UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.
#121
Posted to uk.d-i-y
Idle fun for net hackers..
On Thu, 01 Mar 2012 14:50:36 +0000, The Natural Philosopher wrote:
> Jules Richardson wrote:
>> On Thu, 01 Mar 2012 06:30:06 +1100, Rod Speed wrote:
>>> Tim Watts wrote
>>>> The Natural Philosopher wrote
>>>>> exactly, An undetectable change that results in no detectable activity by anyone in the whole universe is not a security risk.
>>>> You may have a "potentially detectable" change, but for any practical detection mechanism, I feel fairly safe in asserting that it could potentially be hacked so as not to leave a trace *detectable by the detection mechanism*.
>>> Doesnt matter if you are fairly certain or not, there are obvious examples where that isnt possible. Most obviously with a full restore from image using a machine that isnt even net accessible.
>> Technically, is it possible to re-flash a PC's BIOS from a binary running with sufficient permissions under the host OS, such that malicious code could potentially run undetected following reboot, regardless of whether hard disk contents were restored from an image on another system?
> It is not clear that Linux uses the BIOS at all, except to boot.. I SUPPOSE the bios might write something to the disk during boot..

Yes, I don't think there's much BIOS interaction once a modern OS has booted, but the point is that BIOS code *is* run at system startup, so perhaps it's possible for some form of malicious BIOS to infect the machine's OS at boot time, even if that OS is a supposedly-clean image freshly installed from a 'secure' system.

> Its sort of along the lines of 'well you have smashed down the front door and all you are going to steal is a magazine?' in other words, given that sort of access, you could find easier targets.

Well the point would be that a user could think that their system was secure, even though malicious code existed on the system, just not actually on the hard disk.

If it is possible at all, I'd suspect that any form of malicious BIOS wouldn't actually be the virus, but would compromise the system's hard disk such that when the OS was booted something else was run which did the hard work. Getting malicious code into the system BIOS in the first place would be the tricky bit of course, and would rely on something nasty being run on the machine - but the "clever" part is that if the user spotted the infection and cleaned up, they might be blissfully unaware that the machine was still compromised. The dodgy code could easily sit around for months in the BIOS before triggering on a reboot. I'm just curious if modern systems prevent it from even being possible - or if it's just not common because at the moment there are currently far easier ways of attacking a system. The latter might change as systems become more secure (and/or users become more clueful about threats).

> Obviously what you want to build is a daemon that doesn't show up in the process table, either as a process or in terms of RAM used,... doesn't get logged, whose internet accesses don't get recorded in the machines ethernet statistics.. so its probably going to be a new ethernet driver..oh, and it must have the same file length and checksum as the proper one. And you must erase all entries in all logfiles relating to your access to install it.

I don't think the 'loader' stage would necessarily have to cover its tracks to that extent - it would just need to look like a regular old virus and re-flash the BIOS, while somehow concealing the fact it had done the latter (which I suspect is easy at present because AFAIK nobody habitually keeps a record of their BIOS checksum, so wouldn't know that it had been altered).

The major stumbling block from the virus point of view is the diversity of BIOS code out there - I suspect it would either have to detect the BIOS vendor and load malicious code from something internal to the 'loader' code, or "phone home" to fetch the appropriate code for the system it was trying to infect. The dodgy code which actually got installed in the BIOS area could probably just assume a SATA drive and some flavour of Windows, and that would cover a high enough proportion of running machines to make that aspect worthwhile.

cheers
Jules
#122
Posted to uk.d-i-y
Idle fun for net hackers..
Jules Richardson wrote
> Rod Speed wrote
>> Tim Watts wrote
>>> The Natural Philosopher wrote
>>>> exactly, An undetectable change that results in no detectable activity by anyone in the whole universe is not a security risk.
>>> You may have a "potentially detectable" change, but for any practical detection mechanism, I feel fairly safe in asserting that it could potentially be hacked so as not to leave a trace *detectable by the detection mechanism*.
>> Doesnt matter if you are fairly certain or not, there are obvious examples where that isnt possible. Most obviously with a full restore from image using a machine that isnt even net accessible.
> Technically, is it possible to re-flash a PC's BIOS from a binary running with sufficient permissions under the host OS,

Not with a system that has a jumper that has to be in a particular position before that can happen, and obviously if you are paranoid about that being done maliciously, you would only use one of those. And its perfectly possible to keep a hash of that anyway, so you can always detect when that has happened.

> such that malicious code could potentially run undetected following reboot, regardless of whether hard disk contents were restored from an image on another system? I've never heard of it happening, but I'm curious whether it could in theory be done.

Yes, its certainly possible but very easy to protect against and monitor if thats happened so it wont go undetected.
#123
Posted to uk.d-i-y
Idle fun for net hackers..
Jules Richardson wrote
> The Natural Philosopher wrote
>> Jules Richardson wrote
>>> Rod Speed wrote
>>>> Tim Watts wrote
>>>>> The Natural Philosopher wrote
>>>>>> exactly, An undetectable change that results in no detectable activity by anyone in the whole universe is not a security risk.
>>>>> You may have a "potentially detectable" change, but for any practical detection mechanism, I feel fairly safe in asserting that it could potentially be hacked so as not to leave a trace *detectable by the detection mechanism*.
>>>> Doesnt matter if you are fairly certain or not, there are obvious examples where that isnt possible. Most obviously with a full restore from image using a machine that isnt even net accessible.
>>> Technically, is it possible to re-flash a PC's BIOS from a binary running with sufficient permissions under the host OS, such that malicious code could potentially run undetected following reboot, regardless of whether hard disk contents were restored from an image on another system?
>> It is not clear that Linux uses the BIOS at all, except to boot.. I SUPPOSE the bios might write something to the disk during boot..
> Yes, I don't think there's much BIOS interaction once a modern OS has booted, but the point is that BIOS code *is* run at system startup, so perhaps it's possible for some form of malicious BIOS to infect the machine's OS at boot time, even if that OS is a supposedly-clean image freshly installed from a 'secure' system.

Yes, thats certainly possible.

>> Its sort of along the lines of 'well you have smashed down the front door and all you are going to steal is a magazine?' in other words, given that sort of access, you could find easier targets.
> Well the point would be that a user could think that their system was secure because even though malicious code existed on the system, but not actually on the hard disk.
> If it is possible at all, I'd suspect that any form of malicious BIOS wouldn't actually be the virus, but would compromise the system's hard disk such that when the OS was booted something else was run which did the hard work.

Sure, but that 'something else' would obviously be visible.

> Getting malicious code into the system BIOS in the first place would be the tricky bit of course, and would rely on something nasty being run on the machine - but the "clever" part is that if the user spotted the infection and cleaned up, they might be blissfully unaware that the machine was still compromised. The dodgy code could easily sit around for months in the BIOS before triggering on a reboot.

Yes, but it isnt hard to check if there has been any change to the bios.

> I'm just curious if modern systems prevent it from even being possible

Yes, thats why many systems have a jumper that has to be in a particular position before the bios can be replaced.

> - or if it's just not common because at the moment there are currently far easier ways of attacking a system.

Thats true too, its not very common at all.

> The latter might change as systems become more secure (and/or users become more clueful about threats).

And its easy enough to have a ute that checks if the jumper is in the write enable position and warn the user about that. And even easier to keep track of the bios hash and see if it gets changed.

>> Obviously what you want to build is a daemon that doesn't show up in the process table, either as a process or in terms of RAM used,... doesn't get logged, whose internet accesses don't get recorded in the machines ethernet statistics.. so its probably going to be a new ethernet driver..oh, and it must have the same file length and checksum as the proper one. And you must erase all entries in all logfiles relating to your access to install it.
> I don't think the 'loader' stage would necessarily have to cover its tracks to that extent - it would just need to look like a regular old virus and re-flash the BIOS, while somehow concealing the fact it had done the latter (which I suspect is easy at present because AFAIK nobody habitually keeps a record of their BIOS checksum,

Most modern bios in fact do that and have done for a long time now and notify when it gets changed.

> so wouldn't know that it had been altered).

Sure, but the paranoid can obviously check that as well as disk files.

> The major stumbling block from the virus point of view is the diversity of BIOS code out there - I suspect it would either have to detect the BIOS vendor and load malicious code from something internal to the 'loader' code, or "phone home" to fetch the appropriate code for the system it was trying to infect.

It likely wouldnt be that hard to find some generic place to put it.

> The dodgy code which actually got installed in the BIOS area could probably just assume a SATA drive and some flavour of Windows, and that would cover a high enough proportion of running machines to make that aspect worthwhile.

It isnt just the motherboard bios either, quite a few of the drives have code which can be replaced live too.
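Rod's suggestion in this post and the one before it, keeping a hash of the BIOS so that a re-flash shows up, as a worked example added here (it is not code from the thread or from any of the posters). It records a baseline for a dumped flash image and, on later runs, reports whether the image differs and in which 64 KiB block, which helps separate a legitimate change (settings storage, a vendor update you applied) from one you did not make. It assumes the image has already been read out to a file with a dumper such as flashrom (`flashrom -p internal -r bios.bin`); the block size, the file names and the JSON baseline layout are choices made for this example. Both the baseline and each later dump should be taken from a trusted boot medium rather than from the running OS, because a compromised OS can simply hand back the expected bytes.

```python
"""Baseline-and-compare check for a dumped firmware (BIOS) image.

Added example, not from the thread. The image is assumed to have been
dumped to a file already (e.g. with flashrom); this code only records
and compares hashes.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Optional

# Block granularity for localising a change. 64 KiB is a common flash
# erase-block size, but here it is simply a choice made for the example.
BLOCK_SIZE = 64 * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def describe_image(image: bytes, block_size: int = BLOCK_SIZE) -> Dict:
    """Whole-image hash plus one hash per block, so a later diff can say
    where in the image a change happened, not only that it happened."""
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    return {
        "size": len(image),
        "sha256": sha256_hex(image),
        "block_size": block_size,
        "block_sha256": [sha256_hex(b) for b in blocks],
    }


def compare_to_baseline(image: bytes, baseline: Optional[Dict]) -> Dict:
    """Compare a fresh dump against a stored baseline.

    status is one of:
      'baseline-created' - no baseline yet; the caller should store 'current'
      'unchanged'        - size, whole-image hash and every block match
      'changed'          - something differs; see changed_blocks / changed_offsets
    """
    if baseline is None:
        return {"status": "baseline-created", "current": describe_image(image),
                "size_changed": False, "changed_blocks": [], "changed_offsets": []}

    current = describe_image(image, baseline["block_size"])
    old, new = baseline["block_sha256"], current["block_sha256"]
    # Blocks whose hash differs, plus any block present in only one of the
    # two dumps (a truncated or grown image counts as changed as well).
    changed: List[int] = [i for i, (a, b) in enumerate(zip(old, new)) if a != b]
    changed += list(range(min(len(old), len(new)), max(len(old), len(new))))
    size_changed = current["size"] != baseline["size"]
    hash_changed = current["sha256"] != baseline["sha256"]
    status = "changed" if (size_changed or hash_changed or changed) else "unchanged"
    return {
        "status": status,
        "current": current,
        "size_changed": size_changed,
        "changed_blocks": changed,
        "changed_offsets": [i * baseline["block_size"] for i in changed],
    }


def check_image_file(image_path: Path, baseline_path: Path) -> Dict:
    """File-level wrapper: compare the dump at image_path with the JSON
    baseline at baseline_path, creating the baseline on the first run."""
    baseline = json.loads(baseline_path.read_text()) if baseline_path.exists() else None
    report = compare_to_baseline(image_path.read_bytes(), baseline)
    if report["status"] == "baseline-created":
        baseline_path.write_text(json.dumps(report["current"], indent=2))
    return report


if __name__ == "__main__":
    import sys
    # Usage: python bios_check.py bios.bin bios.baseline.json   (names are examples only)
    rep = check_image_file(Path(sys.argv[1]), Path(sys.argv[2]))
    print(rep["status"], "changed blocks at offsets:", [hex(o) for o in rep["changed_offsets"]])
```

Keep the baseline JSON somewhere the machine under test cannot write to (removable media, another host), otherwise the same code that re-flashed the BIOS can rewrite the baseline to match. A change confined to one block is worth comparing against what the vendor's layout puts at that offset before concluding anything; a change in the blocks that hold boot code, with no update applied, is the case Rod's hash check is there to catch.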
#124
Posted to uk.d-i-y
Idle fun for net hackers..
Tim Streater wrote:
> In article , Jules Richardson wrote:
>> Yes, I don't think there's much BIOS interaction once a modern OS has booted, but the point is that BIOS code *is* run at system startup ...
> Only if you have a machine with a BIOS.

I am not sure how you bootstrap an OS without a modicum of BIOS or at least a ROM based boot loader. Unless the whole machine runs out of ROM..

--
To people who know nothing, anything is possible. To people who know too much, it is a sad fact that they know how little is really possible - and how hard it is to achieve it.
#125
Posted to uk.d-i-y
Idle fun for net hackers..
"The Natural Philosopher" wrote in message ...
> dennis@home wrote:
>> Are you sure he is a troll, I thought he was just thick, very thick.
> Its always a mistake to see yourself in others, dennis.

That's true, my biggest failing is crediting others with too much intelligence. You won't get that benefit again.
#126
Posted to uk.d-i-y
Idle fun for net hackers..
dennis@home wrote:
> "The Natural Philosopher" wrote in message ...
>> dennis@home wrote:
>>> Are you sure he is a troll, I thought he was just thick, very thick.
>> Its always a mistake to see yourself in others, dennis.
> That's true, my biggest failing is crediting others with too much intelligence.

indeed. You feel that they are at least as intelligent as a medium sized frog, where you can only manage bacterial levels. I have concluded that most people are so far ahead of you that you are simply unable to recognise where they are at all.

> You won't get that benefit again.

Nothing you have ever said on this group has been of any benefit to me whatsoever apart from occasionally being so stupid its actually amusing.

--
To people who know nothing, anything is possible. To people who know too much, it is a sad fact that they know how little is really possible - and how hard it is to achieve it.
#127
Posted to uk.d-i-y
Idle fun for net hackers..
On 01/03/2012 14:50, The Natural Philosopher wrote:
> Jules Richardson wrote:
>> On Thu, 01 Mar 2012 06:30:06 +1100, Rod Speed wrote:
>>> Tim Watts wrote
>>>> The Natural Philosopher wrote
>>>>> exactly, An undetectable change that results in no detectable activity by anyone in the whole universe is not a security risk.
>>>> You may have a "potentially detectable" change, but for any practical detection mechanism, I feel fairly safe in asserting that it could potentially be hacked so as not to leave a trace *detectable by the detection mechanism*.
>>> Doesnt matter if you are fairly certain or not, there are obvious examples where that isnt possible. Most obviously with a full restore from image using a machine that isnt even net accessible.
>> Technically, is it possible to re-flash a PC's BIOS from a binary running with sufficient permissions under the host OS, such that malicious code could potentially run undetected following reboot, regardless of whether hard disk contents were restored from an image on another system?
> It is not clear that Linux uses the BIOS at all, except to boot.. I SUPPOSE the bios might write something to the disk during boot..

It's not necessary to write anything to the disc. You just have to alter what it reads. Or for that matter, most discs these days can have their own firmware altered...

>> I've never heard of it happening, but I'm curious whether it could in theory be done.
> Its sort of along the lines of 'well you have smashed down the front door and all you are going to steal is a magazine?' in other words, given that sort of access, you could find easier targets.
> Obviously what you want to build is a daemon that doesn't show up in the process table, either as a process or in terms of RAM used,... doesn't get logged, whose internet accesses don't get recorded in the machines ethernet statistics.. so its probably going to be a new ethernet driver..oh, and it must have the same file length and checksum as the proper one. And you must erase all entries in all logfiles relating to your access to install it.

Most of that can be overcome. For example the file doesn't have to be the same length, it merely needs to be reported as the same length. It won't show up in the process table because it's intercepted the "getNextProcess" call to leave itself out. Or whatever mechanisms your OS uses.

> Whilst all that is theoretically possible, I am not sure that I could actually find a way to implement it, let alone install it. And YOU want a boot ROM to do that?

It's vanishingly unlikely that anyone could do it. But that isn't ZERO probability any more than the national debt is infinite.

> Now then the risk that you could shoot off my kneecap without me noticing?

As has been said, it depends what else is going on. If you cut my head off at the same moment I'm quite likely not to notice.

> Now I'm sure beyond reasonable doubt that my machine is clean.

I'm not certain - the men in the black helicopters _could_ have got to Intel and AMD to make all the worlds processors misbehave just for me. (But I'm not _that_ paranoid)

> Now then: How many angels can dance on the head of a pin?

This is a similar question in a way - is the answer infinite, or some arbitrary finite number?

Andy
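Andy's point that a process can stay out of the process table by intercepting whatever call enumerates processes is what the defender's "cross-view" check is built on: a hook that filters one view of the system usually leaves another view untouched, so the two are compared and anything present in only one is flagged. The following is an added example written for this page (not code from the thread or from any poster) that compares the /proc directory listing on Linux with the result of probing every PID with signal 0; the probe view, the thread-ID handling and the pid_max lookup are assumptions about a Linux host, and the set comparison itself is kept pure so it can be exercised with constructed inputs.

```python
"""Cross-view check for processes hidden from the process listing.

Added example, not from the thread. Two independent views are compared:
what /proc lists, and which PIDs answer a kill(pid, 0) probe. Linux only.
"""
import os
from typing import Dict, FrozenSet, Set


def listed_pids_and_tids() -> Set[int]:
    """View 1: everything /proc lists, including threads under /proc/<pid>/task.
    Threads are included because kill(tid, 0) succeeds for a thread id too, and
    they would otherwise be reported as false 'hidden' hits."""
    ids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listdir calls
    return ids


def probed_pids(max_pid: int) -> Set[int]:
    """View 2: ask the kernel about each PID directly. ESRCH (ProcessLookupError)
    means no such process; EPERM (PermissionError) means it exists but is not ours."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def pid_max(default: int = 32768) -> int:
    """Upper bound for the probe; falls back to the classic default if unreadable."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return default


def cross_view_diff(listed: Set[int], probed: Set[int],
                    ignore: FrozenSet[int] = frozenset()) -> Dict[str, Set[int]]:
    """'hidden': answers a probe but is missing from the listing (the interesting case).
    'phantom': listed but does not answer a probe, normally a process that exited
    between the two snapshots rather than anything sinister."""
    return {
        "hidden": (probed - listed) - ignore,
        "phantom": (listed - probed) - ignore,
    }


def run_check() -> Dict[str, Set[int]]:
    """Take the listing either side of the probe so that a short-lived process
    which appears in either listing is not reported as hidden."""
    before = listed_pids_and_tids()
    probed = probed_pids(pid_max())
    after = listed_pids_and_tids()
    return cross_view_diff(before | after, probed, ignore=frozenset({os.getpid()}))


if __name__ == "__main__":
    result = run_check()
    print("hidden:", sorted(result["hidden"]), "phantom:", sorted(result["phantom"]))
```

Run it as root: with `/proc` mounted with `hidepid`, an unprivileged user's listing is deliberately restricted while the probe still sees other users' processes as EPERM, which would show up as "hidden" without being so. On hosts with a large `pid_max` the probe loop takes a few seconds. The limitation is the one the thread keeps coming back to: code that hooks the kernel deeply enough to filter both views defeats any check run from inside the same OS, which is why the dependable reference is a comparison made from a trusted boot medium or an offline disk image.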
#128
Posted to uk.d-i-y
Idle fun for net hackers..
"The Natural Philosopher" wrote in message ...
> Tim Streater wrote:
>> In article , Jules Richardson wrote:
>>> Yes, I don't think there's much BIOS interaction once a modern OS has booted, but the point is that BIOS code *is* run at system startup ...
>> Only if you have a machine with a BIOS.
> I am not sure how you bootstrap an OS without a modicum of BIOS or at least a ROM based boot loader. Unless the whole machine runs out of ROM..

Just wandering idly by after a holiday break. Just wondered (reading all this stuff) if something was inserted into RAM at boot time, ran memory resident, and kept an area of SWAP for any data storage, how detectable would it be in the log files?

Or even if it used raw access to the disc to use any spare, unformatted areas or suchlike? Certainly wouldn't show up on any checksum of the filestore.

--
No plan survives contact with the enemy. [Not even bunny]
Helmuth von Moltke the Elder
(\__/)
(='.'=)
(")_(")
#129
Posted to uk.d-i-y
Idle fun for net hackers..
David WE Roberts wrote:
> "The Natural Philosopher" wrote in message ...
>> Tim Streater wrote:
>>> In article , Jules Richardson wrote:
>>>> Yes, I don't think there's much BIOS interaction once a modern OS has booted, but the point is that BIOS code *is* run at system startup ...
>>> Only if you have a machine with a BIOS.
>> I am not sure how you bootstrap an OS without a modicum of BIOS or at least a ROM based boot loader. Unless the whole machine runs out of ROM..
> Just wandering idly by after a holiday break. Just wondered (reading all this stuff) if something was inserted into RAM at boot time, ran memory resident, and kept an area of SWAP for any data storage, how detectable would it be in the log files?

If it didn't log, it wouldn't be in the logs. But you would need to install the program that did it, and that would be root access and would be logged. Ram comes empty - or random rather. Anything to be put into it needs a disk based file. Disk based files are detectable.

> Or even if it used raw access to the disc to use any spare, unformatted areas or suchlike? Certainly wouldn't show up on any checksum of the filestore.

--
To people who know nothing, anything is possible. To people who know too much, it is a sad fact that they know how little is really possible - and how hard it is to achieve it.
#130
Posted to uk.d-i-y
Idle fun for net hackers..
David WE Roberts wrote:
> "The Natural Philosopher" wrote in message ...
>> Tim Streater wrote:
>>> In article , Jules Richardson wrote:
>>>> Yes, I don't think there's much BIOS interaction once a modern OS has booted, but the point is that BIOS code *is* run at system startup ...
>>> Only if you have a machine with a BIOS.
>> I am not sure how you bootstrap an OS without a modicum of BIOS or at least a ROM based boot loader. Unless the whole machine runs out of ROM..
> Just wandering idly by after a holiday break. Just wondered (reading all this stuff) if something was inserted into RAM at boot time, ran memory resident, and kept an area of SWAP for any data storage, how detectable would it be in the log files? Or even if it used raw access to the disc to use any spare, unformatted areas or suchlike? Certainly wouldn't show up on any checksum of the filestore.

You'd still have to get it inserted into ram at boot time without leaving any traces of getting that onto the system.