Washington Post! Avoid Windows Malware: Bank on a Live CD



madhi19
October 13th, 2009, 07:06 PM
http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html

Wow!

aysiu
October 13th, 2009, 07:13 PM
It seems kind of annoying to reboot your computer every time you want to do online banking.

It'd make more sense to just have an active VirtualBox Ubuntu session you can switch to with one key click.

Actually, for Windows users, I'd just recommend creating a limited user account and using Firefox with NoScript.

pricetech
October 13th, 2009, 07:16 PM
Good advice, but I don't expect the average "Joe user" to be able to comprehend it.

I like Puppy Linux for live CD myself, though I haven't used it in a while.

NormanFLinux
October 13th, 2009, 07:17 PM
It's not a problem if you use a secured WLAN connection and have a firewall running. An anti-phishing filter should reveal whether you are really on your bank's web page.

madhi19
October 13th, 2009, 07:36 PM
It's good publicity for Ubuntu; the article is directed at small businesses that can't afford to risk anything. Personally I would recommend dual booting over a live CD because you don't have to pop a CD in or out.

NCLI
October 13th, 2009, 07:39 PM
It's not a problem if you use a secured WLAN connection and have a firewall running. An anti-phishing filter should reveal whether you are really on your bank's web page.
Read the article, this isn't about phishing. ;)

j.bell730
October 13th, 2009, 07:39 PM
Still, it's a surprising article from a Washington based newspaper.

madhi19
October 13th, 2009, 07:45 PM
Still, it's a surprising article from a Washington based newspaper.

Yeah, I wonder if it's web only or if they printed it?

Regenweald
October 13th, 2009, 07:46 PM
It seems kind of annoying to reboot your computer every time you want to do online banking.

It'd make more sense to just have an active VirtualBox Ubuntu session you can switch to with one key click.

Actually, for Windows users, I'd just recommend creating a limited user account and using Firefox with NoScript.

It's very kind of you to try to give a Windows alternative, but realistically, booting into a live CD is really no inconvenience at all when faced with having your life savings cleaned out, or your entire year's profits stolen.

Security and stability is the reason I came to Linux/Unix and it's the main reason that I will stay. Sure, FOSS can make you all warm and fuzzy inside, but hackers have to aim their sights at me specifically now. Not write some piece of **** code and then have some idiot forward it to me.

wilee-nilee
October 13th, 2009, 07:46 PM
It seems kind of annoying to reboot your computer every time you want to do online banking.

It'd make more sense to just have an active VirtualBox Ubuntu session you can switch to with one key click.

Actually, for Windows users, I'd just recommend creating a limited user account and using Firefox with NoScript.

This is good advice; personally I just don't do on-line banking, which makes it easiest to avoid problems.

Regenweald
October 13th, 2009, 07:49 PM
It's good publicity for Ubuntu; the article is directed at small businesses that can't afford to risk anything. Personally I would recommend dual booting over a live CD because you don't have to pop a CD in or out.

But then you still have to restart anyway and may possibly get into the habit of leaving valuable info on your machine. One suspect ppa could unravel it all. Then there is the eternal battle: physical access. The live cd with cookies turned off is a pure security option. No trace whatsoever.

Hyporeal
October 13th, 2009, 08:08 PM
Some have suggested virtualization, but it does little good if the host OS is insecure. The attacker can propagate malware to the virtual environment, infect the virtualization software, or simply probe the inputs and outputs of the system. Even a simple keylogger will not be hindered by virtualization.

A better approach would be to run the less secure OS within a virtual environment of a more secure OS, and do all banking from outside the virtual environment. Then the attacker has to target the secure OS (or the virtualization software) to get access.

Better still is the article's suggestion of using a live CD. The attacker either has to infect the computer within the session or somehow corrupt the CD image without being detected. These are significantly more difficult and costly attack vectors that would make you less of a target.

On the other hand, if the live CD is being created from one of the malware-infested computers then all bets are off. You'd better verify the CD on a secure computer.

aysiu
October 13th, 2009, 08:10 PM
It's very kind of you to try to give a Windows alternative, but realistically, booting into a live CD is really no inconvenience at all when faced with having your life savings cleaned out, or your entire year's profits stolen.

Security and stability is the reason I came to Linux/Unix and it's the main reason that I will stay. Sure, FOSS can make you all warm and fuzzy inside, but hackers have to aim their sights at me specifically now. Not write some piece of **** code and then have some idiot forward it to me.

If I'm on Windows with a limited user account and Firefox with NoScript, I don't see how a Linux live CD makes my chances any lower of having my life savings cleaned out.

If you're really that paranoid, don't use online banking at all. Just go to the bank yourself.


Still, it's a surprising article from a Washington based newspaper.

I was always under the impression The Washington Post is based out of Washington, D.C., and not Washington state.

aysiu
October 13th, 2009, 08:14 PM
Better still is the article's suggestion of using a live CD. The attacker either has to infect the computer within the session or somehow corrupt the CD image without being detected. These are significantly more difficult and costly attack vectors that would make you less of a target.

How is this "attacker" even getting in if all you're doing is visiting your bank's website? If your bank's web server is compromised, there are bigger problems you have than whether you use a live CD or a Windows installation to do your online banking.

If there were a way for an attacker to take advantage of this, though, she would just have to wait for this whole live-CD-for-online-banking phenomenon to become more popular and then take advantage of old Firefox cross-site scripting flaws. Yes, updated Firefoxes would have patched those, but people may be using older live CDs. Since the live CD will execute any sudo command without prompting for a password, your whole Windows installation is at the mercy of the attacker.

Again, this is all assuming the "attacker" actually has a way to attack.

-grubby
October 13th, 2009, 08:14 PM
I was always under the impression The Washington Post is based out of Washington, D.C., and not Washington state.

I love you.

I know I'm veering off topic here, but:

Seriously, what's up with people calling Washington D.C "Washington"? It's too long? "D.C" is much shorter and yet doesn't confuse.

j.bell730
October 13th, 2009, 08:17 PM
I was always under the impression The Washington Post is based out of Washington, D.C., and not Washington state.

Oh, you're right :eek:.

vinutux
October 13th, 2009, 08:19 PM
m.........ubuntu makes e-banking safer......!

SuperSonic4
October 13th, 2009, 08:28 PM
Going to the bank in person helps me

Hyporeal
October 13th, 2009, 08:48 PM
How is this "attacker" even getting in if all you're doing is visiting your bank's website? If your bank's web server is compromised, there are bigger problems you have than whether you use a live CD or a Windows installation to do your online banking.

I guess they'd have to exploit a security bug in the OS or the browser. It's significantly more difficult.

BigCityCat
October 13th, 2009, 09:14 PM
I know this article is about windows, but it seems some here are concerned about online banking with Linux? Should I be worried about banking with Linux?

Regenweald
October 13th, 2009, 10:09 PM
If I'm on Windows with a limited user account and Firefox with NoScript, I don't see how a Linux live CD makes my chances any lower of having my life savings cleaned out.

If you're really that paranoid, don't use online banking at all. Just go to the bank yourself.


Although I also dislike when overzealous users tout Linux as a cure-all. In this case it simply is. On the one hand, secure browsers (or so they say) such as Firefox, Opera and Chromium within a malware/rootkit ridden platform. On the other, a secure browser within a read-only FS where the only point of attack is capturing/intercepting the live session. If this habit was to be adopted, we would see a drastic drop in online banking fraud. Poor browsing habits notwithstanding.

Of course if this were to become widespread, we would see a drastic increase in 'newer! better! linux live cd's' with the malware built right in :) Human gullibility is what it is.

aysiu
October 13th, 2009, 10:46 PM
Although I also dislike when overzealous users tout Linux as a cure-all. In this case it simply is. On the one hand, secure browsers (or so they say) such as Firefox, Opera and Chromium within a malware/rootkit ridden platform.

How is a limited user account on Windows with NoScripted Firefox "malware/rootkit ridden"?


On the other, a secure browser within a read-only FS where the only point of attack is capturing/intercepting the live session. If this habit was to be adopted, we would see a drastic drop in online banking fraud. Poor browsing habits notwithstanding.

That live session, if compromised, is pretty bad. It can run sudo commands without authentication, and it can easily mount NTFS drives as read/write.


Of course if this were to become widespread, we would see a drastic increase in 'newer! better! linux live cd's' with the malware built right in :) Human gullibility is what it is.

Or, worse yet, people using old Linux live CDs with insecure (unpatched for vulnerabilities) versions of Firefox on them.

solitaire
October 13th, 2009, 10:58 PM
A good majority of people who have suffered this type of attack are those that can't help clicking those "Wow_this_is_a_great_pic.jpg.exe" files they get by email!

It's not the bank or the website that's infected, it's the user's machine and the Trojan is sitting there waiting for any passwords to be typed in (so they get thousands of people infected with the Trojan but it only takes one or two of those infected to use on-line banking for them to profit)

aysiu
October 13th, 2009, 11:14 PM
A good majority of people who have suffered this type of attack are those that can't help clicking those "Wow_this_is_a_great_pic.jpg.exe" files they get by email!

It's not the bank or the website that's infected, it's the user's machine and the Trojan is sitting there waiting for any passwords to be typed in (so they get thousands of people infected with the Trojan but it only takes one or two of those infected to use on-line banking for them to profit)
I agree. I love live CDs, but I'm not seeing why this is such great advice.

Basically, here are the ways your online banking experience can be compromised:
1) You click on a phishing link or mistype your bank's proper URL
2) Your computer is compromised and thus you have a keylogger or DNS poisoning or some other problem that has nothing to do directly with your bank
3) Your bank's website is compromised
4) There is some kind of buffer overflow or cross-site scripting vulnerability in your web browser that can steal your banking credentials while you have some other tab or other web browser open

If you're the type of person to fall for phishing scams, you'll do that on live CDs also. That's a social engineering problem, not a technology problem.

If your computer is compromised, a live CD may help you in the short term for one particular task, but every time you boot into Windows, your privacy and security are over. Might as well reinstall Windows.

If your bank's website is compromised, then it doesn't matter how you access that site.

For browser flaws, actually a live CD may be a bad idea, because it may have an older version of Firefox that still has those flaws unpatched.

fela
October 13th, 2009, 11:17 PM
Maybe they could just ditch windows seeing as using an alternative OS fixes all their problems?

KiwiNZ
October 13th, 2009, 11:26 PM
When doing my online Banking and other accounting I have a unique profile I use for this that is very locked down.

Skripka
October 13th, 2009, 11:41 PM
I can name MANY (large) banks/financial institutions that have websites that only run under Internet Explorer.

skillllllz
October 14th, 2009, 12:01 AM
Some have suggested virtualization, but it does little good if the host OS is insecure. The attacker can propagate malware to the virtual environment, infect the virtualization software, or simply probe the inputs and outputs of the system. Even a simple keylogger will not be hindered by virtualization.

A better approach would be to run the less secure OS within a virtual environment of a more secure OS, and do all banking from outside the virtual environment. Then the attacker has to target the secure OS (or the virtualization software) to get access.

Better still is the article's suggestion of using a live CD. The attacker either has to infect the computer within the session or somehow corrupt the CD image without being detected. These are significantly more difficult and costly attack vectors that would make you less of a target.

On the other hand, if the live CD is being created from one of the malware-infested computers then all bets are off. You'd better verify the CD on a secure computer.

+1

solitaire
October 14th, 2009, 12:11 AM
in most cases people find it too much bother to go to the trouble of installing a virtual OS (even though it saves time in the long run)

To some people it's easier to stick in a CD and reboot

As to why use a "liveCD".. easy:

It's a 'known quantity' a 'safe state of operation'. Since it's on CD it can't be changed or tampered with easily, you know what you have is exactly the same between the very first time you used it and the last. There are no lingering programs or scripts from previous uses to contaminate the system and if you DO for some reason get a trojan, virus or browser based exploit, once you shut down it's gone forever! You're clean the next time you use the LiveCD.

That's why it's safer

But saying that, everyone has their own ideas as to what is easier ^_^

peace!

einfeldt
October 14th, 2009, 12:19 AM
Washington Post columnist Brian Krebs recommends that banking customers consider using a Ubuntu Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses which lost $100,000 USD and $447,000 USD, respectively, when the thieves - armed with malware on the company controller's PC - were able to intercept one of those codes when the controller tried to log in, and then delay the controller from logging in. Krebs notes that The Financial Services Information Sharing and Analysis Center (FS-ISAC) - an industry group supported by some of the world's largest banks - recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened and completely locked down computer system from where regular e-mail and Web browsing is not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting Ubuntu LiveCDs to do their on-line banking.

The link to the first column is here:

http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html

Here is a compressed URL for that same story:

http://bit.ly/Gwulm

The link to the second column is here:

http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html

Here is the compressed URL for that second story:

http://is.gd/4ieV7

einfeldt
October 14th, 2009, 12:21 AM
Oops, I forgot to subscribe to posts to this thread.

HappyFeet
October 14th, 2009, 12:23 AM
If you're really that paranoid, don't use online banking at all. Just go to the bank yourself.

Um, when you go to the bank to do your transactions, the teller uses the same secure connection to the main server that you access from home. There is no difference. You are no more secure going to the bank.

Regenweald
October 14th, 2009, 12:42 AM
How is a limited user account on Windows with NoScripted Firefox "malware/rootkit ridden"?

That live session, if compromised, is pretty bad. It can run sudo commands without authentication, and it can easily mount NTFS drives as read/write.

Or, worse yet, people using old Linux live CDs with insecure (unpatched for vulnerabilities) versions of Firefox on them.

All points well taken, but remember aysiu the intended audience for this new banking habit is not typically the user that is going to have, let alone know how to set up nor deal with the inconveniences of a limited user account.

Why go through the trouble of *properly* creating a limited account when I can just pop a CD in a few times monthly and bank? There are a lot of ifs, buts and maybes, but this could and would help a lot of people.

LinuxFox
October 14th, 2009, 01:23 AM
Wow is right, a newspaper actually suggesting a Live CD for banking. It might be annoying to reboot every time to bank, but who knows, maybe it might make the person doing online banking curious about Linux and play around with it in addition to banking.

davidshere
October 14th, 2009, 02:15 PM
The live cd with cookies turned off is a pure security option. No trace whatsoever.
I considered the live CD to be just that... until I realized that the hard drive is mounted, in read/write mode, automatically. I know I can unmount it, but the Average Joe doesn't. If the hard drive is still writable, it would seem quite possible for an application to leave behind some traces. It might be unlikely, but still possible.

I use the Jaunty live CD on my Dell Latitude E5500.


... guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened and completely locked down computer system from where regular e-mail and Web browsing is not possible.'

Ubuntu Live CD doesn't satisfy this condition. It's certainly not "completely locked down", since root commands are possible without authentication, as mentioned earlier. In addition, "regular" email (whatever that is) and web browsing are also possible.
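
The concern raised in the post above (internal disks left writable during a live session) can be checked from inside the session. As an added example that is not part of the original thread, this shell function reads mount-table lines in /proc/mounts format on standard input and reports internal disk partitions that are mounted read-write; the sample table, device names and mount points are constructed for illustration.

```shell
#!/bin/sh
# Report local disk partitions that are mounted read-write.
# Reads lines in /proc/mounts format on stdin:
#   device mountpoint fstype options dump pass
# Real use inside a live session:  rw_disk_mounts < /proc/mounts

rw_disk_mounts() {
    while read -r dev mnt fstype opts _rest; do
        # Only real disk block devices; this skips tmpfs, proc, sysfs,
        # union/overlay layers, loop devices and the optical drive (/dev/sr*).
        case "$dev" in
            /dev/sd*|/dev/hd*|/dev/nvme*|/dev/mmcblk*|/dev/mapper/*) ;;
            *) continue ;;
        esac
        # Skip file systems that are read-only by design (the live medium).
        case "$fstype" in
            squashfs|iso9660|udf) continue ;;
        esac
        # Options are comma-separated; match an exact "rw" entry so that
        # values such as "errors=remount-ro" are not misread.
        case ",$opts," in
            *,rw,*) printf '%s %s %s\n' "$dev" "$mnt" "$fstype" ;;
        esac
    done
}

# Constructed sample of a live-session mount table. NTFS volumes mounted
# through ntfs-3g appear with the file system type "fuseblk".
sample_mounts() {
    cat <<'EOF'
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
aufs / aufs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /media/disk fuseblk rw,nosuid,nodev,allow_other,blksize=4096 0 0
/dev/sda2 /media/recovery fuseblk ro,nosuid,nodev 0 0
EOF
}

# Demo on the constructed sample: prints the one writable internal partition.
sample_mounts | rw_disk_mounts
```

Any line this prints is a partition that software running in the live session could write to; unmounting it before banking removes that path.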

Swagman
October 14th, 2009, 03:31 PM
Old news Rox

even older.....

http://www.itnews.com.au/News/157767,nsw-police-dont-use-windows-for-internet-banking.aspx

afeasfaerw23231233
October 14th, 2009, 06:30 PM
It seems kind of annoying to reboot your computer every time you want to do online banking.

It'd make more sense to just have an active VirtualBox Ubuntu session you can switch to with one key click.

Actually, for Windows users, I'd just recommend creating a limited user account and using Firefox with NoScript.

If a keylogger was installed on a MS machine, would booting an Ubuntu by VirtualBox avoid the password being stolen?

aysiu
October 14th, 2009, 06:36 PM
If a keylogger was installed on a MS machine, would booting an Ubuntu by VirtualBox avoid the password being stolen?
If a keylogger is installed on the Windows machine, then reinstall Windows.

If you're using a limited user account, as you should be, it's highly unlikely a keylogger is installed, but if it were, you could just create a new account and delete your old one (a lot faster than reinstalling Windows).

Better to prevent a security breach in the first place than try to employ workarounds once you're compromised.

Dr. C
October 14th, 2009, 10:24 PM
If a keylogger is installed on the Windows machine, then reinstall Windows.

If you're using a limited user account, as you should be, it's highly unlikely a keylogger is installed, but if it were, you could just create a new account and delete your old one (a lot faster than reinstalling Windows).

Better to prevent a security breach in the first place than try to employ workarounds once you're compromised.

While properly securing the Windows is the preferred option, how many Windows users know how to properly lock down a Windows system?

Booting a Live GNU / linux CD is a simple and practical option for many unsophisticated Windows users. All they have to do to be safe is
1) Use a Live CD from a trusted source
2) Only use the live CD to visit their bank's site and reboot if they visit any other site
3) Properly verify the Bank's SSL certificate.
Even if the live CD is old and has a vulnerability, how can that vulnerability be exploited?

xpod
October 15th, 2009, 02:02 PM
While properly securing the Windows is the preferred option, how many Windows users know how to properly lock down a Windows system?

Booting a Live GNU / linux CD is a simple and practical option for many unsophisticated Windows users. All they have to do to be safe is
1) Use a Live CD from a trusted source
2) Only use the live CD to visit their bank's site and reboot if they visit any other site
3) Properly verify the Bank's SSL certificate.
Even if the live CD is old and has a vulnerability, how can that vulnerability be exploited?

How many know how to find, download, burn then use a Linux live cd?

Hallvor
October 15th, 2009, 02:17 PM
Even if the live CD is old and has a vulnerability, how can that vulnerability be exploited?

As the user boots up, he is not vulnerable unless there is some gaping hole in the network stack, and there have not been many relevant ones in that category in the last 10 years.

Then the user opens his old browser with many security holes and goes to www.hisbankontheinternet.com. He is still not vulnerable unless the bank's website is cracked or the live CD has a vulnerability when it comes to resolving DNS or similar. Of course there is always the possibility of a man-in-the-middle attack, but that is what encryption is for.

Automounting of disks does not make one more vulnerable to attack, since mounting of disks is as easy as eating breakfast for a cracker who controls your system.

pwnst*r
October 15th, 2009, 02:20 PM
Maybe they could just ditch windows seeing as using an alternative OS fixes all their problems?

lol, this is funny stuff.

Skripka
October 15th, 2009, 03:48 PM
How many know how to find, download, burn then use a Linux live cd?

Zing!

donato roque
October 15th, 2009, 03:56 PM
I think what this is about is the main stream tech media growing "balls" to tell the emperor HE'S NAKED.

Dr. C
October 15th, 2009, 04:01 PM
How many know how to find, download, burn then use a Linux live cd?

What would prevent a bank from distributing a GNU / Linux live CD to its customers as a security measure?

newbie2
October 15th, 2009, 04:21 PM
What would prevent a bank from distributing a GNU / Linux live CD to its customers as a security measure?
:idea: great idea.... I'll post an email to 'headquarter' of my bank with those links (washingtonpost/zdnet) and the idea of yours...;)

xpod
October 16th, 2009, 11:24 AM
Zing!

Never heard of him. :-k


What would prevent a bank from distributing a GNU / Linux live CD to its customers as a security measure?

££££££££££...just for starters.
It would probably make another great source of income for them in fact because you can rest assured that all costs involved, and then some, would be passed on to you the customer.

solitaire
October 17th, 2009, 02:36 AM
Never heard of him. :-k



££££££££££...just for starters.
It would probably make another great source of income for them in fact because you can rest assured that all costs involved, and then some, would be passed on to you the customer.

Not really! it might actually SAVE! the banks money (less fraud for a start).

Also not sure about US banks but in the UK some banks give their Internet users cheap Anti-Virus Subscription (Usually McAfee or Symantec you know the ones!).

The cost of getting Canonical to make up a custom LTS version with their banking links (or a version that Canonical can create so that any bank can add their banking links to an image before burning) would be minimal compared to the cost of them getting the subsidised Anti-Virus deal with the AV Vendors. Then the banks (or Canonical's Ship'it) can burn off 1,000's of them cheaply; also, since the actual cost of posting a CD is the same as the business class letters they usually send out, it would have minimal impact on their Promotional cost.

Simples ^_^

earthpigg
October 17th, 2009, 03:09 AM
i made a post in the comments section of that article.



Security Fix
Brian Krebs on computer and Internet security
Thank you for commenting.

Your comment has been received and held for approval by the blog owner.

Return to the original entry.

here is what i submitted:

Hi,

I'm a Linux user, and I created this account specifically to post some additional information and maybe clear up some misconceptions.

A *LOT* of links follow. To avoid information overload, feel free to pick and choose the ones that interest you, and go from there.

This is the standard catch-all *very* in depth link that goes over the primary differences between Linux and Windows:
http://linux.oneandoneis2.org/LNW.htm

Now that that is done,

Puppy Linux is indeed a great distribution, but by-and-far the two most well regarded Linux Distributions from an "easy to use" point of view (assuming you have a PC built in the last 7 years or so) are Ubuntu and Linux Mint.

http://www.ubuntu.com/
http://linuxmint.com/

Both can do everything described in this article from a Live CD.

Here is an outstanding tutorial on how to go about "Getting Ubuntu up and Running" that will apply exactly the same to Linux Mint and Ubuntu:

http://www.psychocats.net/ubuntu/getting

The commercial South African company behind Ubuntu will even mail you a Live CD for 100% free... you don't even need to pay for shipping!

here is the website:
https://shipit.ubuntu.com/

For people that want to peruse responses from actual day-to-day Linux users wherein the merits and flaws of this article are examined by many technically oriented people, take a look here:

http://ubuntuforums.org/showthread.php?t=1290400


For the poster above me that had problems getting his wireless to work, please take a look here:
https://wiki.ubuntu.com/HardwareSupport/


For anyone having *any* problems with Linux, consider that Linux has a *community* that loves helping folks out - even if all you want to do is use a Live CD for online banking:

1) Find a local Linux Users Group. http://www.linux.org/groups/usa/

2) Find the online discussion forum for your chosen distribution. I will link to Ubuntu's, but virtually every distribution has something very similar to this: http://ubuntuforums.org/

And, for a list of Linux Distributions, we have wikipedia:
http://en.wikipedia.org/wiki/List_of_Linux_distributions


Enjoy, and happy banking,

earthpig
Creator and Maintainer of Masonux ( http://sites.google.com/site/masonux/ )

Frak
October 17th, 2009, 03:13 AM
How many know how to find, download, burn then use a Linux live cd?
+9001

Grant A.
October 17th, 2009, 03:19 AM
+9001

it's over nine thousand!!!!!!!!!!!!!

Frak
October 17th, 2009, 03:22 AM
it's over nine thousand!!!!!!!!!!!!!
Good call.

pwnst*r
October 17th, 2009, 03:48 AM
Old news Rox

even older.....

http://www.itnews.com.au/News/157767,nsw-police-dont-use-windows-for-internet-banking.aspx

suggesting the iphone. lol!!!