One of my favorite websites – Lifehacker.com – posted a story today about how easy it is to break into a PC or Mac and how to prevent it. The videos are good examples of what can be done when a computer is booted with a disc containing another operating system. We discuss this and even do it in Learning Tree Course 468, System and Network Security Introduction.
The usual countermeasure to this kind of attack is to encrypt the drive. That works, but there are other solutions.
First, if you are protecting servers, keep them physically secure! Nobody can slip a CD or DVD into a drive of a computer they cannot physically access. Fortunately most companies keep their servers in a locked server room or in locked “cages”. These solutions both prevent the kind of attacks described in the videos (along with a host of others, including inserting USB devices).
It’s not always possible to lock all computers in a secure room. It is impractical for users and not always friendly to the business. (I once worked in a “vault”. The room had a door like a safe and we were locked in for an hour or so at a time. Those were secured devices in there.) So we need to find a method to reduce the probability an attacker booting a computer from a removable device.
PCs boot through instructions in its BIOS. Briefly, the software in the BIOS looks for bootable devices in an order generally specified via a user-configurable interface. The first device in the list that is connected and has instructions for starting the computer is chosen. The list contains devices such as a hard drive or solid state disc, a network card, a USB device, a CD/DVD drive, and so forth.
If a removable drive is higher in the boot list than the hard drive or solid state disc, it will be booted first. This allows other operating systems that can access the hard drive to be booted. That other OS (e.g. Linux) can access the hard drive ignoring any notion of permissions, if it chooses. It can even change or remove passwords. If the hard drive is first, it will always be the first device to start (unless it gets corrupted, of course).
If the hard drive is first, then the attack is thwarted, right? Not necessarily. If an attacker can reboot the computer she can tell the bios to boot first from a removable device. That is, unless the BIOS configuration (with the boot order) is password protected. In that case the only way to re-configure the BIOS is to open the computer case and do something such as connect a couple of chip pins to each other. A locked case can make this very difficult.
So, if you cannot lock up a computer or you don’t want to encrypt the drive, set a BIOS password. It’s easy to do and can provide another layer of protection. If you have more tricks to secure PCs, I’m all ears and I’m sure our other readers would love to hear them, too, so please share in the comments below.