Quest for a good boot CD for Internet banking

NOTE: post updated Jan 3 2008

In all likelihood, you, or someone close to you, has a computer that is infected with a Trojan horse program. Current estimates are that at least 50% of home computers running Microsoft Windows are infected. These programs, such as the Gozi Trojan I described here, are being used to steal identity information, such as bank account numbers and passwords. And, the bad guys are getting very good at using that information to create forged bank cards and to conduct fraudulent transactions with your money.

Even careful Internet users are at risk. When a new computer is connected to the Internet, it will be attacked by active scanners within 5 minutes and any vulnerabilities will be exploited. Newer Trojans can also infect users when they simply visit compromised web sites, without the knowledge of the web site owner or the end user. Anti-virus software is not completely effective in detecting these bad programs, and new Trojans are launched every day.

So, how can we continue to do financial transactions, such as Internet banking, in the face of these threats? The problem is that the personal computer is a general purpose machine that is good for banking, but it also can be used for lots of other things at the same time, such as running Trojan programs. What we need is a computer that will only do Internet banking when we are doing financial transactions.

One practical solution is to reconfigure your computer for financial transactions so that there is less likelihood that it will be running bad programs during your banking session. This is where “boot CDs” (also called Live CDs) come in. By starting the computer with a boot CD, we can configure it in a way that is safer for financial transactions. We can start a fresh operating system and a clean Internet browser and, since CDs are read-only devices, the CD can never get infected and will always be clean. At least one bank is starting to distribute Live CDs to their customers.

I am currently looking for Live CDs that are suitable for Internet banking. I don’t know of any Live CDs that provide a Windows environment, and Windows computers can be infected very quickly, so I am looking at Linux. Most of the major Linux distributions will boot and run from the CD. These Live CDs tend to start a complete, full-featured Linux environment in order to show off all the features of the distribution, and to support a full install on the hard drive. This slows down the boot time and makes for a complicated, unfamiliar user interface. What we need is a minimalistic Live CD that only starts the programs we need to do our Internet banking.

Over the past few weeks I have acquired a collection of Live CDs, and quickly developed a list of requirements:

  • easy enough to use so that I can give them away and not receive phone calls when things go wrong
  • quick boot up
  • automatic configuration of the network
  • automatic launch of the browser, or at least obvious to find
  • a familiar browser, such as Firefox 2
  • should have browser extensions installed, at least Flash and PDF

When trying Live CDs with these characteristics, I have also uncovered a number of problems areas:

  • doesn’t work on all machines. I use both brand new Dell computers and old, generic ones. Some of the Live CDs don’t work on all the computers I try them on, most notable the Dells
  • low screen resolutions, sometimes as low as 640 X 480, with now way to make changes. Resolution should be at least 1024 X 768 and, ideally, be easily adjusted by the user at boot time, or once the system is started
  • monitor refresh rates greater than 60 Hz. Many distributions only support a 60 Hz refresh rate, which works on LCD screens but looks terrible on older CRT monitors.
  • bad browser fonts. The default fonts used within Firefox often look terrible in Linux distributions until the user configures the computer and browser. The Live CD should come with a good set of fonts.
  • support for wireless networks. Most Live CDs can automatically detect and configured a wired network, but I have yet to find one that will work with a wireless network. This is crucial for people using laptops.

Here are the Live CDs I have found so far, with some comments. I group them into small, special purpose offerings, and large Linux distributions. I am updating the list and the comments as I learn more.

Small Environments

  • Webconverger 2.14 (http://webconverger.com/) is my current favorite. It boots quickly and restricts the user to a Firefox browser. It seems to do a good job at setting the monitor to the maximum resolution and refresh rate. In fact, on one test machine I would have preferred 1024 x 768 on the cheap monitor instead of the 1280 x 1024 that was chosen, but the display was good. (On another new Dell machine, however, the resolution was set to 640 x 480 instead of the 1280 x 1024 that the LCD can display.) Flash, PDFs, and sound seem to work. My only complaints are that some of the familiar shortcut keys don’t work in the browser: CTRL-+ and CTRL– for controlling the font size, CTRL-T and CTRL-W for creating and closing tabs, and CTRL-K to get to the search form, and CTRL-L for moving to the address bar.

    UPDATE: Webconverger 2.36 tried on Jan 3 2008: I just tried out this boot CD on a number of machines and it worked great. It did a good job of selecting a video resolution and frame rate on different types of monitors. I did run into a problem booting an HP Compaq desktop machine, but a quick Google search showed that this model has problems with all Linux distributions until you add acpi=off to the boot parameters. This is now easy to do in Webconverger.

  • cl33n (http://cl33n.com/) boots quickly and launches Firefox automatically. In fact, it will only run Firefox. This environment works well, but it will not refresh the screen faster than 60 Hz and so does not handle CRT monitors. Also, sound does not work for me and Flash is not installed, but it can be.
  • Damn Small Linux (http://www.damnsmalllinux.org/) did not work on my newest Dell machines and suffers from the 60 Hz problem
  • KioskCD (http://www.kioskcd.com/) have not tried it yet
  • Hospitality Machine Kiosk 1.0 (http://www.hospitalitymachine.co.uk/HospitalityMachineKiosk.htm) had problems on both machines I tested it on. On one machine it could not do a DHCP configuration on the network, similar to the SLAX offering. Most other environments do work on this machine. On the second machine the software would not boot, complaining that it could not find the Knoppix file system. (Note: I ran into the same problems with version 1.1.)
  • SLAX 5.1.81.1 (http://www.slax.org) boots into text mode and requires the user to login as root. The user then runs xconf and startx to bringup the graphical environment, which does result in a good resolution and refresh rate. The browser is Konqueror, which is rather unfamiliar. On one of my test systems, the network was not configured using DHCP.

Complete Distributions

  • Dreamlinux 2.2 RC3 (http://www.dreamlinux.com.br/english/index.html) is good at handling screen resolutions and refresh rates. During the boot process, the user is asked to choose the resolution and the refresh rate is automatically set correctly for LCD and CRT monitors. This is a complete Linux environment so the interface is a bit complex, but the Firefox browser is easy to find, the fonts are OK, Flash is installed, and sound works. It appears that a PDF viewer is not configured in Firefox by default, however. If you can handle choosing the resolution at boot time and a full Linux interface, I recommend this one.
  • Knoppix (http://www.knoppix.org/) is a full Linux environment with a large collection of system and network tools designed for advanced users. I was able to set screen resolutions that I like and the system works well.
  • Adiosweb 7.3 (http://os.cqu.edu.au/adios/adiosweb.html) is very close to a full Linux environment. The user has to make two rounds of decisions at boot time, and then login using a obscure password. The screen resolution was OK at startup and is configurable through the GUI interface. The fonts used within the web browser were not ideal, but this might be a good choice.

If you have any comments on these solutions or you know of other boot CDs to try, please let me know.

32 thoughts on “Quest for a good boot CD for Internet banking”

  1. Update on Dreamlinux: it does not appear to come with a PDF viewer enabled in Firefox, so I am not able to view bank statements. Not good.

  2. Pingback: Natalian » Blog Archive » Localized Webconverger

  3. I use SimplyMepis and it work fine for me.

    Perhaps should you look “vmware player” or “vmware server”, it could be a good alternative to boot cd but without reboot ๐Ÿ˜‰

    Yves.

  4. @ Yves

    I tried Mepis a while ago and liked the distribution, but I have not tried it as a Live CD recently.

    The problem with VMware, other than complexity for naive users, is that if the host PC is deeply infected with a key logger, it may not offer protection.

    If anybody knows more about the vulnerability of virtual machines to key loggers and other attacks on the host machine, I would love to hear about it.

  5. I too have checked out Dreamlinux and am leaning towards this one for my live CD of choice. Yes out of the box it does not come installed with a pdf viewer but you did not mention one of the very strong points to this distro, perhaps you are not aware of it. Dreamlinux is a mix of Debian with Morphix, the developers of Dreamlinux have enhanced and re written some of the scripts found in Morphix used for remastering your live CD using the scripting language Ruby; They call the application MkDistro LiveRemaster. I have not used it yet but am going to give it a try tomorrow. It seems to be very easy to use and also looks to be very polished. They also have several very well written tutorials on the use of many of the utilities provided in Dreamlinux. You can modify the distro during a live session by adding and removing software and even drivers and then using this application burn your personalized version of Dreamlinux. Before I do mine I want to learn more about Tor and include that.
    Robert

  6. @robert3353

    Let us know how you make out with customizing your own version of a Dreamlinux Live CD. Configuring one with all the tools needed for safe banking would be valuable.

  7. Ad Keyloggers: I think it would be nice if some of these ditros provided on-screen-keyboard.

    For paranoics with possibility to scramble characters ๐Ÿ™‚

  8. Andrew,

    I realize this article is a bit old, but it was just posted at Calendar Of Updates (http://www.dozleng.com/updates/index.php?showtopic=15784).

    I know you said you didn’t find any Windows Live CDs out there, but did you explore Windows Live CD builders?

    Bart’s PE Builder and WinBuilder are two that work at building a fully graphical, fully networked PE image of Windows (usually, but not limited to, XP) that could also be a great alternative, especially for those with no *nix experience as well as for those few institutions that still demand IE / any other Trident based browser / Any ActiveX enabled browser to conduct banking.

    Just a though.

  9. Hi Andrew

    Just wondering why you can’t use 60Hz refresh? I wouldn’t use it all the time, but just for a banking session I don’t see what’s wrong with it.

    -fred

  10. @freddyzdead

    Thanks for the comment.

    Yes, you could use a boot CD at 60Hz video refresh rate, but it really does look awful on some CRT monitors.

    On one of my monitors at home, a large warning message about a non-recommended refresh rate is displayed and must be dismissed by pushing a button on the monitor before you can continue.

    Also, if we are going to ask people to use a boot CD for Internet banking, I would want it to be as convenient as possible and it should look as good as their normal system. If it does not, then there is going to be resistance to using it.

  11. Pingback: Andrew Patrick » Another Trojan program for Internet banking fraud

  12. A highly secure browser that boots from CD is a great idea. I’ve experimented with Webconverger, and it seems to work pretty well. Tougher experiments to come! I’ll keep in touch.

  13. Great public service you have performed here. The rootkit and web site exploit situation is exploding. Antivirus and Internet Security software can no longer keep up and are causing a false sense of security, at best.

    The last rootkit my laptop was infected with could not be removed safely – I had to wipe the drive clean and re-image. And I was lucky to even know it was there – most people don’t know they are infected. I was looking for a better solution such as Ironkey (Ironkey.com) and SmartRestart (http://www.smart-restart.com/) but those require a lot of setup and self-training to implemenet well. The boot CD is the answer for the average user and can be created and used quickly.

    I belive once the mass public becomes aware of how unsafe windows and the internet really are, your work will get all the recognition it deserves!

    Why isn’t there more mainstream media coverage for this massive problem?

  14. Kevin Mottershead

    I’m fond of BeaFanatiIX (formerly Beatrix) which is based on Knoppix. Basic linux package and apps roled up into a 200MB package. Boots on most anything including old hardware/laptops. http://bea.cabarel.com/

  15. Thanks for an interesting and updated blog!
    I think I’ll try Webconverger on a USB stick that the possibility to switch on write protection.
    Any suggestions anybody?

    Must say that Dreamlinux’s LiveRemaster is a very interesting concept. Maybe it also give you the possibility to apply security patches for a “Live USB”.

  16. I just tested the Ubuntu live CD on my Dell laptop (about 12months old).. it worked great.. Wireless was picked up straight away..

    Now my question is.. if all your doing is visiting a bank site, and with no where to store a virus.. is there any way someone could hack into your system?

  17. @Amit P

    Thanks for the comment. Using a Boot CD protects you from some forms of attacks (i.e., malware on your computer), but it does not provide 100% protection. Attacks that take place during the authentication and transactions with the bank, such as man-in-the-middle attacks, are still possible. Attacks based on DNS poisoning, where you end up at a false bank site, are still possible. And, if the Boot CD was built with faulty software, then there could be problems.

    So, the protection is not 100% fool-proof, but it is still much better than using a normal, possibly-infected PC.

  18. I’ve updated HospitalityMachine & HospitalityMachineKiosk some time ago, and rolled another distro for schools using a kiosk environmant (www.school-machine.org.uk). Both are being used successfully in various organisations & businesses. Feel free to have a look if interested!

  19. Pingback: Report: 48% of 22 million scanned computers infected with malware | Zero Day | ZDNet.com

  20. Interesting choices of LiveCd’s.

    There is an existing resource that is constantly updated
    http://distrowatch.com/dwres.php?resource=cd

    Dsl seems to have stalled a little but TinyCore is developing fast and seems designed for this type of use.

    Ubuntu would seem an obvious choice given that familiarity of interface is a stated goal. The FireFox icon is easy to spot. Lots of magazines give hints&tips about Ubuntu often alongside their Windows articles. Ubuntu does have a lot of extras you probably don’t need just to login to your bank, such as being able to easily open Office documents and email but these give more reason to use the Live Cd (or a full dual-boot install alongside Windows) & hence gain more familiarity with it.

    Knoppix is excellent at hardware detection so it handles a huge variety of different setups and can run on fairly old machines. It’s quite pretty to watch while its booting up. Wolvix is possibly an easier off-shoot of Slax & has a gui rather than command-line (so does Slax now), again it has excellent hardware detection, not quite as good as Knoppix tho. For really ancient machines such as PII there is always Puppy.

    For screenshots and details …
    http://distrowatch.com/table.php?distribution=ubuntu
    http://distrowatch.com/table.php?distribution=knoppix
    http://distrowatch.com/table.php?distribution=wolvix
    http://distrowatch.com/table.php?distribution=puppy
    or just try the main page at DistroWatch and navigate from there
    http://distrowatch.com

    Ubuntu and knoppix are safer and of course all boot-times have dropped drastically even in the last 6months

    Good luck and regards from
    Tom ๐Ÿ™‚

  21. I’m with phantomlistener. I’ve used Puppy Linux for almost 3 years now and love it. I’m using an old 800 mhz machine with 512MB of RAM and it runs like a greyhound. Take THAT, Windows 7!

    The one limitation of Puppy for this purpose is that it does not come with Firefox (though there are derivatives of Puppy that do). It comes with Mozilla Seamonkey, which is a community-supported continuation of the former Mozilla Suite. I will say that I can log into my bank’s online banking with it with no problem. In addition, there *are* install files available for installing Firefox, Opera and some other browsers. Puppy can create a file on your hard drive for storing settings, installed programs and such so you don’t have to wait for it to redetect hardware every time. And of course, you still get the greatly enhanced security (built-in from the ground up) of the Linux operating system.

  22. I’m amazed that there are not many more recent posts to this, given the seriousness of the issue and the wide-spread prevalence of online banking. I have used Puppy and Knoppix LiveCD and with some finagling, you can get the job done. There are a couple of problems. One is that my bank insists that there be a cookie on my computer or it will reject my login until I authenticate receipt of a special code via either email or my cell phone. So many steps, so little time. What a pain! The second problem is that I often use my online banking and my MS Money program at the same time. Oh, I know I can use open source financial software, instead. But you start to see the problem with having to install stuff everytime and/or getting software to run each time. Anyway, I’m not clever enough to get all this on one fine LiveCD but it would sure be nice. I have not yet checked on http://www.school-machine.org.uk but I’m curious enough to do so soon, Regards, all.

  23. For those new to the scene, or even old-time Puppy Linux users, you can configure your complete system, including network, firewall, printer, and any other setups.

    You can also get Puppy Linux variations (“puplets”) with programs such as OpenOffice which has an XLS-compatible spreadsheet program.

    (Note: On an older computer (especially Compaqs) you may get bad video after boot using Xorg video. Simply reboot and choose Vesa video.)

    For the Mozilla-based browser:

    Open /etc/fstab with a text editor and add these lines at the bottom:
    # Set 256MB RAM drive for tmp
    tmpfs /tmp tmpfs size=256M,noatime,mode=1777 0 0

    In your Mozilla-based browser’s address bar, type in:
    about:config
    Right-click in the main window and choose Add, String.
    Type in: browser.cache.disk.parent_directory
    For the value enter: /tmp/ff_cache

    Then, in Tools, Options, Network, set the browser to use a proxy (of 0.0.0.0) for all protocols, and add in exceptions for your bank’s site(s). Close your browser.

    Now open a terminal and ping your bank’s sites, including all of the sites used when you login/work with your account. Then edit your /etc/hosts file to include all of these IP addresses and URIs, each on a separate line. (if the bank changes it’s IP addresses later on, you will have to re-do this portion.)

    Then save that whole thing to an ISO file on the hard drive, USB, whatever by using the System, Remaster Puppy live-cd menu choice.

    Reboot Puppy Linux and make sure you save your personalized file to hard drive/USB/whatever.

    After reboot, open Multimedia, ISOMaster, open the ISO file and copy the /mnt/home/pupsave.* file into the ISO file.

    Burn that Puppy (no pun intended…) to CD, remove all drives on the computer other than the CD drive and Viola! You’ll be about as secure as you can get.

    It will run on any computer you can throw at it with 512MB of RAM or more, and will be freaking fast.

  24. Michael McDonald

    Andrew and Kai, thank you! I love the LiveCD distro http://webconverger.org/. It worked better for Internet Banking than the other Linux LiveCDs that I tried.

    Ubuntu and PCLinux worked fine but I found the install options too risky. My attempt to customize my Ubuntu LiveCD wasn’t successful (I am still trying).

    Knoppix is good LiveCD but it wasn’t as well suited for Internet Banking as webconverger.

    I had no trouble going to my Internet Banking sites. I love that Flash is preloaded. It is so easy to use that my Mom could use it. To shut off Webconverger, I just had to press the power button. I love the fact that there is no way that a user could inadvertantly install Linux on their hard drive (Ubuntu, PCLinux and others with “install” options).

    I will try the other features that you mentioned this weekend: pdf viewer; shortcut keys: CTRL-+ and CTRLโ€“ for controlling the font size, CTRL-T and CTRL-W for creating and closing tabs, and CTRL-K to get to the search form, and CTRL-L for moving to the address bar.

  25. I have had my remastered Linux version running in my pub for a couple of years now.

    It’s based on PCLinuxOS, and has been remastered to be a locked down kiosk type environment. I’ve posted above a couple of times, but to make things easy: http://www.hospitalitymachine.co.uk & http://www.school-machine.org.uk (navigate to the kiosk version in both cases).

    I have HospitalityMachineKiosk running in my bar on public terminals, and they have never given me any problems! I initially had insufficient RAM which resulted in the browser resetting/crashing, but I have since upgraded (1 GB), and things run smoothly.

    And as has been mentioned above by other posters, there is indeed a need for secure browsing environments. And a kiosk environment (as long as it is ‘true’ kiosk, with a fully locked down desktop, and a browser that is completely reset/flushed when closed) is ideal, so much so that if any members of our staff want to do banking or similar on the private, back office network, I direct them to the public kiosk terminals – they are THAT secure! ๐Ÿ™‚

  26. I’ve been using Linux Mint 9 live dvd.
    It works very well on my five year old Dell as well as on my T43 laptop.

Leave a Comment

Your email address will not be published. Required fields are marked *