Back in September, I posted a note about attacks on the two-factor authentication systems used by some online banking sites. One of my recommendations has always been to use a dedicated, carefully configured PC for this function; a PC that is not used for general Web browsing, iTunes, Facebook, and everything else under the sun. I’ve also suggested that using an OS other than Windows — specifically, Linux — is a useful additional precaution.
Brian Krebs of the Washington Post has a post today in his “Security Fix” blog recommending the same thing. AS he points out, an easy way to try this, which can even be used on an ongoing basis, is to use a Linux Live CD. This is a bootable CD that contains a complete Linux distribution (the OS itself plus applications); the system is booted and run entirely from the CD, and the PC’s hard disk is not touched, unless the user takes positive action to do so. (Most of these Live CD distributions will optionally make Windows partitions on the hard disk accessible on a read-only basis.) Since everything runs from the CD, any malware that may have found its way onto the hard disk will never get a chance to run. (In any case, low-level Windows software, as most malware is, will not run on a Linux system anyway — the basic structure of the OS, the memory map, and system call interface are all very different in Linux.) Linux is free, has a robust security model, and is extremely stable and reliable. If you need to store data from one Live CD session to the next, a USB key generally works well.
Brian also has a good introductory piece on using the Ubuntu Linux Live CD in this way. I will mention that, besides the core Ubuntu distribution he discusses, there are two variants that some folks might find useful:
- Kubuntu Linux, which uses the KDE graphical desktop instead of the GNOME desktop used in stock Ubuntu. KDE’s interface is slightly more like the Windows interface than is GNOME’s.
- Xubuntu Linux, which uses the Xfce graphical desktop. This requires considerably less machine horsepower than either KDE or GNOME.
Both of these alternatives are “official” variants of Ubuntu. They use the same OS kernel and core facilities, and all three graphical user interfaces are based on the X Window system. Applications are also usable across all three variants; the Firefox Web browser and the OpenOffice.org productivity suite work in all three environments. (However, be forewarned that, if you are using Xubuntu on an older machine, OpenOffice may require a bit too much in the way of resources; in that case, the Gnumeric spreadsheet and AbiWord word processor that come with Xubuntu work well.)
As I’ve indicated before, I strongly endorse Brian’s recommendation. It is one of the easiest and most effective ways to make your use of critical Web applications safer.
Update, Wednesday, October 14, 15:35
I forgot to mention, when I posted this note, that the SANS Institute also has a report available [PDF], called “Protecting Your Business from Online Banking Fraud”, which discusses the use of a Live CD and other risk mitigation measures.