internet? Would you download an image from VMware’s Virtual Market Place or a web site called ThoughtPolice.com?

Have no clue about what I am talking about?

Well, one of the cool things about virtualization is that servers and desktops now have the ability to go mobile. They can be copied from place to place and even be downloaded off the internet. This capability makes it easy for you to get a server up and running.

Remember the days when you had to install a Novell 3.11 server from 20-30 floppy disks? It was painful, wasn’t it? Worse than watching paint dry. You had to stare at a screen and wait for the next prompt to change the floppy disk. Then you would get to a question to enter some information that you didn’t have a clue about and then have to rush to grab the manual.

Well, now with virtualization you or someone else can go through the installation process, and once the server is installed, you can replicate it without ever having to install it again.

The problem with the above sentence is "someone else".  Again, I trust no one else and I definitely don’t trust someone I don’t know installing a Linux server and publishing it on the internet for me to use.

But there are many people out there in the world that are OK with downloading "Virtual Disk Images" off the internet and placing them either in lab environments or production environments. The problem with this is that anyone could create a Virtual Disk Image of the latest Fedora Linux operating system, purposely embed a trojan or virus in it and make it readily available on VMware’s Virtual Market Place or sites like ThoughtPolice.com.

An unsuspecting, trusting individual could then download that "Virtual Disk Image", run it inside their VMware environment and the next thing you hear is their data center or lab is attacked.

Downloading these virtual disk images is more dangerous than downloading a file off the internet or clicking on an attachment in an email from an unknown sender. Why do I say this? Because a virtual disk image is a FULL ON operating system with many applications in it. If a hacker has control of a full operating system, they can do things like schedule attacks that happen in the middle of the night, port scan your network for information and email the results to a BotNet master, and even run a packet capture of traffic and FTP that to a BotNet master. Imagine the possibilities, and imagine being able to run any application, not just a small file attachment: an application buried in a directory somewhere on the Virtual Disk Image.

Did I just bum you out and paint another picture of doom and gloom?

Well, it’s not all doom and gloom. Knowledge is power, as they say, and now with this knowledge you should think twice before downloading an image off the internet and using it without fully checking it out. Fully checking it out means running anti-virus software INSIDE the image and making sure you have VM to VM aware firewalls within your virtual environment to isolate traffic flows between VMs.

Lastly, I think downloading these images is pretty cool and would love to be able to take advantage of someone else watching the paint dry during an installation; however, I think there needs to be a "Verisign" of Virtual Disk Images. This way someone who you trust can do the work of inspecting these images for me.

-JP

*** This is a Security Bloggers Network syndicated blog from Security In The Virtual World authored by JOHN PETERSON. Read the original post at: https://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/who-do-you-trus.html