Using a live distro for security-sensitive tasks

For discussions about security.
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Using a live distro for security-sensitive tasks

#1 Post by labbe5 »

Trying-live-distros asks: I have been told it is a good idea to use a live Linux distro for secure tasks, like banking. But doesn't software on a live distro get out of date? I know I could update some software every time I use the disc, but is this safe?

DistroWatch answers: The benefit of using a live distribution, particularly one run from read-only media, for security-sensitive tasks is that it gives you an isolated, clean slate. The idea is that it is unlikely the live media has been compromised by malware, a backdoor, a malicious local user, or a keylogger and that should mean you are working with a clean environment. The theory is that, by comparison, it is more likely your day-to-day operating system has picked up some form of malware or been remotely hijacked and the live media is hopefully giving you a fresh start.

The concern that software on the live media may be out of date and could be compromised by an attacker is valid. It is possible a malicious website could take over an unpatched web browser, or an attacker could take advantage of a remote security hole in your distribution, particularly if the live media has not been updated in a while.

With that being said, if you are working with a live environment that does not run any network services (or is behind a firewall) and you update all available packages before you use the web browser, then there are very few avenues an attacker can use to compromise your live session. At that point, about the only method of attack is through a kernel exploit (since the kernel on most distributions is not updated without a reboot) or new browser flaw and it is relatively unlikely that will be a problem if you are only using the live session long enough to do some on-line banking.

https://distrowatch.com/weekly.php?issue=20190401#qa

Containers, such as Firejail, will add another layer of security.

Further reading:
Wiping web browser changes from the system
https://distrowatch.com/weekly.php?issue=20190506#qa
Last edited by labbe5 on Mon 06 May 2019, 15:07, edited 2 times in total.

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#2 Post by tallboy »

At least I did one thing right, then! :lol:

I think there was a high-ranking police officer in Australia who, many years ago, said that the only safe OS for online banking was a live Puppylinux.
True freedom is a live Puppy on a multisession CD/DVD.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#3 Post by Lobster »

@tallboy it was
Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit

http://www.puppylinux.org/wikka/security

Puppy Linux
Bank on it
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#4 Post by Burn_IT »

He was a bright spark!!
I bet he charged a lot of people!!
"Just think of it as leaving early to avoid the rush" - T Pratchett

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#5 Post by tallboy »

Good find, labbe5, this is definitely a subject of increasing relevance.
Thank you for the link, Lobster, I couldn't remember where I had seen it.

You should also consider the advantages of a frugal install, very well explained by mikeslr in this brilliant post: http://murga-linux.com/puppy/viewtopic. ... 89#1023489

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#6 Post by rufwoof »

At each boot on a HDD frugal install I run a crude (quick) checksum against the MBR, grldr, vmlinuz, initrd, main sfs, save sfs. As good as booting from read-only IMO as to validating that you've booted a clean session. If I then go direct to a bank web site, nowhere else before or after, the attack vectors are relatively low. Personally I'd rather banks offered ssh based connections but most don't (??) and many seemingly fall short on even securing https.
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb: http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256
echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh (https://hashbang.sh)
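One way to script the per-boot checksum rufwoof describes, as an added example that is not his script: the file list, the manifest location and the disk device are assumptions, and the check is only as good as the media the manifest lives on.

```shell
#!/bin/sh
# Added example, not rufwoof's own script: a boot-time integrity check for a
# frugal install. A manifest of SHA-256 sums covers the boot sector (first
# 512 bytes of the disk: boot code plus partition table) and the boot files
# (grldr, vmlinuz, initrd, the main and save sfs, or whatever you list).
# Keep the manifest on media the running system cannot write, otherwise a
# tamperer can simply update it along with the files.
#   bootcheck.sh init   MANIFEST DISK FILE...   record the baseline
#   bootcheck.sh verify MANIFEST               compare at boot

# SHA-256 of the boot sector of disk $1 (e.g. /dev/sda).
mbr_sum() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Write the manifest: "SUM  MBR:DISK" first, then one "SUM  PATH" per file.
bootcheck_init() {
    manifest=$1; disk=$2; shift 2
    printf '%s  MBR:%s\n' "$(mbr_sum "$disk")" "$disk" > "$manifest"
    for f in "$@"; do
        sha256sum "$f" >> "$manifest"
    done
}

# Re-hash every manifest entry and print each mismatch (a missing file
# counts as one). Returns 0 only if everything matches.
bootcheck_verify() {
    bad=0
    while read -r sum path; do
        case $path in
            MBR:*) cur=$(mbr_sum "${path#MBR:}") ;;
            *)     cur=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1) ;;
        esac
        if [ "$cur" != "$sum" ]; then
            echo "MISMATCH: $path"
            bad=1
        fi
    done < "$1"
    return $bad
}

case ${1:-} in
    init)   shift; bootcheck_init "$@" ;;
    verify) shift; bootcheck_verify "$@" ;;
esac
```

Run `init` once from a known-clean boot and `verify` from an early boot script; a non-zero exit is the signal to stop and not go near the bank.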

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#7 Post by tallboy »

True freedom is a live Puppy on a multisession CD/DVD.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Perhaps add a well chosen VPN

#8 Post by purple379 »

I worry about a "Man in the Middle" with a VPN if I was, say, at a hotel, where they also have me use their DNS and then substitute a different certificate to validate. Having the open source of the VPN to create their own version. Maybe I am not making sense. Think Chinese government at a five star hotel in the PRC.

However, breaking into a VPN which is using TLS is not easy. Not something I know how to do at all. So use a well chosen VPN; some are free. As is noted in the Security notes about VPNs, why should one trust a VPN one has not paid for, as they have to make money somewhere.

Insofar as implementing a VPN: some VPNs in Linux have issues with the DNS protocol IPv6. Windows apps for VPNs fix this on their own. In Linux, well, you might look it up, as there are several different means to do so.

Someone spoke of problems creating a Multi-Session Puppy on an optical disc. I do not know the ins-and-outs of this today (4-5-2019). Years ago, I discovered that I had troubles creating a Multi-Session Puppy if I tried to use a burner on a laptop. Something about the laptop optical drive hardware using a USB connection or something.

If I created a Multi-Session Puppy on a tower, I could then use that disc on my laptop and it would do saves/not saves exactly as described in the documentation. Therefore, one can use whichever Puppy one wants on a Multi-Session optical disc.

My bank refuses to connect to my bank account if the IP is not local, which translates to: I have difficulty using Tor in that a randomly assigned exit node might be in Europe. I can't argue with the bank. Not only do the clerks not know what I am trying to describe. The bank is probably right to deny the connection. I am not sure what they would do with a phone app that only gives my bank balance requires.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#9 Post by rufwoof »

purple379 wrote:My bank, refuses to connect to my bank account if the IP is not local. Which translates to I have difficulty using Tor in that a randomly assigned exit node might be in Europe.
Not sure I'd trust Onions or Garlic enough to route to my bank via Tor. That said I know little about Tor - don't use it, as instead I just ssh into other servers for obscurity purposes.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Both a VPN and Tor might prevent a "Man in the Middle Attack"

#10 Post by purple379 »

That is, if say I am at a WiFi, someone might intercept my signal and then add their computer between me and wherever I am connecting.

I had read that a Firefox addon was used to hack into the movie studio, where they acquired all kinds of personal emails, financial data, and movies which had yet to be released to the public. I dunno.

In the case of banking, it could have been used by a rank amateur to get your login information, and watch while you go to your bank account.

That is why one might use a VPN. I am not sure what you are doing when you say to https:// to a server. Realize that https:// is what a "Man in the Middle" breaks through.

I am not sure whether this kind of addon is always prevented now by browsers (??). However, someone, somewhere will find another means to do the same kind of MiM things.

I do understand your thought of not trusting Tor though. Sometimes I feel the same. For the record, one can set the exit server in Tor to be somewhere closer to one. I have never tried setting the Exit Node, trusting a VPN over that use of Tor. If one supposed that one's adversary was the NSA, rumor is that the NSA can intercept everything through many of the Tor Nodes. But the NSA only has to ask the bank for your info. The NSA is not likely to steal money out of our bank accounts.

None of what I have said discounts the primary statement that one of the safest ways to contact one's bank, or financial institution is a multi-session Disc. Use it to just get on, login, then logoff. Limit what else might try to steal information in the same session. I am saying the obvious all of you know. Need coffee.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#11 Post by Lobster »

@labbe5

Do you feel Kodachi is a good bet for everyday security or is Puppy sufficient?

Are tinfoil hat trackers available for tracking uber-paranoids?
Burn_IT wrote:He was a bright spark!!
I bet he charged a lot of people!!
Oh he was called Van De Graf ...
I gets it now :lol:
Last edited by Lobster on Sun 07 Apr 2019, 07:23, edited 1 time in total.

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#12 Post by tallboy »

Lobster wrote:Oh he was called Van De Graf ...
That was a very clever one by Burn_IT! Took me some time too! :lol:

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#13 Post by mavrothal »

Here is some interesting data regarding browser vulnerabilities only (let alone other OS vulnerabilities):
50 per day for the past 2 years. :shock:
i.e. you better not be targeted, live or not.
However, precautions against "drive-by hacking" are still wise.
[Attachment: vulnerabilities.jpg]
== Here is how to solve your Linux problems fast == (http://www.catb.org/esr/faqs/smart-questions.html, https://www.chiark.greenend.org.uk/~sgtatham/bugs.html)

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

Re: Perhaps add a well chosen VPN

#14 Post by rufwoof »

purple379 wrote:I worry about a "Man in the Middle"
Pretty much my first net action after bootup is establishment of ssh links using private/public key authentication (tmux started, that connects to a couple of other servers and another reverse sshfs from my data server that 'looks' for me appearing online and reverse sshfs mounts a data folder) ... that with strict host key checking set is pretty much invulnerable to MiM. Any failure in that (those) connection(s) would be a big red flag warning. Even if I did accept the warning screen saying that "the keys have changed, continue ...", my data mount wouldn't (being automated), so there'd be no local data folder available. Unlike https, where the attacker may be able to generate certificates from a certificate authority trusted by the client (typical attack mode used by governments against https), with ssh public/private keys there's no third party involved.

Yes the MiM could pass ssh through on the basis/assumption that they couldn't penetrate that and just attack other protocols, but it's not good practice to route sensitive content from a public/open location anyway (don't do online banking from a wifi cafe, and if you do buy cinema/whatever online tickets for later that day, only use a disposable low limit credit card to do so). Also in paranoid/concerned situations you could compare possible differences in DNS/IPs between what was indicated locally and that indicated when checked through (one of) the secure ssh link(s).

Smithy
Posts: 1151
Joined: Mon 12 Dec 2011, 11:17

#15 Post by Smithy »

I keep getting this:
[Attachment: Screenshot.png]

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#16 Post by watchdog »


rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#17 Post by rufwoof »

ssh is more invulnerable to man-in-middle exploits when you use keys. You have the private key, server has your public key, once set up you also have the .ssh/known_hosts entry. No other third parties involved.

I've been setting up an open ssh server, that currently is only online whenever my PC is booted, but my intent is to drop that into a low power consumption, small scale device at some point to leave on as a 24/7 server. If active you can access it via (note the -t parameter when using interactive (terminal)):

    ssh -t -p 443 ssh@ssh.ddnsfree.com

Some of the functions currently supported are to get your IP:

    ssh -p 443 ssh@ssh.ddnsfree.com myip

look up a DNS name - for instance to return the IP used by google.com ...

    ssh -p 443 ssh@ssh.ddnsfree.com dns google.com

There's no password or key required, open access. However there are instructions in the help pages as to how to set up a key based only access, which once set up just requires entering

    ssh ssh

to gain access using keys; if that connects OK without warnings it means that there's no man-in-middle exploit involved. Anything else (warnings) suggests a potential attack is involved. Useful as a quick and easy test when you connect to the net in an internet cafe. Connect, run ssh ssh and if it warns that keys or known hosts have changed then just disconnect and move on.

It was running on the standard ssh port 22, but I've moved it over to port 443, which is usually used by https, as internet cafes are less inclined to block https in their firewall (whilst they might block ssh (port 22)).

Doesn't support sftp, doesn't support scp ... as I don't want others uploading to that box. It does however support selective downloading via ssh (ssh and scp are fundamentally the same anyway), but to support Windows10 downloads are delivered as base64 encoded 'text'. For instance

    ssh -p 443 ssh@ssh.ddnsfree.com wavtest >wav.b64

downloads a base64 encoded .wav file. Once downloaded in Windows10 you can run

    certutil -decode wav.b64 wav.wav

to restore the binary, i.e. then play wav.wav with whatever .wav file player you might use. Under Linux you decode base64 using something like

    base64 -d wav.b64 >wav.wav

which you can then play using play wav.wav ... or whatever .wav file player you prefer to use.

Haven't touched Windows for years (since XP), but did have access to a box earlier and tested it and all seemingly works OK. I did have to install PowerShell OpenSSH to get a command line ssh program running on the box (again details of how to do that are in the help pages).

Once you become more familiar with cli/ssh then I'd suggest installing and getting familiar with tmux as after that you can use the likes of hashbang.sh to get a free account that has internet (text browsers), irssi (IRC), mail ...etc. which in turn means you can access many things from an internet cafe through a secure ssh tunnel. A nice thing about tmux is that you can detach, leaving things running, and then later log back in again and reattach to carry on where you left off. Nice for IRC for instance, as others only see the email/IP of the ssh server, not your PC's IP, and you can just leave chat channels open, without having to reconnect to the irc server/channel again (ctrl-b d ... to detach, tmux attach command to reattach).

Getting back on topic: even a LiveCD boot could be using a cracked router/DNS. Running some simple tasks such as outlined above is a means to potentially detect if domain name IPs are different (dubious) or a man-in-middle type exploit might be evident.
Last edited by rufwoof on Mon 08 Apr 2019, 00:34, edited 1 time in total.
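The two checks rufwoof describes in posts #14 and #17, the key-pinned ssh probe that must connect without warnings and the local-versus-remote DNS comparison, as an added example in POSIX shell that is not the code behind ssh.ddnsfree.com; the host names are placeholders, and the detection rests only on OpenSSH's standard strict-checking messages.

```shell
#!/bin/sh
# Added example, not the code behind ssh.ddnsfree.com: two checks for a fresh
# session on an untrusted network, built only on standard OpenSSH behaviour.
#  1. Probe a host whose key is already pinned in ~/.ssh/known_hosts; with
#     strict checking a changed or unknown key is refused, and the refusal
#     is classified rather than clicked through.
#  2. Compare a name's local DNS answer with the answer obtained through
#     that SSH link, to expose a tampered local resolver.
# Host names passed in are placeholders (e.g. TRUSTED_SSH_HOST).

# Classify OpenSSH stderr ($1 = file holding it) and exit status ($2):
#   changed  key differs from known_hosts (the classic MITM symptom)
#   unknown  no pinned key, refused by StrictHostKeyChecking=yes
#   ok       clean exit; "error" covers anything else (network, auth, ...)
hostkey_verdict() {
    if grep -q 'REMOTE HOST IDENTIFICATION HAS CHANGED' "$1"; then
        echo changed
    elif grep -q 'Host key verification failed' "$1"; then
        echo unknown
    elif [ "$2" -eq 0 ]; then
        echo ok
    else
        echo error
    fi
}

# Probe pinned host $1. BatchMode suppresses every interactive prompt.
ssh_probe() {
    err=$(mktemp)
    ssh -o StrictHostKeyChecking=yes -o BatchMode=yes -o ConnectTimeout=10 \
        "$1" true 2>"$err" && rc=0 || rc=$?
    hostkey_verdict "$err" "$rc"
    rm -f "$err"
}

# Reduce "getent hosts" output (IP NAME...) to a sorted, unique set of IPs.
ip_set() {
    awk '{print $1}' | sort -u
}

# 0 if two answers yield the same non-empty IP set, 1 otherwise.
ip_sets_equal() {
    a=$(printf '%s\n' "$1" | ip_set)
    b=$(printf '%s\n' "$2" | ip_set)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Resolve $1 locally and on pinned host $2, which uses its own resolver.
dns_agree() {
    ip_sets_equal "$(getent hosts "$1")" \
        "$(ssh -o StrictHostKeyChecking=yes -o BatchMode=yes "$2" getent hosts "$1")"
}
```

Anything but `ok` from `ssh_probe`, or a failing `dns_agree` for the bank's name, is the cue to disconnect rather than continue; an empty local answer also fails, since a resolver that returns nothing is no more trustworthy than one that lies.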

Smithy
Posts: 1151
Joined: Mon 12 Dec 2011, 11:17

#18 Post by Smithy »

Watchdog, thanks, I forgot to put JRB's excellent discovery in a build I was using. rufwoof, that is hardline stuff! Could be very useful for those that need a very tight ship.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#19 Post by rufwoof »

Thanks Smithy.

I have a basic chat up and running, but not anywhere near as I'd like it yet.

    ssh -t -p 443 ssh@ssh.ddnsfree.com chat

No IPs or any other details shown; you just pick a nickname upon entering, any (up to) 8 character nick, exit/re-enter again and change that to anything you like - doesn't even have to be unique, and post whatever. Currently that formats lines so they word wrap, but if adapted could conceptually display encrypted base64 encoded file content. So a poster could hop through several ssh servers to obscure their real location/identity, as could a recipient. If only the sender and receiver know the nick posted under, and assuming strong encryption of the base64 posting known only by them, then that's a potential means to anonymously post/receive (assuming moderate to high usage) secure content between two individuals.

Smithy
Posts: 1151
Joined: Mon 12 Dec 2011, 11:17

#20 Post by Smithy »

Great, I would think the terminal is an ideal medium for chat and transfer etc.
As long as it is dead easy to use.
[Attachment: Screenshot.png]
