Knoppix Used in Internet Banking Solution
renai42 writes "Australian company Cybersource says it's currently talking to two domestic banks about providing Knoppix-based bootable CDs to consumers to ensure Internet banking security. The company says at least one bank will probably use the CDs in at least one sector of its operations. Cybersource envisages that banks will re-brand its product and provide the CDs alongside other marketing material."
To surf with Knoppix you have to be using a cable/DSL Ethernet modem or router, or have a supported dial-up modem and the ability to configure it.
I suppose this is geared to internet cafe use? In which case you have to hope the network's set up in a way that doesn't require password authentication...
Nevertheless, a great idea and I hope it works
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Sounds like an interesting challenge certainly, but let me guess the bank's thinking behind this move..
If you use their traditional online banking service from a PC not booted using their CD, and subsequently get defrauded somehow, this will enable them to say "Ahhh.. but you weren't using our special software!", and ignore your complaint.
How.. nice.
http://twitter.com/onion2k
In NZ they barely even attempt to inform their customers about security. It's quite sad here.
It's hard to strive for greatness when surrounded by the mediocre.
until the network administrators find a serious vulnerability and have to burn/press about 35602638023862 new CDs to patch it.
I can hardly keep track of an ATM card, now you're expecting me to carry around a big honking CD all the time?
Pass
when the bank customer takes this CD home and boots it on their OEM PC with the WinModem they won't be able to get online (at least it will be secure that way)...
Politics is Treachery, Religion is Brainwashing
There won't be key-loggers, virus-infested OSes, ActiveX, IE, blah, blah, blah. At least this is a step in the right direction.
...says... it's talking... one bank will probably use... envisages...
and from TFA: Banks eye bootable Linux CDs
wake me up when something happens, ok?
A step in the right direction.
But it seems odd to me that if someone wants a one-trick secure browser solution, he'd use anything other than OpenBSD.
If you sit down and do the analysis (without regard to "religion" or fashion), and say, "I only need a secure browser," you'll likely pick a BSD and it will likely be either NetBSD (hw support) or OpenBSD (security).
I did a similar analysis, and came to this conclusion, after attempting to dispassionately evaluate the options.
http://www.thebricktestament.com/the_law/when_to_
Boot from a tiny partition of Linux on a CC-sized CD. Give it dual use and let all customers have it available.
The other security features on the credit card could be put onto the CD to ensure authenticity.
liqbase
This sounds like a great idea, provided that the Knoppix CD can be made user-friendly enough to figure out how to boot up.
... reminds you of the Apple II days, where you had to boot half of the operating system off a floppy every time you turned on the computer.
There's really no surefire way to ensure that a user's harddrive-installed OS is secure for banking. Considering the staggering variety of adware/spyware/viruses on machines today, it must be quite easy for a malicious malware creator to make a program that hijacks name resolution (change DNS servers, or the HOSTS file) for perfect phishing, or they could install a keystroke logger, or whatever else. If they got their bank-website-hijacking malware on machines in whatever way all today's adware stuff gets on, they could easily phish thousands of bank transactions every day.
The prevalence of malware seems to indicate that people can't control or trust the programs on their own hard drives. If that's the case, they can't trust any of their online interactions. Since Knoppix kills your harddrive and all its flexibility, it's much more secure.
What would be funny is if more and more institutions started demanding the use of bootable OSes. Our PCs would be reduced to a BIOS, monitor, and keyboard
-Brendan
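The post above describes malware hijacking name resolution through the HOSTS file so that the bank's hostname resolves to a phishing server. As an added example (not code from the original thread), here is a small check that parses hosts-file content and flags monitored bank hostnames mapped outside the address ranges the bank is known to use. The hostnames, address ranges and the sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that redirect monitored bank hostnames.

Added example: the hostnames, 'known-good' ranges and the sample hosts file
below are constructed for illustration, not real bank data.
"""
import ipaddress

# Hostnames we care about and the ranges the bank is known to use (assumed).
MONITORED = {
    "online.examplebank.com": ["203.0.113.0/24"],
    "www.examplebank.com": ["203.0.113.0/24"],
}

# Constructed hosts file: localhost lines, one hijack line, one unrelated entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# added by installer
198.51.100.7  online.examplebank.com www.examplebank.com
203.0.113.10  mail.examplebank.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; a stricter tool might flag this too
        for host in parts[1:]:
            yield ip, host.lower()


def find_hijacks(text, monitored=MONITORED):
    """Return [(hostname, ip)] for monitored names mapped outside their expected ranges."""
    hits = []
    for ip, host in parse_hosts(text):
        if host not in monitored:
            continue
        allowed = [ipaddress.ip_network(n) for n in monitored[host]]
        if not any(ip in net for net in allowed):
            hits.append((host, str(ip)))
    return hits


if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"possible hijack: {host} -> {ip}")
```

This only covers the HOSTS-file variant the post mentions; malware that changes the configured DNS servers instead leaves the hosts file clean, so a practitioner would pair this with a check of the resolver configuration.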
If the only browser on this CD was text based it would be funny to see how people would cope.
CDs can be as small as your credit card, besides being much more secure.
But wait, how will one patch the CDs in case any security holes are found? Rewritable CDs won't help either...
Public Service announcement:
All ATMs will now dispense Kash the new qt improved version of cash.
This is good if it takes off. It should encourage banks to make their online systems Mozilla friendly. My bank supports it to some extent but most of the "advanced" features rely on IE5.5+
When I say "advanced", I mean checking standing orders, direct debits, paying bills, ordering cheque books, everything other than 'your balance is..'
Andrew
If implemented properly, this would be a great thing. Assuming they can get around the wide range of hardware people use, without requiring much technological knowledge from the user, this is a much more secure way than windows. Keep in mind that the same people who are infected with 1000x spyware programs and don't seem to care are the same kind of people who have little idea how a computer works. This would have to be as user-friendly as possible to not scare off users or prevent people from using it. I bet this fails, but someone else takes the idea and makes a better version of it and it will take off. Does the average user know how to boot from a CD?
Even if this article is a bit dated, it's very relevant. I find it interesting because he talks some about the economics behind managing risks like those cited.
http://www.sims.berkeley.edu/~hal/people/hal/NYTimes/2000-06-01.html
Dr. Varian's writings are in general quite interesting. He is quite able in his discussions of economics for people without a background in the field, like myself.
http://www.welton.it/davidw/
Complete with full source code and build instructions.
SELINUX extensions, too, if they can manage it.
The bank is in the business of banking. Frauds against them or their customers get in the way of the business. Anything they can do to reduce losses and increase customer confidence should be goodness.
GPL is on their side, and should make it cheap and effective.
Hopefully nobody will force the customers to use it. Just provide it as an option.
Pile of Linux-for-Windows ISOs ... mostly Knoppix derivatives ... here http://home.btconnect.com/chrisandcarolyn/torrents/
Do things like http://home.btconnect.com/chrisandcarolyn/knoppix38-for-windows.png
Let you use the WinModem. But subject you to the Windows keystroke loggers. What you win on the swings, you lose on the roundabouts. Oh well.
Hi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works the following:
(Almost all) The banks over here use a kind of calculator device. You insert your pass into it. Your normal pass you use for withdrawal from ATMs....
You type in your PIN code and hit 'OK'. On the website of the bank you have to type 2 things. Your account number and the key generated after you hit 'OK' on the device. This key is different every X seconds (I don't know the interval).
This matches with the interval the bank has running. This combination of pass ID, PIN code, account number and the interval is key to have access. You need all of them to get in.
The websites session times out after about 2 minutes when there is no action anymore.
If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.
If the amount to transfer is higher than X, you have to process 2 numbers on the device and submit the generated numbers on the website.
This is all done on HTTPS and works with most browsers.
I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....
The device is small, portable and lightweight. Internet cafés, at the office, at HotSpots, anywhere you can use 'safe' banking this way. As long as the bank's website is online and within reach (no stupid proxies or whatever).
Just my view on banking online....
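The post above describes two separate device steps: a login code that changes every interval, and a challenge/response for each transfer (the site shows a number, the user keys it into the device, the device's answer is typed back). As an added example, not the bank's or the device vendor's code, here is a model of that exchange. The real device's algorithm is not given in the post; using HMAC-SHA256 over a per-card secret, a 60-second interval, 8-digit codes and a one-interval clock-skew allowance are all assumptions made for this illustration.

```python
"""Model of the login-code + transfer-challenge token scheme described above.

Added example. The device's real algorithm is not published in the thread;
HMAC-SHA256 over a shared per-card secret, INTERVAL, DIGITS and the skew
window are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import struct

INTERVAL = 60            # seconds a login code stays valid (assumed)
DIGITS = 8               # length of codes shown on the device (assumed)
SECRET = bytes(range(32))  # constructed per-card secret for the demo


def _code(secret, msg):
    """Truncate an HMAC to a DIGITS-digit decimal code (assumed construction)."""
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % (10 ** DIGITS)


def login_code(secret, now, interval=INTERVAL):
    """What the device shows after PIN + OK: a code tied to the current interval."""
    counter = int(now // interval)
    return _code(secret, b"login" + struct.pack(">Q", counter))


def verify_login(secret, code, now, interval=INTERVAL, skew=1):
    """Bank side: accept the current interval and +/- skew intervals for clock drift."""
    counter = int(now // interval)
    return any(
        hmac.compare_digest(str(_code(secret, b"login" + struct.pack(">Q", c))), str(code))
        for c in range(counter - skew, counter + skew + 1)
    )


def transfer_challenge():
    """Number the bank shows on the transfer page; the user keys it into the device."""
    return secrets.randbelow(10 ** DIGITS)


def transfer_response(secret, challenge):
    """Device output for one challenge; the user types this into the website."""
    return _code(secret, b"xfer" + struct.pack(">Q", challenge))


def verify_transfer(secret, challenge, response):
    """Bank side: the response is only valid for the challenge it was issued for."""
    return hmac.compare_digest(str(transfer_response(secret, challenge)), str(response))


if __name__ == "__main__":
    now = 1_000_020
    code = login_code(SECRET, now)
    print("login code accepted:", verify_login(SECRET, code, now))
    ch = transfer_challenge()
    resp = transfer_response(SECRET, ch)
    print("transfer accepted:", verify_transfer(SECRET, ch, resp))
    print("same response on a new challenge:", verify_transfer(SECRET, transfer_challenge(), resp))
```

The property the poster is relying on falls out of the model: a keystroke logger that captures a login code or a transfer response gets a value that is only good for one interval or one challenge. One caveat a practitioner would add: in this model the challenge is a random nonce, so the response is bound to a session step but not to the amount or destination; the post does not say what the real device's challenge encodes.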
Dear CitiKnoppix Customer,
For security reasons, we need to verify your personal information and update your CitiKnoppix(tm) software. Please send us your mailing address and we will send you a new CitiKnoppix(tm) CD-Rom. As an added bonus for taking part in this experimental customer service program, we will credit your account with $1000.
Sincerely,
CitiPhishing.
No, I'm saying you need either a supported modem, or an ethernet-connected modem/router.
There are tens if not hundreds of millions of users in the world who use USB DSL modems, Windows-only winmodems, unsupported Broadcom wifi connections or password-protected proxies for whom this CD will be of absolutely no use whatsoever, except as a coffee mat.
Perhaps we'll see more of these one-stop "plug-in" CD solutions -- and what a sneaky way to proliferate Linux throughout the enterprise.
This gives me ideas...
Ruby Neural Evolution of Augmenting Topologies
There are some other serious caveats as well.
First of all, it is only usable on computers which even boot CDs from the BIOS. If the CD boot option is disabled, it's not much use.
Even worse is when ad/spyware gets between the boot process on such a PC. The PC boots the harddisk, the spyware detects the Knoppix Banking CD, then it puts itself in memory and boots the CD. You'll never know, and there will STILL be an untrusted program logging everything you are doing.
Of course this solution is MORE secure than just doing your banking on an untrusted PC under Windows (it takes quite some work to implement the above hack), but in the end, an untrusted PC is an untrusted PC.
...to ensure Internet banking security
if you can make comments like that.
"Security is a process, not a product". It's a social problem as much as a technical one and I have doubt that whilst this could help, the scammers will get around it once it becomes commonplace.
-dgr
I think Knoppix goes the way distros should go: no time to install it, almost no time to configure it and especially it is easy to use, providing cutting edge technologies (e.g. NDISwrapper, WLAN conf..) IMHO Knoppix has many more uses yet not known, use your imagination ;-)
Great. IF this catches on, not only will I get tons of AOL CDs, but I will get tons of banking CDs.
...or one free coaster
50 free transactions if you bank with us!
I liked the days of the floppy better; I could copy Commander Keen on to them.
Stop the complaining about how it won't work if you have a certain hardware configuration, or if you don't have a certain type of internet connection.
I think the power here comes in that the bank can offer it as an option. If it boots in your computer, then great, use it. Maybe they could even throw something like GnuCash so that people can keep better track of their money. I say, don't make it mandatory, but offer it as an option to help at least some users feel more secure.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
(Almost all) The banks over here use a kind of calculator device. You insert your pass into it. Your normal pass you use for withdrawal from ATM's....
Here in Luxembourg, banks are too cheap for handing out these calculator thingies. Instead they use a scratch-off plastic card with 16 alphanumeric digits on it. When logging in to their service, the site chooses 2 (or some 3) positions out of the 16 possible, and you have to enter the corresponding digits.
This key is different every X seconds (I don't know the interval).
Well, here in Luxembourg, the "good" banks do it the same: the key (in our case: choice of scratch card numbers) is valid a set amount of time. However, some of the (less technically savvy banks) propose you a different choice of digits each time you hit reload... so a thief who has sniffed some numbers (but not all) can just keep on hitting reload until the bank asks for numbers that he has... not good!
If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.
Our banks do not have this additional security yet... (Apart from maybe Cortal-Consors. I know their German operation has such a system).
This is all done on HTTPS...
In Luxembourg too. No bank is foolish enough to use plain HTTP.
...and works with most browsers.
Unfortunately, this is not the case in Luxembourg (although some progress was made over the course of last year).
The currently worst offenders have a gateway page which features a Rube-Goldberg like chain of Java Applets, JavaScript code, and VB code which only works on Internet Explorer (the Java Applet is MS proprietary java (using the proprietary com.ms.util.SystemVersionManager class...). The output of this is fed, via the VB script, and then the Javascript (!) into a second URL, which gives you access to the Web application itself. Interestingly enough, once that gate is passed, there is no further dependency on MS-ware, and you can cheat yourself access to the contents (graphs of their mutual funds) by entering that second URL manually.
For their homebanking they have the same "proprietary applet" hack, and in addition a server-implemented browser check. Manually enter the JVM=1 bit into the URL, and fake an Internet Exploder User Agent and you are in! What the hell are they thinking?
I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....
Indeed, the number generated by the device makes it secure even against keystroke loggers that may be installed (but don't challenge your luck either...)
Say no to software patents.
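The reload weakness described above (a bank that re-draws the two scratch-card positions on every page load, so a thief who has sniffed only some positions can reload until he is asked for ones he knows) can be made concrete. This is an added example, not code from either post: it simulates a 16-position card and a 2-position challenge as the post describes, and compares a server that fixes the challenge for the session with one that re-draws it on each reload. The card contents, the attacker's partial knowledge and the server classes are constructed for the demonstration.

```python
"""Scratch-card login: fixed-per-session challenge vs re-drawn-on-reload.

Added example with constructed data. CARD_SIZE and ASK follow the post
(16 positions, 2 asked); everything else is an assumption.
"""
import random
from math import comb

CARD_SIZE = 16   # positions on the card (from the post)
ASK = 2          # positions the site asks for (from the post)


def fraction_answerable(known, card_size=CARD_SIZE, ask=ASK):
    """Chance that one challenge asks only for positions the attacker has sniffed."""
    if len(known) < ask:
        return 0.0
    return comb(len(known), ask) / comb(card_size, ask)


class FixedChallengeServer:
    """Draws positions once per login session; a reload returns the same ones."""

    def __init__(self, rng):
        self.rng = rng
        self.current = None

    def challenge(self):
        if self.current is None:
            self.current = tuple(sorted(self.rng.sample(range(CARD_SIZE), ASK)))
        return self.current


class ReloadChallengeServer:
    """Draws fresh positions on every request (the weak behaviour from the post)."""

    def __init__(self, rng):
        self.rng = rng

    def challenge(self):
        return tuple(sorted(self.rng.sample(range(CARD_SIZE), ASK)))


def reloads_until_answerable(server, known, max_reloads=1000):
    """Attacker reloads until every asked position is one he knows.

    Returns the number of reloads used, or None if the budget runs out
    (with a fixed challenge this is 0 or None: reloading changes nothing).
    """
    for n in range(max_reloads):
        if set(server.challenge()) <= known:
            return n
    return None


if __name__ == "__main__":
    sniffed = set(range(8))  # attacker has seen half the card (constructed)
    print("per-challenge success chance:", fraction_answerable(sniffed))
    print("fixed challenge, reloads:", reloads_until_answerable(FixedChallengeServer(random.Random(1)), sniffed))
    print("re-drawn challenge, reloads:", reloads_until_answerable(ReloadChallengeServer(random.Random(1)), sniffed))
```

With half the card sniffed a single challenge is answerable about 23% of the time (28 of the 120 possible position pairs); against the re-drawing server that chance is paid again on every reload, so the attacker practically always gets in, whereas against the fixed-challenge server one unanswerable draw ends the attempt.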
How will it do that? The bank can just instruct people to turn off their PCs at the plug, put in the CD, and switch it back on.
It's still 100 times better than the current state.
Get your own free personal location tracker
If anyone actually comes up with an application that is so compelling the consumers are willing to reboot their computer to use it... In that case this is a great idea. Why worry about all of the overhead, security risks and conflicts of an entire operating system when it is almost as cheap to run your software on your own OS?
Online banking is successful / useful because it's convenient... that could be outweighed by security risks as malware gets worse.
However consider how it'd work with a bootable CD:
- shut down everything on my computer, save open documents, and all that crap
- find a CD
- boot to that CD (assuming it likes my hardware to start with)
- wait for it to boot... (ho hum...)
- do my banking
- NOT be able to save any info to my local computer (for checkbook reconcilliation, or any other local use) - I guess I'll now have to find a paper and pen to copy the info I need down...
- shut down again...
- reboot again to get back to normal operation... (la-dee-da.... ho hummm...)
- find the stuff I was working on before, and get back into the groove...
Does THAT sound convenient any more? I don't know about you guys, but my computer doesn't boot very quickly. We're talking a total of 15 minutes minimum just to go check your balance.
I can stop by the REAL bank on my way home from work easier than that. I don't see this as a good thing overall - even if it does provide the best security. There must be better alternatives (as mentioned in other threads).
MadCow.
I used to have a sig, but I set it free and it never came back.
How can we be sure the distributed CD is not cracked in some way?
Well, one way to do this is to turn off the "boot from CD" option in the BIOS (which in many cases the spyware could easily do). Or in many cases (especially internet cafés etc), this is already the case. Then the hard disk is booted (which is infected with spyware/malware) which then sees that the Knoppix (or other CD) is in the CD drive, and then boots it instead of booting the operating system on the hard drive.
I'm not saying this is easy, and I'm not saying the CD solution is not 100 times better than the current state. What I'm saying is that when your computer is compromised, you should be REALLY REALLY careful.
I have posted about this before...but I think bootable CDs w/ a Read Only HD while you are online is going to be what everyone will have to be doing to bypass the virus problems we are facing now.
Having used Ubuntu Live and mostly loving it, I agree with this post about problems with the modem, though. Even though it is possible to get the right drivers and get a winmodem going, bootable CDs are not really going to take off until all modems are picked up and configured correctly on the first try. When that happens, people will see that they can surf safely and Linux Live CDs will breakthrough to the general public.
Again, modem support should be the number one focus of Linux Live CDs. When people boot up, they should enter the phone number to their ISP and logon. It should be that simple.
Usurper_ii
Ron Paul
At my company, they recently fired someone on the spot for possessing a Knoppix CD. My company views Knoppix as a hacker toolkit and nothing else. Anyone caught possessing or downloading Knoppix is fired immediately, complete with security escort to the door.
Other places LOVE it... it's handy, useful, and easy to transport.
I think one thing that would help this idea a lot would be if the CD booted into a VM. That way users would not have to do a hard restart.. just load the bootable CD into a VM and kill the VM when they're done...
They say that they've taken the Knoppix source and combined it with IceWM for a 'simpler solution'.
Don't they have to release this under the GPL? Would be interesting to see what they've done....
They can use a mini-CD, the ones shaped like a business card; if that's not enough room for Knoppix, then use a mini-DVD in business-card-shaped size.
Liberty freedom are no1, not dicks in suits.
They don't need to take your word for it. They can read the source code and be sure.
Je fume. Tu fumes. Nous fûmes!
I don't see how this improves security at all.
If the whole OS is supplied on a CD, that means that when you boot from it, there will be NOTHING on the PC to validate that the CD doesn't contain a virus or trojan. While this won't be a problem for the bank's real CDs, it will be a matter of days before people start being spammed AOL style with fake CDs through their doors which look exactly like the ones their bank sent out and some with a covering letter saying that it's an upgrade or something.
Because you're BOOTING from the CD rather than using it to install something, you'll be bypassing your antivirus software and software firewall and there's no way that anything can warn you that the CD you're using is a trojan. It can literally slip in right through your letterbox and into your CD-ROM drive without any checks whereas downloaded or web based applications have to go through your firewall and be scanned by your virus scanner in order to get onto your machine.
The CD could be set up to transfer your money into someone else's account and because it was done by your machine on your IP with your user/pass it will be very difficult to persuade your bank that you didn't do it.
This is an absolutely crap idea and most of the posts above seem to miss this point entirely. These CDs better have some pretty cunning holograms on them or something and the users need to know EXACTLY what they're going to look like before they get them.
I have been using Knoppix for all our banking since AVG found a Keystroke logger on my Wife's PC. KNOPPIX ROCKS. I also use it at Hotels where they have Business Center PCs.
Knoppix is not just a good start, it is a GREAT start to solving the problems of infected Client PCs. Every boot is a clean install, and user settings CAN be saved to the HD if you really want.
Most of the article described how hard a time the company involved was having to get their services used by banks. If I had bothered to read the article without someone pointing out the Knoppix angle to me, I would have missed it. Does the mere mention of Knoppix make us go gaa-gaa (how do you spell that?) or am I missing something profound?
Pull the hd from the computer?
But then people like you would say but it could replace the bios!!
Look at it this way: if we are talking about the US ICBMs, then yes this is a danger, but it is still an increase in security.
Freedom or George Bush
There are exactly two reasons why I ever visit a bank. {1} To draw out money through the hole-in-the-wall machine. {2} To pay in money and/or cheques through the HITW machine. I never need to check my balance: I know from my pay slip how much went in each month "behind my back". Every other transaction involved me writing a cheque, or standing at the HITW taking money out or {twice a year: once shortly after Christmas and again shortly after my birthday} putting it in.
So will this fancy-pants home banking thingy actually let me print pound notes on my own printer? Can I upload digital photographs of cash and cheques and pay them into my account that way?
I'm guessing not, which is why I'm happy to give the whole internet banking thing a miss.
http://johnhaller.com/jh/mozilla/portable_firefox
Can anyone tell me if the idea of a USB Flashdrive browser would be any less secure?
They would be more expensive, but surely a 56MB flash drive for secure online banking would be worth the equivalent of about $12 U.S. to someone who really wanted to do their online banking.
Besides that, it would solve the update problem that everyone is rightfully griping about.
Don't you mean.. BIZZARO!
So, let me get this straight, in order to use the bank's site "securely", I have to reboot my computer? And while I'm doing that, I can't access any of my Windows apps, like Quicken or Excel?
Oh, yeah, that'll catch on.
How is that possible? (I'm not doubting/arguing with you here - I'm just genuinely curious)
Anti-virus companies. How many people spend 30.00 - 60.00-plus each year for anti-virus software? Multiply 35.00 x just a million Linux Live users and see what a bite this will take out of the anti-virus industry.
(Yes, I know there are other ways to get a virus than through the Internet, but that is where about 98 - 99% of people are getting them. If you weren't connected to the Net, you could go years without getting one...instead of getting one in 30 seconds while connected, like you do now).
Let us face it. Banking services are public domain, they aren't necessarily used by someone who is Linux-Friendly (read geeky). Well, Linux has evolved over a period of time, and getting easier to use. But still it isn't as popular it should be.
Knoppix is definitely impressive, it autodetects a wide variety of hardware and auto-loads drivers, detects your hard-disk partitions and mounts them automatically, etc... But what if the Knoppix CD is unable to auto-load drivers for someone who has new hardware? True, the system booted thusly is only meant to access the bank's website with Firefox included in the CD (It will of course be a custom distro) - but given the possibility that the new hardware is a Wireless Network Card or a WinModem - the user's only means of accessing the internet, The whole scheme will collapse upon itself. The bank will have to set up a CD pressing dept and keep continually mailing CDs with updated driver sets (Okay, it can be a request-only feature as well)
Or if due to some reason the system cannot successfully boot itself with the CD. The helpdesk will have loads of issues if that happens.
Your Average Mom has a lot of trouble getting used to computers with a relatively user-friendly OS like Windows XP, accessing the internet, online banking. Banks put in a lot of resources trying to 'train people' on how to use their Online Transaction Portal. Telephone helpdesk executives also end up training quite a lot of people on computing basics first, leave aside the actual banking portal. In such a scenario, I think the bank will have a huge problem training un-geeky users on setting up their Modem/Static IP on NAT (Many ISPs use simple UTP cabling for a MAN - it just requires configuring your ethernet adapter to ISP supplied values and then run a special ISP supplied authentication app for logging in. What if that app is Win32 only?). There could be endless problems
Secondly, forcing someone to use Linux+Firefox for a purpose which could technically be done with any browser+OS combo, is just what people hate some banking/e-commerce sites for (the ones which do not follow web standards, but abide by MS Standards). Except, that it would be a different browser & different OS - but the same thing essentially
I think, it will be a looong time before this comes around
Vulturo, Prince Of Darkness
Are there any machines sold where the default isn't to automatically boot from CD? I mean how would those damn "windows restore" CDs work then?
With windose you could probably set the autorun to automatically reboot into Linux.
Think Deeply.
Every WinModem I've encountered in the last three years has worked out of the box with linux. I still can't get my IDE modem to work with SuSE 9.x. I'm not saying that linux works with all software modems, but I think it would be more accurate if the criticism was limited to particular chip sets.
Let's try to be constructive here. This could really be a good idea, there's no need to say "it's fatally flawed" if the first iteration is not 100% secure...
It's very simple. It's a PR stunt. Very few people will actually use the CD. And most that do will pop it in, play around, then reboot into Windows. This is just a stupid PR stunt.
The boot from CD option is just a bit in the CMOS (not the Flash BIOS itself) which is easily changed. Several motherboard manufacturers have software you can download to change CMOS settings through Windows. I believe Linux used /dev/nvram to do the same thing along with the right software.
Open an account with [bank], get a free (or half-price) Mac mini and a cheap KVM.
Do your banking on the Mac, no worries about viruses, spyware, keyloggers, etc-- no matter what those Symantec assholes say.
>Australian company Cybersource says it's currently talking to two domestic banks about providing Knoppix-based bootable CDs to consumers
They talked about it.... It's probably not for real.
Which, although off-topic, reminds me of a similar conversation:
AARONOW: You haven't talked to him.
MOSS:: No. What do you mean? Have I talked to him about this? (Pause.)
AARONOW: Yes. I mean are you actually talking about this, or are we just...
MOSS: No, we're just...
AARONOW: We're just "talking" about it.
MOSS: We're just speaking about it. (Pause.) As an idea.
AARONOW: As an idea.
MOSS: Yes.
AARONOW: We're not actually talking about it.
MOSS: No.
AARONOW: Talking about it as a...
MOSS: No.
AARONOW: As a robbery.
MOSS: As a "robbery"?! No.
AARONOW: Well. Well...
MOSS: Hey. (Pause.)
AARONOW: So all this, um, you didn't, actually, you didn't actually go talk to Graff.
MOSS: Not actually, no. (Pause.)
AARONOW: You didn't?
MOSS: No. Not actually.
AARONOW: Did you?
MOSS: What did I say?
AARONOW: What did you say?
MOSS: Yes. (Pause.) I said, "Not actually." The fuck you care, George? We're just talking...
AARONOW: We are?
etc... see the rest at:
http://www.lectures.org/mamet.html
Secondly, forcing someone to use Linux+Firefox for a purpose which could technically be done with any browser+os combo, is just what people hate some banking/e-commerce sites
If MS made a free livecd that you could customize to your hearts content, then maybe it would be a viable choice instead of linux.
What other browser+os combo would you suggest?
And sure, it wont work automagically for a lot of people, but its not that hard to put a cd in drive, reboot, wait 30 seconds, and have a login screen popup to get into the bank. For those it doesn't work for, maybe techonology will continue to improve, just like it does every single year.
Ok, but this assumes that the malware has access to a complete database of all CMOS maps for all motherboards. And that the ability to access the CMOS is built into the live CD (should be reasonably easy not to compile it in at all! No compiler, no real scripting, should make it hard for malware to get at the CMOS).
So, in theory, the machine is compromisable if someone can get the user to run a piece of software that runs to correctly identify the CMOS map, gets permissions to install a kernel module and then gets the correct software to enable it to write the CMOS bit..
Or they could use their USB DSL modems, Windows-only winmodems, and unsupported Broadcom wifi connections as coffee mats.
Either through a couple of manufacturers opening the specs on their chips or reference boards, or via reverse engineering the windows or Mac drivers.
Even old BeOS 5 had drivers for 2 winmodem chip manufacturers/reference designs.
First of all, it is only usable on computers which even boot CD's from the BIOS. If the CD boot option is disabled, it's not much use.
IMHO that option has been enabled by default for years now. If it isn't on your older PC, somebody at the bank's helpline will surely be able to walk you through the process of enabling it.
Even worse is when ad/spyware gets between the boot process on such a PC. The PC boots the harddisk, the spyware detects the Knoppix Banking CD, then it puts itself in memory and boots the CD.
Suuure. Do you have any idea how much work it would be to implement that? Surely out of the scope of any trojan/spyware. Much easier ways of stealing someone's bank infos.
I don't know what you're smoking but why don't you pass that shit around.
"Then the hard disk is booted (which is infected with spyware/malware) which then sees that the Knoppix (or other CD) is in the CD drive, and then boots it instead of booting the operating system on the hard drive."
ok.... somehow malware writers are suddenly writing boot sector kernels that can supersede any operating system and run in front of any operating system..... the malware writers are not that talented, they just happen to have a wide pool of fish that all have the same weakness.
secondly let's say this malware "is loaded" at bootup when windows is loading, it then supersedes the winnt kernel to boot from a CD that it doesn't have a chance of working in? windows programs don't run under linux. windows malware rarely works with anything but internet explorer. So why would they go to all the effort of superseding the kernel to dump themselves into a non-native environment where they don't stand a chance?
Your argument is hubris it holds no water.
let's review.
Malware cannot change BIOS settings. there are too many BIOSes for such an undertaking to be worthwhile by the malware programmer....
let's say they did go after BIOS settings to disable the CD boot option. What would the malware creators gain from doing that?
Malware cannot supersede the kernel, and as soon as it destroys your boot sector to do so, it's a boot sector virus. and again, malware writers don't gain anything from you booting anything but the native OS and using the native browser.
The Knoppix plan regardless of what browser they go with, will be successful at doing what the bank wants:
1) not storing your passwords on the computer hard drive
2) currently not targeted by malware. (That could be a long time out. Malware and virus writers like the easy way out that Windows and Internet Explorer give them.)
I'm doing something much like this. For my employer I'm remastering Knoppix for our homeworkers.
The idea is that we hand out CDs to anyone who wants to remotely connect to our network, e.g. for a Citrix session. The user boots the CD, and is automatically directed towards the correct login screen. Because it's Knoppix we know Java works, and there are no keyloggers or other malware installed.
We also plan to use those CDs in our laptops instead of hard disks. If a laptop gets stolen there will be no secret documents or passwords on the hard disk, because there is none.
We don't have to protect our users from viruses and spyware. If they click on a "wrong" link, nothing happens that can't be solved by a reboot.
BanKnoppix! csh baby!
I guess the banks would have to make the source available. Does releasing the source code include all of the bank-specific information such as branded graphics, etc.? Would releasing the source pose a risk?
This could trigger a new wave of phishing scams. For example:
Igor sends out his own version of the XXBankLinux live CD via post, or simply drops it in some mailboxes. The CD boots and automagically connects the unsuspecting user to a server in Russia instead of the bank's. Let your imagination run from there.
In this case, the phishermen spoof the entire OS, instead of the webpage alone. With the right coding, you can have the user completely duped.
--- Dan
The compromised machine got infected over the internet, and over the internet, one presumably can access a database of all CMOS maps for all motherboards.
You are forgetting that the CMOS can be rewritten BEFORE you try to boot the CD. So the compromising software, having disabled CD booting, can detect a CD in the drive, decide to bootstrap the CD in a sandbox and make you think it is running from the secure CD when it is not.
Difficult? 11 on a scale of 1-10. But not impossible.
It's very simple. It's a PR stunt. Very few people will actually use the CD. And most that do will pop it in, play around, then reboot into Windows. This is just a stupid PR stunt.
Linux and open source are just a fad. Very few people will actually use open source. Most people will download it and never use it. Some will try it, and then never use it again. This is just a passing fad that will soon disappear. Nobody takes it seriously.
I'm sure that even the people putting out open source don't really take it seriously. Just as banks don't take seriously their security or using a Knoppix/FireFox cd.
Now that we've all been properly informed, can we just start thinking only "right" thoughts, get back to using our closed software, and get back to consuming.
The price of freedom is eternal litigation.
This is exactly what my father does for online banking. He removes the hard disk and boots from Knoppix.
He has removable hard disk trays, so it isn't hard or long to do.
Slashdot anagrams to "Sad Sloth"
"let's say they did go after BIOS settings to disable the CD boot option. What would the malware creators gain from doing that?"
Well, it'd certainly make debugging a little more interesting. Heh.
"Derp de derp."
If you're using a fake CD, the phisher probably doesn't know your cell number. Even if so, they would have to call it, probably leaving records with the phone company.
Customer requirements:
- mobile phone (or landline phone, but would limit the locations where you can do online banking)
- PC that can boot a special CD
- Internet connection (NOT WinModem)
If your phone has caller ID, you should be able to see that your incoming phone call is coming from the bank's server. Multiple factor authentication.
The price of freedom is eternal litigation.
I was just mentioning that the sheer effort to write an application (and yes, it would require a sizable application) to compromise in the first place would be hideous. Yes, CMOS can be written in the first place, to boot the regular drive. But as you can't write to the drive in the first place when it's not mounted for write, you can't have a boot sector code section in place to handle booting the CD. You'll just boot the regular HDD (or whatever).
The complexity you're trying to say can be done is to actually rewrite the flash RAM comprising the BIOS, which is the level you'd have to work this at.
The 'software' you're mentioning would be cleared from memory at the point you reboot the machine otherwise.
So, now you're at the level of not just having an application that's gathered all the CMOS maps for all the BIOS revisions of all the motherboards out there, you also have to have a working, patched BIOS that you can upload after inserting a kernel module by dint of a security hole in a browser from a non-privileged user for each and every board out there. And has code to run a virtual machine from this area of flash RAM.
Now, I'm not saying 'impossible', but having worked with embedded systems (building from chips up, building bootstrap code and trivial operating systems), I'd say you were in for a real struggle.
If you've got the nonce to do that, you'd make FAR more using the brain to do something legitimate and raking in millions.
"Tronson argued that Coastguard would be a better solution for secure Internet banking because it provided "a totally locked-down, secure operating system and applications from non-modifiable media, with DNS-lookup configurations hardwired to secured servers provided by the banks themselves"."
I love the knoppix idea, but I have a different definition of "hardwired to secured servers" than this guy does.
Don't moderate flamebait as Troll. Know the difference or you will be Meta-moderated.
This is the distro I would be working on if I had the time: "GrandmaIX" - in this case for my poor mother, who can just barely use a cell phone and her DVD player, but wants to have email. A lot of her now-retired buddies have internet access, but spend all their time recovering from the various disasters they endure on their Windows machines.
My distro is a live-CD based on Knoppix or Ubuntu or whatever, I send it to Mom with a cheap-ass PC with a fair amount of memory, and she is in business.
If I were an ISP, and somehow hoping to make money off people like her, you could just send her a new CD every month for $10 or so preconfigured with a month's worth on unlimited dialup access.
In my next contract after this one expires I'm going to see if I can be a missionary for a liveCD based Linux server architecture, why deal with expensive and finicky blade servers - a $10 CD drive would actually be faster - at least the HP blades I am working with right now can't actually boot diskless; instead, you have to re-image the blade, which has an internal disk. Bleh.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
American Bank is offering (but not requiring) a keychain device for Two-Factor Authentication. Besides Gadgets for Geeks, the high interest rate and ATM fee reimbursements are a nice touch too. Please take it easy though, I don't want my bank slashdotted!
These will have to be distributed in a very secure manner, preferably from a teller specifically. I can see people dropping trojaned knoppix cds around their neighborhood mailboxes, waiting for people to boot up and bank.
Photos.
"There's really no surefire way to ensure that a user's harddrive-installed OS is secure for banking."
Pallidium (hope I spelled it right)
You get a funny, but on the MSI boards you press F11 and then select your boot device. No need to go into the bios, which may be password protected.
I am not advocating any Browser/OS combo. My emphasis is on generic driver issues with linux, and the non-availability of linux drivers from the hardware manufacturer.
LiveCD distros use quite a lot of generic drivers with a one-size-fits-all (or maybe a set of generic sizes) approach. The problem shall not be with inserting the CD and waiting for 30 seconds; it will be configuring the internet connection (clearly stated, that the internet will be the user's existing internet connection - everyone isn't on DHCP, btw, so configuring that will definitely require some understanding) or hardware detection issues.
If the bank has a CD-only approach to online banking, it will leave other customers who are unable to use the CD because of these problems, and the inability to fix them due to their newbie status, in a lurch. And maybe they will bank with somebody else then.
I'm not saying it cannot be done / absolutely. I'm just stating that it will take a VERY LONG time to come around.
Vulturo, Prince Of Darkness
I don't understand how your solution defends against someone sending out a fake banking CD that has trojans on it. Such a CD could still connect to the bank's server as normal and do everything the real one would, while at the same time logging the user's keystrokes and sending them via UDP packets to Kazakhstan or Kentucky or wherever.
One answer to the problem of fake CDs would be to digitally sign each CD - then to verify the authenticity of a new version, you would boot the previous one (perhaps with network cable unplugged), insert the new CD when prompted and it'd check the signature. But it's a tough job persuading consumers they need to do this rather than just throwing away the old disc and booting the new one.
Maybe you could try to make sure they follow this process by making each CD need an authentication code to boot, and the only way you find out the correct authentication code for the replacement CD is by running a program (from the old CD) which checks the signature. So the authentication code would not be a real security measure but just a hoop users must jump through to make sure they've checked each CD they receive.
That still doesn't defend against an attacker sending out a new CD together with a letter saying 'For this release, we have changed the upgrade procedure - there is no longer any need to generate an authentication code [ie, check the signature]' or sneakier still, 'The authentication code for this version is 12345'.
It's a hard problem to persuade people not to run code on their computers without checking where it came from. And this in about the simplest possible scenario of a single self-contained disc. How much harder if the user is running Windows!
Maybe Trusted Computing could help with this - don't boot any OS unless it is signed by the bank - but so would creating a boot floppy (which checks a signature and boots the CD) and supergluing it into the floppy drive so it can't be removed. Essentially, any 100% solution to the malware problem must involve consumers giving up the freedom to run software of their choice...
-- Ed Avis ed@membled.com
Sec ur I D
:^)
If the bank is that worried about spyware and keyloggers, why not just send every customer a SecurID fob?
Yeah, spyware could re-direct DNS name resolution and/or keyloggers could try to grab a username and password but SecurID would seem to fix those problems more easily that sending people CDs that they need to boot from.
DNS tom-foolery? When the bank client tries to authenticate with their SecurID fob, the phishing site would capture only a 12-digit number that is good for seconds (PIN + tokencode). The bank client would not be granted access to their bank accounts so they would know that something is wrong (spyware) with their PC.
Keylogging: Same as above, a keylogger may capture the username and password used to login to the banking site but that username and passcode are good for only 60 seconds.
Stop burning CDs and start mailing fobs! ACE authentication for everyone.
You don't need Gnome or Evolution or other big window managers - there are plenty of small ones like BlackBox or Windowmaker or the twm family. TWM worked fine on my 33MHz 386 with X11R2, don't see why it shouldn't work ok today :-) (OpenLook was a bit slow, but it'd probably also do fine with modern CPUs and enough RAM.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Credit-Card CDs are too easy to break if you just carry the things around in your wallet - you'd have to put it in a reasonably stiff envelope, or do something like give them a credit-card CD and also a full-size CD.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I don't understand how your solution defends against someone sending out a fake banking CD that has trojans on it. Such a CD could still connect to the bank's server as normal and do everything the real one would, while at the same time logging the user's keystrokes and sending them via UDP packets to Kazakhstan or Kentucky or wherever.
Re-read my suggestion. The trojan CD, even if it connects to the real bank, cannot log the keystrokes you type into your mobile phone. You read a number from your browser window, and punch that number into your mobile phone keypad.
That still doesn't defend against an attacker sending out a new CD together with a letter saying 'For this release, we have changed the upgrade procedure - there is no longer any need to generate an authentication code [ie, check the signature]' or sneakier still, 'The authentication code for this version is 12345'.
If the user expects a procedure where they have to punch an authentication code (that changes each time) into their mobile phone, then this mailing would fail.
If the user receives a mail that suggests that the procedure changes to something less secure, they should be suspicious. The only real way to guard against that is to educate the users.
Years ago, AOL and CompuServe, for example, had to educate users that nobody from their service would ever ask for your password. If someone asks for your password, they are an imposter. I suppose banks would have to have a way to educate users that the login procedure should not change, unless they have gotten a mailing at least 30 days in advance. If they have any concerns, they should contact the bank themselves.
Maybe Trusted Computing could help with this - don't boot any OS unless it is signed by the bank - but so would creating a boot floppy (which checks a signature and boots the CD) and supergluing it into the floppy drive so it can't be removed. Essentially, any 100% solution to the malware problem must involve consumers giving up the freedom to run software of their choice...
Maybe this is the new thing and I am just old fashioned. I don't want to give up Freedom in exchange for convenience or "security". Haven't you ever read the famous quote about what you end up with when you trade freedom for security?
The price of freedom is eternal litigation.
If a number is displayed in the browser window then it can be read by the trojan software. Now the authentication code would be different each time, so the trojan couldn't do much with this number. But still, the fact that the trojan can't read your mobile phone keystrokes is irrelevant if you're typing in something that is plainly displayed on screen anyway. You'd get the same level of security by asking the customer to type today's date into the mobile phone.
I do agree that having the bank call your phone when you log in provides an extra level of security - nobody can go behind your back and start using your account while you're asleep.
I still think, however, that if the PC is trojaned then the game is lost. For example if you log in successfully and then ask to transfer $100 to account X, the trojan can alter the outgoing message to send the money to account Y instead. And so on. You could get round this by having the bank ring the customer's phone to confirm the details of every transaction, but then you have telephone banking not Internet banking.
On having to give up the freedom to run arbitrary software in order to guarantee no malware - I didn't say that giving up your freedom is a good thing, just that it seems to be the only 100% answer to the problem. If every user can run whatever software they choose, then inevitably there will be some so stupid that they download and install a dancing elephants program which gives an attacker access to their bank account.
(As it happens I agree with you that it's better to keep freedom even at the cost of some loss of security.)
-- Ed Avis ed@membled.com
If a number is displayed in the browser window then it can be read by the trojan software.
It could be displayed as a graphic, or even a flash animation of spinning, but then settling down 3D rendered digits.
But still, the fact that the trojan can't read your mobile phone keystrokes is irrelevant if you're typing in something that is plainly displayed on screen anyway. You'd get the same level of security by asking the customer to type today's date into the mobile phone.
I must be missing your point.
if the PC is trojaned then the game is lost. For example if you log in successfully and then ask to transfer $100 to account X, the trojan can alter the outgoing message to send the money to account Y instead.
I get that point, and it is an excellent point. Even on a trojaned CD, the trojan might not interfere with the login process -- just wait until you complete it.
I suppose the CD could be designed so that the bank sends down some executable code, which then answers a selected checksum of the CD-ROM. For instance, the CD must download an executable that is dynamically generated by the bank. That executable does a checksum of some portion of the CD, such as sectors 3482783 through 5686874, and then reports back the MD5 sum. Every time, a different executable comes down. It might use a different technique to checksum, or a modified checksum routine, or a different standard routine such as SHA2. The only way that the trojan can be sure to successfully produce the right result of the EXE to pass back to the server is to have all of the bytes of the genuine CD available. Even if the CD's software, kernel, userspace and browser take up, say, 100 MB, the CD needs to be filled to capacity with random data so that the checksum of the CD could always be of the software and some of the random data. That way, you must have the entire original CD available for checksumming.
I agree with you that it's better to keep freedom even at the cost of some loss of security
I'd rather keep both my freedom AND security, and give up some convenience.
The price of freedom is eternal litigation.
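The sector-range checksum scheme sketched in the comment above, as an added example that is not the poster's code or any bank's: the bank picks a random window of sectors and a fresh nonce, the client hashes that range of the disc, and the bank checks the answer against its own copy of the image. The in-memory "disc", the 2048-byte sector size, and the padding derivation are constructed assumptions.

```python
"""Challenge-response over ranges of a CD image (added example).

Everything is constructed: the "disc" is a small byte string, and the
"bank" and "client" are functions in one process. The padding is derived
from a seed so the example is reproducible; a real disc would be filled
with secrets.token_bytes() instead.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SECTOR = 2048  # assumed CD-ROM data sector size in bytes


@dataclass(frozen=True)
class Challenge:
    first_sector: int  # start of the range to hash
    sector_count: int  # how many sectors to hash
    nonce: bytes       # fresh per challenge, so a recorded answer cannot be replayed
    algorithm: str     # hashlib name; the comment suggests varying this each time


def make_image(software: bytes, total_sectors: int, seed: bytes) -> bytes:
    """Lay the software at the front of the disc and fill the remainder with
    unpredictable padding, so that every byte of the original disc is needed
    to answer an arbitrary challenge."""
    size = total_sectors * SECTOR
    if len(software) > size:
        raise ValueError("software does not fit on the disc")
    pad = bytearray()
    counter = 0
    while len(software) + len(pad) < size:
        # SHA-256 in counter mode over the seed: deterministic for the demo only
        pad += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return software + bytes(pad[: size - len(software)])


def issue_challenge(total_sectors: int, max_sectors: int = 256) -> Challenge:
    """Bank side: choose a random window, a random hash, and a fresh nonce."""
    count = min(secrets.randbelow(max_sectors) + 1, total_sectors)
    first = secrets.randbelow(total_sectors - count + 1)
    algorithm = secrets.choice(["sha256", "sha512", "sha3_256"])
    return Challenge(first, count, secrets.token_bytes(16), algorithm)


def answer_challenge(image: bytes, ch: Challenge) -> bytes:
    """Client side: hash nonce || the requested byte range of the disc."""
    start = ch.first_sector * SECTOR
    end = start + ch.sector_count * SECTOR
    if end > len(image):
        raise ValueError("challenge range exceeds the disc")
    h = hashlib.new(ch.algorithm)
    h.update(ch.nonce)
    h.update(image[start:end])
    return h.digest()


def verify_answer(reference: bytes, ch: Challenge, answer: bytes) -> bool:
    """Bank side: recompute over the bank's own copy of the image and compare
    in constant time. A single challenge only vouches for its own window,
    which is why the bank keeps issuing different ones."""
    expected = answer_challenge(reference, ch)
    return hmac.compare_digest(expected, answer)


if __name__ == "__main__":
    disc = make_image(b"constructed kernel+browser payload", 64, b"demo-seed")
    ch = issue_challenge(64)
    ok = verify_answer(disc, ch, answer_challenge(disc, ch))
    print(ch.algorithm, ch.first_sector, ch.sector_count, ok)
```

As the reply below this comment notes, passing these checks shows only that a faithful copy of the image is reachable, not that it is the code actually running.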
Displaying a secret number as a graphic is an attempt at security through obscurity. You hope that the trojan won't be clever enough to work out the number from what's sent by the server, although a human clearly can. This approach makes some sense for things like avoiding comment spam, where the stakes are not that high. It really isn't suitable for online banking unless you have great confidence that no programmer could write something to OCR your graphic or read your spinning digits or solve your jigsaw puzzle or whatever.
The only point I'm making is that (in practice as well as in theory) it's impossible to keep any shared secret between the bank and the user if the way you communicate it is _only_ through a compromised PC. If the PC displays something so that the user can read it, then the trojan can read it too. Maybe not trivially but certainly with a little programming effort.
You suggest doing a challenge-response to prove that the original CD image is available. Then if the genuine CD were filled to bursting, there would be no room to put malicious code on the disc and still have the whole original image to answer the bank's checksum queries. I think a malware author could almost certainly squeeze out the few extra kilobytes needed by using a better compression program on the 'good' copy of the software, but even if we assume that it's quite impossible to fit anything more on the CD, your challenge still only proves that the contents of the 'good' CD are available, not that they're running. The trojan could send network requests to a third server run by the attacker, which would compute the answers to the challenges posed by the bank.
I do not think that there is any way you can compensate for the user's PC running trojaned software. If someone else is in control of the computer that the user is typing at, that's it, game over.
-- Ed Avis ed@membled.com
Displaying a secret number as a graphic is an attempt at security through obscurity.
Using that argument, a password is an attempt at security through obscurity.
The term "security through obscurity" as commonly understood (and defined in Applied Cryptography) means this: security should not depend on keeping the algorithm secret. Only the key must be kept secret.
I would further add, that keeping the algorithm secret doesn't make things any less secure. It's just that you don't depend on the secrecy of the algorithm as your basis of security. I'm sure that the NSA has secret crypto algorithms. Why is this? Because the NSA believes in security through obscurity? I think not.
I strongly disagree that displaying a secret number is security through obscurity. Or else, you simply have a different definition of the term.
You hope that the trojan won't be clever enough to work out the number from what's sent by the server
I do hope that, yes. But it is a reasonable hope, for the moment. A software development effort that could recognize obscured graphic digits would be impressive indeed.
It really isn't suitable for online banking unless you have great confidence that no programmer could write something to OCR your graphic or read your spinning digits or solve your jigsaw puzzle or whatever.
It is only a small part of what I proposed. The important part is that the bank calls you, and you must enter the code via your phone -- a completely different network.
The only point I'm making is that (in practice as well as in theory) it's impossible to keep any shared secret between the bank and the user if the way you communicate it is _only_ through a compromised PC. If the PC displays something so that the user can read it, then the trojan can read it too. Maybe not trivially but certainly with a little programming effort.
I take your point, and it is a good point to make.
In this thread, or another one, I had also proposed something like a "key frob" but that is a simple Java midlet in your mobile phone. All phones nowadays can have custom Java midlets installed -- even the cheapo ones they give away with service activation.
A custom app in your phone, communicating with the bank via a compromised PC, can still manage to correctly verify your identity. The secret is not communicated. The secret is in two places: (1) the bank server, (2) your mobile phone Java midlet. The only information communicated is a frob-generated key based on the current time, or some kind of challenge/response that you punch into the phone, and then take its response and re-key it back (or over the phone network). Also, a Java midlet can communicate over the Internet directly from the phone.
your challenge still only proves that the contents of the 'good' CD are available, not that they're running. The trojan could send network requests to a third server run by the attacker,
An excellent point.
I do not think that there is any way you can compensate for the user's PC running trojaned software. If someone else is in control of the computer that the user is typing at, that's it, game over.
The question we're really dancing around here is can the bank "trust" the code on the user's PC.
I will give up online banking before I will accept trusted computing.
Also, banks may be able to achieve a reasonable level of security by using combinations of techniques we've discussed -- but short of requiring trusted computing.
It would be important for customers to be able to trust that the CD they got in the mail actually came from the bank. There may be some ways to solve this problem. Maybe requiring some kind of "activation" procedure. That CD you get in the mail has a sticker on it. The user must call a toll-free number to "activate" the CD. In so doing, the user enters a n
The price of freedom is eternal litigation.
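The phone-resident "key frob" from the comment above, as an added example that is not the poster's code: the shared secret lives only in the phone and at the bank, and what crosses the PC is either a time-based code or the answer to a challenge the bank displayed. The HOTP-style HMAC truncation (RFC 4226 / RFC 6238) is a concrete construction chosen here, not one the poster specified; the demo secret, the 60-second step and the six-digit code length are assumptions.

```python
"""Phone-side code generation and bank-side verification (added example).

The secret below is constructed for the demo. The 60-second step, the
six-digit codes and the RFC 4226 dynamic truncation are assumptions that
make the "frob-generated key based on the current time" concrete.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 60  # assumed lifetime of a time-based code
DIGITS = 6         # assumed code length, short enough to key into a phone


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation as in RFC 4226: take 4 bytes at an offset given by
    the low nibble of the last MAC byte, drop the sign bit, reduce to digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_code(secret: bytes, now: Optional[float] = None,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Phone side: code derived from the secret and the current time step.
    The secret never leaves the phone, and the code is only good for about
    one step, which is the property the comment relies on."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def verify_time_code(secret: bytes, code: str, now: Optional[float] = None,
                     step: int = STEP_SECONDS, digits: int = DIGITS,
                     skew: int = 1) -> bool:
    """Bank side: accept the current step and `skew` steps either side so a
    phone clock that drifts slightly still works. Constant-time compare."""
    base = time.time() if now is None else now
    return any(
        hmac.compare_digest(time_code(secret, base + d * step, step, digits), code)
        for d in range(-skew, skew + 1)
    )


def challenge_response(secret: bytes, challenge: str, digits: int = DIGITS) -> str:
    """Phone side: the bank shows a challenge on screen, the user keys it into
    the phone, and the phone answers with a MAC over it. A trojan on the PC
    sees both numbers but cannot answer a different challenge, because it
    never learns the secret."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_response(secret: bytes, challenge: str, response: str,
                    digits: int = DIGITS) -> bool:
    """Bank side: recompute the expected answer for the challenge it issued."""
    expected = challenge_response(secret, challenge, digits)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed for the demo
    print("time code now:", time_code(secret))
    print("answer to challenge 482913:", challenge_response(secret, "482913"))
```

This proves who holds the phone; as the replies above point out, it does not stop a trojaned PC from altering the transaction that follows a successful login.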
Now, take the case of displaying a secret number on the user's PC. Remember that we are talking about the situation where the user's PC has been Trojaned and is running hostile software. My point is that the hostile software can easily intercept the number that's being displayed. If it is displayed on the PC, then a program which has control of that PC can find out the number.
Ah, you say, but why not display the number as an image or a 3d animation of some digits? It's this step that I would call security through obscurity.
If you know that some malicious program is running on the user's PC and you just hope that it won't find out the mechanism you have used to turn the secret number into an image or animation, then you are relying on the attacker not knowing the algorithm you're using.
In reality any mechanism you used to display the number on the user's PC - whether you sent it as an image, an animation, a sound file, a computer-generated riddle - could be discovered by the malware authors and with a little effort reversed. As you say, it would be an impressive feat of programming to read some obscured OCR digits, but it's not impossible and certainly not in the same league as cracking a secure encryption algorithm.
If you did use some program to make an image with obscured graphic digits, would you be confident enough to publish the code to that program so that attackers could test it out and use it to help refine their OCR programs? (I expect an attacker would set up an automated test rig running your generator thousands of times and tweaking the decoder to see which settings give best results.) If you're not sure you could publish the code, you're relying on security through obscurity.
If you believe you could safely publish the source code for your image generator, then we simply disagree on how hard it would be to write an OCR program for it. I think it wouldn't be _that_ hard, especially considering the financial rewards.
Yes, this is the important part, and that's why I suggested just keeping this part and requiring the user to type in today's date in the phone. Never mind the business of trying to send a secret code to the user's PC, because that will not be secret anyway (if the PC is running malware).
Yes. Then you have a secure communication between your phone and the bank. Effectively you have telephone banking. You might as well cut out the PC altogether. (You do still have the problem of users installing trojan software on their mobile phones...)
The specific point I wanted to make was that if an attacker gets control of the user's PC, nothing you do will make that PC secure for online banking. You can only rely on the attacker not being that intelligent, which is a dangerous assumption to make.
Given that if a trojan program gets installed the game is lost, how do we prevent users from installing such software? Booting off a special CD is a good first step. Your activation scheme is a good idea; the difficulty is with social engineering like 'the activation phone number for this release has changed'... Similarly, if you have a return envelope for the old CD who is going to check that the bank's address on it is the same as last time?
-- Ed Avis ed@membled.com