[OPLINTECH] Potential Computer Vandalism

Chad Neeper cneeper at level9networks.com
Wed Nov 20 10:41:03 EST 2013


>
> If the BIOS wasn't locked down, there is also the possibility that someone
> actually flashed the BIOS with a different version.

A comment on the above: You don't need access to the BIOS to be able to
flash a new one. You can flash even a password-protected BIOS. You simply
boot to media that contains the BIOS you intend to flash and the
OS/program used to perform the actual flash.

On patron computers, it's always important to do the following in your BIOS
before the first patron ever touches it:
* Set your BIOS administrative password.
* Set the boot order to boot from the hard drive first or to boot ONLY from
the hard drive.
* Disable the ability to boot from removable media.

Those basic steps help to protect your patron computers at the "hardware"
level.


______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*


On Wed, Nov 20, 2013 at 10:29 AM, Ken Butler <hcotech at holmeslib.org> wrote:

> If the settings that password protect the hard drive are in the BIOS, I
> would try removing the CMOS battery for a period of time - say half an hour
> or more, and also pressing the power button while it is unplugged to clear
> out any residual power in the system. Once it has been drained and the
> battery removed for half an hour or more, try putting the battery back in
> and see what you get. Removing power from the BIOS for a decent period of
> time SHOULD revert all settings to default.
>
> If the BIOS wasn't locked down, there is also the possibility that someone
> actually flashed the BIOS with a different version. If what I mentioned
> above doesn't work, I'm not sure what you could do other than talking to
> your computer manufacturer to see if there are any back doors in the BIOS
> that you can use, or if there is a way to flash the BIOS with the standard
> version for that computer.
>
>
> On Wed, Nov 20, 2013 at 10:16 AM, Mike Hensel <henselmi at oplin.org> wrote:
>
>> Ron:
>>
>>
>>
>> I cleared the CMOS jumpers on the motherboard which allows me to at least
>> get to the BIOS but once I’m there I cannot change or turn off the HD
>> password because I don’t know it – it has been set by the individuals that
>> locked up the machines – at least that’s my guess.  I tried my admin
>> passwords but they don’t seem to work.
>>
>>
>>
>> I read online that Dell may have a backdoor password so I may give them a
>> call.
>>
>>
>>
>> Mike Hensel
>>
>> Director, MLIS
>>
>> London Public Library
>>
>> 20 E. First Street
>>
>> London, OH 43140
>>
>> www.mylondonlibrary.org
>>
>> 740-852-9543
>>
>> Mobile 614-325-1429
>>
>>
>>
>> *From:* Ron Woods [mailto:woodsro at oplin.org]
>> *Sent:* Wednesday, November 20, 2013 10:09 AM
>> *To:* 'Mike Hensel'; oplintech at oplin.org
>> *Subject:* RE: [OPLINTECH] Potential Computer Vandalism
>>
>>
>>
>> Hi,
>>
>>
>>
>> Is this a boot password that’s stored in the BIOS? Or some kind of
>> encryption on the hard drive?
>>
>>
>>
>> Does clearing the CMOS jumper on the motherboard remove the password? I
>> wouldn’t think you have to replace the hard drive to clear a BIOS boot
>> password, all that should be required is clearing the CMOS jumper pins on
>> the motherboard…unless we’re talking about some kind of hard drive boot
>> encryption set with a password?
>>
>>
>>
>>
>>
>> Ron Woods
>>
>> Computer Services Manager
>>
>> St. Clairsville Public Library
>>
>> (740)-695-2062
>>
>> http://www.stclibrary.org
>>
>>
>>
>>
>>
>>
>>
>> *From:* oplintech-bounces at lists.oplin.org [mailto:oplintech-bounces at lists.oplin.org]
>> *On Behalf Of* Mike Hensel
>> *Sent:* Wednesday, November 20, 2013 9:21 AM
>> *To:* oplintech at lists.oplin.org
>> *Subject:* [OPLINTECH] Potential Computer Vandalism
>>
>>
>>
>> OPLINTech Libraries:
>>
>>
>>
>> I’ve got a situation where one of my patron computers last week booted up
>> with a Security Manager Screen that basically needed a password to boot
>> from the hard drive.  We run DeepFreeze on all of the computers.  I
>> eventually had to get another hard drive sent from Dell.  Last night 5 more
>> computers displayed the same message.  We lock the computers down with
>> policies as well.  I have not seen any virus alerts pop up in Symantec.  We
>> run Symantec Endpoint.  I don’t believe we had the BIOS locked down so the
>> only thing I can think of is someone logged into the BIOS and set up a
>> password on access to the HD which is leaving our machines dead.
>>
>>
>>
>> Has anyone run across this scenario and are there any easy fixes besides
>> getting a new hard drive and rebuilding the machine?  I’m trying to
>> determine if it was a local hack (patron at each machine) or virus.
>>
>>
>>
>> Any help would be appreciated.
>>
>>
>>
>> Mike Hensel
>>
>> Director, MLIS
>>
>> London Public Library
>>
>> 20 E. First Street
>>
>> London, OH 43140
>>
>> www.mylondonlibrary.org
>>
>> 740-852-9543
>>
>> Mobile 614-325-1429
>>
>>
>>
>> _______________________________________________
>> OPLINTECH mailing list
>> OPLINTECH at lists.oplin.org
>> http://lists.oplin.org/mailman/listinfo/oplintech
>> Search: http://oplin.org/techsearch
>>
>>
>
>
> --
> Ken Butler
> hcotech at holmeslib.org
> Head of Information Technology
> Holmes County District Public Library
> 3102 Glen Drive
> Millersburg, OH 44654
> PH: 330-674-5972 ext 224