HP biased against BIOS password security

HP has come under fire for nullifying BIOS password protection steps on laptops by publishing reset data on its website. UK-based security consultancy SecureTest compared the approach to hiding a front door key under a welcome mat. Security breaches resulting from stolen laptops have hit the headlines repeatedly over recent …

COMMENTS

This topic is closed for new posts.
  1. Steven Knox
    Boffin

    In the REAL world

    "... in reality security is about in-depth defence. Each layer of the security onion needs to be as impenetrable as possible," Ken Munro, a director of SecureTest, explained.

    So he would argue that cops should be required to wear bulletproof shirts under their bulletproof vests?

    In reality, there are finite resources available, so security is about minimizing risk by focusing effort on pieces which best complement each other to cover as many holes as possible (starting with the most likely and/or most at risk.)

    BIOS passwords essentially cover the "boot" option, which is also covered by HDD passwords. But HDD passwords cover many more holes, and do a better job overall. So the BIOS password at this point is redundant, and time would be better spent covering other holes.

  2. vincent himpe

    ehh ..

    BIOS passwords do not protect the data. They render the machine unusable.

    Just yank the drive out , plug into a working pc and off you go.

  3. Cameron Colley

    Front door?

    Front gate, surely? The days are over when anyone should rely on anything but encryption.

  4. Daniel B.
    Coat

    Stupid users

    I think it might be more of an issue that HP must have been overwhelmed by zillions of users forgetting their BIOS password.

    Back in 1998 (10 years ago, wow!) one guy in school feared a "hacker" (which I would rather call "script kiddie") would hack his laptop, so he decided to set the BIOS and HDD password on his IBM Thinkpad. Only to forget said password ... 60 *minutes* later.

    Setting aside the sheer ignorance of thinking that a BIOS password would protect your laptop from the net, we found it even funnier that this guy was effectively locked out from his 15-day-old laptop; which remained locked for at least one full year. In fact, none of us ever knew if he was able to get it working again.

  5. Solomon Grundy

    Security Onion

    I prefer the sweet yellow onion myself. Ogres are also like onions and life is like a box of chocolates.

    On a serious note, I'm not sure that comparing security to an onion does a lot to help people take IT security more seriously. While the analogy may be relevant, it doesn't sound very "critical".

  6. Aaron
    Paris Hilton

    Stupid users

    They probably did this because they get so many stupid users locking their systems then forgetting their passwords. I see it all the time, people come to me with their laptops they bought but forgot the password.

    They call their support lines and get told to send it to x place or pay y money to get it fixed. Normally these prices are really high for something simple. The data on the hard drive is almost never the issue, people don't care about their pictures that they have someplace else any way as much as they care about having a dead laptop because they forgot their password.

    Such information should be public, but the reset procedures should not be easy (ensuring it's not just a lame back door password that thieves can use).

    Paris, because I'd love to try her back door.

  7. DaveK
    Alert

    Oh come on now...

    >"HP has come under fire for nullifying BIOS password protection steps on laptops by publishing reset data on its website."

    And you have to be TOLD that we want to see the link? Sheesh, you don't seem to know us readers very well by now...

  8. Zach
    Flame

    Pffft

    Every week an average IT dept will have to pull the drive from any number of laptops to get data from corrupt OS or forgotten BIOS or OS passwords. Most now don’t remove the drive if it’s just a password thing, saving the industry millions*.

    Once the hardware becomes physically compromised you’re shovelled.

    Things like EFS / OCS and proprietary full HDD encryption work well, but the fact is, users can’t remember passwords. Period. Allowing users to encrypt their own data is career suicide.

    Laptop self destruct is a better principle, have them explode (or at least smoulder a little) if a DC is not contacted within 5 minutes after power-on. On a grander scale, have hard drives with programmable pins on the SATA / IDE logic so that if the pins aren’t connected in the correct order, the laptop self-terminates.**

    Stopping people getting BIOS resets, beep codes or manuals is just silly. Imagine your Sky Plus not allowing you to record “Last of the Summer Wine”? You'd probably just stay up.***

    *Probably.

    **Wishful

    *** Tentative

  9. ratfox

    Security onion

    Of course, if each layer-making company points out the holes in the other layers, so as to be able to claim that theirs is the most important, it does not help... >_>

  10. Henry Wertz
    Gold badge

    I had a machine do this...

    "Laptop self destruct is a better principle, have them explode (or at least smoulder a little) if a DC is not contacted within 5 minutes after power-on"

    I had an IBM do this... in my case, it just made an otherwise sellable surplus computer worthless, but... we got a few Thinkpads in. Found this one wasn't working fully and cracked it open to see why. Wrong move! It turns out, after looking on IBM's web site, that these few Thinkpads had an option so they would check for a particular radio signal, and not power up if the signal was absent. (If the department had a clue they would have turned this off in the BIOS before they sent in the machine.) Additionally, they were tamper-resistant, so when I opened it up to see what was wrong it blew the motherboard.

  11. Anonymous Coward
    Black Helicopters

    I rather suspect...

    ...the real reason for the HP utterances to reflect a current state of affairs, where suits all of a sudden became "aware" of several problems regarding BIOS password security, meaning they somehow acquired the dangerous amount of knowledge where they still don't know zilch, yet somehow just about enough to severely disrupt day to day operation with their opinion.

    The facts:

    There are two common ways to store a password (or a hash), as far as BIOS password security goes:

    1.) The CMOS RAM.

    2.) The BIOS flash

    1. is the legacy method and suffers from the limitation that once system battery power is removed/disrupted, the password/hash will be gone, along with the information that there was one to begin with.

    2. suffers from the proposition that it should not be possible to render a PC unusable by incidents happening during a flash BIOS update. Since writing a password/hash to the BIOS flash can (in theory) be interrupted the same way as any BIOS flash update operation can, there is either:

    2a.) If that happens, you are FUBAR

    2b.) The board has a bootblock/"recovery BIOS"... whatever... which will readily allow one to re-flash the system BIOS and hence overwrite any password/hash, including the information that there was one to begin with.

    There is more stuff suffering from this very same chicken and egg problem. You are either secure, but not recoverable, or you can recover, but are not entirely secure.

    I forgot 3.) The password hash is like 14-16 bits and the latter is even displayed to the end user if, during compile time, you set some BIOS switches accordingly.

    Takes the better part of a millisecond to create a password that produces this hash. Not exactly "brute" force.
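The arithmetic behind point 3 above, as an added example that is not part of the post: a constructed 16-bit digest (a multiplicative hash truncated to 16 bits, standing in for whatever the real firmware used, which the post does not name) has only 65536 possible values, so any digest is matched by some short string almost immediately, and many distinct passwords share one digest. The password "zulu" and the lowercase search alphabet are constructed sample values.

```python
# Added example, not from the post: a constructed 16-bit digest standing in
# for the "14-16 bit hash" described above. No real firmware algorithm is used.
import itertools
import string

DIGEST_BITS = 16
DIGEST_SPACE = 1 << DIGEST_BITS  # 65536 possible digest values


def toy_digest(password: str) -> int:
    """Constructed 16-bit digest: multiplicative hash truncated to 16 bits."""
    h = 0
    for byte in password.encode("utf-8"):
        h = (h * 31 + byte) & (DIGEST_SPACE - 1)
    return h


def find_preimage(target: int, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Return (candidate, attempts): the first string, in search order, whose
    digest equals target, or (None, attempts) if none exists up to max_len."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if toy_digest(candidate) == target:
                return candidate, attempts
    return None, attempts


def distinct_digests(alphabet: str = string.ascii_lowercase, length: int = 4) -> int:
    """Count distinct digests over every length-N password from the alphabet.
    Pigeonhole: 26**4 = 456976 passwords map onto at most 65536 digests, so
    the stored value cannot identify which password was set."""
    return len({toy_digest("".join(c)) for c in itertools.product(alphabet, repeat=length)})


if __name__ == "__main__":
    original = "zulu"  # constructed sample password
    stored = toy_digest(original)
    found, attempts = find_preimage(stored)
    print(f"stored digest 0x{stored:04x}; '{found}' matches after {attempts} tries")
    print(f"{distinct_digests()} distinct digests for all 26^4 four-letter passwords")
```

Because the original password lies inside the search space, `find_preimage` is guaranteed to return a match, and on average it does so in about 65536 attempts, which is why a check against a 16-bit value is not a meaningful password check at all.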

  12. Anonymous Coward
    Thumb Down

    HP, Compaq, Digital have been doing this for decades!

    HP, Compaq, Digital have supplied documentation on how to reset BIOS passwords for decades!

    It's not a security risk and it saves a helluva lot of money.

    BIOS passwords do not protect companies from data theft - they simply render the computer unusable. Not that great when the user is on the other side of the world and has forgotten their password. Anyone who enables BIOS passwords is completely nuts! There are so many other alternatives that actually improve security.

  13. Robin Bradshaw

    Even the ATA password on the HDD is not perfect

    Using the BIOS password to secure data is a really bad idea; your average end user is crap at remembering passwords, so more often than not BIOS passwords are only effective at locking the owner out of their own machine.

    This is usually followed by the user phoning tech support for the machine and becoming apoplectic after being told how much a password reset will cost.

    So they then set about finding someone who will hack the password for them for less than the fee tech support charge.

    This ensures that there is a market for hacking laptops and at the same time ensures that laptop passwords are ineffective.

    Even the ATA passwords on hard drives aren't totally effective; certainly the drives used in the Xbox could have the password bypassed:

    http://www.llamma.com/xbox/Unlocking%20Seagate%20Xbox%20Hard%20Drive.htm

    I guess there's no real answer to security when the end user is the problem, but perhaps having a remote keyfob to activate your laptop (like the one for your car's alarm/immobiliser) would improve things. It's easy for someone to forget a password, but they are less likely to lose a fob on the same keyring as their car keys.

  14. chris
    Coat

    perfect analogy

    "I'm not sure that comparing security to an onion does a lot to help people take IT security more seriously."

    But when you break through the skin of an onion, it makes people cry.

  15. Stu
    IT Angle

    This whole article is bogus.

    Does anybody (the article author included) want to explain to me exactly how BIOS passwords should be regarded as a security measure at all!?

    I expand this further to include even Windows login and user permissions.

    Just try it - take a normal unencrypted NTFS volume with some files on it and set some heavy user access permissions to prevent users seeing them. Take it out of the PC and install it into another one, then gasp in awe as all the files show up in Explorer, visible for all to read and copy!!

    After all, it's important customer and government data which is being compromised; the hardware is secondary to this and renders BIOS protection totally irrelevant.

    Amazing bandwagon jumping there John Leyden. Journo awards coming your way?

    IT icon cos you guys really need to learn it!

  16. Imr Ahm
    Thumb Up

    fobbed

    The transponder fob idea's not bad and could mean no more need to remember any passwords, plus if you walk away from the laptop/PC the computer would autolock and unlock as you approach.

  17. Dave
    Boffin

    Stu stu stupid rant...

    ... ooh dear!

    think b4 u leap, there, Stu:

    "take a normal unencrypted NTFS volume with some files on it and set some heavy user access permissions to prevent users seeing them. Take it out of the PC and install it into another one, then..."

    kinda depends on just exactly HOW those heavy, heavy user permissions are deployed in your forest, don't it?

    try that stunt at my place, Stu - then gasp in awe as precisely the same permissions are applied ;-)

  18. Anonymous Coward
    Anonymous Coward

    Stu, stu, stu... not necessarily

    If you apply DENY permissions to all, and ALLOW permissions to specific users, those files will NOT be accessible to you.

    Try it. I had that on a Samsung laptop, and when I tried to get the stuff off my laptop drive after the laptop died, I couldn't. Only once Samsung managed to revive the laptop and I removed said restrictions, did I get my data back.

  19. Mister Cheese
    Paris Hilton

    Use for HDD passwords?

    To prevent nasty things installing stuff on the boot sector without you knowing about it?

    Paris, cos I bet her hard-drive's not password-protected.

  20. Chris C

    re: In the REAL world

    So you're saying that because a BIOS password only prevents the system from booting, that it shouldn't be used? My, what hideous shortsightedness. I suppose you are also in favor of removing manual door locks and replacing them with fingerprint and iris sensors (if those sensors were secure and accurate)? Heck, let's eliminate all passwords, too, and rely solely on fobs such as SecurID since those are more secure.

    Just out of curiosity, do you happen to use Norton Internet Security? After all, it covers more holes than just an antivirus app and is better overall (depending on your definition of "better").

    As for those people who say we should all be using full-disk encryption, and that BIOS passwords (and even Windows login passwords) are useless, and so should not be used... I'm sure it comes as a great shock, but such measures are not only used to prevent your hard drive from being used if the notebook is stolen. Said measures are an easy way of keeping the general populace from accessing your data (say, your roommate when you're at the pub, or your children while you're at work, etc). Full-disk encryption is a bit overkill to prevent little Johnny from accessing the computer without supervision.

  21. Chris Willhoite

    Toshiba laptop BIOS

    I don't know about the current batch of Toshiba laptops, but the ones we used in the early 90's were laughably easy to reset the BIOS passwords on. All you needed was a floppy disk, floppy drive and a hex editor. Edit the boot sector of the floppy to the right key-phrase and reboot with it in the drive. Instant password reset.

  22. antony3383
    Coat

    at AC

    There are ways round permissions set in windows you know...

    When I first tried Vista, I couldn't access some of the files from my XP partition. But hey, my Linux installation could see everything, and I could move, edit and delete protected files no worries!

    At my old work, we had a Ubuntu box connected to the network, which wasn't supposed to be connected... It could see the Windows network and access everything, even though some folders had restrictions...

    Bloody thing couldn't see any printers though...

    Setting permissions is going to stop average Joe, however, if someone really wants access, they'll find a way.

    Passwords are only as good as the memories of those who have to remember them... Simple people tend to have simple passwords, or have them written somewhere close to hand. My old boss used to keep all the passwords in her desk drawer, which was never locked.

    Goes to show doesn't it?

    Mine's the coat with passwords in the pocket ;0)

  23. Wize

    Recovery from a fault

    "Full disc encryption is the right thing for laptop security, but vendors often forget to mention the ATA-3 (or ‘drivelock’) standard that effectively ‘locks’ the hard drive to the BIOS."

    So, if the PC dies due to a fault on the motherboard, it can't be plugged in to another machine to recover your data.

    Well, it will teach everyone to back up their data.
