How do you protect your computer from Live CD's?

Linux has grown in popularity in the past few years. Many more people are using Live CD's now than they were say 3 years ago. And with this comes a new problem for network admins. How do you stop a person from accessing certain file on the HDD that they, under Windows, would not be allowed to access, or even see. If you have a personal computer you can't really protect it either. A password on the BIOS won't work because if you remove the battery on the motherboard, wait 10 seconds, insert the battery back in, your password is gone.

How do I stop this threat?

Kredns

Posted 2009-03-16T23:32:09.820

Reputation: 2 857

4Lucas - Once a person has physical access to the machine, they, for all intents and purposes, can do anything to it and with it. If you want to protect your data, an encrypted filesystem is your best bet, but beyond that there's not much you can do. – Adam Davis – 2009-03-25T17:29:51.300

@Adam Davis: Wheres a self destruct button when you need one ;-) – Kredns – 2009-03-25T23:53:59.660

Answers

Keep all personal data (possibly your entire profile) in an encrypted partition that is decrypted with your account password (or even a separate password).

TrueCrypt can do such things (and it's free software).

Joachim Sauer

Posted 2009-03-16T23:32:09.820

Reputation: 935

Also see PGP (http://www.pgp.com/products/wholediskencryption/), and dm-crypt (http://www.saout.de/misc/dm-crypt/), EFS, bitlocker, and so on.

– Zoredache – 2009-03-16T23:44:46.840

3Just... don't ever forget the password! If they can't break into your computer, you can't break into it either. – Ilari Kajaste – 2009-09-02T10:40:48.803

The most obvious option is to remove (or move to lowest priority) the CD boot option and then set a password on your boot configuration utility.

Noldorin

Posted 2009-03-16T23:32:09.820

Reputation: 700

4You'd also have to padlock your computer chassis, so there's no easy access to 1) removing the BIOS battery - which would reset the password and allow the attacker to re-enable CD boot, or 2) plugging the hard drive directly to the attacker's portable computer, for example via USB. – Ilari Kajaste – 2009-09-02T10:39:28.480

1And most BIOSes have "emergency passwords" that only "service personel" knows (fat chance, Google knows them too). – vonbrand – 2013-02-16T05:34:26.890

If they have access to your hardware, you can't be 100% secure. Keeping your secure data physically separate is the safest thing to do.

mquander

Posted 2009-03-16T23:32:09.820

Reputation:

There are BIOS passwords that can't be removed.
Encrypt your hard drive. There are some good tools out there.

Georg Schölly

Posted 2009-03-16T23:32:09.820

Reputation: 1 146

What kind of BIOS passwords can't be removed? (I'm not disagreeing, I've just never heard of this technology) Thanks! – Kredns – 2009-03-16T23:40:44.137

1That really depends on the manufacturer. I, for example, haven't yet been successful removing the BIOS password of my secondary computer. Portable computers are often more resistant against such attempts. – None – 2009-03-16T23:42:48.700

1A basic security principle is that "I don't know how to do it" != "it cannot be done". I also have never heard of such a technology, so am a little sceptical. – None – 2009-03-16T23:50:18.077

2It can be undone by replacing the whole motherboard or by just moving the hard disk to another computer. – None – 2009-03-17T08:32:50.113

If you are putting it like that, you don't.

Or you can encrypt part of the files on the disk which will lead to a slower load time due to decryption and you will have to have extra applications installed for it.

fmsf

Posted 2009-03-16T23:32:09.820

Reputation: 389

You could keep all of your personal data on an external encrypted drive. That way you can take all of your data wherever you go, and not have to worry about someone getting to it on your personal PC.

32Gb USB thumb drives are coming down in price.

Strozykowski

Posted 2009-03-16T23:32:09.820

Reputation: 101