[LBo] System Security (was: Curious about a security issue)

Brice Hunt shoalcreek5 at gmail.com
Mon Feb 12 06:59:49 CET 2007 

> Brice Hunt wrote:
>> Sam Morgan wrote:
>>> What you get is Not what you see wrote:
>>>> By the way password protecting the BIOS is not a good security 
>>>> measure.
>>>>
>>> because?
>>> it at least makes them open the case to edit the bios to allow the 
>>> floppy/cd to be bootable doesn't it?
>> Not necessarily. Some motherboard manufacturers have default 
>> passwords that can be used to access the bios, no matter what. A 
>> Google search will turn those up easily (even ones that weren't 
>> published in owner's manuals). Also, do a Google search for "bios 
>> password" and you will get /tons/ of hits all about defeating bios 
>> passwords.
>>
> where are we going with this?
> back to:
> "the only secure computer, is one that is not hooked up to anything....
> meaning the internet/intranet *OR* power cord to the AC mains?"

No, I'm just dispelling the myth that bios passwords even resemble a 
secure solution. If you want to really secure a machine, then the number 
one thing to do is secure the physical access to that machine. When you 
grant someone physical access, you are granting them the ability to 
override the bios, boot from other media, and have complete access to 
anything on the machine's hard drive that is not fully encrypted. The 
obvious solution is to grant physical access to a machine only if you 
can trust the person that will use it. Anyone that breaks that trust 
should have their privileges revoked. In other words, employees that 
violate company computer policies can be reprimanded/fired. Students 
that violate school computer policies can be suspended/expelled. (Of 
course, the policies need to be reasonable enough that the employee and 
the student can do their work without being overly encumbered.)

If you must grant usage rights to a machine for people that you cannot 
trust (e.g. at an unattended kiosk), then there are other ways of 
physically securing the computer that will keep people from using the 
type of boot-time attack that you are talking about. It involves a 
secure cabinet for the computer that blocks physical access to anything 
on the machine that an attacker could use to gain access to the bios and 
hard drive combined with a software setup that is quite restrictive.  If 
you want an example of this type of machine, go to your local department 
store and look for the wedding registry kiosk (although, the cabinets 
might not be completely restrictive as there are usually security 
cameras and security guards around).

Brice

More information about the QnA mailing list