Security Incidents mailing list archives
Re: bootable readonly media in your pocket Re: yes, its t0rn again
From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Fri, 5 Jan 2001 15:57:00 -0500
On Fri, Jan 05, 2001 at 12:22:30PM -0600, marc wrote:
On Thu, 4 Jan 2001, Robert Horn wrote:
On Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein wrote:
Make sure your md5sum binary is also on immutable media. It doesn't do you any good to have known good checksums, if the binary that does the checking can be hacked to tell you what the hacker wants it to tell you.
Does anyone know of an iso distribution of linux already built to do this? I am familiar with trinux, but I'd like a bootable cd that already has the ability to mount different filesystems, md5 check, etc. At SANS I saw someone was walking around giving out small recovery cdroms like this that were cut down to the size of a credit card. I'd really like one of those.
What you probably saw was the "LinuxCare Bootable Recovery Disk" (got one in my pocket right now). Check out the LinuxCare web site or corner one of them at a show. They generally pass them out at the trade shows, but you often have to ask. They also offer them to users groups.
That may also not be enough. A library could have been hacked, md5sum should be statically linked. And, if a kernel module has been inserted, then all bets are off, you would have to reboot from a known kernel to be sure.

One convenience for some systems is to create a mountable and bootable CDROM with:
1. The md5sums
2. A program for checking the md5sums. If you write one of your own in C or some other language that generates executable code you increase the difficulty of a modified kernel recognizing and defeating it.
3. A usable small complete OS for initial forensics.

A modified kernel can hide modifications by trapping filesystem I/O, so only rebooting directly from the CDROM with the known good OS and tools is the only way to detect kernel modifications. Using a CDROM is just a convenience. It avoids dis-assembling the computer to take the suspect disks over to another known good system for analysis. It is usually much easier to reboot from the CDROM. If they've penetrated the boot ROM, well, you can reflash it from a known good copy.

R Horn

marc
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
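Horn's checklist (a manifest of known-good md5sums plus a program that rechecks them, run from read-only media) as an added example that is not code from the thread. It reads and writes the two-column format `md5sum` produces, so a baseline made on the clean system can be checked later; the mount point `/mnt/cdrom` mentioned in the comments is an assumption, and the sample files and their "tampering" are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def md5_of(path, chunk=65536):
    """Hex MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(paths, manifest):
    """Write md5sum-compatible lines ('<hex>  <path>') for the baseline.
    Run on the clean system; then copy the manifest to the CD (assumed
    /mnt/cdrom/baseline.md5) so it can no longer be edited in place."""
    with open(manifest, "w") as out:
        for p in paths:
            out.write(f"{md5_of(p)}  {p}\n")


def verify_manifest(manifest):
    """Recheck every manifest entry against the disk.
    Returns {path: 'OK' | 'CHANGED' | 'MISSING'}; a 'CHANGED' system
    binary is exactly the symptom the thread is hunting for."""
    results = {}
    with open(manifest) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, path = line.split("  ", 1)
            if path.startswith("*"):        # md5sum's binary-mode marker
                path = path[1:]
            if not os.path.exists(path):
                results[path] = "MISSING"
            elif md5_of(path) != expected:
                results[path] = "CHANGED"
            else:
                results[path] = "OK"
    return results


def demo():
    """Constructed run: baseline three files, alter one, delete one."""
    d = tempfile.mkdtemp()
    files = [os.path.join(d, n) for n in ("ls", "ps", "netstat")]
    for p in files:
        with open(p, "wb") as f:
            f.write(b"clean " + os.path.basename(p).encode())
    manifest = os.path.join(d, "baseline.md5")
    write_manifest(files, manifest)
    with open(files[1], "ab") as f:         # stand-in for a replaced binary
        f.write(b" modified")
    os.remove(files[2])
    return {os.path.basename(p): s for p, s in verify_manifest(manifest).items()}
```

As the thread stresses, the result is only as trustworthy as the interpreter, libraries and kernel doing the checking, which is why the real run belongs on a system booted from the read-only medium.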