Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: Re: bootable readonly media in your pocket Re: yes, its t0rn again

Re: bootable readonly media in your pocket Re: yes, its t0rn again

From: Ed Padin <ohdamnthathurts_at_YAHOO.COM>
Date: Fri, 5 Jan 2001 16:43:20 -0500

Don't know if it'll fit on a small CD but look for a distribution called
Finnix. It's a mostly full distribution of RH 6-sumthin'. It takes a long
time to download the compressed iso image. The guy that wrote it configured
it to mount all writable directories on ram disks. I was able to create my
own disk to suit my needs using his example. You'll need a cd writer to
create the CD.

Cheque it--> http://www.finnix.org/

----- Original Message -----
From: "marc" <marc_at_ZOUNDS.NET>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Friday, January 05, 2001 1:22 PM
Subject: bootable readonly media in your pocket Re: yes, its t0rn again

> On Thu, 4 Jan 2001, Robert Horn wrote:
>
> > > Em Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein escreveu:
> > >> Make sure your md5sum binary is also on immutable media. It doesn't
do you any
> > >> good to have known good checksums, if the binary that does the
checking can be
> > >> hacked to tell you what the hacker wants it to tell you.
>
> Does anyone know of an iso distribution of linux already built to
> do this? I am familiar w/ trinux, but id like a bootable cd that already
> has the ability to mount different filesystems, md5 check, etc. At SANS i
> saw someone was walking around giving out small recovery cdroms like this
> that were cut down to the size of a credit card. Id really like one of
> those.
>
> marc
>
> > >
> > > That may also not be enough. A library could have been hacked, md5sum
should be
> > > statically linked. And, if a kernel module has been inserted, then all
bets
> > > are off, you would have to reboot from a known kernel to be sure.
> >
> > One convenience for some systems is to create a mountable and bootable
> > CDROM with:
> > 1. The md5sums
> > 2. A program for checking the md5sums. If you write one of your own
> > in C or some other language that generates executable code you
> > increase the difficulty of a modified kernel recognizing and
> > defeating it.
> > 3. A usable small complete OS for initial forensics.
> >
> > A modified kernel can hide modifications by trapping filesystem I/O, so
> > only rebooting directly from the CDROM with the known good OS and tools
> > is the only way to detect kernel modifications. Using a CDROM is just a
> > convenience. It avoids dis-assembling the computer to take the suspect
> > disks over to another known good system for analysis. It is usually
> > much easier to reboot from the CDROM.
> >
> > If they've penetrated the boot ROM, well, you can reflash it from a
> > known good copy.
> >
> > R Horn
> >
>
> marc
>
> import sigfile
Received on Jan 05 2001

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos