February 9, 2009

Physical Security Matters

With all the talk of firewalls, anti-virus software, spam filters, and anti-spyware software, it is sometimes hard to remember one of the most important aspects of secure computing: keeping your computer in a secure location. I know what you are thinking: you use a strong password or a biometric lock on the computer, so even if it is stolen, your data will be safe. You are wrong.

Law #3 of Microsoft's 10 Immutable Laws of Security states:

"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"

I work on computers every day, and getting around passwords on desktops, laptops, and servers is so common it is routine. In fact, the only time it gets a second thought is if I have to do it remotely, but I sometimes take for granted that many people don't understand how easy it really is. I was reminded of this a few days ago, and it started with an urgent call.

A very good client of mine gave us a call because one of their colleagues was having some trouble and was in a pinch. He had been having some trouble with the fingerprint reader on his HP laptop. After calling HP support and spending several hours trying to troubleshoot the problem, they decided it would be best to just disable the fingerprint reader and see if they could prove that was the cause so they could get it replaced, so he did as support asked. The problem was, this person didn't know the password to his computer because he had been using the fingerprint reader for so long. Now he had a computer which needed a password he didn't know. He was in a panic. He was thousands of miles from his office, needed access to the info on his laptop to do business, and the best HP could do for him was ask that he mail them the computer and they would reinstall Windows for him. They were not hopeful when they called us, but have no fear... it's only a password after all. We asked the client to bring in his computer, and he did, barely grasping for hope as we assured him this wouldn't be an issue.

He came by the office and took a seat as he settled in for what he could only assume was going to be a battle. I took hold of the laptop, popped in my trusty password reset CD, booted to that oh so wonderful command line interface, set the local administrator password to blank, rebooted the computer and a few seconds later, was welcomed with that oh so familiar sound of Windows loading.

The client sat in astonishment. How was it that after hours on the phone with HP, being told there was no hope, we had now given him access to his data in under 5 minutes? He praised us, thanking us and singing our praises to our client, who in turn emailed our boss to let him know just how much they appreciated us being around.

Now I am good at what I do... but this was no major feat. Resetting passwords really is that easy. While doing it remotely can take hours, days or years against a properly secured system, once that computer is in my hands, it is only a matter of seconds before the data is mine.

So what can you do to prevent someone malicious from doing this to you?

  • Keep servers in a locked and secure environment which is monitored both electronically and by a human.
  • Keep desktops in safe areas, and if possible disable booting to a CD, floppy, or USB drive.
  • Set a BIOS password so the above setting can't be changed easily.
  • Keep your laptop within arm's reach, especially if on a business trip. Once that thing is gone, it is gone and so is your data.
  • Use encryption software on external drives so if they get lost or stolen, the data is still secure.
  • Use strong passwords, yes this is still important.
  • If possible, encrypt the data on your drive, or at least data in folders where critical data is stored.

So let this be a lesson. Security is not a single piece of software, and it is not an expensive firewall. It is good planning and a set of well-placed items to deter a thief, including the kind that sneaks in through windows at night.
