Spotlight AO Member Tutorial - Laptop Security Basics

[phernandez]

Congratulations to keezel, author of this month's spotlight member tutorial!

How To: Laptop Security Basics
by keezel

It is appalling how easily security measures are circumvented on most laptops. In the following paragraphs you will learn various methods of securing your laptop against theft and unwanted users tampering with your files. You will also learn how to circumvent most of those security measures should the need arise.

How secure is your laptop?

First, let look at some the terms we’ll be discussing in this tutorial and what they mean.

BIOS - Intended to detect/verify hardware (via POST) and select a boot loader prior to entering the Operating System. This is the very first thing a computer does when powered on.

BIOS Password - A password stored on the motherboard that requires you to authenticate prior to booting into any Operating System.

Operating System - Abbreviated as OS and referring to Windows XP/Vista, Mac OS X, Linux Distributions (Such as Ubuntu, SUSE).

CMOS - The chip on the motherboard where a variety of information (including the BIOS password) is saved.

CMOS Battery - A small battery on the motherboard dedicated to powering the CMOS chip.

MoBo - Motherboard.

Operating System Passwords

I will begin with OS passwords. This is the only security precaution I say is an absolute necessity. If you keep your laptop behind locked doors (i.e. at home) 24/7 and you'd rather not deal with more inconvenient security precautions, at least take the time to set up this password.

Step 1 - Set a password for all administrator accounts, including the hidden Administrator account in Windows XP and Vista. You can access the Admin account in Windows by booting into safe mode. This is accomplished by mashing F8 frenetically as the computer first powers on.

Step 2 - Once this is done, train yourself to lock the computer (Windows key + L in Windows) every time you are away. This will prevent Joe Blow in an adjacent office/dorm room or anyone that happens upon your laptop from sitting down and potentially doing nasty things. Or possibly simply annoying things...like relatives that find if funny to deposit naughty gifts on your desktop.

Step 3 - Secure yourself against telling everyone your password.

Step 4 - Change all administrator passwords from time to time. Realistically this only happens once every six months at best unless you are paranoid.

Unfortunately these passwords are the least secure of all in terms of physical security. Windows XP and Vista passwords are easily wiped out using a variety of applications on boot CD's. I've used four different applications, and I imagine there are many more out there.

The same theory applies to Mac and Linux operating systems as well, although password resetting programs for these OS's are far more obscure. Mac passwords are slightly more secure purely because fewer people know how to reset them (security by obscurity). It took me over an hour one day to figure it out and that was with Google on hand to aid with research.

BIOS Passwords

The next step in securing your computer is to create a BIOS password.

Step 1 - Access the BIOS generally by reading the small text on the top or bottom of your computer immediately after the computer first powers on. Generally you can press F2, Delete, or Escape to enter the BIOS setup. Some computers, including IBM models, do not display instructions or have a usual key to press to access the BIOS. For these, look up how to access the BIOS for that particular model using your preferred search engine.

Step 2 - Navigate to the menu that presents you with an option to set an administrator password. Once there, click on the option and type in your password twice to verify. This is a fairly straightforward process.

These passwords are significantly more difficult to remove, which inherently increases their ability to prevent unauthorized use of a laptop. Removal of these passwords requires someone to physically disassemble the laptop and locate the CMOS battery, remove it (as well as the regular battery), drain all remaining power from the MoBo (usually accomplished by pressing the power key, which will sap the remaining power...also a handy trick before you install memory), and then reassemble the laptop. This is further complicated because not all laptops have the CMOS battery in the same place. I even encountered one that I swear does not have a CMOS battery... I was unable to reset that one.

Physical Security Measures

This step is the least technical.

There are a variety of physical locking devices that can be purchased in most stores that have a technology section. All recently manufactured laptops have a notch on the side, commonly referred to as a Kensington security slot.

Placement may vary. On HP models, for example, it is generally at the bottom of the LCD; Toshiba tends to place theirs on the side of the laptop nearer where you'd look to find a USB port. Options you may consider include locking cable tethers (http://www.targus.com/US/product_details.asp?sku=PA410U), (http://www.targus.com/US/product_det...sp?sku=ASP29US) or for the or for the ultimate in security, full-blown safe-like enclosures (http://www.securitykit.com/laptop_safes.htm).

Theft Recovery Software

If the worst happens and your laptop is stolen, this is your last line of defense.

There are several programs designed to track your laptop in the event that it is stolen. The most popular of the options out there is LoJack for Laptops (http://www.lojackforlaptops.com/). $39 buys you a program that can reinstall itself on a newly reformatted computer (thanks to an agent embedded in the BIOS of newer computers) and track itself, ultimately leading to the recovery of your laptop.

Once you've followed these steps, you've vastly increased your resistance to both data loss and theft!

[westin]

HDD encryption, and HDD passwords are also a good way to prevent others from accessing your data, which in some cases could be more valuable than the system itself. Some models of the thinkpad line actually have tamper resistant system boards that will lock the system down if it detects someone trying to reset the password. [or at least that is what I was told when I did tech support for them.]

[keezel]

Ya know, I actually thought about that after I submitted everything. I was hanging out with a former roommate and he mentioned that he did not have his HDD encrypted over the course of conversation, and I was like "Hey....I totally missed that in my tutorial...awesome."

[phernandez]

Quote:

Originally Posted by keezel

Ya know, I actually thought about that after I submitted everything. I was hanging out with a former roommate and he mentioned that he did not have his HDD encrypted over the course of conversation, and I was like "Hey....I totally missed that in my tutorial...awesome."

Looks like a topic for another tutorial...

[d3m0nb0y]

The best thing to do, is to minimize the time spent without your laptop in public. Always carry it with you.