SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#789985

Physical access to a computer system can be used to bypass software-based access control mechanisms

Overview

An intruder who gains physical access to a computer system can bypass software-based control mechanisms.

I. Description

If an intruder can gain physical access to a computer resource, he can bypass software-based access control mechanisms, install Trojans horses, install hardware to facilitate subsequent access, copy data to another device, boot the computer into another operating system, modify data stored on the device, or destroy, steal, or disable physical components, including security-related components. This has been well documented. See
Data may be protected by encrypting it using strong cryptography. However, an intruder is still able to copy or modify the encrypted data. If the data is copied, an intruder may have the resources available to conduct off-line cryptographic attacks against the data. If the data is modified, it may be rendered useless. Alternately, the intruder may be able to insert a Trojan horse that will lead to subsequent compromise.

You should not assume that access control lists or other software-based security mechanisms provided by an operating system will prevent an intruder from gaining access to data if the intruder can boot the computer into an alternate operating system.

II. Impact

An intruder who gains physical access to a computer system can alter or control any aspect of the hardware and software. Encrypted data may provide protection against data theft.

III. Solution

Restrict physical access to computer systems to only those personnel who must have access. Consider using an encrypting file system or database to encrypt data stored on mobile devices such as laptops or PDAs. Restrict access to network closets or data centers.

Systems Affected

No Information Available

References

http://www.cert.org/security-improvement/practices/p074.html
http://security.uchicago.edu/docs/physicalsec.shtml
http://www.unixtools.com/security.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/5min/5min-203.asp
http://www.utoronto.ca/security/policies.html
http://www.cio.gov.bc.ca/itsp/sec72.htm

Credit

This document was written by Shawn V Hernan.

Other Information

Date Public:70-01-01
Date First Published:2003-03-06
Date Last Updated:2003-03-07
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:9.00
Document Revision:6

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader