[ubuntu] Live CD is secure against BIOS malware?
sa3er3
May 28th, 2012, 04:29 PM
Hi all.
For our business bank account we need extra security. As I researched on Google, it seems the only really safe way to avoid spyware is using a Linux live CD instead of Windows.
But my question is: if we get a BIOS virus, then what?!
See here: threatpost.com/en_us/blogs/researchers-unveil-persistent-bios-attack-methods-031909
Let's say: is it possible for a virus to attack us from the BIOS while we are in the live CD?
Or maybe modify the BIOS so that when we try to restart the computer and go to the clean live CD, the bad guys send us to a fake infected OS which looks like the Ubuntu live CD?
Soul-Sing
May 28th, 2012, 04:48 PM
A BIOS virus isn't a banking trojan. You should be fine using a very recent Linux live CD.
It is also possible to use an operating system on a second/third partition. This system should be kept updated and only used for online banking. That's a second secure option. Please secure your browser with all necessary security measures (AppArmor, the NoScript or RequestPolicy add-on).
Third remark: 100% security isn't possible. But you're pretty secure with Linux (live CD).
sa3er3
May 28th, 2012, 05:15 PM
I know a BIOS virus is not banking malware, but actually my question is whether the 2 methods I explained are possible with a BIOS virus against an Ubuntu live CD:
1. Calling keylogger code from the hard drive or the internet via the BIOS virus while live Ubuntu is running.
2. Faking the boot. For example, when we choose boot from CD in the BIOS settings and restart to go to the Ubuntu live CD, we get into a fake OS which is hosted on the hard drive but looks the same as the Ubuntu live CD...
Are these 2 hacks possible? (If they are possible then I have to buy a computer without a hard drive, dedicated only to our business bank account, to make sure there is no way it gets infected by a BIOS or any other virus.)
Ms. Daisy
May 28th, 2012, 06:44 PM
I would encourage you to do some reading on basic security. Rather than defend against one specific attack or another, you should try to harden your system against MOST attacks. In order to do that you need to understand where most attacks come from. The basics of security are pretty much the same across operating systems. This will get you started:
https://wiki.ubuntu.com/BasicSecurity
http://ubuntuforums.org/showthread.php?t=510812
Not sure what operating system you're running at the business because you didn't say, but if it's windows you should add an anti-virus scanner.
sa3er3
May 28th, 2012, 07:34 PM
No sir, actually I am an expert security user, and our business is related to a government. That is why I am asking such a question: the ways that they attack us cannot be compared with personal measures like using anti-virus or installing NoScript...
When they can make Stuxnet, then such malware is several times easier...
So I think the answer is I have to buy a computer without an HDD and BIOS battery (old-fashioned)?
PapaGary
May 28th, 2012, 07:42 PM
From the article:
Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope.
Soul-Sing
May 28th, 2012, 09:13 PM
the ways that they attack us
Who is attacking you, and how do you monitor your computer to jump to that conclusion? If so, call the police and contact your provider.
Computer crime is serious business!
If you don't trust hardware a priori because of possible security issues, stop using the internet, because hardware is made in several countries in the world.
CharlesA
May 28th, 2012, 09:48 PM
I would encourage you to do some reading on basic security. Rather than defend against one specific attack or another, you should try to harden your system against MOST attacks. In order to do that you need to understand where most attacks come from. The basics of security are pretty much the same across operating systems. This will get you started:
https://wiki.ubuntu.com/BasicSecurity
http://ubuntuforums.org/showthread.php?t=510812
Not sure what operating system you're running at the business because you didn't say, but if it's windows you should add an anti-virus scanner.
+1. I haven't heard of a BIOS exploit in a while.
Browser exploits on the other hand...
Hungry Man
May 28th, 2012, 09:53 PM
A few things...
1) To write to the BIOS you need administrative rights, meaning that the attacker either needs to compromise a root service or find some privilege escalation.
2) BIOS infections are really difficult to pull off. The attacker needs to know which hardware you're running, then they need to develop and test the payload on that hardware. They also need to know which version of the BIOS you're already running because even between versions it may or may not work.
It's definitely possible but really not viable.
I suggest that instead of worrying about LiveCDs writing to the BIOS you should, as Ms-Daisy says, harden your system.
The hacker needs to get onto your system and they'll likely want admin rights. Keeping your system patched and making use of AppArmor is the best way to prevent infection.
Ms. Daisy
May 28th, 2012, 10:38 PM
No sir, actually I am an expert security user, and our business is related to a government. That is why I am asking such a question: the ways that they attack us cannot be compared with personal measures like using anti-virus or installing NoScript...
When they can make Stuxnet, then such malware is several times easier...
So I think the answer is I have to buy a computer without an HDD and BIOS battery (old-fashioned)?
And you're the sys admin?
OK. What services are running on your company system? What services are facing the internet? What attacks are you seeing in your logs? What have you done already for security?
JKyleOKC
May 29th, 2012, 01:37 AM
So I think the answer is I have to buy a computer without an HDD and BIOS battery (old-fashioned)?
Good luck getting such a system to run at all. The BIOS is necessary in order to boot the system, and without a battery you won't be able to configure it at all. Once the system boots, Linux no longer makes any use of the BIOS -- and the bootstrap code within the BIOS chip on the motherboard is totally incapable of accessing any network or downloading anything.
As others have told you, installing a BIOS trojan requires physical access to the machine. And if outsiders have such access, no security is possible.
In addition, if your security requirements are actually as strict as you indicate, the machine should never be connected to a network at all. The only completely secure system is one which is incapable of any input or output, and located in a sealed enclosure with no means of physical access. Of course, such a system is also completely useless...
Hungry Man
May 29th, 2012, 02:43 AM
You can overwrite the BIOS remotely, they don't need physical access.
They just need admin access.
Instead of removing the BIOS battery, which will just break ****, buy one of those dual BIOS motherboards. If one gets infected you just switch to the other and boot into a recovery disk.
JKyleOKC
May 29th, 2012, 03:16 AM
You can overwrite the BIOS remotely, they don't need physical access.
Please describe just how it will be possible to do anything remotely to a system that has no network access for remote control. The network access comes into play from a much later stage of the boot process than the bootstrap code.
If, and only if, the BIOS is set up to allow "remote boot" operation could something of this sort be accomplished. That would require special BIOS code in the first place.
It's possible that such a "trojan BIOS" could be created, and even installed -- but only if the intruder had physical access to the machine and adequate time to replace major chunks of its hardware. Placing a wiretap on the network line, or a sniffer in one of the ISP locations along the route, would be much more practical.
Stuxnet was targeted to a specific group of machines, and relied on a bit of physical intrusion to get it started. It's not at all comparable to the problem of breaking into a single company's bank accounts. Subversion of a bank employee is a much more likely scenario.
Cheesemill
May 29th, 2012, 03:25 AM
On modern machines you can alter BIOS settings and even flash the BIOS completely from a running OS if you have root access. So by compromising a machine you could then flash it with a 'trojan' BIOS which would take effect the next time the machine was booted.
As you mention though, except in very specific known configurations and required outcomes it would be far easier to take the normal attack route of finding vulnerabilities in the OS or installed software rather than going down the BIOS route.
Hungry Man
May 29th, 2012, 06:59 AM
Like Cheesemill states once you have Admin you can flash a new BIOS. This can be done while the system is booted and it's probably the most common way for users to update their home machine's BIOS.
So they don't actually need any physical access.
It's still insanely unlikely as they'd have to spend an inordinate amount of work, with there being a huge risk of it failing entirely.
sa3er3
May 29th, 2012, 07:18 AM
A few things...
1) To write to the BIOS you need administrative rights, meaning that the attacker either needs to compromise a root service or find some privilege escalation.
2) BIOS infections are really difficult to pull off. The attacker needs to know which hardware you're running, then they need to develop and test the payload on that hardware. They also need to know which version of the BIOS you're already running because even between versions it may or may not work.
Getting root access is just like blinking... rootkits have been out there for ages...
And getting hardware info or the BIOS version is even easier than blinking...
On modern machines you can alter BIOS settings and even flash the BIOS completely from a running OS if you have root access. So by compromising a machine you could then flash it with a 'trojan' BIOS which would take effect the next time the machine was booted.
As you mention though, except in very specific known configurations and required outcomes it would be far easier to take the normal attack route of finding vulnerabilities in the OS or installed software rather than going down the BIOS route.
The problem is that today, people doing important jobs use a live Ubuntu CD because Windows (or even an installed Ubuntu) is almost impossible to keep clean, so the bad guys are focusing on the BIOS, because with it we are not safe at all in a live CD any more... :(
zombifier25
May 29th, 2012, 07:23 AM
Speaking from a security noob's point of view, most malware writers nowadays still target Windows, because it's easier and more profitable for them. There is no proof (at least, not yet) that they are moving to hijacking the BIOS. It is possible, yes, but I don't see that anyone would have the time and resources to develop a very complicated rootkit that only works with certain BIOSes (or even certain versions of them) while Windows malware is relatively easy to pull off and can be very widespread.
Hungry Man
May 29th, 2012, 07:23 AM
Getting root isn't that easy. Or at least you don't have to let it be. AppArmor vulnerable services/programs and keep your system patched.
They could get onto your machine, get root, and then see which BIOS you use, and then develop an incredibly complex and risky payload over days/weeks depending on whether they already have the hardware, and then, if you somehow haven't realized you've been infected for weeks, they could try the payload on you.
Of course, they already have root, so they have very little reason to do so.
Bad guys are not focusing on the BIOS. There have been less than a handful of widespread BIOS infections ever.
I would suggest you either forget about the BIOS as you have way bigger things to worry about OR you purchase a dual-BIOS motherboard on the insanely tiny chance that an attacker somehow infects your BIOS.
sa3er3
May 29th, 2012, 08:17 AM
Speaking from a security noob's point of view, most malware writers nowadays still target Windows, because it's easier and more profitable for them. There is no proof (at least, not yet) that they are moving to hijacking the BIOS. It is possible, yes, but I don't see that anyone would have the time and resources to develop a very complicated rootkit that only works with certain BIOSes (or even certain versions of them) while Windows malware is relatively easy to pull off and can be very widespread.
If all the people switch to using a live CD for banking instead of Windows, then they will move to hijacking the BIOS, because that is what we want to tell all our companies: to use a live CD for serious jobs.
As all users have Windows, not Linux, it's not a complicated rootkit; they can easily get root. Then there aren't too many BIOSes in the market; they just make a few and will hit a big percentage of people...
So please think again.
Getting root isn't that easy. Or at least you don't have to let it be. AppArmor vulnerable services/programs and keep your system patched.
They could get onto your machine, get root, and then see which BIOS you use, and then develop an incredibly complex and risky payload over days/weeks depending on whether they already have the hardware, and then, if you somehow haven't realized you've been infected for weeks, they could try the payload on you.
Of course, they already have root, so they have very little reason to do so.
Bad guys are not focusing on the BIOS. There have been less than a handful of widespread BIOS infections ever.
I would suggest you either forget about the BIOS as you have way bigger things to worry about OR you purchase a dual-BIOS motherboard on the insanely tiny chance that an attacker somehow infects your BIOS.
In Windows people have no AppArmor...
And keeping the system patched makes no sense against real hackers.
From your view maybe it's a complex and risky payload over days/weeks, but as they make millions of $ from it, they will do it very well...
As we grow using live CDs they're focusing on the BIOS, mate. As it's the only safe way, it will happen soon :(
(By the way, is the dual-BIOS motherboard a joke? The user will never know whether he's infected or not... antivirus doesn't scan the BIOS...)
zombifier25
May 29th, 2012, 08:33 AM
Yes, IF everyone switches to using a live CD for banking. But good luck convincing millions of Windows users to magically drop Windows, download a Linux live CD and start doing everything from there. Still, when that happens, developing malware for Linux itself is still far easier than writing complicated BIOS code. Crackers want short-term profit, not long-term investment. (But writing BIOS code isn't exactly long-term either, because new updates will just make the malware obsolete.)
Like what others have said, you shouldn't worry about the moon falling down the Earth, but instead start worrying about real security threats that can potentially compromise your system. Start configuring firewalls, encryption and stuffs, and leave the BIOS problem for later. :)
sa3er3
May 29th, 2012, 09:19 AM
Is it possible for a factory to make a BIOS which updates itself automatically when the computer is turned on?
Hungry Man
May 29th, 2012, 10:30 AM
Possible but a bad idea and it doesn't exist.
In Windows people have no AppArmor...
I didn't realize we were discussing Windows. Securing a Windows computer is much more difficult.
And keeping the system patched makes no sense against real hackers.
I disagree. There is no "cost of exploit" when the exploit code is on Metasploit or simply provided to the attacker. Forcing them to find a new exploit helps.
From your view maybe it's a complex and risky payload over days/weeks, but as they make millions of $ from it, they will do it very well...
It's not really about the payoff. To write to your BIOS they need root. Once they have root they can just use (incidentally) the BIOS for direct disk access and come up with a way more reliable way to infect you.
Anyways, the best way to prevent an attack is to prevent and restrict root. That means, for Ubuntu, using AppArmor.
(By the way, is the dual-BIOS motherboard a joke? The user will never know whether he's infected or not... antivirus doesn't scan the BIOS...)
You have a clean BIOS backup though if you ever do get infected.
I don't think I can stress enough just how annoyingly difficult it would be to infect someone's BIOS. Yes, for a targeted attack there is the potential for it but there are so many easier ways to get what they want.
Regardless of this, your focus should be restricting programs and services. That's the best defense.
CharlesA
May 29th, 2012, 03:16 PM
LiveCD for banking? I would be more concerned with browser exploits than having my BIOS "infected." Especially when browsing from a livecd that potentially does not have the latest updates installed.
Is it possible for a factory to make a BIOS which updates itself automatically when the computer is turned on?
A BIOS update has to be user initiated.
In short: Listen to Hungry Man and Ms Daisy - they know what they are talking about.
Cheesemill
May 29th, 2012, 03:55 PM
LiveCD for banking? I would be more concerned with browser exploits than having my BIOS "infected." Especially when browsing from a livecd that potentially does not have the latest updates installed.
+1
Browser exploits are the most common way of compromising a system and the best defence against browser exploits is to use a fully patched and updated browser.
Unless you are updating your live CDs every time your browser of choice is patched/updated, I would say you run the risk of being less secure using a live CD than a fully patched normal installation.
JKyleOKC
May 29th, 2012, 04:36 PM
On modern machines you can alter BIOS settings and even flash the BIOS completely from a running OS if you have root access. So by compromising a machine you could then flash it with a 'trojan' BIOS which would take effect the next time the machine was booted.
As you mention though, except in very specific known configurations and required outcomes it would be far easier to take the normal attack route of finding vulnerabilities in the OS or installed software rather than going down the BIOS route.
I've added emphasis to the critical point I've been addressing. The OP has proposed getting a machine with no hard disk at all, thus no operating system, and booting it from a Live CD which he's presuming to be infection-free. Thus the only time that an intruder could gain root access would be while the presumed-clean CD had booted and gained a network connection. BIOS could not enter into the picture until after the system had already been compromised.
That's why I'm insisting that his worry about the BIOS is a total red herring. If he has taken normal precautions in using the Live CD, and avoided all social engineering ploys, he will be as safe as any networked user can ever be.
This, in turn, implies that wasting his efforts attempting to defend against a remotely possible attack sometime in the future is counterproductive. Like the malware authors, he should be picking the low-hanging fruit first by selecting the safest possible browser, practicing safe use of the system, and all the "normal" precautions...
And even then, of course, he's still at moderately high risk since it will take only one idiot user to click on a bad link when browsing, and his "secure" system will become part of a botnet...
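Two checks follow from the thread's two "trusted baseline" assumptions, and neither poster spelled them out. The live CD is only a clean baseline if the ISO that was burned matches what the distributor signed (the "presumed-clean CD" in the post above), and the dual-BIOS suggestion together with the "user will never know he's infected" objection both need a way to tell whether the firmware has changed since it was last trusted. The script below is an added example written for this page, not code from any poster or from Ubuntu. It assumes GNU coreutils (sha256sum, awk), gpg with the distributor's signing key already imported, and, for the real firmware dump only, the flashrom tool with its `-p internal -r` options; file names such as SHA256SUMS, example.iso and firmware.bin are placeholders, and the demo data at the bottom is constructed so the logic runs without an ISO or flash hardware.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (sha256sum, awk),
# gpg, and for the real firmware dump the flashrom tool; names like
# SHA256SUMS / example.iso / firmware.bin are placeholders.

# sha256 of a file, hash only (first field of sha256sum output).
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# --- Part 1: is the live CD image what the distributor published? ---

# Ubuntu (and most distributions) publish a SHA256SUMS list plus a detached
# SHA256SUMS.gpg signature next to the ISO. Verify the signature first, so a
# tampered checksum list is rejected rather than trusted. Assumes the
# distributor's signing key is already in the local keyring.
verify_sums_signature() {
    sums="$1"
    gpg --verify "$sums.gpg" "$sums"
}

# Look the ISO up in the (already verified) list and compare hashes. Lines
# look like "<hash> *<name>" or "<hash>  <name>"; the leading '*' (binary
# mode marker) is stripped. Returns 0 on match, 1 if the ISO is not listed
# or its hash differs.
verify_iso() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '{ n=$2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    [ -n "$expected" ] || { echo "$name: not listed in $sums" >&2; return 1; }
    [ "$expected" = "$(file_sha256 "$iso")" ]
}

# --- Part 2: has the firmware changed since a trusted baseline? ---

# Dump the SPI flash to a file. Needs root and a flashrom-supported chipset;
# this is the same access an attacker with root would use to write it.
dump_firmware() {
    flashrom -p internal -r "$1" >/dev/null 2>&1
}

# Record the baseline hash while the machine is trusted (e.g. right after a
# vendor flash) and keep it off the machine (USB key, paper).
record_baseline() {
    dump="$1"; baseline="$2"
    file_sha256 "$dump" > "$baseline"
}

# Compare a fresh dump with the stored baseline. Any mismatch means the flash
# contents changed; a legitimate vendor update trips this too, so re-record
# the baseline after one. Returns 0 if unchanged, 1 otherwise.
verify_firmware_dump() {
    dump="$1"; baseline="$2"
    [ "$(cat "$baseline")" = "$(file_sha256 "$dump")" ]
}

# Constructed demo data: short strings stand in for an ISO and two flash
# images so the compare logic can be exercised without real hardware.
demo() {
    tmp=$(mktemp -d)
    printf 'pretend iso contents' > "$tmp/example.iso"
    printf '%s *example.iso\n' "$(file_sha256 "$tmp/example.iso")" > "$tmp/SHA256SUMS"
    verify_iso "$tmp/SHA256SUMS" "$tmp/example.iso" && echo "iso: matches signed list"

    printf 'vendor firmware image' > "$tmp/good.bin"
    printf 'vendor firmware image + implant' > "$tmp/bad.bin"
    record_baseline "$tmp/good.bin" "$tmp/baseline.sha256"
    verify_firmware_dump "$tmp/good.bin" "$tmp/baseline.sha256" && echo "firmware: unchanged"
    verify_firmware_dump "$tmp/bad.bin" "$tmp/baseline.sha256" || echo "firmware: CHANGED, re-flash from the vendor image before trusting this machine"
    rm -rf "$tmp"
}

demo
```

In real use the order matters: run verify_sums_signature before verify_iso, otherwise the checksum list is just another unauthenticated download, and take the firmware baseline dump from the live CD itself (dump_firmware firmware.bin as root) so the hash is computed by the environment you are trying to trust rather than by the installed OS that might already be compromised.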