Washington Post Says Use Linux To Avoid Bank Fraud
christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."
A little two factor authentication would be nice to see in American banks. Passwords just aren't adequate any more.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Keyloggers could still capture the input from the Host OS.
# cat
Damn, my RAM is full of cats. MEOW!!
Because as the author explains in the comments, keyloggers can run at the low-level device-driver level. At this level, they can hook key presses in a VM just as well as on the host OS.
It's a pain, because nobody wants to go to the trouble of rebooting twice for the sake of paying a few bills. But it's the only way to be sure of a clean environment, unless your BIOS has been hacked. It's at least one good argument for the trusted platform, TPM, or whatever it is. In theory you could be sure that you are running only un-altered digitally signed executables and nothing else.
I.O.U One Sig.
It's not just "Linux vs Windows" but "trusted boot": All you need to rely on is that the live CD is OK and your BIOS is not corrupted, and you can effectively safely connect to your bank.
I use it myself for my Schwab account, with the added bonus that there is enough math to show active traders lose big, so don't trade actively, which comes into play here.
Test your net with Netalyzr
We're trying to SAVE money here
If you build it, nerds will come. Soylentnews.org
"Washington Post Urges Thieves To Distribute Linux LiveCDs"
A few racks full of CDs in a highly visible place, or even cheap preloaded USB drives delivered right to the mark's front door along with a friendly letter explaining how running Linux would help improve security and thwart The Bad Guys could make your job of stealing from the clueless even easier than before.
Presumably, if one is handling enough money that 100K or 450K could be stolen, one could afford a second computer and a 2 way KVM switch.
That doesn't solve the "but joe user doesn't want to reboot just to get to his overdrawn checking account" problem; but with real computers routinely showing up for $300 and lower, it isn't exactly an extremist position to suggest banking from dedicated hardware for any nontrivial amount of money.
Well, don't do online banking.
Or, use a totally separate computer to do online banking. Only use the web browser to access one's bank account.
Or look for those "freeze" type software packages, which make the hard drive essentially read-only.
Also, it doesn't hurt to check which processes you are running, and whether any of those are unusual.
I think the point is Boot CD, not Linux.
This would preclude any with an intelligent GUI (actually I am quite fond of Gnome at this point, but that wasn't what you meant).
If I am correct, using a Linux boot CD would make sense for Linux users too.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Unless your browser is listening for incoming connections, or your bank is running third-party banner ads (in which case, switch right the fuck yesterday), does a browser vulnerability really matter?
If you are using the LiveCD as a dedicated banking only environment, the only input your browser will see is your bank's website. If you can't trust user behavior, and want to really be sure, you could have it set to reject anything that doesn't have the bank's SSL cert. If your bank wants to 0wn you, you are already doomed. If no other site can reach your browser, your browser cannot be owned, no matter how buggy.
Ya, it stops key loggers, and that's great
Yeah, it is great, because a huge part of on-line fraud is from keyloggers. Modern ones even record 'screencast' movies of you using your computer.
but it ain't going to do much for your browser security unless you keep your LiveCD up to date
Between booting up and getting a DNS record for your bank how are they going to exploit a browser security problem? You could safely use unpatched IE5 to do online-banking. There might be some null-prefix type problems, but in reality going directly to your bank's site is pretty hard to get in between.
who says your CD burning software isn't infected - implications on trusting trust and all.
There are lots of different CD burning programs, lots of different distributions, lots of AV software that might detect the modifications, and a high risk of some paranoid geek with sha1 finding it out. Compared to just setting up an 'enter your password and win a free chocolate bar' site, it's not cost effective to do this.
Browser security is only an issue if you're visiting other sites, in the same session, on the same boot, on your LiveCD. Browsers on LiveCDs don't magically download malware from the internet by themselves - you have to direct them to. And most conventional malware must install itself - which won't happen on a LiveCD. There are a very few flash/js based attacks that work live in the same session - but really, if either (a) your bank has third-party inline flash ads or (b) you don't trust java content from your bank's own website, then why are you banking with them online?
And going as far as questioning whether your CD burning software is infected is ridiculous. You can't be any more certain that your mouse doesn't have embedded circuitry tracing your movement patterns, or your keyboard doesn't have a keylogger built directly into it, or the aliens aren't tapping directly into your cabling's electromagnetic interference patterns to directly access your bank account as you do. You're going to extremes purely for the point of argument, but although it may have passed you by, it was established several thousand years ago that "nothing is certain".
If you can imagine up scenarios like malware built into your cd-burning software specifically to target LiveCDs being used for online banking, I can't fathom how you trust a bank's own employees enough to actually keep your money with them instead of under the mattress.
"The true measure of a person is how they act when they know they won't get caught." - DSRilk
The browser on a LiveCD may be out of date. How about a USB flash drive that can save your ISP settings and can update the browser? Banks could distribute them for the price of the flash drive as a safer option for online banking.
Twinstiq, game news
Devil's advocate here:
Of course, a diskless system running Linux would reduce the chance of malware on clients, but perhaps if a company is dependent on Windows, almost as good security (and I state almost) would be obtained from denying admin access and using something like DeepFreeze, Windows SteadyState, or similar?
Combine DeepFreeze with AppLocker, some decent enterprise antivirus utilities, BitLocker, and the usual physical and BIOS protection on a machine, and one can make a decently locked down terminal that can cleanly run Windows apps. Should additional software be needed, no need to install it, just use something like VMWare ThinApp and have it runnable from a central location.
There is nothing wrong with a diskless system and booting from a CD-ROM. However, unless one creates a custom image with reliable enterprise level auditing tools, it becomes difficult to extract data from a group of PCs (and this is important for larger businesses come tax season, or regulatory compliance), and it is definitely an issue to add or update software without a reboot, unless it is a precompiled binary on a central server that people run.
Also, instead of running live CDs, why not consider going to a vendor like Wyse and going with truly thin technology? This way, there is little to no fiddling with the client side. If a thin terminal has a problem, just swap it out for another one, chuck the old one in the RMA box and be done with it. This is arguably a lot easier than the cost for maintaining standard PCs [1].
[1]: I'm primarily intending enterprise level here. For some SMBs, it is a lot cheaper to go with a boot CD and a generic PC, but for larger companies, it may mean more futzing around with stuff for their IT staff, especially on the scale of thousands of endpoints. If I had a startup with a call center of 5 people, PCs are a lot more economical. However, 500 to 1000 people in a non-technical call center, then I'd take a serious look at thin terminals and a beefy internal network fabric.
Also, honestly, how many people do you think check the MD5 sum on an ISO? Hell, I've never had a RedHat/Fedora disc that passed its self-check. I gave up on that ages ago.
Please help metamoderate.
sigh. Just off the top of my head I can think of about a dozen attacks one could direct against a bank user who thinks they're bulletproof because they're using a Linux LiveCD. For example, booting off a LiveCD won't save you from the truncated SSL cert attack that was demonstrated in the direction of PayPal the other day.. only having an up-to-date browser will do that. Encouraging people to use unpatched known-vulnerable software to do their banking just so they can avoid malware on their regularly patched machines makes no sense at all. Of course, that's the extreme case.. suggesting people use a LiveCD of Linux instead of an unpatched copy of Windows XP SP1 is a different kettle of fish.
How we know is more important than what we know.
A bank with any technical savvy would be immediately preparing a LiveCD/USB distro that boots as quickly as possible into a browser pre-configured with the bank's portal page set as the home page. The distro would contain nothing extraneous -- just enough for fast, safe banking. It would, of course, be thoroughly branded, but completely legit vis a vis source code and license notices. Give them away in the mail, or even sell USB drives.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
In the immediate term, that seems like a terrible plan. Akamai are a reputable outfit; but they carry stuff for all sorts of people. Any domain-level trust/validation mechanism isn't going to tell you very much about something from them. Barring a fix, the financial site should host their own javascript.
In the broader term, it might be worth looking into further cryptographic mechanisms. For instance, with debian packages, you can safely download from an untrusted mirror or an http mirror that might be subject to man-in-the-middle attack because the packages themselves are signed by the original distributor. Cryptographically, putting forged packages on a 3rd party mirror would be as difficult as man-in-the-middle attacking an SSLed connection to the original distributor. At worst, you disclose the fact that you downloaded package X to a hypothetical adversary (that isn't optimal; but it is far less than it might be).
If, for economic reasons, web sites that need to be secure wish to use 3rd party hosting for some of their material, a similar signing mechanism might be employed.
I connect to https://www.hypotheticalbank.com/ SSL assures me that I am in fact talking to the right people. hypotheticalbank.com says "Please obtain 'functionsandstuff.js' from '3rdpartyhosting.org', 'functionsandstuff.js' has been signed with our key and has SHA-1 hash XYZ, verify before loading." This would still be incrementally less secure than pure 1st party hosting, since 3rdpartyhosting.org can, by looking at my requests, infer that I am likely accessing hypotheticalbank.com at a given time; but it prevents an attacker, even if they control 3rdpartyhosting.org, from mucking with the code that my browser will end up executing.
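The scheme sketched above, as an added illustration (not code from the thread): the first party publishes a signed manifest naming the third-party URL and the file's hash, and the client loads the fetched bytes only if both the manifest signature and the hash check pass. It assumes an HMAC with a key the client already trusts standing in for the bank's public-key signature, uses SHA-256 rather than the SHA-1 mentioned in the post, and simulates the third-party host with a dictionary; all inputs are constructed. The hash half of this is what browsers later standardized as Subresource Integrity.

```python
import hashlib
import hmac
import json

# Placeholder for the bank's signing key; the client is assumed to have the
# matching verification key from the SSL-authenticated first-party page.
FIRST_PARTY_KEY = b"hypotheticalbank-signing-key"


def publish_manifest(signing_key: bytes, url: str, content: bytes) -> dict:
    """First party (hypotheticalbank.com): bind the third-party URL to the
    exact bytes it expects, then sign that binding."""
    digest = hashlib.sha256(content).hexdigest()
    body = json.dumps({"url": url, "sha256": digest}, sort_keys=True)
    sig = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def fetch_from_third_party(store: dict, url: str) -> bytes:
    """Stand-in for the request to 3rdpartyhosting.org; `store` is the
    (possibly attacker-controlled) content the host serves."""
    return store[url]


def load_script(verify_key: bytes, manifest: dict, store: dict):
    """Client: verify the manifest came from the first party, fetch the
    resource, and refuse to execute it unless its hash matches. Returns the
    script bytes on success, None if either check fails."""
    expected_sig = hmac.new(verify_key, manifest["body"].encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        return None                       # manifest forged or altered
    entry = json.loads(manifest["body"])
    blob = fetch_from_third_party(store, entry["url"])
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, entry["sha256"]):
        return None                       # third party served different bytes
    return blob


GENUINE = b"function login(){ /* constructed sample script */ }"
URL = "https://3rdpartyhosting.org/functionsandstuff.js"


def demo_genuine() -> bool:
    manifest = publish_manifest(FIRST_PARTY_KEY, URL, GENUINE)
    return load_script(FIRST_PARTY_KEY, manifest, {URL: GENUINE}) == GENUINE


def demo_tampered_host() -> bool:
    """Host swaps the file: hash mismatch, script is not loaded."""
    manifest = publish_manifest(FIRST_PARTY_KEY, URL, GENUINE)
    return load_script(FIRST_PARTY_KEY, manifest, {URL: GENUINE + b"//x"}) is None


def demo_tampered_manifest() -> bool:
    """Host also rewrites the manifest to match its file: signature fails."""
    evil = GENUINE + b"//x"
    forged = publish_manifest(b"not-the-bank-key", URL, evil)
    return load_script(FIRST_PARTY_KEY, forged, {URL: evil}) is None


if __name__ == "__main__":
    print(demo_genuine(), demo_tampered_host(), demo_tampered_manifest())
```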
A dozen? I can only think of three. Excluding such fanciful attacks as "camera over the shoulder". Indeed, a forged cert combined with DNS poisoning could be used as a possible MITM attack. However, as in my post below, you can explore possible attack vectors for the sake of argument into infinite regression. Opposite to your argument is the fact that my bank always requires the latest version of Java to be installed to use its online banking. Each time Java is updated and my LiveCD thus becomes out-of-date, I'd be forced to burn a new LiveCD which would throw in all the browser security improvements that go along with it. My argument is, it's not "terrible advice". At worst, it's "good advice which could be improved upon."
"The true measure of a person is how they act when they know they won't get caught." - DSRilk
hey, who says your CD burning software isn't infected - implications on trusting trust and all.
I understand there's only a fine line between safety and paranoia, but the idea of a CD burning software having been compromised to detect Linux LiveCD ISOs and add a software keylogger to the system included therein is so far up in 'paranoia' territory it already got full citizenship and is considering running for president against "Elvis is hidden in Area 51" and "9/11 was planned by Israel to draw the US into the middle east".
No problem is insoluble in all conceivable circumstances.
What about a Windows XP Live CD?
"Sir, there are some gentlemen here who say they are from an organization called the BSA. They want to see the license certificates for those Windows CDs we've been handing out..."
iSKUNK!
How do those malware affect live Linuxes?
Huh? Random number generators can be seeded with other data from your hardware, such as the system clock time, reading PCI devices, or some random data off your hard drive. Every single time you reboot your system clock has changed. If you have a hard drive, the data on there has probably changed too, so you can just read some information off the drive at the block level (you don't need to mount it). Every user who uses a live CD has different hardware.
The problem is trivial at best to solve. It may not be the absolutely perfect solution, and probably not good enough if you need a true random number generator, but good enough for this purpose. You definitely won't be in the same state every time you reboot (at the very least the time changed).
Yes, because everyone else has patched the bug.. Microsoft hasn't. But if you're using a LiveCD from before they patched the bug, then you are no more protected than the bozos using IE5.
How we know is more important than what we know.
Not Linux. Randomness comes from the time (hardware, persistent), but also from the randomness of network traffic and other driver miscellanea such as HDD head seek times, mouse movements, keystrokes, CPU temperature data, electrical noise on the power supply (with the right hardware)...
I can't say for sure, but I think Linux actually has the most secure random-number generator of any OS - excluding dedicated hardware. Enough that it can probably be fairly called a true RNG instead of a PRNG, as long as you use /dev/random instead of urandom.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
My battery is dead, you ignorant clod!
Actually, something like that happened at the Montreal Casino. The machines were shut down every day, so they would end up generating the same sequence of numbers. A guy named Daniel Corriveau noticed, played the numbers, won $600,000.
He initially claimed that he used chaos theory, and the casino claimed it was a bad random number generator. The reality was that the cmos batteries had been removed during development to make testing easier, and nobody put them back in, so every day, they started with the same seed. Simple incompetence. They paid the money after 2 weeks.
So in the case of a properly designed security token, it ISN'T just data on the Internet. The reason is that it isn't as though the "something you have" is a card with a number on it or the like. If that were the case then yes, discover the data and you are good. However they don't work like that. There are two related systems that I've seen:
1) A card that gives you a number. What happens is when you want to log in, you push a button on the card/device and it hands you a number. However the number isn't fixed, it changes with time. You need the right number for the right time. The way it works is a crypto system. It uses the time and a key in the device to provide the output. The other end then can calculate the correct number needed. The only way to get the number is to have the device, or find out what the key is on the particular device.
2) A challenge/response system. Here you plug in a USB key or smart chip. The device you are connecting to then sends a challenge to your device, usually something in the form of "Sign/encrypt this message." Then again, public key crypto comes into play. Your device encrypts the challenge or signs it or whatever and sends it back. The server checks that result against what it ought to get. If the answer is right, in you go.
In either case, the only way to get the data is to either find out the key, or to get your hands on the device. A simple intercept won't do it.
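Both token schemes described above, as an added illustration (not code from the thread): scheme 1 is modelled as a time-based one-time password (HMAC-SHA1 over the current 30-second slice, RFC 4226/6238 style) with the server accepting a small drift window, and scheme 2 as a single-use random challenge the device MACs. It assumes HMAC for the challenge/response in place of the public-key signature the post mentions, so the block stays self-contained; the test key is the RFC 6238 sample key, and the device secret is constructed.

```python
import hashlib
import hmac
import os
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Scheme 1 from the post: the counter is the current time slice, so the
    number on the card changes every `step` seconds (RFC 6238)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server side: recompute the code for the current slice plus `window`
    slices either side to tolerate clock drift. A captured code is only
    useful inside this short window, which is why a plain intercept fails."""
    current = unix_time // step
    ok = False
    for c in range(current - window, current + window + 1):
        # compare every candidate, no early exit, to keep timing uniform
        ok |= hmac.compare_digest(hotp(key, c, digits), code)
    return ok


class ChallengeServer:
    """Scheme 2 from the post: the server sends a fresh random challenge and
    checks the device's MAC over it. Each challenge is consumed on first
    use, so replaying a sniffed response is rejected."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.outstanding = set()

    def issue_challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify_response(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                  # unknown or already-used challenge
        self.outstanding.discard(nonce)   # consume it even if the check fails
        expected = hmac.new(self.device_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(device_key: bytes, nonce: bytes) -> bytes:
    """What the USB key / smart card does with the challenge it receives."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    k = b"12345678901234567890"          # RFC 6238 sample key
    print(totp(k, 59), verify_totp(k, totp(k, 59), 59))
    srv = ChallengeServer(b"device-secret")  # constructed device secret
    n = srv.issue_challenge()
    r = device_respond(b"device-secret", n)
    print(srv.verify_response(n, r), srv.verify_response(n, r))  # True False
```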
As for your "gun to the head" thing, well of course that gets around it. There is NO SUCH THING as perfect, unbreakable security. I think some geeks delude themselves into thinking there is because you can build a computer that is at least seemingly perfectly secure. However in the real world there is no such thing as perfect security. There is only security that is better than what anyone is going to try.
I mean I can secure against your gun to my head thing: I hire armed, trained, guards. You try to come at me with a gun, they take you out. So you can counter that, you get trained snipers to kill them at long range. So I counter by traveling only in secure armored vehicles, so you counter by kidnapping my family, so I counter by securing them too, and so on. However at some point, I got past what you could reasonably do, and more importantly what you'd reasonably do. In fact, with good two factor authentication, I am already past it. You will not come and put a gun to my head to get at my bank account. The money isn't worth the risk. So I don't need to worry about that kind of attack. My security is good enough.
That's all it is ever about. That's even what it is in the case of extreme security. The government does not delude itself into thinking that having tons of armed guys around, say, the CIA headquarters makes it impervious to attack. There are always ways to attack it. So why bother? Because it makes it impervious to any attack that anyone might actually be able to try to pull off. Yes, in theory you could find a way to kill all the guards, take the right people hostage, etc, etc. In reality, you couldn't even come close, you know this, and thus you won't even try.
It is secure against REAL threats, and that is what matters. Same deal applies to your bank account, however since you are protecting a small amount of money and not national secrets, two factor authentication and some vigilance on your part will suffice, armed guards are not necessary.
Browser security is only an issue if you're visiting other sites, in the same session, on the same boot, on your LiveCD.
Wrong. Any security compromise on the same boot lends a possibility of compromising that session. Not all vulnerabilities will lead to that, but some can.
And going as far as questioning whether your CD burning software is infected is ridiculous. You can't be any more certain that your mouse doesn't have embedded circuitry tracing your movement patterns, or your keyboard doesn't have a keylogger built directly into it,
No, the question is not whether the software came pre-0wned. The question is, once this practice becomes widespread, won't malware authors target the ISO downloading and/or CD burning process? If malware attaches itself to Nero, and Nero injects something into your shiny new livecd, what are you going to do? Ask it to verify itself?
or the aliens aren't tapping directly into your cabling's electromagnetic interference patterns to directly access your bank account as you do. You're going to extremes purely for the point of argument,
Which is exactly what you just did, right there.
See, keyboards with embedded keyloggers do exist, though mostly as proof of concept. While I'm not sure a mouse-movement-logging-mouse exists, it's not hard to imagine how one might be built.
There isn't any convincing evidence that aliens exist, and if they are here, we have no idea how they could be monitoring our thoughts.
All beside the point, of course, which is that this truly is security through obscurity, in two ways:
First, because it'd be much harder to write malware that compromises all burning software and rootkits your new LiveCD and rootkits your current Windows system such that you won't be able to detect the rootkit on the LiveCD...
But "harder" just means, they won't do it until it's worth it -- it's an obvious vulnerability.
The second kind of security through obscurity is the fact that this technique is relatively obscure -- that is, not well known. If users never use LiveCDs a lot, this will probably work well, because someone fishing for account info will go for your neighbor's (who accesses his bank from IE6) rather than you.
But neither kind is actually secure.
Don't thank God, thank a doctor!
For example, Mainland China, where all banks use the super-secure ActiveX technology to build their own authentication systems...
Most distributions still include binary blobs in their corresponding source code that can bring the kinds of problems for which Microsoft Windows is advocated against in the article.
You won't find the word "proprietary", "open source", or "source code" in the article. The reason Windows is advocated against is simple: Malware is written to target Windows. Malware could as easily be written to target any operating system which is vulnerable.
Thankfully at this point, you can get machines that run a free bios, support wireless, and run 100% free software.
And 100% proprietary hardware, unless you've got schematics for all of it.
Never mind that you're connecting to a webserver running the bank's proprietary software...
Thankfully at this point, you can get machines that run a free bios, support wireless, and run 100% free software.
Which you've of course scrutinized every single line for security vulnerabilities... ...what's that? You haven't?
Why is it that you think free software is inherently more trustworthy than proprietary software, in that way? Or that the binary blobs in question are inherently compromising your security?
And, conversely, if you're a valuable enough target that you can afford to (and should) scrutinize every line, wouldn't you also have a budget to enroll in Microsoft's "Shared Source" program, and gain full access to the Windows source code, also?
No, you're right, there's nothing special about a "Linux LiveCD". But the magic word here isn't Linux, or even the implied "Free Software", but "LiveCD". From the point of view of the article, it could be a Windows PE disc, it's just that Linux CDs are free (as in beer), and Windows offers no real advantage in an environment which will only run a web browser.
I agree with many of the goals of software freedom, and I agree a solid open source process can yield more robust software than a closed one. But not every article with the word "Linux" is an appropriate place to bring it up. You sound kind of like this guy.
Don't thank God, thank a doctor!
Yes the title says it all.
We need to keep it simple people.
Facts:
1. Banks are keeping their costs down, they are not issuing hardware to all of their customers to generate one time keys.
2. Most people (more than 90%) run windows.
3. The average user cannot be sure that their computer running a Microsoft OS has NOT been compromised in some way.
4. A Linux LiveCD is able to solve the problem.
Put the CD in, reboot the computer, open Firefox, type in the URL for the bank and enter your user name and password. Simple and secure. Reboot and you are back to Windows. Nothing stored, nothing cached, and nothing saved.
When I say simple and secure. I am talking real world Joe six-pack security. If you have decided to bank online you have already given up worrying about DNS poisoning, compromised routers, man-in-the-middle attacks. If you don't want to spend the money for a Mac or a new PC just for banking, a Linux Live CD is a great choice. Not to mention you know it is secure, because you can't infect a live CD.
vi +
My bank (Bank of America) has optional two factor authentication. The way it works is you specify what it is used for. So login is an option (off by default when you get it), login on an unrecognized computer is an option (on by default when you get it), money transfer, adding a new bill pay recipient and so on. Now it asks you each time for the code when you do any of these things. So if you had everything on and logged in from a new computer you'd have to enter the code first to validate the new computer (along with answering a question). Then you'd have to enter a new code to actually do a login. You'd have to then enter a third code to add someone new to billpay. You choose when it asks (and for that matter if you want to use it in the first place).
So they already do as you suggest. Really, two factor security with banks is pretty good. It's not perfect, but no security is. However, it'll stop nearly all the attacks you can think of. You have to get MUCH more complex to get around it. Well, the harder you make a target, the less tempting that target is.
After all if someone has $5000 in savings and you can steal that with a 4 line Perl script, a thief will probably find that worth it. However if to get the same $5000 you need a series of extremely complex custom programs that aren't even guaranteed to work and maybe increase your risk of exposure, well perhaps that $5000 isn't so worth it after all.
Compare it to money on the street. If there's a $100 bill lying on a bench with nobody around, maybe you just pocket it. Easy, risk free money. If that same $100 has a camera watching it, a strong guy by it, and a snarling dog on a chain near it, you probably give it a miss. Could you take out the camera, guard, and the dog? Maybe, but it probably really isn't worth the risk.
What in the holy hell do people who make costumes have to do with any of this?
If you are going to rob a bank anonymously you absolutely need a costumer. The costumer is the person who dresses up the bank robber in his archetypal striped shirt and handkerchief mask. Costumers are typically blond with big... ideas.
"No fear. No envy. No meanness." Liam Clancy
And that they have it to hand when they're doing the transfer. I suppose you could say that anyone who's doing internet banking is likely to have one but even so, it seems a bit presumptuous.
Yes, a hardened single-purpose Windows machine is almost as resilient as a Live CD. Almost. It is also infinitely harder to set up correctly and significantly less useful all those times you aren't banking. It is understandable why it is not the solution recommended for non-technical users or people who only want one computer.
Beyond multi-factor authentication, there's another fundamental problem with many Bank websites. They only work in IE. It's difficult to convince non-power-users to drop a bank and go with another that works in Konqueror or even Firefox. This is especially a problem in a non-US country where every bank has the same problem.
I'm confused, are you supporting or disagreeing with my post?
Not Linux. Randomness comes from the time (hardware, persistent), but also from the randomness of network traffic and other driver miscellanea such as HDD head seek times, mouse movements, keystrokes, CPU temperature data, electrical noise on the power supply (with the right hardware)...
If you start the LiveCD only to use online banking there isn't much time between the startup and the time you need randomness for a secret key. The question is if there is enough time to gather sufficient entropy from the environment.
Others have suggested to seed with the current time, but that is easy to guess for an attacker. Netscape's original SSL implementation was broken because the PRNG used only the current time (in microseconds) and the PID as a random seed ([1], [2]).
[1]: http://marc.info/?l=bugtraq&m=87602167418753&w=2
[2]: http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html
But the banking system here requires the use of single use numbers for each online banking transaction. Your bank provides you with a unique sheet of them and if you lose it, you have to request a new one. Nor are credit cards popular with German consumers. Sites such as Amazon.de allow payment by bank transfer (Überweisung). You can manually complete the transaction slip and give it to your bank or do the same thing with your online banking. Any issue and the transfer has to be reversed. There are an awful lot more banks too - one just around the corner from me and at least three within a few minutes' walk with real people working there and very, very friendly managers - if you're liquid!
Posts, MyBio or Sig, may contain satire, sarcasm, bolded nouns be sardonic or even witty & be Church of SD
OK. I'll wait for actual implementation.
P.S. I have been waiting for the invasion of Linux viruses for over 15 years, how long you expect I need to wait for this?
If you are trying to be safe, you have to realize that 'safe' is a probability, not a certainty. What is the frequency of this vulnerability relative to the frequency of compromised computers? If you want absolute safety, well, you can't have it. If you decide to bank in person, you have to drive to the bank - risking your life by getting behind the wheel. If the average user has a choice between using his 'regular' browser that was downloading free porn and free photoshop via some torrent, or using a clean browser from a bootable CD, I'm willing to bet long odds that the frequency of attack will go way down with the live CD option. A frequently updated Live CD would seem to be a fairly practical solution for most users. I would also suggest that a bank supplied live cd that prevents surfing to other sites would be even better. The CD could have a jailed browser and a jailed 'something you have' key/value map that allows the bank to ask you for the value for their key. There may still be attacks, but the frequency with such a 2-factor authentication must be quite low, but not zero.
Think global, act loco
Like I suggested in August: http://slashdot.org/comments.pl?sid=1347481&cid=29198657&art_pos=4
The banks should distribute a locked down version themselves. Then they can even build in extra authentication in the browser and minimise other programs with possible weaknesses