WEBVTT

00:00.910 --> 00:07.540
In this lecture, I'd like to talk about a really, really cool virtual machine type in Qubes.

00:07.780 --> 00:13.300
The final type that we haven't spoken about yet is the disposable virtual machines.

00:13.990 --> 00:20.950
Now, as the name suggests, these machines are designed to allow you to run any files or any data or

00:20.950 --> 00:23.530
any websites that you really want to run.

00:23.530 --> 00:28.690
But at the same time, you're not sure whether you should trust this data or whether you should trust

00:28.690 --> 00:30.940
this file or website or not.

00:31.450 --> 00:38.530
The whole idea is when you start a disposable virtual machine, Qubes will create this virtual machine,

00:38.530 --> 00:41.530
unlike what happens with all of the other machines.

00:41.560 --> 00:43.990
Qubes will start an existing machine.

00:44.000 --> 00:47.740
In the case of the disposable virtual machine, when you start one.

00:47.770 --> 00:51.310
Qubes will create a new virtual machine.

00:51.310 --> 00:52.450
You will use it.

00:52.450 --> 00:58.060
And then when you're done, when you turn it off, Qubes completely destroys this machine.

00:58.060 --> 01:04.690
So the next time you start a disposable machine, you will start a completely new virtual machine.

01:05.200 --> 01:10.210
Now, just like all of the other virtual machines, this virtual machine is completely isolated.

01:10.210 --> 01:16.600
So if it gets compromised, if it gets hacked, it uses different resources and a different file system.

01:16.600 --> 01:22.840
So it is very difficult for a hacker, even if he manages to hack into the disposable virtual machine

01:22.840 --> 01:27.970
to move on and hack into the other virtual machines that you have inside Qubes.

01:28.300 --> 01:33.220
Not only that, as soon as you turn off this virtual machine, like I said, the whole virtual machine

01:33.220 --> 01:34.000
is destroyed.

01:34.000 --> 01:41.050
So even if they have some kind of a persistent malware, or even if they are trying to exit the disposable

01:41.050 --> 01:46.060
virtual machine and move somewhere else, their connection will be completely disconnected because the

01:46.060 --> 01:48.280
whole virtual machine will be destroyed.

01:49.440 --> 01:55.380
So over and over this, just like any other virtual machine we have inside Qubes, you can see that

01:55.380 --> 02:01.020
we can launch a number of programs, mainly Firefox and the terminal, and then you can enter the qube

02:01.020 --> 02:01.770
settings.

02:02.520 --> 02:04.510
This is pretty much everything you'll need.

02:04.530 --> 02:08.940
So for example, let's say you're using your work virtual machine right here.

02:08.940 --> 02:13.230
So I have a Firefox instance in my work domain, as you can see here.

02:13.230 --> 02:20.160
And let's say you got an email that appears like it came from an address that you trust, whether it's

02:20.160 --> 02:25.230
a friend's address or an address of your boss or an address of a company that you work with.

02:25.260 --> 02:31.890
So you really want to click on a link that's inside this email, but at the same time, you're not sure

02:31.890 --> 02:34.530
if this link is safe to click on or not.

02:34.530 --> 02:39.630
Because keep in mind, hackers could have hacked into your boss or into your friend and then sent you

02:39.630 --> 02:40.530
that email.

02:40.560 --> 02:45.210
Or they can actually send emails that look like they're coming from other people.

02:45.210 --> 02:48.660
And I actually show how to do this in my social engineering course.

02:48.660 --> 02:53.790
And I showed this off in my talk at the Global Cybersecurity Summit in Orlando.

02:53.820 --> 02:57.720
I will include a link to the talk in the resources of this lecture.

02:57.720 --> 03:02.130
And if you're interested in my other courses, check out the bonus lecture, the last lecture of the

03:02.130 --> 03:08.370
course. Anyway, so you can get an email that looks like it's coming from an address that you trust,

03:08.370 --> 03:11.040
and the email could ask you to click on a link.

03:11.040 --> 03:16.740
Now clicking on this link could result into you getting hacked, but at the same time, because you

03:16.740 --> 03:20.370
trust this address, you actually want to click on the link.

03:20.370 --> 03:27.300
So the best solution for this is to go and start Firefox inside a disposable virtual machine.

03:27.330 --> 03:30.840
Like I said, this will create a completely new virtual machine.

03:30.840 --> 03:35.850
And inside this completely new virtual machine, it will start a Firefox instance.

03:36.830 --> 03:37.520
And perfect.

03:37.520 --> 03:40.190
As you can see, we get a normal Firefox browser.

03:40.340 --> 03:44.420
So what you want to do is let's pretend that this is the email that you got.

03:44.450 --> 03:47.970
All you'll have to do is copy the link that you want to open.

03:47.990 --> 03:49.630
You don't want to open it in here.

03:49.640 --> 03:52.100
You just want to click on copy link location.

03:52.280 --> 03:56.960
This will copy it within the clipboard of this virtual machine of the work domain.

03:56.960 --> 04:03.890
So you'll have to do Control Shift C to put it in the global clipboard, go to the virtual machine where

04:03.890 --> 04:05.270
you want to paste it. Again,

04:05.270 --> 04:07.810
I covered this in detail before, so I'm doing it quickly.

04:07.820 --> 04:10.820
If you don't remember how to do it, go and revise that lecture.

04:10.910 --> 04:14.300
So we go to the virtual machine where we want to paste this text.

04:14.300 --> 04:20.990
We're going to do Control Shift V to paste it in the clipboard of this virtual machine and then Control

04:21.020 --> 04:23.420
V to paste it in my URL.

04:23.420 --> 04:28.850
And here, as you can see, and I have the link right now in here, so all I have to do is just hit

04:28.850 --> 04:37.250
enter and that'll load the link for me inside this completely isolated, disposable virtual machine.

04:37.250 --> 04:43.430
So let's assume that this link exploits some kind of a vulnerability that will allow the hacker to hack

04:43.430 --> 04:44.750
into my computer.

04:44.780 --> 04:50.840
They will gain control over this disposable virtual machine, but they won't be able to exit out of

04:50.840 --> 04:52.490
it and do anything else.

04:52.490 --> 04:59.660
And then as soon as I click on the X in here, the whole virtual machine will be shut down and it will

04:59.660 --> 05:00.560
be destroyed.

05:00.560 --> 05:07.460
So the next time I run a disposable virtual machine, I'll actually be running a completely new virtual

05:07.460 --> 05:13.880
machine that does not contain the malware, even if it was downloaded using the previous session.

05:14.660 --> 05:17.570
So that's really, really cool, but it doesn't stop there.

05:17.570 --> 05:22.580
Let's assume that you really want to open this file, but at the same time this file is downloaded from

05:22.580 --> 05:27.830
the internet or from an email, so you can't really trust it, even if it's coming from a trusted email.

05:27.830 --> 05:33.110
Like I said, someone could have hacked into the account that sent you the email, or someone could

05:33.110 --> 05:35.750
be pretending to be that email, but they're not.

05:36.020 --> 05:40.970
So if you really want to open this file, all you have to do is right click the file.

05:41.120 --> 05:48.830
Instead of clicking open with LibreOffice, you want to go to view in a disposable virtual machine.

05:49.550 --> 05:55.250
Clicking on this will create a completely new virtual machine like we've seen before, and then opens the

05:55.250 --> 05:58.280
file inside this disposable virtual machine.

05:58.280 --> 06:02.210
And once you close it, the whole virtual machine will be destroyed.

06:02.210 --> 06:07.790
The file will be removed from the virtual machine, and even if the file contained malware, the malware

06:07.790 --> 06:14.420
will not be able to exit that virtual machine and affect your work computer in here because again,

06:14.420 --> 06:17.270
they are two completely separate operating systems.

06:18.240 --> 06:20.830
Now, I'm not going to show you that because it's very simple.

06:20.850 --> 06:26.250
All you have to do is literally click on view in a disposable virtual machine, and it will work as

06:26.250 --> 06:27.120
expected.

06:27.150 --> 06:33.090
What I really want to show you and what I think is really cool is the edit in a disposable virtual machine

06:33.090 --> 06:33.780
option.

06:33.990 --> 06:40.800
So with this option, again, it will create a new disposable virtual machine, but it will open the

06:40.800 --> 06:42.150
file for editing

06:42.150 --> 06:49.560
for me. This way, not only will I be able to read the file, I'll also be able to edit the file, save

06:49.560 --> 06:50.700
it, make changes to it.

06:50.700 --> 06:57.450
For example, if I was asked to fill something or to sign the file, I'll be able to do that.

06:57.450 --> 07:02.330
So for example, let's just type test and I'm going to do Control S to save it.

07:02.340 --> 07:05.640
We'll keep it at Microsoft Word 97 format.

07:05.970 --> 07:12.630
And now I can go ahead and send this file back knowing that even if this file contained malware, it

07:12.630 --> 07:14.370
did not affect my domain.

07:15.180 --> 07:19.890
Now, just to show you you're not supposed to do this, but just to show you that the changes were saved,

07:19.890 --> 07:23.520
I'm going to double click this file just to open it here, just to save time.

07:23.940 --> 07:25.650
And we have it here.

07:25.860 --> 07:31.700
And as you can see, what I added in here, test, it saved, and it is contained within the document.

07:31.710 --> 07:39.090
So this way, not only that, you can view documents safely, you can also edit them safely without

07:39.090 --> 07:42.420
affecting the security domain that you're working in.

07:43.980 --> 07:49.470
And if this wasn't enough, there is another really cool feature that you can do for images and for

07:49.470 --> 07:50.520
PDFs.

07:50.820 --> 07:57.540
This really cool feature allows you to not only view the file in a different disposable virtual machine,

07:57.540 --> 08:02.430
but you can also convert the file to a trusted PDF.

08:02.580 --> 08:08.340
So again, regardless of how you got this PDF, whether you got it from a friend, from an email, from

08:08.340 --> 08:12.760
the internet, let's assume that you have a PDF that you really, really want to run.

08:12.780 --> 08:16.860
What you can do is you can right click and view in a disposable virtual machine.

08:16.860 --> 08:17.740
That's fine.

08:17.760 --> 08:22.080
Or you can click on convert to a trusted PDF.

08:22.530 --> 08:27.480
What this will do is it will, first of all, create a new disposable virtual machine.

08:27.510 --> 08:30.690
It will copy the PDF to this new virtual machine.

08:30.750 --> 08:38.100
It will use a complex process in order to make sure that the PDF contains no malware and also completely

08:38.100 --> 08:43.590
destroy the PDF and convert the data in this PDF into images.

08:43.890 --> 08:46.920
At the end you'll notice we have a new file in here.

08:46.920 --> 08:52.830
This is called sample.trusted.pdf, so it added the word trusted to our PDF.

08:53.010 --> 08:58.730
And this PDF right here is a completely clean version of the original PDF.

08:58.740 --> 09:05.610
So not only that we can open this PDF in our current domain safely knowing that it contains no malware,

09:05.610 --> 09:08.220
but you can also go ahead and send it to others.

09:08.220 --> 09:11.580
So let's assume you need to send this to a colleague or to a friend.

09:11.580 --> 09:18.030
But you're not sure if this PDF is clean, then this way you can clean the PDF and make sure that it

09:18.030 --> 09:19.560
contains no malware.

09:20.070 --> 09:22.980
At the same time, you can find the original PDF.

09:22.980 --> 09:30.120
If you go to home and scroll down, you'll see we have a new directory called QubesUntrustedPDFs,

09:30.360 --> 09:36.390
and in here you'll see the original PDF that we converted to a trusted PDF.

09:37.700 --> 09:39.000
So that's it for now.

09:39.020 --> 09:45.770
I think this is a really, really cool feature in Qubes and it can really prevent a lot of attacks because

09:45.770 --> 09:51.620
like I said, hackers can hack into your friends or into your colleagues or into other companies' accounts

09:51.620 --> 09:56.240
and then social engineer you into clicking on links or downloading files.

09:56.240 --> 09:58.370
And this happens all the time in companies.

09:58.370 --> 10:03.080
And like I said, I showed off a lot of these scenarios in my Global Cybersecurity Summit.

10:03.080 --> 10:05.600
So if you're interested, go have a look at that.

10:05.600 --> 10:10.970
I will include the link to the video in the resources. And basically, at the end of it, a lot of people

10:10.970 --> 10:13.190
were asking, so how can we prevent this?

10:13.190 --> 10:17.180
Well, the only solution is, first of all, education, educate the employees.

10:17.180 --> 10:23.240
But at the same time, like I said, you might get a file or document or a link from someone that you

10:23.240 --> 10:23.810
trust.

10:23.810 --> 10:28.640
And even though you might think that this could be suspicious, at the same time, you forget if you're

10:28.640 --> 10:33.320
getting this from your boss or if you're getting this from a company that you do business with, you

10:33.320 --> 10:35.390
really need to open the file anyway.

10:35.780 --> 10:40.520
Or if you're a security researcher again, in many cases you want to open the file anyway.

10:40.520 --> 10:44.780
So this is a really, really good way of handling untrusted files.
