
Re: Debian auditing tool?

On Sat, Dec 23, 2000 at 03:30:08PM -0400, Peter Cordes wrote:
> On Fri, Dec 22, 2000 at 11:05:32PM -0900, Ethan Benson wrote:
> > On Fri, Dec 22, 2000 at 05:54:55PM -0400, Peter Cordes wrote:
> > > 
> > >  That's why you run the checker from a known-good floppy or CD.  The bogus
> > > kernel can't protect itself if it isn't running :)
> > 
> > don't be so sure, is the BIOS or firmware on your computer flashable?
> > if so an attacker could replace the firmware/BIOS itself to ensure
> > later trojans are installed.  
> Oh crap, I didn't think of that!  It would be a really hard attack if you
> didn't know what kernel was going to get loaded, but in theory there's no
> way around it, short of burning non-flashable ROMs!  (Well, you could take
> the drive out of the computer and test it in another computer.)

Yes, this little attack gets bandied about by paranoid people on a
regular basis.  AFAIK, the only malicious code which has been observed
to play with your BIOS is in 'doze virii which nuke it, but don't turn
it evil.

Although this attack is theoretically possible, it's probably not the
weakest link in your security chain.  Flashing a BIOS involves quite a
bit of effort, and is extremely platform dependent.  Do it in a less
than perfect way, and spectacular things happen.  The odds of doing
it without being noticed wouldn't be very good.

If you expect that a cracker might pour very large amounts of effort
into breaking your system (what *do* you use it for? :), you should read
your motherboard manual, and switch the jumpers to disable BIOS flashing.


|> |= -+- |= |>
|  |-  |  |- |\

Peter Eckersley
for techno-leftie inspiration, take a look at
