Is linux safe for online banking?

Discussion in 'all things UNIX' started by StrangerGuy, Nov 24, 2012.

Thread Status:
Not open for further replies.
  1. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    finding specific ip on internet out of

    Code:
    Country                      Country code    Addresses     Per Person
    United States                     US       1557.32 million     5.59
    China                             CN        329.97 million     0.26
    Japan                             JP        201.94 million     1.59
    United Kingdom                    GB        123.92 million     2.08
    Germany                           DE        119.38 million     1.45
    South Korea                       KR        112.25 million     2.40
    France                            FR         95.64 million     1.61
    Canada                            CA         79.59 million     2.56
    Italy                             IT         52.81 million     0.92
    Brazil                            BR         52.76 million     0.31
    Australia                         AU         47.76 million     2.53
    Russian Federation                RU         45.39 million     0.31
    Netherlands                       NL         45.29 million     2.85
    Taiwan                            TW         35.39 million     1.59
    India                             IN         34.79 million     0.03
    Sweden                            SE         29.66 million     3.35
    Spain                             ES         28.64 million     0.73
    Mexico                            MX         26.30 million     0.27
    South Africa                      ZA         21.86 million     0.54
     
    Last edited: Nov 27, 2012
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Maybe it's time to change banks if it uses that many scripts per page o_O

    A live cd is no doubt fine, but completely unnecessary for home online banking with a reputable bank.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Another approach, and to be honest a lot simpler, would be to create a dedicated browser profile, and allow it to connect only to the bank IPs and domains, also restrict access only to port 443. Hopefully, not that many banks default to port 80. :argh: The beauty of it, is that, with Chromium/Chrome you can do it using a built-in mechanism. No need for firewall configurations. :D With Firefox, one can use extensions without having to resort to firewalls.

    The approach mentioned above would have prevented that, regardless of the operating system.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada

    That's true, and it would also prevent the re-direct of a victim's banking session cookie to the attacker in the event of an XSS attack, although any bank vulnerable to this (not able to properly sanitize the user's data in their server) is not worth dealing with.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If you run Firefox as a separate user (you can have a bank user) you can then use IPTables to restrict it to a single port. I'd still suggest Apparmor, as it's only a matter of "aa-enforce /etc/apparmor.d/*firefox*", but there are lots of ways to secure things on Linux.
     
  6. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi
    1. Yes, Linux is secure for online banking.
    Most evil scenarios include a compromised host, client/server based malware or attack, and in very rare cases, a bank server and data breach.
    Linux is statistically safe against malware (banking trojans, pwd stealers etc) if we consider that more than 95% of them target Windows platforms.
    In a trusted environment there is no need to be paranoid about an attacker.
    On a wireless network and in sensitive places (hotel, congress, airport etc), attacks technically have more chance of success (WPA/WPA2 with PEAP auth. and even VPN PPTP).
    In order to be a good defender, it is sometimes required to be a good attacker, and in this case MiTM appears not difficult to detect and counter (if done with SSLSniff, a few Firefox extensions and a browser proxy are enough).
    As an easy way, there are banking-focused distros like Bankix:
    http://www.heise.de/ct/projekte/Sicheres-Online-Banking-mit-Bankix-284099.html
    But any good hardened distribution will be enough; VPN, browser extensions and a virtual keyboard are a plus.

    2. As far as I know, there is no software similar to Trusteer for Linux.
    Most client/server Security as a Service solutions like Trusteer provide a client to install on the host OS (mostly Windows), a secure or lockdown browser, encrypted network, DNS protection and in some cases hardware authentication like smart cards for instance.
    Solidcare is known for providing a cross-platform solution, available for Linux:
    http://www.solidpass.com/
    http://www.solidpass.com/platforms/linux-security-software.html
    But the choice depends on each financial institution, and Trusteer is popular because it is not an expensive solution.

    Most of all, this topic has already been circumscribed many times:
    https://www.wilderssecurity.com/search.php?searchid=4888208

    Rgds
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Even restricting iptables to the bank's ip addresses as well as port(s) is possible, if desired. With UFW it's along the lines of eg:

    Code:
    sudo ufw allow out proto tcp from any to xxx.xxx.xxx.xxx port 443
    or to cover an ip range using a subnet mask:

    Code:
    sudo ufw allow out proto tcp from any to xxx.xxx.xxx.xxx/26 port 443  # /26 is netmask 255.255.255.192; a CIDR prefix must be 0-32, so /192 is rejected
    If someone's too intimidated by Apparmor, just using Firefox w/NoScript or even Chrome and the firewall rules should be plenty secure to say the least. The same approach is possible in Windows, too, of course.
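
Hungry Man's per-user iptables idea and wat0114's address-and-port restriction, combined as an added example that is not part of any post in this thread: the script only prints the rules it would apply, and it refuses any network whose prefix length is not between 0 and 32. The user name `bank`, the chain name `BANK_OUT`, the resolver address and the RFC 5737 documentation networks are assumptions.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules confining one local user to
# HTTPS on an allow-list. User, chain, resolver and addresses are assumptions.

# valid_cidr ADDR[/PREFIX]: succeed only for a well-formed IPv4 host or CIDR block.
valid_cidr() {
    local addr prefix octet old_ifs
    case $1 in
        */*) addr=${1%%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    # The prefix is a bit count from 0 to 32, so a mask octet such as "/192" fails.
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Exactly four non-empty, dot-separated, all-digit fields.
    case $addr in
        *[!0-9.]*|*.*.*.*.*|.*|*.|*..*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# bank_rules USER RESOLVER NET...: print the rule set, or nothing if any NET is bad.
bank_rules() {
    local user resolver net
    user=$1; resolver=$2
    [ $# -ge 3 ] || { echo "usage: bank_rules USER RESOLVER NET..." >&2; return 2; }
    shift 2
    for net in "$@"; do
        valid_cidr "$net" || { echo "bank_rules: bad network '$net'" >&2; return 2; }
    done
    echo "iptables -N BANK_OUT"
    for net in "$@"; do
        echo "iptables -A BANK_OUT -p tcp -d $net --dport 443 -j ACCEPT"
    done
    # Name lookups go to one resolver only; everything else from USER is refused.
    echo "iptables -A BANK_OUT -p udp -d $resolver --dport 53 -j ACCEPT"
    echo "iptables -A BANK_OUT -j REJECT"
    # The owner match ties the chain to sockets created by USER.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j BANK_OUT"
    # iptables covers IPv4 only, so IPv6 is refused for USER outright.
    echo "ip6tables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# Constructed sample: user "bank", RFC 5737 documentation addresses.
bank_rules bank 192.0.2.53 192.0.2.10 198.51.100.0/26
```

Review the printed rules, then run them as root; the browser is then started under the dedicated account so the owner match applies to its sockets.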
     
  8. BrandiCandi

    BrandiCandi Guest

    OK, point taken if you're using a live CD. If you're using an installed operating system, then it's vital to keep it patched so that you don't get malware installed from other sources which would then take advantage of your banking session.

    A live CD is not going to fall victim to persistent exploits like root kits or malware. But it will run an older version of a browser which could lead to session hijacking and credential theft. That happens entirely in the browser independent from the operating system, thus it's a good idea to keep your browser updated always (which you can't do in a live cd).

    I've made this case about browser security several times on this forum, and it generally seems to fall on deaf ears. Maybe this will help:

    http://web.nvd.nist.gov/view/vuln/search-results?query=firefox&search_type=all&cves=on

    That's a list of 900+ vulnerabilities in various versions of Firefox. Most are operating-system agnostic. I don't know how many are being actively exploited in the wild, but I can guarantee that some of them are.
     
  9. BrandiCandi

    BrandiCandi Guest

    In a targeted attack the attacker always wins. Don't kid yourself. And yes, Miss swordfish knows your IP, mack_guy911... 300.156.68.5 right? lol

    I strive to keep it real, so the reality is that everyone on this forum is incredibly unlikely to be targeted. You're way way way more likely to stumble across scripted malware out there that targets Windows. If you're not running Windows then obviously the exploit fails. That doesn't make you immune to browser or adobe or java exploits, however. If you run a system with this software fully patched then you've significantly reduced the potential for attacks that run on any kind of operating system.

    <Oh God, I'm on a rant but I can't stop> You simply cannot argue that unpatched software is more secure than patched software. If you make that argument then you have utterly failed to understand how attacks happen.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    BrandiCandi knows her ****, and she's entirely right about everything in the above post.

    In the case of a LiveCD you're left with vulnerabilities that can potentially be known to attackers. Even in the event of faulty patches (ie: they aren't fully preventing the vulnerability or add new vulnerabilities) that's better than no patch, as attackers have to then rework the exploit.

    In the case of a program full of known holes one only has to pull from work already out there to exploit them. Metasploit is proof of this - the bar for using Metasploit is set far lower than the bar for creating your own exploit code.

    LiveCDs are out of date - they defeat the purpose of securing the system. Attackers lose persistence but it's only a matter of intercepting or infecting the right session.

    It's the same reason Grsecurity only provides patches for the newest kernels. As they state, no matter how powerful the security mitigations in place (and PaX and Grsecurity are the most powerful) it can't make up for multiple vulnerabilities.

    And if Grsecurity says it you should take note - that's Brad Spengler and PaX Team and they're responsible for everything that makes your computer secure today, just about.

    If you're using an installed OS there's really not much excuse for not patching.
     
  11. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    point taken :)

    but I have never seen a patched system in my life

    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

    http://www.mozilla.org/security/known-vulnerabilities/firefox.html

    when I say old live cd I mean a little old, not ancient

    for example LPS :rolleyes:

    also, what is the guarantee that the so-called new patched version is really patched, and not beta or buggy with a critical hole? I have seen that many times, so the new so-called patched versions are more critical and vulnerable.


    my point is

    if you are a good boy, windows xp + NIS (or any decent security suite) is more than enough for you. my brother uses only a few sites which he uses for work; 7-10 years and not even a single virus on his system

    if you are paranoid about security best choose a bank which secure online banking fraud

    and for shopping use online buy and pay cash at delivery :p

    if you are a bad boy who surfs bad sites, better don't use the same OS for banking, that's my point

    also, I agree many other factors are there, which include your hardware: even if you use the most secure OS in the world, if your hardware (including your dongle/modem) is bugged at chip level, then what
     
    Last edited: Nov 28, 2012
  12. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    i completely agree with you :thumb:
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi BrandiCandi,

    Granted, in a live cd, you get whatever default browser came with it, but that should not stop you from upgrading your browser via the package manager (which installs a list of the browser's files) and after the live cd is fully booted, installing the latest browser from a tar'd set of its files - which is what I do in my daily setup from a saved version of the package installed files from a tarball of its files.

    That way I am currently running Firefox 17.0 on an Ubuntu 11.04 Live CD environment which I have crafted my own tar'd file updates for more than just the Firefox browser by saving them on my hard drive and disabling the network (I simply do not turn on my router before I have completed my setup on top of the Live CD).

    -- Tom

    P.S. I always pay attention to browser security since it is the No. 1 Internet facing application that I run everyday, and update it accordingly as soon as a new version of Firefox is available to fix any security problems.
     
  14. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    yes, I agree with lotuseclat79; also you can install chrome for just one session of a live cd from SL linux, for example

    or

    a USB install on a pendrive, tweak and update, or install on some other drive ........ use it only for banking. what's your point of view on that, @BrandiCandi?


    what I say is a fresh system only for banking use, not for day to day use


    also I would like to know 2 things: is there a write-protected USB with a hardware switch, like what we had on old floppy drives

    also what addons you use on banking sites or as general

    and how you scan links as linux is not running any web antivirus

    i use

    http://www.urlvoid.com/ and https://www.virustotal.com for online scanning
     
  15. BrandiCandi and Hungry Man: you guys are correct IMO, but I can see why people would want a security strategy that doesn't require constant updates. Heck, I would love such a strategy, if it existed and actually worked, since:

    - Keeping up with updates is a nuisance (on Windows anyway)
    - Upgrading one's OS to a new version is a major nuisance (doubly for Windows)
    - As software is updated, its hardware requirements tend to rapidly outpace a computer's capabilities (Ubuntu is a shining example of this).

    The problem is, a working computer is a moving target, but for most people, what the computer actually does remains the same. Windows 2000 and Office 2003 can create and edit a DOC file just as well as Windows 7 and Office 2010; the major difference from an end user's standpoint is the latter's vastly increased hardware requirements.

    Granted, some of this is due to useful features, including security features. But I think an inexperienced user could be forgiven for thinking that following the moving target wasn't worth it.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If we have vulnerability A and it's known, that vulnerability can be attacked by anyone once exploit code is released. If we then patch it and close vulnerability A but introduce vulnerability B, it's then up to the attackers to write new exploit code.

    So even if your patch introduces a vulnerability it still pushes the time for attackers to exploit it further.

    @GJ,
    I can too. But it doesn't exist right now. You can always wait to update. As long as the 'time to patch' is shorter than the 'time to exploit' starting at the vulnerability's discovery you're fine. The issue is the discovery is usually behind the scenes so you're typically working from the 0day exploit to patch ASAP.

    I don't think any system can exist that will remain extensible, non-intrusive, and secure without updates.
     
  17. Nor do I, but I would like to see some middle ground between "without updates" and "hundreds of MB of updates every month."

    (This is especially a problem on Windows, where updates are very frequent, incremental, rather large installers, and require reboots due to mandatory locks.)
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Exactly. That's the idea of pushing the time a vulnerability is exploitable as far as possible. That way it isn't a matter of patching every few days as attackers get more vulnerabilities, you start piling on /GS, DEP, ASLR, and SEHOP and suddenly it's a week between exploitable vulnerabilities etc.
     
  19. Personally, in the case of Windows, I think the biggest improvement would be a better update mechanism - maybe something along the lines of SUSE's delta updates.

    ... I'm wandering rather far afield though.

    Re the OP - for now I think Linux is safe for online banking, provided you don't do anything dumb with it (e.g. banking over Wifi, or browsing Facebook in one tab/window while banking in another). It's safer than Windows insofar as dealing with malware, but how true that will be a few years down the road remains to be seen.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    The browser is essentially the gateway. Secure it and the rest falls harmoniously into place :) This is why I can't help revert to the notion (always waffling between Firefox & Chrome :ouch: ) that Firefox, even though by design is less secure as a browser than Chrome, with a properly managed NoScript plug-in and throw in AdBlock+ optionally, is superior in defense against the majority of Internet threats.

    Stop the script and you stop the malware.
     
  21. BrandiCandi

    BrandiCandi Guest

    It does. You just have to reinstall your operating system after every session. How convenient would that be- reinstall Windows 7 daily. #winning

    Most operating systems have automatic updates available. I have Windows & Ubuntu configured to auto update, and I really don't find it too terribly annoying.

    As for upgrading the OS, I don't see the need unless the OS you're currently using is no longer supported. I run XP on one of my boxes and I'm perfectly content with it. It gets automatic updates (even adobe flash updates automatically- that was a recent change that I'm pleased with).

    Really you can apply the law of averages to patching. If you're up to date on all patches on your system you're far better off. Like they say, when a bear is chasing you don't outrun the bear, just outrun your friend.

    I guess if people want to update live sessions every time they use them that's cool. But it seems like a huge amount of work to me. I'm way too lazy for that.

    I think some distros allow you to create a non-persistent live USB stick when you're first installing it on the stick. I haven't done it though so I'm not sure how to accomplish it.

    addons for banking: nothing. If you have noscripts in firefox, choose a bank website at random and visit it. You'll see on the bottom bar how many scripts are running on the page. I've seen anywhere between 20 and 30. So I don't see the point of using NoScripts on a bank website.

    addons for normal surfing: totally different story. In firefox I'd recommend noscripts and adblock plus, betterprivacy, and clickclean. Chrome probably has equivalents for most of those. I don't know how to lock down Internet Explorer so I just don't use it.

    Scanning links... I don't scan them. Virus total is probably the best one I know about. If you've got NoScripts in FF or NotScripts in Chrome then you have significantly reduced attacks from malicious links. I guess I don't scan them; if I'm not sure about a link but I really want to click it then I'll click in sandboxie or a VM (and revert to a snapshot when I'm done). You could run wireshark when you click on a link to see if it generates crazy traffic.
     