LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-05-2010, 04:36 AM   #1
robuust
LQ Newbie
 
Registered: Jul 2009
Posts: 13

Rep: Reputation: 0
Internet banking usb stick setup


I'm a Linux newbe, i've tried Ubuntu, Debian, and Fedora so far. My parents are using the same (windows) laptop for internet banking, as my little brother does for doing all sorts of dangerous things.

So I thought I'd create a persistent bootable linux usb stick just for internet banking.

It has to:
- be a stable and secure distribution.
- have a good automatic update manager.
- boot fast enough.
- easy to set up.

Any thoughts on which distro would suit my needs? I'm thinking of Ubuntu
Should I use firefox or chrome, or any other browser?
Should I use apparmor? How easy is this to set up?
Should I use a firewall like iptables? How easy is this to set up?
Should I disable unneeded services? Or doesn't this make my distro more secure?

Links to simple newbe guides to Linux security are appreciated.

Last edited by robuust; 02-05-2010 at 05:01 AM.
 
Old 02-05-2010, 09:30 AM   #2
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Any thoughts on which distro would suit my needs? I'm thinking of Ubuntu
Any major distro that has a live CD and come with a browser should work.

Quote:
Should I use firefox or chrome, or any other browser?
Depends more on your bank than anything else...if firefox and chrome both work, then it's really your personal preference that matters.

Quote:
Should I use apparmor?
Probably not necessary, but if you want to use it, Ubuntu 9.10 ships with an apparmor profile for firefox...you just have to enable it:
https://help.ubuntu.com/community/AppArmor#How%20can%20I%20enable%20AppArmor%20for%20Firefox?

Quote:
Should I use a firewall like iptables? How easy is this to set up?
If you're installing all of this on a USB stick, it's conceivable (though highly unlikely) that a cracker could modify the files on the stick, so a firewall would be a good thing. Ubuntu 9.10 ships with a firewall (ufw), but that's a command-line interface. A graphical interface is also available:
http://linuxbsdos.com/2009/11/07/ins...n-ubuntu-9-10/


Or you could just use the Live CD instead of a USB stick...the live CD media can't be modified, so you don't have to worry about a cracker changing your files, or catching a virus, since everything's in memory only, and it all goes away when you turn the PC off.

There's further discussion on this topic here.
 
1 members found this post helpful.
Old 02-05-2010, 09:48 AM   #3
robuust
LQ Newbie
 
Registered: Jul 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Jim Bengtson View Post
Or you could just use the Live CD instead of a USB stick...the live CD media can't be modified, so you don't have to worry about a cracker changing your files, or catching a virus, since everything's in memory only, and it all goes away when you turn the PC off.
I've read about live CD's, but I'm not going to burn a new CD every time there's an update available.

What's worse, using a (most likely) outdated Ubuntu CD, or risk the chance of malware writing to my usb stick?
 
Old 02-05-2010, 10:58 AM   #4
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
What's worse, using a (most likely) outdated Ubuntu CD, or risk the chance of malware writing to my usb stick?
That depends on how often you update your Ubuntu. I know that updates come out all the time for various and sundry Linux programs. The security updates are of particular concern, as you want to have your Linux PC secured against these holes. But many (perhaps all?) of these holes are not applicable to a LiveCD, as the media is not writable. Correct me if I'm wrong, but most security holes allow a cracker to take over root control of the PC and change, upload (keyloggers), or download files (password files, etc.). But on a LiveCD, you can't change the files, and the password is only valuable if you happen to be running the LiveCD at the time the cracker tries to log on.

So they can't install a keylogger onto your LiveCD, which means they can't capture your banking or password information by that means. They could still intercept your traffic to the bank, but that should be encrypted anyways (and I believe they try to crack encryption by changing your files to enable a man-in-the-middle attack...and they can't change your files on a LiveCD).

Therefore I don't think it's as imperative to install updates, even security updates, on a LiveCD as it is on a normal Linux PC.

So what's worse: using a (most likely) outdated Ubuntu CD that crackers can't touch, or risk the chance of malware writing to my usb stick?

You decide.
 
Old 02-05-2010, 11:17 AM   #5
linus72
Guru
 
Registered: Jan 2009
Location: Gordonsville-AKA Mayberry-Virginia
Distribution: PocketWriter/MinimalX
Posts: 5,059

Rep: Reputation: 330Reputation: 330Reputation: 330Reputation: 330
maybe check out Privatix
http://distrowatch.com/table.php?distribution=privatix

Incognito
http://distrowatch.com/table.php?distribution=incognito
 
Old 02-05-2010, 11:37 AM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Lightbulb

Quote:
Originally Posted by robuust
It has to:
- be a stable and secure distribution.
- have a good automatic update manager.
- boot fast enough.
- easy to set up.

Any thoughts on which distro would suit my needs? I'm thinking of Ubuntu
Should I use firefox or chrome, or any other browser?
Should I use apparmor? How easy is this to set up?
Should I use a firewall like iptables? How easy is this to set up?
Should I disable unneeded services? Or doesn't this make my distro more secure?
Virtually any Linux live cd/usb distribution that comes with a web browser could fit that bill. But I wouldn't rely on the user (your parents) to run security updates.

A few possible considerations that I'd focus on:
  • Have your parents memorized their WPA2 password? If not, you might provide it, in a GnuPG or OpenSSL-encrypted file on the live distro.
  • Have your parents memorized their bank password(s)? Same as above.
  • Read-only media (cd) would be safer than read-write media (usb drive).
  • An iptables ruleset could drop all (new) inbound traffic, and allow only outbound traffic for DNS lookups and http/s.
  • You could further control http/s traffic by forcing them through a localhost http proxy, and setting up an ACL that only permits access to their bank's domain.

Sound good? On the other hand, if you're a complete beginner, simply having them use a Linux live cd for banking will be several orders of magnitude safer than their communal Windows laptop. (Even if you only burn an updated Linux live cd every year.)

Last edited by anomie; 02-05-2010 at 11:39 AM.
 
Old 02-05-2010, 11:43 AM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
If you use an SD card, you can use the read-only switch to disable writing. Also booting and running off a read-only media, there isn't as much worry about most exploits that pop up because it won't be able to become persistent. Even root can't write to a CD or an SD that has the write mode switched off.
 
1 members found this post helpful.
Old 02-06-2010, 06:44 AM   #8
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Linux Mint
Posts: 8,501

Rep: Reputation: 883Reputation: 883Reputation: 883Reputation: 883Reputation: 883Reputation: 883Reputation: 883
How about running linux in a virtual machine ?
 
Old 02-06-2010, 10:41 AM   #9
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
repo: That may not work because if the machine is compromised, the cracker has access to the internet traffic of the host machine which the guest uses.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Slackware64-current installation via usb stick hangs before setup mr_mandrill Slackware - Installation 9 09-11-2009 09:21 AM
Internet banking setup robuust Linux - Security 7 07-10-2009 01:28 PM
how to setup Huawei E170 HSPA USB stick modem in fedora 8 uxan Fedora 1 05-04-2009 02:17 AM
Cannot setup wireless usb stick(possible problem with driver) eap Linux - Networking 3 12-28-2008 02:39 PM
how to setup mandrake 10.1 to boot from usb stick? s.mcclatchie Mandriva 1 12-31-2005 09:01 AM


All times are GMT -5. The time now is 09:22 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration