One of the things I’ve always believed to be true about computer security is this statement:
The only unhackable computer is a computer that’s powered-down.
I always thought that a good, simple way to make your company a whole lot safer would be to simply power down every workstation and server at the end of the day (if this is feasible — usually it’s not). If you do this, then there are about 15 hours in the day when the machines can’t be touched, including the overnight hours, which I’m sure are a cracker’s paradise.
But I got to thinking about this the other day: given the advances in cracking, is this still true? Or is there some way to remotely compromise a machine that’s unpowered? Alternatively, is there a way to power up a machine remotely and involuntarily?
For instance, a lot of machines with modems can be set to boot when the phone line attached to the modem rings. So if you knew the phone number of a machine you wanted to crack, you could call it, and force it to power up.
Can anyone think of other situations where a cracker could compromise a machine that had no power? Is shutting off a computer still the single, uncircumventable security measure? Can I still cling to my theory?