Forwarded from: Chris Wilson <chrisat_private>
Cc: Russell Coker <russellat_private>

Dear Mr Coker, and fellow ISN readers,

On Tue, 31 Dec 2002, InfoSec News wrote:

> Forwarded from: Russell Coker <russellat_private>
...
> Interesting that they claim their software-only solution can survive
> fdisk and format. I wonder if they will claim that it can survive the
> installation of a different OS?
>
> Something like TCPA MIGHT be able to do this, but nothing less will.

I thought about this too, and I came up with one option: the BIOS. We've
seen viruses which can erase a Flash BIOS, so wouldn't it be possible to
write a small virus (just a few kilobytes) living in the unused areas in
the top of that Flash ROM, which knows how to hook in to various common
BIOSes (AMI, Award and Phoenix cover over 99% of the market), scan for
supported operating systems at boot and install itself into their
partitions?

Admittedly, I'm not aware of a case where this has been done, and it
would certainly be tricky, but it cannot be dismissed as impossible just
yet. Look at what worm writers can do with less than a kilobyte of
shellcode.

The virus might not "support" any operating system other than Windows,
but it could perhaps survive the installation of such an OS, lying
dormant in the BIOS until such a time as a supported operating system is
reinstalled, and then quietly reinject itself again. Once the virus code
was running under Windows it would of course have access to the
victim's, ahem, user's internet connection to detect whether the machine
had been reported stolen.

If it hasn't been done yet, perhaps it is a business idea for someone? I
don't have time to implement it myself.

> > Data Delete
>
> Hasn't anyone ever heard of cryptography?

Not really, many people think it's "a deadly cyber-weapon used by
terrorists" or some such nonsense, and most people can't deal with the
risk of losing their passphrase. Of course they sacrifice their own
security for safety as a result, but such is life.

> Surely if you want to steal someone's data then the first thing you
> do is power the machine down and remove the hard drive to prevent
> such erasure!

Yeah, but how many machines (apart from MI5's laptops) are stolen
_because_ of the data contained? I would venture that casual thieves
often do not realise the value of the information they've stolen until
they take a good look at the machine. By that time, such trivial
defenses as Data Delete would have had time to operate.

Let's also remember that luckily, most thieves did not come from the
deep end of the gene pool or receive cyber-espionage training. =)

> Conclusion, after you steal someone's laptop to get their data don't
> immediately connect it to the Internet, copy the data off first!
> Don't boot from the same OS they used, put the hard drive in your
> own machine (for best results mount the hard drive on a non-Windows
> OS).

True, and these solutions could never, ever protect against a determined
thief. They have some value in the war against casual theft, which is
the biggest risk (in terms of frequency and publicity) for most users.

> My observation is that "rm -rf /" is fast enough that even
> experienced administrators often don't catch it while there's still
> something left. mkfs is even faster.

Ever tried that under Windows? =)

> As for "disguising your location with a false IP address", that's
> an amusing claim.

I certainly agree with this, since it's almost impossible to get a reply
to a genuinely spoofed packet, so it would not do the thieves much good
to surf with one.

> Firstly IP addresses on their own aren't THAT useful for locating
> people (think about NAT, think about ISPs in other countries that
> won't accept court orders).

Again, casual theft is the main target of these programs, whatever their
creators may claim. I don't think many thieves would take their
freshly-stolen laptop all the way to Morocco just to download their pr0n
in peace.

> Secondly if you want your program to trace its location based on IP
> addresses then you could give it "traceroute" functionality and
> have it send the complete trace log to the server.

Yes, that would actually be a rather good way of tracing. But you don't
need the complete trace. The next hop upstream (your ISP's dialup
router) is definitely not spoofing its packets, and if you can get its
IP address by a one-hop traceroute and send it to someone, then that
someone can run the rest of the trace themselves.

> Of course it's undetectable. It's so undetectable that even fdisk
> can't find it... :-#

Undetectable != unremovable of course, and neither applies to the
product, but fdisk isn't looking for "agents", especially not in the
BIOS.

> A much better option is to encrypt all the disks and have the
> encryption keys stored in a central office.

Absolutely.

> NB If using an encrypted file system on your laptop be sure to
> permanently disable the "Hibernation" facility in the BIOS. If a
> thief can get a dump of all kernel memory to disk then the
> encryption key will be available in there.

OS vendors should probably wipe this area immediately after resuming
from it, to prevent the accidental retention of sensitive information.

Cheers, Chris.

--
 _ ___ __ _
/ __/ / ,__(_)_   | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer  |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software  |

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:50:08 PST
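The hibernation point raised at the end of the message (a dump of kernel memory to disk carries the volume key with it, and the area should be wiped) can be shown in a small C model. This is an added example, not code from the e-mail or from any product discussed in it; the "kernel memory", the hibernation image and the 128-bit key are all constructed in-process buffers, and secure_zero, load_key, write_hibernation_image, image_contains_key and wipe_key are hypothetical names.

```c
#include <string.h>
#include <stddef.h>

#define KEY_LEN 16
#define IMAGE_LEN 4096

/* Simulated kernel memory that a hibernation pass dumps to disk
 * (constructed in-process buffer, not a real hibernation file). */
static unsigned char kernel_mem[IMAGE_LEN];

/* Constructed 128-bit volume key; a real one comes from the unlock step. */
static const unsigned char sample_key[KEY_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
    0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };

/* Zeroise through a volatile pointer so the compiler cannot drop the
 * stores as dead writes (a plain memset before release is often elided). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* A crypto driver keeps the key in kernel memory while the volume is mounted. */
void load_key(size_t offset) { memcpy(kernel_mem + offset, sample_key, KEY_LEN); }

/* Hibernation: the whole of kernel memory is copied into the on-disk image. */
void write_hibernation_image(unsigned char *image) { memcpy(image, kernel_mem, IMAGE_LEN); }

/* Defender's check: 1 if the key bytes appear anywhere in the image, else 0.
 * This is the test you would run against your own image to confirm the fix. */
int image_contains_key(const unsigned char *image, size_t len) {
    for (size_t i = 0; i + KEY_LEN <= len; i++)
        if (memcmp(image + i, sample_key, KEY_LEN) == 0) return 1;
    return 0;
}

/* The mitigation the reply asks for: wipe key material before memory is dumped. */
void wipe_key(size_t offset) { secure_zero(kernel_mem + offset, KEY_LEN); }

/* Stand-alone demo: key is recoverable before the wipe and gone after it. */
int main(void) {
    static unsigned char image[IMAGE_LEN];
    load_key(1000);
    write_hibernation_image(image);
    int before = image_contains_key(image, IMAGE_LEN);   /* 1 */
    wipe_key(1000);
    write_hibernation_image(image);
    int after = image_contains_key(image, IMAGE_LEN);    /* 0 */
    return (before == 1 && after == 0) ? 0 : 1;
}
```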