Does Qubes protect against all firmware viruses?


tomas.s...@gmail.com

Jun 8, 2020, 2:00:17 PM
to qubes-users
I understand that Qubes compartmentalizes the OS, and parts of the OS don't have access to other parts of the OS. So even if you had a virus in the firmware of a network card, it wouldn't matter. I know firmware viruses are rare, but still, better safe than sorry. I am looking for a safe OS to do online banking from. If I use a live USB of Qubes, does that protect me against all firmware viruses? I wonder. Even if there is like a 0.2% chance of being infected with one. Also, I can't disable all my disks in BIOS, could that be a problem? I mean if I use a live USB and don't boot my main OS when the USB is plugged in. So my main OS can't compromise Qubes. And even if the disks were enabled and I boot up Qubes from the live USB, I am not sure if it could get infected, because these viruses have to be loaded somehow, right? But if they are passively on the disk and you launch a 2nd OS from the live USB, I'm not sure if it could get infected like this. I wanted to dedicate my old PC to online banking, but Qubes doesn't work there.

Mark Fernandes

Jun 9, 2020, 6:51:41 AM
to qubes-users
I recently did a personal study that covered at least some of these issues. People can also contribute to the study, which is now public and in the form of a wiki.

On Monday, 8 June 2020 19:00:17 UTC+1, tomas.s...@gmail.com wrote:
> ... I know firmware viruses are rare, but still better safe than sorry. I am looking for a safe OS to do online banking from. If I use a live USB of Qubes, does that protect me against all firmware viruses? ...

My opinion is that it probably doesn't when you suspect you may already have firmware viruses. If you know you are clean (including that the USB memory stick is also clean from firmware malware [because USB memory sticks can also have firmware malware]), then you'll probably be safe if you only use Qubes.

A live DVD of Qubes is likely more safe than a live USB memory stick of Qubes—see here.

For users not literate with the technical aspects of computing, who want to do online banking securely and safely, I would advise purchasing a brand new Chromebook using random physical selection at a physical computer store. Chromebooks appear to be quite secure in comparison to many other kinds of devices generally labelled as computers (I don't include smartphones in this comparison, and I don't know so much about which smartphone one should choose for online banking).

If you are more technically minded, and want to do online banking, it still might be the case that other "better" solutions are inappropriate for you, in the sense that they are all "overkill" solutions. Banks often refund monies stolen through fraud... However, if you are more technically minded, it probably is a good idea to look through the aforementioned study (the contents page can be accessed here).

Some info on the security of BIOS/UEFI firmware (from the study) is documented here.

> Also I can't disable all my disks in BIOS, could that be a problem? .... So my main OS can't compromise Qubes. ...

Would recommend physical disconnection of unused disks when dual-booting. As I think was mentioned elsewhere in these mailing lists, you can do that by just taking out the power cable of the respective disks. See here for more information.

> ... I wanted to dedicate my old PC to online banking, but Qubes doesn't work there.

Might be a good idea to do such dedication. It can be good from a security perspective because of the isolation of the device from other systems you use. You could consider using the freely-available CloudReady OS, which is something like ChromeOS (used on Chromebooks) for non-Chromebook devices. I've successfully installed CloudReady on an old Toshiba laptop.


Kind regards,


Mark Fernandes

Catacombs

Jun 9, 2020, 10:39:26 AM
to qubes-users


On Monday, June 8, 2020 at 1:00:17 PM UTC-5, tomas.s...@gmail.com wrote:
> I understand that Qubes compartmentalizes the OS, and parts of the OS don't have access to other parts of the OS. So even if you had a virus in the firmware of a network card, it wouldn't matter. I know firmware viruses are rare, but still, better safe than sorry. I am looking for a safe OS to do online banking from. If I use a live USB of Qubes, does that protect me against all firmware viruses? I wonder. Even if there is like a 0.2% chance of being infected with one. Also, I can't disable all my disks in BIOS, could that be a problem? I mean if I use a live USB and don't boot my main OS when the USB is plugged in. So my main OS can't compromise Qubes. And even if the disks were enabled and I boot up Qubes from the live USB, I am not sure if it could get infected, because these viruses have to be loaded somehow, right? But if they are passively on the disk and you launch a 2nd OS from the live USB, I'm not sure if it could get infected like this. I wanted to dedicate my old PC to online banking, but Qubes doesn't work there.

You might rather look at those webpages which talk about "Threat Model": who you might be contending with. There is, of course, the possibility that what you are referring to is the fact that Intel main processors have modems which might allow Intel to change the firmware code without your knowing it. I have been told, by someone who is much more knowledgeable about these things, that there are no instances of Intel ever having done that. There are some possible problems with USB keyboards.

You might ask your bank. I suspect in any case, what you might be more interested in is reading about VPNs. Some are more expensive than others. As someone said, don't trust a free VPN, they have to make their money somewhere; still, I use the free version of ProtonVPN.

Hardware that is produced with the goal of no firmware intrusion includes https://puri.sm/ and the Qubes certified hardware, https://www.qubes-os.org/doc/certified-hardware/; notice also the Hardware Compatibility List, https://www.qubes-os.org/hcl/

I guess that is off the subject. 

If you use a VPN: my bank checks the IP address the login comes from. If the VPN server is, say, in New York, a thousand miles away, it will not let me log in. The bank reasons I should have told them I was traveling. You might find difficulty using Tor or Whonix to log in to your bank.

Catacombs

Jun 9, 2020, 11:18:10 AM
to qubes-users
I should mention, using a credit card can insulate you from risk. The big risk of using a bank account is allowing someone to have the checking account number itself, the one on the bottom of all your checks.

Puppy Linux has a number of Live versions which actually do not have a root, but whose security in the case of a bank account is derived from loading a fresh version of the OS at each reboot. If one completely powers down the computer after each bank session, and does not save the partition each time, then no way can software get in around you. Installing a VPN to use with one of the distros of Puppy Linux can be problematic though. Puppy Linux has a friendly forum. I think you might start with Easy OS and create a multi-save DVD. Boot, then do your banking, power down.

Not perfect.  If you are a geek type, then use Qubes.  No doubt Qubes is superior in several ways.

tomas.s...@gmail.com

Jun 12, 2020, 2:35:00 PM
to qubes-users
Well, that's the problem indeed, knowing if you are clean from firmware viruses in the first place. But I don't suspect I have firmware viruses, and I have a new PC. It takes a lot of time and money and no one would bother to infect a specific user. I am no one. It could be used in attacks on multiple people, or if some firmware virus already existed someone could use it, I guess, I don't really know. Even though the probability is low, I am just acting responsibly about this. If I can use Qubes, then why not, right? So if I use Qubes from a ROM optical disc in an external drive, I should be generally safe (nothing is perfect), even if I got firmware viruses afterwards? I can't unplug the disks and disable all of them in BIOS; I am using NVMe and it is blocked by the GPU vertical mount, and it was insane to plug it in in the first place, so doing that each time is not feasible. So if I boot from a live CD, I'm not sure if viruses on the hard disks could do anything. And I won't be booting Windows when the live CD is in, and it would be a ROM, and I'll use an external CD drive.

Also, I don't know what I was saying previously, but I can't dedicate my old PC to banking, at least with Qubes; it doesn't work there. So I would be using it on my main PC. But if I used another Linux on my old PC and dedicated it only to online banking, that should be safe, right? Even if I had it a long time, so I could potentially have some firmware viruses that could impact security in the future. Even if I had them and they didn't do anything so far. I don't know.

Steve Coleman

Jun 12, 2020, 4:10:25 PM
to tomas.s...@gmail.com, qubes-users
On Fri, Jun 12, 2020 at 2:35 PM <tomas.s...@gmail.com> wrote:
> Well, that's the problem indeed, knowing if you are clean from firmware viruses in the first place. But I don't suspect I have firmware viruses, and I have a new PC. It takes a lot of time and money and no one would bother to infect a specific user. I am no one. It could be used in attacks on multiple people, or if some firmware virus already existed someone could use it, I guess, I don't really know. Even though the probability is low, I am just acting responsibly about this. If I can use Qubes, then why not, right? So if I use Qubes from a ROM optical disc in an external drive, I should be generally safe (nothing is perfect), even if I got firmware viruses afterwards? I can't unplug the disks and disable all of them in BIOS; I am using NVMe and it is blocked by the GPU vertical mount, and it was insane to plug it in in the first place, so doing that each time is not feasible. So if I boot from a live CD, I'm not sure if viruses on the hard disks could do anything. And I won't be booting Windows when the live CD is in, and it would be a ROM, and I'll use an external CD drive.
>
> Also, I don't know what I was saying previously, but I can't dedicate my old PC to banking, at least with Qubes; it doesn't work there. So I would be using it on my main PC. But if I used another Linux on my old PC and dedicated it only to online banking, that should be safe, right? Even if I had it a long time, so I could potentially have some firmware viruses that could impact security in the future. Even if I had them and they didn't do anything so far. I don't know.

There is not much one can do to protect against firmware viruses other than to try and prevent situations where someone can reflash your BIOS in the first place. Since the BIOS is initialized even before the software/OS gains control, the malware code would already be resident in memory before the DVD booted from that read-only media. The DVD drive cannot even operate until the system initializes the BIOS that understands how the DVD drive even works, so if someone was able to reflash the EEPROM then it's game over even before the OS is loaded. Any software loaded after the malicious code is in memory is of course subject to what that code wants to do with your system in the first place.

That being said, it is extremely difficult to reflash your BIOS when running a general OS in the normal user context, and even more difficult when running a virtualized system such as Qubes. So, if you can prevent the machine from booting from any external devices then you have just raised the bar for that adversary. If you can prevent them from gaining physical access to the computer internals, so as to attach a JTAG device, then that raises the bar even higher. Chances are the adversary would need physical access to the machine to pull this off, which means that any three-letter agency or foreign government would have to want you really, really badly before they put someone to the task of rigging your physical machine like that. Yes, it's possible, but there are easier ways to do what they want than reflashing the BIOS, so this scenario is unlikely unless you are one very important person.


tomas.s...@gmail.com

Jun 12, 2020, 6:34:19 PM
to qubes-users


On Friday, June 12, 2020 at 10:10:25 PM UTC+2, Steve Coleman wrote:

> That being said, it is extremely difficult to reflash your BIOS when running a general OS in the normal user context, and even more difficult when running a virtualized system such as Qubes. So, if you can prevent the machine from booting from any external devices then you have just raised the bar for that adversary.

Wait, what about internal devices? Like a disk. I can't disable NVMe in BIOS, unfortunately. Couldn't the BIOS be reflashed from the disk before bootup? So you are saying even Qubes doesn't protect against firmware viruses if they are already there. As I am running Windows as my main OS and wanted to use Qubes from a ROM CD in an external drive. So if I already had a firmware virus, even though that's very unlikely, Qubes wouldn't protect me in such a scenario. Correct?

Then probably the best idea would be to use my old computer, disconnect the disks and use one of the Linuxes people above suggested, just for online banking. And use a dedicated mouse and keyboard for that, and an external CD-ROM.

tomas.s...@gmail.com

Jul 2, 2020, 12:51:35 PM
to qubes-users
The problem with a CD is: every time an update for the browser comes out, you would have to burn Qubes onto a new CD. I don't know if it is okay to run an old browser to access the bank. How often should you upgrade your browser?

Mark Fernandes

Jul 2, 2020, 1:10:13 PM
to qubes-users
On Thursday, 2 July 2020 17:51:35 UTC+1, tomas.s...@gmail.com wrote:
> The problem with a CD is: every time an update for the browser comes out, you would have to burn Qubes onto a new CD. I don't know if it is okay to run an old browser to access the bank. How often should you upgrade your browser?

I should imagine you could likely just download the latest browser 'on-the-fly' after Qubes starts up. I suppose it depends on your internet connection. You can create a virtual disk in RAM for each Qubes session; such data is wiped when the computer is power cycled, so malware threats are generally low.

Alternatively, you might be able to create a multi-session DVD, so that whenever you have a new Qubes or new browser, you just add it to the current DVD (rather than throwing it out and starting afresh).

Would have thought using an old browser wouldn't pose that much of a security risk, but it's probably best to get advice from others on this. You will also probably find that other Qubes users have specifically experienced these issues; I've not encountered such issues (I am a Qubes newbie).


Kind regards,


Mark Fernandes

tomas.s...@gmail.com

Jul 12, 2020, 5:28:54 PM
to qubes-users
I am still looking into this, it is a lot to think of. Do you know any sites where there is threat modeling for the average user? I was trying dozens of phrases... and I didn't find any threat model website. Everything was only for companies and developers, which was completely useless; I even banned these words in my search...

awokd

Jul 14, 2020, 4:58:36 PM
to qubes...@googlegroups.com
tomas.s...@gmail.com:
"Threat model" is a generic security term. See
https://www.macobserver.com/tips/how-to/security-build-threat-model/ for
a short example of how to develop one. Very basically, identify what you
want to protect, and against who/what. Then you can identify means to
defend it.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

tomas.s...@gmail.com

Jul 16, 2020, 3:21:09 PM
to qubes-users
Wait a minute... How can a checking account number represent a security risk?

awokd

Jul 16, 2020, 4:10:24 PM
to qubes...@googlegroups.com
tomas.s...@gmail.com:
> Wait a minute... How can a checking account number represent a security risk?

https://www.consumer.ftc.gov/articles/0196-automatic-debit-scams

tomas.s...@gmail.com

Jul 17, 2020, 12:48:49 PM
to qubes-users
Btw, isn't there the same problem with a multi-session DVD as with a USB flash disk? You can write additional data there. Unless you use a read-only CD drive, but I didn't see one anywhere...


On Tuesday, June 9, 2020 at 5:18:10 PM UTC+2, Catacombs wrote:

tomas.s...@gmail.com

Jul 19, 2020, 10:28:02 AM
to qubes-users
Yeah, but in that article they talk about a checking number, not the actual account number. I honestly never heard of some checking number. I have recurring payments and it doesn't work that way; I have no checking number. I don't even know what that means in my language...

unman

Jul 20, 2020, 7:34:12 AM
to qubes-users
On Sun, Jul 19, 2020 at 07:28:02AM -0700, tomas.s...@gmail.com wrote:
> Yeah but, in that article: they talk about checking number, not actual
> account number. I never heard of some checking number honestly. I have
> recurring payments and it doesn't work that way, i have no checking number.
> I don't even know what that means in my language...
>
> On Thursday, July 16, 2020 at 10:10:24 PM UTC+2, awokd wrote:
> >
> > tomas.s...@gmail.com:
> > > Wait a minute... How checking account number, can represent security
> > risk?
> >
> > https://www.consumer.ftc.gov/articles/0196-automatic-debit-scams
> >

The convention here is not to top-post.
Please scroll to the bottom of the message before you start typing. Or
reply inline.
It only takes you seconds, makes it much easier to follow threads, and
cumulatively saves your fellow users hours.
Thanks.

In that article *in English* there is no reference to "checking number",
every reference is to "checking account" information or number, so I
suspect something is lost in translation.
A checking account is a US name - we don't have them where I live, but we
have similar accounts, which allow for Direct Debits to be set up.

The point is that if someone has your account number and sort-code, they
*may* be able to set up a payment out of the account without your
knowledge or authority.