<div dir="ltr"><br><br><div class="gmail_quote">On Fri, Jun 24, 2011 at 4:54 AM, Shachar Shemesh <span dir="ltr"><<a href="mailto:shachar@shemesh.biz">shachar@shemesh.biz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<u></u>
<div style="direction: ltr;" text="#000000" bgcolor="#ffffff">
On 24/06/11 00:35, Orna Agmon Ben-Yehuda wrote:
<blockquote type="cite">
<div dir="ltr">Hello all security experts,<br>
<br>
</div>
</blockquote>
Hiya,<div class="im"><br>
<br>
<blockquote type="cite">
<div dir="ltr">I would like to export data from a machine on a
business's internal network on a safe media, such that only the
files I want exported are on the media. Specifically, I consider
the possibility that the machine may already be infected by a
malware which adds business-sensitive data to all outgoing
media, and would like to defend against such a theoretical
malware. The question may be limited to text files.<br>
<br>
Things already considered:<br>
*The media is a CD, which will be written and then finalized. No
USB devices.<br>
*An artificial file will be added to the data file, to fill the
media as much as possible. This, however, leaves a part of the
disk capacity unused - the part used for the structure table
(what used to be FAT), which is a place where additional data
can hide.<br>
</div>
</blockquote></div>
Don't see how that helps.</div></blockquote><div><br>The point of the additional file is to leave little room for anything else. Regarding the FAT place: Assuming the CD ends up on an infected machine, or falls into the wrong hands (example: you want to make your client an offer on a CD, but you do not wish to give the client info about other offers you made; in this case the wrong hands are exactly the hands the CD goes to), the infected internal machine and the infected external machine agree on the interpretation of the extra space in the table sectors, and may communicate information through it. <br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div style="direction: ltr;" text="#000000" bgcolor="#ffffff"><div class="im"><br>
<blockquote type="cite">
<div dir="ltr">
*The CD will be read in two different machines, with two
different operating systems.</div>
</blockquote></div>
Try "copied". The CD will be burned on one machine. Only the
relevant files copied to another CD on a second machine, and again
on a third machine. If any of these machines are not infected then
only the information you think is there will actually be there.<div class="im"><br>
<blockquote type="cite">
<div dir="ltr"> One of the systems will be a bootable linux disk,
to preserve its (hopefully) initial not-infected status. The
listing of files will be performed including hidden files (ls
-la in Linux). The person who wrote the files will read them, to
verify they contain the correct information.<br>
</div>
</blockquote></div>
If you copy the files rather than only read the disc, this step
becomes, thankfully, unneeded.<br>
<br>
I think you mis-stated your security concerns, though. Assuming I
can guess the reason for this requirement, I think you will not be
able to satisfy yourself that the same unknown that has infected
your computer has not also infected the Linux image you are booting
from or the USB controller that does the actual writes. Depending on
your level of paranoia (and when it comes to such scenarios,
"paranoia" is the only conceivable description), I would suggest the
following:<br>
<br>
The only way to avoid going into a loop over what an infinite
resources theoretical attacker might do is to use a media that can
have no room for hitchhiking information. My suggestion - print it
out and OCR it on another machine. I seem to recall a distant story
about PGP writing a program that did OCR helping during the printing
(MD5 of the line, or something like that), but I doubt your paranoia
will not suspect that that very same program also puts in unwanted
information into that area.<br>
<br>
Of course, you might still claim that the virus will use one dot
errors (either black pixels where white ones should have been or
vice versa) in order to leak information out. Some careful math can
put a limit on just how much information can leak this way before
the dots themselves become noticeable, and hopefully we can prove
that not enough information can leak to pose a real risk (i.e. -
decide that the attacker can get all the information she wants that
can fit inside 10 bytes, and we can live with that).<br>
<br>
Shachar<br>
<br>
<blockquote type="cite"><div class="im">
<div dir="ltr">Questions:<br>
What else should I do?<br>
What about a malware compressing the data, using the extra space
for additional data?<br>
If I compress the data to avoid further compression, how can the
person verify it contains exactly what it should?<br>
What can I not defend against?<br>
Are such malware as I imagine known? For Linux? Windows?<br clear="all">
<br>
Thanks for considering the problem,<br>
-- <br>
Orna Agmon Ben-Yehuda.<br>
<a href="http://ladypine.org" target="_blank">http://ladypine.org</a><br>
</div>
</div><pre>
_______________________________________________
Linux-il mailing list
<a href="mailto:Linux-il@cs.huji.ac.il" target="_blank">Linux-il@cs.huji.ac.il</a>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a>
</pre>
</blockquote>
<p><br>
</p>
<br>
<pre cols="72">--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
<a href="http://www.lingnu.com" target="_blank">http://www.lingnu.com</a>
</pre>
</div>
</blockquote></div><br><br clear="all"><br>-- <br>Orna Agmon Ben-Yehuda.<br><a href="http://ladypine.org">http://ladypine.org</a><br>
</div>
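<p>The thread leaves one practical question open: once the files have been copied onto a medium, how does the person verify that the medium holds exactly the intended files (hidden ones included) and nothing else? The script below is an added example written for this page, not code from either participant: it builds a manifest of every regular file under an export directory (relative path, size, SHA-256), then checks a mounted medium against that manifest and reports files that are missing, extra, or modified. The directory layout, file names and contents in <code>demo()</code> are constructed for the demonstration. One caveat the thread itself raises still applies: the manifest is only as trustworthy as the machine that built it, so it should be generated on the cleanest machine available and carried separately from the medium (for instance printed, as Shachar suggests for the data itself).</p>

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (size, sha256) for every entry under root.

    os.walk lists dotfiles like any other name, so hidden files are covered
    without a separate 'ls -la' pass.  Symlinks and special files are recorded
    with a marker instead of a hash so that they still show up as 'extra' on a
    medium that should contain plain files only.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                manifest[rel] = ("symlink", os.readlink(p))
            elif not p.is_file():
                manifest[rel] = ("special", None)
            else:
                manifest[rel] = (p.stat().st_size, sha256_file(p))
    return manifest


def verify_media(mount, manifest):
    """Compare a mounted medium against a manifest built on the export machine.

    Returns a report with sorted lists of missing, extra and modified paths and
    an 'ok' flag that is True only when the medium matches the manifest exactly.
    """
    found = build_manifest(mount)
    expected, present = set(manifest), set(found)
    report = {
        "missing": sorted(expected - present),
        "extra": sorted(present - expected),
        "modified": sorted(rel for rel in expected & present if found[rel] != manifest[rel]),
    }
    report["ok"] = not (report["missing"] or report["extra"] or report["modified"])
    return report


def demo():
    """Constructed scenario: a clean copy, then a copy with a planted hidden file and a modified file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "export"      # directory prepared for export (constructed)
        media = Path(tmp) / "cd"        # stands in for the mounted CD (constructed)
        (src / "offers").mkdir(parents=True)
        (src / "offers" / "client_a.txt").write_text("Offer for client A\n")
        (src / ".notes.txt").write_text("hidden but intended\n")   # intended dotfile
        manifest = build_manifest(src)

        shutil.copytree(src, media)     # copytree copies dotfiles too
        clean = verify_media(media, manifest)

        # Simulate what the thread worries about: an unwanted hidden file and
        # an altered intended file appearing on the medium.
        (media / "offers" / ".client_b.txt").write_text("not intended\n")
        (media / "offers" / "client_a.txt").write_text("Offer for client A\nextra line\n")
        tampered = verify_media(media, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy ok:", clean["ok"])
    print("tampered copy:", {k: v for k, v in tampered.items() if k != "ok"})
```

<p>When used for real, run <code>build_manifest</code> on the export directory, record its output off the machine, then run <code>verify_media</code> against the CD's mount point on the second (ideally live-booted) system; an <code>ok</code> of <code>False</code> with a non-empty <code>extra</code> list is exactly the case the original question is about. The check covers file content only, not unused sectors or filesystem metadata, which is why the copy-to-a-fresh-CD step from the thread is still needed.</p>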