Whilst I struggle to breathe life into this CF-74, reading through the forum brings up the issue of Bios passwords.
I have managed to charge the battery and hook an external monitor up. The first attempt to enter Set up was prevented by a Set up password which I have reset. So I can now enter the set up and change things.
The computer has no HD and therefore no OS. It appears to boot up into Bios and then says no OS found, which is correct!
Does that mean that I do not have a Bios password?
-
If you can get into the BIOS via hitting F2 before Windows loads and get into a blue background place where you can change settings (i.e. in the advanced tab, for example, you can disable the WLAN), then you do NOT have a BIOS password.
"no OS found" will be displayed obviously because you have no HDD in the computer.
Thanks -
If you can access the settings, then you don't have a password.
Bios passwords are a very taboo subject around here. Tread lightly. -
There are several passwords
If you can enter the bios screen by hitting F2, you are good to go
The problem we run into here is with a password that prohibits entering the bios
If that happens, boot from cd might be disabled, not allowing reinstalling of the O/S
+ add-on devices could be disabled, like wwan or wi-fi etc -
Thanks for the quick replies!
Being a newbie I was treading very carefully.
Yep, I can access the Setup via F2. In the security tab I can set the Supervisor/User passwords. I was a little concerned when I saw the Embedded TPM sub menu as I saw this mentioned on a few threads.
Which begs another question. What are the pros and cons of setting passwords? I never have to be honest as I figure the security advantages are outweighed by the obvious disadvantage of forgetting them! -
In my opinion a bios password is only needed if you don't want employees or customers mucking about.
On my personal machines, I never use them. If you want some level of data security I would use a hard drive password. -
As it will only be used domestically it does seem unnecessary. Even if someone broke in, they would overlook the stack of CF-72's and the 74 to get to the plastic Toshiba!
-
yeah I only use it on the toughbook my niece has so she won't accidentally mess with the settings. She could probably guess it but I find girls aren't too interested in BIOS passwords. lol
-
I believe that there is a serious security problem with Panasonic BIOS passwords. It appears to me that the BIOS uses the same password for gating access to the BIOS and for the hard drive password. This means that when using - as I do - a self encrypting hard drive (offered by both HGST and Seagate), that the password used to protect the drive encryption is being stored by the BIOS. This is BAD, BAD, BAD security practice, because someone acquiring the system could conceivably discover the password in the system and use it to gain access to the data on the encrypted drive. Does anyone have reason to believe that what I describe is not the case?
Thanks,
Dave -
Are you talking about the HDD lock in BIOS, the one where the hard drive is tied to the motherboard and will not work on another computer, or encryption like Truecrypt/Bitlocker or those encrypting drives? I think those either store it on an unencrypted section of the HDD or the TPM chip if your computer has it to boot or else on a chip on the HDD itself for the self encrypting drives. Someone correct me.
-
The encryption I refer to is the embedded-in-the-drive function found in specific models of 2.5" laptop hard drives. This encryption can be managed by either a software utility like Wave Systems or Winmagic (among others) or by using the ATA security commands, usually supported in the BIOS by an HDD password. I am using the latter on a W8 and am concerned about that system's (and, incidentally, all other TB systems I have seen) password management I described. That help?
Dave -
Can you name the hard drive so I can read up on it? It does seem sort of unsafe if it is not using the TPM chip or one built onto the HDD.
-
The drive is an ST9250414ASG. The part that is unsafe is the Panasonic key management. The drive-based encryption is far and away the best method for protecting the confidentiality of data on a hard drive, but the laptop is compromising it. (I know I could just pony up the money to get one of the software management packages, which would solve this problem.)
The TPM would not do anything to improve security; it would only serve to tie the drive to a particular system, which I do not want. Incidentally, the BIOS password does not tie a drive to a system. Any system that can deliver the ATA password to the drive can unlock a drive protected by an ATA password. Moreover, in a non-FDE drive, the ATA password is worthless as a security measure. (FDE drives protect the ATA password differently than is done in non-FDE drives.)
Dave -
TrueCrypt, Free?
CAP -
Cheaper, you betcha, but there are attack vectors that all software encryption products are vulnerable to and FDE drives are not. There are also compatibility/usability benefits that accrue to FDE drives.
Dave -
How would the software manager work? Pre boot? Why would it be safer? Does it use a token? Some of the encryption software uses both token and password. Thing is, if the computer is out of your sight it could be compromised by an "evil maid attack". Supposedly the TPM chip and Bitlocker from Windows are safer. Some interesting info here
The Invisible Things Lab's blog: Evil Maid goes after TrueCrypt!
This lady knows her stuff. Cute too, lol. -
In fact "evil maid attack" is one of the threats that an FDE drive is not vulnerable to. I don't have the time to write up a description of how FDE drives work, but you should be able to find an explanation.
Dave -
Yeah, I read some about it, but it seems it is tied to your BIOS password. Can't you just make it a stronger password? I still don't understand when you say the Wave software would make it safer. How exactly? And if it is really important then you gotta pony up the dough? It is all about how secure you need/want it, and what inconvenience you want to deal with. Did you read the link? Using TPM 1.2, which most recent Toughbooks have, and Bitlocker is also safe from evil maid. TPM does a bit more than just tying the drive to the laptop. I would be more worried about the Absolute software LoJack that is embedded in BIOS. That is more of a backdoor than anything. There is a reason the Federal Toughbook models don't have that piece of software installed.
-
The LoJack software won't overcome Bitlocker encryption with TPM. I'd think the reason why the Absolute/Computrace software is removed for Government models is because of its tracking abilities (GPS, IP address, catching webcam images etc etc).
-
The "evil maid attack" requires that you have access to the computer multiple times without the user's knowledge. I'm not paranoid enough to worry about that. TrueCrypt will defeat Homeland Security, the CIA, even NSA I believe. I think we have quit torturing people recently so I can't gin up too much stress about undesirables surfing my hard drive. I hope you're not posting here with the computer which contains all the secret stuff, if you are the Chinese are reading your mail. If the info is that important you should be maintaining an "air gap" between your data and the vast interwebs.
Edit: On further reflection it seems that the "evil maid attack" requires booting from a USB thumb drive since she doesn't seem to be able to get past a bios password. You only have to disable boot from USB in the bios and she is SOOL
CAP -
Meh.
The old adage is still true; if you have physical access to a machine, you can have anything you want from it.
FDE drives are about as good as it gets short of hiring an armed guard to protect your hardware. If you have physical access to the drive, you can swap the controller board with a hacked one, get a forensic copy of the drive, then attack the data at your leisure.
All these encryption mechanisms only profess to be "virtually" unbreakable for a reason; if you have the desire and time and money, you CAN break them.
The question then becomes the same as any other type of security; how do you make breaking into it hard enough that anyone contemplating it will seek out easier prey? This has ALWAYS been the name of the game; we keep making better locks, they keep making better lockpicks. We make better mousetraps, they make smarter, faster mice; but the key is not making something completely impenetrable. This is a virtual impossibility with ANYTHING that has to interact with human beings; by hacking the wetware you can almost always find a vulnerability in the associated hardware to attack. The trick is to make it so hard to break into it takes long enough that your miscreant decides to cut their losses and find a target they think they can break into without getting caught.
So... if you put your hard drive in your pocket every time you leave your laptop unattended; where's the weak link in that chain? The BIOS? No; it's YOU. All they have to do is find a way to get you out of your clothes. And THAT is ALWAYS the weakest link... the person.
mnem
Security is a waiting game. -
The point: if you take my hdd away from me, and I have it encrypted, then neither you nor the government will crack the encryption. The only way you will get the data is if you physically beat the password out of me.
To the person that previously mentioned evil maid attacks:
Virtually every system is susceptible to them. Here are two examples:
1. Install a hardware key-logger, you enter your password and boom, done.
2. Encryption keys are ALWAYS stored in memory, otherwise it isn't practical. So while your PC is running the evil maid dumps liquid nitrogen on your RAM, then yanks out the sticks and copies the contents of the ram sticks onto her flash drive (this is not difficult to achieve). She now has all the time in the world to comb through the data in the ram and find the encryption key. -
Why is this thread 3 pages long?
-
I did not say anything about BRUTE FORCE cracking the encryption on the hard drive; though, if I were to say something it would be that I have no doubt that some portion of the trillions of dollars our nation has gone into debt HAS to have been to the implementation of Quantum Computing Devices aimed at cracking YOUR favorite form of encryption.
Furthermore, history shows us, as usual, that the person is always the weakest link. You don't NEED to crack the encryption; you need to crack the person. I can guarantee you that for most people, we have conventional computers more than powerful enough to sift through every bit of data associated with a person and generate a list of millions of probable passphrases based on that knowledge. That is simply a place to START.
Keylogger in the device, RAM sniffing, whatever you choose... or simply put you in a room full of pinhole cameras and wait for you to log in... again, hacking the person, not the hardware.
If she has access to the laptop while it's running... then she doesn't very well need to worry about getting your key. She can get a decrypted copy of your HDD decrypted by your computer itself.
And I most certainly would not resort to beating your password out of you; we have much more effective concoctions of drugs to get such information, plus we'll make sure you only remember getting a really good knobber after too much wine and heavy petting. Which never happened.
mnem
Less is Moore. -
mnem
My work here is done. -
Mnem, FYI, it is no longer possible to swap boards on FDE drives and get at even the cipher text. Putting on a new board bricks the drive. It was possible on the first models, I believe, but not any longer.
I'm still hoping for an answer to my question: Is it not true that the TB BIOS keeps a copy of the ATA password - i.e. is in effect a keystroke logger for exactly the data you would least like it to capture?
Dave -
And I would not worry about quantum computers quite yet, not even in a decade or two. By the way, once quantum computing is a reality I would bet on the bad guys having the technology before the public has it: Say goodbye to your modern banking system. -
Rumor has it that there are a number of Russian teenagers who are already pretty good at "online banking", and the Chinese seem to peruse the DOD's computers pretty easily.
CAP -
Do you believe for one moment that the engineers who designed the hardware don't know of at least a dozen potential exploits that would allow access which could be implemented into a "hacked board" and permit the access I'm talking about? The servomotors don't care if the data's encrypted; they're just going to seek a track as directed by the control board.
Now... do you imagine for one moment that our government doesn't have at least 1 in 10 of those very same engineers on their payroll?
And finally... in this age of Government of the People by the Corporation For the Corporation do you actually believe that there is ANY difference between our Government having access to this technology and any of dozens of Megacorporations having access to that technology?
The hackers we hear about are just the (un?)lucky few who make a name for themselves in the public eye; the best ones have been bought long before we ever hear about them.
As for your question about the ATA password: I honestly do not know; Panny uses BIOS generated by AMI and Phoenix just like everybody else. If the underlying architecture stores this data, then yes, I'd imagine their implementation also does so. Unless it's a question of custom extensions in that BIOS, which of course EVERY manufacturer is guilty of.
I suppose the way to find out would be to set your password, then save your BIOS .bin and search for it in the resultant file; you may need to do a binary or hex search to be sure.
Good hunting,
mnem
Would you like a dill pickle with that? -
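
The check suggested in the post above (set a password, save the BIOS image, then search the file for it), as an added example that is not part of the original thread. It assumes an ASCII password and a firmware image you saved from your own machine; the scan-code encoding, the sample image and the password "Test12" are constructed for illustration.

```python
"""Search a saved firmware image for a password you set yourself."""
import sys

# Set-1 keyboard make codes for a-z and 0-9. That this BIOS would store
# scan codes rather than characters is an assumption, not from the thread.
_ROWS = {0x10: "qwertyuiop", 0x1E: "asdfghjkl", 0x2C: "zxcvbnm", 0x02: "1234567890"}
SCANCODE = {ch: base + i for base, row in _ROWS.items() for i, ch in enumerate(row)}


def candidate_encodings(password):
    """Map each byte form the (ASCII) password could take to a label."""
    forms = {}
    for label, text in (("as typed", password), ("upper", password.upper()),
                        ("lower", password.lower())):
        forms.setdefault(text.encode("ascii"), f"ascii/{label}")
        forms.setdefault(text.encode("utf-16-le"), f"utf-16le/{label}")
    folded = password.lower()
    if folded and all(c in SCANCODE for c in folded):
        forms.setdefault(bytes(SCANCODE[c] for c in folded), "scancode set 1")
    return forms


def find_password(dump, password):
    """Return sorted (offset, label) pairs for every encoded occurrence."""
    hits = []
    for needle, label in candidate_encodings(password).items():
        pos = dump.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = dump.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample image: erased-flash filler with the test password
# "Test12" planted once as scan codes and once as upper-case UTF-16LE.
SAMPLE_DUMP = (b"\xff" * 64 + bytes([0x14, 0x12, 0x1F, 0x14, 0x02, 0x03])
               + b"\x00" * 10 + "TEST12".encode("utf-16-le") + b"\xff" * 16)

if __name__ == "__main__":
    # Usage: script.py <saved image> <password>; no arguments runs the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            data, secret = fh.read(), sys.argv[2]
    else:
        data, secret = SAMPLE_DUMP, "Test12"
    for offset, label in find_password(data, secret):
        print(f"0x{offset:08x}  {label}")
```

A hit shows the password is kept in recoverable form at that offset. No hit does not show the opposite, since it may be hashed, stored in another encoding, or held in a part of the system the saved image does not cover; use a long, distinctive test password so short byte patterns do not match by chance.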
Mnem,
Actually, I've worked quite a bit in both arenas, and am familiar with the DoD's capability with respect to FDE drives. That's why I think that FDEs offer the best protection. I would not be worried for a second if the government wanted to get something off my system. It'd be safe - except for this Panny BIOS business.
Thanks for your comments.
Dave -
WARNING, PLEASE READ - I don't usually re-post these but... If someone comes to your front door, and asks you to remove your clothes, and dance in your front yard with your arms in the air.. DO NOT do this, it is a scam!! They just want to see you naked. Please copy and post this to your status -- I… wish I had received this yesterday.... I feel so stupid now..
And NOW they have your clothes off and can get that hard drive out of your pocket!!
Bios password prompt
Discussion in 'Panasonic' started by MrRe, Apr 12, 2011.