Slashdot Mirror


Washington Post Says Use Linux To Avoid Bank Fraud

christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."

15 of 422 comments

  1. What about the banks? by Profane+MuthaFucka · · Score: 5, Insightful

    A little two factor authentication would be nice to see in American banks. Passwords just aren't adequate any more.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    1. Re:What about the banks? by nmb3000 · · Score: 5, Insightful

      A little two factor authentication would be nice to see in American banks. Passwords just aren't adequate any more.

      And how would an n-factor authentication scheme help when software on your computer is logging keystrokes, mouse gestures, and capturing images of your screen and then sending them near realtime to the bad guys?

      If your computer has been compromised in this fashion, you've already lost. For you car enthusiasts, it's like adding additional locks to the car doors -- it doesn't help if the windows (haha) are already broken.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    2. Re:What about the banks? by FooAtWFU · · Score: 4, Insightful

      Security tokens are the second factor in two-factor authentication. The banks are just convinced that another-password is good enough, mostly because it's cheaper than doing it right.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    3. Re:What about the banks? by DarkFencer · · Score: 4, Insightful

      Though I agree two factor authentication is useful, the 'taking the engine' analogy overestimates the difficulty of breaking through it.

      All the scammers have to do is instead of recording your keystrokes, gesturing, etc., they display a 'fake' copy of the bank to you through whatever software they have installed on your computer. They take the information you think you are sending to your bank (but are sending to them instead) and instantly have their scripts login to the site from their own systems (or some other bot on the net).

      If they prevent your initial login to the site from happening, they can use your username + password + rolling code themselves if their software auto logs in.

      This of course requires a user to go to a phishing site (miscellaneous.scammersite.com or something more complex), or requires the phisher to own the user's computer enough that they can intercept their connections & deal with the SSL certificate issues, while the phisher's automated software automatically goes to the real miscellaneousbank.com site.

    4. Re:What about the banks? by mjwx · · Score: 4, Insightful

      And how would an n-factor authentication scheme help when software on your computer is logging keystrokes, mouse gestures, and capturing images of your screen and then sending them near realtime to the bad guys?

      Because a 2 factor authentication token like an RSA key changes every 10 or so seconds so by the time Bad Guy #1 has finished parsing that log the 2nd authentication factor is out of date. The far cheaper way of doing this which most banks in Australia have started using is a one time password sent to you via SMS. This password works one time only (hence we call it a one time password, geddit) so if the Bad Guys(TM) get the entire password in real time and are reading their logs in real time then they still can't use it as the password has already been used.

      Yes it's a band aid solution but at least it's a decent kind of band aid. The alternative is complaining that it doesn't work and then having nothing happen because no one has a better practicable idea.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
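    The "changes every few seconds and works once" property described above is what a server-side TOTP verifier has to enforce explicitly. The following is an added example, not code from the article or from any bank or vendor mentioned in the thread: it implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and a verifier that remembers the last consumed time step, so a captured code is rejected once the legitimate login (or the first replay) has used it. The secret is the constructed 20-byte value from the RFC test vectors, not a real key; the time step (30 s) and the one-step clock-skew allowance are the usual defaults and are assumptions of this example.

    ```python
    import hashlib
    import hmac
    import struct

    # Constructed demo secret from the RFC 4226/6238 test vectors; not a real key.
    DEMO_SECRET = b"12345678901234567890"
    STEP_SECONDS = 30      # assumed time-step length (RFC 6238 default)
    DIGITS = 6             # assumed code length


    def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
        """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
        mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** digits)).zfill(digits)


    def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
        """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
        return hotp(secret, at // step)


    class OtpVerifier:
        """Server-side verifier that enforces one-time use of each time step.

        Besides checking the code against the current step (plus a small skew
        window), it refuses any step at or below the last accepted one, so a
        code captured from the user cannot be submitted a second time.
        """

        def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
            self.secret = secret
            self.step = step
            self.skew_steps = skew_steps
            self.last_accepted_counter = -1  # highest time step already consumed

        def verify(self, code: str, at: int) -> bool:
            now_counter = at // self.step
            low = now_counter - self.skew_steps
            high = now_counter + self.skew_steps
            for candidate in range(low, high + 1):
                if candidate <= self.last_accepted_counter:
                    continue  # already used: a replayed or delayed code is rejected
                # constant-time comparison so timing does not leak digit matches
                if hmac.compare_digest(hotp(self.secret, candidate), code):
                    self.last_accepted_counter = candidate
                    return True
            return False


    if __name__ == "__main__":
        verifier = OtpVerifier(DEMO_SECRET)
        code = totp(DEMO_SECRET, 59)
        print("code at t=59:", code)                       # 287082 per the RFC vectors
        print("first use accepted:", verifier.verify(code, 59))
        print("replay accepted:", verifier.verify(code, 70))
    ```

    Note what this does and does not buy: a code that an attacker has merely recorded is useless after the user's own login consumes it, which is the argument made above. It does nothing against the case raised later in this thread, where malware relays the code to the attacker first and delays the user's login, because from the server's point of view the attacker's submission is the "first use".
    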
    5. Re:What about the banks? by shird · · Score: 5, Insightful

      And do you realise this authentication scheme has also been broken?

      The crooks these days are breaking into your account in real-time by using your security token code as you login, and preventing you from logging in.

      Read the article, he mentions this.

      --
      I.O.U One Sig.
    6. Re:What about the banks? by Compholio · · Score: 4, Insightful

      Because a 2 factor authentication token like an RSA key changes every 10 or so seconds so by the time Bad Guy #1 has finished parsing that log the 2nd authentication factor is out of date. The far cheaper way of doing this which most banks in Australia have started using is a one time password sent to you via SMS. This password works one time only (hence we call it a one time password, geddit) so if the Bad Guys(TM) get the entire password in real time and are reading their logs in real time then they still cant use it as the password has already been used.

      None of this will work with the problems described in the article, if someone has control of your computer then you're screwed no matter what kind of authentication you have. In one of the examples they specifically stated that crackers used the token code and delayed the customer's request:

      Johnston's bank requires customers to enter the code from a Vasco security token. But the thieves - armed with malware on the company controller's PC - were able to intercept one of those codes when the controller tried to log in, and then delay the controller from logging in. Indeed, Johnston said the company's computer logs show that the controller logged into the system while the series of thefts was already in progress.

      So, instead of the cracker getting blocked the customer would have been blocked because the "malware" made the customer's request come in AFTER the cracker's. If you were really clever you'd program the thing to intercept all the communication before it gets encrypted to go out to the bank and then fake the returned data so the user doesn't know that you're toying with them (yes, you can intercept the crypto library calls - I toyed with this some to get the Red Alert 3 Beta working on Wine). I don't know about you, but I can't think of a solid way around this interception (except having the bank only allow logins from a special custom browser that they load on a Live CD).

  2. Re:VM? by shird · · Score: 5, Insightful

    Because as the author explains in the comments, key loggers can run at the low level device driver level. At this level, it can hook key presses in a VM just as well as the host OS.

    It's a pain, because nobody wants to go to the trouble of rebooting twice for the sake of paying a few bills. But it's the only way to be sure of a clean environment, unless your BIOS has been hacked. It's at least one good argument for the trusted platform, TPM, or whatever it is. In theory you could be sure that you are running only un-altered digitally signed executables and nothing else.

    --
    I.O.U One Sig.
  3. Alternate Headline by Minwee · · Score: 4, Insightful

    "Washington Post Urges Thieves To Distribute Linux LiveCDs"

    A few racks full of CDs in a highly visible place, or even cheap preloaded USB drives delivered right to the mark's front door along with a friendly letter explaining how running Linux would help improve security and thwart The Bad Guys could make your job of stealing from the clueless even easier than before.

  4. Re:VM? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Presumably, if one is handling enough money that 100K or 450K could be stolen, one could afford a second computer and a 2 way KVM switch.

    That doesn't solve the "but joe user doesn't want to reboot just to get to his overdrawn checking account" problem; but with real computers routinely showing up for $300 and lower, it isn't exactly an extremist position to suggest banking from dedicated hardware for any nontrivial amount of money.

  5. Re:Just Linux? by AvitarX · · Score: 5, Insightful

    I think the point is Boot CD, not Linux.

    This would preclude any with an intelligent GUI (actually I am quite fond of Gnome at this point, but that wasn't what you meant).

    If I am correct, using a Linux boot CD would make sense for Linux users too.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  6. Re:terrible advice by black3d · · Score: 5, Insightful

    Browser security is only an issue if you're visiting other sites, in the same session, on the same boot, on your LiveCD. Browsers on LiveCDs don't magically download malware from the internet by themselves - you have to direct them to. And most conventional malware must install itself - which won't happen on a LiveCD. There are a very few flash/js based attacks that work live in the same session - but really, if either (a) your bank has third-party inline flash ads or (b) you don't trust java content from your bank's own website, then why are you banking with them online?

    And going as far as questioning whether your CD burning software is infected is ridiculous. You can't be any more certain that your mouse doesn't have embedded circuitry tracing your movement patterns, or your keyboard doesn't have a keylogger built directly into it, or the aliens aren't tapping directly into your cabling's electromagnetic interference patterns to directly access your bank account as you do. You're going to extremes purely for the point of argument, but although it may have passed you by, it was established several thousand years ago that "nothing is certain".

    If you can imagine up scenarios like malware built into your cd-burning software specifically to target LiveCDs being used for online banking, I can't fathom how you trust a bank's own employees enough to actually keep your money with them instead of under the mattress.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  7. Devil's advocate: Deepfreeze? by mlts · · Score: 4, Insightful

    Devil's advocate here:

    Of course, a diskless system running Linux would reduce the chance of malware on clients, but perhaps if a company is dependent on Windows, almost as good security (and I state almost) would be obtained from denying admin access and using something like DeepFreeze, Windows SteadyState, or similar?

    Combine DeepFreeze with AppLocker, some decent enterprise antivirus utilities, BitLocker, and the usual physical and BIOS protection on a machine, and one can make a decently locked down terminal that can cleanly run Windows apps. Should additional software be needed, no need to install it, just use something like VMWare ThinApp and have it runnable from a central location.

    There is nothing wrong with a diskless system and booting from a CD-ROM. However, unless one creates a custom image with reliable enterprise level auditing tools, it becomes difficult to extract data from a group of PCs (and this is important for larger businesses come tax season, or regulatory compliance), and it is definitely an issue to add or update software without a reboot, unless it is a precompiled binary on a central server that people run.

    Also, instead of running live CDs, why not consider going to a vendor like Wyse and going with truly thin technology? This way, there is little to no fiddling with the client side. If a thin terminal has a problem, just swap it out for another one, chuck the old one in the RMA box and be done with it. This is arguably a lot easier than the cost for maintaining standard PCs [1].

    [1]: I'm primarily intending enterprise level here. For some SMBs, it is a lot cheaper to go with a boot CD and a generic PC, but for larger companies, it may mean more futzing around with stuff for their IT staff, especially on the scale of thousands of endpoints. If I had a startup with a call center of 5 people, PCs are a lot more economical. However, 500 to 1000 people in a non-technical call center, then I'd take a serious look at thin terminals and a beefy internal network fabric.

  8. Re:VM? by Straker+Skunk · · Score: 4, Insightful

    What about a Windows XP Live CD?

    "Sir, there are some gentlemen here who say they are from an organization called the BSA. They want to see the license certificates for those Windows CDs we've been handing out..."

    --
    iSKUNK!
  9. Re:Non-random bits on LiveCD can compromise securi by slimjim8094 · · Score: 4, Insightful

    Not Linux. Randomness comes from the time (hardware, persistent), but also from the randomness of network traffic and other driver miscellanea such as HDD head seek times, mouse movements, keystrokes, CPU temperature data, electrical noise on the power supply (with the right hardware)...

    I can't say for sure, but I think Linux actually has the most secure random-number generator of any OS - excluding dedicated hardware. Enough that it can probably be fairly called true RNG instead of PRNG, as long as you use /dev/random instead of urandom.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.