* Posts by pssst3

3 publicly visible posts • joined 13 Jan 2018

Intel AMT security locks bypassed on corp laptops – fresh research

pssst3

Re: Staggering

Passwords suck as security because anyone can use them. You don't even need to go to a hardware store to make a copy.

A password that is never set from the default is known to thousands.

A password on a corporate machine that is one of many, IF it is set, has the same password as all the other machines.

A physical lock on a computer case, a BIOS that can't be accessed without opening the case, either of these better security than a BIOS password, bacause they require an instrument and more time.

If you want a computer to be secure, LOCK IT IN A drawer when you are not using it.

pssst3

Re: Staggering

You let someone else access your "personal" computer?

That is exactly what this exploit requires, and if you leave your machine unattended, they can just pick it up and walk off with it.

;-D

Good luck.

pssst3

Intel isn't the security issue here, people are.

"as this is most likely unchanged on most corporate laptops"

This issue is the same problem as leaving the front door of a building unlocked and unattended - lack of physical security. It isn't the fault of the door or the lock manufacturer, but a failure of corporate management to practice due diligence.

If someone cannot get into a building who should not be there, someone cannot gain physical access to a computer who should not have it, and there is no security system that prevents "inside jobs".

It has been proven time and time again that shared passwords can not provide high level security, and that data stored on a "personal" computer is insecure, even if it is encrypted in the machine's storage.

In practice, it would be virtually impossible to have a separate password for every computer in a corporation. Hundreds or thousands of machines are maintained by a staff of dozens with 25% annual turnover. Even if a corporation had its IT department set a BIOS password, it is ridiculous to assume that password would not leak, and there is no simle way to change thousands of passwords.

In the case of the Intel/BIOS issue, the fundamantal architecture of the modern computer is a kludge of insecure components, integrated into an unreliable appliance that is administered by unreliable people with no system of standards that they are held accountable for following.

The closest thing to a secure PC is a one that assumes it has been hacked, has NO firmware configuration and has multilevel secure boot that checks BIOS, kernel, OS and apps every time that the machine is started up. If that machine is connected to a network the network must be equally secured.

The poor quality software available today that requires a constant stream of updates and patches,is defective from date of inetallation through retirement. Of course it has security loopholes.