How strong are your passwords?

On Sat, 11 May 2013 00:56:02 +0000, amarildojr wrote:

> How are YOU protected against a regular user in your home searching on
> Google “how to by-pass Linux root passwd” or “how to decrypt a hard
> drive”?

You aren’t, really, unless you lock them out of your network. Which, if
they have physical access to your network, good luck with that.

Security is about tradeoffs. Security and convenience, primarily.

I use full disk encryption with TrueCrypt on an external hard drive. It
isn’t so much to protect the data while I use the drive, though, as to
make it highly improbable it’ll be retrieved after the drive croaks. I
don’t want my tax returns and other private data getting into the wild,
so I use FDE so when the drive croaks, I don’t have to worry much about
wiping it.

The questions you ask here are the sorts of questions one learns to
answer while pursuing the CISSP certification, or a Certified Ethical
Hacker certification.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I usually use an 8 or 10 digit password made up of random letters and numbers since I have
found that anything much longer than that is inconvenient to use and anything other than
a letter or number may not be compatible with the password prompt.
However I have a different set of standards for website logins since the web browser can
autofill the password forms and still maintain a good level of security.

Also I have found from experience that encrypting the entire contents of the hard drive
is a much more effective means of preventing casual snooping.

I still use “Darik’s Boot And Nuke” to periodically wipe my hard drives but for entirely different reasons.
Speaking of which, I need a 64 bit version of “Secure Delete” to wipe my computer’s memory using
‘smem -v’
to get rid of any memory resident malware on the system so that I can switch over to Linux.
The current 32 bit versions of “Secure Delete” can’t reach the entire 8 gigabytes of memory
which kind of defeats the purpose of it.
And since I can’t install Linux until after the malware is removed, that kind of puts me between
a rock and a hard place.

So because the unusual properties of the malware prevent installing or running any form of Linux
except a text-only command line from a live CD or DVD, that pretty much means that I am stuck
with Windows 7 until I can get such a 64 bit live disk with 64 bit “Secure Delete” on it.

I feel your pain, I was insane like you in the past but I have some questions:

1 - Why wipe the whole drive just because of a malware? Just wiping the Partition Table/MBR is enough to make malware useless.

2 - Which malware prevents you from installing Linux? Nothing can stop the CD/DVD from booting except a BIOS virus but I don’t think that’s your case.

3 - Why SecureDelete? If it is malware issues, I’d only do the zero wipe, nothing more. If it’s sensitive data, why allow malware to come in in the 1st place? Even Secure Delete may leave magnetic data traces that can be recovered. I made a thread here in the past asking if zero-fill is a good idea. Turns out that it’s pointless for malware reasons. Some malware may infect the MBR but a wipe in that area is enough. “sudo dd if=/dev/zero of=/dev/sda count=100000”

NOTE: I read somewhere that depending on your HDD size, the partition table may be bigger. Mine’s a 1TB so I do like above.

https://forums.opensuse.org/english/get-technical-help-here/install-boot-login/482574-zerofill-good-idea.html


I’m pretty sure it’s not a malware that’s preventing you from booting into a LiveCD. I’d do the following:

a) Download the ISO again and do an md5 checksum. If the download is OK then go to the next stage:
b) Burn to a DVD. After burning it, check again if the md5 matches. And don’t forget to check if the media itself is in good condition.

Even when talking about a “good malware” (or a strong one, if you may call it), I don’t think it’s able to change anything on the media/download itself, so even if you download your LiveCD on an infected PC it’ll still be a Linux CD; it’s very unlikely the virus will affect that.
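As an added example (not from this post or the forum), the two checks above as shell functions: step (a) compares the download against the md5 a mirror publishes, step (b) compares the burned medium against the ISO byte for byte. md5sum and cmp are assumed available; the function names and the sample files are constructed here, and a real run would pass the ISO and a device such as /dev/sr0.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# files below are constructed; on a real system DEVICE would be e.g. /dev/sr0.

# verify_iso FILE EXPECTED_MD5 -> 0 when FILE's md5 equals EXPECTED_MD5.
verify_iso() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_burn ISO DEVICE -> 0 when the first (size of ISO) bytes of DEVICE
# equal the ISO. A disc is padded to a sector boundary, so only the ISO's own
# length is compared; a short or altered burn fails.
verify_burn() {
    size=$(wc -c < "$1" | tr -d ' ')
    head -c "$size" "$2" | cmp -s "$1" -
}

# Constructed stand-ins: a mirror copy, two downloads and two "burned" discs.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf 'openSUSE-12.3-x86_64 sample image payload\n' > "$work/mirror.iso"
published=$(md5sum "$work/mirror.iso" | cut -d' ' -f1)   # as listed in MD5SUMS

cp "$work/mirror.iso" "$work/download-ok.iso"
head -c 20 "$work/mirror.iso" > "$work/download-cut.iso"  # transfer cut short

# Good burn: the ISO followed by one 2048-byte zero sector of padding.
{ cat "$work/download-ok.iso"; head -c 2048 /dev/zero; } > "$work/disc-ok.img"
# Bad burn: same length as the ISO, one byte changed.
printf 'openSUSE-12.3-x86_64 sample image payloaX\n' > "$work/disc-bad.img"

for f in download-ok download-cut; do
    if verify_iso "$work/$f.iso" "$published"; then echo "$f: md5 matches"; else echo "$f: md5 MISMATCH"; fi
done
for d in disc-ok disc-bad; do
    if verify_burn "$work/download-ok.iso" "$work/$d.img"; then echo "$d: burn matches ISO"; else echo "$d: burn DIFFERS"; fi
done
```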

On Sat, 11 May 2013 04:36:01 +0000, Trinton88 wrote:

> I still use “Darik’s Boot And Nuke” to periodically wipe my hard drives
> but for entirely different reasons.

That works well if the drive functions - I’ve had situations where I had
data that I deemed sensitive on a drive that had a head crash. I managed
to wipe the directory structure areas of the drive, but it took a lot of
work (and the drive made lots of really ugly noises).

I figure that FDE solves the problem with a nice long password.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2013-05-11 06:36, Trinton88 wrote:

> I still use “Darik’s Boot And Nuke” to periodically wipe my hard drives
> but for entirely different reasons.
> Speaking of which, I need a 64 bit version of “Secure Delete” to wipe
> my computer’s memory using
> ‘smem -v’
> to get rid of any memory resident malware on the system so that I can
> switch over to Linux.

Huh?

Just power off, and all RAM is erased. No memory resident malware can
survive that unless you reload it from somewhere else - like booting the
hard disk that is infected.

By the way, erasing the entire RAM with the computer running is
impossible. Many reasons: the program doing the erase is in RAM, and it
cannot erase itself or the program stops. It can move itself to another
section and then erase the previous one, but then it is not doing a full
erase.

Another, very old one: there was a virus that confused the computer into
giving a different value of RAM, so as to hide itself outside. The antivirus
software of the time was unable to protect once this was active. It
survived a warm reboot, but not a cold one.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

I use the same “method”, except using songs from kindergarten. And, in Dutch. Ergo: “Drie maal drie is negen” (a kids’ song starting with 3*3=9) becomes “3maal3=negen” or “3maal3!=tien”.

BTW I now know your username will be USApie :D. And if that won’t work, I’ll try DonMaclean :P.

Aw, I didn’t want to change that. :slight_smile:

Actually it really doesn’t matter if your password is 8 characters long or 25 characters long
it will get bypassed in about the same length of time (about 5 minutes).
That is how long it takes to inject Java malware into your system through the port 80 browser vulnerability.
The Java malware obtains your passwords and everything else from the inside out and sends it all back
to the hacker through encrypted SMTP packets. That is how it is done these days.

I would know because that is exactly what I am up against. :frowning:

The Malware in question is an updated new derivative of Stuxnet. There is a very precise procedure to follow
to keep the malware from going into stage 3 execution and erasing the computer flash bios.
The malware resides in the hard drive boot sector, resident in system memory, resident in the
video card memory, and in Windows page file, or Linux swap partition.

It has to be cleared from memory before you can repartition or wipe the hard drive or else it will give an
IRQ 14 error device not accessible. Then after the hard drive has been wiped the memory has to be
cleared again before any operating system can be installed. Simply turning the computer off for an hour
is not a workable solution because the malware can respawn from any of its four parts.

If you disconnect any computer component from the motherboard at any time, the malware will go into
stage 3 execution the moment the computer is powered back on and the bios would be erased leaving
you stuck with a permanently dead motherboard. The malware keeps a synchronized time and date
stamp and copy of the hardware configuration across all four of its parts.

Any time I have ever brought this up for discussion on any boards I was always laughed at and told it didn’t exist.
Very frustrating to say the least. :frowning:

I am pretty sure it is the malware, I already have two hard drives that are blacklisted from the system
and are now inaccessible, because it is locked out by the malware. Also this malware shut off the
cooling fans for the CPU and video card, I had to find workaround solutions for that too. :frowning:

It is not the DVD roms of Linux at fault, they worked before, and now they don’t.
Unless I use text only mode, the reason for this is that this malware is only designed to intercept
and interpret input from a GUI based operating system, unless you try to wipe or repartition the
hard drive which the memory resident part of the malware actively prevents. However the malware
does not prevent viewing of the contents of the hard drive unless you try to view the boot sector.

The whole point is that you can’t zero out the hard drive unless you use ‘Secure Delete’ first
because the running memory resident portion prevents writing to the hard drive outside of Windows 7.
The Malware uses upper memory not used by Windows 7 or Linux and also the video card.
Because Linux initializes the video card for GUI differently than Windows, the malware kicks in
and deactivates the video card the instant you try to use Linux in GUI mode.

I need a 64 bit version of ‘Secure Delete’ to kick the malware out of the top 4 gigabytes of memory
and the x86 versions that are commonly available on ‘Back Track 4’ can only reach the
lower 4 gigabytes of memory which is not good enough to remove the active running portion of the malware.

And since I don’t know how to incorporate a tgz or bz2 file into the build system it would be much
easier if ‘Secure Delete’ were one of the selectable packages in the build system.

So really I am just requesting that ‘Secure Delete’ be added to the available packages.

It is very hard to locate any Linux packages using only Windows 7, and even tougher to compile
anything for Linux using Windows 7. I wouldn’t trust anything compiled on my system while
there is an active malware infection anyway. Although I think burning an ISO would be reasonably safe.

There isn’t any official name for the malware that is preventing me from installing Linux
because it remains unknown to all the Antivirus companies with the exception of Kaspersky.
Kaspersky classifies it as an undocumented type of Stuxnet, Flame or Gauss worm.

AMD Phenom II x6 1075T Processor 3.00 GHz, Gigabyte 890FXA-UD5 , 8 gigabytes DDR3 memory
Diamond ATI Radeon HD 5670, SATA3 Seagate Barracuda 1 TB, SATA6 Western Digital Black Desktop 1 TB
SATA Liteon iHAS324 internal DVD Writer 24x, Coolmax 700W modular power supply, Cooler Master V8 heatsink
Rosewill RFX-100B system exhaust blower.

On 2013-05-17 12:46, Trinton88 wrote:

> It is not the DVD roms of Linux at fault, they worked before, and now
> they don’t.

Fully power down the machine, boot to bios, select boot target to be
only the DVD. Then boot from DVD.

I don’t believe your claims, unless the malware flashed your BIOS.

If you have one of those uEFI things that store boot configs in flash,
reset it fully. Ask the computer manufacturer how to do it.

> And since I don’t know how to incorporate a tgz or bz2 file into the build system it would be much
> easier if ‘Secure Delete’ were one of the selectable packages in the build system.
>
> So really I am just requesting that ‘Secure Delete’ be added to the
> available packages.

We are plain users here, not the people creating the DVD.

You may request such a thing for the next release in Bugzilla, but you
will have to backup your claims with hard facts or they will just laugh
at you and close the bug.

> There isn’t any official name for the malware that is preventing me from installing Linux
> because it remains unknown to all the Antivirus companies with the exception of Kaspersky.
> Kaspersky classifies it as an undocumented type of Stuxnet, Flame or Gauss worm.

Link?

If you have facts backing up your claims of a virus impeding
installation of Linux, please report it ASAP in Bugzilla and security
mail list.

> openSUSE:Communication channels: Mailing lists
> openSUSE:Submitting bug reports


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On 2013-05-17 11:06, Trinton88 wrote:

> The malware resides in the hard drive boot sector, resident in system memory, resident in the
> video card memory, and in Windows page file, or Linux swap partition.

Memory is erased at power off, completely.

Disks can be erased completely on another computer, via USB cable,
without rebooting.

> Simply turning the computer off for an hour
> is not a workable solution because the malware can respawn from any of
> its four parts.

As you have not mentioned the malware residing in BIOS, I can’t believe it.

> Any time I have ever brought this up for discussion on any boards I was
> always laughed at and told it didn’t exist.

Not surprising.

You have to support those claims with reports from a known security
company, or otherwise known reliable source, otherwise they will laugh
at you.

It is like claiming that pigs can fly - unless we see them, we can’t
believe it, sorry.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On 2013-05-17 10:26, Trinton88 wrote:

> Actually it really doesn’t matter if your password is 8 characters long or 25 characters long
> it will get bypassed in about the same length of time (about 5 minutes).
> That is how long it takes to inject Java malware into your system
> through the port 80 browser vulnerability.
> The Java malware obtains your passwords and everything else from the
> inside out and sends it all back
> to the hacker through encrypted SMTP packets. That is how it is done
> these days.

Link?
For Linux, of course.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

> I am pretty sure it is the malware, I already have two hard drives that are blacklisted from the system
> and are now inaccessible, because it is locked out by the malware. Also this malware shut off the
> cooling fans for the CPU and video card, I had to find workaround solutions for that too. :frowning:

Try starting the MOBO without the hard drives and post results here. If it’s not an MBR malware then your BIOS got infected. I wonder WHAT THE HELL DID YOU DO to get this kind of malware, I’ve never seen anything like this before. Might be hardware failure.

> It is not the DVD roms of Linux at fault, they worked before, and now they don’t.
> Unless I use text only mode, the reason for this is that this malware is only designed to intercept
> and interpret input from a GUI based operating system, unless you try to wipe or repartition the
> hard drive which the memory resident part of the malware actively prevents. However the malware
> does not prevent viewing of the contents of the hard drive unless you try to view the boot sector.

Why would a malware prevent you from using GUI but not text-based? And what type of malware can infect the memory (RAM) when booted from a LiveCD? This type of HD malware simply doesn’t exist. Order an Ubuntu CD and test with that. I also recommend you to do

sudo dd if=/dev/zero of=/dev/sda bs=16M count=10000

to wipe your partition table and a little more.

> The whole point is that you can’t zero out the hard drive unless you use ‘Secure Delete’ first
> because the running memory resident portion prevents writing to the hard drive outside of Windows 7.
> The Malware uses upper memory not used by Windows 7 or Linux and also the video card.

You can only zero the drive after doing secure delete first? That’s also BS, zeroing the entire drive will make ANY VIRUS, NO MATTER HOW STRONG IT IS, to be inaccessible/prevent it from operating.

> Because Linux initializes the video card for GUI differently than Windows, the malware kicks in
> and deactivates the video card the instant you try to use Linux in GUI mode.

I don’t think you’re trying to use a LiveCD.

> I need a 64 bit version of ‘Secure Delete’ to kick the malware out of the top 4 gigabytes of memory
> and the x86 versions that are commonly available on ‘Back Track 4’ can only reach the
> lower 4 gigabytes of memory which is not good enough to remove the active running portion of the malware.

Again, you’re trying to remove a pretty good malware while it’s operating. Download a Linux LiveCD from a friend’s house and then wipe the entire drive. No surprise you can’t do anything, you’re inside hell trying to drink cold water.

> And since I don’t know how to incorporate a tgz or bz2 file into the build system it would be much
> easier if ‘Secure Delete’ were one of the selectable packages in the build system.

Why do that? Just boot from a LiveCD and wipe the disk.

> It is very hard to locate any Linux packages using only Windows 7, and even tougher to compile
> anything for Linux using Windows 7. I wouldn’t trust anything compiled on my system while
> there is an active malware infection anyway. Although I think burning an ISO would be reasonably safe.

AGAIN, you’re using W7. Get out of there. Download an openSUSE LiveCD, and then type the ‘dd’ command I just told you above.

> There isn’t any official name for the malware that is preventing me from installing Linux
> because it remains unknown to all the Antivirus companies with the exception of Kaspersky.
> Kaspersky classifies it as an undocumented type of Stuxnet, Flame or Gauss worm.

Is this an HD malware? Because if it is, it’s not loaded before the LiveCD is. Download Kaspersky Rescue Disk and do a full scan.

BTW, can you post the source of your information above?
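As an added example (not from this post or the earlier “sudo dd if=/dev/zero of=/dev/sda count=100000” one), the head-of-drive zero-fill both posts suggest, wrapped with the checks worth running afterwards: whether dd finished without an I/O error, and whether the head of the device really is zero now. bs times count sets exactly how much is overwritten (count=100000 at the default 512-byte block is 51,200,000 bytes, the figure in the dd output quoted later in the thread; bs=16M count=10000 is roughly 168 GB), so the check confirms the span rather than assuming it. The function names are assumptions and the target is a constructed image file standing in for /dev/sda, so nothing on the host is written.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions; the
# "disk" is a constructed image file, not a real device.

# wipe_head TARGET BS COUNT -> zero the first BS*COUNT bytes of TARGET.
# conv=notrunc keeps the rest of a regular file intact (irrelevant on a
# device). Returns dd's status, which is non-zero when the drive reports an
# I/O error, as in the "end_request: I/O error, dev sda" run in the thread.
wipe_head() {
    dd if=/dev/zero of="$1" bs="$2" count="$3" conv=notrunc
}

# head_is_zero TARGET NBYTES -> 0 when the first NBYTES bytes are all NUL.
head_is_zero() {
    nonzero=$(head -c "$2" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Constructed 4 KiB "disk": sector 0 holds a fake MBR (boot code plus the
# 0x55AA signature), sectors 1-3 a fake partition table, sector 4 onward
# user data that must survive a head-only wipe.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
disk="$work/sda.img"
{
    printf 'FAKE-BOOT-CODE'; head -c 496 /dev/zero; printf '\125\252'
    printf 'FAKE-PARTITION-TABLE'; head -c 1516 /dev/zero
    printf 'user data that should remain'; head -c 2020 /dev/zero
} > "$disk"

head_is_zero "$disk" 512 || echo "before: sector 0 is not zero"
# 4 sectors of 512 bytes = 2048 bytes, the MBR and the fake table.
if wipe_head "$disk" 512 4; then echo "dd finished cleanly"; else echo "dd reported an error"; fi
head_is_zero "$disk" 2048 && echo "after: first 4 sectors are zero"
head_is_zero "$disk" 2049 || echo "after: data from byte 2048 onward untouched"
```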

On 2013-05-19 03:56, amarildojr wrote:

> Try starting the MOBO without the hard drives and post results here. If
> it’s not a MBR malware than your BIOS got infected. I wonder WHAT THE
> HELL DID YOU DO to get this kind of malware, I’ve never seen anything
> like this before. Might be hardware failure.

If it is really a derivative of stuxnet, that’s heavy stuff, probably
targeted.

But his claims are not believable, unless the bios/efi is damaged. And
of course, as you say, he has to download Linux from another, safe,
computer.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

It didn’t work, I typed in the following at a command prompt on ‘Back Track 4’ and it didn’t recognise the ‘sudo’ command.
“sudo dd if=/dev/zero of=/dev/sda count=100000”
So I typed in the following “dd if=/dev/zero of=/dev/sda count=100000” and I got the following error message.
“ata1.00: status: { DRDY }”
“ata1.00: error: { ABRT }”
“end_request: I/O error, dev sda, sector 99960”
“100000+0 records in”
“100000+0 records out”
“51200000 bytes (51 MB) copied, 12.5457 s, 4.1 MB/s”

Then I rebooted and tried to install ‘Open Suse 12.3 x86_64’ but the installer rolled over and died with the following error.
Yast 2 Error No hard disks were found for the instalation. Please check your hardware!

So I rebooted again with ‘Xubuntu 12.04.01 Desktop AMD 64’ in live dvd mode, opened a terminal window and typed in
“sudo dd if=/dev/zero of=/dev/sda count=100000” and got the following.

xubuntu@xubuntu:~$ sudo dd if=/dev/zero of=/dev/sda count=100000
100000+0 records in
100000+0 records out
51200000 bytes (51 MB) copied, 12.1423 s, 4.2 MB/s
xubuntu@xubuntu:~$ fdisk /dev/sda
fdisk: unable to open /dev/sda: Permission denied
xubuntu@xubuntu:~$ sudo fdisk /dev/sda
fdisk: unable to read /dev/sda: Input/output error
xubuntu@xubuntu:~$

The drive activity light lit up for a few seconds but I still got an error. I am using this Xubuntu live DVD to post so
I think I solved the problem with the video card blanking out in GUI mode.
Even with the Windows 7 hard drive disconnected and the WD Black attached the malware is still resident in memory
and still directly alters other software in the computer memory but not on the DVD rom media.

On 2013-05-19 06:46, Trinton88 wrote:

> Then I rebooted and tried to install ‘Open Suse 12.3 x86_64’ but the
> installer rolled over and died with the following error.
> Yast 2 Error No hard disks were found for the instalation. Please check
> your hardware!

Don’t just reboot. Power-off, power on.
Some malware can survive a reboot.

> So I rebooted again with ‘Xubuntu 12.04.01 Desktop AMD 64’ in live dvd
> mode, opened a terminal window and typed in
> “sudo dd if=/dev/zero of=/dev/sda count=100000” and got the following.
>
> xubuntu@xubuntu:~$ sudo dd if=/dev/zero of=/dev/sda count=100000
> 100000+0 records in
> 100000+0 records out
> 51200000 bytes (51 MB) copied, 12.1423 s, 4.2 MB/s
> xubuntu@xubuntu:~$ fdisk /dev/sda
> fdisk: unable to open /dev/sda: Permission denied
> xubuntu@xubuntu:~$ sudo fdisk /dev/sda
> fdisk: unable to read /dev/sda: Input/output error
> xubuntu@xubuntu:~$

I’m unfamiliar with Ubuntu.

Remove the disk and plug it into another computer. Format it there, or
better, install a small Linux on there. Then switch back the disk.

> Even with the Windows 7 hard drive disconnected and the WD Black
> attached the malware is still resident in memory
> and still directly alters other software in the computer memory but not
> on the DVD rom media.

Are there more HD on that computer? Disconnect all except the DVD (once
burned, it can not be compromised).

I would think that the BIOS or UEFI (you have not clarified what you
have) is compromised.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

I’ve had similar issues when my old drive was failing, it had more than 4000 bad sectors. I suggest you download Ubuntu 12.04, there’s a utility called “Disks” where you can do a S.M.A.R.T. check for all kinds of errors.

I’d also verify if:

  • The cables are connected right, ALL CABLES, from PSU to every single cabled component, Motherboard included
  • Your video card/HDD is in good shape
  • If there’s dust in the connections. Take off your graphics card, for example, and look for dust in the slot. Also, clean the contacts of the RAM module (it can save your life) and PCI-E’s also.
  • Renew your processor’s thermal compound
  • Buy a new SATA cable, I had a bad one with a corrupted wire

With the sudo problem, try

sudo passwd

, then type a root password for the LiveCD, then “su” and “dd if=/dev/zero of=/dev/sda count=10000”.

sudo isn’t installed on the live CD. su is the standard method used for openSUSE.