pr1v 36 Posted ...

I would like to know your opinion about security when using some Linux live CD + AirVPN VPN + browser without JavaScript to avoid malware.

When I am browsing the web with AirVPN I am not showing my real IP, and so I am avoiding many attacks. Using a Linux live CD (Knoppix or Porteus for example) I suppose I can't receive malware, and if I receive it in RAM memory then it will all be deleted when I finish, because nothing can be written to a CD. It would be very bad luck to receive malware just in the minutes I am using it and be compromised in what I am doing (passwords, etc).

So, my question is: if these Linux live CDs use an outdated browser and they have some vulnerabilities, but I am using the browser without JavaScript, and if they are not offering an open port outside, what are the possibilities of being hacked with malware? Is it a safe solution to enter, for example, our bank accounts? I thought about network sniffing, but using AirVPN is an extra...

Opinions? Thanks

zhang888 1066 Posted ...

The only attack surface you are mitigating using a live CD is persistence of malware. So that even after you are infected, a reboot will be enough to make your system clean again.

As for malware as a concept, a live-CD system and an installed image have no differences. Both can be attacked by malware if you are not cautious enough, and if you have sensitive data in your browser or memory, an elevated process (such as malware) can read that data.

Generally Linux live CDs are safer because the variety of distributions and browser versions makes exploitation a huge moving target. So in real life only highly targeted attacks can be successful, or attacks on very common platforms with the same predictable setup, such as the Tor Browser on Tails OS. Then a generic exploit can be successful, impacting all users of the same OS image.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

pr1v 36 Posted ...

Thank you zhang888. But if I only use it to browse websites with AirVPN and without JavaScript, can I receive malware too?

zhang888 1066 Posted ...

The question should rather be not if you can, but what are the chances that you will. To answer that question you have to be aware of all the risk factors.

While surfing without JavaScript can be very effective against browser exploits, there are plenty more low-hanging fruits for attackers, such as the Flash Player, various Silverlight/Java plugins, the PDF reader, Office documents (although this is more a Windows-focused issue) etc. Some recent attack scenarios included backdoored installations of various P2P software, and even a successful attempt to backdoor a live Linux Mint distribution.

No VPN service can protect you from malware, as those attacks are not something happening in the network layer at all, but are either conducted by software exploitation and/or social engineering. This is why it is always better to rely on multiple factors of authentication for highly sensitive services, turn on 2FA, restrict connections with a hardware token if your bank supports it, use multisig wallets in case you use Bitcoin, etc.

pr1v 36 Posted ...

Yes, I avoid Java and all the other plugins if I use the live CD for something important. If I use Flash I normally boot only to watch videos and nothing to be worried about. I load the Flash plugin and the browser files from another drive, encrypted with gpg to prevent them from being changed while I don't use them (being disconnected from the internet).

Thanks again!

rainmakerraw 94 Posted ...

That's all assuming your live CD is clean... Linux Mint was distributing backdoored ISOs not long ago, after a hack. Always check and triple check, or better yet roll your own.
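
The "check and triple check" step from the last post, as an added example that is not part of the thread: a checksum read from the same site or mirror that served the image proves nothing on its own, so this script first authenticates the checksum list with a pinned GPG key and only then hashes the ISO. The function names, the file names and the assumption that the distribution publishes a sha256sum-format list with a detached signature are mine; the fingerprint must come from an independent source.

```shell
#!/bin/sh
# Added example. Function names, file names and the fingerprint argument are
# assumptions; take the real fingerprint from a source other than the mirror.

# check_iso_hash ISO SUMS
# Returns 0 only if SUMS (sha256sum format) lists ISO's basename with a
# matching digest, 1 on mismatch, 2 if the file is not listed at all.
# Assumes ISO file names without spaces.
check_iso_hash() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    # Entries look like "<hex>  name" (text mode) or "<hex> *name" (binary).
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $name" >&2
        return 1
    fi
}

# verify_iso ISO SUMS SIG FPR
# Authenticates the checksum list first, then the image against it.
# FPR is the expected 40-hex-digit key fingerprint, uppercase, no spaces.
verify_iso() {
    iso=$1; sums=$2; sig=$3; fpr=$4
    # gpg exits 0 for a good signature from ANY key in the keyring, so also
    # require a VALIDSIG status line carrying the expected fingerprint.
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || {
        echo "bad or missing signature on $sums" >&2; return 3; }
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr" || {
        echo "checksum list signed by an unexpected key" >&2; return 4; }
    check_iso_hash "$iso" "$sums"
}
```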