LinuxQuestions.org


robuust 02-05-2010 04:36 AM

Internet banking usb stick setup
 
I'm a Linux newbie; I've tried Ubuntu, Debian, and Fedora so far. My parents are using the same (Windows) laptop for internet banking as my little brother does for doing all sorts of dangerous things.

So I thought I'd create a persistent bootable Linux USB stick just for internet banking.

It has to:
- be a stable and secure distribution.
- have a good automatic update manager.
- boot fast enough.
- easy to set up.

Any thoughts on which distro would suit my needs? I'm thinking of Ubuntu.
Should I use firefox or chrome, or any other browser?
Should I use apparmor? How easy is this to set up?
Should I use a firewall like iptables? How easy is this to set up?
Should I disable unneeded services? Or doesn't this make my distro more secure?

Links to simple newbie guides to Linux security are appreciated.

Jim Bengtson 02-05-2010 09:30 AM

Quote:

Any thoughts on which distro would suit my needs? I'm thinking of Ubuntu

Any major distro that has a live CD and comes with a browser should work.

Quote:

Should I use firefox or chrome, or any other browser?

Depends more on your bank than anything else...if firefox and chrome both work, then it's really your personal preference that matters.

Quote:

Should I use apparmor?

Probably not necessary, but if you want to use it, Ubuntu 9.10 ships with an apparmor profile for firefox...you just have to enable it:
https://help.ubuntu.com/community/AppArmor#How%20can%20I%20enable%20AppArmor%20for%20Firefox?

Quote:

Should I use a firewall like iptables? How easy is this to set up?

If you're installing all of this on a USB stick, it's conceivable (though highly unlikely) that a cracker could modify the files on the stick, so a firewall would be a good thing. Ubuntu 9.10 ships with a firewall (ufw), but that's a command-line interface. A graphical interface is also available:
http://linuxbsdos.com/2009/11/07/ins...n-ubuntu-9-10/


Or you could just use the Live CD instead of a USB stick...the live CD media can't be modified, so you don't have to worry about a cracker changing your files, or catching a virus, since everything's in memory only, and it all goes away when you turn the PC off.

There's further discussion on this topic here.

robuust 02-05-2010 09:48 AM

Quote:

Originally Posted by Jim Bengtson (Post 3853879)
Or you could just use the Live CD instead of a USB stick...the live CD media can't be modified, so you don't have to worry about a cracker changing your files, or catching a virus, since everything's in memory only, and it all goes away when you turn the PC off.

I've read about live CDs, but I'm not going to burn a new CD every time there's an update available.

What's worse, using a (most likely) outdated Ubuntu CD, or risk the chance of malware writing to my usb stick?

Jim Bengtson 02-05-2010 10:58 AM

Quote:

What's worse, using a (most likely) outdated Ubuntu CD, or risk the chance of malware writing to my usb stick?

That depends on how often you update your Ubuntu. I know that updates come out all the time for various and sundry Linux programs. The security updates are of particular concern, as you want to have your Linux PC secured against these holes. But many (perhaps all?) of these holes are not applicable to a LiveCD, as the media is not writable. Correct me if I'm wrong, but most security holes allow a cracker to take over root control of the PC and change, upload (keyloggers), or download files (password files, etc.). But on a LiveCD, you can't change the files, and the password is only valuable if you happen to be running the LiveCD at the time the cracker tries to log on.

So they can't install a keylogger onto your LiveCD, which means they can't capture your banking or password information by that means. They could still intercept your traffic to the bank, but that should be encrypted anyways (and I believe they try to crack encryption by changing your files to enable a man-in-the-middle attack...and they can't change your files on a LiveCD).

Therefore I don't think it's as imperative to install updates, even security updates, on a LiveCD as it is on a normal Linux PC.

So what's worse: using a (most likely) outdated Ubuntu CD that crackers can't touch, or risk the chance of malware writing to my usb stick?

You decide.

linus72 02-05-2010 11:17 AM

Maybe check out Privatix
http://distrowatch.com/table.php?distribution=privatix

Incognito
http://distrowatch.com/table.php?distribution=incognito

anomie 02-05-2010 11:37 AM

Quote:

Originally Posted by robuust
It has to:
- be a stable and secure distribution.
- have a good automatic update manager.
- boot fast enough.
- easy to set up.

Any thoughts on which distro would suit my needs? I'm thinking of Ubuntu
Should I use firefox or chrome, or any other browser?
Should I use apparmor? How easy is this to set up?
Should I use a firewall like iptables? How easy is this to set up?
Should I disable unneeded services? Or doesn't this make my distro more secure?

Virtually any Linux live CD/USB distribution that comes with a web browser could fit that bill. But I wouldn't rely on the user (your parents) to run security updates.

A few possible considerations that I'd focus on:
  • Have your parents memorized their WPA2 password? If not, you might provide it, in a GnuPG or OpenSSL-encrypted file on the live distro.
  • Have your parents memorized their bank password(s)? Same as above.
  • Read-only media (CD) would be safer than read-write media (USB drive).
  • An iptables ruleset could drop all (new) inbound traffic, and allow only outbound traffic for DNS lookups and http/s.
  • You could further control http/s traffic by forcing them through a localhost http proxy, and setting up an ACL that only permits access to their bank's domain.

Sound good? On the other hand, if you're a complete beginner, simply having them use a Linux live CD for banking will be several orders of magnitude safer than their communal Windows laptop. (Even if you only burn an updated Linux live CD every year.)
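
The iptables ruleset and proxy-forcing idea from anomie's list above, sketched as an added example that is not part of the original thread. The script name `banking-fw.sh` and the proxy account name are assumptions; DHCP is not covered because the post lists only DNS and http/s, and the bank-domain ACL itself lives in the proxy's configuration, not in iptables.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables-restore ruleset:
# no new inbound traffic; outbound limited to DNS lookups and http/s.
# Optional $1 = account the localhost proxy runs as (hypothetical, e.g. "proxy").
# When given, only that account may open http/s connections, so the browser
# has to go through the proxy, where the bank-domain ACL is enforced.
banking_rules() {
    proxy_user="${1:-}"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: local services, including browser-to-proxy traffic.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this machine opened. New inbound hits the DROP policy.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound DNS lookups (UDP, with TCP for large answers).
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
EOF
    web='-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW'
    if [ -n "$proxy_user" ]; then
        # Owner match: only sockets created by the proxy account may leave.
        printf '%s -m owner --uid-owner %s -j ACCEPT\n' "$web" "$proxy_user"
    else
        printf '%s -j ACCEPT\n' "$web"
    fi
    # Anything else outbound is logged before the DROP policy applies.
    printf '%s\n' '-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "banking-out-drop: "'
    printf 'COMMIT\n'
}

# Print the ruleset when run as: sh banking-fw.sh print [proxy_user]
# Load it (as root) with:        sh banking-fw.sh print | iptables-restore
if [ "${1:-}" = "print" ]; then
    banking_rules "${2:-}"
fi
```

Running `iptables-restore --test` on the output first parses the ruleset without committing it.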

jschiwal 02-05-2010 11:43 AM

If you use an SD card, you can use the read-only switch to disable writing. Also, when booting and running off read-only media, there isn't as much worry about most exploits that pop up because they won't be able to become persistent. Even root can't write to a CD or an SD that has the write mode switched off.

repo 02-06-2010 06:44 AM

How about running Linux in a virtual machine?

jschiwal 02-06-2010 10:41 AM

repo: That may not work because if the machine is compromised, the cracker has access to the internet traffic of the host machine which the guest uses.


All times are GMT -5.