Live CDs for the practically paranoid

What live CDs are out there for those who want to explore potentially hostile online territory?

Not privacy stuff like TAILS or LPS... I mean a hardened live environment. The sort of live CD you could use to poke around on known attack sites, without significant risk of your installed OS getting compromised.

What's out there along those lines? And if there aren't any, what are the best tools for building one myself?

 

puppy linux

 

Sadly that is exactly the opposite of what I was thinking of.

 

PClinuxOS? Lightweight Portable Security? NetSecL (just been updated)? ADIOS? AntiX?

 

http://www.jggimi.homeip.net/livecd/downloads.html

http://openbsd.maroufi.net/download_en.shtml

 

Backtrack simply because it has so many tools on the livecd.
You don't specifically need a hardened environment - quite a lot of security testing tools need liberal permissions. Just something throwaway would suffice which all livecd are.

 

I think there was a specific LiveCD that was from the gov't for this.

But I wouldn't rely on a LiveCD. Your session can still be compromised and it can (unless hardened for specific purposes) still mount your other devices.

 

i use fedora live cd / redhat types centos SL.......etc

with password for root

and java script cookies disable

and i block is anything enable also icmp form gui firewall its pretty nice and easy on fedora/redhat 6 base distro

 

Lightweight Portable Security

--http://www.spi.dod.mil/lipose.htm--

That is if you trust the "US" government.

I know the OP discounted it, LPS does not access the local hard disk drive.

also

WEBCONVERGER - The Opensource Web Kiosk

--http://webconverger.com/--

Does not need a hard disk drive and does not access one if installed.

I would think LPS would be more secure, because of it's roots.

rrrh1 (arch1)

Edited: forgot information because was interrupted while making post.

 

HI
I am wondering what are "these hostile online territories" ?
Using a LiveCD means using a red only OS, then any GOOD live CD would be enough since all access to any device is disabled (if not, an autorun malware could infect any connected pendrive for instance).
More over, we need to consider that most infected web pages targuets Windows platform...
And by experience, for offensive or defensive tasks, i have never been infected by any kind of malwares when using a LiveCD.
There is possible attacks, but code persistence is Statistically nearlly impossible in practise...
Toppic already covered on this board, especially on this Unix/Linux section
https://www.wilderssecurity.com/showthread.php?t=277750&highlight=liveCD attack

Regarding the distribution, the question is too vague to list one of them in particular...but maybe FortressLinux could be intereting for some users
http://www.fortresslinux.org/

rgds

 

Depending on the LiveCD device access may not be disabled and persistence may be much easier than on a typical machine. If you're running an Ubuntu livecd for example (or Fedora or Puppy) there is no root password and an attacker can mount the disks with no issue.

 

I've been wondering about this. Will a live cd prevent a XSS attack, either persistent or non-persistent (the most common type) from occurring? Currently, I'm most interested in this type of attack, because I feel all others that I'm aware of are easily prevented or at least significantly mitigated. I would only consider using a live cd for banking or similar secure login to web services, but not so much if they can't prevent this type of attack.

 

I typically run LiveCDs as VMs with no disks.

 

I would NOT recommend a live CD for what you want to do. Live CDs are typically not hardened because they lack the most current updates, and they won't be updated in the future because they're frozen in time at the moment you burned the .iso.

If you want to surf hostile online territory, I would recommend an uber-hardened linux distro installed in a virtual machine- create a snapshot of the most secured OS you can manage. After each dodgy browsing session, you can just revert to the snapshot so that nothing can be saved.

Don't forget that if you log into any online accounts while also browsing the hostile sites, then you'll probably get your credentials stolen. So I would totally avoid any site that requires a log-in when you're doing this.

Although the best alternative is probably a fully sandboxed OS.

 

Thanks... I was hoping a live CD or other read-only medium might provide something workable on less powerful machines (i.e. not fast enough to run a decent VM). But if it's hazardous, I'll avoid it.

 

hi
As i said previously in my post, LveCD are Statistically secure, that s why they are widely used by hackers for servers rooting or defacement.
This thing said, there is no slution that provides 100% security.
With serial "if" we enter directly in science fiction...
Here again it is important to focus on Statistical Security/Insecurity, and not on Hypothetical Insecurity...
Risk is a variable of any life and task...and IF we consider some possible "IF scenarios" listed by the NSC, then it is perhaps suited to take immediately his place in the cimetarry http://www.nsc.org/news_resources/injury_and_death_statistics/pages/theoddsofdyingfrom.aspx
From my point of view, the most interesting solutions to avoid code persistence and infection are the use of LiveCD, a VM, or alternative OS (not Windows/Linux based/MacOS).
I use known or self customed liveCD since 6 years on known infected sites, and i have never been afraid of code persistence...on the Bios or the firmware network card/router...
Even if a few years ago, psybot worm targetted some routers:
http://www.zdnet.com/blog/security/stealthy-router-based-botnet-worm-squirming/2972

In practise, there is much more risks on Man in The middle and web application attacks ( http://en.wikipedia.org/wiki/Web_application_security ), which include wat0114 XSS and various attacks on cookies.
As they are client (mostly browser)/server (web site) attacks, we can only mitigate risks on our host, and take care of some web sites.
On hotspots, especially on some areas (airport/train station or Hotel/congress frequented by buzinessman, politicians etc), risks increase if we consider the last Defcon conference about PPTL/MS-CHAPv2 attacks
https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Marlinspike
And there is specific distro available for wireless or web appliaction offensive tasks, free or paid ( http://www.secpoint.com/portable-penetrator.html ).
For those who bank and shop online with VPN, using virtual keyboard is not enough, and a more robust protocol is necessary like EAP/TTLS
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TTLS
This reminds me what happened to a known forensic investigator in France during the French BlackHat SSTIC sessions (compromission of mail and blog logins) http://translate.google.fr/translat...zythom-la-vengeance-des-frustres.html&act=url
Then with any hosted solution, LiveCD, hardened or/and alternative OS, or VM based, there is no way to elimate risk or a potential attack on your logins (mail, Facebook, bank )
It would be too long to answer to wat0114 question, but a good way to mitigate XSS and variant (CRSF) attacks is an hardened/sandboxed/virtual browser...then if you run from a .vmx or not LiveCD, this can be done on the cloud with Spoon studio solution http://spoon.net/browsers/
There is various way to build a secure station or OS for all kind of tasks, in an easy way or in hard way (LNFS).
Linux USB Creator provides a portable and Virtual Box protected environment for many distributions http://www.linuxliveusb.com/
As a plus protection, just write protect or "full space" it to mitigate risks.
MobaLive CD also provide an easy way tu try and run the Live CD directly from Windows with the help of Quemu emulator http://mobalivecd.mobatek.net/

It is also not difficult to build a virtual environment on USB devices or any desktop.
Using alternative OS is an interesting idea; and if OpenBSD is popular, i guess that exotic OS appears much more interesting as compatible malwares are very rare...why not a try with VMAROS/ICAROS http://vmwaros.blogspot.fr/2009/12/icaros-desktop-live-is-complete.html
Or Haiku, Syllabe, MenuOs, Kolibri...
Of course Johanna Qubes OS IS very interesting to
http://qubes-os.org/Home.html
But why not a French military OS like Polyxene http://www.polyxene.com/
Also interesting is the instant on OS alternative http://en.wikipedia.org/wiki/Instant_on
Splashtop is free, Presto seems discontinued and Mandriva one not updated...

As we see, there is various way to have a surf on hostile environmements like those listed by Malwaredomainlist.
Since there is no important information exposed in clear (any login), then the risk, despite possible and hypothetical labotory attack scenario, is very minor.
As i post here mostly to practise my english, and as i do not use any corrector, then sorry for the possible mistakes.

Rgds

 

100 % safety and security is impossible to obtain 100% of the time.

I used a LiveCD in an older computer that had no hard drive. I never logged in to any sites and never worried about anything persisting across sessions (reboot).

A session could be compromised while active only.

Have a good day !!

rrrh1 (arch1)

 

Thanks for the info, kareldjag!

So many seem to tout a live cd as the way to bank online, but in the case of, say, a persistent xss breach:

1. malicious script is saved to server's database because server doesn't sanitize html or script code.
2. user logs in and navigates to the location
3. script launches automatically (no user action required!)
4. user's session cookie is stolen and attacker takes over session.

or in the case of the far more common non-persistent (reflected) attack:

1. user clicks on link in email sent by attacker (social engineering).
2. user log in and personal info is "reflected" back to user because server doesn't sanitize output info and re-directed to attacker.
3. Attacker now potentially has login info or even the user's cookie.

How does a live cd prevent this any more than from a browser run in an O/S on real hardware? I see, kareldjag, you provided some info on this, which I'll check out. Thanks again.

Now I doubt any bank worth their salt would allow these vulnerabilities in their servers, but one never knows. Probably this is more likely in a blog forum or amateur run web service? Just a thought. Also as Brandi points out, the longer that cd sits in the "tool box" the more out of date and potentially vulnerable the applications on it become. I know nothing is saved to the disk, but what's so difficult about deleting history afterwards? Besides, I don't think xss requires that to happen, unless I'm missing something?

 

wat0114, you're exactly right.

It doesn't. If you install add-ons like Notscripts, WoT, etc. in your browser to harden it, then you're better off. But you can't do that on a live CD. Hence the limitation.

Using a live CD for banking is off-topic from the original question. I don't recommend a live CD for the original question. If you want to use a live CD for banking, then it could work. If you only go to your bank's website in any session, then the chances of your credentials being stolen are extremely low IMO.

 

Thanks Brandi! Agreed, the banking scenario or similar may not be "hostile territory" as is mentioned in the original question, but then I think a script-vulnerable server (one that doesn't sanitize input/output) could become hostile territory

 

Yes. I guess it's a matter of trust. Any bank worth their salt should have a very mature security model in place, making that kind of vulnerability exceedingly unlikely. (Aside from the fact that banks are required to do so under regulations). If you don't trust your bank to have such a hardened system, then maybe you should think about moving your money to a different bank before you worry about protecting yourself from your bank's insecure servers.

I guess I'm saying keep it in perspective.

 

Back to the original question... Just today I watched a webinar about this very thing. Look into these options to more efficiently and safely explore the dark side:

• Honeypots
• Honeyclients
• Sandboxes

There are low-interaction versions of honeypots & honeyclients which are just programs emulating servers or applications. Then there are high-interaction honeypots & honeyclients which are actual operating systems hardened & isolated.

 

Yes you can add add-ons to a live cd, I've done it many times. They work. Most live CD' will even let you update the software even. Ubuntu is a clear example of a LIVECD that does just that.

OP I'm not sure what's wrong with Talis or Liberte Linux They would be pretty good for surfing dangerous sites. Just take out/disconnect your hard drive and let it run from RAM if your that paranoid. Both Liberte & Talis take security very seriously I'd imagine.

 

LiveCDs use TempFS to allow you to install software. It obviously is not persistent.

 

I agree 100%.