Computerworld: "use Ubuntu live CD for banking"

Discussion in 'all things UNIX' started by mvario, Mar 26, 2010.

Thread Status:
Not open for further replies.
  1. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  2. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    It doesn't surprise me at all that I would come to this. A Ubuntu live pen drive would be a far more convenient option as well, its quicker to boot and u can save some data if need be.
     
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    the problem is if exploits are found for ubuntu you would need to get a new live cd to correct it.

    one of the stupid points of that acticle is "A bootable CD works because it's isolated from the host PC environment. Malware on the host can't touch it - and any malware picked up when running from the CD-ROM goes away once the CD is ejected. "When you eject the CD you have removed everything off the machine"

    if there is a keylogger when using the live cd it can log username and passwords and once you shutdown the live cd all evidence of the keylogger is gone.

    the only consumers that will use the ubuntu live cd for internet banking are the security conscious/paranoid which wont need to.

    maybe someone will create a very secure barebones live cd designed for internet banking.
     
    Last edited: Mar 28, 2010
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,091
    Hi lodore,

    If exploits are found for ubuntu you wouldn't need to get a new live cd to correct it, you would only need to either update your live cd session with a security fix (package(s)) and then save the files related to the package fix(es) on your hard drive. The next live cd session, tar the saved files into place from the hard drive after booting up the live cd.

    Live CDs are typically not writable, and when you power down your computer, if malware got into memory, unless you mount your hard drive and the malware can stealthily save itself to the hard drive, it is expunged (since it only resides in RAM) at power down.

    Also, if the keylogger does not realize it is not on a hard drive and only in memory it would have to send the stolen username/passwords to a remote site (not impossible), but then again, not very likely unless the malware writer is more than just a script kiddy that bought the malware and doesn't know how to modify the malware to make it smarter.

    -- Tom
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hey Tom,
    most people wouldnt know how to store the fixes on their harddrive so the livecd can see them. people would simply use that livecd with the exploit until they find out a new version of ubuntu is out. thats my main point.
     
  6. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Iodore, I am one of those. Would you care to briefly describe the procedure in layman's terms ? Thanks .
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello Ocky,
    Until tom's post i didnt know you could do that with livecd's and im busy today so havent had time to research it.
     
  8. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I will also see if I can find some info as I am not sure about the methodology as described by Tom.
     
  9. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Nothing new really. I have been using this method ( and imagine many many others ) since years....
    I would not worry for the exploits too. Banking sessions are really short.
    The idea of a usb flash key or updating the live cd is a no go, since then more security issues may arise for non experienced users. The live cd should be not be writeable. The banks could update their live cds and provide them for download.

    I had posted a few days ago https://www.wilderssecurity.com/showthread.php?p=1646271#post1646271
    how I consider the ideal usage of a live cd for online banking ( nothing special but this is how I usually do it ).
     
  10. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    You can lock live usb thumb drive or set persistent data to none. The usb boots way faster than pesky live CD and also netbooks don't come with CDROM drives.
     
  11. ad67

    ad67 Registered Member

    Joined:
    Dec 16, 2006
    Posts:
    29
    Two issues concern me Re using a livecd for banking;

    First, I have tried a few livecd's recently and I am able to access (read/write) my NTFS partitions without any password required - I do not know how to change this.

    Secondly, I sometimes download statements and confirmations and need to save them; if I save to a USB drive, would that be a security risk?
     
  12. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    Make a separate encrypted folder in your USB for those documents and statements.
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,091
    Hi Ocky,

    Since mid-June 2006 when my WinXP Pro SP2 bogarted for the second time (apparently I need to do a parallel re-install to recover), I have been using Ubuntu Live CDs exclusively as my daily working environment - starting with 6.06 and now on 9.10.

    I have built scripts that do the following:
    setup (Live CD OS and Linux device determination+getting initialization script), now mainly used for time localization), initialization (tars package files previously installed from hard drive and initializes iptables firewall rules), saving and reinstalling FF profile before/after sessions, alias bash macro for mounting hard drive w/older installed Linux (no longer used), and scripts for gathering the files from installed packages and tarballing them for subsequent re-installation into a new Live CD session (takes only a minute).

    I'll look for the thread in which I described some of these in another forum and post the link so you can read it and get the ideas it involves.

    I have yet to burn my work to a USB, but look forward to it when I solve some more pressing problems regarding the creation of a PAE Live CD (I have 4GB RAM w/an i686 cpu).

    Found the links with a couple of others for those interested in making a more secure iptables environment in Linux:
    Secure Surfing in a Live CD Environment at: http://forums.techguy.org/linux-unix/685358-secure-surfing-live-cd-environment.html
    Iptables-tutorial 1.2.2 (the nuts and bolts) + more at: http://forums.techguy.org/linux-unix/689241-iptables-tutorial-1-2-2-a.html
    Ubuntu iptables HowTo at: http://forums.techguy.org/linux-unix/687057-ubuntu-iptables-howto.html
    Block brute force attacks with iptables at: http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
    Note: I authored the first link only and the other referenced links link to other articles by other authors well worth your time.
    Note: I no longer use 56k dial up, but subscribe to a faster service these days.

    -- Tom
     
    Last edited: Mar 29, 2010
  14. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Why not use x64 Ubuntu and not bother with PAE kernel?
     
  15. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,091
    Hi linuxforall,

    Yes, its possible, but as it turns out the pae packages provided for x86 should, but sadly do not in a Live CD environment, detect 4GB properly - only 3GB. Essentially, you have to recompile the Linux kernel with 64GB High Memory, and deactivate kernel debugging to build a new header and kernel package for 3.6.31-20-58 (latest version).

    The issue is that Canonical never tests to see if their packages would work in a Live CD during their QA cycle - you have to reboot the machine (not possible w/Live CD) - then maybe,for over 4GB, but not just a 4GB. As a last resort when all else fails - I will try it.

    Update: When attempting to boot the ubuntu-9.10-desktop-amd54.iso I got the following message:
    This kernel requires an x86-64 CPU, but only detected an i686 CPU. Unable to boot - please use a kernel appropriate for your CPU.

    And that is why I have to recompile the 2.6.31-20.58 kernel image and headers packages for the 32-bit i686 cpu w/64 bit High Memory option w/o kernel debugging turned on due to CD iso file size restrictions. I muffed my first try - install order was reversed and I got some error messages, so I need to go back and get it right this time - if possible at all.

    -- Tom
     
    Last edited: Mar 31, 2010
Loading...
Thread Status:
Not open for further replies.