Avoid Windows Malware: Bank on a Live CD
http://voices.washingtonpost.com/securi ... nk_on.html
An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.
The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online.
I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way.
But regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer.
Why is the operating system important? Virtually all of the data-stealing malware in circulation today is built to attack Windows systems, and will simply fail to run on non-Windows computers. Also, the Windows-based malware employed in each of these recent online attacks against businesses was so sophisticated that it made it extremely difficult for banks to tell the difference between a transaction initiated by their customers and a transfer set in motion by hackers who had hijacked that customer's PC.
I'm not the only one recommending commercial online banking customers consider accessing their accounts solely from non-Windows systems. The Financial Services Information Sharing and Analysis Center (FS-ISAC) - a industry group supported by some of the world's largest banks -- recently issued guidelines urging businesses to carry out all online banking activities form "a stand-alone, hardened and completely locked down computer system from where regular e-mail and Web browsing is not possible."
In direct response to this series reported and published by Security Fix, the SANS Technology Institute, a security research and education organization, challenged its students with creating a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. Their conclusion? While there are multiple layers that of protection that businesses and banks could put in place, the cheapest and most foolproof solution is to use a read-only, bootable operating system, such as Knoppix, or Ubuntu. See the SANS report here (PDF).
Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-Rom. The beauty of Live CD distributions is that they can be used to turn a Windows-based PC temporarily into a Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes - such as browsing history or other activity -- are compeltely wiped away after the machine is shut down. To return to Windows, simply remove the Live CD from the drive and reboot.
More importantly, malware that is built to steal data from Windows-based systems won't load or work when the user is booting from LiveCD. Put simply: even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, that malware can't capture the victim's banking credentials if that user only transmits his or her credentials after booting up into one of these Live CDs.
The Arc of Steuben, a Bath N.Y.-based not-for-profit that provides care for developmentally disabled adults, has taken this advice to heart. In September, I wrote about how thieves had used malware to steal nearly $200,000 from the organization. Since then, the organization has restricted access to its online bank account to a Linux system on its network, according to an Oct. 1 report in the local Star Gazette.
"I would strongly recommend looking at whatever systems you're using if you're doing electronic banking," the Gazette quotes Bernie Burns, the Arc's executive director. "And if it is a Microsoft system, perhaps looking at something different."
Of course, a Mac computer would probably work just as well, but the focus here is on Windows users who may be looking for a cheap way to harden their existing setup to avoid malicious software.
If you've never used a Live CD and are interested in learning how, or if you just want to take a Linux operating system for a test drive, check out my tutorial on this topic here.