[ale] Letter of Volatility

Jeff Hubbs jhubbslist at att.net
Wed Jan 29 18:05:58 EST 2014


On 1/29/14, 4:12 PM, Leam Hall wrote:
> In general any storage device that enters an area for classified 
> information cannot be removed intact. Even in non-classified 
> environments some government agencies retain the ram, cmos, disk 
> controller ram, hard drives, etc. Most of them are physically reduced 
> beyond use.
>
> The customer should have a disposal policy.
The destruction policy is supposed to keep you from having to care about 
just what detectable states exist in a RAM stick after the power has 
been removed or what can or can't be stored surreptitiously in a BIOS.

> <snippage>
>> Isn't that why the govt. uses RHEL instead
>> of CENTOS? 
Not necessarily; "the government" has a lot of different agencies, each 
with its own guidance and regulations.  But just as in the private 
sector, there are many PHBs who never understood the Open Source way of 
instituting and running computing resources and would therefore only run 
Linux if it were priced and supported in a Microsoft/Sun/IBM/Oracle manner.
>> I.e., if you did all the same hardening procedures to a
>> CENTOS box that you did to a RHEL box they would be equally secure, but
>> the CENTOS box would not be CERTIFIED, correct?
Pretty much.  If as much as one bit of code differs from the certified 
configuration, then it's no longer the certified configuration.  Whether 
the RHEL/CentOS differences are the least bit meaningful or germane - or 
that you could prove the provenance of every CentOS binary - is 
irrelevant.  This suggests, at least to me, that you'd better not 
rebuild any binaries that the machine started off with in its certified 
configuration.  Also, you're stuck with ancient versions of kernels and 
important packages (but that could be applied to RHEL/CentOS in general).
>>
>>
>> Would it be possible for a bot/virus/trojan to be loaded into BIOS that
>> could then grab info when the system is up and running? If it is
>> possible, they will be concerned about that and it will need to be
>> addressed in the LoV letter.
I guess it comes down to whether or not you can ever really trust the 
motherboard.  Could it read patches of RAM arbitrarily and wrap it into 
a packet stream in some custom protocol to be fired to a preset address 
out of the onboard NIC?  Sure.  Are you or anyone else prepared to 
certify that it can't?