Setting up an investments only PC

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Setting up an investments only PC

Post by dual »

I recently set up an investments-only PC and I am looking for ideas to make it as secure as practical. I use the PC only to access online investment companies' and banks' websites. No email or web access to any other websites. I did access Shields-UP during the set up. Otherwise I did my online research for setting up the Linux on another PC.

Here is what I did:

1. I installed Linux on a laptop from a live CD that I downloaded on another computer. I chose Linux to make me a harder target for internet breakins.

I am concerned that a laptop is more easily stolen during a break-in to my house and I will consider buying an inexpensive desktop if there are good reasons to believe that thieves could access my accounts on the laptop. Both root and my user account have "good" passwords. I keep my investment account access information and passwords in a Linux file using an obscure personal information manager program with password access. I prefer to use the password safe approach because it allows me use long, random passwords and account names.

Finding a good Linux distro and configuring it was a PITA. I tried Ubuntu (Xubuntu to be exact) and it did not set up networking correctly. I finally settled on PCLinuxOS. I had some trouble with the video driver since I want to connect a full-size monitor to the VGA port of the laptop. I ended up using the simplest generic driver (VESA IIRC).

2. I use a hardware router firewall and I closed down all the Linux ports with the Linux firewall from the PCLinuxOS system configuration utility. I tested at the Shields-up website and it says all my ports except one for email are shut down. I do not do email on the computer so I hope this is tolerable. I do not know how to shut down that port.

3. I changed my domain name server (DNS) to google DNS. I tried OpenDNS but the darn site kept failing and displaying my information (like a password!) in the address block of the browser. I changed my passwords after I changed over to google DNS.

4. I installed Firefox and then the adblock, noscripts and flashblock addons. I guess the last is superfluous because I did not install Flash and so far have not had any problems using investment websites. Vanguard does not display the investment allocation pie chart on the home page but I can live with that.

5. I run Firefox from the user account, not root.

My experience so far has been good. Of course, I never had problems on my Windows system. There are a few weird glitches like the Vanguard website does not ask challenge questions when I log in from Linux but the other websites like Fidelity work flawessly.

I am interested in ideas and suggestions for increasing my online security. I do change passwords every few months. I change account names on websites that allow me to do it easily. I will try to change the account name on my Vanguard accounts although the process seems pretty involved.
cacophony
Posts: 605
Joined: Tue Oct 16, 2007 9:12 pm

Re: Setting up an investments only PC

Post by cacophony »

To be honest it seems a bit overkill.

But a few important points that I didn't see mentioned are:

Turn computer off (or put to sleep) when not in use
Use an ethernet connection instead of wifi
Make sure automatic updates are enabled for your OS and applications

You might want to consider removing Java and Flash from the system entirely.

Also, look for unnecessary services/processes that can be disabled for your particular OS. For example, in Windows XP there are a bunch of obvious ones:
Turned off Remote Assistance (in System)
Turned off Simple File Sharing (in Folder Options)
Disabling the following services: Remote Registry, Secondary Logon, Remote Desktop Help Session Manager, NetMeeting Remote Desktop Sharing

You could also call Vanguard (and other financial institutions) to ask what they can do on their side to increase security for your account.
Last edited by cacophony on Sat Mar 24, 2012 1:39 pm, edited 1 time in total.
livesoft
Posts: 75145
Joined: Thu Mar 01, 2007 8:00 pm

Re: Setting up an investments only PC

Post by livesoft »

I thought Chrome was a more secure browser than Firefox.
Wiki This signature message sponsored by sscritic: Learn to fish.
User avatar
LadyGeek
Site Admin
Posts: 69963
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Re: Setting up an investments only PC

Post by LadyGeek »

I'm sorry, but you missed two glaring security holes:

1. The hard drive is unencrypted. If there is any sensitive data stored on this drive, you are toast.

If I have physical possession of your PC, I'm in. How? The easiest way possible - boot with any Linux Live CD and become root. Done. In fact, I can do the same trick with a Windows PC - Linux reads NTFS just fine. From a live CD, the hard drive is just a bunch of data with no security whatsoever.

The problem is one of managing data, not hardware or operating systems. All you need to do is put all your sensitive data in an encrypted file and it's protected no matter what hardware or OS it resides on. See: TrueCrypt, it runs on MS Windows, Linux, and Mac.

2. Your "investments only PC" is sharing a connection with your other PCs, which may be on at the same time? Consider that the other PCs may have malware on them, which will find your investments PC regardless. The only thing protecting computers which share a network is the integrity of each PC's firewall. Differentiation between internal and external networks is not important from this perspective. Both Linux and MS Windows software firewalls are adequate - as long as they are enabled and configured correctly.

BTW, using Linux doesn't make things harder to break in than MS Windows. You can do the same thing in MS Windows by using the Guest account.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Muchtolearn
Posts: 1563
Joined: Sun Dec 25, 2011 10:41 am

Re: Setting up an investments only PC

Post by Muchtolearn »

What is the purpose of this exercise?
User avatar
CaliJim
Posts: 3050
Joined: Sun Feb 28, 2010 8:47 pm
Location: California, near the beach

Re: Setting up an investments only PC

Post by CaliJim »

cacophony wrote:Make sure automatic updates are enabled for your OS and applications
heehee. reminds me of an old, true story about a hacker sys admin type from UC Berkely who has hired by the Dept of Navy to try to break into a hand coded and compiled, every line inspected, hardened, secure, complex password protected DEC-1000 located at a secure facility. No modems. No network connections. The 'only' access was via terminals in a locked room. After a week, he told the Navy he had hacked in. When asked by the Navy to prove he had hacked the system, he told them to let him sit in front of one of the terminals. He was allowed in to the terminal room, but not the machine room where the console was, and he immediately logged in with root privs.

Turns out he had sent the Navy what looked like an official looking software update distribution tape with a new assembly language compiler on it. Tape had both source code and executable for the compiler. The Navy inspected the new compiler's code, recompiled it (using the supplied, new, and HACKED compiler),and installed it. They then recompiled the entire system, as instructed in the rogue, official looking, software update cover letter. The new compiler embedded back doors into every single program on the system.
-calijim- | | For more info, click this Wiki
User avatar
CaliJim
Posts: 3050
Joined: Sun Feb 28, 2010 8:47 pm
Location: California, near the beach

Re: Setting up an investments only PC

Post by CaliJim »

If I was a large government, I'd have my programmers contributing code to every open source software project, just so, you know....
-calijim- | | For more info, click this Wiki
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

Thanks for the inputs:
LadyGeek wrote:I'm sorry, but you missed two glaring security holes:

1. The hard drive is unencrypted. If there is any sensitive data stored on this drive, you are toast.
The only sensitive data on the system is the account names/passwords file, which is encrypted.
2. Your "investments only PC" is sharing a connection with your other PCs, which may be on at the same time?
Yes, I have other PCs on the network and they are on at the same time. As I mentioned, I set up the Linux firewall to close all ports and refuse all connection attempts.
BTW, using Linux doesn't make things harder to break in than MS Windows. You can do the same thing in MS Windows by using the Guest account.
I am not sure what you mean by this. My reason for choosing Linux is that this makes it harder for any malware that somehow gets on an investment website to propagate onto my computer.
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

Muchtolearn wrote:What is the purpose of this exercise?
The purpose is to reduce the chances of my investment accounts being robbed by criminals using malware such as keyloggers and other trojans that get on my computer from my use of the computer for non-investment purposes.
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

CaliJim wrote:If I was a large government, I'd have my programmers contributing code to every open source software project, just so, you know....
As compared to non-open source where all criminals need to do is to get someone into a private company or set up one themselves? With open-source the code can and is examined by people and this increases the chances of detecting malware.
User avatar
LadyGeek
Site Admin
Posts: 69963
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Re: Setting up an investments only PC

Post by LadyGeek »

dual wrote:
LadyGeek wrote:BTW, using Linux doesn't make things harder to break in than MS Windows. You can do the same thing in MS Windows by using the Guest account.
I am not sure what you mean by this. My reason for choosing Linux is that this makes it harder for any malware that somehow gets on an investment website to propagate onto my computer.
Linux is often said to be less vulnerable than an MS Windows PC because 1) it has so much less market exposure than MS Windows - it's not worth the hassle to hack and 2) by default, it runs with minimal privileges - it's very difficult to modify system settings.

Your concern is the path from (investing website) to (your PC). In between the two is your web browser. What does it run? Javascript and possibly a Flash plug-in; both present security risks. The web browser runs these applications on the installed OS. What contains them? Access privileges.

In this case, both Linux (as a non-root account) and the MS Windows Guest account will limit access to system settings. This is why I said using the MS Windows Guest account is just as good as Linux. Combined with the lesser target profile compared with MS Windows, Linux will be better from this perspective.

There's also another work-around- running from a Virtual Machine Manager (I'm not familiar with the latest ones everyone is using). Security conscious users also run web browsers as a self-contained sandbox within the OS, which provides additional protection. You can also use Firefox's Private Browsing mode to help from this perspective (IE also has one). It's not quite the same as a true VMM, but any additional protection helps.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
cacophony
Posts: 605
Joined: Tue Oct 16, 2007 9:12 pm

Re: Setting up an investments only PC

Post by cacophony »

If I recall Vanguard can setup your account to only allow money transfers out of account with a notarized letter (this doesn't apply to checks though).
You can also setup a separate password that's required for when you do transactions over the phone.
Something to consider perhaps?
fareastwarriors
Posts: 1288
Joined: Tue Feb 14, 2012 12:31 pm

Re: Setting up an investments only PC

Post by fareastwarriors »

Your PC might be super secured on your side but the other end might not be (Vanguard, banks, or others). But I guess it's good to be safe...
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

LadyGeek wrote: Your concern is the path from (investing website) to (your PC). In between the two is your web browser. What does it run? Javascript and possibly a Flash plug-in; both present security risks. The web browser runs these applications on the installed OS. What contains them? Access privileges.

In this case, both Linux (as a non-root account) and the MS Windows Guest account will limit access to system settings. This is why I said using the MS Windows Guest account is just as good as Linux. Combined with the lesser target profile compared with MS Windows, Linux will be better from this perspective.
I agree that those are important concerns. I do not have flash installed and, as I mentioned, so far all the investment websites have been usable without it. In fact, if an investment website does require Flash to function, I would consider that a major risk and I would stop using the website and do transactions by paper or telephone.

I have the noscript addon to Firefox installed. BTW, that is the reason that I chose Firefox over Chrome because my understanding is that the architecture of Chrome makes blocking it difficult. I have found that some sites do not require javascript but others do require it to function so I keep it enabled through noscript.

I also do the internet access through a non-root account (with a password).
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

fareastwarriors wrote:Your PC might be super secured on your side but the other end might not be (Vanguard, banks, or others). But I guess it's good to be safe...
That is true but most companies will reimburse my losses if the access came through their site. By using an investments-only PC, I think I bolster my case that it is their leak and make it easier to get them to pay up.
Mudpuppy
Posts: 6666
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Setting up an investments only PC

Post by Mudpuppy »

Don't trust the Linux firewall to protect you. Make sure that all Internet daemons (servers) are either uninstalled or configured to NOT start automatically on boot. This limits the ability for worms that target common server programs (which include Linux server programs) to get on your system. Even if the firewall turns out to have a vulnerability, they can't get anywhere if there's no server daemon to connect to.

Linux has built-in device encryption through the cryptsetup program (dm-crypt library: http://en.wikipedia.org/wiki/Dm-crypt). Use it. It provides another layer of protection beyond a single file encryption should the laptop be stolen. It will also allow you to encrypt the swap, cache and temporary files space, where information might "leak" from the browser program. It takes a little configuration to set up, but it's very easy to use once set up (just have to supply the encrypted device passphrase while booting in the simplest configuration option). There's no reason not to use it.

Chrome has some issues with its highly touted sandboxing routine that have recently come to light, so I would say it's on par with Firefox until those issues are addressed. You should add Ghostery to your Firefox add-ons to block web-tracking code. Additionally, set Firefox to delete everything cached on exit by going to Edit->Preferences (Tools->Options for those on Windows) and selecting "Clear history when Firefox closes". Now, if you set it to also clear Cookies and Offline Data, Vanguard will ask you the security questions on each login since they identify your machine via a cookie saved on your side. Do NOT clear "site preferences" as that also clears which sites you've blocked for setting cookies.
tomforshort
Posts: 25
Joined: Mon Jan 16, 2012 12:54 pm

Re: Setting up an investments only PC

Post by tomforshort »

I would echo the sentiment that it is better to disable server daemons than just firewall their respective ports.

If the email port that you mentioned is port 25, then it is likely the sendmail daemon running on you system. I have no idea why modern Linux distros still enable that by default. To see if it is running, try 'ps -ef | grep sendmail'. If it is running, then google how to disable it on you distro. In Fedora, it can be disabled via 'chkconfig sendmail off'. After a reboot, the port should not be open and the daemon should not be running.

You can see open ports by running the following:

[tomforshort@localhost ~]$ netstat -atu | grep LISTEN
tcp 0 0 localhost.localdomain:ipp *:* LISTEN
...

If it gives you a name instead of a port number (i.e., ipp above), then check the file /etc/services to find the actual port, which in this case is:

ipp 631/tcp # Internet Printing Protocol

In this fashion, you can go through identifying and shutting down open services. If ever you cannot find what program is responsible for a port being open, then you can run lsof (list open files; you may need to install this) as root in something like the following fashion:

[tomforshort@localhost ~]$ sudo lsof | grep TCP
cupsd 1419 root 6u IPv6 12982 0t0 TCP localhost6.localdomain6:ipp (LISTEN)
cupsd 1419 root 7u IPv4 12983 0t0 TCP localhost.localdomain:ipp (LISTEN)

So, cupsd is running as root and listening on port 631. That is a printing service, but it can be shut down if no printing support is desired (or if you are willing to manually enable it just when you want to print something).
Mudpuppy
Posts: 6666
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Setting up an investments only PC

Post by Mudpuppy »

tomforshort wrote:I would echo the sentiment that it is better to disable server daemons than just firewall their respective ports.

If the email port that you mentioned is port 25, then it is likely the sendmail daemon running on you system. I have no idea why modern Linux distros still enable that by default. To see if it is running, try 'ps -ef | grep sendmail'. If it is running, then google how to disable it on you distro. In Fedora, it can be disabled via 'chkconfig sendmail off'. After a reboot, the port should not be open and the daemon should not be running.

You can see open ports by running the following:

[tomforshort@localhost ~]$ netstat -atu | grep LISTEN
tcp 0 0 localhost.localdomain:ipp *:* LISTEN
...

If it gives you a name instead of a port number (i.e., ipp above), then check the file /etc/services to find the actual port, which in this case is:

ipp 631/tcp # Internet Printing Protocol

In this fashion, you can go through identifying and shutting down open services. If ever you cannot find what program is responsible for a port being open, then you can run lsof (list open files; you may need to install this) as root in something like the following fashion:

[tomforshort@localhost ~]$ sudo lsof | grep TCP
cupsd 1419 root 6u IPv6 12982 0t0 TCP localhost6.localdomain6:ipp (LISTEN)
cupsd 1419 root 7u IPv4 12983 0t0 TCP localhost.localdomain:ipp (LISTEN)

So, cupsd is running as root and listening on port 631. That is a printing service, but it can be shut down if no printing support is desired (or if you are willing to manually enable it just when you want to print something).
There is an easier method to find both the numerical port number and the process information about the daemon listening on that port:

Code: Select all

root@localhost:~# netstat -antp | grep LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3571/vmnet-natd 
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3417/dnsmasq    
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3428/cupsd
....
The -n option tells netstat to just display numerical values. The -p option (only works as root) tells netstat to display the process associated with that entry.

To explain the fields from the first line, "tcp" means IPv4, "0 0.0.0.0:80" means all IPv4 addresses associated with this machine on port 80, and "3571/vmnet-natd" means process ID (PID) 3571 which is named vmnet-natd. This means VMware's NAT subroutine is forwarding all requests to port 80 (web server) on all interfaces on the machine to my web server virtual machine.

You also see that dnsmasq and cupsd are listening on 127.0.0.1, which is the local loopback device. That address is ONLY accessible to users on the local machine, so any such entries do not need to be disabled. In my example, cupsd provides printing to the local users and dnsmasq provides caching DNS services to the local machine.

If the PID and name are not enough for you to know what the daemon is, you can run ps aux to get the full command line that started the daemon:

Code: Select all

root@localhost:~# ps aux | grep 3571 | grep -v grep
root      3571  0.1  0.0   3348  1092 ?        S     2011 187:43 /usr/bin/vmnet-natd -s 6 -m /etc/vmware/vmnet8/nat.mac -c /etc/vmware/vmnet8/nat/nat.conf
Now we see that PID 3571 is being run as root and the full path to the server is /usr/bin/vmnet-natd. We also see the full set of options it is running with, which we could correlate to the man page or online documentation for that daemon.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

You might also consider dumping Adobe Reader if you have it. Aside from the OS, the three most targeted/vulnerable applications on PCs are Adobe Flash, Adobe Reader, and Java.

If you get rid of all three of these, you knock out 60-70% of the exploits built into canned exploit kits like Zeus. For a normal machine this might be overkill and a royal pain, but for a custom investments only machine, it probably makes sense. If you need a PDF viewer on that machine, you might consider a linux PDF viewer that's less popular.

This probably isn't a huge deal since Adobe Reader for Linux has a tiny market share an is less likely to be specifically targeted. Although it's possible that it might have vulnerabilities that can be exploited on both windows and Linux.

Jim
Muchtolearn
Posts: 1563
Joined: Sun Dec 25, 2011 10:41 am

Re: Setting up an investments only PC

Post by Muchtolearn »

dual wrote:
Muchtolearn wrote:What is the purpose of this exercise?
The purpose is to reduce the chances of my investment accounts being robbed by criminals using malware such as keyloggers and other trojans that get on my computer from my use of the computer for non-investment purposes.
Its much easier for them to get it by hacking the banks and Vanguard directly. You do realize this is way beyond what is "normal" behavior. I assume none of your other activities in life or work are like this or you will have much bigger problems than getting hacked. I mean that as a helpful suggestion, not as an attack. I will leave you be now.
Muchtolearn
Posts: 1563
Joined: Sun Dec 25, 2011 10:41 am

Re: Setting up an investments only PC

Post by Muchtolearn »

dual wrote:
fareastwarriors wrote:Your PC might be super secured on your side but the other end might not be (Vanguard, banks, or others). But I guess it's good to be safe...
That is true but most companies will reimburse my losses if the access came through their site. By using an investments-only PC, I think I bolster my case that it is their leak and make it easier to get them to pay up.
One more point. If any change is made to an address, Vanguard will not send funds to that address for 2 weeks and send you a letter confirming the change. Ditto setting up new bank accounts to link to your Vanguard accounts. They know what they are doing. Maybe its easier to just log in to Vanguard daily and check transaction history and ditto for your bank checking account/credit cards.
tibbitts
Posts: 12845
Joined: Tue Feb 27, 2007 6:50 pm

Re: Setting up an investments only PC

Post by tibbitts »

If I was that concerned about online access, I'd just disable it instead of going to such extremes.

Paul
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

Muchtolearn wrote:You do realize this is way beyond what is "normal" behavior.
Actually, while this may not be typical for home users, the OP's approach is considered best-practice in the security business.

Even if a financial loss from a compromise is ultimately repaid by the financial institution, the experience would undoubtedly be a major hassle, perhaps even traumatic.

Security practices always revolve around a cost vs benefit tradeoff. My guess is that the way the OP has set this up, the cost is quite low and I could easily see this passing muster from a cost-benefit standpoint.

Jim
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

magellan wrote:the cost is quite low and I could easily see this passing muster from a cost-benefit standpoint.
It has been for me. I had no out of pocket expense. I had the laptop and PCLinuxOS is free. I spent some time on it but I wanted to learn more about Linux anyway.

If others do not want to bother with installing Linux, I think the main advantage of this approach is that you only use the PC for investments and you do not expose it to malware as you are accessing the internet for your other activities. So a PC with windows or Apple OS would also serve IMO. If you want to go further, you could re-install the operating system and all its updates. Then, only install the minimum software you need. For me a browser and my password safe.

My investments PC is in a corner of my home office and if I need to access online investment websites, I turn it on and work at it. Otherwise, the computer is turned off and I use my main computer for my other work.
User avatar
Boglenaut
Posts: 3090
Joined: Mon Mar 23, 2009 7:41 pm

Re: Setting up an investments only PC

Post by Boglenaut »

Muchtolearn wrote:You do realize this is way beyond what is "normal" behavior.

I disagree. 2.5 years ago when I did this people thought I was extreme. Since then I have been seeing more and more people following suit.

Given that the PC was never designed for secure transactions, do you really want to stake your life savings on some hacker knowing some little flaw in the software?

Sure, the may hack VG, but at least you can control your end.

It sure is a lot easier having a dedicated machine than worrying about any link you click or e-mail to open.

Cost is near zero... an old XP desktop will do nicely. This machine cannot get a virus when it is not turned on.
User avatar
Boglenaut
Posts: 3090
Joined: Mon Mar 23, 2009 7:41 pm

Re: Setting up an investments only PC

Post by Boglenaut »

Dual,

Good move. I did this and it makes life easier. Just make sure to discipline yourself. I did a clean install and NEVER browse. PW protect so family members don't use it to browse. Avoid temptation to use e-mail, browse, etc.

I worry less every time I read some new hacker trick.

I think NOT doing a dedicated machine is the crazy behavior. :sharebeer
Mudpuppy
Posts: 6666
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Setting up an investments only PC

Post by Mudpuppy »

Muchtolearn wrote:Its much easier for them to get it by hacking the banks and Vanguard directly. You do realize this is way beyond what is "normal" behavior. I assume none of your other activities in life or work are like this or you will have much bigger problems than getting hacked. I mean that as a helpful
suggestion, not as an attack. I will leave you be now.
As with the other two responses, I will disagree with this statement. If it were easier to hack banks directly, we would not see software such as Zeus obtaining prominence. Online hackers are no longer script kiddies chasing low-hanging fruit for "fame". They are professionals out to make money in the most expeditious manner.

This "abnormal" behavior (in your terms) is relatively easy to set up, relatively cheap to use, and blocks the majority of methods currently in use. It obeys fundamental tenants of computer security: the principle of least privilege, the principle of least common mechanism, and the principle of fail-safe defaults. If only more people approached their home computer security in this way, instead of being criticized for it...
tibbitts
Posts: 12845
Joined: Tue Feb 27, 2007 6:50 pm

Re: Setting up an investments only PC

Post by tibbitts »

Mudpuppy wrote:
Muchtolearn wrote:Its much easier for them to get it by hacking the banks and Vanguard directly. You do realize this is way beyond what is "normal" behavior. I assume none of your other activities in life or work are like this or you will have much bigger problems than getting hacked. I mean that as a helpful
suggestion, not as an attack. I will leave you be now.
As with the other two responses, I will disagree with this statement. If it were easier to hack banks directly, we would not see software such as Zeus obtaining prominence. Online hackers are no longer script kiddies chasing low-hanging fruit for "fame". They are professionals out to make money in the most expeditious manner.

This "abnormal" behavior (in your terms) is relatively easy to set up, relatively cheap to use, and blocks the majority of methods currently in use. It obeys fundamental tenants of computer security: the principle of least privilege, the principle of least common mechanism, and the principle of fail-safe defaults. If only more people approached their home computer security in this way, instead of being criticized for it...
Merits notwithstanding, it's misleading to say this is easy to set up. Note the "PITA" in the original post. It's probably easy if software is a hobby for you, or if you work in IT. But even then it's not necessarily cheap in terms of time commitment.

Paul
Mudpuppy
Posts: 6666
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Setting up an investments only PC

Post by Mudpuppy »

tibbitts wrote:Merits notwithstanding, it's misleading to say this is easy to set up. Note the "PITA" in the original post. It's probably easy if software is a hobby for you, or if you work in IT. But even then it's not necessarily cheap in terms of time commitment.
It's pretty easy to take a spare machine, install any old OS on it, and only use that machine for investing and banking websites. The OP is taking it a step up from that by learning an OS that is relatively new to the OP, which is where the "PITA" comes in to play. Learning anything new is always a bit of a struggle. But the principles of least privilege and separation of common mechanism can be assured via just having a separate, dedicated machine for the task of banking (or using a virtual machine for all the random web browsing and emailing one does).
User avatar
rob
Posts: 3495
Joined: Mon Feb 19, 2007 6:49 pm
Location: Here

Re: Setting up an investments only PC

Post by rob »

Wow... Well... The only way to GUARANTEE no issues is NOT connect to a network with any peer that has internet access; preferably no network at all. Grab a stand alone - laptop or desktop - do NOT connect any network to it, encrypt the entire drive, info is downloaded on another machine into text files - manually transferred to your stand alone PC using a secure flash drive or alike, scanned for viruses and then inputted into the stand alone software. It's a tad inconvenient but amazingly secure.
| Rob | Its a dangerous business going out your front door. - J.R.R.Tolkien
User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Setting up an investments only PC

Post by FNK »

Only one problem... if you want the most secure PC possible, you don't want Linux, you want OpenBSD.

Have fun.
User avatar
Ice-9
Posts: 1526
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: Setting up an investments only PC

Post by Ice-9 »

Novice question for the experts: How does the dedicated-finances-PC approach compare with the booting-from-LiveCD-when-doing-online-finances approach?

My newbie instincts have me thinking the LiveCD approach, starting with a fresh OS again each reboot with nothing ever written to disk, might have certain advantages. Some I've talked with about this think waiting five to six minutes to boot from CD is too extreme, but I don't really find it terribly inconvenient if it really increases security.
User avatar
LadyGeek
Site Admin
Posts: 69963
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Re: Setting up an investments only PC

Post by LadyGeek »

(BTW, excellent Linux info. I use Fedora, but shared dual-boot with Win 7.)

To the live CD question, the problem is how to save the data you download. A live CD (or live "USB" stick) is usually run from a PC with a resident hard drive. e.g. the "C:" drive. When you boot from CD/USB, that hard drive is just a bunch of data with no security on it whatsoever. If you treat the internet as an "untrusted" source and data gets stored on the hard drive, you've bypassed your security. The next time you boot from the hard drive, that untrusted source can run (if it's executable malware).
CaliJim wrote:heehee. reminds me of an old, true story about a hacker sys admin type from UC Berkely who has hired by the Dept of Navy to try to break into a hand coded and compiled, every line inspected, hardened, secure, complex password protected DEC-1000 located at a secure facility...
CaliJim's point is one that's often overlooked and which I've mentioned earlier in the thread - don't forget about physical access. What if you have a guest come over and use the PC? They bring a live CD with them and have full run of the hard drive. Or, suppose the PC is stolen? Same deal. Live CD and they have all your data. That's why I stress that the problem is one of data protection - encrypt with a trusted program and secure passphrase / password. The hardware / OS security is only part of the solution, data encryption completes it.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
jebmke
Posts: 12259
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Setting up an investments only PC

Post by jebmke »

Two years ago, my company laptop suddenly stopped letting me use it. It would not recognize me at logon. When I called IT, they found that somehow, my entire existence in all their systems, including active directory, was gone. For control reasons, they couldn't just make a new me. They needed HR to authorize the creation of a new me. In the meantime, I needed my files!

Knowing it would take HR a minimum of 7-10 days to get anything done, I whipped out my Live CD of Ubuntu, booted my laptop, easily reached all my data which I copied quickly to a USB drive so I could continue working on my un-secured, personal desktop.
When you discover that you are riding a dead horse, the best strategy is to dismount.
tibbitts
Posts: 12845
Joined: Tue Feb 27, 2007 6:50 pm

Re: Setting up an investments only PC

Post by tibbitts »

Ice-9 wrote:Novice question for the experts: How does the dedicated-finances-PC approach compare with the booting-from-LiveCD-when-doing-online-finances approach?

My newbie instincts have me thinking the LiveCD approach, starting with a fresh OS again each reboot with nothing ever written to disk, might have certain advantages. Some I've talked with about this think waiting five to six minutes to boot from CD is too extreme, but I don't really find it terribly inconvenient if it really increases security.
One difference between the dedicated PC and LiveCD is that the LiveCD will be more likely to be missing security updates that the dedicated PC will have. Or, should have - unless you disable security updates on your dedicated PC, ironically in the name of security.

I rarely save data from financial sites, so that aspect of a LiveCD wouldn't be much of an issue for me.

Paul
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

rob wrote:Wow... Well... The only way to GUARANTEE no issues is NOT connect to a network
The only guaranteed things in life are death and taxes, and I am not so sure about death :D .

But to mix metaphors, the alternative to playing on the freeway is not to stay at home and hide under your bed. You can go and play in a secure playground with fences to keep traffic out. That does not guarantee you will not be run over but it sure puts the odds in our favor.
tibbitts
Posts: 12845
Joined: Tue Feb 27, 2007 6:50 pm

Re: Setting up an investments only PC

Post by tibbitts »

Mudpuppy wrote:
tibbitts wrote:Merits notwithstanding, it's misleading to say this is easy to set up. Note the "PITA" in the original post. It's probably easy if software is a hobby for you, or if you work in IT. But even then it's not necessarily cheap in terms of time commitment.
It's pretty easy to take a spare machine, install any old OS on it, and only use that machine for investing and banking websites. The OP is taking it a step up from that by learning an OS that is relatively new to the OP, which is where the "PITA" comes in to play. Learning anything new is always a bit of a struggle. But the principles of least privilege and separation of common mechanism can be assured via just having a separate, dedicated machine for the task of banking (or using a virtual machine for all the random web browsing and emailing one does).
True, there's less issue with just having another, separate computer for restricted use. But setting up a vm would pretty quickly enter into PITA territory for a lot of people (maybe not your typical forum member, but forum members aren't very typical of the general population.)

Paul
User avatar
Ice-9
Posts: 1526
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: Setting up an investments only PC

Post by Ice-9 »

LadyGeek wrote:(BTW, excellent Linux info. I use Fedora, but shared dual-boot with Win 7.)

To the live CD question, the problem is how to save the data you download. A live CD (or live "USB" stick) is usually run from a PC with a resident hard drive. e.g. the "C:" drive. When you boot from CD/USB, that hard drive is just a bunch of data with no security on it whatsoever. If you treat the internet as an "untrusted" source and data gets stored on the hard drive, you've bypassed your security. The next time you boot from the hard drive, that untrusted source can run (if it's executable malware).
CaliJim wrote:heehee. reminds me of an old, true story about a hacker sys admin type from UC Berkely who has hired by the Dept of Navy to try to break into a hand coded and compiled, every line inspected, hardened, secure, complex password protected DEC-1000 located at a secure facility...
CaliJim's point is one that's often overlooked and which I've mentioned earlier in the thread - don't forget about physical access. What if you have a guest come over and use the PC? They bring a live CD with them and have full run of the hard drive. Or, suppose the PC is stolen? Same deal. Live CD and they have all your data. That's why I stress that the problem is one of data protection - encrypt with a trusted program and secure passphrase / password. The hardware / OS security is only part of the solution, data encryption completes it.

LadyGeek, thank you for the thoughtful reply. I see sensitive data that I have stored as a separate issue, which I have addressed by moving all files with SS#s or account numbers to an encrypted USB stick, and then backing up to an encrypted folder on an external drive. I try to keep anything sensitive off the hard drive.

What I was hoping to address with the Live CD was the threat of man-in-the-browser, keystroke loggers, or other malware specifically while I'm accessing financial websites. For the last month or so, I've been using the Live CD for this and nothing else. The Live CD I've been using, Lightweight Portable Security, doesn't mount the hard drive and includes encryption software, so I can save any PDF statements from the financial websites to a USB stick.

Tibbits, thank you as well. The webpage for the Live CD I've been using, distributed by the military, says they plan to release quarterly updates. This of course requires me as the user to manually go to the website to download the updates, but I can set up a tickler in my calendar software to remind me to do that. I see your point though that a dedicated PC would get the updates sooner.

In any case, I've only been taking the Live CD approach for a month, and was curious if there were any other advantages to setting up the dedicated PC versus this approach. Like the OP, I've been enjoying learning about Linux, and might actually enjoy the challenge of such a project. But I wonder if the Live CD isn't more effective, with the exception of less frequent and manual software updates.
User avatar
Cosmo
Posts: 1254
Joined: Mon Mar 05, 2007 9:46 pm

Re: Setting up an investments only PC

Post by Cosmo »

dual wrote:I recently set up an investments-only PC and I am looking for ideas to make it as secure as practical. I use the PC only to access online investment companies' and banks' websites. No email or web access to any other websites. I did access Shields-UP during the set up. Otherwise I did my online research for setting up the Linux on another PC.

Here is what I did:

1. I installed Linux on a laptop from a live CD that I downloaded on another computer. I chose Linux to make me a harder target for internet breakins.

I am concerned that a laptop is more easily stolen during a break-in to my house and I will consider buying an inexpensive desktop if there are good reasons to believe that thieves could access my accounts on the laptop. Both root and my user account have "good" passwords. I keep my investment account access information and passwords in a Linux file using an obscure personal information manager program with password access. I prefer to use the password safe approach because it allows me use long, random passwords and account names.

Finding a good Linux distro and configuring it was a PITA. I tried Ubuntu (Xubuntu to be exact) and it did not set up networking correctly. I finally settled on PCLinuxOS. I had some trouble with the video driver since I want to connect a full-size monitor to the VGA port of the laptop. I ended up using the simplest generic driver (VESA IIRC).

2. I use a hardware router firewall and I closed down all the Linux ports with the Linux firewall from the PCLinuxOS system configuration utility. I tested at the Shields-up website and it says all my ports except one for email are shut down. I do not do email on the computer so I hope this is tolerable. I do not know how to shut down that port.

3. I changed my domain name server (DNS) to google DNS. I tried OpenDNS but the darn site kept failing and displaying my information (like a password!) in the address block of the browser. I changed my passwords after I changed over to google DNS.

4. I installed Firefox and then the adblock, noscripts and flashblock addons. I guess the last is superfluous because I did not install Flash and so far have not had any problems using investment websites. Vanguard does not display the investment allocation pie chart on the home page but I can live with that.

5. I run Firefox from the user account, not root.

My experience so far has been good. Of course, I never had problems on my Windows system. There are a few weird glitches like the Vanguard website does not ask challenge questions when I log in from Linux but the other websites like Fidelity work flawessly.

I am interested in ideas and suggestions for increasing my online security. I do change passwords every few months. I change account names on websites that allow me to do it easily. I will try to change the account name on my Vanguard accounts although the process seems pretty involved.
I also agree that this is overkill. Question for the OP; did you by any chance go out to eat and pay for the bill with a credit card? How about a shopping trip? Was any credit card pulled out for this? The fact is, despite all the potential cyber threats, you are far more likely to have compromises made to your accounts due to some of the low-tech crimes out there than some sophisticated organized effort over the Internet. And as others pointed out, it doesn't matter how strong of a barrier you put out there, it is only as strong as some of the bank's and institution's existing protective measures in place.

Cosmo
User avatar
Random Musings
Posts: 5908
Joined: Thu Feb 22, 2007 4:24 pm
Location: Pennsylvania

Re: Setting up an investments only PC

Post by Random Musings »

Hopefully, there won't be any potential of people rooting through your snail mail.

RM
I figure the odds be fifty-fifty I just might have something to say. FZ
SPG8
Posts: 357
Joined: Tue Mar 29, 2011 10:27 am

Re: Setting up an investments only PC

Post by SPG8 »

As an aside, anyone know the frequency of such fraud?

How often are victims not reimbursed?

Are these measures being taken against things happening right now, or potential eventualities?

Thanks
User avatar
LadyGeek
Site Admin
Posts: 69963
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Re: Setting up an investments only PC

Post by LadyGeek »

The frequency of a fraud doesn't matter. The idea is to make yourself as inconspicous and an unlikely target to the best of your abilities. The analogy is walking in a crowd down a busy street. Who's the likely target? The one not paying attention with a hand full of cash as he stands next to the ATM machine. Walk softly and carry a big stick.
Cosmo wrote: Question for the OP; did you by any chance go out to eat and pay for the bill with a credit card? How about a shopping trip? Was any credit card pulled out for this? The fact is, despite all the potential cyber threats, you are far more likely to have compromises made to your accounts due to some of the low-tech crimes out there than some sophisticated organized effort over the Internet. And as others pointed out, it doesn't matter how strong of a barrier you put out there, it is only as strong as some of the bank's and institution's existing protective measures in place.
This is a good point. When you pay by credit card, never let it out of your site. You do what you can, it's as simple as just paying attention to your surroundings.

I agree, the strength of the barrier is as strong as the institution. However, security measures on the business side are never made public, as it tips the hand to the crooks. You do everything on your side, they do everything on their side.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

SPG8 wrote:How often are victims not reimbursed?
If the fraud happens to a US bank account, The Electronic Funds Transfer Act, Regulation E generally protects consumers and requires banks to eat the loss as long as the consumer follows a few basic rules. This protection doesn't cover investment accounts, but the major mutual fund companies like Fidelity and Vanguard have their own stated policies that generally promise to reimburse consumers for online fraud (with various caveats).
Are these measures being taken against things happening right now, or potential eventualities?
Here's one case of an attack on consumer accounts using email phishing. There's very little published about consumers suffering actual losses from online cyber attaks. This is speculation on my part, but I think there are two reasons for this. The first is that since nearly all online consumer bank fraud is reimbursed, it doesn't make the news or result in litigation. The second reason is that I suspect any voluntary settlements that investment companies make in cases of fraud probably come with gag orders. If I were running a mutual fund, that's what I'd do to keep my firm's name out of the news.

The cases we know the most about are cases where businesses and municipalities suffer big losses from cyber attacks that aren't reimbursed and the firm sues the bank (business accounts aren't protected by Regulation E). There are dozens or more of these in the news and in the court system that we know about. I suspect there are many many more cases that we don't know about where the banks offer a partial settlement to keep the case out of the news.

Here are some example cases:

fire-alarm-company-burned-by-e-banking-fraud
ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists
title-firm-sues-bank-over-207k-cyberheist
ethieves-steal-217k-from-arena-firm
judge-nixes-patcos-ebanking-fraud-case
calif-co-sues-bank-over-465k-ebanking-heist
comerica-phish-foiled-2-factor-protection
fbi-investigating-cyber-theft-of-139000-from-pittsford-ny
escrow-co-sues-bank-over-440k-cyber-theft
hackers-steal-600000-from-brigantine-nj
cyber-thieves-steal-nearly-1000000-from-university-of-virginia-college

Jim
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

I'm sorry everyone, but this thread is beyond ridiculous. Worrying this much about online transactions is a waste of your time. Every day millions, if not billions of dollars in transactions are executed over the same HTTPS connection that you get when you log into Vanguard or any other secure website and you are presented with an SSL certificate. Anything you do in addition to verifying that SSL certificate will only marginally increase your security. If your credit card or banking info still gets compromised, just contact your financial institution and they will resolve the problem - most of the time with no skin off your back.

As others have said, on a personal level you should be more worried about carrying cash in your wallet or giving your credit card to the waiter at the restaurant. For anyone who is still worried about online financial activities, I suggest reading Beyond Fear by Bruce Schneier. http://www.amazon.com/Beyond-Fear-Think ... 0387026207

For what it's worth, I have a BS in Information Assurance. Also Security+ certification and Certified Ethical Hacker. I'm sure there are some other infosec guys on here too that also have some common sense.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

donttreadonme wrote:I'm sorry everyone, but this thread is beyond ridiculous....

For what it's worth, I have a BS in Information Assurance. Also Security+ certification and Certified Ethical Hacker. I'm sure there are some other infosec guys on here too that also have some common sense.
I'm not exactly sure what your point is, but I also spent a good part of my career in the business, including running an R&D organization at a network security firm. Are you saying that people shouldn't worry about their computers getting infected with viruses?

We're talking about viruses that compromise the trust relationship between a computer user and their financial institution. We're not speculating about the robustness of the SSL protocol or the security certificate infrastructure. I'm sure you learned in school that once a computer is compromised with a virus, it's usually trivial for the entity with control of the computer to insert itself into the (unencrypted) communications stream between the user and their financial institution.

Malware kits that criminals can customize are available on the black market and have been successfully used in numerous attacks (again the protocols are not compromised, it's the users' computers that get hacked and let the bad-guys in). These attacks have resulted in millions of dollars of losses for the organizations that suffered the attacks. I posted links with the details of many of these cases.

What part of all this do you think is ridiculous?

Jim
Last edited by magellan on Mon Mar 26, 2012 1:32 pm, edited 3 times in total.
KyleAAA
Posts: 8759
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Setting up an investments only PC

Post by KyleAAA »

magellan wrote: What part of all this do you think is ridiculous?
I think he means that even the worst case scenario isn't bad enough in most cases to justify the effort.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

KyleAAA wrote:
magellan wrote: What part of all this do you think is ridiculous?
I think he means that even the worst case scenario isn't bad enough in most cases to justify the effort.
If we were only talking about consumer bank and credit card accounts, I'd probably agree. The protection that consumers have with these accounts is statutory and has been well tested through precedents.

We do know that small business owners are definitely exposed and need to be extra cautious online. For investment accounts, the legal situation is somewhat murky and there are very few consumer protection laws or legal precedents. IMO, for these cases the level of exposure is at least somewhat uncertain.

Reasonable people can certainly differ. However, I don't think it's fair to call the OP ridiculous for taking this small extra precaution.

Jim
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

magellan wrote: Are you saying that people shouldn't worry about their computers getting infected with viruses?

We're talking about viruses that compromise the trust relationship between a computer user and their financial institution. We're not speculating about the robustness of the SSL protocol or the security certificate infrastructure. I'm sure you learned in school that once a computer is compromised with a virus, it's usually trivial for the entity with control of the computer to insert itself into the (unencrypted) communications stream between the user and their financial institution.

Malware kits that criminals can customize are available on the black market and have been successfully used in numerous attacks (again the protocols are not compromised, it's the users' computers that get hacked and let the bad-guys in). These attacks have resulted in millions of dollars of losses for the organizations that suffered the attacks. I posted links with the details of many of these cases.
No, that's not what I'm saying. Everyone should use antivirus. No need for straw man arguments.

I'm very aware of rootkits and backdoors, but that's also not the point. I'm sure you learned in school that the amount of money, time, and effort you put into securing your systems should be appropriate for the risk you want to mitigate. In our case, US laws (such as the one Jim mentioned) requiring credit card and other financial institutions to secure their own systems takes care of a large chunk of worries for the consumer. We are not liable for fraud - the financial institution is.
magellan wrote: Reasonable people can certainly differ. However, I don't think it's fair to call the OP ridiculous for taking this small extra precaution.
I disagree, and I wouldn't call this a "small extra precaution". There's a reason I suggested the book Beyond Fear as it provides a baseline for understanding risk and probabilities in relation to infosec. If you all want to worry about something, you should worry about driving your car every day. After all, it's the most dangerous thing we do on a regular basis and losing your life is much more serious than a temporary financial loss whether it be due to hackers or a drop in the market.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

donttreadonme wrote:We are not liable for fraud - the financial institution is.
To the best of my knowledge, this is simply not true when it comes to non-bank non-credit card financial institutions. The OP took these steps specifically to secure access to investment accounts.

I cited the the law that covers banks, but I'm certain that it doesn't apply to non-bank financial institutions. Can you cite a consumer protection law that covers online fraud on investment accounts?

Jim
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

magellan wrote: I cited the the law that covers banks, but I'm certain that it doesn't apply to non-bank financial institutions. Can you cite a consumer protection law that covers online fraud on investment accounts?

Jim
You are correct. Does everything else I've said check out with you? I'm quite certain that more people have lost money in their investment accounts to market swings than fraud wouldn't you agree?
Post Reply