Avoid Windows Malware: Bank on a Live CD

An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online.

I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way.

But regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer.

Why is the operating system important? Virtually all of the data-stealing malware in circulation today is built to attack Windows systems, and will simply fail to run on non-Windows computers. Also, the Windows-based malware employed in each of these recent online attacks against businesses was so sophisticated that it made it extremely difficult for banks to tell the difference between a transaction initiated by their customers and a transfer set in motion by hackers who had hijacked that customer's PC.

The now-infamous hack against Bullitt County, Ky. illustrated how thieves use malware to defeat two of the major lines of defense commonly used by banks to thwart unauthorized activity. Many banks offer customers the option for so-called "dual controls" - requiring at least two authorized employees to sign off on any money transfers. In that attack, thieves used malware planted on the treasurer's system to effectively add themselves as an authorized approver of transactions.

Banks also often keep track of the Internet addresses used by their customers, and erect additional security measures when those customers access their online accounts via unfamiliar addresses or computers. In the case of Bullitt County and at least three other victims I've interviewed in the past three months, the attackers used their malicious software to route their connection to the bank's Web site by tunneling through the victim's own Internet address and computer.

Malicious software also is helping thieves defeat so-called two-factor authentication, which generally involves requiring online banking customers to enter something they have in addition to their user name and password, such as the code generated by a key fob that creates a new, six-digit number that changes every 30 seconds.

Over the past two months, I wrote about the plight of two companies that were victims of online bank fraud despite the fact that their banks required the use of these security tokens.

David Johnston, owner of Modesto, Calif. based Sign Designs, lost nearly $100,000 on July 23 due to Windows-based malware. Johnston's bank requires customers to enter the code from a Vasco security token. But the thieves - armed with malware on the company controller's PC - were able to intercept one of those codes when the controller tried to log in, and then delay the controller from logging in. Indeed, Johnston said the company's computer logs show that the controller logged into the system while the series of thefts was already in progress.

Thieves used the same approach to steal $447,000 from Ferma Corp., a demolition firm in Santa Maria, Calif. whose bank also required customers to enter a code from a security token.

I'm not the only one recommending commercial online banking customers consider accessing their accounts solely from non-Windows systems. The Financial Services Information Sharing and Analysis Center (FS-ISAC) - a industry group supported by some of the world's largest banks -- recently issued guidelines urging businesses to carry out all online banking activities form "a stand-alone, hardened and completely locked down computer system from where regular e-mail and Web browsing is not possible."

In direct response to this series reported and published by Security Fix, the SANS Technology Institute, a security research and education organization, challenged its students with creating a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. Their conclusion? While there are multiple layers that of protection that businesses and banks could put in place, the cheapest and most foolproof solution is to use a read-only, bootable operating system, such as Knoppix, or Ubuntu. See the SANS report here (PDF).

Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-Rom. The beauty of Live CD distributions is that they can be used to turn a Windows-based PC temporarily into a Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes - such as browsing history or other activity -- are compeltely wiped away after the machine is shut down. To return to Windows, simply remove the Live CD from the drive and reboot.

More importantly, malware that is built to steal data from Windows-based systems won't load or work when the user is booting from LiveCD. Put simply: even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, that malware can't capture the victim's banking credentials if that user only transmits his or her credentials after booting up into one of these Live CDs.

The Arc of Steuben, a Bath N.Y.-based not-for-profit that provides care for developmentally disabled adults, has taken this advice to heart. In September, I wrote about how thieves had used malware to steal nearly $200,000 from the organization. Since then, the organization has restricted access to its online bank account to a Linux system on its network, according to an Oct. 1 report in the local Star Gazette.

"I would strongly recommend looking at whatever systems you're using if you're doing electronic banking," the Gazette quotes Bernie Burns, the Arc's executive director. "And if it is a Microsoft system, perhaps looking at something different."

Of course, a Mac computer would probably work just as well, but the focus here is on Windows users who may be looking for a cheap way to harden their existing setup to avoid malicious software.

If you've never used a Live CD and are interested in learning how, or if you just want to take a Linux operating system for a test drive, check out my tutorial on this topic here.