Skip

Is it possible to bypass a bios password without me knowing? How safe is my data?
June 5, 2006 4:25 PM   Subscribe

I have a desktop that is located in a semi-public place. I have a bios password and a windows password on it. Sometimes I leave it logged out of windows so that I can leave in the middle of a project without restarting everything again. I was wondering how hard it would be to get my data? Short of stealing the actual hardware, is there a way to get past a bios password and access my data without me knowing? (From what I understand, resetting the cmos would clear the password so I would know if someone got in.) Also, is it possible to get in if I leave it logged out of windows with a password? How safe is my data?
posted by D Wiz to Computers & Internet (28 answers total) 1 user marked this as a favorite
 
Your data may easily be stolen. One way to do this is to subtly insert a keystroke logger. There are hardware versions that fit between the connection of the keyboard to the computer, and they can log up to about 500,000 keypresses. Put one on one day, take it off the next, and your password has been stolen.
posted by Maxwell_Smart at 4:31 PM on June 5, 2006


This may seem obvious but why not keep the project on a USB key and take it with you?
posted by geoff. at 4:32 PM on June 5, 2006


Maxwell- That would not steal data only keystrokes, right?
Meaning if I have sensitive data that was not typed that day it wouldn't be stolen.

Geoff- Not practical for me.
posted by D Wiz at 4:42 PM on June 5, 2006


Maxwell's scenario would get a hacker your windows login password (well, bios too) pretty quickly, though, thus enabling access to all your data.
posted by misterbrandt at 4:44 PM on June 5, 2006


I didn't think of that. I was thinking it would only get windows keystrokes. Is there a way to stop that from happening?

Are there any other methods I should be worried about?
posted by D Wiz at 4:46 PM on June 5, 2006


Well the following are feasible:

1. Open the case, copy the drive. Put drive back in.

2. There are apps that can crack BIOS passwords (they use conventional cyptography afterall). You'd never know.

The only thing you can do is use strong public key encryption on your data and -never- store the private key on that computer. Like PGP. Now, of course, you really need to be careful of keyloggers as the attacker knows you have encrypted data on there, but if you access your private key via a USB drive you should be okay. The password to conventionaly unencrypt the private key is useless without the private key itself.
posted by skallas at 4:49 PM on June 5, 2006


D Wiz -- you can read about hardware keystroke loggers, e.g. KeyGhost. Pretty scary. Some have suggested super-gluing your keyboard cable to your computer to reduce the need to look for a logger before you login every time.
posted by misterbrandt at 4:50 PM on June 5, 2006


Is your BIOS password on bootup or just access to CMOS? If it's only on CMOS changes, and the PC has a bootable drive, someone could use ERD Commander to reset the windows password...
posted by nomisxid at 5:07 PM on June 5, 2006


I just stole your hard drive with all your data and since you haven't encrypted it your data is mine. Thanks.


Encrypt your data.
posted by caddis at 5:15 PM on June 5, 2006


This is Windows 2000 or XP, right? To unlock a locked Windows desktop, someone has to have your password, or they'll have to reboot, so at least you'd know. Bios password can be reset in hardware. You may choose to lock the case to prevent this. Hardware keyloggers are easy, but not terribly common.

Make it a little bit harder by locking your mouse and keyboard in the desk drawer when you leave. Password protect any really sensitive documents. Open the case, and remove the data cable from the floppy drive. Disable boot access from cd.

Make sure Windows file sharing is off. Name the workgroup something other then workgroup. Rename the administrator account and give it and your own account strong passwords. Rename the guest account administrator so if someone tries to get in as administrator, they have crap capability. Do not leave remote desktop running. Be certain the Windows firewall is on, with not too many exceptions.

You could set your own and renamed administrator account to have a normal login sound, and set any other account to have a loud sound attached to login and other actions. Just rename the windows login sound, and call your new .wav by the login sound name. We used to do this just to screw with co-workers, but you could find a siren .wav, or a make a .wav saying "Please stay out of my computer" or whatever. That would be fun.

Keep in mind the biggest danger is still hard drive failure and Back Up Your files.
posted by theora55 at 5:23 PM on June 5, 2006


If you haven't already, make sure that your BIOS won't boot off of CD, floppy, or USB. There are many tools out there that can recover Windows passwords, but they require a reboot of the machine.
posted by Eddie Mars at 5:29 PM on June 5, 2006


CmosPwd - bye bye, BIOS password.

Offline NT Password and Registry Editor - bye bye Windows passwords, including Administrator.

Hardware keyloggers are easier, though.
posted by obiwanwasabi at 5:36 PM on June 5, 2006


If you're worried about a hardware key logger (which you probably shouldn't be, I mean, that's really paranoid) all you have to do is use a USB keyboard. Just bring your USB keyboard with you and check the connection directly before typing. Like I said, though, that's super paranoid.

As far as software, they need to be able to get in and get access to the hardware before they can run any software to decrypt the BIOS.

Frankly if they have that level of access, I'd be a lot more worried about people simply stealing RAM or something.

There is a way of encrypting data in windows but it's risky, I've heard of people losing all their encrypted data because they lost their security certificates. If you use windows built in encryption make sure you back up your certificate files to a USB key.

The simplest thing to do would be to keep all your data on a USB key, but remember some of it might get cached somewhere on the hard drive.
posted by delmoi at 7:03 PM on June 5, 2006


You seem to be under the impression a BIOS password is for security. It's not. The only thing it's very effective against is making accidental changes to the system that would render it unusable.
posted by cellphone at 7:07 PM on June 5, 2006


If you have USB active you're screwed anyway, at least from a theoretical point of view. Misbehaving USB devices can read (and write) large swaths of system memory in most cases. The first step to security is physical security.
posted by fvw at 7:09 PM on June 5, 2006


To build off fvw's comment, having USB enabled under Windows (2000 or XP) is much more dangerous than most people know. Everyone knows about the dangers of autorun CDs, but not many people know how that it's possible to autorun programs with a USB thumbdrive or other USB device (if autorun's enabled). And even fewer know that you can bypass Windows XP's "protection" against autorun just by flipping a bit in the device's ROM & having it announce itself as a non-removable device. You can even buy thumbdrives with it already done for you, so all you need to do is drop in your autorun.inf & application you want it to run & you're good to go. So yeah, it's not only possible but actually it's not at all hard.
posted by scalefree at 8:05 PM on June 5, 2006


It's late, I forgot to add some remediation for you. Here's two things you can do. If you're a DIY type you can disable autorun completely. And if you're not that brave you can buy a program like Device Lock, which would protect you from all sorts of port-related vulnerabilities.
posted by scalefree at 8:29 PM on June 5, 2006


If the bad guys have physical access to your machine, your data is never safe. For example, if you encrypt your data and store the key on a thumb drive, the bad guys could pull the key out of memory or swap space.

The idea is that each thing you do (and there have been great suggestions in this thread) raises the bar -- it makes it more and more difficult (costly) for the bad guys to get to your data.

The key is to make the cost of getting your data higher than than value of your data. So what you should be asking yourself is how valuable is your data?
posted by event at 8:36 PM on June 5, 2006


There's a lot to be said for old fashioned padlocks for stopping the person just pulling the drive out. (Not that a $20 bolt cutter won't cut the cable, and a $40 one cut the lock.)

Of course, there's also a pretty dangerous level of putting it on a USB flash. Easy to lose or have stolen.

I suppose a USB/Firewire hard drive that you could lock up might be better.

But really, what everyone is saying re encryption is the best bet for seriously protecting the data.

But as far as opportunistic, casual theft of data? The most basic of precautions should be fine, such as locking the machine down, BIOS password, screensaver passwords, and built-in XP encryption. Anyone wanting to bypass this stuff that's determined enough will bypass it. (I like the idea of unplugging your USB keyboard every day if you're concerned about a physical keylogger.)
posted by smallerdemon at 9:58 PM on June 5, 2006


As event is saying... physical access trumps all security. If people can get access to your machine physically, there is nothing you can really do to secure it.

The USB-key approach, taking the data with you when you leave, would offer you a little bit of security, but a determined attacker could get past that very quickly. (he could, for instance, install a small daemon program that copies all files on any inserted volume to some hidden directory on the hard drive.)

You can get a *little* bit of security if your motherboard supports 'chassis intrusion detection' and the case has a sensor for that. Very few systems do, however. And I don't think, if they clear the CMOS, that the system will remember that it was opened.

For any measure you would take, if an attacker has physical access, there is a countermeasure. You cannot truly secure your data.
posted by Malor at 10:45 PM on June 5, 2006


Count one more for "physical access = unsecure". I'm glad someone else brought up ERD Commander. I use it at work all the time to reset student laptops. That program is scary.

Simply combine it with readily available Knoppix (live on CD linux) and suddenly Windows looks like wet paper bags. Add a custom built live Linux CD with some choice packages and suddenly you're a Windows-crackin' script kiddie fool!

Give me ten or twenty minutes alone with your machine and I can access and break anything you can do to secure any Windows machine. It is almost always trivial these days.

Physical locks, bios passwords, software passwords. Whatever. It's cracked. I "crack" Windows machines at least one a week, if not daily at work.

Physical case locks are mostly laughable. Give me a paperclip and a bobby pin and I'll have it raked and picked in under a minute. 4 sloppy tumblers? Maybe 5? Maybe even 3? Pfft.

Cylinder locks are harder, but most of the cylinder locks on computer cases are flimsy and sloppy too. Brute force works just fine against thin cheap plate metal, easy. And my rather cheap folding multitool pliers have killed many Kensington-style cable locks.

However.

I can't crack third-party full drive encryption. Which would slow your machine down something sick, and also make it extremely vulnerable to data loss. You lose or forget your key, or it corrupts or fails to properly error-correct, kiss it all goodbye. Yeah, drive encryption can be nigh-unbreakably strong.

But even if you encrypted your drive, I could easily put a physical keylogger on your keyboard port - or much worse, I could put it inside your box where you can't see it, or even inside your keyboard between the keyboard's PCB board and the cable-out. You'd never even know it was there.

Even worse, I could do it so it would transmit the keylog buffer dumps via radio, remotely, via a serial RF link. I might even be able to figure out how to do it in bluetooth out of readily available kit parts. I could probably even hide the thing under the motherboard or in the power supply.

Which would get me your encryption key in plaintext, making it all moot and your data all mine.

Physical access = unsecure. Period.
posted by loquacious at 5:24 AM on June 6, 2006


A solution might be to put your system and data drives in hot-swappable pullout caddys and just take them with you or lock them up.
posted by loquacious at 5:26 AM on June 6, 2006


That would work -- it's probably the strongest option mentioned so far -- unless the bad guys stick a data logger in the drive bay. I don't know if they exist for IDE or whatever, but if the data is valuable enough there would be plenty of incentive to build one.
posted by event at 7:30 AM on June 6, 2006


www.woot.com offer for today, 6-6-6, is PC Defender Wireless Screen Lock - 2 Pack for $19.99. Might be worth a try, and, besides, who doesn't love an excuse to try a new gadget?
posted by theora55 at 7:50 AM on June 6, 2006


Thanks for all the replies!
I guess I miswrote. When I said bios password I meant a bios and bootup password. Every time someone boots up it asks for a password. So as far as I understand it, a lot of these responses about bypassing by using a linux cd, Cmospwd or ERD commander would not work. With a system bootup password, no programs can steal my password, right?

From what I am getting, if I encrypt my private files using third part encyption on my drive, my data is VERY hard to get (Is it necessary to encrypt the whole drive or only the private stuff?). The only way that someone would be able to access it is to put a hardware keylogger on my PC which would most likely be between the keyboard and the system (does it matter if it is a USB keyboard or not?). Someone really determined would be able to place the logger somewhere I would not see it but that is highly unlikely.

In any of these cases (other than the hardware logger), if I left my computer on but logged out of windows I would know if someone tampered with it because it would not look the same when I came back.

Am I understanding correctly? Am I missing anything?
posted by D Wiz at 2:09 PM on June 6, 2006


What you're missing, DWiz, is the fact that unless the bloody thing is locked in a cabinet with the monitor visible through plexiglas and the keyboard and mouse locked in a drawer below, no password, be it bios, bootup, or whatever, offers any real security. If someone has physical access to your machine, they can do whatever they want, and you might not ever know. I hope you don't work for Ernst & Young or the VA.
posted by Mr. Gunn at 5:08 PM on June 7, 2006


With a hardware keylogger, your BIOS password can be captured. It's not software or OS dependent. All the keylogger needs is line power from the keyboard and input data to capture. Keyboards are very simple beasts and very easy to hack and modify.
posted by loquacious at 5:44 PM on June 7, 2006


But with a bios/bootup password, a keylogger is the ONLY way to access the data, without actually stealing the hardware, right?
posted by D Wiz at 12:19 PM on June 9, 2006


« Older Does anyone have experience wi...   |  I need good hip hop Podcasts..... Newer »
This thread is closed to new comments.


Post