Oh good, double passwords

SF Gate has this article about the mysterious semi-disappearance of a laptop belonging to Clear (the airport Verified Identity bypass people) at SFO:
The Clear service speeds registered travelers through airport security lines. Verified Identity Pass operates the program at about 20 airports nationwide.

New enrollments in the program were suspended after a laptop with names, addresses and birthdates for people applying to the program disappeared from a locked Verified Identity Pass office at the airport. The files on the laptop were not encrypted, but were protected by two passwords, a company official said.

A preliminary investigation showed that the information was not compromised, said Steven Brill, CEO of Clear, but the TSA is still reviewing the results of its forensic examination of the computer.

In case you didn't know this already, multiple passwords don't add a lot of value when the attacker has physical possession of the computer. Passwords only protect access when the operating system is running. However, typically computers can be booted from some media other than the hard drive, e.g., CDROM or a USB stick. In that case, you can boot any operating system you want and read the laptop hard drive directly, regardless of what passwords there are. On many computers, you can configure the BIOS so that the machine can only be booted from the hard drive, and then some password is needed to reconfigure the BIOS. I can't tell whether this machine was configured this way. If it were, you could try guessing the password, or you could just open the case and read the hard drive directly in another machine. This, of course, is why you want to encrypt the hard drive.
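
A defender-side check for the point above, as an added example that is not part of the original post: it classifies a volume by the signature in its first sectors, which is what anyone reading the drive outside the running operating system sees. The function names and the sample headers are constructed for illustration, and only LUKS, BitLocker, NTFS, FAT32 and ext2/3/4 are recognized.

```python
import struct

# Signatures at fixed offsets in the first sectors of a volume (partition).
LUKS_MAGIC = b"LUKS\xba\xbe"     # offset 0, encrypted container (LUKS1/LUKS2)
BITLOCKER_OEM = b"-FVE-FS-"      # offset 3, encrypted BitLocker volume
NTFS_OEM = b"NTFS    "           # offset 3, plaintext NTFS boot sector
FAT32_TYPE = b"FAT32   "         # offset 82, plaintext FAT32 boot sector
EXT_MAGIC_OFFSET, EXT_MAGIC = 1024 + 56, 0xEF53  # s_magic in ext superblock


def classify_volume(header: bytes) -> str:
    """Classify a volume from its first 2 KiB; login/BIOS passwords never show up here."""
    if len(header) < 2048:
        raise ValueError("need at least the first 2048 bytes of the volume")
    if header.startswith(LUKS_MAGIC):
        version = struct.unpack_from(">H", header, 6)[0]  # big-endian version field
        return f"encrypted: LUKS{version}"
    if header[3:11] == BITLOCKER_OEM:
        return "encrypted: BitLocker"
    if header[3:11] == NTFS_OEM:
        return "plaintext: NTFS"
    if header[82:90] == FAT32_TYPE:
        return "plaintext: FAT32"
    if struct.unpack_from("<H", header, EXT_MAGIC_OFFSET)[0] == EXT_MAGIC:
        return "plaintext: ext2/3/4"
    return "unknown: no recognized signature"


def read_header(path: str) -> bytes:
    """Read the first 2 KiB of a device node or disk image (needs read access)."""
    with open(path, "rb") as f:
        return f.read(2048)


def sample_header(offset: int, data: bytes) -> bytes:
    """Build a constructed 2 KiB header with `data` placed at `offset`."""
    buf = bytearray(2048)
    buf[offset:offset + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    # Constructed headers, not taken from any real disk.
    print(classify_volume(sample_header(3, NTFS_OEM)))
    print(classify_volume(sample_header(0, LUKS_MAGIC + b"\x00\x02")))
```

An "unknown" result is not evidence of encryption: headerless schemes and unformatted volumes look the same, so confirm with the encryption tool itself.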

I'd also be interested in hearing what forensics were performed. Neither of these procedures would leave much in the way of electronic evidence, especially if the computer was already off—both these attacks would require rebooting the computer, though of course the attacker could just let the battery run down, which would help cover up an intentional reboot. If you removed the hard drive, that might leave tool marks on the case, screws, etc. but then you'd have to know what tool marks were there before from assembly, repair, etc. In any case, it's not clear to me that one could really tell whether this sort of attack would be readily detectable.
