Any vulnerabilities to the Linux Live CDs for banking?

Discussion in 'other anti-malware software' started by jfd15, Jan 10, 2008.

Thread Status:
Not open for further replies.
  1. jfd15

    jfd15 Registered Member

    Thinking about using the various Live CDs for online banking and stuff....
    Was wondering what possible vulnerabilities there might be to that....

    Are there any hardware-based viruses or trojans etc. out there in the wild that would defeat this?
     
  2. Jomsviking

    Jomsviking Registered Member

    A good commercial hardware keylogger can be a problem; some are easily detectable through simple inspection, some are not.
    Always inspect thoroughly the computers you deal with and, LiveCD or not, never conduct financial activities on public computers.

    If the computer is yours and/or you are sure no hardware keyloggers are in action, Linux LiveCDs are a sensible choice, though they have one downfall: the apps there are "frozen" at the versions they had when the CD was recorded, and vulnerabilities in those apps might have been discovered since the time of recording; provided you type the addresses of the banks' safe sites and don't follow any links, and use one LiveCD session just for the banking operations, this shouldn't be much of a problem.

    You can also give some thought to the idea of a sandbox, like DefenseWall, which has a "Go Banking" mode.
     
  3. atlantis

    atlantis Registered Member

    What if it's Firefox with KeyScrambler on pen drive U3? Any vulnerabilities?
     
  4. Jomsviking

    Jomsviking Registered Member

    I don't have practical experience with U3, so I cannot speak.
    Searching the internet, it seems that U3 drives can be made bootable, although they are not so by default; if U3 drives interact with the host hard disk, they will be more at risk than a Live CD. Bootable or not, hardware keyloggers will always represent a menace. The essential advantage of U3 seems to be portability of apps and keeping of settings and documents in an easy way, not necessarily security. But, again, I have no direct experience with U3, so...
    One would also have to take into account the efficiency of KeyScrambler against the various software keylogging methods.
     
  5. Diver

    Diver Registered Member

    What if someone is looking over your shoulder while you are banking? Truth be told, live Linux is a great idea. I don't know where you intend to use it. Is it at home or in an internet cafe? The latter could have hardware key loggers, but it's a remote chance as software does it almost for free. If traveling, carry several different live CDs and hope one works on the machine in front of you, and the owner of the place does not get upset about you booting his PCs.
     
  6. atlantis

    atlantis Registered Member

    Travels, internet cafe

    U3

    "New technology from a company called U3 allows a drive to store and, when plugged into any PC, securely run applications - without leaving a trace of data on the host computer. The applications (which must be U3-compliant), data, and personal settings all reside on the portable drive, permitting you to temporarily turn any Windows 2000 or XP system into a personal workstation without threat to your privacy.
    ..
    When you're done, you click an eject button on the menu to safely remove the device (although if no apps on the drive are open and you aren't copying any data onto the drive, you should be able to simply unplug it without problems). As promised, the drive left no traces of the applications on our test PC, apart from the device number that any USB drive leaves in the Windows Registry when plugged in"

    http://pcworld.about.com/magazine/2312p030id123266.htm

    "KeyScrambler Personal encrypts your keystrokes at the kernel driver level to protect your login information from keyloggers.

    When you type on your keyboard, the keys travel along a path within the operating system before it arrives at your browser. Keyloggers plant themselves along this path and observe and record your keystrokes. The collected information is then sent to the criminals who will use it to steal from you.

    KeyScrambler defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable."

    http://www.qfxsoftware.com/learn_more.htm

    Using U3 and KeyScrambler in Firefox, how well am I protected?
    (URL banking address in Bookmarks)

    regards
    :)
     
    Last edited: Jan 12, 2008
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Hello,

    Just a question: what's the security level of your bank site? Do they force you to use token keys? If they do, case closed. You don't need anything. Even if you have a keylogger present, your sessions are no good without the token ...

    It's up to the bank and physical security of login to make sure the customers are safe, at the very least.

    And even if this is not the case, why such paranoia? The chances of you getting nobbed while doing online banking are no higher or lower than someone hijacking your credit card while paying in Kmart...

    Mrk
     
  8. jfd15

    jfd15 Registered Member


    Just using on my own machine...not worried about hw keyloggers...am only worried about malware on my machine that I don't find, so I thought the Live CD, as was mentioned elsewhere on here, might be an interesting idea..

    Yeah, could be paranoia, thought I could just find an easy foolproof way to not have to worry about any malware again...I don't know what token keys are, Wells Fargo just asks for login name and password, don't know what else they're using, although they did freeze my online banking when someone tried logging in from an IP out of the country (which I think was just me using a free VPN service)...would just be nice to know I have one method where malware has no chance
     
    Last edited: Jan 12, 2008
  9. Kerodo

    Kerodo Registered Member

    I think your idea is good. With Linux in general, malware is a non-issue. And with a live cd, it's even less likely that anything will go wrong. I don't think you can go wrong with this idea....
     
  10. jfd15

    jfd15 Registered Member


    Thanks, I think I'll use it....wish I could say the idea was mine but I saw someone else on here refer to the idea a few weeks ago
     
  11. Jomsviking

    Jomsviking Registered Member

    If the USB drive interacts with the registry in the OS, there are a number of other interaction possibilities. It would be possible for malware to take advantage of this. If the U3 is made bootable, the situation may be different, I don't know.
    I would say that, from a security point of view, it is best to resort to Linux Live CDs and avoid loading the machine's OS when working in an untrusted environment.
     