I guess I'm in the minority on this one, because I see using Live CDs
for banking as a terrific move that adds a lot of security.

Here are my reasons:
1) It's not practical to target the 'environment', because that means
infiltrating an organization like Canonical for example and somehow
getting a piece of malware pushed all the way through the testing and
production channels onto the end product.  That's not a realistic option
for attackers in my opinion.
2) The live environment is only used for banking - no google, no
e-mail, no cnn - only banking.  This means one web browser, one tab,
just banking.  This means that cross site scripting is impossible
unless the bank's website gets attacked and has a stored XSS shoved
into it.  In that case it wouldn't matter if you were using a live cd
or not, because you're in trouble.

I really only see two downsides:
1) The Live CD environments don't have the level of logging that a
persistent OS does - this can be mitigated through good network
logging procedures.
2) Patches - Live CDs become dated quickly - however, with good
default policies on the Live CD you can mitigate some of this risk
(firewall doesn't allow inbound traffic that isn't related or
established for example).



On Mon, Oct 19, 2009 at 3:49 AM, Jim Halfpenny <[email protected]> wrote:
>
>
> 2009/10/18 Dale Stirling <[email protected]>
>>
>> This is definitely a short term fix as if this becomes a major trend it
>> will just shift the attackers' focus to the OS's on these live CD's.
>>
>> Then we are in the same position that we are now having users that
>> have a false sense of security from a quick fix that had a limited
>> life span.
>>
>> As said before I think a patched system and user education are the way to
>> go.
>>
>
> I can see where the banks are coming from with this, since it may be
> possible to safely use a computer infected with current banking trojans
> when booting from a live CD. Penetration into the market will probably be
> low so malware pushers may not target this platform. However, even if this
> were a minimal environment which auto-updated on boot up I reckon this
> would be too slow for Joe Blow. I have doubts whether people would reboot
> into a different OS in order to gain some additional security.
>
> Jim
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>