Evils of VMWare and Security

sexion8 · September 2008

I was bored and in a rambling mode about VMWare...

http://www.infiltrated.net/?p=101#more-101

Comments, flames? Corrections, whippings?

astorrs · September 2008

"Comment awaiting moderation".

tiersten · September 2008

I don't see this as being a new problem or one that singles out VMware. You can download prebuilt HD images for most of the VM systems out there. Do you audit every CD and patch that you install? How about every software distribution?

Mr Evil Guy at <insert favourite or not so favourite software company here> might have put in a deliberate bug in their software that to initial inspection looks harmless but in reality totally screws security over. It doesn't even have to be Mr Evil Guy. Mr Government Agent might have convinced that software company to change something.

The NSAKEY in Windows that was alledgely to allow the NSA to sign their own crypto modules is a prime example of this. Whilst it would allow them to do that, it also gave them the power to distribute backdoored versions of the regular crypto modules which Windows would accept.

Debian had a serious flaw in their copy of OpenSSH. Some developer years ago thought that they should run OpenSSH through code checker tools. It gave a warning on one of the lines of code. Instead of fully working out what that line did, they just assumed it was pointless and commented it out. It was only found recently. In doing that, they significantly reduced the keyspace and made it possible to bruteforce keys without needing to spend a few billion years doing it.

In short, yes you should be wary of the VMware appliances you can download but I don't think you should be any less wary of the regular software you install.

astorrs · September 2008

tiersten wrote:

In short, yes you should be wary of the VMware appliances you can download but I don't think you should be any less wary of the regular software you install.

You had me up until here. The problem I have is that the developers of application XYZ in the past were responsible for making sure their application wasn't full of exploits - now they're being asked to make sure the entire system isn't. They are now responsible for o/s lockdown, patching, etc as well. I'm mostly concerned about appliances designed to sit in the DMZ - any vendor who previously sold a hardware appliance will have experience in hardening the o/s already, the challenge is with the vendors (typically small) who may not have the same level of experience.

sexion8 · September 2008

tiersten wrote:

Do you audit every CD and patch that you install? How about every software distribution?

Mr Evil Guy at <insert favourite or not so favourite software company here> might have put in a deliberate bug in their software that to initial inspection looks harmless but in reality totally screws security over. It doesn't even have to be Mr Evil Guy. Mr Government Agent might have convinced that software company to change something.

The NSAKEY in Windows that was alledgely to allow the NSA to sign their own crypto modules is a prime example of this. Whilst it would allow them to do that, it also gave them the power to distribute backdoored versions of the regular crypto modules which Windows would accept.

Debian had a serious flaw in their copy of OpenSSH. Some developer years ago thought that they should run OpenSSH through code checker tools. It gave a warning on one of the lines of code. Instead of fully working out what that line did, they just assumed it was pointless and commented it out. It was only found recently. In doing that, they significantly reduced the keyspace and made it possible to bruteforce keys without needing to spend a few billion years doing it.

In short, yes you should be wary of the VMware appliances you can download but I don't think you should be any less wary of the regular software you install.

Thanks for taking the time to answer so I will dissect your apples and oranges if I may be so bold.

As a matter of fact I do try to check installs when I make them, download them and apply patches. When I do so, things are in a controlled lab all the time no matter how **** this may seem. In fact in doing so, I rambled on about an MS process which didn't look too kosher:

Microsoft Discloses Government Backdoor on Windows Operating Systems
Wednesday, April 30th, 2008 @ 6:00 am | Privacy, News

Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law enforcement earlier this week.
http://www.infiltrated.net/?p=91

I'm very vigilant about things I put on machines I tinker with often running it on a sniffed network alerting as to what is leaving, running Process Explorer, DLL List, etc. if on Windows, gdb, snoop/tcpdump if on Unix. So to answer your question, as a matter of fact I do watch. In fact if you knew me, you'd know for over 14 years I keep a consistent amount of terminals opened with real time network **** (tcpdump to be exact) along with tail -f'd logs in the background to see what's happening in my realm...

No on to your apples and your oranges... You're comparing two different things here a company and an anonymous user. For a company to attempt to do so, there is the potential backlash associated with being caught. So there is a little more trust we CAN have when it comes to installing vendor specific programs and patches. What you've misrepresented here is an attacker making a distro, no one checking what the attacker created and allowed the attacker to post it to the public domain. There is no backlash for the attacker. If done correctly, no one would even be able to determine who he or she is.

As for the ramblings on Debian, OpenSSH, etc., there are certain distributions I would not use any longer, Debian, Fedora, etc., if its been determined their machines were compromised. If you haven't forgotten or even known, aside from the Debian SSH melee, Debian had its root servers compromised as did Fedora. There is no guarantee someone didn't insert anything into their operating systems and rehash checksums. All one would need to do is change the checksums on a main server CVS, SVN doesn't matter, and everyone would be replicating tainted code.

Debian.org compromised
http://www.wiggy.net/debian/developer-securing/

Redhat and Debian compromised
http://news.cnet.com/8301-1009_3-10023565-83.html

Its called (and I will sound repetitive to those who read my posts) Extrusion Detection and its quite easy to set up in a lab. Take the block all concept of a firewall and reverse it in a lab. Block out all from leaving and set alerts on your system to see any changes in the way the machine behaves. Thrown on an IDS monitoring everything GOING OUT

Many people would be surprised at what their machines do when they turn them on, when the machines sit around idle, what their machines attempt to contact, etc. So the honest answer to your question on whether or not I look at things is two-fold... As a matter of fact I do watch what's going on as best as feasibly possible and have been doing so for years. Whether or not I'm capable of seeing everything is not measurable considering I only know about the attack vectors I know about, the rest is research, intuition, dumb luck.

In essence, you cannot seriously make an argument about a corporation - which stands to lose a lot more - versus a random attacker posting anonymously, a tainted distribution. Apples, oranges.

tiersten · September 2008

sexion8 wrote:

I'm very vigilant about things I put on machines I tinker with often running it on a sniffed network alerting as to what is leaving, running Process Explorer, DLL List, etc. if on Windows, gdb, snoop/tcpdump if on Unix. So to answer your question, as a matter of fact I do watch. In fact if you knew me, you'd know for over 14 years I keep a consistent amount of terminals opened with real time network **** (tcpdump to be exact) along with tail -f'd logs in the background to see what's happening in my realm...

Unless you sit there and disassemble every single item of software you're not going to know what is going on. Maybe it'll only do something bad once every 1000 runs and only if its a full moon at the time and its 4:39am.

sexion8 wrote:

No on to your apples and your oranges... You're comparing two different things here a company and an anonymous user. For a company to attempt to do so, there is the potential backlash associated with being caught.

Plausible deniability. Or in some cases, just blame it on a bad employee who has been fired/disciplined.

Asus has distributed cracking software, serial numbers and confidential documents on some of their recovery disks. The theory of why they're there is that as part of the Vista disc image maker, you can make it copy files from a flash drive into the image. Somebody must have had those other files on their flash drive when they ran it. Big corporation. They didn't check the recovery disc images. Whoever made it was using a PC that could have contained spyware, adware or god knows what else. It wasn't clean is all we know.

If you're that paranoid then how do you trust anybody? SSL certificates aren't 100%. People have managed to get a Microsoft labeled code signing cert issued before.

sexion8 wrote:

As for the ramblings on Debian, OpenSSH, etc., there are certain distributions I would not use any longer, Debian, Fedora, etc., if its been determined their machines were compromised. If you haven't forgotten or even known, aside from the Debian SSH melee, Debian had its root servers compromised as did Fedora. There is no guarantee someone didn't insert anything into their operating systems and rehash checksums. All one would need to do is change the checksums on a main server CVS, SVN doesn't matter, and everyone would be replicating tainted code.

Don't use Linux then. BitKeeper was broken into a few years back. Whoever did it tried to sneak in a backdoor into the Linux kernel code via the CVS gateway. At the time, the BitKeeper repo was the main tree.

sexion8 wrote:

In essence, you cannot seriously make an argument about a corporation - which stands to lose a lot more - versus a random attacker posting anonymously, a tainted distribution. Apples, oranges.

Because corporations never make a mistake and never have malicious employees working for them? You can't say that QA will catch it if it is a big flaw. ESX and the timebomb is a pretty big one and that got through to release.

sexion8 · September 2008

Comments inline

tiersten wrote:

Unless you sit there and disassemble every single item of software you're not going to know what is going on. Maybe it'll only do something bad once every 1000 runs and only if its a full moon at the time and its 4:39am.

Again, you should have paid attention to the post, I try to watch, I never said I do a complete audit period. I would have to be a glutton for punishment however, running whatever I'm running in a contained environment beats passively doing nothing at all.

tiersten wrote:

Plausible deniability. Or in some cases, just blame it on a bad employee who has been fired/disciplined.

This is a possibility, once bitten twice shy... How long do you think people would continue to take the vendor's word on it provided they'd gone through it before. I believe the odds are slim in the situation of yet another backdoor discovered on vendor OS' products would people continue to run them.

tiersten wrote:

Asus has distributed cracking software, serial numbers and confidential documents on some of their recovery disks.

Irrelevant, your throwing more apples and oranges into the mix. The original post consisted of an entire operating system. Not: What if I made a program and threw it into SourceForge and everyone copied it.

tiersten wrote:

If you're that paranoid then how do you trust anybody? SSL certificates aren't 100%. People have managed to get a Microsoft labeled code signing cert issued before.

Irrelevant as well. I could go on for days about protocols and why they shouldn't be trusted and this has nothing to do with paranoia, merely a "hey... guess what..." Nothing more nothing less. There was no introduction of broken protocols.

tiersten wrote:

Don't use Linux then. BitKeeper was broken into a few years back. Whoever did it tried to sneak in a backdoor into the Linux kernel code via the CVS gateway. At the time, the BitKeeper repo was the main tree.

What does not using Linux as a whole have to do with this? These were two distributions I mentioned and guess what... I don't use them anymore. Should I condemn Linux as a whole, Linux is Linux, Debian is Debian.

tiersten wrote:

Because corporations never make a mistake and never have malicious employees working for them? You can't say that QA will catch it if it is a big flaw. ESX and the timebomb is a pretty big one and that got through to release.

Your counterpoints are hard to understand where you're coming from. Corporations make some of the most horrendous mistakes however, you seem to have pointed out the fact that there is a quality assurance process going on. THIS is what you place some form of trust in. There is no QA going on when someone is uploading appliances to VMWare.

tiersten · September 2008

I give up. You just want to argue and I don't have the time to waste on this anymore.

sexion8 · September 2008

tiersten wrote:

I give up. You just want to argue and I don't have the time to waste on this anymore.

I'm definitely not arguing about anything, you stated your beliefs and I stated mine its called discourse. You're bringing things up that had nothing to do with the initial article so I responded to them, I didn't bring them up.

You brought up mentions of paranoia (irrelevant), broken protocols (irrelevant) and mentioned not using Linux. These things have nothing whatsoever to do with the original post, since you brought them up I gave you my response. Debates and discussion go a long way, I don't feel slighted, upset, angry, mad or any other emotion other than trying to understand where your coming from.