E-Banking on a Locked Down (Non-Microsoft) PC

In past Live Online chats and blog posts, I've mentioned an easy way to temporarily convert a Windows PC into a Linux-based computer in order to ensure that your online banking credentials positively can't be swiped by password-stealing malicious software. What follows is a brief tutorial on how to do that with Ubuntu, one of the more popular bootable Linux installations.

Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-ROM or DVD. The beauty of Live CDs is that they can be used to turn a Windows-based PC into a provisional Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes -- such as browsing history or other activity -- are completely wiped away after the machine is shut down. To return to Windows, simply remove the CD from the drive and reboot.

More importantly, malware that is built to steal data from Windows-based systems simply won't load or work when the user is booting from a LiveCD. Even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, the malware can't capture the victim's banking credentials if that user only transmits his user name and password after booting up into one of these Live CDs.

There are dozens -- if not hundreds -- of these LiveCD distributions, each with its own flavor or focus: Some try to be as small or lightweight as possible, others -- like Backtrack -- focus on offering some of the best open source hacking and security tools available. For this project, however, I'm showcasing Ubuntu because it is relatively easy to use and appears to play nicely with a broad range of computer hardware.

A few words of advice before you proceed with this project:

- LiveCDs are easiest to use on desktop PCs. Loading a LiveCD on a laptop sometimes works fine, but often it's a bit of a hassle to get it to boot up or network properly, requiring the use of cryptic "cheat codes" and a lot of trial and error, in my experience.

- If you do decide to try this on a laptop, I'd urge you to plug the notebook into a router via a networking cable, as opposed to trying to access the Web with the LiveCD using a wireless connection. Networking a laptop on a wireless connection while using a LiveCD distribution may be relatively painless if you are not on an encrypted (WEP or WPA/WPA2) wireless network, but attempting to do this on an encrypted network is not for the Linux newbie.

- I conceived this tutorial as a way to help business owners feel safer about banking online, given the ability of many malware strains to evade standard security tools, such as desktop anti-virus software. Consumers who have their online bank account cleaned out because of a keystroke-sniffing Trojan usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Not so for businesses, which generally are responsible for any such losses. I'm not saying it's impossible to bank online securely with a Windows PC: This advice is aimed at those who would rather not leave anything to chance.

- The steps described below may sound like a lot of work, but most of what I'll describe only has to be done once, and from then on you can quickly boot into your Ubuntu Live CD whenever you need to.

With that, let's move on. To grab this package, visit the Ubuntu site, pick the nearest download location, and download the file when prompted (the file name should end in ".iso"). Go make a sandwich, or water your plants or something. This may take a while, depending on your Internet connection speed.

After you've downloaded the file, burn the image to CD-ROM or DVD. If you don't know how to burn an image file to CD or don't know whether you have a program to do so, download something like Ashampoo Burning Studio Free. Once you've installed it, start the program and select "create/burn disc images." Locate the .iso file you just downloaded, and follow the prompts to burn the image to the disc.

When the burn is complete, just keep the disc in the drive. We next need to make sure that the computer knows to look to the CD drive first for a bootable operating system before it checks the hard drive, otherwise this LiveCD will never be recognized by the computer. When you start up your PC, take note of the text that flashes on the screen, and look for something that says "Press [some key] to enter setup" or "Press [some key] to enter startup." Usually, the key you want will be F2, or the Delete or Escape (Esc) key.

When you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse will not work here, so you'll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu named "Boot". Hit the "right arrow" key until you've reached that screen listing your bootable devices. What you want to do here is move the CD-ROM/DVD drive to the top of the list. Do this by pressing the down-arrow key until the CD-ROM option is highlighted, and then press the "+" key on your keyboard until the CD-ROM option is at the top. Then hit the F10 key, and confirm "yes" when asked if you want to save changes and exit, and the computer should reboot. If you've done this step correctly, the computer should detect the CD image you just burned as a bootable operating system. [Unless you know what you're doing here, it's important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit F10, and select the option "Exit without saving changes." The computer will reboot, and you can try this step again.]

[Screenshot: ubunt1.JPG]

When you first boot into the Ubuntu CD, it will ask you to select your language. On the next screen, you'll notice that the default option -- "Try Ubuntu without any change to your computer" -- is already selected. Hit the "return" or "enter" key on your keyboard to proceed safely.

[Screenshot: unbunt2.JPG]

The CD will probably spin for a few minutes while the operating system figures out all the drivers it will need to load to support the hardware on your computer. Eventually, it should load up a graphical desktop environment similar to the one pictured in the screen shot below.

[Screenshot: ubuntubofa.JPG]

From here, you should be able to just click on the Firefox icon, and when the browser pops up, enter the address of your bank's site and log on.

Note that depending on where you live, the Ubuntu installation may not accurately detect your time zone (when I booted up Ubuntu to take these screen shots, the Ubuntu desktop was four hours ahead of my actual time zone). I mention this because some banks will detect the discrepancy based upon your Internet address, which gives fairly accurate information about which part of the country you are in when you log in. If you find that after passing your credentials to your bank you are asked for additional verification details, it may be because the system clock is not correct. To fix this, simply right-click on the time as displayed in the upper portion of the screen, and select "Adjust Date and Time." Your changes will remain in effect until you shut down or log off the LiveCD session.

[Screenshot: ubuntime.JPG]

When you're done using the Live CD, you can safely power down the machine, or reboot and eject the CD immediately if you want to return to Windows.

By Brian Krebs  |  October 12, 2009; 1:59 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Small Business Victims  | Tags: live cd, online banking, ubuntu  

Comments

One thing that some may not expect is that they don't actually know the web address of their banking site (especially if you have a few to check), as they may use bookmarks to get them there. So you might want to write those down on paper before you load up a live CD.

Posted by: josef2 | October 12, 2009 3:17 PM

An easy way to get your bookmarks from one computer to another is to send them to yourself on a webmail account, or store them in an online (private!) doc. You can also use services like delicious to maintain a portable list of bookmarks.

Posted by: mrklingon | October 12, 2009 3:37 PM

Some banks still need a username and password, you would have to write them down to insert them when needed. Now, be careful with those papers where the username & passwords are written down. I suggest having a USB only for this purpose (store this info) and keep it safe or even better, divide the password in two: one that is easy to remember and one that is kept inside the USB; if USB is stolen, no problem.

Posted by: FaustoCG | October 12, 2009 5:22 PM

Do the same caveats about Windows and key loggers apply if one only downloads banking data through Quicken (and thus not through a Windows-based web browser)? The passwords for financial institutions are stored in a password vault in Quicken and are not keyed in when accessing data from said institutions.

Posted by: dilerman | October 12, 2009 6:08 PM

If your PC can be booted off a USB disk (in which case USB will be listed in the BIOS screen), it is also possible to put the Live Linux distribution on a USB stick, eliminating the need for a CD.

Most distributions have an option to create a bootable USB drive. The advantage is that it is faster and it's usually possible to also create a home directory on the drive, so that things like bookmarks and wireless configuration parameters can be stored (in fact, it can be argued that this feature works too well because you're not starting with a clean slate, but you're still running Linux).

Posted by: nl01 | October 12, 2009 7:06 PM

There is one huge problem, though: many bank and credit card Web sites require a cookie the first time an individual computer logs on. If cookies are not enabled on the CD, this will prevent a user from logging in at all; if the CD somehow stores its session cookies in RAM, it will lose them after each reboot.

Even with that caveat, this is an important idea... it's too bad most PC owners are too helpless (or perhaps too complacent and incautious) to go through this relatively minor trouble.

Microsoft should offer Windows 7 on a bootable CD- or DVD-ROM... hey, wait, the Windows 7 OPK just came out today. I wonder if I can create a custom Windows PE DVD that runs Firefox?

Posted by: williehorton | October 12, 2009 8:53 PM

This is a great service to retail, business, and government bank account owners. Those who implement it will be safe, so it should be viewed as a form of cheap insurance to avoid financial losses. As commented above, a lot of people will fail to implement it through ignorance, inconvenience, or laziness. An alternative is to take an old or decommissioned system and install Ubuntu on that system and mandate that only that computer be used for online banking transactions. Adding

127.0.0.1 www.yourbank'sname.com

to the Windows host file on all Windows computers will ensure that no Windows computer is used for browser based online banking transactions.

For those who think that Linux is too complex or friendly enough, they should buy an Apple computer. Macs should support Quicken and other Intuit software. Linux users would need WINE (Crossover Office is one commercial spinoff of WINE) to install Quicken software. However, if WINE is installed, some of the protection Linux offers is lost since Windows malware may be able to run on Linux via WINE, though the possibility is rather low.

Posted by: jbmoore61 | October 13, 2009 4:12 AM

Hey, that's good advice.
Just a little something that could make this process easier in the long-run is to install ubuntu on a dedicated USB key, as described in www.pendrivelinux.com. This way, booting will be fast and information may be stored on the USB operating system.

Posted by: azuelosn | October 13, 2009 8:40 AM

All the comments so far are great ancillary tips or guidance, but the real thanks goes to Brian Krebs for taking the time and trouble to make this as simple as possible. Way to go, BK! Another stroke (and he has several to his credit) to make the online experience as safe as possible!

Posted by: peterpallesen | October 13, 2009 8:47 AM

@williehorton
You're right, banking (or any other transaction-oriented) sites are very likely to require cookies, since HTTP itself is a stateless protocol. So the user *may* need to enable cookies after booting from the Live CD, depending on the default settings for the browser.

The Live CDs work by creating a small RAM disk to hold (among other things) the user's home directory, where the cookie file is generally stored. So cookies will disappear when the machine is rebooted -- but that, I think, is just what you want. It prevents you from accidentally forgetting to log out.

Posted by: richg74 | October 13, 2009 12:07 PM

I have long used the Debian distribution of Linux. Four or five years ago, my banks adopted new policies that, in their words "are optimized for Windows XP". I have tried, without success, to find a full service bank near me that does not have this insecure policy.

Posted by: bobhilliard | October 13, 2009 12:10 PM

Brian, thanks for posting this. I encourage people I know to use Linux for PC banking and other sensitive applications, and articles like this are a great help.

A couple of other quick suggestions:
-- The use of USB keys for booting has been mentioned, and that can be a good alternative. Even if your PC won't boot from a USB key, most Live CDs will allow you to mount (access) a USB key if you want to be able to save a file, for example.
-- Besides the mainline Ubuntu Live CD that Brian describes, there are two "official" variants. Kubuntu uses the KDE desktop environment, which some may find more congenial than the GNOME desktop that is used in core Ubuntu. Xubuntu uses the Xfce desktop, which is much less resource-hungry than either GNOME or KDE, and may breathe unexpected new life into older PCs.

Download / info links:
Kubuntu: http://www.kubuntu.org/
Xubuntu: http://www.xubuntu.org/

Both the variants use the same core OS, and can draw from the same pool of applications.

Rich Gibbs

Posted by: richg74 | October 13, 2009 12:17 PM

The live cd is fun to get a good quick feel for Linux Ubuntu but if you really want to experience it you need to dual boot your system. After a few months you'll be amazed at how little you use Windows anymore. After six months you'll probably be looking at saving disk space by nuking Windows right out of your computer!

Posted by: johnupnorth | October 13, 2009 1:54 PM

Brian,
thanks for the write-up.

I have a few questions,

1) the ubuntu disk is a 700 MB monster, how well will this work on a win XP machine with 500MB ram?

2) Is this session running as the root superuser?

3) Is there a way to "lock down" the hard disk? The only flaw I see in this method is that the live OS as root has the power to modify the contents of the hard disk,

Including the master boot record.


Short of unplugging the hard disk from the motherboard (as recommended by the puppy linux support boards) there has got to be a way to keep someone from jamming a WINDOWS-based root kit in the MBR during the live linux session that then compromises the installed windows OS.

Otherwise this is the safest but not completely safe way to proceed.

Keep up the good work.


Tulsa, OK

Posted by: noaccount | October 13, 2009 2:08 PM

@noaccount
I hope Brian will forgive me for jumping in. To address your questions:

1. It will work fine. The CD includes not only the OS, but also applications, a raft of device drivers, configuration files, documentation, etc. I have booted and run a Ubuntu live CD on a 384 MB PC without problems.

2. It does NOT run as root, and in fact, the root account has no password on the live CD, so you cannot log in as root. You must use the 'sudo(8)' command to execute anything that requires root access.

3. By default, existing hard disk partitions, and the raw disk device, are only accessible read-only. In order to re-mount them read-write, the malware would have to execute a 'sudo mount ...' command, which would require entry of your password.

Although I think that the Puppy folks are probably correct that the only absolutely safe protection is an air gap, I think you're reasonably safe with the Live CD approach Brian has suggested.

Posted by: richg74 | October 13, 2009 2:41 PM
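
A way to check, from inside the live session, how internal hard-disk partitions are actually mounted, which is the question raised in the exchange above. This is an added example, not part of the original post or comments; the function name `writable_disk_mounts` and the sample mount table are constructed for illustration, and skipping `/cdrom` assumes the live boot medium is mounted there. It inspects mounted filesystems only and says nothing about writes to the raw disk device.

```shell
#!/bin/sh
# Added example: flag hard-disk partitions that are mounted read-write.
# In a live session, call writable_disk_mounts with no argument to read
# /proc/mounts; pass a file path to inspect a saved copy instead.

# Constructed sample in /proc/mounts format (device, mount point,
# filesystem type, options, dump, pass). Not captured from a real system.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /media/disk fuseblk rw,nosuid,nodev,allow_other 0 0
/dev/sda2 /media/data ext3 ro,relatime 0 0'

# writable_disk_mounts [FILE]
# Prints "device mountpoint fstype" for every disk partition mounted
# read-write. Returns 1 if at least one was found, 0 if none.
writable_disk_mounts() {
    local table="${1:-/proc/mounts}" dev mnt fstype opts rest found=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in
            # Loop images, optical drives and RAM disks are part of the
            # live environment itself, not the installed hard disk.
            /dev/loop*|/dev/sr*|/dev/scd*|/dev/ram*) continue ;;
            /dev/*) ;;          # a real block device: keep checking
            *) continue ;;      # tmpfs, proc, rootfs and similar
        esac
        # Assumption: the boot medium (CD or USB stick) sits at /cdrom.
        [ "$mnt" = "/cdrom" ] && continue
        # Options are comma-separated; match "rw" as a whole option.
        case ",$opts," in
            *,rw,*)
                printf '%s %s %s\n' "$dev" "$mnt" "$fstype"
                found=1
                ;;
        esac
    done < "$table"
    return "$found"
}
```

An empty result with exit status 0 means no hard-disk partition is currently writable through a mount; any line printed names a partition that software in the session could modify without remounting it.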

Does Ubuntu support IE? My credit union right now only supports IE for bill pay.

Posted by: Bartolo1 | October 13, 2009 7:39 PM

I just wanted to add, that if you don't have a CD or DVD burner, you can order various Linux distributions (including Ubuntu) from various vendors. I've used on-disk.com. It costs just a few dollars and they deliver the DVD in a few days.

Posted by: diotima2 | October 13, 2009 9:16 PM

@noaccount: you asked...

1) the ubuntu disk is a 700 MB monster, how well will this work on a win XP machine with 500MB ram?

--

it doesn't quite work like that. the main bottleneck on most linux Live CDs is the fact that CDs aren't the fastest media out there, and there's a lot going on from the CD when you're running an operating system off of it. the OS only uses a fraction of what's on the CD at any time, and the physical RAM on your system is mainly used as swap space -- that is, as a place for temporary filesystems, processes, etc.

Most linux Live distros will run just fine on 512mb of RAM, though increasing the amount of physical RAM probably will give you increased performance with a Live CD, to a degree.

---

2) Is this session running as the root superuser?

---

someone *please* correct me if I am wrong, but I believe Ubuntu by default does not run applications as root or superuser. "sudo" is usually the command you need to issue at the command line if you want an application or script to run under root/superuser privileges.

---

3) Is there a way to "lock down" the hard disk? The only flaw I see in this method is that the live OS as root has the power to modify the contents of the hard disk,

Including the master boot record.


Short of unplugging the hard disk from the motherboard (as recommended by the puppy linux support boards) there has got to be a way to keep someone from jamming a WINDOWS-based root kit in the MBR during the live linux session that then compromises the installed windows OS.

Otherwise this is the safest but not completely safe way to proceed.

---

no disrespect intended, but i think at some point one has to disconnect the electrodes from one's tin-foil hats. the majority of the cyber crime today is perpetrated at the least protected; but more importantly, it is mostly automated.

in the case of the attacks against the businesses i've described over and over again these past few months, the attacks were automated up to the point where the crooks discovered they had a "live one," someone at a business whose machine had been compromised. only then did the fraudsters take an interest.

it's hard to argue with the notion put forth by several readers here that it's theoretically possible to hack a user who's browsing their bank's site with a Live CD, but as I said in my Live Online chat last week, I think the average person using a Live CD to access their bank accounts has a better chance of getting hit by lightning than getting hit by malware that will steal their banking credentials through the browser.

Posted by: BTKrebs | October 13, 2009 11:32 PM

Ubuntu is roughly the slowest booting live CD out there. Others are much faster. Puppy Linux is a great one and includes Firefox 3.5.* Also, if your computer is fairly new (newer than about 2002), it is likely to boot from USB. Booting from a live USB is usually much faster than a live CD.

Posted by: neversaylie | October 14, 2009 12:18 AM

I have also used on-disk.com, but I got a copy of Linux pre-installed on an SD memory card which I can use with many different laptops. Their prices for SD cards and USB flash drives are higher than for DVDs, but netbooks and other laptops don't have optical drives. And, CDs are just so slooooow.

Brian's comment about "disconnect the electrodes from one's tin-foil hats" is right. There may be some obscure way to impact the hard drive from a bootable copy of Linux, but the point is that it makes you HUGELY safer than any copy of Windows. In my opinion, it makes you safer than Mac users too.

Without question, a bootable copy of Linux is the best combination of safety, ease of use and price.

Posted by: MichaelsPostingID | October 14, 2009 12:56 AM

Rules for fraud at Chase bank:

Re: "Consumers who have their online bank account cleaned out because of a keystroke-sniffing Trojan usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud)."

The rule at Chase bank is 2 days, not 10. See

https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/individuals/online_services/page/online_guarantee

which says consumers are protected "100% of any unauthorized online use of your consumer deposit account if you tell us within two days of your discovery of the usage."

But underneath that are more rules. If you don't logout of their website, you are responsible for fraud. Likewise, if you are "negligent handling of your User ID and Password" you could end up broke.

Posted by: MichaelsPostingID | October 14, 2009 1:01 AM

This is from a reader named Shannon who had trouble posting this comment:

Actually this might not be that hard to setup....

You could easily install the free VirtualBox in Windows: http://www.virtualbox.org/wiki/Downloads

Then simply have the financial people do a fresh bootup to an Ubuntu Live CD in the Virtual Box (could just point to the .iso file, no cd needed) - for when they need to process something on a banking site. Then each time they're finished - shut down the live cd instance and next time start anew.

Posted by: BTKrebs | October 14, 2009 11:08 AM

Much as I love VirtualBox, if you've got a keylogger installed on your windows based machine, then running ubuntu inside virtual box won't help you, since the keylogger will still be able to capture passwords, etc.

Posted by: unawino | October 14, 2009 11:38 AM

@unawino -- you're absolutely correct. i stated as much in the other blog post that went with this tutorial, in response to a reader there who also proposed a virtual machine on top of Windows

Posted by: BTKrebs | October 14, 2009 12:14 PM

Great article Brian, Thank You!

What a great way to expose the uninitiated to Linux
in a constructive manner.

Posted by: rufus7 | October 14, 2009 12:25 PM

Brian,
again thanks for the work.

No disrespect taken from your response, In fact I'm happy to say I am a fan of your work AND will continue to recommend your column to people that might benefit.

The comment section contains a very good signal to noise ratio that I find helpful.


For example,


@Richg74, thanks for the explanation.

Am I correct in interpreting your answer to mean that a person browsing as a regular user on an installed Ubuntu system has about the same level of protection?

In other words, if I have an up-to-date installed ubuntu system, is there any reason to go live when banking?

final observation,
I am positive that many at MS headquarters view linux and mac users as a tin foil brigade.

I ain't ashamed to be in the BK brigade

Posted by: noaccount | October 14, 2009 3:02 PM

Puppy Linux is the only live linux OS
that you can boot and then reburn your saved settings and back to the original boot cd or dvd.
Unique to Puppy....multisession.

When you boot Puppy you then can take the cd out...because you are running in memory.
Amazing speed.

The burning program we recommend
for Windows users is BurnCDCC.
free...small and fast.
Burn no higher than 32 speed.

I will post no links as they are probably not allowed.

But if you search cthisbear whirlpool
you should find How to use Puppy posts.
Especially How to Rescue Windows.

Official Puppy releases are now 105 megs
of goodies. A big bang for no bucks.

Chris.

Posted by: cthisbear | October 14, 2009 6:05 PM

4 hours, eh? It's probably showing your system time, which is usually set to UTC.

Posted by: macoafi | October 14, 2009 11:16 PM

@noaccount (BTW, you're most welcome!)
"In other words, if I have a up-to-date installed ubuntu system, is there any reason to go live when banking?"

Well, I use Ubuntu all the time on both my laptop and desktop machines, which I also use for banking. So I think there's not any huge advantage to "go live" if you already have a well-configured Linux setup on a machine you trust.

What I mean by that last comment is that part of your security is related to the physical security of your machine. Any experienced hacker or sysadmin will tell you that physical access usually trumps ordinary security. So I think my machines in my office are OK, but I would not ever do banking on a public PC. And if you're concerned about snooping, one advantage of "going live" is that, generally, the record of your session disappears when you reboot (since it only existed on a RAM disk).

I have set up banking systems for a few people; generally, I think the most secure solution is a dedicated PC running a slimmed-down Linux distro with *only* the required software installed. But that's probably overkill in many cases.

Posted by: richg74 | October 16, 2009 3:54 PM

The comments to this entry are closed.

 
 