Avoid Windows Malware: Bank on a Live CD

An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online.

I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way.

But regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer.

Why is the operating system important? Virtually all of the data-stealing malware in circulation today is built to attack Windows systems, and will simply fail to run on non-Windows computers. Also, the Windows-based malware employed in each of these recent online attacks against businesses was so sophisticated that it made it extremely difficult for banks to tell the difference between a transaction initiated by their customers and a transfer set in motion by hackers who had hijacked that customer's PC.

The now-infamous hack against Bullitt County, Ky. illustrated how thieves use malware to defeat two of the major lines of defense commonly used by banks to thwart unauthorized activity. Many banks offer customers the option for so-called "dual controls" - requiring at least two authorized employees to sign off on any money transfers. In that attack, thieves used malware planted on the treasurer's system to effectively add themselves as an authorized approver of transactions.

Banks also often keep track of the Internet addresses used by their customers, and erect additional security measures when those customers access their online accounts via unfamiliar addresses or computers. In the case of Bullitt County and at least three other victims I've interviewed in the past three months, the attackers used their malicious software to route their connection to the bank's Web site by tunneling through the victim's own Internet address and computer.

Malicious software also is helping thieves defeat so-called two-factor authentication, which generally involves requiring online banking customers to enter something they have in addition to their user name and password, such as the code generated by a key fob that creates a new, six-digit number that changes every 30 seconds.

Over the past two months, I wrote about the plight of two companies that were victims of online bank fraud despite the fact that their banks required the use of these security tokens.

David Johnston, owner of Modesto, Calif. based Sign Designs, lost nearly $100,000 on July 23 due to Windows-based malware. Johnston's bank requires customers to enter the code from a Vasco security token. But the thieves - armed with malware on the company controller's PC - were able to intercept one of those codes when the controller tried to log in, and then delay the controller from logging in. Indeed, Johnston said the company's computer logs show that the controller logged into the system while the series of thefts was already in progress.

Thieves used the same approach to steal $447,000 from Ferma Corp., a demolition firm in Santa Maria, Calif. whose bank also required customers to enter a code from a security token.

I'm not the only one recommending commercial online banking customers consider accessing their accounts solely from non-Windows systems. The Financial Services Information Sharing and Analysis Center (FS-ISAC) -- an industry group supported by some of the world's largest banks -- recently issued guidelines urging businesses to carry out all online banking activities from "a stand-alone, hardened and completely locked down computer system from where regular e-mail and Web browsing is not possible."

In direct response to this series reported and published by Security Fix, the SANS Technology Institute, a security research and education organization, challenged its students with creating a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. Their conclusion? While there are multiple layers of protection that businesses and banks could put in place, the cheapest and most foolproof solution is to use a read-only, bootable operating system, such as Knoppix or Ubuntu. See the SANS report here (PDF).

Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-ROM. The beauty of Live CD distributions is that they can be used to turn a Windows-based PC temporarily into a Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a Live CD are loaded into system memory, and any changes -- such as browsing history or other activity -- are completely wiped away after the machine is shut down. To return to Windows, simply remove the Live CD from the drive and reboot.

More importantly, malware that is built to steal data from Windows-based systems won't load or work when the user is booting from a Live CD. Put simply: even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, that malware can't capture the victim's banking credentials if that user only transmits his or her credentials after booting up into one of these Live CDs.

The Arc of Steuben, a Bath N.Y.-based not-for-profit that provides care for developmentally disabled adults, has taken this advice to heart. In September, I wrote about how thieves had used malware to steal nearly $200,000 from the organization. Since then, the organization has restricted access to its online bank account to a Linux system on its network, according to an Oct. 1 report in the local Star Gazette.

"I would strongly recommend looking at whatever systems you're using if you're doing electronic banking," the Gazette quotes Bernie Burns, the Arc's executive director. "And if it is a Microsoft system, perhaps looking at something different."

Of course, a Mac computer would probably work just as well, but the focus here is on Windows users who may be looking for a cheap way to harden their existing setup to avoid malicious software.

If you've never used a Live CD and are interested in learning how, or if you just want to take a Linux operating system for a test drive, check out my tutorial on this topic here.

By Brian Krebs  |  October 12, 2009; 2:00 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Small Business Victims , Web Fraud 2.0  | Tags: live cd, ubuntu, windows  
Previous: E-Banking on a Locked Down (Non-Microsoft) PC
Next: Microsoft Issues Record Number of Security Updates

Comments

The last line should be hyperlinked to the previous column, but for now you can click on "E-Banking on a Locked Down (Non-Microsoft) PC" to the right of "Previous".

Posted by: Hemisphire | October 12, 2009 3:24 PM | Report abuse

Nice article BK. I'm not certain about how a virus caught during a Live CD session wouldn't jump to the hard-drive. Are there no drivers included in the Linux Build to mount a hard-drive? Thanks

Posted by: dward__ | October 12, 2009 3:30 PM | Report abuse

@hemisphere -- Thanks. I've added the link.

@dward -- You can certainly mount the underlying hard drive from a LiveCD if you want to, but I'm not aware of malware for Windows that will jump down through a LiveCD session and down into the Windows hard drive.

Posted by: BTKrebs | October 12, 2009 3:33 PM | Report abuse

A live CD is one way true but a new company called Encryptakey.com has a usb drive preloaded with the operating system and all the standard software the common user would need such as MS office, firefox, IE, outlook, etc. You plug it in, reboot your computer and surf to your heart's content. Since the computer's hard drive is powered down and the thumb drive's OS is read only. There is no infection to your system.

Posted by: Hilbert | October 12, 2009 3:44 PM | Report abuse

Hope this idea takes hold in a big way, that other bloggers and media outlets talk it up. Especially if this happens, it will be interesting to watch the reaction from Redmond. I've already sent the link to any business associate to whom it might be relevant.

Posted by: featheredge99 | October 12, 2009 3:44 PM | Report abuse

As effective as a Live CD is at reducing one's attack surface, no solution is perfectly secure. Users of a Live CD would do well to confine their web browsing to ONLY their online banking and NOTHING ELSE.

By visiting other websites before or during (multiple tabs/windows) online banking one can suffer from a man-in-the-browser attack. If Live CD users simply browse to ONLY their bank website, the odds of a man-in-the-browser attack are extremely low.

Users that DO visit OTHER sites can greatly reduce risks by simply quitting and restarting their web browser application, effectively flushing nasty applets out.

There's another class of attacks possible, Code Injection, but frankly on a Linux Live CD, I consider this so extremely unlikely (today) that it's not worth discussing further.

There is one more attack vector that MIGHT be of concern. But honestly, Linux is not my thing. I'd have to do some homework. So, to those Linux folk here I ask, how might a drive-by download attack, the launch of an arbitrary executable, be able to run, and couldn't the selected Linux distro readily be configured to snuff these avenues out? For perspective though, this secondary subject is pretty rarified, as I expect there are few if any active exploits of Linux or Linux web browsers that could facilitate a drive-by.

Cheers,

Eirik Iverson

Posted by: eiverson1 | October 12, 2009 4:01 PM | Report abuse

@dward
There are two things that would keep a Windows virus from "jumping" to the hard drive. First, if the Windows partition is mounted (accessible) at all, it is generally mounted read-only. On a Linux system, even the administrator (super-user) cannot write to a read-only device. (The admin could re-mount it read/write, but that must be done as a separate step.) Second, and more important, code meant for Windows, especially low-level code as malware generally is, just won't run at all under Linux; it is internally a very different OS with different system calls, etc.

Posted by: richg74 | October 12, 2009 4:31 PM | Report abuse

Extremely interesting. Two issues:
1.- I would recommend using a recent version of Linux, just in case. That would include recent solutions to vulnerabilities (maybe not the latest from 'today', but it's better than having a distro from some years ago).
2.- What about virtual machines? If I have a compromised Windows but inside it I load a clean Windows virtual machine, what's the result in your opinion? Would a malicious code still be able to do harm if that virtual machine is patched and with AV and it's only used to online banking?
Keep up the good work.

Posted by: FaustoCG | October 12, 2009 5:14 PM | Report abuse

@FaustoCG -- I meant to address the virtual machine issue in my story, because I knew someone would ask.

Much of the malware for Windows that steals passwords and so on does so by hooking the keyboard at a fundamental level. It would be impossible to say one way or the other whether the approach you describe would defeat these threats, but I can only say that the way I describe eliminates that possibility. I would not want people to go through all the trouble of running a Linux OS inside of a VM on top of Windows if the malware on the underlying Windows OS were able to compromise the whole thing.

Posted by: BTKrebs | October 12, 2009 5:20 PM | Report abuse

Assuming one does move to Linux as described here, what steps need to be taken on Windows systems to permanently "cleanse" them after online banking has been used on it, to remove the traces permanently? Just cookies? Multi-browser super cookies? Registry?

Posted by: axialinfo | October 12, 2009 6:29 PM | Report abuse

Some Windows malware perform DNS spoofing/ARP poisoning/DHCP spoofing, so even a LiveCD won't help you if you're on a network with some infected Windows machines.

Posted by: neversaylie | October 12, 2009 7:50 PM | Report abuse

Re: my above comment – 

Unless, of course, the user is savvy enough to notice that their banking session isn't properly SSLized, e.g. the sslstrip attack. But research has shown that users very rarely notice the absence of security indicators.

Posted by: neversaylie | October 12, 2009 7:52 PM | Report abuse

" Put simply: even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, that malware can't capture the victim's banking credentials if that user only transmits his or her credentials after booting up into one of these Live CDs."

It might be prudent to drop the first two words of this sentence.

Posted by: DasparGothador | October 12, 2009 9:03 PM | Report abuse

Live CD? Reboot your computer every time you need to access your bank account?

For the love your sanity, switch to Macs people -- end the insanity once and for all.

Posted by: todorov | October 12, 2009 9:58 PM | Report abuse

Brian

Thanks a lot. Will also try Shampoo Burning Software sans the upgrade -- presume I don't need it, though you might comment if worth while.

I've copied and forwarded this item to numerous friends thruout the country. I'm sure you don't mind. LOL

Posted by: brucerealtor@gmail.com | October 13, 2009 4:18 AM | Report abuse

Linux is not immune from drive by attacks via browsers, but most attacks are going for Windows based systems since Windows computers are the most plentiful. Windows based attacks will fail on a Linux system unless WINE is installed and IE is being used as the browser via WINE. I have commented on the tutorial below and added a little bit of additional advice to enhance this technique's implementation. Mr. Krebs is giving people the best advice possible. Compare that to the FS-ISAC advice which is not entirely practical for the reason that one is likely to use a browser to access their bank account be it a business, government, or individual consumer even on a hardened system. You can harden a Windows computer all you want, but it will still be vulnerable via the network through file sharing or the browser. The weakest link in this chain of theft is the customer's Windows computer, so don't use Windows.

That said, a Linux system will be vulnerable to a Man-in-the-Middle Attack. Do not connect to your bank from an embedded link in a bank email message unless you are certain that the email is authentic. If in doubt, don't use that link. Logon via the bank's main page and check your account that way. Never disclose your username, password, account numbers, or any financial information via email.

Posted by: jbmoore61 | October 13, 2009 4:47 AM | Report abuse

I've recently come across an app called Keystroke Interference that claims to foil keylogging by interposing a random stream of fake strokes before any logger can have a look. A possible aid to safe online banking, etc. ?

Posted by: CTguy | October 13, 2009 9:11 AM | Report abuse

@CTguy: Re: Keystroke Interference; I wouldn't trust such an application. Malware can capture information other than keystrokes, by hooking the SSL form submission, etc.

Not to mention that the application sounds suspicious that they would even propose such a solution to thwart malware.

Posted by: moike | October 13, 2009 10:44 AM | Report abuse

Nice article Brian.

I had to chuckle that you rule out using Apple products because spending $1300 for a computer is too expensive a fix to losing $100K or more. My mom would have called that penny-wise and pound-foolish.

Posted by: johnbusteed | October 13, 2009 10:57 AM | Report abuse

Hi moike, To my knowledge, Keystroke Interference makes no claim other than jamming keylogging. As to its bona fides, I found it reviewed at download.cnet.

Posted by: CTguy | October 13, 2009 11:37 AM | Report abuse

I'd prefer people not switch to using a Mac. The more popular it becomes the more likely a target of criminals. Keep me safe, buy and use Windows.

Posted by: kkrimmer | October 13, 2009 11:43 AM | Report abuse

I agree with Johnbusteed, that to not seriously suggest a Mac as a solution (they start at $599 for the Mini, BTW) is certainly pound-foolish.

When I think of all my friends on Windows computers I can't think of many who could seriously consider your LiveCD solution. It's a non-starter for most folks whose computer skills begin and end at right-clicking. The notion that they could burn an ISO and mount a LiveCD, especially given the challenges especially to laptop owners, is absurd.

There really is NO reason for the average person to own a Windows PC today. If their job does not specifically require the use of a PC, then buying a Windows box, even if they save a couple hundred bucks, is asking for many more hundreds of dollars of pain down the road. I know, I fix them and there is no end of pain in sight. Do yourself a favor, buy a Mac, then if you need to run Windows do it in Parallels on a Virtual Machine. It's easy and very Mac-like.

Then if your Windows install gets a virus (and it will), delete it and start over, no harm, no foul.

Macs today are essentially Intel PCs built to a higher standard and running a rock-solid OS that is virus-free. Think about that folks, Virus-Free. No Antivirus software to install or keep up-to-date and every time one of these panic alerts for Windows Viruses is announced, you can smile and keep surfing.

Posted by: joeldm | October 13, 2009 11:43 AM | Report abuse

I like the idea of using Linux, but my bank website doesn't work correctly unless I'm using IE.

Posted by: qonder | October 13, 2009 12:34 PM | Report abuse

I have no enter key, bear with me. Who would simply boot up into a live cd just to do online banking? Do you realize how inconvenient that is? Online banking is there for the sole purpose of convenience. This won't be taken in for the fact that it would take a while to boot up into a live cd and hope it has drivers to take advantage of your nic right away. As for these live cd's, seeing as this article mostly focuses on somehow infecting the live cd, they run as root. So if it were to infect a linux box, the live cd will happily open a root prompt to load that nice ntfs file system with full rights (that's right, most live cd's come with the ability to mount that windows partition with rwx). As for the virtual machines, that's a great idea. Considering these keyloggers that "work on a fundamental level" aren't going to be logging things through the virtual machine. And if it is, nothing you do is going to prevent it, because that would be a hardware keylogger. Give it a shot if you don't believe me. Again, however, this is taking time and is being an inconvenience. To battle against the man-in-the-browser attacks, run your browser in no-plugin mode inside of something like sandboxie. Takes care of worrying if you'll be infected through visiting websites (flush on close) and no plugin (or activeX controller in IE) will try and modify your payload or sniff your packets. But, again, the most fundamental attacks are where the attacker is on your network, in which case you're f*cked no matter what you do. As for this Mac guy above me, you kids can stop saying that now as 10.6, or "Snow Leopard" has a built-in scanner for two different variants of malware for macs (or adware, I don't remember as no one really cares about Macs besides the Mac zealots).

Posted by: nightsshadow | October 13, 2009 12:35 PM | Report abuse
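
Added example, not part of any comment above: richg74 says a mounted Windows partition is generally read-only in a live session, while nightsshadow says most live CDs can mount it with full rights. This shell function checks which is the case in a given session by parsing a mount table in `/proc/mounts` format; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Report hard-disk filesystems that are mounted read-write.
# Input (stdin) uses the /proc/mounts layout:
#   device mountpoint fstype options dump pass

# Filesystem types that usually hold an installed OS or its data.
# "fuseblk" is how ntfs-3g mounts show up in the mount table.
DISK_FS_TYPES="ntfs ntfs3 fuseblk vfat msdos exfat ext2 ext3 ext4"

# writable_disk_mounts < MOUNT_TABLE
# Prints "device mountpoint fstype" for every matching mount that is rw.
writable_disk_mounts() {
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in
            /dev/sr*|/dev/loop*|/dev/ram*) continue ;;  # optical, loop, ramdisk
            /dev/*) ;;                                   # real block device
            *) continue ;;                               # tmpfs, proc, sysfs...
        esac
        case " $DISK_FS_TYPES " in
            *" $fstype "*) ;;
            *) continue ;;
        esac
        # Options are comma-separated; wrap in commas to match a whole word.
        case ",$opts," in
            *,rw,*) printf '%s %s %s\n' "$dev" "$mnt" "$fstype" ;;
        esac
    done
}

# no_writable_disks < MOUNT_TABLE
# Exit status 0 when nothing on a hard disk is writable, 1 otherwise.
no_writable_disks() {
    [ -z "$(writable_disk_mounts)" ]
}

# Constructed sample table (not captured from a real machine): a live CD
# session where one NTFS partition was mounted rw, one ro, plus a USB stick.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /media/windows fuseblk rw,nosuid,nodev,allow_other,blksize=4096 0 0
/dev/sda2 /media/data ntfs ro,uid=0,gid=0 0 0
/dev/sdb1 /media/usb vfat rw,uid=999,gid=999 0 0
EOF
}

# In a live session, run:  writable_disk_mounts < /proc/mounts
# Here the constructed sample is used so the script runs anywhere.
sample_mounts | writable_disk_mounts
```

An empty result means nothing on the internal disk can be written from the live session without a separate remount step.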

Excellent column

Even the Live CD solution is imperfect - routers too are vulnerable and need to have default passwords changed and firmware updated.

Posted by: danx1000 | October 13, 2009 12:48 PM | Report abuse

joeldm :

I hope you do not believe that MAC OS is "virus free" because there is something special about its implementation. MAC OS is not "virus free" it is more like "virus ignored" because there aren't enough MACs out there (yet) to make it cost effective as a target for the bad guys.

No system is totally immune from a virus attack. Before the days of PCs, UNIX systems were the big targets. It's all a matter of what system is the most common. That is the one the bad guys attack.

Posted by: boomer5 | October 13, 2009 1:06 PM | Report abuse

For the past year I have been playing around with Ubuntu and starting to like it. But for those Windows users who are dedicated to Microsoft or just afraid to learn a new OS, how about Microsoft Windows SteadyState? From what I read, you can set up a clean machine with what you need on it and be able to protect it by activating the right tools within Windows SteadyState. There is an option within Windows SteadyState that protects the hard drive. If you have SteadyState loaded with the hard drive protection enabled, it will allow you to run your computer in a normal manner. The protection comes in when you reboot your machine, all the activity is not saved. You can permanently apply updates to any software that you have and you can have a section set aside to keep documents that you want to keep. It might be worth looking into and to take it for a test run.

Posted by: toddlane | October 13, 2009 1:10 PM | Report abuse

A live CD is simply a dedicated computer for an application. The idea of constantly rebooting from the regular operating system to the live cd operating system is not practical. A live cd is practical on a dedicated system since hardware cost are currently so low.

It always is amazing that companies and banks do not use dedicated systems for such high risk operations as transferring of money since the cost of computers today are so low.

Posted by: bsallamack | October 13, 2009 1:10 PM | Report abuse

Absolutely ridiculous and irresponsible article!

Posted by: HeatlessSun1 | October 13, 2009 1:25 PM | Report abuse

Nice article BK. I'm not certain about how a virus caught during a Live CD session wouldn't jump to the hard-drive. Are there no drivers included in the Linux Build to mount a hard-drive? Thanks

Posted by: dward__
################
A live CD contains all of the programs and files required by the operating system and the application bank program. The operating system only uses the programs on the CD. Live CD systems are slow but this would not be a problem when there is only a single application.

The programs on a live CD can not be corrupted by a virus since they can not be modified. While the operating program is running programs in memory can be corrupted but restart will restore the operating system without corrupted programs.

Think in terms of the original pc's that had no disk drives and the entire operating system was always loaded from a floppy disk.

The live Linux CD's allow the live CD to be a standalone system, but many of these live CD's allow the user to expand the system and mount from other storage. This is an option and not a requirement.

Posted by: bsallamack | October 13, 2009 2:30 PM | Report abuse

Live CD is a good solution, but is not necessary with a good network management. Even Live CDs must be combined with network level enforcement, because just telling your employees to use Live CD might not work. Use network access controls to block access to banking websites from Windows PCs, and allow access only from Live CDs.

But, how's this for a solution: Why not go one step further and secure the network with the firewall and a proxy server that only allows communication to pre-approved web sites. No personal web-browsing or email while working! That will eliminate the delivery of malware as employees can only go to sites that are needed for business. And kill floppy/USB ports too.

Do you think it's too harsh? I don't think so, as the owner of a business I would be upset if my employees picked up a virus while surfing some random websites.

There's another problem which must be addressed. The access of corp. banking websites from home. This needs to be worked out between you and your bank. Ask your bank to restrict IP address ranges to only your corp. office.

Posted by: sctrl | October 13, 2009 3:05 PM | Report abuse

So, Mr. Krebs, you're saying that grandma is savvy enough to use Linux for banking and shopping, then switching back Windows for everything else? For the type of use such a typical user might use a computer for, why isn't the Mac Mini a good, inexpensive option for her? She doesn't need a Mac Pro tower or MacBook Pro. I just don't see the average computer user (read: non-computer geek) fumbling around with Linux Live CDs. I don't think the average computer user will ever use Linux en masse, even for security reasons (it will be either Windows or Mac OS X), and that's assuming they have even heard of Linux (which they probably haven't).

Posted by: marlonhollis | October 13, 2009 3:06 PM | Report abuse

Linux is not immune from drive by attacks via browsers, but most attacks are going for Windows based systems since Windows computers are the most plentiful.
########################
This is not a question of Linux versus Windows or Apple, but rather a limited operating system with a limited application.
This approach would work if there was a Live Windows Cd or a Live Apple Cd where the operating system and application are strictly dependent upon the contents of the CD or an external memory device that can not be modified by outside sources.

When the operating system or application are dependent upon disk drives, the disk drives can be modified by hackers.

Systems that are dependent upon disk drives need to be protected by systems that check that programs or parts of the operating system stored on the disk drives have not been modified. This is done by signature checking of files. Doing this requires that the program that checks the files can not be modified and that the list of signatures indicating non modification can not be modified.

Even this is not totally safe since a hacker can introduce a program that uses a bank program by simulating a user entering keystrokes. Once the password is known the hacker program can simply start the bank program on the user's computer and send the keystrokes signals to transfer funds. The bank program has no way of knowing that it is being activated by a computer program and not a human being. The only way to prevent this type of attack is for the operating system to only allow authorized programs.

Security is difficult. Linux does have an advantage over Windows in that it is easier to develop security measures. The Registry on Windows makes the system less secure. Windows also makes it difficult to monitor and change boot start up programs. Without security measures Linux is as unsafe as Windows. Apple is using a unix type system and should be easier to make secure than Windows.

Currently only dedicated systems are secure. The idea of Live CD systems offer the opportunity of easily building secure dedicated system at very reasonable costs. A dedicated Live CD system would prevent the modification of programs and also prevent hackers from adding a program that started the dedicated application with automated keystrokes.


Posted by: bsallamack | October 13, 2009 3:18 PM | Report abuse
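
Added example, not part of the comment above: the file signature check bsallamack describes, written as a SHA-256 manifest built once from a known-good system and compared against the files later. The function names and the demo directory are constructed; as the comment notes, the manifest and the checking script only help if they are kept where the system being checked cannot write to them (for instance on the read-only disc).

```shell
#!/bin/sh
# File-integrity check: build a hash manifest, then report what changed.

# hash_file PATH -> "<64 hex chars>  PATH" (sha256sum, or shasum as fallback)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# make_manifest DIR
# Prints one hash line per regular file under DIR, paths relative to DIR,
# in a stable (byte-wise sorted) order.
make_manifest() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do hash_file "$f"; done )
}

# verify_manifest DIR MANIFEST
# Prints "MODIFIED path", "ADDED path" or "MISSING path" per discrepancy.
# Exit status is 0 when DIR matches MANIFEST exactly, 1 otherwise.
verify_manifest() {
    make_manifest "$1" | awk -v manifest="$2" '
        BEGIN {
            # Hash is columns 1-64, two separator characters, path from 67.
            while ((getline line < manifest) > 0)
                want[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            path = substr($0, 67); hash = substr($0, 1, 64)
            if (!(path in want))         { print "ADDED " path;    bad = 1 }
            else if (want[path] != hash) { print "MODIFIED " path; bad = 1 }
            seen[path] = 1
        }
        END {
            for (p in want)
                if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad + 0
        }'
}

# Demo on a constructed directory tree standing in for an installed system.
demo() {
    demo_dir=$(mktemp -d) || return 1
    mkdir -p "$demo_dir/sys/bin"
    printf 'browser v1\n'    > "$demo_dir/sys/bin/browser"
    printf 'homepage=bank\n' > "$demo_dir/sys/settings.conf"
    # Known-good baseline; in practice this file lives on read-only media.
    make_manifest "$demo_dir/sys" > "$demo_dir/manifest"
    # Simulate a program on disk being altered after the baseline was taken.
    printf 'browser v1 plus extra code\n' > "$demo_dir/sys/bin/browser"
    verify_manifest "$demo_dir/sys" "$demo_dir/manifest"
    demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo || echo "integrity check failed: see lines above"
```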

A live CD is one way true but a new company called Encryptakey.com has a usb drive preloaded with the operating system and all the standard software the common user would need such as MS office, firefox, IE, outlook, etc. You plug it in, reboot your computer and surf to your heart's content. Since the computer's hard drive is powered down and the thumb drive's OS is read only. There is no infection to your system.

Posted by: Hilbert
###################
If this is true how does the user run Office to store a document? Where are these documents stored if the usb drive is read only. I believe that Outlook also requires storage for emails.
A system like this in interacting with the internet would also require storage.
Most of the programs you mentioned require storage for preferences, etc.

Read only devices are secure but it is difficult to believe that a device can be read only and run applications that require permanent storage.

Surfing to your heart's content also would not prevent scams that do not require modifying programs. Being read only also would not prevent hackers that access programs in memory to obtain passwords.

Posted by: bsallamack | October 13, 2009 3:33 PM | Report abuse

@marlonharris -- If you read the article, I took pains to say why I was recommending these steps: For *business* users, specifically small to mid-sized businesses that can't afford to lose a million dollars in a day because of a single virus infection. As I stated, Grandma doesn't need to do this because the bank will make her whole if she gets her account cleaned out.

Posted by: BTKrebs | October 13, 2009 3:36 PM | Report abuse

an industry group supported by some of the world's largest banks -- recently issued guidelines urging businesses to carry out all online banking activities from "a stand-alone, hardened and completely locked down computer system from where regular e-mail and Web browsing is not possible."
#####################
I love Banks. First they convince their customers to use these wonderful online services and then later they warn them of the dangers of using online services.

Years ago the Ad Council in NYC used to run ads on Subways that stated "Computers will not take your job."

A few years later the Ad Council was running ads that stated "What will you do when computers take your job?"

Posted by: bsallamack | October 13, 2009 3:42 PM | Report abuse

we don't sweat because corporate runs an alternative operating system, namely eComStation (ie OS/2 v4.5.5). windows runs in virtual pc for OS/2 for the two apps that need it.

Posted by: wesco1 | October 13, 2009 3:58 PM | Report abuse

I think a lot of people here are missing the point.

@The "use a Mac" comments: Sure, switching entirely to Mac would make you less susceptible to Viruses. So would switching entirely to Linux. (And nobody has yet convinced me that Mac OSX is any easier for Windows users than Ubuntu.) Sure, $600 is a small price to pay to potentially save hundreds of thousands of dollars, but $0 is an even smaller price to pay for THE SAME LEVEL OF PROTECTION.

@The "too inconvenient" comments: As another person pointed out, computers are cheap. There is no reason you can't use a second computer to run your LiveCD and perform your secure banking.

@The virtual machine comments: Virtual machines are still running on top of the Host OS. VM's don't have direct access to the hardware, instead the Host kernel talks to the hardware and passes messages to the Virtual machines. If the keylogger hooks into the keyboard drivers on the Host system it will still record keystrokes which are being sent to the Virtual Machine.

@The "Mac are Virus-free": ...do you own Apple stock? Brian Krebs has reported on a virus targeting the Mac earlier this year.
http://voices.washingtonpost.com/securityfix/2009/04/worlds_first_mac_botnet_hardly.html
http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html

It's well-known that there are Viruses targeting Mac users (albeit far fewer than those targeting Windows) so making claims of "Virus-Free" is, in my opinion, misleading and irresponsible.

Posted by: dragonwisard | October 13, 2009 4:10 PM | Report abuse

It is unfortunate that we have to go to these lengths, but my feeling is that this is a correct approach. At least for the time being...

One thing I have used in the past to disinfect computers is a sort of live-CD called BartPE. A bootable CD that essentially runs a lightweight Windows. There are plugins for many things, including Firefox. The very same disc I have used in the past for disinfecting machines could just as easily be used for online banking.

I really wish that Microsoft had an official supported mechanism for creating a bootable CD. The BartPE tool essentially requires that you have your original Microsoft CD handy, and it takes bits and pieces from it to build the CD image.

I keep wondering whether a VM would be secure enough for online banking. I am guessing that there currently isn't any malware that knows how to infect a virtual disk, but if people started to use a VM for banking you can be sure that the bad guys would figure out how to plant viruses on the VM as well.

Posted by: jackrussell252521 | October 13, 2009 4:53 PM | Report abuse


Hmm, hadn't thought of keyloggers on the host machine. OK, VMs are definitely out.

Given how cheap netbooks are these days, it seems that one could get a netbook with Linux and use that.

Posted by: jackrussell252521 | October 13, 2009 5:06 PM | Report abuse

@dissers of Mac OS X as an alternative,

The so-called "viruses" mentioned are in reality trojan horses that folks willingly load onto their Macs. The iWork trojan was implanted in a pirated version of iWork, thus the only people who infected their computers did so by attempting to steal from Apple.

As for the myth of 'security via obscurity,' we Mac users have been hearing this for the EIGHT years OS X has been around. This is a bogus argument.

My family and I have had at least one Mac connected to the Intertubes 24 hours/day for the past fifteen years, and we've had exactly ZERO issues with malware and have done so without wasting one single CPU cycle running anti-virus software.

We rest comfortably knowing our computing experience is the safest and most secure there is...because we run Macs.

Posted by: arnoldziffel | October 13, 2009 5:11 PM | Report abuse

As far as "jumping" to an unmounted drive, all of my Windows drives are NTFS, including filers on my Linux boxes (for legacy reasons). But my Ubuntu 8.04 does not support NTFS out-of-the-box. So unless the LiveCD version does, there is no way to mount and use the drive.

Posted by: Rational4vr | October 13, 2009 5:51 PM | Report abuse

We rest comfortably knowing our computing experience is the safest and most secure there is...because we run Macs.

Posted by: arnoldziffel
#######################
From what you wrote I would not be surprised if hackers start using their ill gotten gains to start attacking Macs.

The best users to attack are those that keep their machines always on, have no protection, and are totally unconcerned about computer security on the internet because they think they are invulnerable.

Posted by: bsallamack | October 13, 2009 6:05 PM | Report abuse

What Quonder said about only IE being supported. At my credit union's on-line banking, Opera can deal with the account access, but bill paying requires IE. Damn!

Posted by: Bartolo1 | October 13, 2009 6:30 PM | Report abuse

Given how cheap netbooks are these days, it seems that one could get a netbook with Linux and use that.

Posted by: jackrussell252521
#########################
This is correct.

All that is needed is for a bank to create a Linux Live CD from a readily available Live CD. Fully legal to then modify this CD by stripping out unnecessary programs and files. Linux is nice since everything is legal.

The bank application user interface could be as simple as a console interface or even a GUI generated by Tcl/Tk. The program contacts the bank server with a specific IP number and the user provides the account number and password. As further security the bank server checks the MAC number of the PC. The user program includes the ability to "print" to a USB drive so that there can be a record of transactions. This is one-way use of the USB drive so no security risk. The Live CD system should also have the function where the user can remove the CD without causing a shutdown. Another nice feature would be that the business user would not have a fixed IP address. Always nice for security. In reality a dial up would be better than using a cable connection.

Total cost about $300 for pc usb drive that acts as "printer" and the cost of electricity.

Posted by: bsallamack | October 13, 2009 6:45 PM | Report abuse

One interesting thought.

It is not that Live CD's are so safe but rather that normal pc's whether Windows, Linux, or Apple are so unsafe when connected to the internet.

Posted by: bsallamack | October 13, 2009 6:51 PM | Report abuse

It seems I spend 25% of my PC time researching current threats and vulnerabilities, and another 25% patching them up. To Redmond: Windows is getting so annoying to use, it is almost not worth having a PC anymore. Maybe my Dad is right...standing in the teller line at the bank may not be so bad after all.

Posted by: B1nm90 | October 13, 2009 7:11 PM | Report abuse

A live CD is one way true but a new company called Encryptakey.com has a usb drive preloaded with the operating system and all the standard software the common user would need such as MS office, firefox, IE, outlook, etc.
################
A check of this company reveals that the operating system is Linux and thus is limited to Microsoft software running under Linux.

This is not revolutionary as you can build or download Linux Live on a usb drive and use it on any computer where the bios allows booting from a removable storage device.

The company has done work to prevent core programs but this will protect users from other types of internet attacks.

Posted by: bsallamack | October 13, 2009 7:12 PM | Report abuse

"I would strongly recommend looking at whatever systems you're using if you're doing electronic banking," the Gazette quotes Bernie Burns, the Arc's executive director. "And if it is a Microsoft system, perhaps looking at something different."
############################
I see there is a lot of confusion about the benefits of a Live CD.

A Live CD will not prevent a hacker from hacking into a system. Many computers are connected to the internet through cable companies where hackers will periodically go through the list of IP addresses used by the cable company. If hackers know one of a company's IP addresses they usually can find the other IP addresses used by the company.

In reality companies should not be using normal internet connection to perform money transfers or pay bills on any computer. The only safe way to perform these functions is if banks set up dedicated programs and systems that are so safe they guarantee these systems. If you are accessing your bank over the internet to transfer money in the same way you access the Washington Post you probably will lose money.

A live CD is a good idea for the banks to set up a dedicated system; it is not a method that will automatically guarantee that it is safe to use the internet to transfer money. Banks set up expensive and dedicated systems to transfer their money to other banks.

Hackers will quickly develop methods to deal with accessing the internet with a Live CD. All linux code is public domain and this makes it easy to look at the code and find weak points.

Save worry and your money and use a local bank where you can go to transfer money until banks create systems that are guaranteed to be safe to use.

A live Linux CD may be x percent safer than a normal Windows system but there is still the (100 -x) percent possibility you might lose money.

Posted by: bsallamack | October 13, 2009 7:50 PM | Report abuse

Since reading Krebs' articles (and having the %*&$ scared out of me), I have switched to exclusively using an Ubuntu LiveCD for my business account (I still use Windows for my personal bank accounts).

Is it a little bit inconvenient to reboot? Sure. Is it worth the inconvenience? Definitely. Was it hard to get set up? No, not even slightly difficult.

Getting set up with the LiveCD initially was *totally* painless. I was up and running in five minutes. Graphics, network, even sound (!) drivers worked right out of the box. I was embarrassed that I had not tried the LiveCD years earlier.

My main observation about using LiveCD's for business online banking is that CD Drives are actually kind of slow for booting up. I need to start looking for some alternative media (read-only flash RAM?) that would make the reboot faster.

Posted by: sw11231 | October 13, 2009 7:59 PM | Report abuse

I would think about using any cheap pc with a Live Linux cd as a dedicated bank box. 1: Remove all drives except an optical drive. 2: Use a din type keyboard and mouse. 3: Connect a Parallel or serial printer for printed reports of the transactions. 4: All usb ports and fw ports would be disabled. 5: Connect thru a modem or at least secure the pc from the network with a software or hardware firewall and deal with a bank which only connects to a specific mac address from the pc. 6: Hardest part: Secure a live cd that has been hardened for this pc and application and will allow only calls to the bank or banks. Also perhaps flush memory on logoff, shutdown and at a predetermined time if someone forgets to shut down. Someone else probably can add some more restrictions but the idea is to get something pretty reliable and cheap.

Posted by: junque_man | October 13, 2009 8:06 PM | Report abuse

The biggest single problem with this article is that its fundamental premise is bogus. See for example, the article "IE, Chrome, Safari duped by bogus PayPal SSL cert" at http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/

Posted by: tyronej | October 13, 2009 8:36 PM | Report abuse

@ bsallamack,

If we were using Windows, your comments would be right on the mark.

As for being somehow at risk for a malware attack, I visit trusted sites and don't install questionable software. This has taken care of us for the entire time we've been connected to the Internets.

Give Macs a try, and you never go back to 'dohs!

Posted by: arnoldziffel | October 13, 2009 10:25 PM | Report abuse

Welcome to the club Brian. Back in August, I also recommended booting to Linux for online banking

Consider Linux for Secure Online Banking
http://www.esecurityplanet.com/features/article.php/3834031/Consider-Linux-for-Secure-Online-Banking.htm

and then again argued this point last month

Crimeware gets worse - How to avoid being robbed by your PC
http://blogs.computerworld.com/14806/crimeware_gets_worse_how_to_avoid_being_robbed_by_your_pc

People can argue why Linux is safer, but whatever the reason, it is safer.

@neversaylie
Your point is well taken about man in the middle attacks that strip out the "S" from HTTPS. One thing you can do is make this more visually obvious by forcing Firefox to display a green address bar for all secure HTTPS web pages. To see how to do this see

http://blogs.computerworld.com/make_firefox_flag_secure_web_pages_as_green

@toddlane
There are problems with SteadyState. First, you can get infected with malware at 1PM, do online banking at 2PM and then reboot the computer at 3PM. Yes, at 4PM the computer is clean, but there is still a risk. Also, SteadyState is not a simple trivial thing. It has lots of options and takes some time to get up to speed on. Booting to Linux is easier, in my experience.

To the people who suggested virtual machines, let me add that they are a big deal. Complex software that makes many changes to the host/native OS. Booting Linux makes no changes to your copy of Windows. And data can leak between the host and guest OSs either by accident, mis-configuration or bugs in the VM software. Also, some malware takes screen shots of the infected computer, something that I doubt you would be protected from when running software inside a virtual machine.

Posted by: MichaelsPostingID | October 14, 2009 12:10 AM | Report abuse

The chances of infecting linux are extremely slim regardless of whether a live CD is used or not. This is because:

* Linux is modular and many parts of it can be swapped out for another or removed altogether.
* Development happens in the open. This means that developers go through extra effort to write better and more secure code since it is for everyone else to see.
* User is not logged as an administrator (or root). Thus, even if the user's browser is compromised, it will not be able to install or compromise the OS unless the user explicitly grants admin privilege.

My point is that if one uses Linux as the primary operating system and then uses Windows via a virtual machine (or Wine), they will have nearly the same protection from Malware as using a LiveCD and rebooting each time they wish to do banking.

This way, you get the best of both worlds: convenience and safety.

Posted by: neversaylie | October 14, 2009 1:44 AM | Report abuse

@arnoldziffel: I wasn't dissing the Mac. But I do think you're being foolishly optimistic about your security. The iWork trojan isn't the only known malware to affect Macs, and in today's world of "cloud computing" where users spend most of their time in the browser, exploits don't even have to be host-specific. A JavaScript or XSS attack could potentially threaten _any_ web user regardless of their OS. As Google pushes to make "the web" the new platform du jour the malware game is changing from targeting the OS to targeting the browser. And guess what, Mac's browsers aren't all that different from Windows'. Safari and Chrome both use Webkit, and even Mac users are migrating to Firefox. If your Browser is compromised the Reality Distortion Field won't save you.

I've been running Linux for more than a decade and I can make similar boasts about lack of viruses. In fact, I know I have systems that are on 24/7 because I operate a number of public servers. But just because attacks that target Linux are rare in comparison to Windows doesn't mean I don't take sensible precautions like using strict permissions, restrictive firewalls, and filesystem monitoring to make sure my systems _stay_ clean.

The thing about keyloggers is they don't want to be found. If you don't even bother to scan your systems you could be infected and not even know it. I'm sure you feel smug in your blind ignorance, but history has shown that overconfidence in one's security is one of the most dangerous security vulnerabilities.

Posted by: dragonwisard | October 14, 2009 2:02 AM | Report abuse

Using Mac, Linux, BSD (or anything with fewer in-the-wild vulnerabilities than Windows) is a smart first step. But you shouldn't stop there.

Always use layers of security to mitigate your potential risk. Recognize that there is more than one potential attack vector.

If someone had physical access, are you secure?

If someone physically stole your Mac, is your data secure?

If someone was sniffing your network, are you secure?

If they performed a man-in-the-middle attack, are you secure?

If a remote exploit was released that targets OSX, what protections do you have against getting infected? Or if infected, how secure is your data?

Posted by: dragonwisard | October 14, 2009 2:16 AM | Report abuse

Very scary but good information.
At least it looks like IBM has something in the works to prevent some of these malware attacks.
http://blogs.techrepublic.com.com/security/?p=2492

Posted by: greatsmith | October 14, 2009 3:56 PM | Report abuse

SUPERB! See my wholehearted endorsement of your idea here:

Jeff Yablon
President & CEO
Answer Guy and Virtual VIP Computer Support, Business Change Coaching and Virtual Assistant Services

Posted by: jeffyablon | October 14, 2009 5:11 PM | Report abuse

@tyronej, the article you linked to describes another winblows security issue, notice how it repeatedly claims those browsers are vulnerable because of a M$ exploit. Booting from a live CD (particularly from any OS that isn't from Redmond) *WOULD* protect you in that case as well. Was that your point?

Posted by: dalkorian | October 14, 2009 6:59 PM | Report abuse

Why not install a 2nd bootable Windows partition and use a partition manager to hide all others when you boot into it? Then only use that as a banking OS and only access bank websites from it and that's all.

Shouldn't this be fairly safe and practical for most users?

I think Windows license allows a 2nd install as long as only one is in use at a time.

I have witnessed how people in my family use a computer and how unaware they are of its risks and seen many a machine infected with malware, but this article while true is not very practical for Joe six pack and many others out there computing with a firewall that they always click allow on or not allow since they have no idea what they should do.

Posted by: jeff69 | October 15, 2009 7:56 PM | Report abuse

Or better yet, why doesn't MS allow OEMs to create a 2nd partition for a second copy of the OS that users are to only use for secure payment transactions and then maybe have it where the browser on this OS only allows certain MS approved URL domains, that is banking, paypal, ebay, etc. And have the OS be non-writable except for cookie and cache areas.

So in effect they are giving users a second OS to boot into for only their financial transactions. I know most families who would not mind the extra hassle of this if they knew how secure it was.

Posted by: jeff69 | October 15, 2009 8:01 PM | Report abuse

Seven years ago I left MS for Linux for the same reasons stated in the article. I keep MS in VBox for specialized apps, never on the Web. Users using MS are being deceived by PC manufacturers, who owe the best to their customers. True, Knoppix is the best Live CD out there.

Posted by: previso | October 16, 2009 6:34 AM | Report abuse

I think the biggest value to doing your online banking with a LiveCD is to use it READ ONLY. Meaning no links to the hard drive (mounts) and if you want some sort of storage space while in the LiveCD session, temporarily mount a USB flash drive.

For me, the whole intent here would be to boot up in read only mode with the LiveCD, go to the online banking site, login, do what needs to be done, shutdown and everything goes away.

Now I can safely go back to Windows and not worry about any possibility of being intercepted by 'bad guys' during the online banking session.

This type of surfing (LiveCD) can also be very beneficial if you need to go to a site you are not sure is trustworthy. I wouldn't do that on the same boot where I went to my online banking though. ;-)

Posted by: lilbambi | October 16, 2009 11:40 AM | Report abuse
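
The "no mounts to the hard drive" condition described in the comment above can be checked from a terminal inside the live session before logging in to the bank. The script below is an added example, not part of the original comments; the sample mount table and its device names are constructed, and the optional allow-list argument (for the temporary USB flash drive) is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: audit a live-CD session for mounted disk partitions.
# Reads a mount table in /proc/mounts format and reports every mount backed
# by a disk device, except devices explicitly allowed on the command line
# (for example the USB stick used for temporary storage).

# audit_mounts MOUNTS_FILE [ALLOWED_DEVICE ...]
# Prints one line per offending mount; returns 0 if none found, 1 otherwise.
audit_mounts() {
    mounts_file=$1
    shift
    allowed=" $* "
    flagged=0
    while read -r dev mnt fstype opts _rest; do
        case $dev in
            # The optical drive, the squashfs loop image and RAM disks are
            # what the live system itself boots and runs from.
            /dev/sr*|/dev/loop*|/dev/ram*|/dev/zram*) continue ;;
            /dev/*) ;;            # any other block device: inspect it
            *) continue ;;        # tmpfs, proc, sysfs and other virtual filesystems
        esac
        case $allowed in
            *" $dev "*) continue ;;   # explicitly permitted device
        esac
        mode=ro
        case ",$opts," in
            *,rw,*) mode=rw ;;
        esac
        echo "$dev mounted $mode on $mnt ($fstype)"
        flagged=$((flagged + 1))
    done < "$mounts_file"
    [ "$flagged" -eq 0 ]
}

# Constructed sample: a live session in which the desktop auto-mounted the
# internal Windows partition (sda1) and a data partition (sda2).
sample_mounts() {
    cat <<'EOF'
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 /media/windows fuseblk rw,nosuid,nodev,relatime 0 0
/dev/sda2 /mnt/data ext3 ro,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0
EOF
}

# Demo on the constructed table; in a real session pass /proc/mounts instead.
demo_file=$(mktemp)
sample_mounts > "$demo_file"
audit_mounts "$demo_file" /dev/sdb1 || echo "Disk partitions are mounted: unmount them before banking."
rm -f "$demo_file"
```

A read-only mount is still reported, since the comment's condition is no link to the hard drive at all; the `rw` marker only shows which mounts would also let the session write to the installed system.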

BTW: I linked to your article over at the new Technorati user generated content here Brian:

http://technorati.com/technology/article/how-to-be-safer-while-banking/

Yours is an outstanding article and I thought it was very important!

Posted by: lilbambi | October 16, 2009 11:44 AM | Report abuse

Many thanks and much appreciation to BTK for bringing the security issues with banking online to our attention. Although much of the concern is directed at businesses, I think individual users could benefit from backing away from Windows for financial transactions.

Per suggestions from BTK and after doing the usual online research romp, I decided to make a Live CD for the Puppy Linux 4.3 operating system. I use Windows XP Media on a Toshiba laptop with 2G ram with the Verizon Fios wireless network. I had no previous experience with linux at all. I wouldn't recognize a linux kernel if it presented me with a winning lottery ticket!

BTK said that Live CD was a dicier venture for laptops than for desktops. I haven't yet found a way for Puppy to recognize my wireless network or my wireless printer. So, I run the Live CD with my computer wired to my router and my printer connected to my computer. The included Seamonkey web browser is reminiscent of firefox and the firewall is very easy to configure. In my opinion, running Puppy Linux via Live CD gives such peace of mind, that the slight inconvenience of switching operating systems just doesn't matter. It is so cool that I can check my finances via linux, pop out the cd, and get right back to Windows for everything else.

That said, a heads up: for some reason the oft-recommended free Burncdcc program for burning the necessary iso image onto cd, did not work for me. Another free recommended program, CDBurner XP, worked much better and is even compatible with Windows 7.

Also, for true linux newbies (like me) the best "get up and running" tutorial (IMHO) is from Alex Gotev, available on puppylinux.org. Other tutorials and manuals were not especially helpful, or sometimes, downright confusing.

Posted by: kadenmor | October 16, 2009 8:22 PM | Report abuse

Lively discussion among geeks here, but it would be interesting to hear from the target audience - business users. I think the article could be very useful in convincing them to try out this method - that is probably the hard part, they would probably have someone around capable of burning a CD (or running a script to put the distro onto a USB key).

Posted by: nl01 | October 17, 2009 1:22 AM | Report abuse

Any ideas on the security of using ASUS' "Express Gate"? This is basically a mini-OS on the BIOS. It does save some stuff to the hard drive, but not likely in anywhere that people would look.

Posted by: nookane | October 19, 2009 6:38 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company