From: Ed Padin (ohdamnthathurtsYAHOO.COM)
Date: Fri Jan 05 2001 - 15:43:20 CST


    Don't know if it'll fit on a small CD but look for a distribution called
    Finnix. It's a mostly full distribution of RH 6-sumthin'. It takes a long
    time to download the compressed iso image. The guy that wrote it configured
    it to mount all writable directories on ram disks. I was able to create my
    own disk to suit my needs using his example. You'll need a cd writer to
    create the CD.

    Cheque it--> http://www.finnix.org/

    ----- Original Message -----
    From: "marc" <marcZOUNDS.NET>
    To: <INCIDENTSSECURITYFOCUS.COM>
    Sent: Friday, January 05, 2001 1:22 PM
    Subject: bootable readonly media in your pocket Re: yes, its t0rn again

    > On Thu, 4 Jan 2001, Robert Horn wrote:
    >
    > > > On Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein wrote:
    > > >> Make sure your md5sum binary is also on immutable media. It doesn't do you any
    > > >> good to have known good checksums, if the binary that does the checking can be
    > > >> hacked to tell you what the hacker wants it to tell you.
    >
    > Does anyone know of an iso distribution of linux already built to
    > do this? I am familiar w/ trinux, but I'd like a bootable cd that already
    > has the ability to mount different filesystems, md5 check, etc. At SANS i
    > saw someone was walking around giving out small recovery cdroms like this
    > that were cut down to the size of a credit card. I'd really like one of
    > those.
    >
    > marc
    >
    > > >
    > > > That may also not be enough. A library could have been hacked, md5sum should be
    > > > statically linked. And, if a kernel module has been inserted, then all bets
    > > > are off, you would have to reboot from a known kernel to be sure.
    > >
    > > One convenience for some systems is to create a mountable and bootable
    > > CDROM with:
    > > 1. The md5sums
    > > 2. A program for checking the md5sums. If you write one of your own
    > > in C or some other language that generates executable code you
    > > increase the difficulty of a modified kernel recognizing and
    > > defeating it.
    > > 3. A usable small complete OS for initial forensics.
    > >
    > > A modified kernel can hide modifications by trapping filesystem I/O, so
    > > only rebooting directly from the CDROM with the known good OS and tools
    > > is the only way to detect kernel modifications. Using a CDROM is just a
    > > convenience. It avoids dis-assembling the computer to take the suspect
    > > disks over to another known good system for analysis. It is usually
    > > much easier to reboot from the CDROM.
    > >
    > > If they've penetrated the boot ROM, well, you can reflash it from a
    > > known good copy.
    > >
    > > R Horn
    > >
    >
    > marc
    >
    > import sigfile
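An added example (not from this thread or any of the posters) of items 1 and 2 in R Horn's list: build an md5sum(1)-compatible manifest of a tree, then verify the live tree against it and report modified, missing and added files. The directory tree, its contents and the tampering are all constructed in a temporary directory for the demo; path names under it are made up.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_file(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so large binaries need not fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: Path):
    """md5sum(1)-compatible lines ('<hex>  <path relative to root>'), sorted.
    This is the list to burn to the read-only CD beside the checker itself."""
    return "".join(f"{md5_file(p)}  {p.relative_to(root).as_posix()}\n"
                   for p in sorted(root.rglob("*")) if p.is_file())

def parse_manifest(text):
    """Manifest text -> {relative path: expected hex digest}."""
    return {rel: digest for digest, _, rel in
            (line.partition("  ") for line in text.splitlines() if line.strip())}

def verify(root: Path, manifest_text):
    """Compare the live tree under root with the manifest. Only meaningful when
    run from a booted known-good kernel and tools, as the thread says."""
    expected = parse_manifest(manifest_text)
    live = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    return {
        "modified": sorted(r for r, d in expected.items()
                           if r in live and md5_file(live[r]) != d),
        "missing": sorted(r for r in expected if r not in live),
        "extra": sorted(r for r in live if r not in expected),
    }

def demo():
    """Constructed scenario: baseline a tiny fake /bin, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps\n")
        manifest = build_manifest(root)  # what would go on the CD
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps # altered\n")  # replaced
        (root / "bin" / "ls").unlink()                                         # deleted
        (root / "bin" / "netstat").write_bytes(b"#!/bin/sh\n")                # added
        return verify(root, manifest)
```

Python is used here for readability; the thread's advice that the checker you actually ship be statically linked and live on the same read-only media as the manifest still applies.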