You can generate all the hashes using any algorithm you care to mention but you cannot trust any of them if they were generated from a file system while the operating system whose files were being hashed was running, as Jason quite correctly points out. You need to boot the system using another OS (one that is known to be clean) and then hash the files from within that OS. This will defeat, in most cases, a root kit. I say "in most cases" as a root kit could load itself at boot time and then unload as the system is shutting down. However, even in this scenario, it would leave some trace of itself but not perhaps in the binaries you are examining.

What I would have to take exception to is an earlier assertion by Jason that a proprietary hashing algorithm would provide security through obscurity. This is a fallacy, and I rank it up there with proprietary encryption algorithms. Legal issues of the results provided by an algorithm aside, there are almost always commercial products available that provide you with what you need, and they incorporate proven algorithms that have withstood the scrutiny of experts in the field.

John Howie CISSP MCSE
President, Security Toolkit LLC

> -----Original Message-----
> From: Jason Coombs [mailto:jasoncat_private]
> Sent: Thursday, January 23, 2003 10:42 AM
> To: Kurt Seifried; adminat_private; forensicsat_private
> Subject: RE: CRC32 vd MD5
>
> A well-designed stealth rootkit would be certain to interfere with hash
> verification -- returning the expected hashes of compromised files so as to
> further reduce the chance of detection. The fact that the attacker/rootkit
> author can easily determine in advance what my authentic hashes are supposed
> to be is a legitimate risk in spite of the proven cryptographic safety of
> SHA-1, etc.
>
> This isn't paranoid, it's simply being aware of threats that exist in spite
> of the perfect cryptography we're all no-doubt using.
>
> Jason Coombs
> jasoncat_private

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
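The procedure Howie describes (record a baseline of file digests, then re-hash from a known-clean boot and compare) and the concern Coombs raises (the attacker can know the expected hashes in advance, so a manifest that merely lists them is itself a target) can be tied together in a small integrity checker. The following Python script is an added example written for this archive page; it is not code from either poster. It builds a constructed directory tree in a temporary folder, records SHA-256 digests, seals the manifest with an HMAC whose key is assumed to live on the examiner's clean boot media rather than on the host being checked, and then reports changed, missing and added files and rejects a manifest that has been edited to match a modified binary. File names and the key are constructed for the demonstration. Note that the comparison is only meaningful if the script is run from the clean OS, exactly as the post says: a kernel-level rootkit on the live system can feed the hashing tool the original bytes, and no digest or MAC can detect that.

```python
"""Offline file-integrity baseline and verification (added example).

Constructed demo: builds a small directory tree, records SHA-256 digests,
protects the manifest with an HMAC (key assumed to be kept off-host, e.g. on
the clean boot media), and reports changed/missing/added files. Designed to
be run from a known-clean boot, not from the suspect system's own OS.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _canonical(entries):
    # Deterministic serialization so the HMAC covers exactly the listed digests.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def seal_baseline(entries, key):
    """Attach an HMAC-SHA256 over the manifest; the key must not be stored on the host."""
    return {"entries": entries, "hmac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def open_baseline(sealed, key):
    """Return the manifest entries, refusing a manifest whose HMAC does not verify."""
    expected = hmac.new(key, _canonical(sealed["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline manifest failed HMAC check")
    return sealed["entries"]


def verify(root, sealed, key):
    """Compare the current tree against the sealed baseline and classify differences."""
    baseline = open_baseline(sealed, key)
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a constructed tree, tamper with it, and show what the checker reports."""
    key = b"constructed-demo-key-keep-on-clean-boot-media"  # assumption: off-host key
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed original ls")
        (root / "bin" / "ps").write_bytes(b"\x7fELF constructed original ps")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        sealed = seal_baseline(build_baseline(root), key)

        # Simulate what a later offline check might find: one binary replaced,
        # one configuration file dropped in, one file removed.
        (root / "bin" / "ps").write_bytes(b"\x7fELF constructed modified ps")
        (root / "etc" / "dropped.conf").write_text("constructed new file\n")
        (root / "etc" / "passwd").unlink()
        report = verify(root, sealed, key)

        # Simulate the risk Coombs describes: the manifest is edited so that the
        # listed digest matches the modified binary. Without the off-host key the
        # HMAC cannot be recomputed, so the edited manifest is rejected.
        forged = {"entries": dict(sealed["entries"]), "hmac": sealed["hmac"]}
        forged["entries"]["bin/ps"] = sha256_file(root / "bin" / "ps")
        try:
            verify(root, forged, key)
            manifest_tamper_detected = False
        except ValueError:
            manifest_tamper_detected = True
    return report, manifest_tamper_detected


if __name__ == "__main__":
    print(demo())
```

The HMAC only answers Coombs's point about the manifest being predictable and editable; it does nothing against a rootkit that returns pristine file contents to the reader, which is why Howie's offline boot remains the actual control and the script is meant to be run from it.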
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 07:34:12 PST