What can I do with BIOS access and a rootable netboot?

[kiwiki]

My local community college has hundreds of computers with no lockdown on the BIOS. Not only do they not have BIOS passwords, they also have a network bootable image with no root password. I've already brought this to their attention, via a phone call, but I'm not sure they're going to do anything about it. I go back tomorrow, and I want to see if they have fixed the problem or not. If they haven't I want to do something to show them it's a major (I feel like it's a major problem, but I've only just started in the world of pen testing) problem. I'm aware I could just wipe the drives and leave it, but that's damaging and I don't want to get in any legal trouble. What should I do?

[kiwiki]

From IRC: "12/4 13:10:27 superteece> unless you're on a contract with a scope that allows you to take such action you should not. 12/4 13:11:10 superteece> "ethical hacking" is simply hacking with the owner's permission"

Now, I'm not going to do anything without permission, and I plan on asking the adminstration to allow me to demonstrate the scope of this vulnerability. I'm preparing a Kali USB, as well as looking into creating a linux image that simply displays: "Fix me" on the screen.

[digininja]

I'd go back, see what the state is and talk to them, if they aren't interested then walk away and leave it well alone. If you push it too much and then something happens you will be the one in the spotlight for it.

 

If they do want you to show them why it is bad, then come back and ask again. To be honest, without a solid reputation, there is a chance that you could be completely lying when you say that you only want to demonstrate things with permissions so not sure how much help you will get with it. From my dealings with universities and similar I'd let it go and just make sure that your stuff is protected in the best way you can.

[digip]

Until you get permission to touch the network, don't. As digininja mentioned, talk to them about it, keep on them, but don't expect them to change anything. Many schools and corporate networks have issues like this, but it's their responsibility, not yours. Secure your machine against attack, and if you consider the network hostile(I would any network I don't own though), learn to setup a VPN, either from your home machine, or a VPN service, and run all outbound traffic through the VPN when using their network. Just because they may have security issues, doesn't mean you have to.