Live CD is secure agaist BIOS malwares ?

[sa3er3]

Hi all.
for our business bank account we need extra security. as i researched on google seems the only real safe way to avoid spywares is using a live linux CD instead of windows.
but my question is if we get a BIOS virus then what ?!
see here : threatpost.com/en_us/blogs/researchers-unveil-persistent-bios-attack-methods-031909

let say is that possible a virus attack us when we are in Live CD from BIOS ?
or maybe modify the BIOS so when we try to restart computer and go to Clean LIVE CD then the bad guys send us to a Fake infected OS which looks like the ubuntu live cd ?

[Soul-Sing]

A bios virus isn't a banking trojan. You should be fine using a very recent linux live cd.

It is also possible to use an op system on a second/third partition. This system should be nicely updated, and only used for online banking. That's a second secure option. Please secure your browser with all nec. security measures. (Apparmor/no-script or RequestPolicy add-on.)

Third remark. "A" 100% security isn't possible. But your pretty secure with Linux.(live cd)

[sa3er3]

i know BIOS virus is not a banking malware but actually my question is that 2 method i explained possible with a BIOS virus to a ubuntu Live CD ?
1-calling a keylogger code from hard drive or internet from BIOS virus when Live ubuntu is working
2-faking the boot. for example when we choose boot from CD in bios setting then when we restart to go to ubuntu live CD then we get into a fake OS which is hosted in hard drive but looks same as ubuntu live CD ...

this 2 hack are possible ? (if are possible then i have to buy a computer without hard drive dedicated only for our business bank account to make sure there is no way it infect by BIOS or any other virus ..)

[Ms. Daisy]

I would encourage you to do some reading on basic security. Rather than defend against one specific attack or another, you should try to harden your system against MOST attacks. In order to do that you need to understand where most attacks come from. The basics of security are pretty much the same across operating systems. This will get you started:

https://wiki.ubuntu.com/BasicSecurity
http://ubuntuforums.org/showthread.php?t=510812

Not sure what operating system you're running at the business because you didn't say, but if it's windows you should add an anti-virus scanner.

[sa3er3]

no sir actually i am an expert security user. and our business is related to a government. thats is why i asking such a question because the ways that they attack us can not be compared with personal behavior like use anti virus or install noscript ...
when they make stuxnet then such a malware is several times easier ...

so i think the answer is i have to buy a computer without HDD and BIOS battery (old fashion) ?

[PapaGary]

From the article:

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope.

[Soul-Sing]

the ways that they attack us

Who is attacking you, how do you monitor your computer to jump into that conclusion? If so call the police, contact your provider.
Computercrime is serious business!

If you don't trust hardware a priori, because of possible sec. issue's, stop using the internet, because hardware is made in several countries in world.

[CharlesA]

I would encourage you to do some reading on basic security. Rather than defend against one specific attack or another, you should try to harden your system against MOST attacks. In order to do that you need to understand where most attacks come from. The basics of security are pretty much the same across operating systems. This will get you started:

https://wiki.ubuntu.com/BasicSecurity
http://ubuntuforums.org/showthread.php?t=510812

Not sure what operating system you're running at the business because you didn't say, but if it's windows you should add an anti-virus scanner.

+1. I haven't heard of a BIOS exploit in a while.

Browser exploits on the other hand...

[Hungry Man]

A few things...
1) To write to the BIOS you need administrative rights meaning that the attacker either needs to compromise a root service or find some escalation privilege.

2) BIOS infections are really difficult to pull off. The attacker needs to know which hardware you're running, then they need to develop and test the payload on that hardware. They also need to know which version of the BIOS you're already running because even between versions it may or may not work.

It's definitely possible but really not viable.

I suggest that instead of worrying about LiveCDs writing to the BIOS you should, as Ms-Daisy says, harden your system.

The hacker needs to get onto your system and they'll likely want admin rights. Keeping your system patched and making use of apparmor is the best way to prevent infection.

[Ms. Daisy]

no sir actually i am an expert security user. and our business is related to a government. thats is why i asking such a question because the ways that they attack us can not be compared with personal behavior like use anti virus or install noscript ...
when they make stuxnet then such a malware is several times easier ...

so i think the answer is i have to buy a computer without HDD and BIOS battery (old fashion) ?

And you're the sys admin?

OK. What services are running on your company system? What services are facing the internet? What attacks are you seeing in your logs? What have you done already for security?