October 15, 2009 · Technology

Washington Post computer columnist Brian Krebs posted an October 12 article (picked up by Slashdot the following day) urging small and medium-sized businesses to protect their bank accounts by accessing online banking through a Linux live CD instead of a Windows workstation, due to the abundance of sophisticated malware targeting the Windows operating system. He points out that a live CD eliminates the Windows malware issue, plus it wipes the system RAM clean when shut down. Some commenters correctly pointed out that virtually all Linux OSes only mount modern (i.e. NTFS-formatted) Windows hard drives and partitions in read-only mode, so malicious software and hacking attempts can’t “flow” down to the Windows OS.

I applaud Krebs’ push to educate users about information security. But he may also lead those same users to a dangerous (and wrong) conclusion — that Linux live CDs are an end-all solution to online banking.

The major flaw in this is the MITM attack, and the blame can be placed on PEBKAC. Got it?

Home users may only have one computer hooked up to residential DSL/cable/FTTP, in which case a “man-in-the-middle” (MITM) attack isn’t possible with a live CD; there’s nothing that can be placed in the middle, unless you make the case for one of the ISP’s DNS servers getting hijacked or someone in your subnet spewing spoofed DNS or ARP packets (both are unlikely), and even if the Windows system were hijacked, it’s not active with the live CD running. However, business users (who certainly have multiple workstations) and some home users are at risk; if any computer in the subnet (workstation or server-class) has been compromised and is an active MITM, you’re toast.

MITM is simple — listen to the network, intercept every communication, and force all of the traffic to go through a single point where it can be monitored, analyzed, and even modified. A primitive example: assume a network has two workstations and a cable/DSL router. The workstations go through the router to get to the Internet, and the workstations use the router as their DNS server, which in turn uses the ISP’s DNS server. A user types in bankofamerica.com — the workstation asks for the address of the router (the way out to the Internet) and then asks the router for the address of bankofamerica.com. Ordinarily, the router asks the ISP’s DNS server and returns an answer, e.g. 1.2.3.4. If the second workstation were compromised and conducting an active MITM attack, that workstation would be flooding the internal network with data stating that it is the router, a tactic known as masquerading. When the first workstation asks for the router’s address, the second workstation pre-empts the router’s response, and the first then asks the second for the address of bankofamerica.com. Instead of answering 1.2.3.4, it answers 20.30.40.50, the address of a Russian hacker. Not only is the second workstation redirecting bankofamerica.com, it is getting all of the first workstation’s traffic and can even modify it. Notice that there is no discussion of operating systems or live CDs — that’s because MITM bypasses these issues.
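The two moves in that example (a host claiming the router’s address, then handing out a bogus DNS answer) both leave fingerprints on the wire. Below is an added detection sketch, not code from the original post: it walks over constructed ARP replies and DNS answers and flags the gateway IP being claimed by more than one hardware address, and any DNS answer that disagrees with a pinned address or arrives from something other than the real gateway. The addresses, MACs and record shapes are assumptions made up for the example.

```python
"""Detect the LAN man-in-the-middle described above from observed traffic:
(1) ARP replies in which more than one MAC claims the gateway's IP
    (the "masquerading" step), and
(2) DNS answers that disagree with a known-good address or that come
    from a MAC other than the real gateway's (the redirection step).
All sample data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP the sender claims to own
    sender_mac: str  # hardware address it wants others to use for that IP


@dataclass(frozen=True)
class DnsAnswer:
    name: str           # queried hostname
    answer_ip: str      # address returned
    responder_mac: str  # hardware address the answer frame came from


def arp_conflicts(replies, gateway_ip):
    """Return every MAC that claimed gateway_ip if more than one did,
    otherwise an empty set. A healthy LAN maps the gateway to one MAC."""
    macs = {r.sender_mac for r in replies if r.sender_ip == gateway_ip}
    return macs if len(macs) > 1 else set()


def dns_anomalies(answers, expected, gateway_mac):
    """Return (name, answer_ip, responder_mac) for each answer that either
    did not come from the gateway's MAC or contradicts `expected`
    (a dict of hostname -> pinned address). Unpinned names are only
    checked for the responder MAC."""
    flagged = []
    for a in answers:
        wrong_source = a.responder_mac != gateway_mac
        wrong_answer = a.name in expected and expected[a.name] != a.answer_ip
        if wrong_source or wrong_answer:
            flagged.append((a.name, a.answer_ip, a.responder_mac))
    return flagged


# Constructed sample: a real router, and a compromised second workstation
# (ROGUE_MAC) that claims the router's IP and answers DNS itself.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
ROGUE_MAC = "de:ad:be:ef:00:02"
SAMPLE_ARP = [ArpReply(GATEWAY_IP, GATEWAY_MAC),
              ArpReply("192.168.1.20", ROGUE_MAC),
              ArpReply(GATEWAY_IP, ROGUE_MAC)]
EXPECTED = {"bankofamerica.com": "1.2.3.4"}  # illustrative, as in the post
SAMPLE_DNS = [DnsAnswer("bankofamerica.com", "1.2.3.4", GATEWAY_MAC),
              DnsAnswer("bankofamerica.com", "20.30.40.50", ROGUE_MAC)]
```

Both checks need a baseline (the gateway’s real MAC and pinned addresses for the handful of sites that matter) recorded while the network is known to be clean; the ARP check is the one worth running continuously, since it fires before any DNS answer is tampered with.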

All it takes is a single compromised computer inside the network (specifically, the subnet) for this sense of security to be torn apart. To make matters worse, it isn’t limited by operating system or purpose. This is where PEBKAC — human error — comes in. Computers get compromised because we intentionally do something risky (download …stuff… on Kazaa while connected directly to the cable modem on Windows XP SP1) or unintentionally circumvent good security practices (place a workstation into a router/firewall’s DMZ before verifying that the workstation’s firewall is configured correctly and turned on) and give the bad guys an easy way in.

There are no end-all solutions in information security. There will always be some level of risk that must be accepted, and in general, a higher level of mitigation yields more complications and annoyances, leading to a higher chance that someone tries to bend the rules. Just remember: if you can access your data, someone (or something) has to be able to equally access it at the other end to do anything useful with it.

Written by Robert J. Funches

