No Security Without Physical Security

By Larry Seltzer  |  Posted 2003-03-13 Print this article Print

Once an attacker has physical access to the computer, he almost certainly has access to the data on it, writes Security Supersite Editor Larry Seltzer. If so, the OS doesn't really matter.

Very often well hear reports about a serious security vulnerability. We look into it, and theres a catch: In order to execute the attack, physical access to the computer is necessary.

You can safely ignore these alleged vulnerabilities: Without physical security, no system is secure.

If I can open the computer, I can remove the hard disk, put it in as the second drive in another computer and read the contents of the disk. Bye-bye, security. But its not usually necessary to open the box. I can boot the system off a floppy disk or CD-ROM and read the hard disk that way. Given such access, there are commercial and free tools available that can reset the Administrator password on the installation of Windows NT, Windows 2000 or Windows XP - gaining access to a Win9x system is even easier. (The existence of these tools is a good thing; administrators need to be able to access systems where the passwords are forgotten or changed for malicious purposes.)

But even thats not necessary; if you can boot off the floppy or CD, you can install a second copy of Windows on the hard disk and run that to analyze data on it.

This point is very important when considering whether attacks represent vulnerabilities in the computers operating system: If I boot the system off the floppy or CD-ROM, the operating system on the hard disk is not running. Its just a bunch of files.

Your only potential protection when physical security is breached is to use an encrypted file system, such as Windows 2000 Pro and Windows XP Pros EFS. (See this article on the SecurityFocus Web site for a good explanation of encrypting file systems.) No operating system (to my knowledge) employs such a file system by default.

The most recent such case of significance was an allegation by a famous writer that one could break into a Windows XP system by booting off a Windows 2000 CD and running the Recovery Console. The Recovery Console is a special console mode OS used to repair Windows 2000 and Windows XP. You run it by installing it to the hard disk and booting into it, or booting it directly off the Windows installation CD. See this Microsoft Knowledge Base article for a description of the Recovery Console, and this one for a description of the Windows XP Recovery Console.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel