Seeking Advice in Using Firefox for Netbanking

Discussion in 'privacy technology' started by truthseeker, Aug 29, 2008.

Thread Status:
Not open for further replies.
  1. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I am using Firefox for all my netbanking.

    I run Ubuntu as guest and Vista is my Host, using Virtualbox.

    I use Ubuntu Firefox to access all my bank websites, my credit card data and transfer money etc.

    What exactly do I need to be concerned about? Keyloggers? Sniffers?

    Is there anything else that can affect my guest Ubuntu activity and steal my Banking login details?

    Thanks so much for any advice.
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    This is your threat model:

    1) None, or Bad encryption which would allow a Man In The Middle to watch your transactions.

    2) That your ISP is not really showing you your bank, but another website designed to look like your bank and thus perform Cross Site Scripting attacks. This can be thwarted with requiring SSL and performing OCSP/Revoke lookups on the certificate.

    3) Man In The Browser Attacks whereby a website you visit can implant a bug in your browser to monitor everything it sees and send back that information, even if you are using HTTPS.

    4) Attacks from your host OS against your guest OS to monitor the transactions taking place inside it, or manipulating/injecting the stream leaving it. Turn off bridging with the network adapter, and make sure the bank uses HTTPS the whole time.

    ------------------ THEREFORE -----------------

    1) Use a clean OS VM every time and only visit the bank website that you trust, and do not allow it to run scripts if possible.

    2) Make sure the connection is HTTPS the whole time you are logged into the bank.
     
  3. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Ouch, there seems to be some concerns for sure.

    But yeah, I run a clean OS as far as I know, many well known programs report my PC as clean. And I use Noscript addon in firefox and I will make sure it's always HTTPS.

    Thanks XeroBank. :thumb:
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
  5. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I am not using wireless broadband, so I guess that Eavesdropping link is not applicable to me.

    regarding perspectives, can that link be trusted? Why isn't Perspectives at the offical firefox addon website?

    What if the Perspectives FF addon was really written by student criminal hackers and is a nasty script that points your browser to criminal websites that then obtain your personal details?

    Could be a trojan or a security extension in disguise.
     
    Last edited: Aug 30, 2008
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
    thruthseeker, first, the program was written by the Carnegie Mellon's School of Computer Science, developed by David Andersen (Assistant Professor of Computer Science), Adrian Perrig (Associate Professor of Electrical and Computer Engineering) and Dan Wendlandt (a Ph.D. student in computer science). If you are going to tell that these 3 individuals are possible hackers, risking the reputation of a world renown institution such as Carnegie Mellon, then disconnect from the Internet right now because you won't we able to trust anyone in this world.

    The reason why the add-on is not on FF is that it was just launched August 25th: Carnegie Mellon System Thwarts Internet Eavesdropping Available as Free Download for Firefox Browser. In time, I'm sure FF will welcome it.
     
  7. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Well, I do not trust anyone in the world. I don't even trust myself 100%.

    If a human being is approached by large criminal organisations and offered a large amount of money, humans will risk everything.

    Just because someone works for a well known or reputable place, doesn't mean anything. History has shown that even in some of the biggest and well known and reputable companies and organisations, a person has committed crimes and ripped of the public and its shareholders.

    You are dealing with humans here my friend, don't underestimate the lenghts some people will go to make money, it's called greed.

    A world renown institution such as Carnegie Mellon is never immune from having people work in it that could commit law breaking acts such as writing a piece of software that will redirect a person to a criminal website that looks like the banks website.

    Don't so be so naive and gullible. Must be cautious of everyone, no matter where they work and no matter who they are.
     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
    truthseeker, I'll leave you with these thoughts. As a 60 year old man, and a Vietnam Vet to boot, I have seen first hand what human beings are capable of doing to each other and how institutions have taken advantage of human beings to further their agendas. I'm willing to cut people a little slack because in the course of my life, I have also met many wonderful people who bent over backwards to help other human beings. I have been in the depths of hell and life is not as bleak as you think it is. Always take care of yourself first, then help others do the same and maybe, maybe, we will all receive redemption someday. Learn to trust yourself and the world can become your oyster. Take care.
     
  9. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    There sure seems to be a lot of fluff and little explanation on how this wonderful addon works. Let me explain it real quick in plain english:

    1. You request a website.
    2. This addon sees your request.
    3. It then notifies other servers of your request.
    4. They all do a request at the same time.
    5. If they get back different results, someone may be injecting / MITM either you or them.

    The bottom line is that it is a plugin that spies on you, and tells CM what you are doing. That doesn't sound so awesome to me.
     
  10. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I agree that there are many wonderful people in the world. My point is this... you can never be 100% certain who the wonder people are, and who is trying to deceive you or trick you for their personal gain.

    I do not even trust myself 100%, and would never trust anyone else completely. I am cautious of everyone and do my due-diligence into everyone I deal with. And even then I am very very cautious.
     
  11. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I agree. And the other thing that concerns me is that any updates etc to the plugin could be doing anything in the future.

    And I am in congruent thought with you when you said, "That doesn't sound so awesome to me." It just adds another "spy" in the link.
     
  12. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Maybe its time you started with your own book on trust and the meaning of life...

    More seriously, being a world class academic organisation does give it more credibility. It is a matter of signalling.
     
  13. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    How do you know with certainty that I haven't already completed a book on trust and the meaning of life? :)

    Sure, it does give it more credibility than a few guys in a garage. However, history has proven that many "credible" people and organisations have been infected with deceptive conduct.
     
  14. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Truthseeker,

    using your logic.

    Why should we give you _any_ ideas, because you could be a security crack looking for new attack types by gathering ideas and information from well protected users.

    See where this ends?

    End of useful security discussion. Trust nobody. Live alone. Don't even speak to anyone. Become a hermit. Move onto Himalayas.
     
  15. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    You could have, but you might have trouble getting it published. Just stick to your guns, us a live cd and ssl connection.
     
  16. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Not entirely. But to be cautious and do extensive due-diligence and research, especially when it involves financial and personal issues.
     
  17. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yeah, at the end of the day, the Linux LiveCD is the way to go I think. Good point. And manually enter all my banks websites and hope that it hasn't been hijacked.
     
  18. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Is there any way to defend against DNS poisoning and other man-in-the-middle attacks in this scenario?

    I think the already mentioned Perspectives Firefox add-on could help in this regard (while of course, it creates its own set of problems).

    Of course, if one is so diligent about security, it should be easy to profile 'perspectives' dll network behavior for one month and see what it does. I'm sure somebody's disassembling the pre-compiled version as I write this. The source code is also freely available.

    In fact, for better or worse, I think similar kind of distributed white-hat network app will be needed for ordinary users/browsers, because otherwise it looks like the criminals are winning. Whether it ends up being something that universities cooked up (like Perspectives), a Microsoft only solution or something else - I don't know. But I see evolution pushing us to that direction - or to extinction of online safety in any reasonable manner for ordinary users at least.

    Overall I think it's easier to keep one's own system clean and hard enough to hack so that online banking can be as safe as manageable for a well-versed security aware person.

    But in regards to MITM-attacks, which currently are fortunately that common as of yet, it is much more difficult. IMHO. YMMV. ETC.
     
  19. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Thanks for your input halcyon, appreciate it, Cheers.
     
Loading...
Thread Status:
Not open for further replies.