Security Incidents mailing list archives

Re: bootable readonly media in your pocket Re: yes, its t0rn again


From: Ed Padin <ohdamnthathurts () YAHOO COM>
Date: Fri, 5 Jan 2001 16:43:20 -0500

Don't know if it'll fit on a small CD but look for a distribution called
Finnix. It's a mostly full distribution of RH 6-sumthin'. It takes a long
time to download the compressed iso image. The guy that wrote it configured
it to mount all writable directories on ram disks. I was able to create my
own disk to suit my needs using his example. You'll need a cd writer to
create the CD.

Cheque it--> http://www.finnix.org/





----- Original Message -----
From: "marc" <marc () ZOUNDS NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, January 05, 2001 1:22 PM
Subject: bootable readonly media in your pocket Re: yes, its t0rn again


On Thu, 4 Jan 2001, Robert Horn wrote:

Em Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein escreveu:
Make sure your md5sum binary is also on immutable media. It doesn't
do you any
good to have known good checksums, if the binary that does the
checking can be
hacked to tell you what the hacker wants it to tell you.

Does anyone know of an iso distribution of linux already built to
do this?  I am familiar w/ trinux, but id like a bootable cd that already
has the ability to mount different filesystems, md5 check, etc.  At SANS i
saw someone was walking around giving out small recovery cdroms like this
that were cut down to the size of a credit card.  Id really like one of
those.

marc

 > >
That may also not be enough. A library could have been hacked, md5sum
should be
statically linked. And, if a kernel module has been inserted, then all
bets
are off, you would have to reboot from a known kernel to be sure.

One convenience for some systems is to create a mountable and bootable
CDROM with:
 1. The md5sums
 2. A program for checking the md5sums.  If you write one of your own
    in C or some other language that generates executable code you
    increase the difficulty of a modified kernel recognizing and
    defeating it.
 3. A usable small complete OS for initial forensics.

A modified kernel can hide modifications by trapping filesystem I/O, so
only rebooting directly from the CDROM with the known good OS and tools
is the only way to detect kernel modifications.  Using a CDROM is just a
convenience. It avoids dis-assembling the computer to take the suspect
disks over to another known good system for analysis.  It is usually
much easier to reboot from the CDROM.

If they've penetrated the boot ROM, well, you can reflash it from a
known good copy.

R Horn


marc

import sigfile


Current thread: