Welcome to the Virus.Org Mailing List Archive
Re: bootable readonly media in your pocket Re: yes, its t0rn again

  • To: [EMAIL PROTECTED]
  • Subject: Re: bootable readonly media in your pocket Re: yes, its t0rn again
  • From: Ed Padin <[EMAIL PROTECTED]>
  • Date: Fri, 05 Jan 2001 22:47:51 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
Don't know if it'll fit on a small CD but look for a distribution called
Finnix. It's a mostly full distribution of RH 6-sumthin'. It takes a long
time to download the compressed iso image. The guy that wrote it configured
it to mount all writable directories on ram disks. I was able to create my
own disk to suit my needs using his example. You'll need a cd writer to
create the CD.

Cheque it--> http://www.finnix.org/





----- Original Message -----
From: "marc" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 05, 2001 1:22 PM
Subject: bootable readonly media in your pocket Re: yes, its t0rn again


> On Thu, 4 Jan 2001, Robert Horn wrote:
>
> > > On Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein wrote:
> > >> Make sure your md5sum binary is also on immutable media. It doesn't do you any
> > >> good to have known good checksums, if the binary that does the checking can be
> > >> hacked to tell you what the hacker wants it to tell you.
>
> Does anyone know of an iso distribution of Linux already built to
> do this?  I am familiar w/ trinux, but I'd like a bootable CD that already
> has the ability to mount different filesystems, md5 check, etc.  At SANS I
> saw someone was walking around giving out small recovery cdroms like this
> that were cut down to the size of a credit card.  I'd really like one of
> those.
>
> marc
>
> >
> > > That may also not be enough. A library could have been hacked, md5sum should be
> > > statically linked. And, if a kernel module has been inserted, then all bets
> > > are off, you would have to reboot from a known kernel to be sure.
> >
> > One convenience for some systems is to create a mountable and bootable
> > CDROM with:
> >  1. The md5sums
> >  2. A program for checking the md5sums.  If you write one of your own
> >     in C or some other language that generates executable code you
> >     increase the difficulty of a modified kernel recognizing and
> >     defeating it.
> >  3. A usable small complete OS for initial forensics.
> >
> > A modified kernel can hide modifications by trapping filesystem I/O, so
> > only rebooting directly from the CDROM with the known good OS and tools
> > is the only way to detect kernel modifications.  Using a CDROM is just a
> > convenience. It avoids dis-assembling the computer to take the suspect
> > disks over to another known good system for analysis.  It is usually
> > much easier to reboot from the CDROM.
> >
> > If they've penetrated the boot ROM, well, you can reflash it from a
> > known good copy.
> >
> > R Horn
> >
>
> marc
>
> import sigfile
