While connected to the Internet, just like you, I face exposure to Trojans, spyware, viruses, phishing scams, identity theft, scam artists, schemers and cyber crooks lurking in the shadows, just waiting to make me a victim. Even so, the odds of me picking up a malware infection, or being scammed, are low – not 0% but…… Am I just lucky, or is it more than that?
Well, to some extent I might be lucky – but, it takes much more than luck to stay safe on the Internet. For me – it really boils down to prevention. Preventing cybercriminals from getting a foothold by being vigilant and adhering scrupulously to fundamental security precautions, including –
A fully patched operating system.
A robust firewall.
Automatically updated anti-virus and anti-spyware software
An aggressive HIPS (host intrusion prevention system).
Increased Internet Browser protection through selected add-ons.
and, most importantly never forgetting to – Stop. Think. Click.
Despite all those security precautions though, there’s one connected activity that still concerns me – online banking. Regardless of the fact that I choose my Internet banking provider based partially on its low profile (four branches as opposed to the usual 3,000/5,000 branches common in Canadian banking), I’m not entirely relying on this low profile as a guarantee that cybercriminals will not target my provider.
The inescapable fact remains; I am my own best protection while conducting financial transactions on the Internet. Frankly, I’m not convinced that financial institutions are where they need to be when it comes to protecting their online customers.
Despite my best efforts it’s possible (though unlikely), that malicious code may be installed on my computer – ready to pounce on my banking user account names, and passwords. Which is why, I have long made it a practice to conduct my financial affairs on the Internet via a self-booting Linux Live CD running Firefox. Since a Linux Live CD is read-only media, the environment (running entirely in RAM), will be much more secure than Windows.
Yes, I admit that it’s a pain to shut down and reboot just to complete an online financial transaction but, I’d rather be safe than sorry – I’m into an ounce of prevention. Since the majority of malware is Windows specific, banking online through a Linux Live CD is my ounce of prevention.
Recommended Linux Live CDs:
Lightweight Portable Security (LPS) – A Linux distro from the US Department of Defense.
Ubuntu – fast, secure and easy-to-use.
Puppy Linux – A complete operating system with suite of GUI apps, only about 70 – 140MB, and boots directly off the CD.
KNOPPIX – Live Linux file system on CD.
If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.
Bill Mullins' Weblog - Tech Thoughts 
hi bill
is it possible to run 2 os at the same time? i am using vista.
Hi Kenneth,
I don’t think you really mean “is it possible to run 2 os at the same time” since the answer is, no. I’ll assume what you really mean is – is it possible to install Linux and Windows to the same Hard Drive and then run one or the other – the answer is yes.
Ubuntu is well suited to a dual boot installation. Follow the instructions at – Ubuntu Documentation
Bill
Pingback: Secure Your Online Banking With A Linux Live CD | Bill Mullins … | Investing
Possibly this is a dumb question Bill…
Can something similar be done via a memory stick
If “yes”‘ then can it be done on a public PC (e.g. in a library ?)
Hi Michael,
Not a dumb question, at all.
Yes indeed, most Live CDs can easily be installed to a stick. See – Boot and run Linux from a USB flash memory stick
Finding a public PC where rebooting isn’t a problem is a problem. Most public computers (a library for example), are booted from the network. I often read that a live CD can be booted on a public machine, but I’ve never seen one.
Best,
Bill
Hi Bill:
Is it OK to download Ubuntu and run it next to Windows, or do I need a separate CD to achieve banking security? Should I just use it for banking and nothing else, to be safe? (Sounds sort of like Slashtop, which I wasn’t able to install on my computer.) Thanks-
Hi Charlie,
My primary home system is a dual boot machine using Win 7 and Ubuntu. On a dual boot system, Linux will have access to the Windows partition – a good thing since it allows me to fiddle with Windows through Linux. But, in a perfect world, it’s better that this not be the case while you do your online banking (possible malware activation). Personally, I stick with a live CD – no access to the HD. . Not that I have bags of money, but what I have I want to keep.
It’s true, that in many countries victims of banking malware attacks have limited liability but, more often now I’m seeing banks take the position that if a customer has been negligent – then, their out of luck. It’s their loss. Expect to see much more of this.
Best,
Bill
Hey Bill,
That is a smart step as if one use installed linux that too can be infected,I need to test few downloads I think its possible that malware writers may bind up windows+linux viruses (as linux is gaining popularity because people think that its immune to viruses)in a torrent file so that even if someone downloads virus binded torrent in linux it gets infected,hmmm one more test in my list
Regards
Hey Neeraj,
Agreed. Binding Win/Linux malware is a logical step for the bad guys. Makes good economic sense to do so.
I do all my financials online – banking, paying bills, etc., so for me – a Live Linux CD is the only way to do so safely.
Best,
Bill
Yeah but I personally think that as if now malwares of ubuntu(as mostly people use ubuntu because of easy to use interface) would be more incomparison to fedora though both are linux but extensions are different rpm and deb(still not sure as I am new to programming).I dont like ubuntu but love backtrack which is based on ubuntu though still learning it and try latest fedora its just awesome in GUI as well like windows 7
Hey Neeraj,
Depends really, on what the malware is designed to attack. Malware designed to attack through the Linux Kernel (this was an issue late last year), could be successful in all distros – assuming all are using the same Kernel.
Thanks for the tip on BackTrack – I see it has a Forensic mode. Will definitely check this further.
Best,
Bill
Hi Bill,
There is some free software available and it’s use is suggested by several banks. Here’s the link: http://www.trusteer.com/product/trusteer-rapport
It has many benefits including the option to configure Trusteer Rapport to work with any website that you need to sign in to.
I tried it but didn’t much like the fact that it seemed to run through my browser at all times even when I didn’t need it. There was no easy way to shut it down. I guess that for people who are not too technically minded it would be a good solution to secure connections to online banking sites!
Hi Chris,
Thanks for the link.
I took a look at this a couple of years ago and I agree with your assessment – good for the less tech-savvy. Still, not a bullet-proof solution so, I’ll stick with the Live CD approach. 🙂
Bill
Hey Bill,
Definitely food for though, as I do online banking too. What I normally do is run all internet activities in virtualization, and financial transactions in normal mode. This way, I know the machine is clean (as far as possible) when I log into my bank. But like you said, any extra protection is useful, so I think I will try out the Linux route.
As far as Trusteer is concerned, I tried this out a long way back. I found it took up lots of memory and slowed down my machine. I told them this on their feedback page and uninstalled it. They then asked me, twice, to allow them to remotely connect to my machine as they insisted they could fix this “problem”. I don’t like the idea of ANYONE connecting to my computer to play around with settings, so they lost me right there.
Cheers
Hey Mal,
Hmm, like your logic – sounds pretty tight to me. Yeah, take the Linux route for a bit and see what you think.
As far as Trusteer goes – as I understand it (and this may be old info), it’s live all the time so little wonder it eats up resources. It should only come into play specifically on a banking site.
Gotta agree, it would be a frosty Friday before I allowed a remote connect. Waaay outside my comfort zone.
Best,
Bill
TRUSTEER
I looked up Rapport: in mid-2010 4.5M UK bank customers had it on their PCs/MACs. I’m guessing that 20% of UK non-business online banking transactions must involve Rapport. If your computer is “on”, then Rapport is “on” too. It offers a feature to partner banks called Flashlight. If you ‘phone your bank & say “I wuz robbed online” the bank will immediately ask you to install Flashlight while you are still on the ‘phone. It can detect malware, browser tampering, PC OS, version number of apps & whether antivirus software was up-to-date. I think we all know that this software will give the banks the means to show that it’s the customer who left the keys in the ignition… Also I can imagine some simple social engineering scams involving Rapport
LINUX on a STICK
It worked ! I bumped into a few problems with drivers & my router, but I got there in the end. Thank you Bill.
Amusingly my bank log-in page (not my browser) offered a check box to remember my details ~ how weird is that ? Time for a new bank
Hi Michael,
Yeah, that sounds like a nice round percentage. That always on feature is a turn off for me – one more developer I’m expected to unilaterally trust. No thanks.
I do agree that Flashlight is a double edged sword which can be used as an “out”. We’ll’ see much, much more of this, I expect.
A log-in page offering to remember details? Now there’s an organization that has a real handle on good security practices lol!!
Good to hear you got a boot USB up and running. Take a bow!!! 🙂
Best,
Bill
Hi Bill,
This is a really great idea.
Do you know which is the fastest booting Live CD that can get the job done?
Also, would it be necessary to mount the main harddisk to save files into it, e.g. confirmation of transactions performed?
Thanks.
Hey JBE,
As you know, loading from a CD is always slow compared to booting from a HD. Still, I haven’t seen a Live CD that was unreasonably slow. Although, Lightweight Portable Security (LPS) loads slower than most.
Saving a confirmation of transaction is an issue for me, since I have to manually copy the confirmation number to the hard copy of the respective bills. Not a big issue, but… Mind you, the objective here is not allowing access to the HD. So, what are you going to do? 🙂
Bill
Not being able to securely save the confirmation messages will indeed be a problem as I need these as proof of payment.
Frankly, I was hoping that you would give me the solution. Unfortunately I personally do not have an answer to this. Would it be possible to somehow email the page/file to ourselves? Or perhaps save the page/file into Dropbox and pick it up later when back in the “regular” OS?
Would that work?
Hey JBE,
Having all the answers would be ideal – but, I don’t. As I said earlier, simply posting the confirmation number to the bill works for me, but obviously not for you.
While your proposed solutions work within Windows – depending on the Browser (or, Browser add-ons), they will not work on a Linux Live CD. On the other hand – if you were running Ubuntu (on a dual boot basis), for example – capturing a screen shot of the confirmation notice with the built-in screen capture utility, and saving it to the HD is possible.
I’m aware of the reasons why my financial institutions doesn’t provide email confirmation of bill payment, but I’m curious as to why yours doesn’t.
Bill
Hi Bill,
Will give your suggestion (screen capture) a try when I get the chance.
Thanks.
Hey JBE,
It seems like a poor substitute for the real thing, but….
Bill
Hi Bill,
I’m going to give this a try, but I was wondering, is there a way to keep it updated with security fixes ext. Or is it a matter of downloading and burning the whole package again when a new version appears. Great Weblog, by the way, always informative and helpful – many thanks.
Hi Robosimm,
Installed Linux systems are updated regularly with security fixes – and, certain Linux rescue disks, depending on functionality, as well. As you’ve ascertained though, the type of Live CDs we’re discussing here, are not. Instead, new releases do require that the downloading/burning process be repeated.
Good to have you on board.
Bill
Hey Bill
Having been an unfortunate victim (although I still don’t know if the PC was involved since I’ve never found any virus) I’ve begun the move to Linux. Big learning curve to handle, but it’s worth the effort – only wish it wasn’t this reason that finally gave me the kick I needed to start trying to swtich.
Few questions:
1) Would installing Linux (Ubuntu 11.04) on a new hard drive be safe enough? Virus scans from Linux of the Windows drive reveal nothing bad.
2) Any danger if I added WINE at some point? There’s a few things that need IE (long story!) but does that create any addition risks?
3) What about virtual machine within Linux? Is that even possible – and if so is that safer?
4) How easy is it to rip my own Live CD of my current up-to-date Ubuntu version? If that’s a 15 minute job then it’s worth the effort.
Great blog – once I work out how to subscribe in Linux I’ll be doing that!! 🙂
Chris
Hi Chris,
Yes, running from an installed version of Ubuntu (for an aware user), is acceptable. I do this often.
Configured properly WINE shouldn’t impact security risks.
Running virtually within Linux is easy. – take a look at VirtualBox Safer? Frankly, I’m not sure I see the point.
Number 4 is interesting. You can in fact do some magic with the freeware tool ISO Workshop – not sure it’s worth the effort though.
Bill
Thanks for the reply Bill
“aware user” is a bit frightening! I’m a real newbie when it comes to Linux, although I’ve been experimenting with computers (including coding) for around 25 years.
So I’m either a dangerous newbie (too much knowledge is a dangerous thing) or the perfect newbie (I know how to screw things up so I avoid it) – not sure which I am to be honest! 🙂 Windows dulls the senses since it “just works”…expect if it’s simple for my mum to go online via wifi then it’s perhaps too simple (mum would be the target for the up-to-date Live CD).
So am I safe enough to use Linux whilst avoiding making glaring security mistakes? Possibly – if you don’t run as root then you’re 90% there? Sorry – an unfair question, but hopefully you follow the point.
Re: VM – I’ve heard a fair bit of talk about a VM being the best balance between security and practicality. When it comes to banking security > everything quite frankly, but it was worth mentioning.
Chris
Hi Chris,
I think you’re well ahead of the game from a security perspective. Often, it’s not so much what we know that counts; it’s whether we have the wit to ask the right questions that really matters.
Bill