A different topic: online banking security.
I have become interested in this, because I am a user of online banking services myself, and because of an increased number of incidents, involving decent banks.
Personally, I do business with a number of banks. I only use online banking when a few basic requirements are met:
- It is all web based
- No installation of local functionality (applet, ActiveX) is required
- No Java involved on the client
- Security is partially based on external, real world items like a randomizer, hash value calculator and codes. About the codes: a code I only know, and never have to enter in the web dialogue.
With this set of requirements, I believe it is pretty secure to do online banking. Basic (but thorough) computer security measures remain required. This can be summarized as:
- Prevent unwanted visits from the internet to my own network: firewall
- Prevent all kinds of executable code and programs to be active on my computer without my consent: virus and spyware prevention, detection and removal
- Prevent executable code and programs to contact the outside world from my computer. This is of particular importance when trying to prevent the online banking session from being tampered. Can be realized with a good firewall.
- Prevent myself from sending data to websites pretending to be my online banking portal. This stretches from not answering phishing mails to checking the url related to a secure http session.
- Keep myself and the systems up to date. Automatic updates, read the security bulletins by software vendors and banks (and act upon it), read other security publications.
Still, I want to stay ahead of the enemy. Many people have been thinking about this, and a frequently heard approach is this:
- Startup the pc from a cd / dvd, including OS and all required software (internet browser). The cd / dvd is a read-only medium that should contain a minimalistic OS together with related software, from a trusted source.
- Connect to the online banking portal, perform the actions, and shut the whole lot down
- Reboot the pc, but then in the usual way.
Using this method, all data related to the online banking session is forgotten after reboot (provided that the bootable cd is only allowed to use the computer's hard drive as a ram disk). It also prevents malicious sowftare from being persistent on your computer. Please note that I am taking big steps here: there are many potential risks and threats to take into consideration.
What I have been checking so far, is:
- What possibilities are there to start an operating system (including a graphical desktop / frontend) entirely from a cd or a dvd?
- What possibilities do I have to customize this? For example, I would like to burn fixed network and proxy settings on this bootable cd, that comply with my LAN
- Which applications can I include on the bootable cd and how do I do this?
This is what I want to do:
- Create a custom, bootable cd that starts without using the hard disk (except as a ram disk)
- Have network connectivity by default, using fixed network settings for my network
- Have a good personal firewall configured and started from the bootable cd, providing basic security and web access control
- Give the pc, when booted from cd, a fixed, unique IP-address. The other components in my network will take care that this pc (using this IP-address) can only visit the online banking portals. The portals have been closed for access by other devices on my network.
- All without having to load additional settings after booting from cd.
So, we need to have a set of OS and applications that can do this, and do have the possibility to customize the settings and make a new bootable cd out of this.
Possibilities:
- Windows based. That would require a “Windows Preloaded Environment“. This is available, but not to the general public. Basically the only option is a product called BartPE, that allows for making customized bootable cd's that contain a bootable version of Windows. I tried this, and found some problems with packaging drivers for my hardware.
- Linux based. There are many Linux Live products, that boot from cd. Most of the products boot without any problem, including loading the correct drivers. There is one product that seems very promising: Puppy Linux:
- Boots from a cd. A number of versions have been prepared, ranging from minimalistic to complete.
- When booted from cd, it provides a wizard-like application that lets you compose a customized, bootable cd. Very powerful.
Incomplete research results in BoothCD. A Linux live-cd implementing a web-kiosk. Upon boot, a closed system is started, only capable of showing a Firefox-screen. The built-in proxy server allows for black lists and white lists. The product is based on Knoppix, DSL and various open source Linux applications. Configuration of the web kiosk is done via remastering of the live-cd. For more information, visit http://sourceforge.net/projects/boothbox