USB Boot Up...

19-08-2003, 20:18:40
Talk about a security nightmare!

A company, I forget which but I could dig it up, has perfected being able to boot from USB devices. They did this as they feel that the USB Thumb Drives will replace the antique 3.5 inch floppies.

I immediately wondered... if you are Security, or even IT Management, how are you going to secure your computers? With USB boot up, now something the size of a CAR KEY can be used to bypass all your arrangements. All it takes is a user willing to re-enable the "USB first" in the boot up sequence, save, exit, presto! They are in.

Most IT worried about users mucking about just get rid of the Administrator account in the Windows world... but that won't help when a user can just have a "vanilla" flavor of the OS on their key chain that they can boot up and use to mess about on any USB-bootable computer.

I can see it: the new required security procedures (especially when combined with the smart clothes, some of which already include USB-accessible flash memory):

"Sir! She's got on clothes!"

"She knows better than that. Tell her she has to strip and leave those here."

"But... I just wanted to wear a comfortable outfit today that looks nice! I'm so bloated and I have a presentation to give! :cry:"

20-08-2003, 05:01:52
Most BIOSes should be password capable. I suppose somebody who had enough privacy and time to get at the motherboard could use the "clear CMOS" jumper.

Qaj the Fuzzy Love Worm
20-08-2003, 19:33:52
Not to mention passwording your BIOS is a pain in the ass for large organizations with small IT departments, especially if everyone forgets the password :)

Probably a better prevention overall would be for motherboard manufacturers to create certain motherboards without even the possibility of USB booting (mostly for purchase by businesses worried about USB boots). I don't see that happening any time soon, though.

20-08-2003, 19:38:01
BIOS password enabled machines are generally thrown in shredders at most corporations.

The business logic works like this... in Big Business, you will have to tell all your IT support people (the mushrooms that get sent out to the individual machines) the BIOS password. There's a critical mass of numbers, at which point letting the IT Support people know it is the equivalent of just broadcasting it to all in email, only slower. They can never change the password, as new and old techs need to be able to know what the password is... and so people that leave the company still know the password. Business case studies of how to save money will point out all the wasted time it takes to deal with something that can be avoided in corporate machines by popping the case and resetting the BIOS (most corporate machines have an easy-open clamshell/wingnut-fastened slider arrangement, to make it easy to get into for the IT people). And then they just eliminate the password.

Companies that don't run passwords will shortly gain a policy forbidding the setting of a BIOS password, if they don't start off with it.

Heck, big corps used to feature "locks". But that quickly turned around, for the same reasons corps desert bios passwords.

There are only a few data- and network-sensitive situations where big corps will allow any sort of passwording or locking. And those tend to be their own little nets, independent of anything else, with strict control of both physical and digital access.

21-08-2003, 04:47:10
If somebody has local access to your computer, they're in.

Your best bet is to use encryption on your filesystem with something like IBM's Embedded Security Subsystem.