Big security risk with global sharing

Discussion in 'Parallels Desktop for Mac' started by goron, Jan 24, 2007.

  1. cetuma


    Messages:
    40
    Read level access to the root of the drive would provide harvesting capabilities. Then again, so does having a FAT32 bootcamp partition within OSX. Just like I enjoy being able to access my whole windows file system within OSX, I enjoy having the same capabilities within Windows.

    I do agree that users should be aware, and when this comes out of beta that it should be right there in the help file for that section.

    I'm not worried about harvesting though. Very little leaves my system without my knowledge, and even less makes it out of my network at home. When I'm in the office where security budgets are higher than my home network, control is even tighter. I doubt the same holds true for most people, so the option to restrict to just the user's home folder would be appropriate. Then it would be similar to only having access to Windows 'My Documents' (plus a little more application stuff) in Windows.

    Either way, people do need to be aware that running a computer presents security risks. Not that OSX is secure, but MS does have the most malware associated with it, and users need to understand the risk they are undertaking anytime they operate within windows.
     
  2. djsmmcp


    Messages:
    3
    Thanks.

    It seems to come down to this: There is no question the default settings put key system files at risk of easy deletion. No one can really say there is no risk at all by exposing your entire Mac OS file structure to Windows in this way, by default, with no notification that this is the case.

    Some just don't think it's that big of a risk. I happen to find it beyond my comfort level. I really wonder: If this software were written by Microsoft, would people be so laissez-faire with regard to the potential consequences of the global file sharing being enabled?

    I'm not here to say there aren't other risks to OS X also (in response to drval's comment), nor am I here to say this is the most serious security risk one can undertake in computing. Careless or reckless computing has its own consequences on any platform. But these files are all exposed and delete-able from Windows by default when you install the beta, and the consequences of either not knowing this, not recognizing the implications of this, or both, are more than I'm willing to accept given the usefulness of this program.

    So, I disabled the global file share. Were a friend or family member to install this RC2, I'd take the time to let them know and encourage them to disable the file sharing as well.

    I happen to believe Parallels should notify users as a matter of course of the potential consequences of full exposure of their OS X system files to Windows, but they're not doing so at this time, for whatever reason.

    That's why I'm glad this forum is here for them to hear from their customers.

     
  3. drval


    Messages:
    490
    Let's just try one more time to inject a little bit of rationality in this.

    You install a software program that allows for interoperability -- with Windows -- so this allows for all of the issues relevant to Windows to become cogent for your system. Of course it does. And this is why it's important to follow all of the guidelines for using Windows IF you choose to install this piece of software. I've not seen ANY articles that talk about either Parallels or Boot Camp or any other similar programs (i.e. those that allow any form of interoperability) that don't also clearly say -- protect your system like it's a Windows system because it IS a Windows system once you've done that install.

    Yes, disabling Global Sharing is ONE WAY to minimize the problems but if you think that will really in and of itself completely preclude any and all attacks, I think you haven't really considered all of the relevant variables.

    For me and I suspect for the vast majority of users, transparent inter-operability is a critical and highly valuable feature. For others it is irrelevant or non-desirable and they can disable it if they want to do so. I would also suggest, however, and FWIW that regardless of which way that setting is used, all users of any VM should be treating their systems AS IF they were full-blown Windows systems. Use the same fundamental approach to increasing safety and security that would be used on any native Windows system.

    It is NOT doing that which will likely create the problems.

    Those of us who use Windows on a daily basis for mission critical applications know how to deal with the security issues -- and that information is freely available on the web.

    Yes, there is a difference in philosophy that is involved in this. I think information is great -- that's the cornerstone of what I do, i.e. provide information. Promoting fear is something else yet again at least IMO.
     
  4. betatester


    Messages:
    15
    False. According to many sources, including this excellent article in Wired Magazine:

    http://www.wired.com/wired/archive/14.11/botnet.html

    zombies and botnets are outstripping the ability of the most advanced securities analysts to detect and shut down, much less prevent. Estimates of the number of Windows computers infected range from 25% to 50%. This is not for want of security software, but because that software is incapable of detecting these zombies and spam bots. Running a suite of security products, no matter how advanced, doesn't provide security.

    So what about all those millions of people who are running full protection on their machines and are infected? Do they too deserve what they get? Sounds to me like blaming the victim.

    This compounds the errors of your previous statement. VMWare's beta has already shown that it is possible to have full duplex drag and drop capability without exposing the entire host file system to the guest. So in fact, it is not a matter of sacrificing functionality for "a few ignorant people." It's a matter of Parallels being more scrupulous about the security of users' machines and working harder to find a solution rather than pretending that the problem doesn't exist in the first place.

    It's time to stop apologizing for Parallels, blaming supposedly ignorant and careless users, and hold the company to the standards that every other virtualized operating system already meets, as dkp has pointed out. That goes as much for you, as an experienced user as it is for senior sycophants who cannot bear to admit that perhaps the emperor isn't fully clothed.
     
  5. dkp


    Messages:
    1,367
    Do you believe any of the scenarios I've suggested are impossible? This is different from probable, understand. You've never said. Because if even one is possible then it is a risk and all risk has to be considered.

    I have concluded that you and I face the same risk if we open our Mac systems up via Parallels. You have chosen to ignore that risk, I have not. And then you have gone on a campaign to dull the senses of each reader with unsupportable claims, placating us with baseless soothing tones, indoctrinating us, in fact, with empty assurances and defending a methodology the competition has demonstrated is unnecessary.

    You know there's a risk, we all know now there is a risk, and banging the soundless drum of deception about it, voicing conversation controlling accusations, and attempting to sweep the issue aside won't work. In fact you are assisting the voice of reason in this by keeping the topic prominently on the front page of this forum. For that I thank you.
     
  6. cetuma


    Messages:
    40
    1. Interesting article. Still comes to the fact that software like CSA is going to prevent a bot from loading or running. It's going to have to change a file hash or write to a directory that wasn't permitted. Or, even hidden is going to have to run an unauthorized process. The software is out there to protect a system. Antivirus is nothing more than that, antivirus. That does not include trojans, bots, or a plethora of other malware. Traffic on a network can easily be stopped. There are several IPS containment devices capable of detecting unauthorized traffic. A bot can't work if it can't communicate even unidirectionally.

    2. I'm not sure how those millions who are properly implementing security are getting infections. I have been using a Mac since 1984, and Windows since 1995, and I have never had issues or detected any sort of malware on my systems. - Does this mean I haven't been affected? Can't guarantee it, but most software leaves some sort of trace it's there. Whether increased processor use, or unaccounted for traffic. I haven't seen anything of the like yet. Actually, that is an incorrect statement. I have at several times put unprotected Windows systems on the net to act as honeypots. I also ensure those systems are contained from the rest of my network.

    3. If I could, I'd rather have raw access to my drives in every VM session, rather than some scaled back capability that is going to reduce my drive access times and potentially my ability to manipulate a file structure as I would like. I like the way Parallels is handling their file access. This isn't apologizing for them. I want to maintain the ability to perform things as I am doing them now. So perhaps you want VMWare's method of file access. GREAT! That's what competition is all about. If you like the feature set of VMWare better, then by all means go ahead and use it instead. All I'm saying is don't force me to change the implementation I like because somebody can't handle that flexibility. - Reminds me of some of the programming fights in the 80's and 90's. For instance, Pascal vs. C. Some people liked C because of its ability to work with a variable in any form. Others found it better to typecast and reduce their errors. For them, Pascal and other packages work better. I liked C because of its robust capabilities at the time. Pick and choose your VM application. I'm using Parallels because I've been very impressed thus far with how they do things - especially when compared to VMware.
     
    Last edited: Feb 9, 2007
  7. cetuma


    Messages:
    40
    Some people acknowledge risks and move on - comfortable in the manner with which they mitigate them. Others dwell on those risks, and never find peace in their life.

    The world is insecure. For all I know I could (get hit by a bus, get a nuke dropped on me, collapse from exhaustion, etc...) as soon as I walk out the door or sooner. The only difference is I have far better things to dwell my mind on than constantly thinking of all the threat vectors. I'm going to continue to jump out of airplanes, risk asphyxiation underwater, and use my computer to its fullest ability because I enjoy living life rather than being scared of it.

    The point is, there are risks out there. Being aware of a risk allows us to make a conscious decision on how we wish to deal with that threat vector. We can accept, avoid, mitigate, or transfer that risk. In this case of global file sharing, I accept that risk because to me the benefits are worth it. To some degree I mitigate that risk by using additional tools, but ultimately I accept that risk. Others who find it to be an issue could avoid that risk by not using or not turning on that feature. They are all acceptable methods based on an individual's or organization's comfort zone.

    So yes, it is important that there is a level of awareness of the risk, but that is all that is necessary. I'm not a fan of chicken little. A meteor could destroy this entire planet in an instant, but that's not going to change how I live my daily life.
     
  8. dkp


    Messages:
    1,367
    We're not talking about destroying the planet - we're discussing Parallels' responsibility to provide information to the end users regarding their product security and risks. Parallels is aware of the importance of system isolation and even mentions it on their home page, paragraph 1:

    Can you identify for the readers here what conditions must prevail for this quote to be true and factual? Hint: You must disable global sharing which, as you know, is enabled by default. I'm damned if I can find any fault in asking for this clarification from the vendor. Can you? I don't even think it is an unreasonable request. Do you?

    Things to think about:

    http://www.crn.com/sections/breakin...YWYH5CQSNDBGCKH0CJUMEKJVN?articleId=165700440

    http://www.techweb.com/wire/security/54201306
     
    Last edited: Feb 9, 2007
  9. cetuma


    Messages:
    40
    The key to this quote being true lies in the end of the sentence: isolated virtual machine. The only way a Windows machine is going to be secure is if it is isolated from the internet. Even disabling global sharing is not going to make that Windows box secure if it's connected to the net. Regardless, when you turn on global file sharing, your virtual machine is no longer isolated. It now is able to communicate with another host. So again, the key here is isolated.

    Nope, I find no fault in ever asking for clarification. One also must remember that this is not GA code, and as such documentation is often done last for a product release. Products change too much. So the fact they don't mention it now does not bother me. If they were to neglect mentioning it in the final documentation, then I may find issue with it. Regardless, if you're that worried about security, then you should only run GA code.
     
  10. betatester


    Messages:
    15
    The concept of isolation as used by DKP (and Parallels) is not absolute. The question is that of the isolation of the virtual machine from the host. As you have correctly pointed out, the running of a VM on the host in itself diminishes isolation in the absolute sense; and one can imagine some kind of virus or worm that would be targeted at VM's, and would destroy the host, simply because the two coexist on the same machine. But when global sharing is enabled, a big wide door is opened that fundamentally diminishes the isolation between the two, and substantively decreases security.

    There are therefore two issues involved: 1) The fact that Parallels does this by default, and without warning the user. 2) The fact that opening this door is not necessary in order to enable duplex (aka global) drag and drop.

    The problem here is that Parallels sees no problem with the current implementation, and has stated as much in these forums. Thus, there is no reason to believe that they will include any kind of warning in the release version, nor that they will spend the extra time to figure out how to implement this feature without compromising security--which we already know to be possible.

    That said, I hope you are right that they will put warnings, both in the documentation, and in dialogue boxes when enabling this feature. But based upon their public statements, I am not holding my breath.
     
  11. drval


    Messages:
    490
    OK, let's put a little more sanity back into this thread. "Isolated" means isolated -- think level 4 bio containment as true isolation. That would mean not connecting your computer to the internet NOR bringing in any removable media unless those media had been adequately screened BEFORE connecting them to your system.

    Now unless I'm completely mistaken, I don't see how such an isolated computer could possibly pose any problem whether or not Global Sharing is enabled.

    If you believe that Global Sharing should be developed in a different way than the way in which Parallels is proceeding then start up your own company then develop and deploy a competing product -- or use a competing product.
     
  12. djsmmcp


    Messages:
    3
    drval: Just to be clear, do you think I was promoting fear, or somehow was not rational? You might have been referencing someone else, but since your reply was directly below mine, I dunno.

    Not that it matters much for furthering this discussion, but as a Windows user for the past 12 years who just recently began using a Mac, I do keep my Windows install on my VM patched, with AV and anti-spyware running, and unneeded services disabled. I also run on a limited user account and avoid downloads and software installs that are not needed.

    None of these best practices preclude any of the key Mac OS files from being removed from within the VMs installation inadvertently or by malware. Disabling global sharing is the only way to truly make that scenario impossible. Unless I'm missing something.

    I've never tried to say Parallels is inherently unsafe, just that without proper knowledge of its capability to delete files that it's not supposed to affect, which thus far the Parallels team has not chosen to advise upon, one could do a lot of damage to their OS X installation unwittingly and without the ability to fix it.

    So, the questions remain: Does the Parallels team think this is a significant risk or not, and does it merit some kind of advisory when enabling this feature to let people know of that risk?

    I'm not here to argue whether your opinion, expertise, or style of computing is inferior to mine. I know better than to start deleting Mac OS system files from within Windows and I'm not going to let my Windows install be compromised in such a way that malware or a virus could do it.

    None of this changes my concern as a customer that users should be alerted more clearly to the possibility that it could still happen.

     
    Last edited: Feb 9, 2007
  13. dkp


    Messages:
    1,367
    Anyone who agrees with this:

    then also has to agree with this (Paraphrasing Parallels' statement):

    Whichever applies depends upon the state of the global share and since the default is to have it enabled, the default condition out of the box is the second statement. I don't expect to see it on any brochures, of course, but it is a fact.
     
  14. cetuma


    Messages:
    40
    This is not an absolute. I can install bootcamp, install WinXP SP2, then load up Visual Studio and its libraries, and SQL server, and leave the global file sharing on, then it does not reduce the security of my OS X system at all. I can develop all the Windows apps I want to develop within VS.NET, and I don't even have to load Antivirus, antispyware, antitrojan, or any other security software on that Windows load. And I will STILL be no less secure within OS X than not running the virtual system. In fact, until I begin to load 3rd party software and / or enable networking, then there is absolutely no increased security risk with OSX, unless one of those MS applications run the risk of corrupting the overall system. In theory, yes that is a possible increased security risk - after all it is MS.
     
  15. dkp


    Messages:
    1,367
    Interesting. I don't use Bootcamp so don't know what you see when you open the global share in Windows - what in fact do you see?
     
  16. joem


    Messages:
    1,247
    Whether the VM is secure or not isn't the issue. The issue is whether the host is secure. If Parallels claims the VM is isolated, that means from the host, not from the Internet.

    I REQUIRE a sandbox. This means that VMs are totally isolated from one another, and that the host is totally isolated from anything that code running in a VM can do. Nothing else is acceptable.

    Drag and drop is a handy feature, and CAN be implemented without compromising isolation since VMWare has done it. I believe that implementing drag and drop the way Parallels has done it is a mistake, and making the claim that the VM is isolated when global sharing is enabled by default is inaccurate, and irresponsible.

    I call on Parallels to change this implementation before the next release, either by doing the job properly and implementing drag and drop without the unnecessary global share, or by turning it off by default, and clearly documenting the risks of turning it on. Since I test malware now and then, these risks are substantial.

    If VMWare releases a product that supports full USB passthrough, and drag and drop without compromising isolation, I will switch and start recommending VMWare unless Parallels provides the same required capabilities.

    I bought Parallels assuming I was going to be able to run Windows in an isolated VM. I have no need or desire for "integration" and I think it's a completely different concept that has no business being called a virtual machine -- it should be called a Windows subsystem for the Mac.

    I know there are people who are only concerned with how the product looks and don't much seem to care how it works, or even, it seems, whether it works, as long as the drop shadows are in the right places. This isn't me. I need to switch between operating systems, not combine them. Combining them removes the main advantage of the Mac which, IMNSHO, is security. I don't want my Mac to be a Windows machine. I want a Windows VM and the concepts are chalk and cheese (totally different for those whose first language isn't English).

    It seems that this thread has degenerated into a discussion among cats and dogs over whether dog food or cat food is better. Dog food is better for dogs and cat food is better for cats. Parallels promised isolation; the industry standard for virtual machines is isolation and has been since the 1960's IBM mainframes; Parallels needs to deliver what they promised. Global share violates that promise, and is unnecessary to accomplish the purpose.
     
  17. rhind


    Messages:
    84
    You can use drag and drop without global file sharing turned on. Disable it, and try it. That is how I use it. In the first builds it was implemented without the global file sharing. When they added global file sharing they made it the default, but disabling it just causes it to use the previous method.

    I do think that Parallels should have (or should do for the final version, this is an rc still) put a warning up before enabling the global share.

    My VM usually runs using bridged networking so it appears as another machine on my network. But on my host OS X I don't even have file sharing enabled (and hence the firewall blocks it also) but this is bypassing the firewall without asking you.

    I don't think people would be happy if other programs bypassed the firewall or opened ports on it without permission, and I don't see Parallels as any different. I'm quite happy for the global share to be there, just should warn the users before it is enabled by default so they have a chance to cancel it.

    Cheers

    Russell
     
  18. joem


    Messages:
    1,247
    Bridged networking doesn't bypass the Mac firewall. It connects between the firewall and the NIC, bridging the NIC. The firewall still protects OSX.
     
  19. rhind


    Messages:
    84
    Yes but global file sharing *does* bypass the OS X firewall and that was my point.

    Cheers

    Russell
     
  20. joem


    Messages:
    1,247
    Is that because it doesn't go through the network?
     
