Should I be concerned about virus and malware?

For discussions about security.
Relztrah
Posts: 88
Joined: Sat 20 Oct 2007, 09:12
Location: Pittsburgh, Pennsylvania, USA

Should I be concerned about virus and malware?

#1 Post by Relztrah »

Tahrpup has breathed new life into my old Lenovo ThinkPad and I'm slowly learning how to use it. Most of the malicious software attacks seem to be Windows-based, and I feel more secure using Linux. But is this a false sense of security? I don't have an anti-malware or anti-virus installed, and from what I have read about Linux, they are not necessary.

I do online banking and I'm reluctant to access my bank's website and enter my username and password with no protection.

Any thoughts or suggestions are appreciated.

RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

Re: Should I be concerned about virus and malware?

#2 Post by RetroTechGuy »

Relztrah wrote: Tahrpup has breathed new life into my old Lenovo ThinkPad and I'm slowly learning how to use it. Most of the malicious software attacks seem to be Windows-based, and I feel more secure using Linux. But is this a false sense of security? I don't have an anti-malware or anti-virus installed, and from what I have read about Linux, they are not necessary.

I do online banking and I'm reluctant to access my bank's website and enter my username and password with no protection.

Any thoughts or suggestions are appreciated.
Are you running a frugal install? If so, set up a second save file and use it only for banking, etc.

I have a "Main" and another called "Secure" -- the latter isn't used for general browsing -- only for banking, etc. I often make a copy of Main when testing new packages, or other operations that might destroy the save file.

I don't think that there's much to worry about virus-wise. Make sure that your browser is in secure mode...

In frugal mode, if you have 2 or more save files in the folder, it will ask which to load.
Add swapfile: http://murga-linux.com/puppy/viewtopic.php?t=58615
WellMinded Search: http://wellminded.net63.net/
PuppyLinux.US Search: http://puppylinux.us/psearch.html

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

Re: Should I be concerned about virus and malware?

#3 Post by Sylvander »

1.
Relztrah wrote:I do online banking and I'm reluctant to access my bank's website and enter my username and password with no protection.
a. Use your tahrpup iso to make a multi-session DVD-RW disk...
Leave the session open, so you can save back to the disk.
b. With this disk you can:
b1. make any personalized changes, and save those changes.
If possible, do them all during the 1st session, so you can save all of the changes in a single save folder on the DVD-RW.
You can make further save folders if you like or need to.
The contents of save folders will normally be loaded at each startup, but specified folders can be chosen to not be loaded [e.g. if you suspect there may be corruption/infection in the files in the folder].
b2. After the initial personalizations, you will normally NOT SAVE any session changes [you will be offered the choice "to save or not to save" at shutdown/reboot].
b3. If you suspect the session has been hacked/infected, you can "improperly power-off" for instant shutdown, and since the Puppy is running totally in RAM, any/all nasties will be LOST, and the next session will be clean just like the previous one.
Since you use this disk to ONLY go to your banking website [no other websites visited, no emails fetched], your chances of being hacked/infected are probably NIL.
I've never had problems with this type of "safe" Puppy [nor any other] nor have I heard of anyone else having problems.
b4. I keep my [Acerose] "Password Vault" [Windows program][it's great, but I suggest you use a Linux vault] on a Flash Drive, and connect that only as/when needed [I use Puppy->WINE to run and access the contents for use].


2.
Relztrah wrote:I don't have an anti-malware or anti-virus installed, and from what I have read about Linux, they are not necessary.
I agree it's probably unnecessary for Puppy, but still I install and use:
avast4workstation-1.0.8.pet
It's an on-demand scanner, that can scan whatever you tell it to [partition[s], folder[s], etc].
Works rather well; I like it.
There have been occasions when it found [and eliminated] infections on my Windows partition, but there are NEVER any found on my Puppy Linux partitions.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#4 Post by 8Geee »

I would like to add that you should not forget the browser. Make sure the browser is equipped NOT to allow ssl-2 or 3 AT ALL. Newer browsers can handle this... an example is Firefox versions 27 and up. Even these need noodling in about:config, but can be done.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
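
Added example, not part of 8Geee's post: a shell check of whether a Firefox profile still permits SSL 3.0. It assumes the setting is the `security.tls.version.min` pref with the value meanings listed in the comments (the post does not name it); the function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the lowest SSL/TLS version a Firefox profile will accept.
# Assumes the pref security.tls.version.min (0=SSL 3.0, 1=TLS 1.0, 2=TLS 1.1,
# 3=TLS 1.2, 4=TLS 1.3); the post above does not name the setting.

PREF_RE='security\.tls\.version\.min'

# Print the pref's value from one prefs file (last assignment wins), or nothing.
pref_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*user_pref(\"$PREF_RE\",[[:space:]]*\([0-9][0-9]*\)[[:space:]]*);.*/\1/p" "$1" | tail -n 1
}

# Effective value for a profile directory: user.js is applied over prefs.js
# at browser startup, so it is consulted first.
effective_tls_min() {
    v=$(pref_value "$1/user.js")
    [ -n "$v" ] || v=$(pref_value "$1/prefs.js")
    printf '%s\n' "${v:-unset}"
}

# Human-readable name for a pref value.
tls_min_name() {
    case "$1" in
        0) echo "SSL 3.0" ;;
        1) echo "TLS 1.0" ;;
        2) echo "TLS 1.1" ;;
        3) echo "TLS 1.2" ;;
        4) echo "TLS 1.3" ;;
        unset) echo "browser default" ;;
        *) echo "unknown" ;;
    esac
}

# Exit status: 0 = SSL 3.0 refused, 1 = SSL 3.0 still allowed, 2 = pref not set.
audit_profile() {
    v=$(effective_tls_min "$1")
    echo "$1: minimum protocol is $(tls_min_name "$v")"
    case "$v" in
        unset) echo "  pref not set; the floor depends on the browser version"; return 2 ;;
        0)     echo "  SSL 3.0 allowed; set security.tls.version.min to 1 or higher"; return 1 ;;
        *)     return 0 ;;
    esac
}

# Constructed sample profile: prefs.js allows SSL 3.0, then user.js raises the floor.
demo=$(mktemp -d)
printf 'user_pref("security.tls.version.min", 0);\n' > "$demo/prefs.js"
audit_profile "$demo" || true
printf 'user_pref("security.tls.version.min", 1);\n' > "$demo/user.js"
audit_profile "$demo" || true
rm -rf "$demo"
```

To check an installed browser, call `audit_profile` with the path of the real profile directory instead of the constructed one.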

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#5 Post by Sylvander »

I should also mention that my desktop [used for online banking plus other stuff] is behind my routers' hardware firewall, and I also run the Puppy software firewall on all Puppies.

I've seen another person say he normally remasters his Puppy optical disk to include all personalisations, then CLOSES the burn, and runs it as a "live" disk with no provision for saving [no pupsave file].
This optical disk cannot be changed from outside during a session, so it's MOST SECURE.
Although the session could still be hacked. :(

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#6 Post by bigpup »

Linux malware is out there.
https://www.google.com/?gws_rd=ssl#q=linux+malware

However, using a live Puppy CD or USB that is only used for your banking and nothing else should be safe.
If you only connect to your bank and no other internet location.
Seems logical that the only place you would get malware would have to be from the bank web site.
We all hope the bank's web site is malware free. :shock:
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#7 Post by rufwoof »

I boot read-only/ram/no savefile (Pupmode 5) each/every time. When I want to make any changes to puppy I just reboot, make the desired changes and then remaster.

Save everything else outside of puppy space (docs etc), use online email account, and for browsing I have a copy of Shinobar's portable Firefox for general browsing, but reboot and download the latest firefox directly from Mozilla for online banking (visiting no other web sites before or after).

Behind two router firewalls and also have Puppy firewall activated.

Reasonably confident that's pretty safe. At least a lot safer than a read/write system that's been used to visit here/there/everywhere before/after doing online banking activities.

For me the read only ram boot is the best feature of Puppy Linux. Having got used to that I can't see myself ever going back to a read/write (full install) - I hate how you have to be careful with where you go, what you do, what you install/change ... and make backups etc... with a full install. With read only you can try/do what you like and a quick reboot has you back to how things were before. Takes a number of revise/remaster iterations until you get the puppy you want, but once there you remaster infrequently, run with the exact same code/applications time after time and updates/changes are only more likely to upset that stability rather than improve it.

My choice of Kernel, Puppy and applications all work really well with my hardware... and if it ain't broke there's no need to fix it (updates are unnecessary - excepting if there's a specific reason why you might want to update). The only exception I make is for Firefox as I prefer to run with the latest version as soon as it becomes available.

I use an old version of Flash, but have that deactivated (renamed) and only activate it for single specific cases/sites (BBC). Since youtube moved across to supporting HTML the need for flash has declined. As soon as the BBC start supporting HTML5 then most likely I'll remove flash entirely. I also have Noscript installed and Puppy's Adblock activated (Menu, Internet, Pup-Advert-Blocker).

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#8 Post by Sylvander »


8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#9 Post by 8Geee »

You beat me to it, Sylvander. Puli is a choice from what I have read.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#10 Post by mikeb »

I do online banking and I'm reluctant to access my bank's website and enter my username and password with no protection.
I believe that https and its secure handshaking and encryption is designed to protect your exchange of data with the bank. That's why it's used.

Include a multipart question system of logging in rather than a username/password combination and life gets peachy, as even if somehow mysteriously some data saved in whatever peculiar way is stored on the computer, it's pretty useless to anyone who somehow bizarrely is able to get at it.

mike

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#11 Post by bigpup »

I believe that https and its secure handshaking and encryption is designed to protect your exchange of data with the bank. That's why it's used.
That works for data transfer security between two points.

It does not stop a malware key-logger from getting the access log in information and password you used to access your account.

Several years ago, people who used our company's retirement system online account access got their access information stolen by malware key-loggers that got on their personal computers.
Malware key-loggers log every key stroke you make with your keyboard and send that information to whoever.

Some people had their retirement checks sent to other locations and money sent to different accounts.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#12 Post by mikeb »

hence my second statement...

So you're saying it's easy for a keylogger to get on Linux then?
I don't need to guess how those people got their keyloggers .....and I believe there is no such mechanism present on Linux.

You're also saying with a multipart login method that one set of login sequences will somehow work when the sequence is randomly changed each time?

I simply want backup for these statements that seem to suggest that we need to destroy our computers after each time we use internet banking....


mike

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#13 Post by 8Geee »

There are four things in life that are certain

death
taxes
the resistance to them
stupidity

I have my doubts about the first three.

Why internet bank at all? The branches are all over the place.
The real mailbox is prolly only 100 feet away.
It seems the 'mail' using a check is a bit more secure, don't you think?
No, but wait, it takes too much time and a half-dollar... that must be it.

As easy as it sounds to install a keylogger, massive attacks at the financial site cannot protect you either. So it would seem both sides are vulnerable. Thus the previous paragraph.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#14 Post by greengeek »

mikeb wrote:I don't need to guess how those people got their keyloggers
I would never consider doing online banking from an internet cafe - even if they were running Linux - as there have been cases locally where hardware keyloggers were fitted between the keyboard and PC (They looked like an extension to the normal keyboard connector). Obviously not a risk at home.

However, I have always wondered if there is anyone looking carefully enough at Browser code to see if there are robust mechanisms for avoiding embedded keyloggers? Yes I know it sounds paranoid, but there is plenty of evidence that certain Windows code has been written by spies, so what protects Linux browser code?

In any case, recent hack attacks seem to have been at the server end - with passwords being stolen centrally, allowing account cleanouts. Best take your 3 pound retirement fund out and hide it in your teapot mike :-)

To be honest though - there is very little that could be done to prevent a programme containing a keylogger - we often use programmes like Libreoffice, Teamviewer, etc etc and of course we never check the code contents - so we are totally trusting the people who wrote those programmes. Who knows how trustworthy Java or JRE versions are?? And who knows how secure online webmail sites or cloud storage sites are? Security risks are often identified years after we start using our preferred software so we are never as well protected as we think.

We may never know if some of our information is captured and stored elsewhere. It depends on the motivation of those harvesting the data. Data breaches are often not detected at the time they occur.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#15 Post by mikeb »

Ok checks/cheques are not accepted by many organisations now for starters. I don't even have a cheque book.

My nearest branch is in the next town... 12 miles/ a train journey away...and why the hell do I want to go there to pay someone anyway.

Internet banking can not only do payments of bills, there's money transfers and perhaps the handiest of them all..you can see your balance .... nearest cash machine is a mile away and they are often not up to date.
Best of all it's available 24 HOURS a DAY..sorry but during the day I have other things to do other than running around visiting banks whose opening hours are limited anyway and they have nice queues to stand in. This is the 21st century isn't it as this stuff sounds Victorian...

Been internet banking for 10 years..not a hitch and to repeat...my bank DO NOT USE PASSWORDs to login...guess it's considered an insecure practice. Actually a popular system is to add a device to cash machines to grab the details of your plastic when you use it...debit/credit cards are more vulnerable...cheque books were even more so.... More chance of being mugged than work out how to log into me bank...even if you do you cannot do anything without the debit card AND a pin number even just to arrange a transfer...apart from that it's as insecure as hell..

Ok key loggers in libreoffice...well let's just dump our machines now eh as it seems pointless having them with that way of thinking.

Hacking sites are a challenge anyway...much easier to use Windows built-in mechanisms to add and run software to hijack information.

mike

Relztrah
Posts: 88
Joined: Sat 20 Oct 2007, 09:12
Location: Pittsburgh, Pennsylvania, USA

Re: Should I be concerned about virus and malware?

#16 Post by Relztrah »

RetroTechGuy wrote:
Relztrah wrote: Tahrpup has breathed new life into my old Lenovo ThinkPad and I'm slowly learning how to use it. Most of the malicious software attacks seem to be Windows-based, and I feel more secure using Linux. But is this a false sense of security? I don't have an anti-malware or anti-virus installed, and from what I have read about Linux, they are not necessary.

I do online banking and I'm reluctant to access my bank's website and enter my username and password with no protection.

Any thoughts or suggestions are appreciated.
Are you running a frugal install? If so, set up a second save file and use it only for banking, etc.

I have a "Main" and another called "Secure" -- the latter isn't used for general browsing -- only for banking, etc. I often make a copy of Main when testing new packages, or other operations that might destroy the save file.

I don't think that there's much to worry about virus-wise. Make sure that your browser is in secure mode...

In frugal mode, if you have 2 or more save files in the folder, it will ask which to load.
Perhaps I should have provided more details. I did a full install and I use Google Chrome version 32.0.1700.77. I looked for security settings but did not find them. I am familiar with Google Chrome, but I'm not opposed to using Palemoon, Firefox or another browser if they are more secure.

Relztrah
Posts: 88
Joined: Sat 20 Oct 2007, 09:12
Location: Pittsburgh, Pennsylvania, USA

#17 Post by Relztrah »

Thank you for the suggestion and link. This would be in place of using a live DVD as you recommend above, correct?

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#18 Post by Sylvander »

Relztrah wrote:Thank you for the suggestion and link. This would be in place of using a live DVD as you recommend above, correct?
Correct. :D

If it were me, I'd try the multi-session DVD-RW first, and only after trying that give Puli on a Flash Drive a try [I've not tried this yet, don't have a spare Flash Drive].

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

Re: Should I be concerned about virus and malware?

#19 Post by bark_bark_bark »

Relztrah wrote:I am familiar with Google Chrome, but I'm not opposed to using Palemoon, Firefox or another browser if they are more secure.
Pale moon is more secure than chrome
....

RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

Re: Should I be concerned about virus and malware?

#20 Post by RetroTechGuy »

bark_bark_bark wrote:
Relztrah wrote:I am familiar with Google Chrome, but I'm not opposed to using Palemoon, Firefox or another browser if they are more secure.
Pale moon is more secure than chrome
And if you isolate your "secure" save file from general use, I wouldn't expect it to pick up any malware. It would primarily have to come from your bank or credit card web sites...

This means that you have to pay attention, and only use it for accessing your bank, credit cards, etc.

Then reboot and go back to your general purpose Puppy...

Also, make a backup of your "secure" Puppy, so you can simply copy it back to restore the original settings...
