An investigative series I’ve been writing over the past three years about organized cyber crime gangs using malware to steal millions of dollars from small to mid-sized organizations has generated more than a few responses from business owners concerned about how best to protect themselves from this type of fraud.
I said this nearly three years ago, and it remains true: The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online. All of the malware used in the attacks I’ve written about is built for Windows. That’s not to say bad guys behind these online heists won’t get around to targeting Mac OS X, or users of other operating systems. Right now, there are no indications that they are doing this.
What the Puppy desktop looks like.
The quickest way to temporarily convert your Windows PC into a Linux system is to use a Live CD. This involves burning an downloadable image file to a CD, inserting the disc into your computer, and rebooting. If this sounds difficult, don’t worry, it’s not.
Here’s a step-by-step guide that should get you up and running in no time flat, with Puppy Linux, an extremely lightweight and fast version of Linux. If you’d prefer to try another distribution, there are dozens to choose from.
-Grab a copy of the latest Puppy Linux ISO file from this link. If you don’t have software for burning bootable images to disc (or don’t even know what a bootable image is), grab a copy of the free and fast ISOBurner software.
-Insert a blank CD, tell ISOBurner where to find the ISO file you just downloaded, and let the software write the file to the disc.
-Leaving the CD in your computer, reboot the PC. We next need to make sure that the computer knows to look to the CD drive first for a bootable operating system before it checks the hard drive, otherwise this LiveCD will never be recognized by the computer. When you start up your PC, take note of the text that flashes on the screen, and look for something that says “Press [some key] to enter setup” or “Press [some key] to enter startup.” Usually, the key you want will be F2 or the Delete or Escape (Esc) key.
When you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse will not work here, so you’ll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu named “Boot”. Hit the “right arrow” key until you’ve reached that screen listing your bootable devices. What you want to do here is move the CD-Rom/DVD Drive to the top of the list. Do this by selecting the down-arrow key until the CD-Rom option is highlighted, and the press the “+” key on your keyboard until the CD-Rom option is at the top. Then hit the F10 key, and confirm “yes” when asked if you want to save changes and exit, and the computer should reboot. If you’d done this step correctly, the computer should detect the CD image you just burned as a bootable operating system. [Unless you know what you’re doing here, it’s important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit F10, and select the option “Exit without saving changes.” The computer will reboot, and you can try this step again.]
-My computer took about 90 seconds to boot up into the Puppy desktop, and it was ready to surf the Web. I should note that while Puppy includes support for wireless devices, the simplest approach is to connect your computer directly to your router via an ethernet cable.
-When you’re done, click the Puppy start menu, and select shut down or restart. To get back into Windows, simply eject the disc and reboot normally.
-If, after you’ve set up a Puppy Live CD, you decide you’d like to run Puppy off of a USB stick, follow these instructions, which make it a point-and-click exercise.
Don’t know about Puppy Linux [but will certainly check it out] but even Ubuntu allows for the live CD and arguably therefore also a USB stick, for whatever all that may be worth
A reader who works at a bank sent me the following comment to post on his behalf, since he was having trouble commenting. I’d be interested if other readers have ideas to address the issues he raises WRT the practical limitations of using a live cd.
==
From Mark:
I work for a bank and I got all excited about the idea of our business customers using a live CD for Internet banking, so I tested it. I used Unbuntu, just because it’s a name that is widely recognized. It worked really well, but there are some significant obstacles for adoption by businesses:
1. Uploading files. Businesses often upload ACH and other files to their bank through Internet banking. While booted to Linux, you can’t see any files on your hard drive or on any locations on your network. You could move the ACH file to the Linux system via a USB stick, but doing so could present an opportunity for a security breach.
2. You can’t print. Businesses print things from Internet banking sites, like file upload confirmations or bank statements. While booted to Linux, no print drivers are available.
3. It’s a pain. Many businesses visit their bank’s site multiple times a day. Using a live CD requires two reboots every time you visit – once to get to Linux and another to get back to Windows. Maybe Puppy Linux is faster, but it took me 10 minutes to boot my “experienced” HP laptop to Linux.
If you have any thoughts on how to mitigate items 1 and 2 I’d really appreciate hearing them. Security is great, but only when it can be reasonably adopted. If we handed out live CDs to our business customers, they would quickly stop using them.
Hi Mark (and Brian).
Ubuntu was never my favorite distro so I will reply as a PCLinuxOS user.
1) Yes You can see the Windows files while booted to Linux. At least with PCLinuxOS You can… It gives You FULL access to Fat32 / Fa16 / NTFS partitions from a LiveCD / LiveUSB level. How do I know – I use remastered PCLinuxOS iso + Avast home edition for Linux in a form of LiveCD to scan any Windows partitions and remove infections without having to deal with *ware hidden in the entanglement of the Windows registry.
2) Yes You can print – PCLinuxOS comes with a task-printing package pre-installed. It’s a meta package that contains most of the drivers for the Linux supported printers plus a configuration tool integrated with PCLinuxOS Control Center (modified Mandriva Drakx Tools).
3) This part could be true. It can be a major PITA to reboot to Linux several times a day but this solution however is something that I would recommend to a people that do care more about security rather then time. I understand that doing this 20 times a day is a problem but if You do it 1 – 3 times a day… should be no bother…
I know that some of You will disagree with me – I get it but PCLinuxOS really served me well for the last 5 years and I find it to be simple, user friendly, powerful and secured…
Regards.
Andrzej
Oh and one more thing that I completely forgot about… It gets better…
Entering
smb://192.168.0.1
in the address bar of the Dolphin file manager will connect You to the Windows share of the PC with the above IP and You will be asked for the network credentials to the resource. PCLinuxOS comes with a Samba client pre-installed too…
Regards.
Andrzej
Regarding items 1 and 2: This is a bit crude and involves use of a USB stick, but here goes. Puppy Linux includes a file encryption utility, bcrypt, located via the menu under Personal. More here:
http://bcrypt.sourceforge.net/
I encrypted a few files in Puppy Linux, copied the encrypted files to a USB stick, downloaded/installed bcrypt-1.1 on my Windows Vista PC, copied the encrypted files from the USB stick to the Vista PC and successfully unencrypted the files.
bcrypt under Windows is a command-line utility requiring the use of the Windows Command Prompt (cmd..exe) to encrypt or decrypt the files. This could definitely be a problem for some users. Puppy Linux, however, has a GUI for bcrypt that is very easy to use. One just drags and drops the file to be encrypted or decrypted from the file manager, ROX-Filer, to the bcrypt GUI.
1. Uploading files – encrypt the ACH and other files on the Windows PC prior to copying to the USB stick. One can copy the encrypted files from the USB stick to Puppy Linux and decrypt them.
2. You can’t print – encrypt banking statement and other files on Puppy Linux, copy the encrypted files to the USB stick, copy the encrypted files to the Windows PC, decrypt the files on the Windows PC. And print the files on the Windows PC.
Caution: Use a good password for encryption. ‘password’ would NOT be a good password. Since up to 56 characters are allowed for the password, a multi-word passphrase would be a very good idea (as long as it’s not on one’s Facebook page).
Question: Does bcrypt provide adequate encryption technology today?
Regarding item 3, “it’s a pain”, see my post here regarding a Linux LiveCD PC and KVM switch:
http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/comment-page-1/#comment-88725
Mad Tux, a Linux system vendor no longer in business, used to sell a Linux LivePC. Similar concept.
(1) You’re overcomplicating this. If you want to go cross-platform, you can easily use GnuPG/GPG instead of the headache of bcrypt — then you’d have a GUI on both ends (for less technically savvy users). You could also encrypt the removable media itself, or make a “container” on it to hold multiple files (like a loop filesystem), via TrueCrypt (also cross-platform — also opensource, like gnupg, and even more user-friendly than GPG is). There’s no reason to make encryption unnecessarily complicated.
(2) People keep complaining about printer drivers but there are plenty of liveboot OSes out there with them. You could also use the handy print to PDF (or postscript, if it suits you more) available in most modern browsers and plenty of other applications (on linux or otherwise) and shuttle things back and forth as in (1).
(3) As for browsers themselves, one can almost always grab an updated copy of the portable version of (firefox/mozilla or other) for linux if there is some major upgrade or security hole. Or as I said, apt-get or yum will update specific packages without having to install the OS itself or grab extraneous packages you don’t care about to keep the bandwidth down.
It’s complicated because, in the spirit of Brian’s article, I’m trying to stick with what is available on the Puppy Linux LiveCD. For encryption, it;s bcrypt. Also, neither GnuPG/GPG nor TrueCrypt are available as packages for Puppy Linux. And even if they were available, a user would have two choices: 1) download, install and configure the alternate encryption software each time the LiveCD is run or 2) download, install and configure the alternate encryption software, create a remastered LiveCD and boot the remastered LiveCD in the future. Less technically savvy users would have plenty of trouble with these options too as they are also complicated.
As far as cross-platform encryption tools go, I’d rather have users familiar with Windows install Windows software to reach parity with Linux, than the other way around or have to install software on both platforms.
Perhaps Puppy Linux is not the best choice for a LiveCD if cross-platform file encryption is a requirement. Just for the record, there is a bcryptFE project at SourceForge, but the software is unfinished and was designed to run on Windows XP as Admin.
The U.S. Air Force Lightweight Portable Security (LPS) – Public LiveCD would probably be a better choice than Puppy Linux as it ships with a Java-based Encryption Wizard (EW) that runs on any platform that has the Java runtime environment installed. The EW provides a drag-and-drop interface which makes it very easy for the user.
Hi. Interesting article, as always.
As someone whose paranoia far exceeds their knowledge, I assume the download is the ‘Slacko Puppy’ rather than the ‘Lucid Puppy’. Could you confirm?
Thanks
Chris
Chris
Downloaded the Lucid Puppy and it works fine. I chose option 2 because of a preexisting Ubuntu installation.
+1 for pendrivelinux link ;), but I would like to recommend this one to follow
http://www.pendrivelinux.com/yumi-multiboot-usb-creator/
Actually it could be main article body, but in that case article will be too short: run YUMI, choose your usb drive, then select distrib you want to boot, check “download” and hit OK button ;).
With YUMI I did set up 10ish different Linux distribs on my 16Gb usb stick in an hour when I need to try different LiveCDs. It’s much easier to use than download\burn\cd boot routine.
Hi Alexey,
The problem with USB in general is things can be changed on disk (and hard write-protecting on USB fobs really isn’t there in most cases). The upside to a CD or DVD burn is that on-disk cannot be altered. I’d recommend at least obtaining a USB with write-protect, but for companies/corporations or (sorry to sound prejudicial) anybody banking with a LOT of money (the bigger target here, and the one with the bigger payoff for most people), it’s absolutely better to use totally non-rewriteable media.
If you have LOT of money – ask your ITSec service for strongly protected device dedicated only for online banking, even with commodity hardware like netbooks you can get pretty protected and working system. And it’s not a rocket science to setup one.
CD\DVD\USB and live boot is just cheap alternative with some advantages and disadvantages.
And sometimes you will be required to apply some changes on your OS, like java or browser security patching routine. USB will allow this, CD will not. In last case you ever will wait until distro-maintainer release “patched” version of OS ISO.
Of course, but you can still apt-get update or yum update and selectively get packages. Ultimately, though, you’d use something good enough, only use it for this purpose, and shut it down again. And yes of course if you had a lot of money you’d get the appropriate kind of USB, I was just assuming you were not forking out hundreds of dollars/euros/rubles/etc; most people will not. For most people, CD/DVD is the way to go.
If we are picking nits, I’d recommend a smaller and more secure out of the box distro for this but user-friendliness will obviously make people happier than something like a hardened OS. In this case, optimally, updates are less crucial for something you will only keep open for some minutes or hours at a time, and minimally — the point being not to mix this sort of online activity with other things you are doing.
If you’re getting malware off of the banking site itself (which is what a ‘solution’ like this is really meant for, right?), I’d argue you — and everybody else — would have much bigger problems (and the bank would have culpability, anyway)).
Im running Ubuntu 12.04 as a guest virtual machine running inside VirtualBox on a Win7 Prof 64bit Host with all current updates (2012 07 11).
Is this as secure as either a full Linux install or live cd?
If not, I guess I need to switch to linux.
No this is not as secure as a full Linux install or a Live CD for the simple reason that if your host OS is compromised and a key logger installed, the virtual system is still vulnerable.
I could see a password manager possibly bypassing the keylogger issue. Since the password being entered with the keyboard would not match the one being applied by the manager, a keylogger wouldn’t ever record the bank account password. The initial entry within the VM could be accomplished using an onscreen keyboard.
This will do nothing, of course, to prevent screencap malware from getting what one doesnt get outright from the keyboard itself (and most people do have keyboard integration with their VM program — hence why you can copy something in many VM host systems, and paste into a guest OS). The poster should at least turn off guest tools and integration of this manner, which is easy enough to do in preferences/settings in the VM program itself (I assume the poster is advanced enough to be able to find these options themself if he/she was capable of setting up the VM to begin with).
I’m not convinced Brian’s method will completely save the user, for the record (though obviously anything is better than nothing). There’s still the possibility of being compromised via a bootkit and/or ram-based malware, I believe, which is where a lot of the banking malware is heading. Ultimately you may be slave to your hardware (and RAM). The real danger is believing this makes you safe. It does however probably make you safeR.
Ed, I do this too, but I don’t use the Win7 hostOS for anything on the internet AND the rest of the network doesn’t have Windows either.
If the Win7 desktop is your daily-use-OS, then I think the risks of keyloggers and other malicious software sitting on your hostOS is pretty great and not worth risking your business bank accounts over.
Further, part of the security of using a LiveCD is that any malware that might be installed during your banking session would not be saved. Having an installed Ubuntu defeats this security feature. You could create another VM and only connect the LiveCD, no hard disk, to the VM, but that doesn’t solve the issue with a compromised hostOS.
I guess the real question comes down to, “If you knew someone would steal all the money in your bank account and the only way to prevent it was to boot up a LiveCD before attempting online banking, is that inconvienence worth the added safety?”
Nobody thinks it will happen to them, but it happens to people just like you and I all the time.
In short: No.
The virtual machine host is software, it sends messages to the guest for your keyboard and mouse actions. It gives the guest OS a place to paint a screen. All of this is available to other software on your computer, via a key logger / screen grabber.
Virtual Machine hosts also inject software into their guests (typically “guest additions”), which then runs as trusted (typically, I suppose it could run as untrusted, but that’d be silly). At some point, someone will write an “evil” guest addition which will do more amusing things like installing Zeus into the guest (I’m waiting to read about that here).
The source for VirtualBox is available, so people can read/learn how to do that, but even if it weren’t, the financial incentive is significant enough that people will do it for the closed source competition.
Most VMs also support remote access (VNC/RDP style), normally they wouldn’t allow concurrent access, but replacing that restriction wouldn’t be hard, or you could just change the UI so it uses a RDP session with a “Tee” to the VM.
The reason a CD is valuable is that any attack on your system (after you create your CD) isn’t able to affect your session*.
*An attack against your BIOS is an exception.
**an attacker could plan to SlipStream into your ISO / Burning process – but I owe Brian a directed post on that.
Actually, the last 2 Android submissions did not show up either on Android or here.
I therefore presume that I am persona non grata.
Have a nice day and best wishes with the blog.
Bruce
Rather than setup, some computer show boot menu to establish which drives the computer looks at.
The main shortcoming of live cds is they are slow, and if you are operating off a wireless connection, it can be hard to get it set up and useful since nothing is saved from session to session.
My computers are all dual boot (into Ubuntu because it is easy). But keeping up any Linux distro can be a pain because the boot menu can shift around whenever there is an new image update.
Dual boot is fine, but there is still a fatal weakness in the person in from of the computer screen. USE IT ONLY FOR BANKING-NOTHING ELSE. That way you can only get a virus from a repository or the bank itself.
Technically, dual boot isn’t fine.
I’ve dual (triple) booted Windows+Linux. My Windows system could read and write to my Linux ext2 volume (this was 1999, but ext3 and ext4 are extensions, and the general statement applies). Nothing prevents malware running as root/Administrator from searching for Linux partitions and doing amusing things to them. The lazy attack is probably adjusting the software updates source list and possibly adding a “hidden” browser extension. Sure you could be a properly paranoid user using Bastille/TripWire, but you’re advocating to people who have never heard of them, and the malware could detect and corrupt those too. If you don’t use a readonly boot medium to validate the system / logs, you haven’t helped anything, you’re just promoting false security – it may hold you for an extra year, but then you’ll think you’re secure when you really are vulnerable.
“My Windows system could read and write to my Linux ext2 volume (this was 1999, but ext3 and ext4 are extensions, and the general statement applies).”
The only way that is possible is if you have installed third party software on Windows that provides access to Linux file systems. Windows does not have this capability by default.
Linux, however, can read and write from Windows files systems. Most Linux distros now provide the ntfs-3g file system by default.
If you mean Windows has physical access to Linux file systems by default, that is trivially true. But again, whatever software is being run would have to understand the underlying Linux file system. I am unaware of any malware running on Windows which has this capability (although I wouldn’t be surprised if it existed.) 🙂
I’m not saying such malware necessarily exists today. Brian’s article is designed to encourage “best practices”. Relying on malware *not* to improve is foolhardy. If most corporate customers switch to dual booting, you’ll start seeing malware which integrates ext* r/w and mucking through to install what it needs on Linux volumes.
@Richard;
This doesn’t meet the criteria of malware with cross-platform reading capability, but is interesting non-the-less:
http://www.zdnet.com/cross-platform-trojan-checks-your-os-attacks-windows-mac-linux-7000000656/?edition=asia
Hi JCitizen.
If You are using LiveCD / LiveUSB in RO mode then I can see only 3 scenarios of getting infected by the crossplatform malware:
a) Iso that You have downloaded had the malware pre-installed
b) Bank’s website was infected / infecting
c) ID10T error… Usually occurs between the chair and the keyboard…
Why? The answer is simple. When using a temporary RO platform to make the Internet Banking more secure You won’t be surfing other (unrelated) websites while doing so. This would be (at least) counter productive. You are going directly to the bank’s website. So unless LiveCD / LiveUSB has malware already in it OR the bank’s website is infecting with crossplatform malware – You won’t get infected. To avoid malware infested ISO You have to download it from reliable source that is recommended by the iso creators (and this goes without saying) that You trust… just like You trust Microsoft when buying their product / license. You cannot avoid the second method of infection as You cannot avoid going to the bank’s website – BUT You can minimize the risk of getting infected… Make sure that the browser (and it’s plugins) are up-to-date. If You do not need java scripts / adobe flash content (some banks demand both O.o) then disable the plugins. As You are probably aware Linux by itself is pretty secure – crossplatform malware uses holes from (as a name suggests) another platform – to infect the machine. The most common vectors for a browser attacks are… Flash and Java scripts… So like I said – if You don’t need them – disable them before browsing. The third scenario – we cannot do anything about that but to inform and educate the less PC savvy users…
Regards.
Andrzej
You’ve missed an amusing attack point:
The router. We traditionally trust DNS is safe and reliable. If DNSchanger or a successor has attacked your router and it now participates in MITM attacks and you don’t type ‘https://’ when you try to visit your bank, then you’re at risk. The attack will persist across reboots of your Live CD.
A few years ago I did a quick survey of major banks to see how they used SSL, many didn’t redirect all traffic to https. If a user normally visits http://www.theirbank.com/ and their router is conspiring against them, it can deliver a browser exploit (or just link to a standard MITM).
—
Be thankful your bank doesn’t require Java (Some banks in Europe do).
I stand corrected kind Sir.
Regards.
Andrzej
Very good points timeless and Andrezj;
I was mostly trying to point to that link for newbies who may not know that just installing Linux is not necessarily always going to be the safest option. The more Linux is used, especially on smart phones, the more likely malware coders will look at an attack vector.
Of course the user/operator is always the problem, hence the clever social engineering used in this latest cross-platform attack, for Linux users. There are many newbies now enjoying the ease of Linux distros, like Ubuntu, that are standardized enough to attract novices into the community. The only problem is some of them have to have java to interact with the bank site, and they think their invincible, much like many Apple users mistakenly assume, and they can get cracked.
Comcast was sued not long ago for forcing easily compromised router/modem(brouter?) hardware on their clientele, and they were regularly compromised. My sister was a victim of this, but fortunately she hadn’t started online banking and shopping yet. She switched providers and went with the ZoneAlarm Z100G(discontinued), which was a very economical UTM appliance, and hasn’t had a problem since. Of course this appliance requires java(Sofaware uses Linux), but has an unsuccessful logon timeout with alert, and you can change the user ID to a custom value, and of course remote management is blocked, and she uses a very complicated password to logon to the gateway.
I’m still not happy with the modem/firewall her ISP provides, but at least it isn’t on the list of compromised devices that is rapidly growing.(yet)
I also like Rabid Howler Monkey’s use of LiveCD and a KVM switch to definitely encase the network for the dedicated PC that is used for such purposes. Something like this is a cheap easy solution for SMBs, or larger enterprise, that just can’t afford full time IT security specialists, or consultants.
@Mike: “The main shortcoming of live cds is they are slow,”
Not all live cd’s have that problem. (Actually, I prefer DVD’s, which are somewhat faster, and hold more.) Puppy Linux is held completely in memory, along with a range of basic applications. Booting does require reading everything into memory, which takes a minute or two, but then the DVD can be removed. Subsequent operation runs straight out of RAM, and is faster than a hard drive.
“and if you are operating off a wireless connection, it can be hard to get it set up and useful since nothing is saved from session to session.”
Puppy can save almost everything, automatically. It saves to the boot DVD. This is very different from a hard drive system, in that saving must be commanded, and previous information is not erased.
The idea is to reboot and do the minimum needed to get updates, then command a Save. This writes a new “session” on a multisession DVD. (I use a DVD+RW which can be erased and reused). Since this is optical storage, it is useful to mount the DVD for exploration after every save to assure that the new save directory is present and readable, and if not, save again.
At boot time, only the latest file versions are loaded (although earlier versions on the DVD are still accessible). It is possible to explore the boot DVD for possible problems, and void the last n saves, if necessary. Or, one can start over.
My puppy version from On-Disc, is trying a new trick in automatically asking the user if they want to save all data to a remote drive or flash stick. I am testing this when I get the chance, but it is still a work in progress according to the developers.
The live CD or dedicated computer are very good suggestions and layers, but you also should demand that your bank provide you with true out of band authentication (OOBA) that includes a phone call for verification. I still don’t understand why more banks aren’t doing this. My bank implemented it and it is very easy to use. If your bank isn’t offering OOBA, find a new bank!
Phone calls that are VOICE are a good out-of-band method.
Some malware these days can spoof SMS out-of-band authentication, however.
Can you please name your praiseworthy bank? We should be lauding such banks, not teasing people by hinting at their mere existence.
This is fine but how does MS new hardware issue fit into this puzzle. I see they have decreed that very shortly HW will need this little key option in order to be certified M$.
ole.
RedHat and Ubuntu have gotten signing keys. Others will too. Either direct from Microsoft or via RedHat/Ubuntu.
Or you could turn off the feature (you don’t plan to buy an ARM desktop anytime soon, right?).
I wouldn’t turn off the feature as it theoretically protects you from the equivalent of an attack on your BIOS (well, EFI, whatever, the beginning of the boot sequence).
I do not want to sound like a fanboy but… It’s not only the internet banking that one should use Linux for. Linux is great. I have been using PCLinuxOS distro for over 5 years now – works perfect and is much safer them Microsoft products. Stuxnet, Duqu, Flame – these are all Windows based viruses – the “Olympic Games” program would be much less successful and much harder to get in motion if government officials in Iran did not used Microsoft products on their machines on a daily basis. Most of the trojan horses / viruses used to retrieve Your banking credentials / credit card numbers are Windows based viruses… So yeah… I agree with Brian. Use Linux Livecd / LiveUSB to get Your banking done. If You use LiveUSB – use it in read only mode to avoid any data being stored – this way You always get fresh, clean and safe working environment. Also… Make sure You choose distribution with latest java / flash player versions.
PCLinuxOS is downloadable in a LiveCD form (and comes with a PCLinuxOS LiveUSB creator tool preinstalled), it’s stable, it’s fast and it has yet to disappoint me. Once installed it can be upgraded, tweaked AND remastered (term used to describe making .iso file from Your current installation) so basically after You have tweaked Your installation create iso from it, burn it to cd / dvd and You have a perfect secure and up-to-date portable banking base…
Regards.
Andrzej
I’m highly in favor of using a Live CD for banking, and thank you for providing a useful step-by-step for nontechnical users.
I realize the piece was written from a Windows perspective, abut since you mention Macs in the text, it might be a good idea to warn folks that this won’t work on a Mac.
While the instructions won’t, you can boot your Macintosh with other OSs from a CD/DVD. I’ve used OpenSolaris and Linux.
Brian’s instructions are specific to one type of BIOS, I think (question for a top post), anyway.
For those of you who are not IT savvy enough to follow Brian’s excellent instructions, you can purchase a locked down ironkey USB stick that is configured specifically for your bank.
I am not an ironkey representative and there may be other vendors who offer similar solutions, but for some businesses or even individuals this may make sense.
Personally, I use MacOS and a restricted browser image (one configured just for online banking and nothing else)
https://www.ironkey.com/trusted-access-banking
Brian: in days of old, there were a couple of BIOS vendors (Award, AMIBios) with slightly different menus and keys, did they standardize or are you just reporting from one (which)?
I suggest a few different keys for getting into the BIOS, depending on what kind of computer you have it may vary. I’ve never seen a menu that didn’t include the Boot column. Are you saying yours doesn’t? I’d be curious to know the steps you use to get into your bios. Sounds like it’s somewhat different.
The most common used keys are Del, F1, F2, F10.
Old IBM Thinkpad (in my case 600E) laptops need to have F1 or F2 pressed and hold for several seconds before they allow You to access bios.
Regards.
Andrzej
(last comment)
Microsoft let’s you build CD/DVD’s to install Windows where you can roll in updates – the process is called SlipStream’ing. Nothing prevents malware from recognizing an ISO Burner and detecting a Linux ISO and doing something similar. An Md5sum of the disk against the ISO isn’t safe from the computer where you did the burning. Nor can you trust the CD once burned. I think you’d want to check-sum in a second computer preferably one that hasn’t had the ISO on it.
Yes this is slightly paranoid, but a few years ago people assumed web banking was safe.
Or you can just buy the Live CD directly from the vendor (e.g., Ubuntu).
http://shop.canonical.com/product_info.php?products_id=976
Single CD = $7.26 ( £4.71)
Pack of 10 = $13.10 (£8.50 )
I do same, only at On-Disc; they have very reasonable S&H terms.
“Nothing prevents malware from recognizing an ISO Burner and detecting a Linux ISO and doing something similar. ”
No, but as I mentioned above I am unaware of ANY Windows-based malware which is capable of inserting malware into a Linux file system.
There are malware which can drop an appropriate malware package for either Windows or Linux, but these are extremely rare as well.
You’d have to be really under a direct attack for this sort of thing to happen. The mere fact that so few people would be doing this sort of thing prohibits the likely development of such a capability. If a significant percentage of people (or at least corporations) started using Linux to do banking such that the malware writers started losing money, then perhaps this sort of thing might be undertaken. More likely, however, is that more malware directly against Linux would be written rather than this round-about way of subverting Linux. Attempts to backdoor distros have been tried and probably would be tried more as well, but with likely limited success.
While I’m personally a fan of Linux, I suspect some business owners will not tolerate it (or the process of booting from USB). Personally, I would promote the use of a $500 dedicated and locked down Windows 7 machine that only allows access to the necessary URLs and denies everything else. It’s really not that hard to configure.
On the Puppy on USB front people might this useful – http://www.isotousb.com/
there are dozens to choose from
I’d suggest a very strong preference for AFRL’s LPS distro run on a USB stick, rather than a Puppy Live CD. Security on an untrusted box—the entire purpose behind booting Linux for personal banking—is baked into the design of LPS. Secure comms capabilities. No mounting local drives. Only utilize CPU and RAM. No persistence. No trust of the local box. No admin privileges granted or required.
LPS is the natural choice for secure comms on an untrusted box, and you’d be doing your readers an even greater service if you walked them a local live Linux boot using LPS as your main example for secure local computing.
@stvs: “there are dozens to choose from”
Not all “Live” Linux designs are the same. One fundamental distinction seems to be between “distributions” intended to be used as-is, with no user-update available, and other designs which allow user-update:
If the only use is to be for banking, update, per se, is less important. But you still have to depend upon eventual updates from somebody else, on their schedule. You still have to use the operating system and browser somebody else configured the way they imagine is most useful. For many users, they will be wrong.
In contrast, Puppy Linux supports user update through a unique and novel facility for writing changes back to the boot DVD. This is user-controlled, and does require a re-boot immediately before doing an update and Save, to assure that no malware is present.
Puppy Save allows the user to add operating system drivers for particular hardware (such as a modern video card), configure for particular printers and scanners, select a particular browser, configure it, add add-ons, update each piece separately as needed, and save the result as a new “session” on a multisession DVD. At boot time, only the new files are loaded into RAM, producing a fully-updated system.
Continuous changes in Web protocols and attacks mean that any particular fixed browser design cannot have the best security features. Browser security add-ons are thus particularly important for system security. Although each browser has various pluses and minuses, the Firefox browser supports, and I use, Addblock Plus, Certificate Patrol, Ghostery, NoScript, Perspectives, and Safe, among others. In particular, Safe simply puts a red frame around SSL (https://) pages; the frame then becomes part of the expected security environment when working.
“I’d suggest a very strong preference for AFRL’s LPS distro run on a USB stick, rather than a Puppy Live CD.”
As I pointed out in my response to the US Government,
http://www.nist.gov/itl/upload/Ritter_ADVISING-THE-GOVERNMENT-ON-BOTS.pdf
LPS has issues. Because it is of the “no user update” school (the last time I looked), LPS lacks hardware configuration, user browser configuration and browser security add-ons. I prefer the alternate approach.
The main problem of Live CDs is that you have to download and burn a new one each time there is a security upgrade for the browser (or a browser plugin/pdf viewer included to the CD). Many Live CDs allow sudo without a password so an attacker can trivially get root access and install malware on the main system on the hard disk after exploiting a browser vulnerability. Since security updates for web browsers are quit frequent, users would be required to update the live cd at least every few weeks in order to stay secure. Most users will obviously not do this and using an outdated Live CD can even increase the risk unless you remove the hard disk before running the Live CD.
If you only use the Live CD for banking you can still use an outdated browser safely under the assumption that the banking site is well secured and doesn’t try to exploit browser vulnerabilities.
@Ed Roberts:
From a theoretical point of view using a virtual machine doesn’t protect against attackers who have already infected the host system. However, most banking trojans out there only manipulate banking done from the infected host system itself and ignore the virtual machine you use for banking.
I think Jakob’s point is probably the most important. LiveCD’s are better than a continuous system IF you are continuously getting updated versions.
If you don’t keep on the bleeding edge with downloading new liveCD’s, you’re just picking your poisons. An old liveCD will not have a virus from your last browsing session, but may be vulnerable enough to get hacked by a MITM or other problem just during your banking session. A “normal” system might have been patched against that by virtue of easier, automated, regularly scheduled updates to it’s writable drive.
note, though, Jakob, that you may NOT be able to safely use an outdated browser if your system is vulnerable to a DNS poisoning attack, or several other problems where you THINK you are talking to your “safe” bank, but someone else is in the conversation. Or your LiveCD is running some other random easily compromised service; maybe a sendmail or http server… I know most don’t, but some do, and if this guide is for a newbie using a dartboard to select a linux distribution, they might get a poor option.
All that said, Linux is a smaller target area than windows, so a person is probably safer with EITHER a long-running linux system OR a liveCD; but for how long?
@greenup: “I think Jakob’s point is probably the most important. LiveCD’s are better than a continuous system IF you are continuously getting updated versions.”
Well, no: On the one hand we have a LiveDVD system which is “difficult or impossible” to infect. On the other hand we have a normal hard-drive system which very obviously can be infected. Are these equally “secure?”
Infection is our main problem because infection brings back malware on each session. That makes infection responsible for most malware execution time. A system which cannot be infected is a massive step toward limiting malware execution. More than that, reboot a LiveDVD system and all running malware, exposed or not, simply goes away. Most systems have nothing at all like that.
In the end, the risk from a lack of updates depends upon encountering malware code. Normally that comes from a hacked website, or Trojan email, or a USB flash drive. Do not do those things. Just do banking.
“If you don’t keep on the bleeding edge with downloading new liveCD’s,”
Not all LiveDVD systems are the same. Puppy Linux allows programs to be individually updated, and written back to the boot DVD in a new “session” in a multisession DVD. As a result, programs can be updated in pretty much the same way as on a hard-drive system, except for requiring booting immediately before doing updates and a Save.
“An old liveCD will not have a virus from your last browsing session, but may be vulnerable enough to get hacked by a MITM or other problem just during your banking session.”
Any alternative system will be at least as vulnerable as a LiveDVD, provided the DVD is updated periodically.
Yes, it is necessary for the user to boot immediately before banking, then do only banking, while banking.
The main problem is infection, not malware per se. Getting malware during a particular session is rare. Systems which support infection accumulate those rare possibilities into a certainty, and then an endless future reality.
@Terry Ritter:
are we talking apples to apples, apples to oranges, or apples to lawn gnomes?
“On the one hand [X] we have a LiveDVD system which is ‘difficult or impossible’ to infect. On the other hand [Y] we have a normal hard-drive system which very obviously can be infected.”
X still has a writable filesystem SOMEWHERE in order to operate. /tmp, at least. usually implemented in memory kinda like old ramdisks. It is usually cleared after each boot, but it still IS an area where a virus or trojan could be written during the session, and from there, execute. As you point out, some LiveDVD systems even will persist things via an additional session on the DVD. Good things? bad things? which ever. net benefit over Y? Zero.
Unless we are assuming Y is a windows box. I was looking at the question from as close to an “apples-to-apples” scenario as I could, which was X: Linux LiveDVD vs Y: Linux installation on a hard drive. we could think about Z: Windows installation of some kind, and agree that X or Y are much better than that.
“Any alternative system will be at least as vulnerable as a LiveDVD, *provided*the*DVD*is*updated* periodically.” (emphasis mine)
I think this embodies some of the point I was making: if you don’t do work to update the DVD regularly, you may wind up LESS secure than a box that doesn’t get a frequent brain-wipe through reboot, because “Y” could have the benefit of automatic security updates. (and this goes double for “X” that has some kind of persistent storage through dvd sessions, because that provides a place for infection, not just your banking data, to persist and come Back next LiveBoot)
One other bit about whether we are comparing apples to lawn gnomes: I am assuming that “Y” is ONLY used for banking, (as you say, “Do not do those things. Just do banking.”) to focus on the issue of whether it is the “LiveDVD” factor that is saving us.
Not that I really have a problem with LiveDVD’s, I just don’t think that they are a cure for this problem.
@greenup: “X still has a writable filesystem SOMEWHERE in order to operate.”
When malware *infects* a system, it does more than just run; it somehow changes that system so the malware payload will be invoked and run on future sessions. Normally the *infection* will be some sort of change to hard drive data, so on the next boot the changed system will be active. This *infection* process is trivial with a hard drive, but not even possible on a DVD-based system, unless the malware can write to the DVD.
Malware can *run* independent of infection, which is not great, but that same issue occurs in all systems. The fact that it does occur means that all the “frontend” protections, such as firewall, anti-vi scanning, browser, and browser security add-on’s, have failed. Addressing *infection* is additional protection beyond what a normal system offers.
Malware *infection* is a particularly important issue, because there is only a small and likely random possibility of new malware getting into any particular session:
* With a LiveDVD system, any malware which does get in has to find its way in again next time to run next time. In contrast,
* An infectable system *accumulates* the rare random possibility into a virtual certainty of *infection*; then the system remains *infected* for foreseeable future. Typically the malware may wait for a banking connection and then pounce.
“net benefit over Y? Zero.”
Net benefit over Y? Massive.
“if you don’t do work to update the DVD regularly, you may wind up LESS secure than a box that doesn’t get a frequent brain-wipe through reboot, because “Y” could have the benefit of automatic security updates.”
Most people would say that the “security” of their computer describes an overall risk. When we discuss improving “security,” a system vastly more secure in one way can afford some risks and still be more secure than another. It is necessary to compare the extent of each supposed problem.
If a system can be infected, it almost certainly will be, eventually. A DVD-based system avoids that risk almost completely. That is the difference.
How great is the risk of not having a security update, when all one is doing is going to the banking site and then, you know, banking? Where does the supposed attack come from? Usually it would be from some other website, or email, or a USB flash drive, so do not do that. Then where is the risk?
That said, we expect eventually to do things other than banking, and then we might like to have an updated browser and add-on’s. Updating is useful, and important enough to reject systems which make that difficult or impossible. But updating is not desperate.
“I am assuming that “Y” is ONLY used for banking,”
Yup.
Terry Ritter: “Where does the supposed attack come from? Usually it would be from some other website, or email, or a USB flash drive, so do not do that. Then where is the risk?”
Changing your Behavior while using the system CERTAINLY reduces your attack surface, but it does Not eliminate it. If your DNS is poisoned, maybe you are not going to your REAL bank website. Also, just BEING on the network is a hazard, if another host can craft a malformed packet that your system is vulnerable to. The TCP/IP stack could be your weakness. As just an example, back in 2007 someone demonstrated an attack on BSD’s IPv6 stack that allowed them to take over the whole machine, from sitting somewhere else on the network. (http://www.scmagazine.com/openbsd-flaw-exploits-ipv6-weakness/article/34753/)
Terry Ritter: “because there is only a small and likely random possibility of new malware getting into any particular session”
Internet Storm Center, 2004: “The average unpatched Windows PC lasts less than 20 minutes on the Internet before it’s compromised”.
That’s windows, but if malware writers targeted linux, it could follow the same path.
For Today, I will concede the point that this means that a not-necessarily-fresh read-only LiveDVD (X) running Linux will be safer than a standard Linux system (Y), or an up-datable Linux LiveDVD (which I will contend is equivalent to Y) because the time to attack is longer than a likely banking session. After that point is reached, I think that an automatically patched (writable) system (Y) would be as or more secure.
sorry about any “attitude” in the above response; woke up on the wrong side of the bed this morning.
My puppy linux runs completely in RAM. I’m pretty sure it can be updated per session. This shouldn’t take very long, but I reserve judgment until I get done testing this new version.
I know I have read that their are LiveCD distros that rapidly update every time you boot, making buying or burning new CDs necessary only once and a while. The process was reported as being very rapid indeed.
I use Key Scrambler. Doesn’t that protect no matter how I access my bank account? Of course, my system is fully protected with anti virus and all patches are up to date. I use Firefox and Chrome and avoid IE for my browsers.
It doesn’t protect against screen capture, session riding, or someone who may have remote control of your PC from using other brute force methods.
Keyscrambler is only on rung in the ladder of PC security. However for all SMBs with electronic banking, Brian’s plan is the most economical; and simple(yet very effective) to implement. Even then, I’d never do without a hardware firewall, I can’t imagine any business without that as a bottom line.
I used to use a Fedora USB but it stopped booting, I have no idea why. If I remember correctly I had to install flash on the drive to use it for my bank. Can you install flash on a CD?
“I had to install flash on the drive to use it for my bank.”
Wow…There’s a bank that is utterly clueless. Flash is riddled with security holes.
I suggest you switch banks because they’re idiots.
From the article:
“Don’t use Microsoft Windows when accessing your bank account online.
From the lead in to the article, one could presume that you are referring specifically to small and mid-sized organizations. Is this true? Or does this recommendation apply more generally and include consumers as well?
Thanks
Yes, my Live CD advice is generally geared toward small business owners who do not enjoy the same fraud protection guarantees that consumers have. But this advice could just as well keep consumers out of trouble: having to deal with crooks stealing money from your debit card/account is still a PITA, and may mean the temporary unavailability of funds while the bank investigates.
Two remaining issues:
1. User still has to type in bank url. Typos can lead to phishing sites. Some people don’t know how to type in a url.
2. Users have to remember and type in their passwords. Some people don’t know their password. Will lead to people using simple passwords.
Possible, and probably dumb, suggestions:
1. Create bank-specific live CDs. When it starts up it kicks off a browser that (only?) goes to one bank’s login page.
2. Companies like LastPass get in the business of distributing LiveCDs with their plug-in already in the browser.
I would throw these into the hat for Linux boot CD’s to secure Internet banking.
WebConveger – http://webconverger.org/ or http://webconverger.com/ – Browser only – can be modified to change the home page to your financial institution. We use them as Internet kiosks with modified home pages and use of proxy servers.
LPS – Lightweight Portable Security – http://www.spi.dod.mil/lipose.htm – Browser plus a whole lot more.
The BIGGEST problem with LiveCD’s though, is accounting packages. Quickbooks runs under windows, not linux, and in any case you would want a Writable location for continuous use of your data. This could be done with a usb stick, but then you have a significant extra complication, as well as a disease vector.
There are many ways to make a Windows PC more secure in your instance. [Isn’t there a Quickbooks for Apple? – I was sure my brother just bought it]
A combination of blended software and hardware defenses. See your local IT consultant.
The QuickBooks/Quicken issue is a dealbreaker for a lot of people and businesses. They aren’t logging into their bank via a browser at all.
If they didn’t care whether they could upload their data directly from Quickbooks, it would also be pointless to reboot with the live CD. If you’re rebooting 3 times a day, it quickly becomes less expensive as far as employee productivity to just have a separate PC that does nothing but interact with the banking website. But manually transferring accounting data between the two computer systems becomes hugely expensive in terms of employee time wasted.
Probably wouldn’t hurt to isolate it behind its own hardware firewall, or other physical isolation method on the LAN either.
Nice idea but no one will ever do it. I can’t even get my clients to stop using IE.
Regardless of all the comments, GREAT idea/process.
There are a number of general issues being conflated here.
First, the vast majority of malware is for Windows. As far as I know, there is NO banking malware written for Linux. So it doesn’t matter whether you use Linux on a Live CD, a USB, or installed on your hard drive. You’re not going to get infected TODAY and for the foreseeable future if you use Linux until enough people start using Linux for banking that it becomes profitable for malware writers to target Linux. The odds of that happening are very low.
Second, there are so many ways to breach security on a computer (not to mention the end user) that no one method is going to save you. Again, it becomes a question of cost-benefit for the end user and the malware writer or hacker.
Third, as rider says above, the vast majority of end users simply can’t cope with the notion of a Live CD or Linux. Probably even fewer small business owners can.
Fourth, you can also create Windows Live CDs which will provide you with much of the same benefit as a Linux Live CD. The problems are that creating a Windows Live CD is usually harder than creating a Linux one.
Also, there is the issue of a Windows Live CD possibly having vulnerabilities – although the much reduced attack surface of a crippled PE-based Windows XP or Windows 7 CD version makes that harder. You also cannot update a Windows Live CD easily unlike some Linux Live CDs.
But at least a Windows Live CD such as LiveXP can be made to look enough similar to a real Windows OS that an end user might be able to use it. And a lot of these Windows Live CDs come with system repair tools that can come in handy as well.
For years banks have entertained the idea of distributing a live Linux distro to their clients but virtually none have done it because off-the-shelf solutions aren’t a particularly good fit for the application. For instance;
1. Off-The-Shelf distros generally have public root passwords or all users are run with root privileges. Both are undesirable for banking.
2. Network sharing is often enabled by default allowing MITM attack
3. Firewalls are often disabled or not properly configured
4. Off-The-Shelf distros often include or allow use of packages like Flash known to be a vulnerability.
5. Making properly configured live USB’s is too complicated for most consumers and small business owners. Even Puppy Linux is a multi-stage CD to USB process and it takes technical skill configure a package properly.
Of course Linux afficianados can make a custom build for themselves, but for the rest of the world the solution must be point & click.
Fortunately there is already a security-hardened Linux distro made specifically for online banking. It’s called CyberShield-OS and it’s used for by small businesses in over 55 countries. It’s a free single file download that allows one to create a live CyberShield-OS USB or CD directly from Windows with a few mouse clicks. Once launched the entire platform is autoconfiguring with integral browser, firewalls and other features enabled. For enhanced security the USB is configured as non-persistent and it runs only in ramspace. Each use creates a trusted workspace for their bank session and it just works. For those that want added security they can get the write-protected USB version with software pre-installed. There are video tutorials that shows users how to do everything;
http://www.cybershieldsolutions.com
CyberShield-OS is the best example yet of a custom Linux distro ready to deliver the promise of “safe” banking to the masses.
Thanks for that Sandy. The videos are excellent and clear, even for those of us who are technologically-challenged…
That site has no web rep – it will take a while for me to trust them.
I use Ubuntu off a USB stick for my banking and online trading, etc.
For printing, I have to select my printer and install it whenever I need to print as it does not save anything. It takes some trial and error figuring which printer driver works.
There is always a price for security, but it is well worth it.
It seems to me that the simple solution to this is not to ask consumers to become technologists. That’s never going to happen among a significant part of the population. My Dad is 87 and I can’t imagine him attempting to boot from any CD, let alone Linux.
A good start would be to implement optional and inexpensive 2-factor authentication. Maybe offer people that, using something like a YubiKey, for $10 or $20 a year. Have a lower level of liability for those who opt in. Say the YubiKey costs the bank $10 and they charge consumers $20 – put the extra $10 into insurance for those who opt in.
Time for some creative thinking, but I don’t think Linux or any other boot-from-CD operating system is the answer for most people.
I didn’t think my clients would adopt my configurations and security apps either, but after they get hosed, they have a wonderful compliance record! ]:)
I’m a lot more forceful when talking to SMBs.
Using a Linux LiveCD for online banking doesn’t have to be disruptive. One can use a dedicated Linux LiveCD PC.
1. Turn a discarded PC into a Linux LiveCD PC – get your hands on a discarded PC, remove (or disconnect) the hard drive, place and leave the LiveCD in the CD tray until the iso is updated (every few months), download the new iso, burn it to a CD-R and replace the old CD-R
2. Get a KVM switch – use your Windows PC keyboard, monitor and mouse for both your Windows and Linux LiveCD PCs
Process: Boot the Linux LiveCD, set the KVM switch to the LiveCD PC, do your online banking, shut-down the LiveCD PC and set the KVM switch back to the Windows PC.
Clutter? Put the LiveCD PC on the floor beneath or next to your desk. Or even somewhere on your desk if it is a small-enough form-factor.
Alternatively, a discarded laptop or netbook could be placed in a desk drawer or on a shelf between uses and there’s no need for a KVM switch.
P.S. You might find that the LiveCD PC makes a good “surfboard”, especially if the LiveCD boots to RAM. Just remember to reboot the PC prior to conducting any online banking.