51

How come I'm allowed to reboot a computer that I don't own, put in a USB, boot ubuntu from it and then access all files stored on the drives available (even critical files such as system files on C drive in Windows)?

Isn't there a way to prevent people from doing this, without putting up a password on the BIOS?

Adi
Force444
  • 1
    This is a really good question and something I wondered too when I booted into Tails using a USB. It made me ask -- what's the point of my Windows password if someone could boot into Tails, and access all my drives such as C://. – theGreenCabbage Mar 11 '14 at 19:28
  • If NTFS is POSIX compliant, how come Ubuntu doesn't enforce the file permissions? – Tiberia Mar 13 '14 at 04:55

8 Answers

105

The file and folder/directory permissions on an operating system are managed and enforced by... you guessed it right, that operating system (OS). When the operating system is taken out of the picture (booting a different operating system), then those permissions become meaningless.

One way to think of it: You hire a big bodyguard (OS) to protect your house. You give him a list (permissions) of the allowed guests (users) and which areas (files and folders) they're allowed to visit. How useful are those lists when the bodyguard is asleep (not booting from that OS)?

Generally, it is assumed that once an attacker has physical access to your system, they own your system. Even a BIOS password won't help you in this case. One way to solve this problem is using full-disk encryption using software such as TrueCrypt, Bitlocker, and others.

The problem, in your case, is that you'll have to set up a password (or key) to be entered whenever you reboot the system. Weigh your options and decide.

Adi
  • 8
    I think typing in a password once per boot is not really a huge disadvantage of disk encryption. What is much more problematic is how complicated it can get to run your OS from an encrypted partition – Niklas B. Mar 09 '14 at 20:39
  • Another problem is that you need to have your system shut down for some time before the partition is secure, in case someone gets physical access to your computer – Niklas B. Mar 09 '14 at 20:42
  • @Niklas I completely agree with you. The only reason I mentioned the password as a problem is because of the OP's question itself (please check the last sentence in the question). So, yes, in the _OP's_ case, a password is a problem. But it's a problem that he'll have to accept. Also, in the OP's case, he's worried about _booting_ from USB (or a CD/DVD, etc), so, I believe, shutting down is implied. – Adi Mar 09 '14 at 20:53
  • Oh I see. I didn't realize that. You already had my +1 anyways ;) – Niklas B. Mar 09 '14 at 21:14
  • Even full-disk encryption won't prevent an attacker from *destroying* your data. – gerrit Mar 10 '14 at 13:53
  • 1
    @gerrit Well of course not. Destroying is the absolute least of your worries if someone gets physical access to your machine. – Cruncher Mar 10 '14 at 14:37
  • 1
    @Cruncher Assuming proper backups, indeed. I just wonder if some people who don't understand how things work may confuse "your data is safe!" ads with the quite unrelated issue of data loss (which, for some people without backups, may be the worst consequence of their laptop being stolen). – gerrit Mar 10 '14 at 14:47
  • It honestly would be nice if the OS had full system encryption baked in as part of its security system. – Didier A. Mar 10 '14 at 15:01
  • @didibus I know (some versions of?) Ubuntu do, and Windows 8(.1?) has it baked in if your computer meets the requirements (which are unfortunately kind of restrictive). – JAB Mar 10 '14 at 16:48
  • 1
    @didibus Windows' solution is called BitLocker, present since Vista on the Pro or Enterprise or Ultimate editions. Many Linux flavours support LUKS which achieves a similar thing. You're still not protected from physical access, though. An attacker could modify the decrypting bootloader to store your password for later retrieval. – deed02392 Mar 12 '14 at 15:33
  • All versions of Linux can/do support full-disk encryption (it may or may not require a bit of manual configuration). In addition, OS X has included FDE (FileVault 2) since OS X 10.7 (FileVault 1 only encrypted a user's home directory). Plus, there's also TrueCrypt, which works quite well. – Kitsune Mar 13 '14 at 23:33
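The distinction drawn above (permissions are enforced by the running OS; only encryption survives booting something else) can be checked mechanically: a volume is protected against the USB-boot scenario only if some parent of its block device is a dm-crypt/LUKS layer. The script below is an added example, not code from the answer or its comments; it walks the parent chain that `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT` reports, and the embedded table, device names and mountpoints are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): decide whether the device
# behind a mountpoint sits on a dm-crypt/LUKS layer. Only such volumes stay
# unreadable when someone boots another OS from USB; permissions alone do not.
# Input is the key="value" format of:  lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT
# The table below is constructed sample output, not captured from a real host.

SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" PKNAME="nvme0n1" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" PKNAME="nvme0n1" MOUNTPOINT="/boot"
NAME="nvme0n1p3" TYPE="part" PKNAME="nvme0n1" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" PKNAME="nvme0n1p3" MOUNTPOINT="/"
NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/data"'

# field <lsblk-P line> <KEY>: print the quoted value of KEY (empty if absent).
# A leading space is added so " NAME=" cannot match inside " PKNAME=".
field() { printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"; }

# mount_is_encrypted <lsblk-P table> <mountpoint>
# Prints encrypted / cleartext / unknown; exit status 0 / 1 / 2.
mount_is_encrypted() {
  local table=$1 mnt=$2 dev="" line
  while IFS= read -r line; do                      # device carrying $mnt
    [ "$(field "$line" MOUNTPOINT)" = "$mnt" ] && dev=$(field "$line" NAME)
  done <<EOF
$table
EOF
  [ -n "$dev" ] || { echo unknown; return 2; }
  while [ -n "$dev" ]; do                          # walk up towards the disk
    line=$(printf '%s\n' "$table" | grep "^NAME=\"$dev\" " || true)
    [ "$(field "$line" TYPE)" = crypt ] && { echo encrypted; return 0; }
    dev=$(field "$line" PKNAME)                    # parent device, "" at the disk
  done
  echo cleartext; return 1
}

# Use the live system when lsblk works, otherwise the constructed table.
main() {
  local table m
  table=$(lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT 2>/dev/null) || table=$SAMPLE_LSBLK
  for m in / /boot /data; do
    printf '%-6s %s\n' "$m" "$(mount_is_encrypted "$table" "$m")"
  done
}
main
```

On the sample table the root filesystem reports encrypted while /boot and /data report cleartext, which is exactly the split a live USB would see.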
15

Because Windows only shows you what they think you should see, and other operating systems don't necessarily care and just show you what's on the disk. That is the gist of it.

It's not a Microsoft conspiracy; Microsoft protects Windows' system files from being damaged this way. You can access it if you know some fairly sophisticated tricks and manage to run explorer with "SYSTEM" permissions (these go above Administrator), or simply boot another operating system that does not implement these restrictions.

Sidenote: Viruses love these places. Almost every virus I've seen nested itself in System Volume Information, a folder in the root of each Windows drive where you cannot normally go without system permissions. Even the Administrator, who can usually get access to every file even if he denies himself all possible permissions on it, cannot go into that folder. Luckily anti-virus products also go there and they detect anything that shouldn't be there, but it's a caveat to keep in mind. For example I used to scan my computer from a remote machine with read-only permissions, but that is not enough because remotely (using SMB) you usually can't access these system protected folders.

If you want to stop people from simply reading what's on your hard drive, you need disk encryption (which will ask you for a password upon booting, just like a BIOS password would). Otherwise it will always be trivial to boot another OS and read the hard drive's contents. Even if you have a BIOS password, it's still fairly trivial to take the hard drive out. With most laptops and desktops, provided that no one is around, you can get a hard drive out, copy a few gigabytes, and put it all back within 5 minutes.

Luc
  • "get a hard drive out, copy a few gigabytes" It was some time ago, but I remember fiddling with the *developer switch* http://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices/samsung-series-5-chromebook#TOC-Developer-switch - I read their security design considerations etc... – Mars Robertson Mar 10 '14 at 01:19
  • 3
    You can also get a harddrive out, copy a few gigabytes, and put it all back within 5 minutes in the middle of a football stadium with 60,000 people watching you. – Emmet Mar 12 '14 at 14:10
  • @Emmet Yeah, very clever. – Luc Mar 12 '14 at 14:38
10

Isn't there a way to prevent people from doing this, without putting up a password on the BIOS?

There is a way to prevent people from doing this, and it is called Full Disk Encryption.


Here is the Mac attack vector: http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/

The only sure way to prevent unwanted root access to your system is by simply enabling File Vault’s full disk encryption (not home folder encryption!).


TrueCrypt - recently there was a fundraising campaign - http://www.indiegogo.com/projects/the-truecrypt-audit - to audit the source code - http://istruecryptauditedyet.com/

Operating Systems Supported for System Encryption - http://www.truecrypt.org/docs/sys-encryption-supported-os - only Windows


Regarding BitLocker: [two screenshots in the original answer, not reproduced here]


Why am I allowed to access protected Windows files when I boot Ubuntu from USB?

There is a car (hardware). But you happen to swap all the electronics (operating system). Now you have access to engine, steering wheel, indicators, lights and electronics itself, allowing you to wipe out other, already existing, operating systems.

Mars Robertson
6

This only works if you have not enabled full-drive encryption. This can be achieved using various methods or software like TrueCrypt or Windows BitLocker.

If your drive is, say, encrypted using Windows BitLocker protection, then a user trying to access the hard disk's file system from a live CD won't even be able to browse the hard disk.

You can read more about the Windows Bitlocker Protection here - http://www.technibble.com/bitlocker-101-easy-free-full-drive-encryption-for-windows/

Also, you can set a hard disk password. There is plenty of software available on the Internet, and I guess Seagate also provides such tools for drive encryption and protection.

Pranav Jituri
3

If you can boot an arbitrary operating system on a machine, you have root access. This is the essence of the evil maid attack.

AFAIK nothing can prevent that; maybe only Secure Boot can, but anyway its specification requires that the user must be able to disable it on non-ARM machines.

The BIOS password can be reset by removing the battery in the motherboard, or with easy-to-use freeware programs found on the Internet.

Disk encryption does not stop an attacker from replacing the very first thing that is booted, be it the Master Boot Record, the kernel/initrd, or whatever, with one that stores the password somewhere for the attacker to read later. It does, however, protect your data from thieves (provided you do not enter the password after the thief compromised the system). This is because something in the boot process must necessarily be unencrypted for it to be able to ask you for a password (unless the encryption key is in the hardware, as per Secure Boot).

ignis
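The unencrypted boot stage the answer describes (MBR, kernel, initrd) cannot be covered by disk encryption, but its contents can be baselined and re-checked so that a swapped loader is at least noticed. The script below is an added example, not code from the answer: it writes a manifest of a boot directory and later reports changed, added and removed files; the directory, file names and manifest location are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): baseline the unencrypted boot
# directory (kernel, initrd, bootloader config) and re-check it later, so a
# replaced first-stage loader shows up as CHANGED/ADDED/REMOVED lines.
# Paths are assumptions; keep the saved manifest somewhere the machine's
# attacker cannot also edit (a USB key you carry, or a remote host).

# boot_manifest <dir>: "sha256  ./relative/path" per regular file, sorted by path
boot_manifest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done )
}

# boot_verify <dir> <saved-manifest>: prints differences; exit 0 only if identical
boot_verify() {
  boot_manifest "$1" | awk -v saved="$2" '
    BEGIN { while ((getline l < saved) > 0) { split(l, a, "  "); old[a[2]] = a[1] } }
    NF == 0 { next }
    { split($0, a, "  "); p = a[2]
      if (!(p in old))         { print "ADDED   " p; bad = 1 }
      else if (old[p] != a[1]) { print "CHANGED " p; bad = 1 }
      delete old[p] }
    END { for (p in old) { print "REMOVED " p; bad = 1 }
          exit bad + 0 }'
}

# Demo on a constructed directory: take a baseline, tamper with it, verify.
main() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/grub"
  printf 'kernel-image' > "$d/vmlinuz"; printf 'initrd' > "$d/initrd.img"
  printf 'menuentry' > "$d/grub/grub.cfg"
  boot_manifest "$d" > "$d.manifest"
  printf 'patched' > "$d/grub/grub.cfg"; printf 'x' > "$d/extra.efi"; rm "$d/initrd.img"
  boot_verify "$d" "$d.manifest" || echo "boot directory differs from baseline"
  rm -rf "$d" "$d.manifest"
}
main
```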
3

Information security depends on plain old physical security. If you don't want folks to tamper with your computer, then do not let them put their hands on it.

Erwan Legrand
3

The easiest way of preventing this without significantly impairing your computer's performance (Bitlocker or TrueCrypt are not free performance-wise) is buying a modern SSD and enabling the BIOS password.

All modern SSDs encrypt all data all the time (usually using AES-256 since that is a good marketing buzzword). The reason is, however, not security, but randomizing data in order to better balance the memory cells against wear.

This has two practical advantages which come for free:

  • First, you can do an extremely fast and non-wearing bare metal secure format of the drive simply by throwing away the master key. This is how the "secure erase" functionality on these drives works.
  • Second, you can encrypt the key with a BIOS password, making the entire disk inaccessible. If your password isn't guessable (unluckily, it most likely is... but let's be optimistic for a moment), the data on the disk is not readable unless you know the password.

Modern drives usually have a recovery key which an attacker can use to remove the existing key. Unluckily this means that although a thief can't read the data on your disk, the drive as such is still valuable, since it can be used for storage (I'd wish a stolen drive was completely worthless).

Insofar, if your password cannot be guessed (or captured by a hardware keylogger plugged between your keyboard and the USB port), the best an attacker can do is destroy all data, akin to smashing the computer with a heavy hammer.

Damon
  • "Second, you can encrypt the key with a BIOS password". Do you have a reference for this? I wasn't aware there was any link between the BIOS boot-up password and the SSD "encryption key". Aren't the two things logically separate? – Andrew Ferrier Mar 10 '14 at 19:28
  • My Samsung Evo drive comes with 3 modes, of which one is enabled by the BIOS password (but doesn't work on some systems), and the other two need TPM (I've not tried these, since one needs "special security software" for whatever that means, and the other does a safe erase when enabling, and I couldn't be bothered to re-image my system _again_ after discovering that). My older OCZ vertex4 also supports BIOS pw encryption, but they were not very clear about it 2 years ago, apparently the firmware then had issues with a PW longer than 4 characters (which made it kind of pointless). – Damon Mar 10 '14 at 21:17
  • I would assume (though obviously I don't know) that it's somewhat the same with every manufacturer, some will have better, some worse support, depending on what you buy. – Damon Mar 10 '14 at 21:19
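The BIOS "HDD password" this answer leans on is implemented with the ATA Security feature set, and `hdparm -I` prints the drive's current state (supported, enabled, locked, frozen). Whether that password also gates a self-encrypting drive's media key is drive-specific, as the comments above note, so the script only reports the ATA state. This is an added example, not code from the answer; the hdparm output embedded in it is constructed in hdparm's layout, and /dev/sda is an assumed device path.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): parse the "Security:" block of
# `hdparm -I` and report the ATA Security state, i.e. whether a firmware/BIOS
# drive password is actually set, whether the drive is locked, and whether the
# BIOS has frozen the feature (no password can be set from the running OS).
# The text below is constructed in hdparm's layout, not captured from a drive.

SAMPLE_HDPARM='ATA device, with non-removable media
	Model Number:       EXAMPLE SSD 500GB
Capabilities:
	LBA, IORDY(can be disabled)
Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# ata_security <hdparm -I text>: prints "supported=Y/N enabled=.. locked=.. frozen=.."
ata_security() {
  printf '%s\n' "$1" | awk '
    BEGIN { st["supported"] = st["enabled"] = st["locked"] = st["frozen"] = "?" }
    /^Security:/ { insec = 1; next }
    insec && /^[^ \t]/ { insec = 0 }              # next top-level section
    insec {
      line = $0; sub(/^[ \t]+/, "", line)         # drop indentation
      neg = sub(/^not[ \t]+/, "", line)           # "not<TAB>enabled" -> neg=1
      key = line; sub(/[: ].*/, "", key)          # keyword before ":" or space
      if ((key in st) && line !~ /^supported:/)   # skip "supported: enhanced erase"
        st[key] = neg ? "N" : "Y"
    }
    END { printf "supported=%s enabled=%s locked=%s frozen=%s\n",
                 st["supported"], st["enabled"], st["locked"], st["frozen"] }'
}

# ata_password_verdict <hdparm -I text>: one-word summary for an audit report
ata_password_verdict() {
  case "$(ata_security "$1")" in
    *supported=N*)        echo no-ata-security ;;
    *enabled=Y*locked=Y*) echo password-set-locked ;;
    *enabled=Y*)          echo password-set-unlocked ;;
    *frozen=Y*)           echo no-password-frozen ;;   # BIOS froze it at boot
    *)                    echo no-password ;;
  esac
}

main() {
  local text
  text=$(hdparm -I "${1:-/dev/sda}" 2>/dev/null) || text=$SAMPLE_HDPARM
  ata_security "$text"; ata_password_verdict "$text"
}
main "$@"
```

A "frozen" result on a drive with no password is the common laptop case: the firmware freezes ATA Security before handing over to the OS, so the password can only be set from the BIOS setup screen.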
1

This really comes down to use case.

If you have military hardware/OS then you can lock everything down, but it comes at a cost. Maintenance of FDE, disabling (or removing) ports, and making them tamper-proof is pretty onerous from a management and usability point of view. The OS the military uses is severely locked down and hardened, but they would still consider a box to be owned if it was stolen.

If you are talking about corporate or even personal use, then if you are concerned about data, data security should always be done at the data level and not at the infrastructure/OS level. Encrypt your data above FDE as well if you are that concerned about it. It probably won't stop the NSA, but it might give you a few days to breathe while they are hacking away.

If you are concerned about your device being altered so that you don't know about it then FDE and AV ++, IPS/IDS is what you nee

barfly