Security Incidents: Re: bootable readonly media in your pocket Re: yes, it's t0rn again

From: Michael H. Warfield <mhw_at_WITTSEND.COM>
Date: Fri, 5 Jan 2001 15:57:00 -0500

On Fri, Jan 05, 2001 at 12:22:30PM -0600, marc wrote:
> On Thu, 4 Jan 2001, Robert Horn wrote:

> > > On Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein wrote:
> > >> Make sure your md5sum binary is also on immutable media. It doesn't do you any
> > >> good to have known good checksums, if the binary that does the checking can be
> > >> hacked to tell you what the hacker wants it to tell you.

> Does anyone know of an iso distribution of linux already built to
> do this? I am familiar w/ trinux, but I'd like a bootable cd that already
> has the ability to mount different filesystems, md5 check, etc. At SANS I
> saw someone was walking around giving out small recovery cdroms like this
> that were cut down to the size of a credit card. I'd really like one of
> those.

        What you probably saw was the "LinuxCare Bootable Recovery Disk"
(got one in my pocket right now). Check out the LinuxCare web site
or corner one of them at a show. They generally pass them out at the
trade shows, but you often have to ask. They also offer them to user
groups.

> marc
>
> > >
> > > That may also not be enough. A library could have been hacked, md5sum should be
> > > statically linked. And, if a kernel module has been inserted, then all bets
> > > are off, you would have to reboot from a known kernel to be sure.
> >
> > One convenience for some systems is to create a mountable and bootable
> > CDROM with:
> > 1. The md5sums
> > 2. A program for checking the md5sums. If you write one of your own
> > in C or some other language that generates executable code you
> > increase the difficulty of a modified kernel recognizing and
> > defeating it.
> > 3. A usable small complete OS for initial forensics.
> >
> > A modified kernel can hide modifications by trapping filesystem I/O, so
> > only rebooting directly from the CDROM with the known good OS and tools
> > is the only way to detect kernel modifications. Using a CDROM is just a
> > convenience. It avoids disassembling the computer to take the suspect
> > disks over to another known good system for analysis. It is usually
> > much easier to reboot from the CDROM.
> >
> > If they've penetrated the boot ROM, well, you can reflash it from a
> > known good copy.
> >
> > R Horn
> >
>
> marc
>
> import sigfile

--
 Michael H. Warfield    |  (770) 985-6132   |  mhw_at_WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
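The checker Horn describes in step 2 of his CD-ROM recipe, as an added example that is not from this thread: a Python stand-in for the statically linked checker he suggests writing in C, which builds an md5sum-style manifest ("<hex>  <relative path>") and reports modified, missing and unlisted files against it. The directory layout, file contents and the simulated tampering in demo() are all constructed for illustration; as the thread notes, it only tells the truth when run from the known-good OS on the read-only media, since a trapped kernel can hide changes from any checker running on it.

```python
import hashlib
import os
import tempfile

def md5_file(path, chunk=65536):
    """Stream a file through MD5 (kept to match the thread's md5sum; use SHA-256 today)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Return md5sum-style lines '<hex>  <relative path>' for every file under root."""
    lines = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lines.append(f"{md5_file(full)}  {os.path.relpath(full, root)}")
    return "\n".join(sorted(lines)) + "\n"

def verify_manifest(root, manifest_text):
    """Compare the live tree with a trusted manifest (the copy kept on read-only media).
    Returns (modified, missing, unlisted): sorted lists of relative paths."""
    # manifest lines are "<hex>  <path>" with two spaces, as md5sum writes them
    expected = {rel: digest for digest, rel in
                (line.split("  ", 1) for line in manifest_text.splitlines() if line.strip())}
    modified = [r for r, d in expected.items()
                if os.path.isfile(os.path.join(root, r)) and md5_file(os.path.join(root, r)) != d]
    missing = [r for r in expected if not os.path.isfile(os.path.join(root, r))]
    present = {os.path.relpath(os.path.join(d, n), root)
               for d, _, names in os.walk(root) for n in names}
    return sorted(modified), sorted(missing), sorted(present - set(expected))

def demo():
    """Constructed scenario: baseline a tiny tree, then simulate tampering and re-check."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        for rel, data in (("bin/ls", b"ELF ls"), ("bin/ps", b"ELF ps"), ("etc/passwd", b"root:x:0:0:\n")):
            put(rel, data)
        manifest = build_manifest(root)               # trusted baseline: this goes on the CD
        put("bin/ps", b"ELF ps replaced")             # simulate a replaced binary
        os.remove(os.path.join(root, "etc/passwd"))   # simulate a deleted file
        put("bin/login", b"ELF unlisted")             # simulate a file the baseline never had
        return verify_manifest(root, manifest)
```

demo() returns the three lists (["bin/ps"], ["etc/passwd"], ["bin/login"]); the untouched bin/ls is correctly absent from all of them.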
Received on Jan 05 2001