Computerworld: "use Ubuntu live CD for banking"

Can Ubuntu save online banking?
http://blogs.computerworld.com/15815/can_ubuntu_save_online_banking

 

It doesn't surprise me at all that I would come to this. A Ubuntu live pen drive would be a far more convenient option as well, its quicker to boot and u can save some data if need be.

 

the problem is if exploits are found for ubuntu you would need to get a new live cd to correct it.

one of the stupid points of that acticle is "A bootable CD works because it's isolated from the host PC environment. Malware on the host can't touch it - and any malware picked up when running from the CD-ROM goes away once the CD is ejected. "When you eject the CD you have removed everything off the machine"

if there is a keylogger when using the live cd it can log username and passwords and once you shutdown the live cd all evidence of the keylogger is gone.

the only consumers that will use the ubuntu live cd for internet banking are the security conscious/paranoid which wont need to.

maybe someone will create a very secure barebones live cd designed for internet banking.

 

Hi lodore,

If exploits are found for ubuntu you wouldn't need to get a new live cd to correct it, you would only need to either update your live cd session with a security fix (package(s)) and then save the files related to the package fix(es) on your hard drive. The next live cd session, tar the saved files into place from the hard drive after booting up the live cd.

Live CDs are typically not writable, and when you power down your computer, if malware got into memory, unless you mount your hard drive and the malware can stealthily save itself to the hard drive, it is expunged (since it only resides in RAM) at power down.

Also, if the keylogger does not realize it is not on a hard drive and only in memory it would have to send the stolen username/passwords to a remote site (not impossible), but then again, not very likely unless the malware writer is more than just a script kiddy that bought the malware and doesn't know how to modify the malware to make it smarter.

-- Tom

 

Hey Tom,
most people wouldnt know how to store the fixes on their harddrive so the livecd can see them. people would simply use that livecd with the exploit until they find out a new version of ubuntu is out. thats my main point.

 

Iodore, I am one of those. Would you care to briefly describe the procedure in layman's terms ? Thanks .

 

Hello Ocky,
Until tom's post i didnt know you could do that with livecd's and im busy today so havent had time to research it.

 

I will also see if I can find some info as I am not sure about the methodology as described by Tom.

 

Nothing new really. I have been using this method ( and imagine many many others ) since years....
I would not worry for the exploits too. Banking sessions are really short.
The idea of a usb flash key or updating the live cd is a no go, since then more security issues may arise for non experienced users. The live cd should be not be writeable. The banks could update their live cds and provide them for download.

I had posted a few days ago https://www.wilderssecurity.com/showthread.php?p=1646271#post1646271
how I consider the ideal usage of a live cd for online banking ( nothing special but this is how I usually do it ).

 

You can lock live usb thumb drive or set persistent data to none. The usb boots way faster than pesky live CD and also netbooks don't come with CDROM drives.

 

Two issues concern me Re using a livecd for banking;

First, I have tried a few livecd's recently and I am able to access (read/write) my NTFS partitions without any password required - I do not know how to change this.

Secondly, I sometimes download statements and confirmations and need to save them; if I save to a USB drive, would that be a security risk?

 

Make a separate encrypted folder in your USB for those documents and statements.

 

Hi Ocky,

Since mid-June 2006 when my WinXP Pro SP2 bogarted for the second time (apparently I need to do a parallel re-install to recover), I have been using Ubuntu Live CDs exclusively as my daily working environment - starting with 6.06 and now on 9.10.

I have built scripts that do the following:
setup (Live CD OS and Linux device determination+getting initialization script), now mainly used for time localization), initialization (tars package files previously installed from hard drive and initializes iptables firewall rules), saving and reinstalling FF profile before/after sessions, alias bash macro for mounting hard drive w/older installed Linux (no longer used), and scripts for gathering the files from installed packages and tarballing them for subsequent re-installation into a new Live CD session (takes only a minute).

I'll look for the thread in which I described some of these in another forum and post the link so you can read it and get the ideas it involves.

I have yet to burn my work to a USB, but look forward to it when I solve some more pressing problems regarding the creation of a PAE Live CD (I have 4GB RAM w/an i686 cpu).

Found the links with a couple of others for those interested in making a more secure iptables environment in Linux:
Secure Surfing in a Live CD Environment at: http://forums.techguy.org/linux-unix/685358-secure-surfing-live-cd-environment.html
Iptables-tutorial 1.2.2 (the nuts and bolts) + more at: http://forums.techguy.org/linux-unix/689241-iptables-tutorial-1-2-2-a.html
Ubuntu iptables HowTo at: http://forums.techguy.org/linux-unix/687057-ubuntu-iptables-howto.html
Block brute force attacks with iptables at: http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
Note: I authored the first link only and the other referenced links link to other articles by other authors well worth your time.
Note: I no longer use 56k dial up, but subscribe to a faster service these days.

-- Tom

 

Why not use x64 Ubuntu and not bother with PAE kernel?

 

Hi linuxforall,

Yes, its possible, but as it turns out the pae packages provided for x86 should, but sadly do not in a Live CD environment, detect 4GB properly - only 3GB. Essentially, you have to recompile the Linux kernel with 64GB High Memory, and deactivate kernel debugging to build a new header and kernel package for 3.6.31-20-58 (latest version).

The issue is that Canonical never tests to see if their packages would work in a Live CD during their QA cycle - you have to reboot the machine (not possible w/Live CD) - then maybe,for over 4GB, but not just a 4GB. As a last resort when all else fails - I will try it.

Update: When attempting to boot the ubuntu-9.10-desktop-amd54.iso I got the following message:
This kernel requires an x86-64 CPU, but only detected an i686 CPU. Unable to boot - please use a kernel appropriate for your CPU.

And that is why I have to recompile the 2.6.31-20.58 kernel image and headers packages for the 32-bit i686 cpu w/64 bit High Memory option w/o kernel debugging turned on due to CD iso file size restrictions. I muffed my first try - install order was reversed and I got some error messages, so I need to go back and get it right this time - if possible at all.

-- Tom