Message-ID: <423B0313.5000400@davewking.com>
From: davefd at davewking.com (Dave King)
Subject: Microsoft GhostBuster Opinions
Todd Towles wrote:
>But could this not be bypassed by running Tripwire from a bootable CD?
>The modified kernel would be inactive and therefore you would see the
>two separate files as opposed to just one. This is the idea that this
>new Microsoft product uses, but as people have stated, this can be done
>now with a combination of open-source products.
>
>-Todd
>
I agree that this can be done currently with open source (or at
least free) tools. Basically what GhostBuster was meant to do,
as far as I can tell, was to simply automate currently available tools.
With Linux it would be simple to come up with a completely open source
solution that would work great and could be easily downloaded as an
ISO. I suppose this may be possible with Knoppix, but the whole captive
needing to find an NTFS driver thing kind of slows the whole thing
down. It seems that the best solution for a Windows tool would be to
create a BartPE plugin that would do the trick.
GhostBuster does have some weaknesses, as have been pointed out, like
using "dir /a /s" instead of some type of secure hash. There are free
tools out there that can do these hashes and comparisons, like
Microsoft's file integrity checker. Tripwire is one of them, but for
Windows Tripwire is neither open source nor free.
Thanks,
Dave King
http://www.thesecure.net
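As an added illustration, not code from this thread or from the GhostBuster tool, of the cross-view comparison discussed above done with SHA-256 digests instead of "dir /a /s" listings: the same volume is walked once from the live session (the view a kernel rootkit can filter) and once from a bootable CD (the view it cannot), and the two views are diffed. The sample views and their digests are constructed placeholders, not real hashes.

```python
import hashlib
import os
import sys
from typing import Dict, List, Tuple

def snapshot(root: str) -> Dict[str, str]:
    """Walk `root` and return {relative path: sha256 hex digest} for every
    regular file. Run once inside the running OS and once with the same
    volume mounted from boot media, then compare the two with cross_view_diff."""
    view: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip sockets, devices, dangling links
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            view[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return view

def cross_view_diff(live: Dict[str, str],
                    offline: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (hidden, modified, phantom):
    hidden   - present offline but filtered out of the live listing,
    modified - listed in both views but read back with different bytes
               (a name-only "dir" comparison would miss these),
    phantom  - listed live but not found on the disk offline."""
    hidden = sorted(p for p in offline if p not in live)
    modified = sorted(p for p in offline if p in live and live[p] != offline[p])
    phantom = sorted(p for p in live if p not in offline)
    return hidden, modified, phantom

# Constructed sample views with placeholder digests (not real SHA-256 values).
LIVE_VIEW = {
    "Windows/explorer.exe": "aa11",
    "Windows/System32/drivers/ntfs.sys": "bb22",
}
OFFLINE_VIEW = {
    "Windows/explorer.exe": "aa11",
    "Windows/System32/drivers/ntfs.sys": "cc33",    # different bytes offline
    "Windows/System32/drivers/hidden.sys": "dd44",  # absent from the live listing
}

if __name__ == "__main__":
    # Usage: script.py LIVE_ROOT OFFLINE_ROOT ; with no args, diff the sample views.
    views = (snapshot(sys.argv[1]), snapshot(sys.argv[2])) if len(sys.argv) == 3 \
        else (LIVE_VIEW, OFFLINE_VIEW)
    for label, paths in zip(("hidden", "modified", "phantom"), cross_view_diff(*views)):
        print(label, paths)
```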