Modernizing Authentication — What It Takes to Transform Secure Access
In August I wrote an article here that suggested that rather than doing online banking from a Windows computer, a much safer approach is to re-boot using Linux (either from a CD, USB flash drive or a memory card) and running Firefox under Linux to access banking websites.
Now, a consensus seems to be forming behind this idea.
For months, Brian Krebs has been writing in the Washington Post about companies, municipalities and school districts that suffered large losses due to online banking fraud. The impetus for my article came from one of his first stories.
After interviewing businesses that suffered these losses, Krebs would inevitably be asked by the owners of the business about protecting themselves going forward. Addressing this in a recent column, he said:
"The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online. I do not offer this recommendation lightly ... But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way ... all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer."
The rest of the column goes on to discuss security measures taken by assorted banks and how the bad guys breached every one of them.
Antivirus and Anti-spyware Software
If you think anti-virus and/or anti-spyware software will protect a Windows computer, think again. You are certainly safer running anti-malware software but you are not safe. As Randy Abrams of ESET put it recently, "There was a day that anti-virus software could protect you against almost all of the viruses in the world, but that day was significantly more than a decade ago."
Anti-malware software is only one line of defense, and it cannot be your only defense. Whether anti-malware software protects you 10% of the time or 90% of the time, everyone agrees that it cannot protect you 100% of the time.
In one case that Krebs wrote about, the malware that drained the bank account first infected the computer a year earlier, despite antivirus software. When I'm called on to clean up an infected computer, I always run a handful of anti-virus and anti-spyware programs. Normally, the third, fourth and fifth scans find malware that the first few products missed.
The amount of malware targeting Windows is staggering.
Just days after my previous article on online banking was published, Trend Micro reported that "... in the first six months of 2008 ... 253.4 million systems were infected with malware. The comparable volume for 2009 is almost double at 491.2 million." The same blog posting says that AV-Test.org is finding more than a million new malware samples every month. In the good old days of 2007, they only had 5,490,000 samples of malware.
This is not scare mongering designed to push Linux (certainly Trend Micro didn't offer those numbers to promote Linux). I have no stake in promoting or knocking any particular operating system. I have used Windows XP for years and will continue to do so. But Linux strikes me, and others, as a perfect environment for running Firefox to do online banking.
Windows computers can certainly be run safely and securely. However, in my opinion, doing so takes too much work and requires too much technical experience. Non-techies don't have a fighting chance.
A few months ago, the Clampi Trojan was getting a lot of press coverage. At the time, I wrote Defending against the Clampi Trojan, showing various techniques to protect a Windows computer from Clampi. It's a long list, too long, and it's far from complete. Just one item on the list, keeping all the installed software up to date is, in and of itself, all but impossible for non-techies.
Along these lines, see my blog posting - Are you competent to run Windows safely? Even if you pass the test, think of everyone you know that runs Windows. Would they pass?
Man In The Browser
If you think the concern about Windows security is overdone, consider the hidden programs running inside Internet Explorer.
From IE7, go to Tools -> Manage Add-ons -> Enable or Disable Add-ons, and then look at the four sub-categories of add-ons. From IE8, go to Tools -> Manage Add-ons and review the various add-ons of each type (for Toolbars and Extensions, be sure to show all).
Chances are you won't know what most of these add-on programs are, or what they do. Yet they run inside Internet Explorer. Even if you trust Microsoft, many of these programs come from third parties. You are implicitly trusting these programs every time you visit a website.
Dangerous software inside your web browser is not limited to Internet Explorer. Just today, I was running Firefox on a Windows XP machine when the browser popped up a warning about an unsafe plug-in. In this case, Firefox was smart enough to disable the vulnerable software on its own - very impressive. The vulnerable, buggy software had been installed by Microsoft during an update to the .NET framework component of Windows.
According to Finjan, the URLZone Trojan does its nastiness after burrowing its way into your web browser (it attacks IE, Firefox and other browsers). This gives it total access to web pages coming and going. For example, after transferring money out of an account, it will modify the returned web page from the bank to show a larger balance, thus hiding the outbound transfer(s) it generated.
It's not just the browser, it's Windows itself that can't be trusted.
Someone wanting no part of Linux can instead opt for a dedicated banking computer. Whether real or virtual, this would be an instance of Windows that starts out with a fresh, clean, full installation of the operating system followed by its service packs and subsequent patches. Then anti-malware software would be installed and a two-way firewall.
The only software installed on the machine would be that necessary for banking. Email, for example, should be avoided. In fact, applications that aren't needed should be un-installed (good-bye Outlook Express) and services that aren't needed should be disabled. If at all possible, the system should be run from a restricted user ID.
In August, Krebs wrote that this approach was suggested the a banking industry group, The Financial Services Information Sharing and Analysis Center. Back in July, Joe Stewart of SecureWorks also suggested this approach for defending against the Clampi Trojan.
To further avoid malware infection, the system could have all changes wiped out every time it shuts down. This is easily done in a virtual machine and can be implemented on a real computer using software such as Deep Freeze or Microsoft's SteadyState.
The problem with backing out all changes is that the anti-malware software can't update itself. Likewise, it will have to be turned off occasionally to allow the operating system and other software to apply patches.
A less intrusive option for avoiding new infections is Sandboxie, which I wrote about last time.
This is certainly a reasonable approach, but it may be unrealistic for many people and businesses. And, even taking all these steps, it's not obviously safer than re-booting to run Linux. Nor is it easier.
Brian Krebs and I are far from the only ones recommending Firefox under Linux for online banking.
Even Joe Stewart said "Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts."
In making his case, Krebs pointed to a 32-page SANS Technology Institute white paper, Protecting Your Business from Online Banking Fraud that says:
"The paper provides a number of possible ways to mitigate these types of attacks. A defense in-depth approach is used to provide multiple mitigation recommendations. The number one recommended mitigation is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions."
In other words, boot Linux off a CD.
The paper discusses additional defensive steps: protecting the email address of the comptroller, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring financial transactions. Interestingly, it doesnt mention running as a restricted user. All this recalls my earlier point - keeping a Windows computer secure can be too much work to be realistic.
Just a few days ago, ZDNet blogger Adrian Kingsley-Hughes cited the Krebs recommendation for Linux and concluded: "Im going one step further, and suggesting that no one use Windows for either banking or online shopping. Period."
To someone with a single computer, following this advice means shutting down Windows, booting Linux, doing online banking, then restarting Windows. A hassle for sure. But, to Kingsley-Hughes, "... the risk of using Windows outweighs the convenience."
Over at TechRepublic.com Michael Kassner has been writing about crimeware recently. He started out asking how safe it is, then he offered more details on how online banking crimeware works. His most recent article on the topic examined assorted solutions for safe online banking.
As for himself, he says "I plan on using a LiveCD from now on when I am doing any kind online banking or retail transaction. That way, I know the operating system is not compromised. Its going to be a pain, but I do not see any other recourse at this time."
The articles by Kassner and Kingsley-Hughes generated hundreds of reader comments. One often-discussed solution is to do online banking from inside a Linux virtual machine to isolate it from a possibly infected copy of Windows.p>Perhaps the biggest problem with this approach is keystroke logging. If the host operating system is infected with a keystroke logger, it should still be able to see all the keystrokes, including passwords, as they start out in the host system before being transmitted to the virtual guest system.
Also, some malware sniffs network traffic and thus could see data coming into and out of the virtual machine. And data can go back/forth between the host and guest operating systems, be it by normal file sharing, a special feature of the Virtual Machine software or a bug.
Banking from within a Linux virtual machine is unquestionably safer than from Windows, but it's not as safe as booting Linux from a CD, USB flash drive or SD memory card. And the hassle factor may even be higher.
Phishing and Linux
While Linux, in and of itself, does nothing to protect you from phishing emails, you can be protected by not doing email while running Linux.
Randy Abrams, the Director of Technical Education at ESET (the company behind NOD32) recently said "NEVER click on a hyperlink to your Banks Website. If you receive an email from your bank, that you are positive, beyond any doubt, came from your bank, do not click on any hyperlinks. The rule is NEVER click on hyperlinks to your banks web site."
Why such caution? Better safe than sorry, for one. It can be very hard to determine if an email message is legitimate. The FROM address, for example, is easily forged. Copying images from a bank website into an email message is also trivial.
And the bad guys have lots of experience with scams making things look legit and reasonable is their stock in trade. You can practice detecting scams at the SonicWALL Phishing and Spam IQ Quiz.
Links in email messages can appear to go one place, but actually take you somewhere else. Long ago I documented some of the technical tricks employed to do this on the Links that Lie page on my personal website.
For online banking, the safest approach is to start out at your banks website by typing in the home page address manually.
Even FBI Director Robert Mueller recently admitted that he almost fell for a phishing scam after reading an email message that appeared to come from his bank. As he put it "They had mimicked the e-mails that the bank would ordinarily send out to its customers; they'd mimicked them very well." He came clean to his wife and tried to pass it off as a "teachable moment." She would have none of that and no longer lets him do online banking with their money.
It's a cute, funny story, except for this. Mueller is quoted as saying that he considers online banking "very safe." I disagree.
Online Banking Protections
Lets assume the worst has happened: an online banking account is victimized by fraud and funds are transferred out of the account by malicious software and/or people.
The rules for who gets left holding the bag, are different for businesses and consumers. Brian Krebs wrote about companies that suffered real, substantial losses. In some cases, banks agreed to cover some of the losses, but they didn't have to.
If you do online banking, you would be well served to read the fine print.
Consumers that bank with Chase, for example, are covered for unauthorized online use of a deposit account, if they inform Chase within two days of discovering the usage. What if you get a bank statement in the mail on Monday, open it on Friday and call Chase on Friday? Is that the same day you discovered it or does the clock start ticking on Monday?
Chase will not cover losses resulting from "Failing to completely exit the service when you're done with your session or away from your computer" or if you are "negligent handling of your User ID and Password."
Anyone can download a copy of Linux for free and burn it to a CD. In fact, Canonical, the company behind Ubuntu, will go so far as to ship you a CD for free.
You can also make your own bootable copy of Linux on a USB flash drive or memory card. But, if you'd rather not, you can order many different Linux distributions on either a CD, USB flash drive, CF card or SD card at On-Disk.com.
But which Linux? There are more distributions than grains of sand on a beach (in Linux lingo a distribution is a version or an edition). I suggest Ubuntu simply because its mainstream. The SANS white paper argued for Xubuntu. The most important thing you need to know is that not all distributions include Firefox. Both Ubuntu and Xubuntu ship with Firefox pre-installed.
Nothing is Perfect
Even if you bank exclusively from Linux, setting up alerts offers an extra level of safety. Check if your bank can automatically send you an email or text message whenever money over a certain amount leaves your account or when your account falls below a certain dollar amount.
Randy Abrams points out that booting Linux from a CD will not protect you from hardware based keystroke loggers. But, then he says "If you have a hardware keystroke logger on your computer you have much bigger problems." Indeed.
And Firefox is still Firefox, even running under Linux. For maximum safety, only access one website at a time. With multiple tabs open, there's always a chance that one site can peek into activity in another tab.
Firefox under Linux is also vulnerable to malicious DNS servers. The best defense against this is changing the password in your router to foil automated software that exploits the default router password. I also suggest configuring your router to use DNS servers from OpenDNS rather than the DNS servers from your ISP. OpenDNS offers assorted enhanced protections.
When Linux is running from bootable media (CD, USB flash drive, memory card) it may be able to see the files on the internal hard drive (depending on the distribution). For maximum safety, you can logically dis-mount the hard drive from within Linux, making it invisible to any malicious or compromised websites.
In conclusion, let me point out that software can only do so much. I've been blogging for a while on Defensive Computing and have always felt that education was a big part of it. Forced to summarize Defensive Computing in as few words as possible, it would be "always be skeptical."