Live CDs for the practically paranoid

Discussion in 'all things UNIX' started by Gullible Jones, Aug 17, 2012.

Thread Status:
Not open for further replies.
  1. What live CDs are out there for those who want to explore potentially hostile online territory?

    Not privacy stuff like TAILS or LPS... I mean a hardened live environment. The sort of live CD you could use to poke around on known attack sites, without significant risk of your installed OS getting compromised.

    What's out there along those lines? And if there aren't any, what are the best tools for building one myself?
     
  2. guest

    guest Guest

    puppy linux:thumb:
     
  3. Sadly that is exactly the opposite of what I was thinking of. :p
     
  4. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,414
    PClinuxOS? Lightweight Portable Security? NetSecL (just been updated)? ADIOS? AntiX?
     
    Last edited: Aug 18, 2012
  5. guest

    guest Guest

  6. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Backtrack simply because it has so many tools on the livecd.
    You don't specifically need a hardened environment - quite a lot of security testing tools need liberal permissions. Just something throwaway would suffice which all livecd are.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think there was a specific LiveCD that was from the gov't for this.

    But I wouldn't rely on a LiveCD. Your session can still be compromised and it can (unless hardened for specific purposes) still mount your other devices.
     
  8. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    i use fedora live cd / redhat types centos SL.......etc

    with password for root

    and java script cookies disable

    and i block is anything enable also icmp form gui firewall its pretty nice and easy on fedora/redhat 6 base distro
     
  9. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    202
    Lightweight Portable Security

    --http://www.spi.dod.mil/lipose.htm--

    That is if you trust the "US" government.

    I know the OP discounted it, LPS does not access the local hard disk drive.

    also

    WEBCONVERGER - The Opensource Web Kiosk

    --http://webconverger.com/--

    Does not need a hard disk drive and does not access one if installed.

    I would think LPS would be more secure, because of it's roots.

    rrrh1 (arch1)

    Edited: forgot information because was interrupted while making post.
     
    Last edited: Aug 19, 2012
  10. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    HI
    I am wondering what are "these hostile online territories" ?
    Using a LiveCD means using a red only OS, then any GOOD live CD would be enough since all access to any device is disabled (if not, an autorun malware could infect any connected pendrive for instance).
    More over, we need to consider that most infected web pages targuets Windows platform...
    And by experience, for offensive or defensive tasks, i have never been infected by any kind of malwares when using a LiveCD.
    There is possible attacks, but code persistence is Statistically nearlly impossible in practise...
    Toppic already covered on this board, especially on this Unix/Linux section
    https://www.wilderssecurity.com/showthread.php?t=277750&highlight=liveCD attack

    Regarding the distribution, the question is too vague to list one of them in particular...but maybe FortressLinux could be intereting for some users
    http://www.fortresslinux.org/

    rgds
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Depending on the LiveCD device access may not be disabled and persistence may be much easier than on a typical machine. If you're running an Ubuntu livecd for example (or Fedora or Puppy) there is no root password and an attacker can mount the disks with no issue.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    I've been wondering about this. Will a live cd prevent a XSS attack, either persistent or non-persistent (the most common type) from occurring? Currently, I'm most interested in this type of attack, because I feel all others that I'm aware of are easily prevented or at least significantly mitigated. I would only consider using a live cd for banking or similar secure login to web services, but not so much if they can't prevent this type of attack.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I typically run LiveCDs as VMs with no disks.
     
  14. BrandiCandi

    BrandiCandi Guest

    I would NOT recommend a live CD for what you want to do. Live CDs are typically not hardened because they lack the most current updates, and they won't be updated in the future because they're frozen in time at the moment you burned the .iso.

    If you want to surf hostile online territory, I would recommend an uber-hardened linux distro installed in a virtual machine- create a snapshot of the most secured OS you can manage. After each dodgy browsing session, you can just revert to the snapshot so that nothing can be saved.

    Don't forget that if you log into any online accounts while also browsing the hostile sites, then you'll probably get your credentials stolen. So I would totally avoid any site that requires a log-in when you're doing this.

    Although the best alternative is probably a fully sandboxed OS.
     
    Last edited by a moderator: Aug 20, 2012
  15. Thanks... I was hoping a live CD or other read-only medium might provide something workable on less powerful machines (i.e. not fast enough to run a decent VM). But if it's hazardous, I'll avoid it.
     
  16. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi
    As i said previously in my post, LveCD are Statistically secure, that s why they are widely used by hackers for servers rooting or defacement.
    This thing said, there is no slution that provides 100% security.
    With serial "if" we enter directly in science fiction...
    Here again it is important to focus on Statistical Security/Insecurity, and not on Hypothetical Insecurity...
    Risk is a variable of any life and task...and IF we consider some possible "IF scenarios" listed by the NSC, then it is perhaps suited to take immediately his place in the cimetarry http://www.nsc.org/news_resources/injury_and_death_statistics/pages/theoddsofdyingfrom.aspx
    From my point of view, the most interesting solutions to avoid code persistence and infection are the use of LiveCD, a VM, or alternative OS (not Windows/Linux based/MacOS).
    I use known or self customed liveCD since 6 years on known infected sites, and i have never been afraid of code persistence...on the Bios or the firmware network card/router...
    Even if a few years ago, psybot worm targetted some routers:
    http://www.zdnet.com/blog/security/stealthy-router-based-botnet-worm-squirming/2972

    In practise, there is much more risks on Man in The middle and web application attacks ( http://en.wikipedia.org/wiki/Web_application_security ), which include wat0114 XSS and various attacks on cookies.
    As they are client (mostly browser)/server (web site) attacks, we can only mitigate risks on our host, and take care of some web sites.
    On hotspots, especially on some areas (airport/train station or Hotel/congress frequented by buzinessman, politicians etc), risks increase if we consider the last Defcon conference about PPTL/MS-CHAPv2 attacks
    https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Marlinspike
    And there is specific distro available for wireless or web appliaction offensive tasks, free or paid ( http://www.secpoint.com/portable-penetrator.html ).
    For those who bank and shop online with VPN, using virtual keyboard is not enough, and a more robust protocol is necessary like EAP/TTLS
    http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TTLS
    This reminds me what happened to a known forensic investigator in France during the French BlackHat SSTIC sessions (compromission of mail and blog logins) http://translate.google.fr/translat...zythom-la-vengeance-des-frustres.html&act=url
    Then with any hosted solution, LiveCD, hardened or/and alternative OS, or VM based, there is no way to elimate risk or a potential attack on your logins (mail, Facebook, bank )
    It would be too long to answer to wat0114 question, but a good way to mitigate XSS and variant (CRSF) attacks is an hardened/sandboxed/virtual browser...then if you run from a .vmx or not LiveCD, this can be done on the cloud with Spoon studio solution http://spoon.net/browsers/
    There is various way to build a secure station or OS for all kind of tasks, in an easy way or in hard way (LNFS).
    Linux USB Creator provides a portable and Virtual Box protected environment for many distributions http://www.linuxliveusb.com/
    As a plus protection, just write protect or "full space" it to mitigate risks.
    MobaLive CD also provide an easy way tu try and run the Live CD directly from Windows with the help of Quemu emulator http://mobalivecd.mobatek.net/

    It is also not difficult to build a virtual environment on USB devices or any desktop.
    Using alternative OS is an interesting idea; and if OpenBSD is popular, i guess that exotic OS appears much more interesting as compatible malwares are very rare...why not a try with VMAROS/ICAROS http://vmwaros.blogspot.fr/2009/12/icaros-desktop-live-is-complete.html
    Or Haiku, Syllabe, MenuOs, Kolibri...
    Of course Johanna Qubes OS IS very interesting to
    http://qubes-os.org/Home.html
    But why not a French military OS like Polyxene http://www.polyxene.com/
    Also interesting is the instant on OS alternative http://en.wikipedia.org/wiki/Instant_on
    Splashtop is free, Presto seems discontinued and Mandriva one not updated...

    As we see, there is various way to have a surf on hostile environmements like those listed by Malwaredomainlist.
    Since there is no important information exposed in clear (any login), then the risk, despite possible and hypothetical labotory attack scenario, is very minor.
    As i post here mostly to practise my english, and as i do not use any corrector, then sorry for the possible mistakes.

    Rgds
     
  17. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    202
    100 % safety and security is impossible to obtain 100% of the time.

    I used a LiveCD in an older computer that had no hard drive. I never logged in to any sites and never worried about anything persisting across sessions (reboot).

    A session could be compromised while active only.

    Have a good day !!

    rrrh1 (arch1)
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Thanks for the info, kareldjag!

    So many seem to tout a live cd as the way to bank online, but in the case of, say, a persistent xss breach:

    1. malicious script is saved to server's database because server doesn't sanitize html or script code.
    2. user logs in and navigates to the location
    3. script launches automatically (no user action required!)
    4. user's session cookie is stolen and attacker takes over session.

    or in the case of the far more common non-persistent (reflected) attack:

    1. user clicks on link in email sent by attacker (social engineering).
    2. user log in and personal info is "reflected" back to user because server doesn't sanitize output info and re-directed to attacker.
    3. Attacker now potentially has login info or even the user's cookie.

    How does a live cd prevent this any more than from a browser run in an O/S on real hardware? I see, kareldjag, you provided some info on this, which I'll check out. Thanks again.

    Now I doubt any bank worth their salt would allow these vulnerabilities in their servers, but one never knows. Probably this is more likely in a blog forum or amateur run web service? Just a thought. Also as Brandi points out, the longer that cd sits in the "tool box" the more out of date and potentially vulnerable the applications on it become. I know nothing is saved to the disk, but what's so difficult about deleting history afterwards? Besides, I don't think xss requires that to happen, unless I'm missing something?
     
  19. BrandiCandi

    BrandiCandi Guest

    wat0114, you're exactly right.

    It doesn't. If you install add-ons like Notscripts, WoT, etc. in your browser to harden it, then you're better off. But you can't do that on a live CD. Hence the limitation.

    Using a live CD for banking is off-topic from the original question. I don't recommend a live CD for the original question. If you want to use a live CD for banking, then it could work. If you only go to your bank's website in any session, then the chances of your credentials being stolen are extremely low IMO.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Thanks Brandi! Agreed, the banking scenario or similar may not be "hostile territory" as is mentioned in the original question, but then I think a script-vulnerable server (one that doesn't sanitize input/output) could become hostile territory ;)
     
  21. BrandiCandi

    BrandiCandi Guest

    Yes. I guess it's a matter of trust. Any bank worth their salt should have a very mature security model in place, making that kind of vulnerability exceedingly unlikely. (Aside from the fact that banks are required to do so under regulations). If you don't trust your bank to have such a hardened system, then maybe you should think about moving your money to a different bank before you worry about protecting yourself from your bank's insecure servers.

    I guess I'm saying keep it in perspective.
     
  22. BrandiCandi

    BrandiCandi Guest

    Back to the original question... Just today I watched a webinar about this very thing. Look into these options to more efficiently and safely explore the dark side:
    • Honeypots
    • Honeyclients
    • Sandboxes
    There are low-interaction versions of honeypots & honeyclients which are just programs emulating servers or applications. Then there are high-interaction honeypots & honeyclients which are actual operating systems hardened & isolated.
     
    Last edited by a moderator: Aug 21, 2012
  23. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,414
    Yes you can add add-ons to a live cd, I've done it many times. They work. Most live CD' will even let you update the software even. Ubuntu is a clear example of a LIVECD that does just that.

    OP I'm not sure what's wrong with Talis or Liberte Linux o_O They would be pretty good for surfing dangerous sites. Just take out/disconnect your hard drive and let it run from RAM if your that paranoid. Both Liberte & Talis take security very seriously I'd imagine.
     
    Last edited: Aug 21, 2012
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    LiveCDs use TempFS to allow you to install software. It obviously is not persistent.
     
  25. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I agree 100%. :thumb:
     
Loading...
Thread Status:
Not open for further replies.