Latest trend - Linux Boot CDs for Online Banking

kman
Newbie
Joined: 05/15/2009

I posted this on the Pauldotcom mailing list and was also interested in what you guys think about this too.

Seems that a few people in the public arena have started spreading the word that using a Linux Boot CD is the most secure way to do Internet Banking now :-0

Not just one source either:
http://www.itnews.com.au/News/157767,nsw-police-dont-use-windows-for-int...
http://blogs.zdnet.com/hardware/?p=5813&tag=nl.e589
http://blogs.techrepublic.com.com/security/?p=2492&tag=nl.e036
http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malwa...
http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_lock...
http://sunbeltblog.blogspot.com/2009/10/erosion-of-trust-for-online-bank...

Am I right in saying this is actually a bad thing?

I've listened to Paul and the gang go on about how using live CDs such as BackTrack and so forth is a bad thing due to components being out of date and vulnerable - use them in a test network for research and education.

So imagine people doing this and not updating the live CD for say 6 months or never and suppose they leave the thing running for a week or even worse all the time. In addition this does not mitigate against DNS spoofing, browser XSS and so forth, right?

What do you guys think about this latest trend and what do you think the risks really are with this scenario?

Patrick Gray
Veteran Member
Blogger, Netcaster, Site Owner
Joined: 03/02/2009
I think it's a bad idea, but for different reasons...

I think it's a great idea if you know how to configure your system to boot off read only media and get online, but really, if you know how to do that you're not likely to get hit anyway.

That said, the idea, fundamentally, is solid.

If you're loading up from read only media like a CD/DVD every time, who cares if it's vulnerable? The sort of people who are security conscious enough to do this won't leave a bootable image running in memory for a week... besides, if you're flushing malware every seven days you're way ahead of the pack.

That's not my concern... but let's think about how you'd expand on the concept.

Let's extend this idea and think about whether it would work on a larger scale -- what if the banks sent customers an online-banking OS on a disc?

It would be possible to lock the browser to only be usable on the bank's website... in fact, why would you even need a browser? Why not just have a custom online banking app? How would you infect that OS if that's ALL it can do? Making any badware persistent would be more or less impossible, so this would certainly give users a security boost. (Unless, of course, you managed to do nasty things at a firmware level...)

This idea is by no means foolproof, but would really give customers a better level of protection.

But it's still an awful concept that will never happen, for good reason. Can you imagine how many users will be ringing up the bank and asking why their CD isn't booting? Helpdesks will be flooded with calls... "How do I change the boot order? It installs but I can't get network connectivity!!!" etc etc.

And if the user is running their PPPoE client (or equivalent) on their actual desktop, then it will be a dead-set pain in the ass to get working.

So while Detective Inspector Bruce Van der Graaf (who is, apparently, a talented amateur opera singer... no shit) is happy to play around with CD-bootable operating systems, if you try to expand this out to the general population it's a disaster.

Think of the NAB Internet banking login JavaScript keyboard thingy -- you have to click your password in.

They had that on their site back in the late 90s (or early naughties) and wound up removing it for a long time because when customers' browsers flunked out their helpdesk would ring. They were spending more on support than they were losing (back then) on online banking fraud.

Even if you did get this bootable media thing happening, the bad guys would figure ways around it... think of a Blue Pill style of Hypervisor malware that boots first off your HDD, loads a keylogger, then looks for a CD. If it finds one, it boots it into the VM. (This is just the first way around it that I can think of.)

Don't even get me started on the whole "don't use Microsoft" argument. Sheesh. If we were all using Ubuntu, guess which platform the malware would be running on... FFS...

changlinn
Off to a start
Joined: 03/23/2009
First I must say I am a big Linux/Ubuntu fan boi, but I agree somewhat. If everyone used Linux, Linux would be where the viruses are, albeit the architecture is more solid and security more ingrained, there are still holes.

You could just use something like Microsoft's SteadyState: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default...

It basically allows you to snapshot your OS, so you could revert to this snapshot and do your banking, then revert to another you store somewhere.

I don't mind the dedicated OS for the bank idea but it is just not feasible, it is too much work to what everyone has become used to being easy.

Personally I run specific lockdowns on any OS I run which would complicate things for malware and malicious code.

In Windows this involves complex local software policies that basically whitelist applications that I know are good, and also allow my computer to only access sites via a proxy server, so no direct IP. Of course it is not going to stop proxy-aware malware that I have whitelisted but that would be difficult. I also use different browsers for different tasks, Firefox with NoScript is good for most sites (stops XSS, malicious JavaScript etc). But I also use a different browser with reduced rights (Microsoft's dropped rights is useful for that) for bank and work stuff.
Same with Linux, non-executable /home /tmp /etc solves most malicious code that hasn't been given super user access.

It is still always going to come back to usability versus security, my systems are not easy enough to use for the average user, they can't just sit down and install the smiley toolbar they want. They can't even if they learn how to whitelist an install file, work out why then the install file extracts another install executable and another then runs them from an arbitrary location, which fails due to rights or policy. People are always going to go the easier route if the risk is negligible and it is getting negligible now, with current systems even with Windows.

--
"Put me here and I am all yours, not for the money and not for the applause", Melanie Safka
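
An added example, not part of the thread: one way to audit the non-executable /home, /tmp and /etc lockdown mentioned in the last post. A `noexec` option only applies per mount, so a directory that is not its own mount point inherits the options of the filesystem above it. The sample mount table, the extra paths `/var/tmp` and `/dev/shm`, and all function names are constructed for illustration.

```python
import os

# Constructed sample in /proc/mounts format: device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Return {mount_point: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        # /proc/mounts escapes spaces in mount points as \040
        mount_point = fields[1].replace("\\040", " ")
        # A later entry for the same mount point is an over-mount and wins.
        mounts[mount_point] = set(fields[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Return the longest mount point that contains path, or None."""
    path = os.path.normpath(path)
    best = None
    for mp in mounts:
        # Match on whole path components so /home does not cover /homework.
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def audit_noexec(paths, mounts):
    """Map each path to (covering mount point, True if that mount is noexec)."""
    results = {}
    for path in paths:
        mp = covering_mount(path, mounts)
        results[path] = (mp, mp is not None and "noexec" in mounts[mp])
    return results

if __name__ == "__main__":
    with open("/proc/mounts") as fh:  # live mount table on a Linux host
        live = parse_mounts(fh.read())
    for p, (mp, ok) in audit_noexec(["/home", "/tmp", "/etc", "/var/tmp", "/dev/shm"], live).items():
        print(f"{p:10} on {mp!s:10} {'noexec' if ok else 'EXEC ALLOWED'}")
```

On the constructed sample, `/etc` and `/var/tmp` fall through to the root filesystem and `/dev/shm` is mounted without `noexec`, so all three still allow execution even though `/home` and `/tmp` are locked down.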
