9

Other than standard security "best practices" like having a good firewall, strong admin password, ensuring the latest security patches, and upping router security, is there anything more specific that can help prevent (specifically) a BIOS rootkit via Ubuntu?

Pablo Bianchi

5 Answers

6

Be careful with installing software from unknown sources.

You might get more security ideas by looking at this project:

https://en.wikipedia.org/wiki/Qubes_OS

That project is developed by security experts.
The idea is to isolate work, home, play etc.

You can use this isolation idea yourself already by using a VirtualBox, KVM or QEMU guest install for "play", therefore having some isolation from your real important things.

Do you have rkhunter installed? It is a rootkit detection program. You can install it and run

sudo dpkg-reconfigure rkhunter

to adjust the settings to your taste. You can also install the chkrootkit package, but chkrootkit might give you more false alarms (depending on which other programs you install or have running; this is okay if you can find out what is causing the false alarm).

http://packages.ubuntu.com/search?keywords=rkhunter

https://en.wikipedia.org/wiki/Rkhunter

Furthermore you can also install Lynis to perform a security check on your computer.

https://en.wikipedia.org/wiki/Lynis

Eliah Kagan
albert j
4

AFAIK there has been no observation of BIOS rootkit malware in the wild so far, only other rootkit types. So in that aspect your question sounds pretty hypothetical at this point, but I'm going to indulge you anyway.

All the things you're listing as examples are general security advices against all types of malware.

If you're looking for defences specifically against malware in the BIOS then your best option is Secure Boot which helps to prevent the injection of unsigned boot loaders and kernel modules into the boot process. This assumes that the BIOS rootkit managed to place itself into the system firmware but not to disable or circumvent Secure Boot. This situation may happen if the malware comes in form of a UEFI module that doesn't modify the behaviour of the core UEFI firmware.

Other than that, don't run untrustworthy software in a trusted environment – especially not as super-user or in the kernel – and don't give untrustworthy people physical access to your machine, lest the trusted environment is tainted to become untrustworthy itself.

David Foerster
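A way to check the state the Secure Boot advice above depends on, as an added example that is not part of the original answer: it reads the SecureBoot and SetupMode UEFI variables through efivarfs, which is the same information mokutil --sb-state reports. The variable GUID is the standard EFI global variable GUID; the directory parameter exists only so the function can be exercised on a constructed tree, and the attribute bytes written in the test are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the Ask Ubuntu answer): read the UEFI SecureBoot
# state via efivarfs. efivarfs prepends a 4-byte attributes field to every
# variable, so the first data byte sits at offset 4.
EFIVARS_DEFAULT=/sys/firmware/efi/efivars
SB_VAR=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
SETUP_VAR=SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE: print the first data byte of an efivarfs variable as a
# decimal number.
efivar_byte() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# secureboot_state [EFIVARS_DIR]: prints one of
#   legacy   - no SecureBoot variable (BIOS/CSM boot; Secure Boot cannot apply)
#   disabled - SecureBoot=0 (unsigned boot loaders are accepted)
#   setup    - SecureBoot=1 but SetupMode=1 (no keys enrolled; nothing enforced)
#   enabled  - SecureBoot=1 and SetupMode=0 (signatures are enforced)
secureboot_state() {
    dir=${1:-$EFIVARS_DEFAULT}
    if [ ! -f "$dir/$SB_VAR" ]; then
        echo legacy
        return 0
    fi
    sb=$(efivar_byte "$dir/$SB_VAR")
    if [ "$sb" != "1" ]; then
        echo disabled
        return 0
    fi
    setup=0
    if [ -f "$dir/$SETUP_VAR" ]; then
        setup=$(efivar_byte "$dir/$SETUP_VAR")
    fi
    if [ "$setup" = "1" ]; then
        echo setup
    else
        echo enabled
    fi
}

# Stand-alone use: report this machine's state.
secureboot_state
```

The "setup" case is the one people miss: a firmware can report Secure Boot as on while still being in setup mode with no platform key enrolled, in which case nothing is actually verified.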
3

Nope, you've covered all the bases already.

Provided you understand and follow basic security protocols (as you've discussed in your post) and prevent unauthorized people from using your machine, there isn't much else you can do to prevent rootkits or similar.

The most common entry point on a well-maintained and sanely designed system would be through the use of zero-day or disclosed-but-not-yet-fixed exploits, but these are mostly unavoidable.

The one further piece of advice which may be of use is to avoid creating an unnecessary surface for attack. If you don't need something installed, get rid of it to prevent it from being used against you. Same goes for PPAs and similar. Plus, it helps clean up your machine and make it easier to administer.

Otherwise, install and use rkhunter and similar defensive strategies, and just keep doing what you're normally doing. Linux's permission isolation is inherently safe, so unless you're doing something to violate that (like running everything you can with sudo), arbitrarily running executables, or using unknown/untrusted PPAs, you should be fine.

As for avoiding BIOS rootkits specifically, check if your BIOS has a "signature verification" mode or similar. Such a mode will prevent your BIOS from updating unless it detects a valid cryptographic signature, which is usually only present on legitimate updates from your manufacturer.

Kaz Wolfe
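An inventory script for the attack-surface point about PPAs, as an added example that is not part of the original answer: it lists every enabled apt source that does not point at the official Ubuntu archive or one of its country mirrors, so you can decide which ones you still need. It assumes the one-line ".list" format (not the deb822 ".sources" files newer releases also accept); the apt directory is a parameter so it can run against a constructed tree, and the sample entries in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer: list enabled apt sources
# outside the Ubuntu archive. Reads sources.list and sources.list.d/*.list.

# third_party_sources [APT_DIR]: print "file uri suite" for each active
# "deb" line whose host is not archive.ubuntu.com, security.ubuntu.com or a
# country mirror such as us.archive.ubuntu.com. Comments and deb-src lines
# are ignored; an optional [arch=... signed-by=...] block is skipped.
third_party_sources() {
    aptdir=${1:-/etc/apt}
    for f in "$aptdir"/sources.list "$aptdir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        # drop comments first so a commented-out deb line is not counted
        sed -e 's/#.*//' "$f" | awk -v file="${f##*/}" '
            $1 == "deb" {
                i = 2
                # skip a bracketed options block, which may span several fields
                if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
                uri = $i; suite = $(i + 1)
                split(uri, parts, "/")
                host = parts[3]
                if (host !~ /(^|\.)(archive|security)\.ubuntu\.com$/)
                    print file, uri, suite
            }'
    done
    return 0
}

# count_third_party [APT_DIR]: number of such entries, handy for a quick gate.
count_third_party() {
    third_party_sources "$1" | wc -l | tr -d ' '
}

# Stand-alone use: report this machine's third-party sources.
third_party_sources
```

Each line it prints is a repository whose maintainer can ship a package that runs as root on your machine at the next upgrade; if you cannot say who that is and why you trust them, that is the entry to remove.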
2

Yes, don't download and run that rootkit. It is pretty easy to get a rootkit: download it, compile it if it is source, run it and give it your admin password (...).

Ubuntu Software Center is free of rootkits, viruses and malware. Launchpad PPAs are not as safe as USC, but they have a good track record. Do some investigation of the PPA you add (i.e. check Ask Ubuntu, ubuntuforums and the like for reviews from other users).

Don't randomly download software. Don't use Windows. Don't use WINE.

And in my opinion rootkit detectors are a waste of resources. Even IF they ever detect a rootkit, you will have to wade through so many false positives that it makes it useless. Feel free to think differently, but I have yet to see anyone actually finding a rootkit, let alone one that targets the BIOS from Linux. The topics on the web related to Linux and rootkits where it ends up being false positives far, far, far outweigh the topics where there is an actual rootkit. Waste of resources. Seriously.

If you do believe a rootkit detector is a good thing you should install TWO of them and compare the results. If one claims there is a rootkit and the other does not you can assume it is a false positive. And even if both claim there is a rootkit it is more than likely to be a false positive.

Rinzwind
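The rkhunter/chkrootkit suggestion in the first answer and the "install two and compare" advice just above both come down to the same mechanical step, so here is one added example (not code from either answer) that does it: it pulls the file paths each tool flagged out of its output and reports which paths both agree on. It expects rkhunter's log lines in the form "[HH:MM:SS] Warning: ..." and chkrootkit lines containing "INFECTED" or "Warning:"; the sample logs in the script and the test are constructed and contain no real detections. One known gap, relevant to the false-positive discussion: rkhunter sometimes puts the path on a following indented "File:" line, and a single-line scan misses those.

```shell
#!/bin/sh
# Added example (not from either answer): cross-check the paths rkhunter
# and chkrootkit flagged. Inputs are files so the script runs offline.
export LC_ALL=C   # sort and comm must agree on collation

# flagged_paths FILE PATTERN: absolute paths found on lines matching PATTERN
flagged_paths() {
    grep -E "$2" "$1" | grep -oE '(/[A-Za-z0-9._-]+)+' | sort -u
}

rkhunter_paths()   { flagged_paths "$1" '^\[[0-9:]+\] Warning:'; }
chkrootkit_paths() { flagged_paths "$1" 'INFECTED|Warning:'; }

# cross_check RKHUNTER_LOG CHKROOTKIT_LOG: one line per flagged path with a
# verdict. A path only one tool dislikes is the usual false-positive shape;
# a path both flag deserves a look before you dismiss it.
cross_check() {
    rk_paths=$(mktemp); ck_paths=$(mktemp)
    rkhunter_paths "$1" > "$rk_paths"
    chkrootkit_paths "$2" > "$ck_paths"
    comm -12 "$rk_paths" "$ck_paths" | sed 's/^/BOTH /'
    comm -23 "$rk_paths" "$ck_paths" | sed 's/^/rkhunter-only /'
    comm -13 "$rk_paths" "$ck_paths" | sed 's/^/chkrootkit-only /'
    rm -f "$rk_paths" "$ck_paths"
}

# demo: run the cross-check over constructed sample logs (not real detections).
demo() {
    rk_log=$(mktemp); ck_log=$(mktemp)
    cat > "$rk_log" <<'EOF'
[10:21:33] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[10:21:40] Warning: Hidden file found: /etc/.java: directory
[10:21:45] Warning: Suspicious file: /sbin/init: modified
[10:21:46] Info: Found file '/usr/bin/unhide'
EOF
    cat > "$ck_log" <<'EOF'
Checking bindshell... not infected
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking chkutmp... chkutmp: nothing deleted
EOF
    cross_check "$rk_log" "$ck_log"
    rm -f "$rk_log" "$ck_log"
}

demo
```

On a real system point the two functions at /var/log/rkhunter.log and at a saved copy of chkrootkit's output. The "BOTH" lines are the short list worth verifying by hand (package checksums via debsums, or a known-good live medium); the "only" lines are where the false positives the answer above describes usually land.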
2

If you use wired Ethernet on an Intel vPro CPU (Intel Core i3, i5, i7 and others) you may not be aware of the "Intel Management Engine" - a separate CPU and processing environment connected to the hardware Ethernet port.

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

This subsystem is able to:

  • "Remotely redirect the system's I/O via console redirection through serial over LAN (SOL). This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes."
  • "Access and change BIOS settings remotely. This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is designed to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings."

This seems to give physical Ethernet essentially physical access to the device. If you are concerned, perhaps leave the device unplugged from Ethernet.

While I can see some of the usefulness of all this in a corporate environment there could be some problems with a subsystem like this... Google "intel management engine vulnerability" and you'll find many links.
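A first look at whether the subsystem described above is even visible from the Linux side, as an added example that is not part of the original answer: it checks whether the kernel's mei_me driver is bound to a PCI device and reads the firmware version string the mei driver exports under /sys/class/mei. The sysfs root is a parameter so the functions can be tested on a constructed tree; the version string in the test is constructed. Absence of the driver does not prove the Management Engine is absent or disabled (it may simply be unbound or blacklisted), and presence only tells you the host interface exists, not whether AMT has been provisioned.

```shell
#!/bin/sh
# Added example, not from the answer: detect the Management Engine host
# interface (MEI) from sysfs. Paths follow the in-kernel mei driver.

# mei_devices [SYSFS_ROOT]: print the PCI addresses bound to the mei_me driver.
mei_devices() {
    root=${1:-/sys}
    drv="$root/bus/pci/drivers/mei_me"
    [ -d "$drv" ] || return 0
    for link in "$drv"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f]:*; do
        [ -e "$link" ] || continue
        echo "${link##*/}"
    done
    return 0
}

# mei_firmware_version [SYSFS_ROOT]: ME firmware version as exported by the
# driver under class/mei/mei0/fw_ver (one line per firmware component).
mei_firmware_version() {
    root=${1:-/sys}
    f="$root/class/mei/mei0/fw_ver"
    if [ -r "$f" ]; then
        cat "$f"
    fi
}

# mei_summary [SYSFS_ROOT]: "present" if the host interface is bound, else "absent".
mei_summary() {
    n=$(mei_devices "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo present
    else
        echo absent
    fi
}

# Stand-alone use: report this machine's state.
mei_summary
mei_firmware_version
```

If it reports "present", the firmware version is what you compare against your vendor's advisories when you follow the search the answer suggests; the NIC-side management ports themselves are not visible from the operating system, which is exactly why the answer's "unplug it" advice is the only host-local mitigation.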