Tuesday, March 18, 2008

BOSS 2.0 LiveCD owned / Bundestrojaner entdeckt

The BOSS LiveCD (BSI OSS Security LiveCD) is a bootable Morphix Linux
distribution basically with a nessus scanner and some other security tools.
Its distributed for administrators to check their network for vulnerabilities.
The aim is to make the network more secure.

However there is a backdoor: If you boot this CD in your network it sets up
the network interface(s) via DHCP. It also starts an OpenSSH daemon and guess what,
it has a DSA private key for the user 'slad' placed in slad's homedir. The passphrase
for this key is 'bosscd'. And... the root password to su to root after ssh login
(root login via SSH is disabled) is also 'bosscd'.
One may argue that this is a LiveCD system and this does not matter. Wrong! The laptop
you boot has got a harddisk! And you are behind the firewall!

So, if you are responsible for your network, DO NOT BOOT THIS CD. You are subject to
immidiate owning. It is very easy to scan whole class A networks for this DSA key
within a short period of time, so do not think that "just running it half a hour" is short enough
for you to survive.

More info about the BOSS CD/Bundestrojaner here.

After contacting the "Bundesamt für Sicherheit in der Informationstechnik" (BSI) they responded
and included a security notice about the LiveCD in their website. Although I do not think
that, due to automatic WLAN setup during boot, a splitted testing environment is possible,
I recognize that they reacted within one day which is very fast for a government agency.