Is it possible to bypass a bios password without me knowing? How safe is my data?
June 5, 2006 4:25 PM   Subscribe

This is Windows 2000 or XP, right? To unlock a locked Windows desktop, someone has to have your password, or they'll have to reboot, so at least you'd know. Bios password can be reset in hardware. You may choose to lock the case to prevent this. Hardware keyloggers are easy, but not terribly common.

Make it a little bit harder by locking your mouse and keyboard in the desk drawer when you leave. Password protect any really sensitive documents. Open the case, and remove the data cable from the floppy drive. Disable boot access from cd.

Make sure Windows file sharing is off. Name the workgroup something other then workgroup. Rename the administrator account and give it and your own account strong passwords. Rename the guest account administrator so if someone tries to get in as administrator, they have crap capability. Do not leave remote desktop running. Be certain the Windows firewall is on, with not too many exceptions.

You could set your own and renamed administrator account to have a normal login sound, and set any other account to have a loud sound attached to login and other actions. Just rename the windows login sound, and call your new .wav by the login sound name. We used to do this just to screw with co-workers, but you could find a siren .wav, or a make a .wav saying "Please stay out of my computer" or whatever. That would be fun.

Keep in mind the biggest danger is still hard drive failure and Back Up Your files.
posted by theora55 at 5:23 PM on June 5, 2006

To build off fvw's comment, having USB enabled under Windows (2000 or XP) is much more dangerous than most people know. Everyone knows about the dangers of autorun CDs, but not many people know how that it's possible to autorun programs with a USB thumbdrive or other USB device (if autorun's enabled). And even fewer know that you can bypass Windows XP's "protection" against autorun just by flipping a bit in the device's ROM & having it announce itself as a non-removable device. You can even buy thumbdrives with it already done for you, so all you need to do is drop in your autorun.inf & application you want it to run & you're good to go. So yeah, it's not only possible but actually it's not at all hard.
posted by scalefree at 8:05 PM on June 5, 2006

It's late, I forgot to add some remediation for you. Here's two things you can do. If you're a DIY type you can disable autorun completely. And if you're not that brave you can buy a program like Device Lock, which would protect you from all sorts of port-related vulnerabilities.
posted by scalefree at 8:29 PM on June 5, 2006

There's a lot to be said for old fashioned padlocks for stopping the person just pulling the drive out. (Not that a $20 bolt cutter won't cut the cable, and a $40 one cut the lock.)

Of course, there's also a pretty dangerous level of putting it on a USB flash. Easy to lose or have stolen.

I suppose a USB/Firewire hard drive that you could lock up might be better.

But really, what everyone is saying re encryption is the best bet for seriously protecting the data.

But as far as opportunistic, casual theft of data? The most basic of precautions should be fine, such as locking the machine down, BIOS password, screensaver passwords, and built-in XP encryption. Anyone wanting to bypass this stuff that's determined enough will bypass it. (I like the idea of unplugging your USB keyboard every day if you're concerned about a physical keylogger.)
posted by smallerdemon at 9:58 PM on June 5, 2006

Count one more for "physical access = unsecure". I'm glad someone else brought up ERD Commander. I use it at work all the time to reset student laptops. That program is scary.

Simply combine it with readily available Knoppix (live on CD linux) and suddenly Windows looks like wet paper bags. Add a custom built live Linux CD with some choice packages and suddenly you're a Windows-crackin' script kiddie fool!

Give me ten or twenty minutes alone with your machine and I can access and break anything you can do to secure any Windows machine. It is almost always trivial these days.

Physical locks, bios passwords, software passwords. Whatever. It's cracked. I "crack" Windows machines at least one a week, if not daily at work.

Physical case locks are mostly laughable. Give me a paperclip and a bobby pin and I'll have it raked and picked in under a minute. 4 sloppy tumblers? Maybe 5? Maybe even 3? Pfft.

Cylinder locks are harder, but most of the cylinder locks on computer cases are flimsy and sloppy too. Brute force works just fine against thin cheap plate metal, easy. And my rather cheap folding multitool pliers have killed many Kensington-style cable locks.

However.

I can't crack third-party full drive encryption. Which would slow your machine down something sick, and also make it extremely vulnerable to data loss. You lose or forget your key, or it corrupts or fails to properly error-correct, kiss it all goodbye. Yeah, drive encryption can be nigh-unbreakably strong.

But even if you encrypted your drive, I could easily put a physical keylogger on your keyboard port - or much worse, I could put it inside your box where you can't see it, or even inside your keyboard between the keyboard's PCB board and the cable-out. You'd never even know it was there.

Even worse, I could do it so it would transmit the keylog buffer dumps via radio, remotely, via a serial RF link. I might even be able to figure out how to do it in bluetooth out of readily available kit parts. I could probably even hide the thing under the motherboard or in the power supply.

Which would get me your encryption key in plaintext, making it all moot and your data all mine.

Physical access = unsecure. Period.
posted by loquacious at 5:24 AM on June 6, 2006