OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Michael H. Warfield (mhwWITTSEND.COM)
Date: Fri Jan 05 2001 - 14:57:00 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    On Fri, Jan 05, 2001 at 12:22:30PM -0600, marc wrote:
    > On Thu, 4 Jan 2001, Robert Horn wrote:

    > > > Em Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein escreveu:
    > > >> Make sure your md5sum binary is also on immutable media. It doesn't do you any
    > > >> good to have known good checksums, if the binary that does the checking can be
    > > >> hacked to tell you what the hacker wants it to tell you.

    > Does anyone know of an iso distribution of linux already built to
    > do this? I am familiar w/ trinux, but id like a bootable cd that already
    > has the ability to mount different filesystems, md5 check, etc. At SANS i
    > saw someone was walking around giving out small recovery cdroms like this
    > that were cut down to the size of a credit card. Id really like one of
    > those.

            What you probably saw was the "LinuxCare Bootable Recovery Disk"
    (got one in my pocket right now). Check out the LinuxCare web site
    or corner one of them at a show. They generally pass them out at the
    trade shows, but you often have to ask. They also offer them to users
    groups.

    > marc
    >
    > > >
    > > > That may also not be enough. A library could have been hacked, md5sum should be
    > > > statically linked. And, if a kernel module has been inserted, then all bets
    > > > are off, you would have to reboot from a known kernel to be sure.
    > >
    > > One convenience for some systems is to create a mountable and bootable
    > > CDROM with:
    > > 1. The md5sums
    > > 2. A program for checking the md5sums. If you write one of your own
    > > in C or some other language that generates executable code you
    > > increase the difficulty of a modified kernel recognizing and
    > > defeating it.
    > > 3. A usable small complete OS for initial forensics.
    > >
    > > A modified kernel can hide modifications by trapping filesystem I/O, so
    > > only rebooting directly from the CDROM with the known good OS and tools
    > > is the only way to detect kernel modifications. Using a CDROM is just a
    > > convenience. It avoids dis-assembling the computer to take the suspect
    > > disks over to another known good system for analysis. It is usually
    > > much easier to reboot from the CDROM.
    > >
    > > If they've penetrated the boot ROM, well, you can reflash it from a
    > > known good copy.
    > >
    > > R Horn
    > >
    >
    > marc
    >
    > import sigfile 

    --
 Michael H. Warfield    |  (770) 985-6132   |  mhwWittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!