Wednesday, September 3, 2014

Proper way to run TOR and TAILS in a Virtual Machine

Note: This post is for informational purposes only. I use Tails/Tors for network analysis and intrusion detection of my network for academic purposes.

Tails is a TOR based amnesic based operating system.  It is basically a Live-CD/USB operating system that gets you on to the TOR based Onion network for complete privacy. The normal usage is to run it off a CD or USB. Virtual Machines are not recommended but people do it anyways. I won't get into the debate or discuss the merit of running it via live boot USB versus running it in a VM. The basic argument against the VM's premise is if the host hypervisor is compromised, you are not truly anonymous. Furthermore, keyloggers, remote desktop can cause problems. Lastly, most VM's bridge or NAT networking can potentially leak info.

If you are going to run it in a VM, I have some suggestions. Hence, the topic of this blog post.

First of all, you want to have much isolation as possible. Most Hypervisors allow you to dedicate specific hardware to the guest operating system. Never share anything. This includes soundcards, bluetooth, and most importantly ethernet/wi-fi devices.

For the sake of this post, I am using Mac OSX and VMWare Fusion. However, the concepts and principles apply to Windows, Linux or VirtualBox.

When you create your guest, try not to store it on your drive.If you do store it on your drive, encrypt it. And encrypt it again. My main hard drive has file fault but I go even further and store my image in an Encrypted container. In this case a DMG.

I can then go toss my DMG image into an encrypted USB stick.
Then go another step further and use VMware's built-in encryption to protect the VM file.

(be sure to enable it to ON!)

Since the whole guest will be relatively small, I strongly suggest throwing it on a USB stick. You don't want anything on your host.

Now to the VM itself. Clean it up.

I then remove everything I do not need. Remove the Sound Card. Disable the bluetooth sharing.
Everything except USB.  If you need sound, I have a solution for that later.

Most importantly, remove the hard drive as you don't need it. You will be booting from the ISO file. Your VM files should be less than 2MB.

Now, lets beging the isolation process.
Disable the Network Adapter.
Yes. Disable the network adapter.

In fact, you can disable all networking on your host computer. When you bridge or NAT, you cannot truly mask your host's computer with advance sniffing. Your host computer doesn't even need to be physically connected to the network.

Now, if you disable networking, how do you get on the Internet or have any networking?
This is the important piece of info. Get yourself some cheap NIC devices.  USB ethernet dongles, wi-fi sticks. Treat them like disposable SIM cards you have on disposable phones. The MAC ethernet addresses of those devices will be unique and will not trace back to your computer. 

No bridging. Not NAT traversal. Complete isolation from the host. If you no longer have a need for the NIC, simply throw it away and get a new one. That last tip is for the paranoid.

Under your USB settings, you will want the guest operating system to "own" the particular device.
In this case, my portable USB dongle. Since Tails uses Debian, I've notice most USB network and wireless dongles work out of the box including the ASIX 88179 USB 3.0 gigabit dongle.

Once you boot into TAILS, you'll see the USB network adapters as if they were native to the TAILS operating system.

 I would also do a simple ifconfig to verify you are indeed using the hardware.

Another cool thing you can do is dedicate a separate USB mouse/keyboard to the Virtual Machine. This should eliminate one of the key concerns of running Tails inside a VM - potential keylogging from the Host. As for sound, since you disabled sharing from the host, you can use a USB sound DAC if you really want sound inside Tails. Again, you need to give dedicated USB ownership to the guest.

Here I use a Motorola LapDock. I dedicate a separate full screen display to my VM and use the built in keyboard/trackpad. The key entries are unknown to  my host Macbook Pro. Also pictured is an Apple 10/100 USB dongle that also works very well with Tails.

Now back to my disclaimer on the top of this post. This is for informational purposes. I've been evaluating Tails/Tor to see if anyone on our network can go un-detected. We've provisioned Kali intrusion boxes; sniffed network with Wireshark/Ethereal and we are still testing. I have to say, I am very impressed and scared at the same time.