[OPLINTECH] Potential Computer Vandalism

Chad Neeper cneeper at level9networks.com
Wed Nov 20 10:29:27 EST 2013


If the BIOS in your computers has the ability to set a hard drive
password... and someone has done it, then your hard drive is probably now
rendered useless without that password. As a matter of course, I ALWAYS
ensure that the BIOS/CMOS passwords are set so patrons can't get in there
and wreak havoc!

I've gone a round or two trying to find a way to wipe a password from an
otherwise perfectly good hard drive. It's particularly difficult and I
ultimately gave up.

The password stays with the hard drive, so even if you remove the drive and
connect it to another computer, the drive will identify itself to the host
operating system, but that's all the further it will go. The password is
stored on one of the hard drive platters. So to remove the password, you
have to do a low-level access of the disk and know EXACTLY which bytes to
locate and interpret or overwrite. It'll be different for each model hard
drive.

I don't know of any malware that will enable a HD password, although I
suppose it's probably possible. Most of the malware that encrypts does so
at the file level, leaving your OS intact. They're trying to extort money
from you, so it's usually just the data files that get encrypted. Your
situation definitely sounds more like a pesky patron setting the HD
password, just like you suspect.

I think your only option here is to ensure that all of your patron
computers now have their BIOS passwords enabled, replace the locked hard
drives, and locate your pesky patron if possible and invite him/her into a
dark alley.

Good luck!


______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*


On Wed, Nov 20, 2013 at 9:20 AM, Mike Hensel <henselmi at oplin.org> wrote:

> OPLINTech Libraries:
>
> I’ve got a situation where one of my patron computers last week booted up
> with a Security Manager Screen that basically needed a password to boot
> from the hard drive. We run DeepFreeze on all of the computers. I
> eventually had to get another hard drive sent from Dell. Last night 5 more
> computers displayed the same message. We lock the computers down with
> policies as well. I have not seen any virus alerts pop up in Symantec. We
> run Symantec Endpoint. I don’t believe we had the BIOS locked down, so the
> only thing I can think of is someone logged into the BIOS and set up a
> password on access to the HD, which is leaving our machines dead.
>
> Has anyone run across this scenario, and are there any easy fixes besides
> getting a new hard drive and rebuilding the machine? I’m trying to
> determine if it was a local hack (patron at each machine) or a virus.
>
> Any help would be appreciated.
>
> Mike Hensel
> Director, MLIS
> London Public Library
> 20 E. First Street
> London, OH 43140
> www.mylondonlibrary.org
> 740-852-9543
> Mobile 614-325-1429
>
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at lists.oplin.org
> http://lists.oplin.org/mailman/listinfo/oplintech
> Search: http://oplin.org/techsearch
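As an added example that is not part of this thread or anyone's posted code: the hard drive password Chad describes is the ATA Security feature set, and its state (supported / enabled / locked / frozen) is visible in the `Security:` section of `hdparm -I /dev/sdX` when a machine is booted from a Linux USB stick. The script below parses that section and gives each drive a verdict, so the remaining patron machines can be audited before a password that is set but not yet locked takes effect on the next power cycle. The hdparm text embedded here is constructed to match hdparm's real layout, and the `/dev/sda` and `/dev/sdb` names are placeholders.

```python
"""Audit ATA Security state from `hdparm -I` output.

Added example for the OPLINTECH thread above, not code from any list member.
The hdparm text below is CONSTRUCTED to match hdparm's real layout; on a real
machine run `hdparm -I /dev/sdX` from a Linux boot USB and feed in its output.
"""
import re

# Constructed sample: a drive with no password set, frozen by the BIOS at boot.
SAMPLE_CLEAN = """\
ATA device, with non-removable media
        Model Number:       EXAMPLE-DRIVE-1
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Constructed sample: the state described in the thread, a user password set
# and the drive locked, so it identifies itself but refuses reads and writes.
SAMPLE_LOCKED = """\
Security:
        Master password revision code = 65534
                supported
                enabled
                locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

# Flags hdparm prints one per line, each optionally prefixed with "not".
FLAGS = ("supported", "enabled", "locked", "frozen", "expired")


def parse_ata_security(hdparm_text):
    """Return a dict of ATA Security flags, or None if no Security section is present."""
    lines = hdparm_text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip().startswith("Security:")), None)
    if start is None:
        return None
    state = {flag: False for flag in FLAGS}
    state["enhanced_erase"] = False
    state["master_password_revision"] = None
    for line in lines[start + 1:]:
        if line and not line[0].isspace():
            break  # a non-indented line means we have left the Security block
        text = line.strip()
        if not text:
            continue
        m = re.match(r"Master password revision code\s*=\s*(\d+)", text)
        if m:
            state["master_password_revision"] = int(m.group(1))
            continue
        negated = re.match(r"not\b", text) is not None
        body = text[3:].strip() if negated else text
        if body.startswith("supported: enhanced erase"):
            state["enhanced_erase"] = not negated
            continue
        # First word before any colon is the flag name ("expired: security count" -> "expired").
        key = body.split(":", 1)[0].split()[0] if body else ""
        if key in FLAGS:
            state[key] = not negated
    return state


def classify(state):
    """Turn the parsed flags into a one-word verdict for the audit report."""
    if state is None or not state["supported"]:
        return "no-ata-security"
    if state["locked"]:
        return "locked"           # password set and currently enforced
    if state["enabled"]:
        return "password-set"     # unlocked now, will lock at next power cycle
    return "clean-frozen" if state["frozen"] else "clean-unfrozen"


def audit(devices):
    """devices maps a device name to its hdparm -I output; returns name -> verdict."""
    return {name: classify(parse_ata_security(text)) for name, text in devices.items()}


if __name__ == "__main__":
    for dev, verdict in audit({"/dev/sda": SAMPLE_CLEAN, "/dev/sdb": SAMPLE_LOCKED}).items():
        print(f"{dev}: {verdict}")
```

The `frozen` flag bears on Mike's local-hack-versus-virus question: a BIOS that issues SECURITY FREEZE LOCK at boot leaves the drive frozen, and the drive then rejects SECURITY SET PASSWORD until the next power cycle, so no program running under the operating system can set a drive password on it. A machine whose drive reports `not frozen` under the running OS is one on which software could have done it; one that reports `frozen` points at someone with physical access to the BIOS setup.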