Linux - Security (LinuxQuestions.org): This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
You need to have physical control over who can access your computer before it can be considered "secure".
That's why commercial data centres are always housed in secure buildings.
Once you have physically secured your computer, you then need to consider software security.
That isn't always actually true; some servers have non-volatile BIOSes which are not resettable per se, but generally for PCs it's true. My own PC has three specialised requirements for resetting the BIOS that either require the manual or a lot of research to find out; it's not as easy as on most generalised motherboards.
However, the same could also be said for Windows too; it's a bit more complicated but can be done. You take out the hard drive, place it into another Windows PC and delete the password file, move the hard drive back and you know the administrator password is blank... there are applications out there that perform this operation automatically by burning them to CD and booting to the CD...
The only way around this is to use something like TrueCrypt and encrypt the entire drive.
If you use a strong password and a strong algorithm then there is no getting around that (at least by current day computers).
Even with a totally encrypted drive (assuming you are booting from a USB key, for example), you are still vulnerable in certain ways if the attacker has physical access. For example, he could clone your encrypted drive while you are away, and then install a hardware sniffer to pick up the key the next time you provide it (which he will then use to decrypt the clone he already has). Another possibility is launching a cold boot attack. The point being, there's tons of ways a determined attacker can get his hands on your data even if you are using whole-disk encryption. Of course, I'm not saying that encryption doesn't provide a lot of benefits - it does. It's just that "there is no getting around that" is pretty far-fetched.
Based on the website, it says we can change a root password if we forget the password.
So that means I can simply use anyone's Linux box (when he is not around), use a Knoppix live CD and change the root password.
So cracking into a Linux box is possible (considering we must be physically there to change it). Am I correct?
Linux security experts, what are your thoughts about this issue?
Yes, this is the way it is for any operating system. That said, in reality I would expect the attacker to NOT change the root password. This being due to the fact that doing so would make it evident to the admin that the box has possibly been rooted as soon as he tries to log in. So unless the attack is intended to be nothing more than a prank (and he doesn't care about being discovered), the attacker with root access to the filesystem will likely want to do much more nefarious and/or profitable things - such as installing a rootkit, for example.
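From the admin's side, the question above has a detection angle: an offline reset from a live CD rewrites /etc/shadow, and both the "last changed" day of the affected account and (for the blank-password trick mentioned earlier in the thread) an empty password field are visible afterwards. The following is an added example written for this thread, not code from any of the posters; the shadow lines and the baseline values are constructed, and the baseline itself (the last-change day per account recorded at a known-good time) is an assumption about how the admin keeps state.

```python
"""Audit /etc/shadow-style entries for signs of an offline password reset.

Added example for this thread, not code from any post. It assumes the
defender keeps a baseline (the 'last changed' day of each account's
password, recorded at a known-good time) and re-reads the shadow file
after a reboot. The sample input below is constructed.
"""
from datetime import date, timedelta

# Constructed sample lines in /etc/shadow format:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice::19800:0:99999:7:::
bob:$6$anothersalt$anotherhash:19000:0:99999:7:::
"""

# Constructed baseline: lastchg day (days since 1970-01-01) per account,
# as recorded when the admin last verified the box.
BASELINE = {"root": 19700, "daemon": 19000, "alice": 19000, "bob": 19000}


def parse_shadow(text):
    """Return {account: (hash_field, lastchg_days)} for each well-formed line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # not a shadow record; skip rather than guess
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        try:
            days = int(lastchg) if lastchg else None
        except ValueError:
            days = None
        entries[name] = (pw_hash, days)
    return entries


def audit_shadow(text, baseline):
    """Return a list of (account, reason) findings.

    Two things a live-CD reset leaves behind: an account whose password
    field is empty (no password required, the analogue of the deleted
    Windows password file), and a 'last changed' day newer than the one
    in the admin's baseline. Accounts missing from the baseline are
    reported too, since an attacker may add one rather than touch root.
    """
    findings = []
    for name, (pw_hash, days) in parse_shadow(text).items():
        if pw_hash == "":
            findings.append((name, "empty password field (no password required)"))
        if days is not None and name in baseline and days > baseline[name]:
            changed_on = date(1970, 1, 1) + timedelta(days=days)
            findings.append((name, f"password changed on {changed_on.isoformat()} after baseline"))
        if name not in baseline:
            findings.append((name, "account not present in baseline"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_shadow(SAMPLE_SHADOW, BASELINE):
        print(f"{account}: {reason}")
```

The check only helps if the baseline is not sitting on the same disk the attacker just mounted; keep it off-box, or use an integrity tool that stores file hashes elsewhere. It is also only a tripwire: as the reply above notes, an attacker who wants to stay quiet will not change root's password at all, so this catches the noisy case, not the rootkit.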
Quote:
Even with a totally encrypted drive (assuming you are booting from a USB key, for example), you are still vulnerable in certain ways if the attacker has physical access. For example, he could clone your encrypted drive while you are away, and then install a hardware sniffer to pick up the key the next time you provide it (which he will then use to decrypt the clone he already has). Another possibility is launching a cold boot attack. The point being, there's tons of ways a determined attacker can get his hands on your data even if you are using whole-disk encryption. Of course, I'm not saying that encryption doesn't provide a lot of benefits - it does. It's just that "there is no getting around that" is pretty far-fetched.
There are ways around that also, like having a 100MB partition outside of the encrypted one with something like Perl installed, and on shutdown using kexec to boot to the 100MB partition with Perl and run a script like I posted in http://www.linuxquestions.org/questi...ml#post3243756
Run the script in a loop 5-10 times and then shut down.
On 12GB of RAM it takes about 3 seconds to fill all the RAM.
Doing that after you used kexec to boot a partition that is outside of the encrypted drive, ensuring the encrypted drive is unmounted and looping the script to clear keys in the RAM, then shutting down the server,
would clear any cold-boot attacks.
Unless they had access to the machine while it was running; then they could unplug it and get the keys from the RAM at that point.
You can actually freeze the RAM and get the information from the RAM up to 48 hours later with liquid nitrogen.
But this is assuming that they have physical access. At that point I would be worried about more than my computer. Like WTF is someone doing in my house.
If it is a laptop and they steal it, it would most likely be 1 of 2 things:
either someone beat you up and took it while you were using it, or they stole it when you were away from it, e.g. broke into the car (in which case it probably should have been powered off for a while and the RAM is probably clear).
Unless you are protecting TS info (in which case it would not be connected to the internet, but a completely different separate network), your machine is much easier to get to from the net than physically 9 times out of 10.
What most people need to focus on is OS security and App security before you worry about physical security.
Win32sux, what's up with your tag?
"There are no answers, only choices." -- Solaris
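The "fill all the RAM before power-off" step in the post above is easy to get subtly wrong, so here is an added illustration of the idea (not the script the poster linked, and not anyone's production code). It assumes it is run from the small unencrypted rescue environment the poster describes, after the encrypted volume has been unmounted and its mapping closed, so that nothing is still using the key when the fill starts. The byte limits and chunk size are hypothetical and sized for a demo.

```python
"""Overwrite free RAM with a fixed pattern before power-off.

Added illustration for this thread, not the poster's script. It assumes
it runs from an unencrypted rescue partition after the encrypted volume
is unmounted and its mapping closed. The caps below are hypothetical.
"""

CHUNK_BYTES = 1024 * 1024  # allocate and overwrite one mebibyte at a time


def scrub_free_memory(limit_bytes, chunk_bytes=CHUNK_BYTES, pattern=b"\x00"):
    """Allocate chunks, write `pattern` into each, and hold them until done.

    Returns the number of bytes overwritten. Stops at `limit_bytes` or when
    the allocator refuses (MemoryError). Holding every chunk until the end
    matters: releasing chunks early lets the allocator hand the same pages
    back, so the loop would scrub the same RAM over and over while the rest
    stays untouched.
    """
    held = []
    written = 0
    try:
        while written < limit_bytes:
            size = min(chunk_bytes, limit_bytes - written)
            # bytearray repetition writes every byte, so each page is really
            # touched; a lazily zeroed allocation would not count.
            held.append(bytearray(pattern) * size)
            written += size
    except MemoryError:
        pass  # the kernel gave us everything it was willing to; stop here
    del held
    return written


def scrub_passes(passes, limit_bytes, chunk_bytes=CHUNK_BYTES):
    """Repeat the fill, as the post suggests, and return total bytes written."""
    return sum(scrub_free_memory(limit_bytes, chunk_bytes) for _ in range(passes))


def available_memory_bytes():
    """Best-effort free RAM estimate from /proc/meminfo (Linux only), else None."""
    try:
        with open("/proc/meminfo") as f:
            for line in f:
                if line.startswith("MemAvailable:"):
                    return int(line.split()[1]) * 1024
    except OSError:
        pass
    return None


if __name__ == "__main__":
    # Demo cap: real use would fill until MemoryError rather than to a cap.
    avail = available_memory_bytes() or 64 * 1024 * 1024
    total = scrub_passes(passes=3, limit_bytes=min(avail, 64 * 1024 * 1024))
    print(f"overwrote {total} bytes across 3 passes")
```

Two limits worth knowing before relying on this. A userspace fill only reaches pages the kernel is willing to give a process; page cache, kernel heap and other processes' pages are not rewritten, which is why the poster boots a minimal environment first, and under real pressure the OOM killer may end the process before MemoryError is raised. And, as the reply that follows points out, none of this helps if the machine is unplugged while still running.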
Quote:
There are ways around that also, like having a 100MB partition outside of the encrypted one with something like Perl installed, and on shutdown using kexec to boot to the 100MB partition with Perl and run a script like I posted in http://www.linuxquestions.org/questi...ml#post3243756
Run the script in a loop 5-10 times and then shut down.
On 12GB of RAM it takes about 3 seconds to fill all the RAM.
Doing that after you used kexec to boot a partition that is outside of the encrypted drive, ensuring the encrypted drive is unmounted and looping the script to clear keys in the RAM, then shutting down the server,
would clear any cold-boot attacks.
Unless they had access to the machine while it was running; then they could unplug it and get the keys from the RAM at that point.
You can actually freeze the RAM and get the information from the RAM up to 48 hours later with liquid nitrogen.
But this is assuming that they have physical access.
Exactly. With physical access, even a "clear memory on shutdown" technique can be bypassed by, well, not letting the victim shut down. Besides, cold boot attacks are just one of many different ways someone could get the key from you.
Quote:
Win32sux, what's up with your tag?
"There are no answers, only choices." -- Solaris
Solaris is not choice.
j/k =)
Correct. That's just something which Solaris (the enigmatic ocean world, not the OS) would say.