An investigative series I’ve been writing over the past three years about organized cyber crime gangs using malware to steal millions of dollars from small to mid-sized organizations has generated more than a few responses from business owners concerned about how best to protect themselves from this type of fraud.
I said this nearly three years ago, and it remains true: The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online. All of the malware used in the attacks I’ve written about is built for Windows. That’s not to say bad guys behind these online heists won’t get around to targeting Mac OS X, or users of other operating systems. Right now, there are no indications that they are doing this.
The quickest way to temporarily convert your Windows PC into a Linux system is to use a Live CD. This involves burning a downloadable image file to a CD, inserting the disc into your computer, and rebooting. If this sounds difficult, don’t worry, it’s not.
Here’s a step-by-step guide that should get you up and running in no time flat, with Puppy Linux, an extremely lightweight and fast version of Linux. If you’d prefer to try another distribution, there are dozens to choose from.
-Grab a copy of the latest Puppy Linux ISO file from this link. If you don’t have software for burning bootable images to disc (or don’t even know what a bootable image is), grab a copy of the free and fast ISOBurner software.
-Insert a blank CD, tell ISOBurner where to find the ISO file you just downloaded, and let the software write the file to the disc.
-Leaving the CD in your computer, reboot the PC. We next need to make sure that the computer knows to look to the CD drive first for a bootable operating system before it checks the hard drive, otherwise this LiveCD will never be recognized by the computer. When you start up your PC, take note of the text that flashes on the screen, and look for something that says “Press [some key] to enter setup” or “Press [some key] to enter startup.” Usually, the key you want will be F2 or the Delete or Escape (Esc) key.
When you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse will not work here, so you’ll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu named “Boot”. Hit the “right arrow” key until you’ve reached the screen listing your bootable devices. What you want to do here is move the CD-ROM/DVD drive to the top of the list. Do this by pressing the down-arrow key until the CD-ROM option is highlighted, and then press the “+” key on your keyboard until the CD-ROM option is at the top. Then hit the F10 key, and confirm “yes” when asked if you want to save changes and exit, and the computer should reboot. If you’ve done this step correctly, the computer should detect the CD you just burned as a bootable operating system. [Unless you know what you’re doing here, it’s important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit F10, and select the option “Exit without saving changes.” The computer will reboot, and you can try this step again.]
-My computer took about 90 seconds to boot up into the Puppy desktop, and it was ready to surf the Web. I should note that while Puppy includes support for wireless devices, the simplest approach is to connect your computer directly to your router via an ethernet cable.
-When you’re done, click the Puppy start menu, and select shut down or restart. To get back into Windows, simply eject the disc and reboot normally.
-If, after you’ve set up a Puppy Live CD, you decide you’d like to run Puppy off of a USB stick, follow these instructions, which make it a point-and-click exercise.
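One check the steps above skip is confirming that the downloaded ISO is the one the distribution published before you burn it and trust it as your banking boot medium. The script below is an added example, not part of the original article or of Puppy Linux: it compares a file's SHA-256 against a checksum you copy from the download page and, for the USB-stick variant, refuses to write the image unless that check passes. It assumes GNU coreutils (`sha256sum`, `dd`) on a Linux host; the hash in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): verify a Live CD ISO against a
# published SHA-256 before burning it, so a corrupted or tampered download is
# caught before it becomes the "trusted" system you bank from.
# Assumes sha256sum(1) and dd(1) from GNU coreutils; the expected hash is
# copied by hand from the distribution's download page.

# verify_iso ISO_PATH EXPECTED_SHA256
# Returns 0 when the file's SHA-256 matches, 1 otherwise.
verify_iso() {
    iso="$1"
    expected="$2"
    [ -f "$iso" ] || { echo "no such file: $iso" >&2; return 1; }
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso matches expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $iso" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# write_usb ISO_PATH DEVICE EXPECTED_SHA256
# Writes the image only if the checksum verifies. DEVICE must be the whole
# stick (for example /dev/sdb, not /dev/sdb1); everything on it is erased.
write_usb() {
    verify_iso "$1" "$3" || return 1
    dd if="$1" of="$2" bs=4M conv=fsync status=progress
    sync
}

# Usage (placeholder hash; use the real one from the download page):
#   verify_iso puppy.iso 0000000000000000000000000000000000000000000000000000000000000000
#   write_usb  puppy.iso /dev/sdb 0000000000000000000000000000000000000000000000000000000000000000
```

The point of splitting `verify_iso` from `write_usb` is that a bad download fails loudly before any disk is touched; a checksum copied from the same page as the ISO only protects against corruption and casual tampering, so prefer a signed checksum file when the distribution offers one.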
Possible future Krebs report – some case studies of small businesses that have switched to using a Live CD. … are there substantial inconveniences? How do they deal with the inconveniences, etc.
The main inconvenience that could rear its ugly head is that to get the full security benefit you have to disable storing files on the computer’s hard drive or portable storage. It doesn’t help to start with a clean OS on every boot if it gets infected over and over from some infected file. But that shifts your storage onto a network drive or cloud service the security of which you still need to verify. You may also find it highly desirable to make a custom disk with the settings and software that you need. And make sure that your users aren’t using outdated disks.
The Linux live CDs I saw would not even mount the hard drive, let alone launch any hardware that is on it.
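Whether a given live CD really leaves the internal disk untouched is something you can check from inside the booted session rather than take on faith. The script below is an added example, not code from the post or from any commenter: it reads a mount table in the `/proc/mounts` format (device, mount point, filesystem type, options) and flags any block device that is mounted read-write, which is what would undercut the "nothing is written to the hard drive" assumption. The mount tables it is exercised on here are constructed samples; `check_live_system` runs the same check against the real `/proc/mounts`.

```shell
#!/bin/sh
# Added example (not from the post or its commenters): detect internal-disk
# mounts from inside a live session. Input is the /proc/mounts format:
#   device mountpoint fstype options dump pass
# check_mounts reads that table from stdin so it can be run on a constructed
# sample as well as on the live file.

# check_mounts < mount_table
# Prints one line per block-device mount; returns 0 if every block device is
# mounted read-only, 1 if any is writable.
check_mounts() {
    found=0
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in
            /dev/sd*|/dev/hd*|/dev/nvme*|/dev/mmcblk*|/dev/mapper/*|/dev/md*|/dev/sr*)
                # options look like "rw,relatime" or "ro,relatime"; wrap in
                # commas so "rw" is matched only as a whole option
                case ",$opts," in
                    *,rw,*)
                        echo "WRITABLE: $dev on $mnt ($fstype)"
                        found=1 ;;
                    *)
                        echo "read-only: $dev on $mnt ($fstype)" ;;
                esac ;;
        esac
    done
    return "$found"
}

# Run the check against the running system.
check_live_system() {
    check_mounts < /proc/mounts
}

# Constructed sample: a live session that has mounted the internal disk
# read-write (the case the check should catch).
SAMPLE_BAD='rootfs / rootfs rw 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
/dev/sr0 /mnt/cdrom iso9660 ro,relatime 0 0
/dev/sda1 /mnt/sda1 ext4 rw,relatime 0 0'

# Constructed sample: only the boot medium is mounted, and read-only.
SAMPLE_OK='rootfs / rootfs rw 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
/dev/sr0 /mnt/cdrom iso9660 ro,relatime 0 0'

# Usage: printf '%s\n' "$SAMPLE_BAD" | check_mounts   (returns 1)
#        check_live_system                             (on the real system)
```

Note what this does and does not establish: it catches the live system itself mounting a disk, which is the ordinary case, but a compromised session can mount the disk after the check has run, so treat it as a sanity check on the distribution's behaviour, not as protection against malware that is already running.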
The biggest security risk is that a live CD may not have the latest versions of the software used, and that software could have known weaknesses. But if you go to the bank site after booting, there is no real possibility to get infected, as infections will disappear after closing down the system.
If paranoid enough, you could install a Linux OS used only for home banking. (Or, less secure, a separate profile.) You could even set the firewall to talk only with your bank. But banking sites are not really helpful for this. They sometimes are hosted elsewhere and the addresses come out of a big range, changing every time. T
What boggles my mind is these CDs require no password, access to everything ON THE HARD DRIVE … or wtf am I missing? What methods can be used to protect against live CD or USB?
If an attacker has physical access to your computer then your data will only be secure if it is robustly encrypted.
In days gone by, I believe it was possible to plug a USB stick into a “locked” Windows PC and have it autorun a program that would slurp up anything it found without having to unlock the PC.
Yep! That is why using a “rescue disc” is called “Nuking them from space”! Also a very effective way to remove the worst malware – that is – if said malware doesn’t boot first. Even some rescue CDs, which are also a bootable CD, of course, cannot remove all malware, every time. So I guess if you want to protect the hard drive while using a LiveCD, you need to ask a malware author how they do it. *snicker smirk* 😀
OT:
The Gentleperson’s Guide To Forum Spies
http://cryptome.org/2012/07/gent-forum-spies.htm
Another excellent article! Your service to the community is very worthwhile!
WOW — Was this a record response, or what!
The German magazine c’t created Surfix and Bankix, two specially tailored live CDs based on Ubuntu for secure surfing and banking.
Both have a modified Linux kernel, which is unable to write to hard disks, and get live security updates. Surfix comes with Chrome, Thunderbird, etc., and Bankix includes Hibiscus for HBCI and other online banking standards.
Surfix (German): http://www.heise.de/ct/projekte/c-t-Surfix-Sicher-im-Web-1380126.html
Bankix (German): http://www.heise.de/ct/projekte/Sicheres-Online-Banking-mit-Bankix-284099.html
I’ve found this RAM-only Linux very helpful. In fact it doesn’t even see the hard drive of the computer it’s booted into. Also very helpful for web surfing at hotels, though I’d still not log into anything that requires a username/password on a hotel Wi-Fi system.
More people are doing this, the only catch is that some banking sites and services like ShopSafe try to enforce using Internet Explorer.
p.s. great article Brian
Thanks for the hint about Puppy Linux Live CD. It installs very well and is very quick indeed, even on ancient hardware. Much easier than doing the usual Linux installation. It boots up very quickly after the initial startups. SeaMonkey is a decent web browser. I am delighted to have secure online banking for so little effort. Is one entitled to be a little complacent?
I use a Linux virtual machine w/Chrome and use that OS/browser ONLY for banking. Similar approach, with a bit more user-friendliness.
The problem with using a VM is that, if the host becomes compromised for any reason, malware can infect the VM. The VM’s “hard drive” is after all simply a file that the host can write to. There are programs to mount VM hard drives in the host OS, so it’s not difficult to mount the guest file system and inject files.
If you mix secure and insecure browsing on the same machine, use a VM for the insecure browsing. It’s harder to break out of VMs than into them.
This is a well thought out article that small and medium size business should take very seriously!
Another reason KrebsonSecurity is required reading for our staff and customers!
On Ubuntu’s site, just under the regular Desktop download link is the “Windows Installer” choice. This will easily install Ubuntu as a Windows boot manager option. It also becomes just an item in your Add / Remove Programs list, and doesn’t replace the Windows boot manager with its own, or require any special partition. It gives the full CPU to Linux when you boot into it (unlike a virtual machine), and is faster and easier than running from a CD.
I like the idea of a CD not being able to be modified by malware, but also like that a multiboot to Linux allows me to keep the software updated. I image the whole thing with Clonezilla for backup and I’m good to go.
Puppy Linux may be neat to put on a USB stick. I’ll check it out as a traveling option.
A few additional remarks to my previous ones: Java and Adobe Flash are not enabled, it appears (good thing). I prefer to give SeaMonkey a few tweaks in the privacy and security section, e.g. to restrict cookies to the originating web site, tighten up on validation of certificates, delete all data on exit and so forth.
One can believe that Puppy Linux has been developed precisely for the purpose that Brian is advocating.
Puppy Linux is well thought out and executed. I especially like the realistic ‘Woof!’ on startup. This is the star feature of Puppy Linux 🙂
I have another solution that people might like.
Tabula Rasa
Virtual Appliance for Safe and Secure Internet Browsing.
Ideal for Online Banking and other important activities. Tabula Rasa uses an “immutable” or “non-persistent” disk so that no changes are saved at shutdown and no malware or exploits can be used against the system from session-to-session.
You can download it from its project site: http://sourceforge.net/p/tabularasa/wiki/Home/
Brian,
I have used Puppy Linux for a few years now as it works wonders with older systems hardware.
Recently I made the USB stick for my laptop which is nicer to use than a live CD.
My question: Is it okay to save the session on the USB stick and then use that PupSave file when doing the banking. If not a person would have to press F2 and choose to bypass it by booting in RAM again.
Thanks!
@Dave: “Is it okay to save the session on the USB stick and then use that PupSave file when doing the banking.”
This may be an issue of disagreement.
Puppy, being Linux, is naturally resistant to malware, simply because the vast majority of malware is designed for Microsoft Windows. Malware designed for Windows which arrives on a Linux system is unlikely to run or infect. If that were all that mattered, we might as well install Linux to a hard-drive instead of a DVD.
But Linux malware does exist. Although encountering Linux malware is “unlikely,” if that does happen, it may well run. After malware has subverted the OS, reaching out to write to a hard-drive or a USB flash drive is trivial, and is just one more tiny storage blink. We will have no reason to know, or worry, because Linux infection is “unlikely.”
In contrast, it is “impossible” to write to a DVD which is not in the slot.
Personally, I bought several versions of USB flash with write-protect switches. They work. But one of the requirements for a secure system is an ability to update the browser, and browser security add-ons. So, sooner or later, we have to flip the switch, and then we are back to being a hard drive in a stick. As soon as the switch is flipped, we might as well have not bothered with write protect.
Unlikely versus Impossible: that is the USB versus the DVD. But I suggest that we cannot afford “unlikely,” because we have no tools which guarantee to find any resulting infection. So whatever low probability of Linux malware there is, the more often we use that system, the more likely it is that the system will be infected, and we cannot expect to know. This is, of course, why so many Microsoft Windows systems are in fact infected, and do not know.
I have an SD card with a switch which works in normal use; BUT I also have a program which writes to the card with the switch in the off position. I don’t know if the same can be done with a USB stick.
@Chris B: “I have a SD card with a switch which works in normal use; BUT I also have a program which writes to the card with the switch in the off position.”
Sadly, the SD write-protect “switch” is not a connection which works internally, but is instead just a plastic tab, like on floppy discs. It is a mechanical signal to the socket interface, which then does whatever it does. It may just be a “don’t write” signal to the file system, which a subverted and “owned” OS could ignore. Apparently, ordinary programs can ignore it as well.
I think the manufacturer gets to make or imply whatever claims they want, as long as in some configuration the switch “works” in some way. In practice, we may not have that configuration, and also may not know that we do not.
Some of the write-protected USB flashies may depend upon the OS to prevent writes. It is not clear to me exactly where the USB interface enforces “do not write.” I fear it is just a signal from the USB device to the file system. But the condition we seek to overcome is that the OS has been subverted and owned, which means it does not have to interpret that signal, so, no write-protect for you! Or any of us.
I’m just guessing of course, but I always assumed the write-protect USB sticks simply disabled one of the signal pins on the port circuit of the device itself. I really don’t know, but I’d think it would be considered negligent for an electronics engineer to ignore this design. I wouldn’t be surprised if many of the cheapie brands were simply a dummy switch.
Risks are becoming very low if you only visit the bank site in read-only mode and sometimes even the update site. With a firewall only allowing the known update sites, the malware would need to get into the system of the Linux distribution to get you infected.
You can safely use a hard drive and put a firewall to only talk to the bank site. Even with weaknesses, there is in practice no risk a not-updated system will be infected. Even an infected system should be able to change the firewall setting before it could communicate with a control center, which it would probably need to do before being able to do anything malicious. Every few years a new installation from CD should be very safe.
The system can even be updated with the files of the “normal” system without connecting it directly to the internet. Some care should be taken that the partition is not accessible during other sessions. (Encryption?)
As for anti-malware software on Linux, there are solutions. I happen to know ClamAV and the commercial but powerful FSAV.
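The "firewall that only talks to the bank site" idea raised in this comment and earlier in the thread can be made concrete with an egress policy for a dedicated banking system. The script below is an added example, not from any commenter: it generates iptables OUTPUT rules that allow loopback, DNS to one resolver, and TCP 443 to an explicit list of bank addresses, and drops (and logs) everything else. It prints the commands instead of running them so the policy can be reviewed before it is applied as root; the addresses used are constructed placeholders, and `resolve_bank` (which uses `getent` from glibc) exists because, as the thread notes, the bank's addresses change, so they should be looked up fresh at each boot.

```shell
#!/bin/sh
# Added example (not from the post or its commenters): egress firewall for a
# system used only for online banking. gen_rules emits iptables commands;
# nothing is applied until apply_rules pipes them to a root shell.
# Assumes iptables with the conntrack match (standard on Linux), and getent
# from glibc for name resolution. All addresses in comments are placeholders.

# gen_rules DNS_SERVER BANK_ADDR...
# Prints the rule set: default-deny on OUTPUT, then the few allowed paths.
gen_rules() {
    dns="$1"
    shift
    echo "iptables -P OUTPUT DROP"
    echo "iptables -F OUTPUT"
    # local traffic and replies to connections we already opened
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # name resolution, restricted to one resolver
    echo "iptables -A OUTPUT -d $dns -p udp --dport 53 -j ACCEPT"
    # HTTPS to each bank address only
    for addr in "$@"; do
        echo "iptables -A OUTPUT -d $addr -p tcp --dport 443 -j ACCEPT"
    done
    # log what gets blocked so a misbehaving process shows up in dmesg/syslog
    echo "iptables -A OUTPUT -j LOG --log-prefix 'bank-fw-drop: '"
    echo "iptables -A OUTPUT -j DROP"
}

# resolve_bank HOSTNAME
# Current IPv4 addresses of the bank site, deduplicated; run at each boot
# because the addresses a bank answers from change over time.
resolve_bank() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# apply_rules DNS_SERVER BANK_ADDR...   (run as root)
apply_rules() {
    gen_rules "$@" | sh
}

# Usage, with placeholder resolver and bank hostname:
#   apply_rules 192.0.2.53 $(resolve_bank bank.example)
```

The caveat from earlier in the thread still applies: a policy keyed on IP addresses only covers the addresses resolved at boot, so if the bank's site spans a large or changing range some pages may fail to load and the rules will need regenerating. The LOG rule is there precisely to make such failures, and any unexpected outbound attempt, visible rather than silent.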
But will this work with the systems running Windows 8, if Microsoft get their way with the UEFI (Unified Extensible Firmware Interface)?
As far as I’m concerned, it remains to be seen whether it is a security enhancement; I really wonder if it even replaces the BIOS very well.
As long as the optical drive is compatible with UEFI, there shouldn’t be any reason you couldn’t boot from any image in the tray.
@JCitizen: I don’t think your assumption that any image can be booted from a CD on a UEFI machine is right. As I understand it, if SecureBoot is enabled, the system will refuse to boot any image that is not signed with a known valid cryptographic signature. Microsoft’s currently stated requirements for x86 based machines to be certified for Windows 8 say that SecureBoot must be enabled, and Microsoft’s signing keys must be installed. They also say that there should be a way to bypass SecureBoot, but only for x86 machines.
I have a blog post that discusses this in more detail:
http://richg74.wordpress.com/2012/07/08/boot-up-blues-new-improved/
Thanks Rich:
The code word is “compatible”; my understanding is that when you start building from a mother board with this technology, everything added to it has to be compatible with it, including the operating system and drivers.
I’ll try to go to the link and read more when I get some more time.
Thanks! 🙂
The U.S. Air Force has a secure Linux boot CD (it is intended for all military branches but is offered to everyone as freeware). They state that writes to the hard drive are explicitly prevented (and of course the CD is not writeable).
Someone commented that the fact that you cannot update the browser is a security risk (and that is certainly true). However if you religiously reboot the PC with this CD before going to a banking site this does not seem like a big concern (especially if you periodically burn the latest version of the CD).
http://www.spi.dod.mil/lipose.htm
(Or google it)
The project from the Air Force was designed to be a platform for federal telecommuters, not for banking. As such it permits local network sharing, and includes Flash and media players, which are useful as a Windows replacement for telecommuters but not a great platform for banking. Also, the steps for producing the AF’s live USB are far too difficult for the typical PC user. Same problem with Puppy Linux.
Excellent article and for those desiring the convenience of USB flash, in a simple form, try Unetbootin:
http://unetbootin.sourceforge.net/
I’ve found this to be an extremely simple way of getting the convenience of a bootable USB with just about any distro on it.
I’ve used an Ubuntu Live CD for my banking for a few years, but based on Brian’s suggestion I decided to try a Slacko Puppy Live CD. At this point Puppy appears to load faster than Ubuntu v11.10. However, I found the process Puppy requires to mount and unlock my Ironkey is involved and required considerable experimentation (I use Ironkey for banking passwords and files). Mounting and unlocking Ironkey under Ubuntu is a quick and easy process.
Why isn’t anyone recommending a Google Chromebook/Chromebox?
Initial cost is higher than a Linux CD but it seems it’d be an ideal machine to use for online banking.
I agree – but cost is king, and even I haven’t been able to bring myself to buy one. I’d like to try it, but the price is going to have to go down, before I jump. If previous makers have been able to sell netbooks for 100 to under 300 dollars, then they can too! I’m just not willing to pay the price yet – I do recommend it as one of many alternatives to SMBs, though.
I’m holding out for a Chromiumbook so I don’t have to login to Google.
Even though there are already 100 posts I have to add :
Excellent, Brian !
You describe not only what should be done, but also how to do it.
Thanks Brian. I followed your excellently detailed instructions and successfully created the CD.
However, trying to then create it on the USB stick via the link provided wasn’t successful. Their instruction “1.Follow the onscreen instructions which will walk you through the Puppy USB installation process” is wildly optimistic. All sorts of options come up on the way which mean nothing to someone as ignorant as I am. The upshot was the files got on the USB but I couldn’t boot from it.
Guess I’ll stick with the CD…
If I’m not mistaken, you can buy “Puppy on a stick”(my term), from On-Disc ready made – very reasonable prices too, I thought.
Very useful article. I haven’t used the Puppy distro very much, but it appears well suited to this use, and works well even on older hardware.
How would this apply where you have a bank that requires a code number in your computer, that has selected that computer as authorized to do online banking?
Wouldn’t that create a problem if you’re using a Live CD?
@Jim: “How would this apply where you have a bank that requires a code number in your computer, that has selected that computer as authorized to do online banking?
Wouldn’t that create a problem if you’re using a Live CD?”
That should be one of the advantages of Puppy: Not all DVD-boot systems are the same. Only the Puppies, as far as I know, allow the DVD to save configurations and updates.
The way this happens is that Puppy creates a new “session” on the “multi-session” ISO DVD. The multisession format is not a different physical disc, but a format which is created when the ISO is laid down. I suppose there are ways to do this elsewhere, but the easiest is just to put Puppy on a disc by whatever means, then run that Puppy to use the BurnIso2cd system, which *will* create a multisession DVD.
The first execution of an ISO disc is detected, and at the end the user is asked whether to generate a save file or save to CD (or DVD). Choose the CD, and the CD is set up for saving. It is possible for this first save to fail. If so, go back as far as you need to start over. Once this disc gets set up, everything gets much easier.
Further executions of that same disc now show a Save button on the desktop. When you come to the end of a session, Puppy will ask if it should save to the CD, but I suggest that this answer always be No. Instead, before ending, if you have something to save, use the Save button, and after the Save process finishes, click on the optical drive icon to “mount” that drive. When the file display comes up, look for a directory whose name is the current date and time. If it exists, the save was successful. If not, try again.
Normal operation probably does not mean a Save. I may Save every few weeks or sometimes not for months, but then do try to get everything up to date. In normal operation you can just turn off the power and so avoid all the end-of-session OS questions and selections.
Optical drives simply are not as reliable as hard drives, mainly because hard drives are based on “sectors” which can easily be read and replaced if they fail. In contrast, optical storage is based on a single continuous track, like an old vinyl LP record, except that CDs and DVDs start from the inside. The point is that it is not easy to correct a data error on a DVD write, because that really means a complete re-try, not just a sector re-write. This storage delay and complexity is an optical advantage against malware, in that it reveals itself with sound and light blinks in human time. That is much different from the tiny blink of a malware hard drive infection.
While using a live CD for banking is an excellent idea, I don’t think a security oriented blog should be recommending Puppy Linux. Puppy runs everything as root, otherwise known as the DOS security model. It probably doesn’t matter much for this specific case. The problem arises when people come to like it and use it in situations where the poor security comes back to bite them.
Most Linux distributions have a much more sensible underlying security model and I believe that a security blog should be steering potential users to a more secure distribution.
Security is about trade-offs. The point of this tutorial is to help people who want to use a more secure approach. But the harder you make this process, the less likely it will be that people will actually do it.
One commenter above suggested using an ultra-hardened LiveCD distribution produced by the US Air Force, but the instructions are far more complicated. I chose puppy because I’ve seen too many other Live CD distros have problems with different types of hardware or require hard-to-remember cheat codes to work right, or don’t play nice with networking without some initial voodoo.
From “A Neutral Look at Linux Operating Systems”:
Puppy is a single-user system. That is, the user always has root privileges. This is the same poor security model that gets Windows 9x users in so much trouble.
A slightly more difficult distribution that also has low system requirements is Damn Small Linux. DSL has a better security model than Puppy.
“Puppy is a single-user system. That is, the user always has root privileges. This is the same poor security model that gets Windows 9x users in so much trouble.”
While the “root security model” can be useful for multi-user or multi-account systems (e.g., servers), that model may not apply to single-user PCs, and especially not to DVD-boot systems:
When a system has only one user, protecting that user is the most important task. Our issue is the user encountering malware, which then attacks the system. Those who abhor running as root are willing to accept the user losing everything, as long as the system is protected. But, in a single-user system, the system *is* the user, and any distinction is without difference. It is not a success to protect the system if the user is exposed or damaged.
In practice, user separation also does not help: privilege escalation attacks are common and continue despite repeated patching. Schemes to protect the system from user-level malware simply do not work, and experience implies they will never work. Operating systems are large and complex and always contain exploitable error.
In the particular case of DVD-boot systems, the situation is even clearer, because if the user has malware, protecting the system is irrelevant. Both the user and the system are cleaned at the same time by the same reboot.
Does not most PC hardware allow pressing F12 to choose boot device?
This would be easier than having to go through CMOS/BIOS setup.
You can create a bootable USB thumb drive using:
http://unetbootin.sourceforge.net/
which is unlikely to be infected and is easier to carry around for remote use: Just walk up to any nearby machine and boot to do your banking.
While less secure than RO media, this also has the advantage of allowing someone to store basic things like the URL of a bank in their browser.
@Steve Lembark: “Just walk up to any nearby machine and boot to do your banking.”
Booting your own OS does not protect against hardware key-loggers.
“While less secure than RO media, this also has the advantage of allowing someone to store basic things like the URL of a bank in their browser.”
Puppy Linux DOES allow the user to Save changed files BACK TO THE BOOT DVD. Upon reboot, the new files are copied to memory instead of the old ones. OF COURSE one can Save browser configurations.
The ease with which malware can change data in a USB flash drive should give everyone pause.
Why are we to assume that the source of the problem ALONE is Windows? Remember between your computer and the bank’s, a man in the middle could attack your traffic. And keyloggers can be inserted online.
@rino19ny: “Why are we to assume that the source of the problem ALONE is Windows?”
For the attacker, the greatest profit occurs when the most attack malwares get to their target, run, infect, and steal. As long as Microsoft Windows remains the largest platform, targeting anything else is a waste of effort.
“Remember between your computer and the bank’s, a man in the middle could attack your traffic.”
Secure Internet banking depends on SSL, which is almost universally in use. In general, SSL is very secure and does prevent man-in-the-middle attacks.
Unfortunately, a running bot can get at the conversation before encryption or after decryption and then send it off. So the user does need a clean system, despite the best cryptography.
“And keyloggers can be inserted online.”
“Keyloggers” are basically less-capable “bots.” We need ways to prevent, reject, or eliminate bots:
Prevent: Some forms of malware can be avoided with a firewall or anti-virus scans. Unfortunately, attackers have reacted by vastly increasing the numbers of malwares, by scanning malware before release to assure that it is not detected, and by “encrypting” malware infections with local keys. As a result, scanning is now largely ineffective.
Reject: For maximum profit, most malwares are written to run on the most common platform. While other platforms (Java, Android, plus popular applications) do begin to offer advantages, the largest by far is still Microsoft Windows. Simply using something other than the target platform generally causes attacks to fail.
Eliminate: A running bot places a remote bad actor in the machine where they can do anything at all. Any changes they make cannot be known, making guaranteed recovery impossible.
Prevent Infection: A bot can run malicious code without infecting a system. But the very point of a bot is to achieve infection and so run on future sessions.
Continued attempts to patch OS software and so prevent infection have been ineffective.
Malware infection can be prevented by booting from DVD. A USB flash drive is not a secure substitute.
I have yet to see a live CD that works on a wireless connection to let you contact the world wide web!
Regards,