It’s Banking Day at the Ranch and a Linux Live CD is in the Saddle!

I’ve maintained for years that I treat my Windows machines as if they have already been compromised – a position that has left me open to some criticism. I’ll take the criticism – I’d rather be safe than sorry.

If you’re a regular reader of the Tech Thoughts Daily Net News column, then you’re probably aware that the following items from last week (below the break) are not in the least unusual. In fact, notifications of security breaches, or unpatched vulnerabilities that are weeks or months old, are now commonplace.

A legitimate question is – how likely were you to have been affected by any of the unpatched flaws – as noted below – or, the scores of similar long-standing vulnerabilities published in Tech Thoughts Daily Net News over the last few years?

I’ll grant you that “not very likely”, is a reasonable assumption. Still, the question remains – how do you know that you’re not already compromised by a yet to be disclosed vulnerability? Something to think about.

————————————————————————————————–

Eight-month WordPress flaw responsible for Yahoo mail breach: Bitdefender – A cross-site scripting flaw that saw some Yahoo email users lose control of their accounts has now been traced back to a WordPress installation that was not patched for at least eight months.

Serious security holes fixed in Opera – but Mac App Store users left at risk again – It should go without saying that if you use Opera, you should update to version 12.13 as soon as possible. But… what if you didn’t get your copy of Opera from the official website? What if, instead, you acquired your version of Opera for Mac from Apple’s Mac App Store?

Symantec denies blame after Chinese govt hacks The New York Times – After one of the world’s most famous newspapers points the finger at Symantec for failing to protect its network against a four-month long Chinese cyberattack, the security firm returns fire -

Symantec:

“Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security.”

I found Symantec’s response more than interesting. This is the first time that I can recall that a major security vendor has gone on record and suggested that their product, as a stand-alone solution, should not be expected to identify and contain each and every conceivable threat.

I couldn’t agree more and, I have made that point consistently, for years.

—————————————————————————————————

Initially, I had no intention of writing such a long introduction to a simple review – but, my continuing disappointment in the computer technology industry as a whole, whose overall response to an epidemic of criminal activity, runs along the same lines as that old time movie – Jaws – in which one of the plot lines revolves around keeping people in the water (despite the evident danger from a Great White shark) since to do otherwise, would be bad for business, got the better of me. Perhaps not the best analogy – but, it works for me.

I have a sign on the wall above my desk that reads – Bullshit in = Bullshit out. I can’t think of a more fitting epitaph for the current state of affairs in an industry rife with misinformation, misdirection, hype, and sheer outrageous bullshit.

I’m not a gloom and doom guy – but, market forces are such, that a little crystal ball gazing has convinced me that the status quo is as stable as the Rock of Gibraltar. In other words, if you want to be safe on the Internet, then accept the fact that you’re on your own.

—————————————————————————————————

It’s Banking Day at the Ranch and a Linux Live CD is in the Saddle!

While connected to the Internet, just like you, I face exposure to Trojans, spyware, viruses, phishing scams, identity theft, scam artists, schemers and cyber crooks lurking in the shadows, just waiting to make me a victim. Even so, the odds of me picking up a malware infection, or being scammed, are fairly low. Am I just lucky, or is it more than that?

To some extent I might be lucky – but, it takes much more than luck to stay safe on the Internet. For me – it really boils down to prevention. Preventing cybercriminals from getting a foothold by being vigilant and adhering scrupulously to fundamental security precautions, including -

A fully patched operating system.

A robust firewall.

Automatically updated anti-virus and anti-spyware software.

Increased Internet Browser protection through selected add-ons.

Encryption where necessary.

and, most importantly, never forgetting to Stop. Think. Click.

Despite all those security precautions though, there’s one connected activity that still concerns me – online banking. Regardless of the fact that I choose my Internet banking provider based partially on its low profile, I’m not entirely relying on this low profile as a guarantee that cybercriminals will not target my provider.

The inescapable fact remains; I am my own best protection while conducting financial transactions on the Internet. Frankly, I’m not convinced that financial institutions are where they need to be when it comes to protecting their online customers.

Despite my best efforts, it’s possible that malicious code may be installed on my computer – ready to pounce on my banking user account names, and passwords. Which is why, I have long made it a practice to conduct my financial affairs on the Internet via a self-booting Linux Live CD. Since a Linux Live CD is read-only media, the environment (running entirely in RAM), should be more secure than Windows.

I’m not suggesting that Linux systems are impervious to malware (I know better than to make that claim) – but, since the majority of malware is Windows specific, banking online through a Linux Live CD should offer a more secure environment.

If you can click a mouse – then, you’re good to go. It’s that easy. Today’s Linux distros are not your Granny’s Linux.

I’m not suggesting that you replace your Windows operating system and jump with both feet into Linux. That’s impractical. What is not impractical however is – running with Linux on those occasions when you do your Internet banking.

Recommended Linux Live CDs:

Puppy Linux – A complete operating system with suite of GUI apps, only about 70 – 140MB, and boots directly off the CD. I should point out that Puppy is my personal favorite.

Damn Small Linux – Damn Small Linux is a very versatile 50MB mini desktop oriented Linux distribution.

Fedora – Fedora is a fast, stable, and powerful operating system for everyday use built by a worldwide community of friends. It’s completely free to use, study, and share.

Ubuntu – Fast, secure and easy-to-use.

Lightweight Portable Security (LPS) – A Linux distro from the US Department of Defense. Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). LPS boots a thin Linux operating system from a CD or USB flash stick without mounting a local hard drive.

Filed under Anti-Malware Tools, Online Banking, downloads, Linux, Live CDs

24 responses to “It’s Banking Day at the Ranch and a Linux Live CD is in the Saddle!”

  1. Dave B.

    Hey Bill, security-wise there’s probably not a better way to do online banking. The problem arises when people have to deal with the inconveniences. For those that use Quicken or a similar program, they would now have to fire up Linux, do their banking/pay bills, write down everything they did, reboot to Windows, run Quicken, and enter in all the stuff they wrote down. A minor inconvenience, but one that many people just don’t want to deal with. Also the fact that you’d have to answer your bank verification questions every time you visit their site. Add to that booting off the Live CD every time they want to make an online purchase or enter credit card info (if you’re gonna protect your bank account, you might as well protect your credit cards as well) it becomes pretty annoying to a lot of people. A choice has to be made between security and convenience, and people will almost always choose convenience.

    • Hey Dave,

      A point well made – as per the usual.

      I’m familiar with that inconvenience – have to write down my transaction numbers every time I pay a bill, etc. A hassle to be sure – but, far less of a hassle than being stripped of my identity, or the limited cash in my accounts. :)

      Your observation – “A choice has to be made between security and convenience, and people will almost always choose convenience.” – sums it up. And that, is the issue for me. I don’t give a damn about the latest touchy feely technologies (stop the hype), when the practical basics of safety and security are relegated to the backwaters. Makes absolutely no sense to me.

      Stay warm my friend.

      Best,

      Bill

  2. Dave B.

    I’ve mentioned the Live CD option to clients who HAVE been targeted and lost money, even then convenience won out, makes you wonder sometimes.
    It’s nice and toasty here today, 22F :)

  3. For anyone who is looking for almost absolute security, visit your bank in person. Most banks still have an actual address.
    For the rest, choose your weapons wisely, click the link and pray.

    • Hi Bob,

      A few months back I stopped in at my bank (hadn’t been in in over a year) and went unrecognized by the entire staff. Quite a contrast from the days when a weekly visit was the thing. No more “hi, how ya doing” – “how’re the kids.” I now make the effort to go in at least monthly.

      Best,

      Bill

  4. Hi Bill,

    I use Linux Mint exclusively on my laptop, have been doing for a couple of years now. I would never go back to Windows; yes I’m a convert.

    Recently however, I’ve begun to use the banking app on my Android tablet and also my Android phone. What precautions can I take while using those, or is it better to just stick with the laptop and Linux for my banking? (I don’t actually ‘do’ any real banking with them, just check my balance occasionally.)

    Best Wishes,

    Paul

  5. Ever considered using a virtual machine to do your banking business on? Then switching between the live-CD and your OS isn’t that hard, you have the addition of being able to actually install the OS without wrecking your Windows. There are some good free virtual machine systems out there.

    • Hey Niels,

      I haven’t actually. But following your suggestion, I’ll give that a try.

      Thanks for that.

      Best,

      Bill

    • Dave B.

      The problem with a VM is that it’s an installed OS that is subject to infection just like the host OS. A live CD is loaded from a read only medium so it can’t be modified, so in the off chance that you pick something up while banking (and you decide to just visit one or two sites while you’re on), all it takes is a reboot and you’re back to a clean slate.

  6. John Bent

    Hi Bill,

    With you 100% on not using either phone or tablet for any kind of financial transaction, including shopping. One reason is the huge risk of malware attack on Android o/s (don’t get me started on the reluctance of providers to update Android, I call it criminal). The other is the added risk posed by the very portability and convenience of these items. The more convenient to me, the more likely someone is to take advantage of the laziness that can engender.

    As you say, a little inconvenience is far preferable to someone hacking your account, or ripping off your kit to order and sending it to China or the Eastern bloc.

    Kind regards
    John

    • Hi John,

      You’ve made some good points. The convenience factor undoubtedly could lead to a very laissez faire attitude toward security. Hadn’t considered that.

      Best,

      Bill

  7. I have found two reasonably sure ways to avoid ID theft and bank theft: DO NOT bank online. Period. Move closer to the bank. (Sorry, Bill, my bank still says hi to me by name! although I’m never sure if this is because they know me, or because I owe them…) (The second? Make sure your bank knows you…, no that’s not it… lol) The second, less-appealing way to make yourself less of a magnet to ID theft? Lower your overall ‘credit score’… IF someone should try to use your ID for nefarious purposes, they won’t be approved and won’t be able to ‘take-you-to-the-cleaners’ (who btw missed a spot…) It’s NOT the best way, but it is effective… *khrys…

    • Hey Khrys,

      You’re right – not banking online eliminates the risk. Not convinced that lowering one’s credit score is appropriate – there are sure to be repercussions. On top of which, the bad guys will take what you’ve got – no matter how little or how much is in the account – according to Norton.

      I’ve had people point out that staying off the Internet entirely is the only sure way to avoid the bad guys. But, it’s not. In a recent case in which 500,000+ records of Canadian student loan recipients were “lost” – the data included banking info and social insurance numbers. This has now led to a class action lawsuit against the Canadian govt.

      Your cleaner sounds like my cleaner – she’s always missing a spot or two. :)

      Best,

      Bill

    • Dave B.

      Lower your credit score? Isn’t that a bit like destroying your car to keep someone from stealing it? Sure it won’t get stolen, but it’s also useless to you.

  8. Could you use VirtualBox, set it up with your Linux install of choice, take a snapshot and then when you boot it up and do your critical stuff, you can roll it back to original when you shut it down if you like?

    Since VB runs on top of your Windows, I don’t know if something infecting Windows that is tracking keystrokes would be able to see inside the VM or not. Does anyone know this?

    If not, it certainly would be faster than rebooting the whole machine to a Live CD, not to mention you can usually copy a file from the VM to the hard drive on the host machine.

  9. Mal

    Hey Bill,
    This subject is something I have been pondering on lately. Now that I can no longer (for the moment) get a decent antilogger application running on my machine, I am a tad (lots) worried about my online banking. Of course I have tried out Linux applications, and it is all quite foreign to me. Maybe I need to revisit this and make some effort to understand how it all works, I have read enough on the internet and your blog to know that most tech savvy people say this is the way for banking. Nothing is invincible but Linux seems to be much more secure for this than Windows.
    Good article, you must have been reading my mind (again).
    Cheers
    Mal

    • Hey Mal,

      Yep – revisit it. Take a ride with Puppy or Damn Small Linux. You don’t really need to get involved in the “wherefore or whys”.

      If you can click a mouse – really, you’re good to go. It’s that simple.

      Yes, I’ve been reading your mind – but, I won’t tell what else I found. :)

      Best,

      Bill