Washington Post Says Use Linux To Avoid Bank Fraud

kdawson posted about 5 years ago | from the just-common-sense dept.

Security 422

christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."

What about the banks? (5, Insightful)

Profane MuthaFucka (574406) | about 5 years ago | (#29740385)

A little two factor authentication would be nice to see in American banks. Passwords just aren't adequate any more.

Re:What about the banks? (2, Interesting)

Shakrai (717556) | about 5 years ago | (#29740441)

And asking me for my Mother's maiden name is really that much better? Or how about showing me an image that I picked out but will soon ignore after seeing that it never changes?

I like the security token [wikipedia.org] concept myself. It doesn't rely on easy to figure out (Mother's maiden name, hospital you were born at, etc.) information and is easy enough that most lusers can figure it out quickly. I don't understand why more financial institutions haven't adopted them.

Re:What about the banks? (2, Insightful)

AvitarX (172628) | about 5 years ago | (#29740485)

Countrywide had a nice system.

I had to enter my user name, and then the password screen came up, I would type in my password, and then click on one of about 40 images on the screen.

I had to click the one that was my image (this was rather than a sign in button).

Also, I think a security token can count as a second factor of authentication, and I agree on security questions, never help at all, and often I can't find options with an obvious answer (for myself).

Re:What about the banks? (4, Insightful)

FooAtWFU (699187) | about 5 years ago | (#29740491)

Security tokens are the second factor in two-factor authentication. The banks are just convinced that another-password is good enough, mostly because it's cheaper than doing it right.

Re:What about the banks? (3, Insightful)

greenbird (859670) | about 5 years ago | (#29740695)

mostly because it's cheaper than doing it right.

Of course it's cheaper than doing it right. They've managed to twist bank robbery due to their lack of adequate security into identity theft that they blame on the costumer and force the costumer to suffer all the financial consequences. It's the perfect scam. If you walk into the bank with a fake id and steal money it's never been blamed on the costumer.

Re:What about the banks? (1)

Gerzel (240421) | about 5 years ago | (#29740781)

No I'm pretty sure they'd call that Identity theft now too. Great way to shirk off responsibility while still charging for that same responsibility.

Re:What about the banks? (3, Funny)

Inner_Child (946194) | about 5 years ago | (#29740925)

What in the holy hell do people who make costumes have to do with any of this? I would be more concerned about the banks blaming things on their customers.

Re:What about the banks? (4, Informative)

schon (31600) | about 5 years ago | (#29740895)

And asking me for my Mother's maiden name is really that much better? Or how about showing me an image that I picked out but will soon ignore after seeing that it never changes?

Those are both the same factor, just like a user's password.

Security factors are

  1. something you know
  2. something you have
  3. something you are

In order to qualify as "two factor", you must have two of those (no, having two of the same factor doesn't count.)

So passwords, personal question, and favourite image are all examples of "something you know", and don't represent two-factor authentication.

The Security-token would be an example of "something you have", and thus combining them with a password would be two-factor authentication.

Re:What about the banks? (1)

AuMatar (183847) | about 5 years ago | (#29740921)

This has always struck me as a silly way to look at things.

Something you know- a piece of information shared between you and the bank
Something you have- whether it's an old school trick like a signet ring or a new fangled device that uses a hidden key to generate a random number, it's still just a second piece of information that's shared between the two of you.
Something you are- whether it's a strand of DNA or a retinal scan, it's still just a piece of information shared between the two of you, except this one can't be changed.

It's all information. Some are slightly harder to get at, but not all that hard. If someone puts a gun to my head, they can have my keychain fob as well as my password, and a sample of DNA. And unless you're physically going to take those things yourself (ie walk into a bank), it's still going to be condensed into binary and sent over the internet. I see minimal to no improved security from them over a second password.

Re:What about the banks? (5, Insightful)

nmb3000 (741169) | about 5 years ago | (#29740487)

A little two factor authentication would be nice to see in American banks. Passwords just aren't adequate any more.

And how would an n-factor authentication scheme help when software on your computer is logging keystrokes, mouse gestures, and capturing images of your screen and then sending them near realtime to the bad guys?

If your computer has been compromised in this fashion, you've already lost. For you car enthusiasts, it's like adding additional locks to the car doors -- it doesn't help if the windows (haha) are already broken.

Re:What about the banks? (0)

Anonymous Coward | about 5 years ago | (#29740547)

I liked your ... windows (haha) ... comment, but ... what if the one part in n-factor is onetime token (like securID and similar ones) ... ... just a thought, just a thought

Re:What about the banks? (2, Funny)

Shakrai (717556) | about 5 years ago | (#29740549)

If your computer has been compromised in this fashion, you've already lost. For you car enthusiasts, it's like adding additional locks to the car doors -- it doesn't help if the windows (haha) are already broken.

What's the computer equivalent of the "This car protected by Smith & Wesson" bumper sticker?

Re:What about the banks? (3, Funny)

Tynin (634655) | about 5 years ago | (#29740591)

What's the computer equivalent of the "This car protected by Smith & Wesson" bumper sticker?

This computer is protected by retaliatory DoS attacks? I guess that is the best we can hope for until we work out a better implementation of PoIP (Punched over Internet Protocol).

Re:What about the banks? (0)

Anonymous Coward | about 5 years ago | (#29740675)

[SA]HatFullOfHollow would be proud.

Re:What about the banks? (1, Insightful)

Evil Shabazz (937088) | about 5 years ago | (#29740755)

If your computer has been compromised in this fashion, you've already lost. For you car enthusiasts, it's like adding additional locks to the car doors -- it doesn't help if the windows (haha) are already broken.

What's the computer equivalent of the "This car protected by Smith & Wesson" bumper sticker?

A Penguin.

Seriously. Because it doesn't matter what OS the computer is running, no matter how badass its security model is, when you have PHB's at the keyboard. Same for the Smith & Wesson: no matter how badass the gun is, that security is only as good as the guy with his finger on the trigger.

Re:What about the banks? (3, Funny)

JumpDrive (1437895) | about 5 years ago | (#29740883)

"This computer runs Windows 7"
The most secure operating system yet.
And it will stay that way, Mr Ballmer, as long as you don't release it.

Re:What about the banks? (5, Interesting)

Cousarr (1117563) | about 5 years ago | (#29740659)

You realize that the way two factor security is supposed to work is that it requires you to know something and have something right? The way that two factor security is usually done from what I've seen is requiring a password that the client knows and a rolling code from a small device the client has. As long as a bank does not allow that same rolling code to be used twice it doesn't matter what kind of keystroke logging, mouse gesture capturing, or screen recording is used nor how fast it is sent to the bad guys.

For you car enthusiasts, it's like taking the engine with you when you leave the car. Even if the car is hot-wired, it's not going anywhere without that thing you still have.

Re:What about the banks? (4, Insightful)

DarkFencer (260473) | about 5 years ago | (#29740739)

Though I agree two factor authentication is useful, the 'taking the engine' analogy overestimates the difficulty of breaking through it.

All the scammers have to do is instead of recording your keystrokes, gesturing, etc., they display a 'fake' copy of the bank to you through whatever software they have installed on your computer. They take the information you think you are sending to your bank (but are sending to them instead) and instantly have their scripts login to the site from their own systems (or some other bot on the net).

If they prevent your initial login to the site from happening, they can use your username + password + rolling code themselves if their software auto logs in.

This of course requires a user to go to a phishing site (miscellaneous.scammersite.com or something more complex), or requires the phisher to own the user's computer enough that they can intercept their connections & deal with the SSL certificate issues while the phisher's automated software automatically goes to the real miscellaneousbank.com site.

Re:What about the banks? (0, Redundant)

Thinboy00 (1190815) | about 5 years ago | (#29740715)

A little two factor authentication would be nice to see in American banks. Passwords just aren't adequate any more.

And how would an n-factor authentication scheme help when software on your computer is logging keystrokes, mouse gestures, and capturing images of your screen and then sending them near realtime to the bad guys?

If your computer has been compromised in this fashion, you've already lost. For you car enthusiasts, it's like adding additional locks to the car doors -- it doesn't help if the windows (haha) are already broken.

What if the token in question is a dongle? It could easily (these days) have several gigabytes of crypto, which you could use as a one-time pad or something... That's a lot of data to log/sniff...

Re:What about the banks? (5, Informative)

some_guy_88 (1306769) | about 5 years ago | (#29740737)

The Commonwealth bank in Australia (and probably many others) sends you a random code via SMS to your phone that you have to type back in to the site in order to transfer money to an account you've never transferred to before.

Re:What about the banks? (4, Interesting)

trawg (308495) | about 5 years ago | (#29740747)

And how would an n-factor authentication scheme help when software on your computer is logging keystrokes, mouse gestures, and capturing images of your screen and then sending them near realtime to the bad guys?

The way it works here with some banks in Australia is they send you a code via SMS when you try to issue a transfer from Internet banking. You need to enter the code into the website to continue the transaction. So the extra factor here of having the phone offers a pretty useful extra layer.

My bank doesn't offer it; I wish it did.

Re:What about the banks? (1, Insightful)

Anonymous Coward | about 5 years ago | (#29740807)

No it doesn't. You have to type in the code. On.an.infected.machine. The bad guys can STILL see that.

Read the lock analogy above. If you have an untrusted endpoint, no matter if you had a token, smartcard, sms message, or even other "2 factor methods" like geolocation, encrypted cookies, or velocity/risk weighting you would get hosed.

BTW, the bad guys can still screw you over because 1. Javascript based attacks to own your browser 2. they can still get your underlying data, because livecd's usually mount your disks. 3. Livecds are not updated much, so they grow stale, and susceptible to attack.

Re:What about the banks? (0)

Anonymous Coward | about 5 years ago | (#29740833)

liveCD mounts HD (only) when you want to install said liveCD to HD ... other times, it's not mounted (if it is, then the liveCD is no good)

Re:What about the banks? (1)

hidden (135234) | about 5 years ago | (#29740767)

Well, with a token generator (for example), the thief would only have a few minutes to login before the token changed... that would help considerably.

Of course, that means the banks somehow convincing everyone to carry a token generator... (could some of these "printing circuits on paper" things we've been seeing lately be used to put a token generator on your bank card?)

Re:What about the banks? (1)

mlts (1038732) | about 5 years ago | (#29740811)

That's when you use something like the IBM ZTIC which moves the confirmation of bank transactions to a dedicated device that is hooked up to the PC, but only uses the connection as a method to talk via an encrypted connection to the bank. Because the device and the bank's servers are using their own encrypted channel, the only thing a compromised PC can do is try to jam or block the connection.

I've also seen another third party make a similar authentication device where it doesn't just display an eight digit number on the screen, or act as a smart card, but have an allow or deny button on a standalone LCD screen to confirm things.

Re:What about the banks? (4, Insightful)

mjwx (966435) | about 5 years ago | (#29740903)

And how would an n-factor authentication scheme help when software on your computer is logging keystrokes, mouse gestures, and capturing images of your screen and then sending them near realtime to the bad guys?

Because a 2 factor authentication token like an RSA key changes every 10 or so seconds so by the time Bad Guy #1 has finished parsing that log the 2nd authentication factor is out of date. The far cheaper way of doing this which most banks in Australia have started using is a one time password sent to you via SMS. This password works one time only (hence we call it a one time password, geddit) so if the Bad Guys(TM) get the entire password in real time and are reading their logs in real time then they still can't use it as the password has already been used.

Yes it's a band aid solution but at least it's a decent kind of band aid. The alternative is complaining that it doesn't work and then having nothing happen because no one has a better practicable idea.

Re:What about the banks? (1, Informative)

Anonymous Coward | about 5 years ago | (#29740799)

The attack described in the bank heists were two-factor. The login basically had them wait for another rolling code to enter, and in the wait period, the thieves stole the money. SNAP!

Re:What about the banks? (4, Interesting)

jamstar7 (694492) | about 5 years ago | (#29740865)

A little two factor authentication would be nice to see in American banks. Passwords just aren't adequate any more.

Per TFA, the banks in the two cases mentioned in the summary used two factor authentication. The hackers' malware delayed their access, and the hackers used a VPN tunnel to access the bank through the compromised computer.
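The single-use rule several commenters describe, and the per-transfer confirmation mentioned for SMS codes and the ZTIC, sketched as an added example that is not part of any comment in this thread. The login code follows RFC 4226/6238; the `Bank` class, the `transfer_code` construction and the sample payee names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(key: bytes, step: int) -> str:
    """Rolling login code: HOTP computed over the current time step (TOTP)."""
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    return _truncate(mac, 6)


def transfer_code(key: bytes, step: int, payee: str, cents: int) -> str:
    """Hypothetical code bound to the payee and amount shown on the token itself."""
    msg = struct.pack(">Q", step) + f"{payee}|{cents}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), 8)


class Bank:
    """Server side: accepts each code at most once, within a small clock window."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_login_step = -1   # highest time step already consumed
        self.spent = set()          # (step, code) pairs already used for transfers

    def _steps(self, now: int):
        current = int(now) // STEP
        return range(max(0, current - self.window), current + self.window + 1)

    def check_login(self, code: str, now: int) -> bool:
        for step in self._steps(now):
            if step <= self.last_login_step:
                continue  # this step (or a later one) was already used: replay
            if hmac.compare_digest(login_code(self.key, step), code):
                self.last_login_step = step
                return True
        return False

    def check_transfer(self, code: str, now: int, payee: str, cents: int) -> bool:
        for step in self._steps(now):
            expected = transfer_code(self.key, step, payee, cents)
            if (step, expected) in self.spent:
                continue
            if hmac.compare_digest(expected, code):
                self.spent.add((step, expected))
                return True
        return False


def demo() -> dict:
    key = b"12345678901234567890"  # constructed secret (the RFC 4226 test key)
    now = 59
    step = now // STEP
    bank = Bank(key)

    code = login_code(key, step)
    results = {
        "code": code,
        # The first submission wins. The server cannot tell whether it came
        # from the account holder or from whoever got the code to it first,
        # which is the limitation the thread points out.
        "first_use": bank.check_login(code, now),
        # A code captured by a logger and submitted afterwards is refused.
        "replay": bank.check_login(code, now + 5),
    }

    # The account holder approves one specific transfer on the token.
    approved = transfer_code(key, step, "ACME-PAYROLL", 125000)
    # A request that carries the same code but a different payee fails.
    results["altered_payee"] = bank.check_transfer(approved, now, "UNKNOWN-PAYEE", 125000)
    results["as_approved"] = bank.check_transfer(approved, now, "ACME-PAYROLL", 125000)
    results["transfer_replay"] = bank.check_transfer(approved, now + 5, "ACME-PAYROLL", 125000)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A login-only code protects against later replay but not against whoever submits it first; binding the code to the payee and amount is what limits what a relayed code can be used for.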

@Van der Graaf Generator (1)

markringen (1501853) | about 5 years ago | (#29740387)

it's just funny to say Van der Graaf Generator, hey look at what the Van der Graaf Generator is saying!

VM? (0)

0ld_d0g (923931) | about 5 years ago | (#29740391)

Why not just a VM running whatever OS you want?

Re:VM? (3, Informative)

Techman83 (949264) | about 5 years ago | (#29740421)

Keyloggers could still capture the input from the Host OS.

Re:VM? (1)

couchslug (175151) | about 5 years ago | (#29740515)

"Keyloggers could still capture the input from the Host OS."

Good reason to use a virtual keyboard in the VM.

Re:VM? (1)

Firehed (942385) | about 5 years ago | (#29740661)

Which you're clicking on with your compromised mouse input.

All that does is inconvenience you further.

Re:VM? (1)

grahamsz (150076) | about 5 years ago | (#29740663)

Wouldn't that just lead to a chain of mouse clicks that could be recorded by a mouse logger in the host os?

Re:VM? (1)

iamhassi (659463) | about 5 years ago | (#29740673)

"Keyloggers could still capture the input from the Host OS."

What about a Windows XP Live CD? [wikipedia.org] I can understand why businesses are afraid to run Linux, it's unfamiliar to their IT and their employees, but I don't understand why they still deal with XP running from hard drives.

Even 10+ yrs ago when I was in college they'd re-image the OS onto the hard drive within seconds over the network with every boot-up on PCs in the computer lab, and this was back on Pentium II PCs and 100mbit. Sounds like a pain for IT but it really made things much easier, just have one image of XP on a central server and update that and every PC that's rebooted throughout the entire campus pulls the same image over the network. Why don't they have a system like that? No virus or malware or problems with crashing, just reboot the PC and everything's back to normal.... hmm, actually this is starting to sound pretty good, I should do this at home.... thanks slashdot!

Re:VM? (1)

Techman83 (949264) | about 5 years ago | (#29740761)

"Keyloggers could still capture the input from the Host OS." What about a Windows XP Live CD? [wikipedia.org] I can understand why businesses are afraid to run Linux, it's unfamiliar to their IT and their employees, but I don't understand why they still deal with XP running from hard drives.

Does the licensing allow it? I don't think OEM licensing does. Maybe for Businesses with OBLs etc, but what about home users? What about getting a live disc, as far as I'm aware you have to create it, which isn't exactly hard (I use BartPE to speed up making our system images), but it isn't exactly a walk in the park, especially if you have painful network card drivers.

IMO, the path of least resistance in this scenario is certainly a linux LiveCD. Download, put in drive, boot up, open a browser and hey presto you're banking.

Even 10+ yrs ago when I was in college they'd re-image the OS onto the hard drive within seconds over the network with every boot-up on PCs in the computer lab, and this was back on Pentium II PCs and 100mbit. Sounds like a pain for IT but it really made things much easier, just have one image of XP on a central server and update that and every PC that's rebooted throughout the entire campus pulls the same image over the network. Why don't they have a system like that? No virus or malware or problems with crashing, just reboot the PC and everything's back to normal.... hmm, actually this is starting to sound pretty good, I should do this at home.... thanks slashdot!

All well and good if all your PC's are in labs, doesn't quite work so well for a distributed work force. It's a battle we face at work and something we ponder every day on how we can do it better.

Re:VM? (4, Insightful)

Straker Skunk (16970) | about 5 years ago | (#29740785)

What about a Windows XP Live CD?

"Sir, there are some gentlemen here who say they are from an organization called the BSA. They want to see the license certificates for those Windows CDs we've been handing out..."

Re:VM? (1)

functor0 (89014) | about 5 years ago | (#29740947)

Ok, so what about using the *host* OS for banking use, and the *guest* OS for daily use?

Re:VM? (5, Insightful)

shird (566377) | about 5 years ago | (#29740429)

Because as the author explains in the comments, key loggers can run at the low level device driver level. At this level, it can hook key presses in a VM just as well as the host OS.

It's a pain, because nobody wants to go to the trouble of rebooting twice for the sake of paying a few bills. But it's the only way to be sure of a clean environment, unless your BIOS has been hacked. It's at least one good argument for the trusted platform, TPM, or whatever it is. In theory you could be sure that you are running only un-altered digitally signed executables and nothing else.

Re:VM? (1)

BitterOak (537666) | about 5 years ago | (#29740465)

But it's the only way to be sure of a clean environment, unless your BIOS has been hacked.

But isn't that a rather serious problem? What if the keylogger is in the BIOS? Would a LiveCD help in that case? Is there any way to detect malware in the BIOS?

Re:VM? (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 5 years ago | (#29740493)

Presumably, if one is handling enough money that 100K or 450K could be stolen, one could afford a second computer and a 2 way KVM switch.

That doesn't solve the "but joe user doesn't want to reboot just to get to his overdrawn checking account" problem; but with real computers routinely showing up for $300 and lower, it isn't exactly an extremist position to suggest banking from dedicated hardware for any nontrivial amount of money.

Re:VM? (1)

binarylarry (1338699) | about 5 years ago | (#29740899)

That's great and all until a hacker shows up and is like:

"Yo dawg! I heard you like DRM, so I put a TPM in your TPM!"

and then he has access to whatever he wants.

duh. (0)

Anonymous Coward | about 5 years ago | (#29740395)

title says it all

Car analogy incoming! (1)

Loomismeister (1589505) | about 5 years ago | (#29740431)

You could also avoid getting in a deadly crash by using the city's free buses to get to the bank, instead of driving your Jeep. My hole-filled analogy to online banking is that you don't necessarily need to drop the entire operating system in order to be safe while banking online. There must be a ton of idioms that support me on this.

Re:Car analogy incoming! (1)

Shakrai (717556) | about 5 years ago | (#29740447)

You could also avoid getting in a deadly crash by using the city's free buses to get to the bank,

You've never seen how the bus drivers around here drive ;)

And which city has "free" buses, anyway?

Just Linux? (1)

bughunter (10093) | about 5 years ago | (#29740435)

How about BSD?

Or even better, how about a modified build of BSD underneath a GUI based on a 25 year tradition of Human Interface Guidelines?

(Just askin')

Re:Just Linux? (4, Funny)

sqrt(2) (786011) | about 5 years ago | (#29740459)

We're trying to SAVE money here

Re:Just Linux? (1)

RiotingPacifist (1228016) | about 5 years ago | (#29740499)

BSD lacks any sort of inter process security, so BSD is not secure for the desktop (granted nobody makes use of these tools for the linux desktop (i plan on fixing this and becoming your god when i get round to it), but BSD doesn't even have them).

AFAIK it is also a lot harder to find signed BSD images whereas almost all linux iso come with a sig to verify them against.

Note: I have nothing against BSD but it does have its deficiencies.

Re:Just Linux? (5, Insightful)

AvitarX (172628) | about 5 years ago | (#29740503)

I think the point is Boot CD, not Linux.

This would preclude any with an intelligent GUI (actually I am quite fond of Gnome at this point, but that wasn't what you meant).

If I am correct, using a Linux boot CD would make sense for Linux users too.

terrible advice (1)

QuantumG (50515) | about 5 years ago | (#29740455)

Ya, it stops key loggers, and that's great, but it ain't going to do much for your browser security unless you keep your LiveCD up to date, and hey, who says your CD burning software isn't infected - implications on trusting trust and all.

Re:terrible advice (1)

wizardforce (1005805) | about 5 years ago | (#29740509)

Most of the problem is malware and the live cd protects against that threat very well. Also, if your cd burning software is so compromised that it somehow manages to corrupt the live cd without the integrity checking program finding it then you probably shouldn't be banking on that computer anyway.

Re:terrible advice (4, Interesting)

fuzzyfuzzyfungus (1223518) | about 5 years ago | (#29740513)

Unless your browser is listening for incoming connections, or your bank is running third party banner ads (in which case, switch right the fuck yesterday), does a browser vulnerability really matter?

If you are using the LiveCD as a dedicated banking only environment, the only input your browser will see is your bank's website. If you can't trust user behavior, and want to really be sure, you could have it set to reject anything that doesn't have the bank's SSL cert. If your bank wants to 0wn you, you are already doomed. If no other site can reach your browser, your browser cannot be owned, no matter how buggy.

Re:terrible advice (akamai and cross site?) (0)

Anonymous Coward | about 5 years ago | (#29740585)

What about financial sites which use Akamai and javascript?

And require you allow javascript from Akamai....

Re:terrible advice (akamai and cross site?) (2, Interesting)

fuzzyfuzzyfungus (1223518) | about 5 years ago | (#29740725)

In the immediate term, that seems like a terrible plan. Akamai are a reputable outfit; but they carry stuff for all sorts of people. Any domain-level trust/validation mechanism isn't going to tell you very much about something from them. Barring a fix, the financial site should host their own javascript.

In the broader term, it might be worth looking into further cryptographic mechanisms. For instance, with debian packages, you can safely download from an untrusted mirror or an http mirror that might be subject to man-in-the-middle attack because the packages themselves are signed by the original distributor. Cryptographically, putting forged packages on a 3rd party mirror would be as difficult as man-in-the-middle attacking an SSLed connection to the original distributor. At worst, you disclose the fact that you downloaded package X to a hypothetical adversary (that isn't optimal; but it is far less than it might be).

If, for economic reasons, web sites that need to be secure wish to use 3rd party hosting for some of their material, a similar signing mechanism might be employed.

I connect to https://www.hypotheticalbank.com/ [hypotheticalbank.com] SSL assures me that I am in fact talking to the right people. hypotheticalbank.com says "Please obtain 'functionsandstuff.js' from '3rdpartyhosting.org', 'functionsandstuff.js' has been signed with our key and has SHA-1 hash XYZ, verify before loading." This would still be incrementally less secure than pure 1st party hosting, since 3rdpartyhosting.org can, by looking at my requests, infer that I am likely accessing hypotheticalbank.com at a given time; but it prevents an attacker, even if they control 3rdpartyhosting.org, from mucking with the code that my browser will end up executing.
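The check described in the comment above, as an added example that is not part of the original post: the first-party page, delivered over SSL, states the expected hash of a script hosted elsewhere, and the client refuses the script unless the hash matches. The `sha384-<base64>` string format is borrowed from the later Subresource Integrity standard rather than the SHA-1 the comment mentions; the function names, script contents and fail-closed behaviour are assumptions.

```python
import base64
import hashlib
import hmac

# Accepted algorithms, ranked so the strongest listed one decides the outcome.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def integrity_for(body: bytes, alg: str = "sha384") -> str:
    """What the first party publishes alongside the third-party URL."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def parse_integrity(attr: str) -> list:
    """Parse space-separated 'alg-base64' tokens, dropping anything malformed."""
    entries = []
    for token in attr.split():
        alg, sep, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # ignore any trailing option string
        if not sep or alg not in STRENGTH:
            continue  # unknown or unsupported algorithm (for example sha1)
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # not valid base64
        if len(digest) != hashlib.new(alg).digest_size:
            continue  # wrong length for the named algorithm
        entries.append((alg, digest))
    return entries


def verify(body: bytes, attr: str) -> bool:
    """True only if body matches a digest of the strongest algorithm listed.

    Fails closed: with no usable digest the script is refused. Only the
    strongest algorithm is consulted, so a weaker digest added next to it
    cannot be used to get a different file accepted.
    """
    entries = parse_integrity(attr)
    if not entries:
        return False
    strongest = max(entries, key=lambda e: STRENGTH[e[0]])[0]
    actual = hashlib.new(strongest, body).digest()
    return any(
        hmac.compare_digest(actual, digest)
        for alg, digest in entries
        if alg == strongest
    )


# Constructed sample: the script as the bank wrote it, and as a third-party
# host might serve it after modification.
SCRIPT = b"function formatAmount(cents) { return (cents / 100).toFixed(2); }\n"
MODIFIED = SCRIPT + b"/* changed by the hosting party */\n"


def demo() -> dict:
    published = integrity_for(SCRIPT)  # carried by the bank's own page
    # Digest of the modified file under a weaker algorithm, placed next to
    # the real one: must not be enough to accept the modified file.
    mixed = integrity_for(MODIFIED, "sha256") + " " + published
    sha1_only = "sha1-" + base64.b64encode(hashlib.sha1(SCRIPT).digest()).decode()
    return {
        "original": verify(SCRIPT, published),
        "modified": verify(MODIFIED, published),
        "weaker_digest_ignored": verify(MODIFIED, mixed),
        "original_with_mixed": verify(SCRIPT, mixed),
        "no_metadata": verify(SCRIPT, ""),
        "sha1_only": verify(SCRIPT, sha1_only),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```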

Re:terrible advice (3, Interesting)

QuantumG (50515) | about 5 years ago | (#29740623)

sigh. Just off the top of my head I can think of about a dozen attacks one could direct against a bank user who thinks they're bulletproof because they're using a Linux LiveCD. For example, booting off a LiveCD won't save you from the truncated SSL cert attack that was demonstrated in the direction of PayPal the other day.. only having an up-to-date browser will do that. Encouraging people to use unpatched known-vulnerable software to do their banking just so they can avoid malware on their regularly patched machines makes no sense at all. Of course, that's the extreme case.. suggesting people use a LiveCD of Linux instead of an unpatched copy of Windows XP SP1 is a different kettle of fish.

Re:terrible advice (2, Interesting)

black3d (1648913) | about 5 years ago | (#29740735)

A dozen? I can only think of three. Excluding such fanciful attacks as "camera over the shoulder". Indeed, a forged cert combined with DNS poisoning could be used as a possible MITM attack. However, as in my post below, you can explore possible attack vectors for the sake of argument into infinite regression. Opposite to your argument is the fact that my bank always requires the latest version of Java to be installed to use its online banking. Each time Java is updated and my LiveCD thus becomes out-of-date, I'd be forced to burn a new LiveCD which would throw in all the browser security improvements that go along with it. My argument is, it's not "terrible advice". At worst, it's "good advice which could be improved upon."

Re:terrible advice (1)

QuantumG (50515) | about 5 years ago | (#29740775)

If you regularly have to create a LiveCD, and you're the kind of person who is susceptible to malware attack, then:

  1) You're not going to do it, and
  2) You're likely going to get owned during the LiveCD creation chain..

It kinda seems like all the value of using a LiveCD disappears as soon as you start trying to update it.. which is why I was bothering to object to suggesting to people that they use a LiveCD, as they necessarily contain software that is not patched up-to-date.

None of this is new BTW, it's just that a pundit has stumbled into this old discussion.

Re:terrible advice (1)

black3d (1648913) | about 5 years ago | (#29740845)

As you would expect, my explanation was from a hypothetical view of "if I was using the LiveCD method as discussed."

Personally I'm happy with the security I already have in place, which certainly doesn't involve LiveCDs, but this isn't meant to be a discussion on three-factor authentication or the like, it's about the pros and cons of a regular user using a LiveCD as opposed to their regular PC to log in.

I believe the benefits for the average user would outweigh the risks. Certainly the idea can use an improvement - a possible business direction for some budding entrepreneur out there - however it's far better than the status quo users who are constantly, on a daily basis, infecting millions of machines worldwide with malware through their own ineptitude. And it is indeed malware and phishing (both vectors which are mitigated through this method) which are the primary sources of the scourge of stolen information. If 99% of attacks are malware/phishing and 1% are MITM, don't you also think it better for people to knock out those 99%?

If we see other vectors increasing in popularity, I'm certain we'll see the response from the security community increasing in equal measure. But remember - the users being focused on here are those who simply don't know any better. Though - I can see it coming already.

Email from: yourbank@internationalbanks.cc
Subject: Use LiveCDs to safeguard your internet banking!
Attachment: LiveCD.exe

Re:terrible advice (1)

lee1026 (876806) | about 5 years ago | (#29740907)

how about a physical keylogger? Live CD won't help there, as it is hardware, not software.

Re:terrible advice (1)

Amazing Quantum Man (458715) | about 5 years ago | (#29740745)

I thought the truncated SSL was only affecting those using the MS crypto library?

Re:terrible advice (3, Insightful)

Anonymous Coward | about 5 years ago | (#29740551)

Ya, it stops key loggers, and that's great

Yeah, it is great, because a huge part of on-line fraud is from keyloggers. Modern ones even record 'screencast' movies of you using your computer.

but it aint going to do much for your browser security unless you keep your LiveCD up to date

Between booting up and getting a DNS record for your bank how are they going to exploit a browser security problem? You could safely use unpatched IE5 to do online-banking. There might be some null-prefix type problems, but in reality going directly to your bank's site is pretty hard to get in between.

who says your CD burning software isn't infected - implications on trusting trust and all.

There are lots of different CD burning software, lots of different distributions, lots of AV software that might detect the modifications, and high risk of some paranoid geek with sha1 finding it out. Compared to just setting up an 'enter your password and win a free chocolate bar' site, it's not cost effective to do this.

Re:terrible advice (5, Insightful)

black3d (1648913) | about 5 years ago | (#29740555)

Browser security is only an issue if you're visiting other sites, in the same session, on the same boot, on your LiveCD. Browsers on LiveCDs don't magically download malware from the internet by themselves - you have to direct them to. And most conventional malware must install itself - which won't happen on a LiveCD. There are a very few flash/js based attacks that work live in the same session - but really, if either (a) your bank has third-party inline flash ads or (b) you don't trust java content from your bank's own website, then why are you banking with them online?

And going as far as questioning whether your CD burning software is infected is ridiculous. You can't be any more certain that your mouse doesn't have imbedded circuitry tracing your movement patterns, or your keyboard doesn't have a keylogger built directly into it, or the aliens aren't tapping directly into your cabling's electromagnetic interference patterns to directly access your bank account as you do. You're going to extremes purely for the point of argument, but although it may have passed you by, it was established several thousand years ago that "nothing is certain".

If you can imagine up scenarios like malware built into your cd-burning software specifically to target LiveCDs being used for online banking, I can't fathom how you trust a bank's own employees enough to actually keep your money with them instead of under the mattress.

Re:terrible advice (1)

grahamsz (150076) | about 5 years ago | (#29740687)

Honestly, you'd be as good if not better with a windows XP bootable PE disk. It's a factory minted CD that's been time tested.

Re:terrible advice (1)

John Hasler (414242) | about 5 years ago | (#29740723)

What does it cost? Where does Joe Ordinary get it? Does it include a current browser?

Re:terrible advice (4, Funny)

Draek (916851) | about 5 years ago | (#29740773)

hey, who says your CD burning software isn't infected - implications on trusting trust and all.

I understand there's only a fine line between safety and paranoia, but the idea of a CD burning software having been compromised to detect Linux LiveCD ISOs and add a software keylogger to the system included therein is so far up in 'paranoia' territory it already got full citizenship and is considering running for president against "Elvis is hidden in Area 51" and "9/11 was planned by Israel to draw the US into the middle east".

Re:terrible advice (1)

QuantumG (50515) | about 5 years ago | (#29740795)

Oh please, there's a lot of malware out there that checks to see if you're making a bootable CD and adds itself to the boot chain.

There's also malware out there that modifies your bios so it doesn't matter if you boot off a CD or a hard drive.

Re:terrible advice (2, Insightful)

jhol13 (1087781) | about 5 years ago | (#29740847)

How does that malware affect live Linuxes?

It's not just Linux, it's trusted boot... (3, Interesting)

nweaver (113078) | about 5 years ago | (#29740457)

It's not just "linux vs Windows" but "trusted boot": All you need to rely on is that the live CD is OK and your BIOS is not corrupted and you can effectively safely connect to your bank.

I use it myself for my Schwab account, with the added bonus of there is enough math to show active traders lose big, so don't trade active, which goes into play here.

Re:It's not just Linux, it's trusted boot... (1)

zindorsky (710179) | about 5 years ago | (#29740783)

It's not just "linux vs Windows" but "trusted boot": All you need to rely on is that the live CD is OK and your BIOS is not corrupted and you can effectively safely connect to your bank.

ORLY? What about hardware key stroke loggers? They do exist you know.

Re:It's not just Linux, it's trusted boot... (1)

zindorsky (710179) | about 5 years ago | (#29740813)

Not to mention TEMPEST (http://en.wikipedia.org/wiki/TEMPEST)

Re:It's not just Linux, it's trusted boot... (1)

slimjim8094 (941042) | about 5 years ago | (#29740933)

If either TEMPEST or hardware keystroke loggers are in play, I'd wager you have bigger problems than someone transferring your money around.

Alternate Headline (4, Insightful)

Minwee (522556) | about 5 years ago | (#29740467)

"Washington Post Urges Thieves To Distribute Linux LiveCDs"

A few racks full of CDs in a highly visible place, or even cheap preloaded USB drives delivered right to the mark's front door along with a friendly letter explaining how running Linux would help improve security and thwart The Bad Guys could make your job of stealing from the clueless even easier than before.

Re:Alternate Headline (2, Insightful)

fermion (181285) | about 5 years ago | (#29740751)

Exactly. The problem is that many users click on anything that is bright and shiny. While some problems are caused without user interactions, others clearly come from users navigating towards "carefully constructed web pages". There is really no way to stop this. One CD with 'naked women version of secure linux' on it, and it would be open season for the office bank accounts.

The only real solution is to make banks liable for online bank fraud, just like credit cards are liable for credit fraud. The customer has to pay $50, the bank covers the rest. This is really the value of credit cards. You are using someone else's money, so they take the risk. Once it is your money, you are at risk even if the bank's security is at fault.

Re:Alternate Headline (1)

mlts (1038732) | about 5 years ago | (#29740889)

That actually might be a viable attack vector. I could imagine someone giving out ready to install media for popular distributions, except that a few key binaries would be modified (including gpg so it would say that things are signed when they really are not.)

The main defense to this is for Linux distribution makers to make media with anti-counterfeit features like holograms, or for a person to burn the media themselves after checking that the signatures match on a machine they know is not compromised.

Or how about Websites being smart with NoScript? (0)

Anonymous Coward | about 5 years ago | (#29740473)

It would be great if a Website would give its IP Address on every login prompt and not direct to any other domains for its login process. Then with NoScript, allow what Applecodescript to execute and what domains may interoperate on the page. Instead, Washington Post gives a false generalization that a Linux live CD will defeat all Phishing attempts.

Typical dead-beat wrong journalism. The next thing you'll know, the New World Order crowd will arrive to demand everyone get a License to use a computer, and then I'll start the GNU World Oder crowd that will dispel the New World Order crowd's false legal representations of Statutory law.

To be safe... (3, Informative)

Antony-Kyre (807195) | about 5 years ago | (#29740495)

Well, don't do online banking.
Or, use a totally separate computer to do online banking. Only use the web browser to access one's bank account.
Or look for those "freeze" type software, which makes the harddrive essentially read only.
Also, it doesn't hurt to check which processes you are running, and whether any of those are unusual.

Re:To be safe... (0)

Anonymous Coward | about 5 years ago | (#29740629)

And while you're at it, you might want check each process's loaded dlls and file handles and each of their checksums and tcp connections. Not that any of that will help against a compromised OS or hardware.

Phishing already solved. (1, Interesting)

Anonymous Coward | about 5 years ago | (#29740561)

My bank implemented a system that asks you for three numbers from a physical card in addition to your regular password. This is so successful at blocking phishing attacks that such two-factor authentication has all but wiped out such security breaches to the point they now made it mandatory for all online banking. I have the inside word that they have not had a single case of successful (conventional) phishing since this has been introduced.

Re:Phishing already solved. (1)

grahamsz (150076) | about 5 years ago | (#29740729)

Can you clarify how that works? If it just asks you to enter the 3rd, 9th and 12th digits from your card then it seems like it would be susceptible to a classic MIM attack.

Free Software not Linux (1)

Statecraftsman (718862) | about 5 years ago | (#29740571)

There is nothing special about a "Linux LiveCD" that ensures that the programs on it can be trusted. Most distributions still include binary blobs in their corresponding source code that can bring the kinds of problems for which Microsoft Windows is advocated against in the article. Thankfully at this point, you can get machines that run a free bios, support wireless, and run 100% free software. Depending on the value of your target and the determination of your attacker there is a software solution for you.

The browser may be out of date (2, Insightful)

HalAtWork (926717) | about 5 years ago | (#29740587)

The browser on a LiveCD may be out of date. How about a USB flash drive that can save your ISP settings and can update the browser? Banks could distribute them for the price of the flash drive as a safer option for online banking.

Re:The browser may be out of date (1)

Mr. Roadkill (731328) | about 5 years ago | (#29740897)

Who cares if the browser on the LiveCD is out of date? What really matters is that it provides a known clean OS and browser. Provided they do their banking before visiting russianmafiasite.com they're safe.

Same goes with most of the rest of the software, especially these days when the machine is likely to be protected from the big bad internet to some extent by the ADSL router and the magic of NAT. If someone uses a two-year-old Ubuntu disc for their online banking (and only their banking), they're still safer than if they use XP and Internet Exploder for banking and surfing porn and downloading warez and downloading movies and...

A USB-based installation that allows the browser to be updated can also be subverted, at least in theory. The beauty of a LiveCD is that it's static.

Devil's advocate: Deepfreeze? (4, Insightful)

mlts (1038732) | about 5 years ago | (#29740603)

Devil's advocate here:

Of course, a diskless system running Linux would reduce the chance of malware on clients, but perhaps if a company is dependent on Windows, almost as good security (and I state almost) would be obtained from denying admin access and using something like DeepFreeze, Windows SteadyState, or similar?

Combine DeepFreeze with AppLocker, some decent enterprise antivirus utilities, BitLocker, and the usual physical and BIOS protection on a machine, and one can make a decently locked down terminal that can cleanly run Windows apps. Should additional software be needed, no need to install it, just use something like VMWare ThinApp and have it runnable from a central location.

There is nothing wrong with a diskless system and booting from a CD-ROM. However, unless one creates a custom image with reliable enterprise level auditing tools, it becomes difficult to extract data from a group of PCs (and this is important for larger businesses come tax season, or regulatory compliance), and it is definitely an issue to add or update software without a reboot, unless it is a precompiled binary on a central server that people run.

Also, instead of running live CDs, why not consider going to a vendor like Wyse and going with truly thin technology? This way, there is little to no fiddling with the client side. If a thin terminal has a problem, just swap it out for another one, chuck the old one in the RMA box and be done with it. This is arguably a lot easier than the cost for maintaining standard PCs [1].

[1]: I'm primarily intending enterprise level here. For some SMBs, it is a lot cheaper to go with a boot CD and a generic PC, but for larger companies, it may mean more futzing around with stuff for their IT staff, especially on the scale of thousands of endpoints. If I had a startup with a call center of 5 people, PCs are a lot more economical. However, 500 to 1000 people in a non-technical call center, then I'd take a serious look at thin terminals and a beefy internal network fabric.

it's not a matter of Linux vs. Windows... (2, Insightful)

SuperBanana (662181) | about 5 years ago | (#29740613)

...it's more a matter of a read-only medium. If people start doing this in greater numbers, all the evil people will do is start distributing hacked ISOs pretending they're legitimate. This also doesn't do much for machines which have been hacked at a BIOS/bootloader level. In fact, if the PC is set to boot to the hard drive and the trojan supervisor is smart and puts up a boot menu that looks bios-ish (ie, allowing you to select the boot device), 95% of users would never notice. So unless Linux LiveCDs start running checks to see if they're being virtualized, this isn't a very good safety net.

Also, honestly, how many people do you think check the MD5 sum on an ISO? Hell, I've never had a RedHat/Fedora disc that passed its self-check. I gave up on that ages ago.

Re:it's not a matter of Linux vs. Windows... (1)

mlts (1038732) | about 5 years ago | (#29740789)

I have always checked the PGP/gpg signature on any ISOs I download from anywhere, but once burned, this becomes a lot harder, as one can't just tell immediately if a disk has a copy of the OS that hasn't been touched.

Another round of attack, should some malware be able to get root-level would be to not bother with the ISO and similar to what the parent poster stated, perhaps install a modified BIOS. If an attacker is sophisticated, has a lot of intelligence on the business he or she wants to compromise, then they could write malware targeted just for that model of client PC alone, or perhaps just a device (like a keyboard with a flashable HID controller) to make it log keystrokes and store them in a safe place for easy retrieval later on.

What might be a solution would be to have motherboards with a flash drive of 32 to 64 GB directly on the board. Then someone can install or image an OS to this, and set it read only. This way, no external media readers would be needed, and a PC could pre-image the OS on there, and ship the machine with just the PS/2 keyboard port, PS/2 mouse port, monitor port, and a NIC (no USB connectors). However, at this stage, this is essentially a thin client with a custom OS.
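The check raised in this sub-thread (confirming that the burned disc itself, not only the downloaded ISO, matches what the distribution published) can be done by hashing exactly as many bytes from the device as the ISO contains, because a raw read of burned media can return padding past the end of the image. This is an added example, not part of the thread: the function names, file names and sample data are constructed, SHA-256 is chosen here, and the checksum list is assumed to be in `sha256sum` format and already authenticated (for instance by its detached gpg signature).

```shell
#!/bin/sh
# verify_burned_media ISO DEVICE SUMFILE
#   ISO      downloaded image (used for its file name and exact byte size)
#   DEVICE   block device or file holding the burned copy (e.g. /dev/sr0)
#   SUMFILE  publisher's checksum list in sha256sum format ("<hex>  <name>")
# Returns 0 if the ISO and the first <size> bytes of DEVICE both match the
# published digest, 1 on a mismatch, 2 if an input is missing or unlisted.
# Limitation: file names containing whitespace are not handled.
verify_burned_media() {
    iso=$1 dev=$2 sums=$3
    [ -r "$iso" ] && [ -r "$dev" ] && [ -r "$sums" ] || return 2

    name=$(basename "$iso")
    # Look up the expected digest by name; tolerate the "*" binary-mode marker.
    expected=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f==n {print $1; exit}' "$sums")
    [ -n "$expected" ] || return 2

    size=$(wc -c < "$iso" | tr -d ' ')
    iso_sum=$(sha256sum < "$iso" | cut -d' ' -f1)
    # Hash only the first $size bytes so trailing padding on the disc is ignored.
    dev_sum=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)

    [ "$iso_sum" = "$expected" ] || { echo "ISO does not match published digest" >&2; return 1; }
    [ "$dev_sum" = "$expected" ] || { echo "burned media does not match published digest" >&2; return 1; }
    echo "OK: $name and $dev both match $expected"
}

# make_sample DIR: build constructed stand-ins for an ISO, a faithful burned
# copy with 4 KiB of trailing padding, a copy with one altered byte, and a
# checksum list. None of this is real distribution data.
make_sample() {
    d=$1
    head -c 65536 /dev/zero | tr '\0' 'A' > "$d/live.iso"
    { cat "$d/live.iso"; head -c 4096 /dev/zero; } > "$d/disc-good.img"
    { printf 'X'; tail -c +2 "$d/live.iso"; head -c 4096 /dev/zero; } > "$d/disc-bad.img"
    (cd "$d" && sha256sum live.iso > SHA256SUMS)
}

# Demo on the constructed data (no optical drive needed).
tmp=$(mktemp -d)
make_sample "$tmp"
verify_burned_media "$tmp/live.iso" "$tmp/disc-good.img" "$tmp/SHA256SUMS"
verify_burned_media "$tmp/live.iso" "$tmp/disc-bad.img" "$tmp/SHA256SUMS" \
    || echo "altered copy rejected"
rm -rf "$tmp"
```

The result is only as trustworthy as the machine that runs it and the checksum list it is given, which is the same dependency the comments above argue about.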

SecureID token (0)

Anonymous Coward | about 5 years ago | (#29740641)

Out here in Singapore, DBS gives everyone a secure token. It's by far the safest way to bank online. No one save the most sophisticated of hackers could subvert a random number dependent login (definitely secure enough to keep away all the script kiddies).

A smart bank would be ALL over this... (4, Interesting)

davide marney (231845) | about 5 years ago | (#29740667)

A bank with any technical savvy would be immediately preparing a LiveCD/USB distro that boots as quickly as possible into a browser pre-configured with the bank's portal page set as the home page. The distro would contain nothing extraneous -- just enough for fast, safe banking. It would, of course, be thoroughly branded, but completely legit vis a vis source code and license notices. Give them away in the mail, or even sell USB drives.

Re:A smart bank would be ALL over this... (3, Insightful)

gapagos (1264716) | about 5 years ago | (#29740805)

Sorry to break it to you, but doing this would be marketing-suicide for any bank that does this.

All of its competitors, and 99.9% of its non-tech-savvy client base (so 99.5% of its clients including the tech-savvy ones) would interpret it as:

"This bank is SO insecure that they push me to use some kind of complicated pc configuration every time before I go to their website. What a pain in the ass. Why can't they pay for their security problems themselves? I'm switching to another bank."

A good bank should educate their clients about being responsible online, not make their online banking even more inconvenient.
A great bank should protect their client bank accounts even if their PCs and their accounts have been compromised.
A horrible bank is one that expects its users to go through a long and complicated process for their "safety", disregarding the negative user experience in the process, like you're suggesting.

I realize you're suggesting it as an option, not a forced policy, but the mere existence of the option will make average joe panic about its security and take for granted it's almost mandatory or he's fucked.

This Story is Not Credible (0, Funny)

Anonymous Coward | about 5 years ago | (#29740709)

"Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."

I mean look at this a cop is saying something reasonable and sensible. That quote is obviously faked and it calls the rest of the article into question.

Be Safe (0)

Anonymous Coward | about 5 years ago | (#29740749)

Tinfoil Hat Linux may be your best choice. THEY ARE WATCHING YOU.

Non-random bits on LiveCD can compromise security (1, Interesting)

QuantumV (1307135) | about 5 years ago | (#29740779)

Since a LiveCD doesn't save anything between reboots, it doesn't have a random seed that it keeps changing. Therefore the random number generator is initialized to the same state every time a system is booted (and probably to the same state for all computers using a specific LiveCD image). When the random number generator is in a predictable state, isn't the security of SSL essentially gone? To work around this, one can add some randomness to the random number generator on boot, but it is extra hassle. Something like "echo ssj s lsl sfi random hits on keyboard shdflsh sl fhlinaw nvnai dnsi >/dev/random"

Re:Non-random bits on LiveCD can compromise securi (1)

ceoyoyo (59147) | about 5 years ago | (#29740881)

If you're relying on a seed that's saved from boot to boot your random number generator is vulnerable anyway. At least use the startup time to provide all or part of the seed.

Re:Non-random bits on LiveCD can compromise securi (3, Informative)

PhrstBrn (751463) | about 5 years ago | (#29740945)

Huh? Random number generators can be seeded with other data from your hardware, such as the system clock time, reading PCI devices, or some random data off your hard drive. Every single time you reboot your system clock has changed. If you have a hard drive, the data on there has probably changed too, so you can just read some information off the drive at the block level (you don't need to mount it). Every user who uses a live CD has different hardware.

The problem is trivial at best to solve. It may not be the absolutely perfect solution, and probably not good enough if you need a true random number generator, but good enough for this purpose. You definitely won't be in the same state every time you reboot (at the very least the time changed).

What's safety? (1)

ndik (1186119) | about 5 years ago | (#29740797)

Nothing is safe, even with Linux. The banks however can do much more to prevent attacks by improving their processes, not to mention educating the common user.

Inept network admins (1)

realmolo (574068) | about 5 years ago | (#29740857)

Seriously. How in the WORLD was a keylogger installed on a bank machine?

This isn't rocket science. Securing Windows workstations is a problem that has been solved. Where are the IDS/IPS systems? Why are the users allowed to install ANYTHING? Why aren't they filtering the download of *any* executables from non-trusted sources?

The problem isn't Windows, the problem is the VAST majority of businesses that are running Windows aren't concerned about security. At least, not enough to pay for it (as in, paying competent admins and paying for the hardware/software necessary to secure the network).

In fact, in my experience, your average banks have some of the most insecure, cobbled-together, waiting-to-be-hacked systems around.

Excellent idea! (0)

Anonymous Coward | about 5 years ago | (#29740867)

I agree, make people use linux, that way they won't know how to do anything!

Less users on the internet = less botnets.

I see what you're sayin, I got yer message.

LiveCDs? Way too risky! (1)

Interoperable (1651953) | about 5 years ago | (#29740927)

LiveCDs are far too insecure to even consider using. Tin Hat Linux [dyc.edu] is an improvement but it's still far too unsafe for me to use; not with the Illuminati hiding around every corner waiting to perform cold boot attacks. That's why I choose to live in the Google opt-out village [theonion.com].

I use Linux (1)

MrKaos (858439) | about 5 years ago | (#29740931)

To avoid Windows.

I suppose I'm gonna get modded a troll for that...
