19.8 Planting False Data

Once the cracker has gotten control of your system he can read any file, alter any file, create any new file, and remove any file, all without your knowing it. Even if you use a strong encryption algorithm that the NSA itself would have difficulty breaking, and allow sensitive information to exist unencrypted only in memory, he simply reads the unencrypted data out of memory. This is not hard for a good cracker to do, and the best crackers will leave no trace of their intrusion.

Your confidential company plans, details on your customers, financial data (including bank and credit card numbers and passwords), orders, Web pages, resumes, confidential documents relating to legal matters, etc. all can be read or even altered. The potential cost to you could be rather substantial. This is why it is so important to have a defense that is hard to penetrate and that, if it is penetrated, is detected quickly. It is also why having intrusion attempts activate SysAdmins' pagers, remote logging, and a prepared, detailed plan of action is so valuable.

Frequently, a cracker will probe for known vulnerabilities until she finds one. If you detect her first by detecting such probing, you can stop her.



19.9 Altered Monitoring Programs

Any talented cracker will alter your ps, ls, who, and other trusted programs that you would use, so that these programs do not show his intrusions. This is not unusual at all. It is suggested that you keep copies of these basic programs buried in an obscure directory to be used in this event. This is discussed in "Advanced Preparation" on page 547.

Understand you could be in "the house of mirrors," not knowing which programs, files, or even kernel system calls are real and which have been altered by the cracker.


It is possible that a cracker could have altered sum or md5sum, so you cannot even be sure that your backup copy of ls really is untouched. It is theoretically possible for mount and the kernel to be altered so that even if you mount a read-only floppy of trusted tools, you might not be able to trust them. On a system where root may have been compromised, use of any existing programs should be limited to trying to detect what cracker tools might be running at that moment. The only reason even for doing this is that there might not be copies of the running executables on disk, so the running processes may be your only chance to capture them. See "Regaining Control of Your System" on page 671 for details on this.
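The two checks described above, as an added example that is not from the book: a baseline manifest of hashes for the trusted programs, built while the system is known good and verified later with a checksum tool supplied from trusted media (the HASHER variable is an assumption of this example, as is the use of sha256sum in place of the md5sum the text mentions), and a scan of /proc for processes whose executable has been unlinked from disk, which is the case the text warns about where the running process is the only remaining copy.

```shell
#!/bin/sh
# Added example, not code from the book. Assumes a POSIX shell, a
# sha256sum-compatible tool, and a Linux-style /proc layout. Point HASHER
# at a checksum program copied from trusted, write-protected media; the one
# in /usr/bin may itself have been replaced by the cracker.
HASHER="${HASHER:-sha256sum}"

# build_manifest MANIFEST FILE...
# Record the hash of each trusted binary. Run this when the system is
# known to be clean and keep the manifest off the machine (or on
# write-protected media), not on the disk the cracker can edit.
build_manifest() {
    manifest="$1"; shift
    : > "$manifest"
    for f in "$@"; do
        "$HASHER" "$f" >> "$manifest" || return 1
    done
}

# verify_manifest MANIFEST
# Print one line per binary that is missing or whose hash no longer matches
# the manifest. Returns 1 if anything differs, 0 if every entry matches.
# (Paths containing spaces are not handled; keep the manifest to plain
# system paths such as /bin/ps and /bin/ls.)
verify_manifest() {
    manifest="$1"
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$("$HASHER" "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "ALTERED  $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# find_deleted_exes [PROCDIR]
# List "PID target" for every process whose executable has been removed
# from the filesystem: the kernel marks such exe links with "(deleted)".
# A cracker's tool started from a file that was then unlinked shows up
# here, and /proc/PID/exe is the only place left to copy it from
# (e.g. cp /proc/PID/exe /mnt/floppy/evidence.PID).
find_deleted_exes() {
    procdir="${1:-/proc}"
    for exe in "$procdir"/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${exe%/exe}; pid=${pid##*/}
                echo "$pid $target"
                ;;
        esac
    done
}

# Typical use (run with HASHER set to the copy on trusted media):
#   build_manifest /mnt/floppy/manifest /bin/ps /bin/ls /usr/bin/who /bin/netstat
#   ...later, after a suspected break-in...
#   verify_manifest /mnt/floppy/manifest
#   find_deleted_exes
```

The point of the manifest is that the comparison is only as good as the tool doing the hashing and the kernel serving the file contents, which is exactly the "house of mirrors" problem: treat a clean result from a possibly compromised box as weak evidence, and a mismatch or a "(deleted)" executable as strong evidence that something is wrong.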



19.10 Stuck in the House of Mirrors

It is clear that with a compromised system you do not know what is real and what is not. You cannot even shove a trusted boot floppy in the drive and issue the reboot command to boot it up, because the reboot command might be a fake one, installed by the crackers, that really reboots the compromised system (or quietly cleans up their tracks first). Issuing a sync command and pressing the reset button is more trustworthy, though even sync could have been replaced.

Ensure that you either have secure boot floppies or you have some other secure way either to boot this system or to boot another Linux system. Preferably, you made the secure boot floppies when you created the system (or when you knew that it was secure) and kept them in a physically secure area and write-protected.

Now take down the system. The simpler the method, the better. Remember that the cracker might have altered the shutdown process to hide his tracks when the system is shut down. It might be best simply to let the system sit idle for five minutes (to allow init to do its periodic sync() so the filesystems are flushed) and then press and hold the reset button. While holding the reset button, turn off the power. Disconnect the system from all networks and modems that it still might be connected to.
