Orcmid's Lair

Incident Report X050401
Blocco Setup Firmware Resets

0.00 2005-04-16-21:23 -0700


Category: Reliability
Incident ID: X050401
Priority: 9 - Integrity Failure
Status: Under Investigation
Subject: Computer Security Exposure
Repaired in: none
Assigned To: Dennis Hamilton (analysis)
Reported By: Dennis Hamilton (2005-04-16)
Date Opened: 2005-04-16
Date Closed: tbd

1. Summary
2. Remedies
3. Actions
 

see also:
Blocco: System Management Notes
 

1. Summary (2005-04-16):

From time to time, Blocco, my Averatec C3500 Tablet PC, resets its setup firmware to the default settings.  This is very unsettling, especially because it leaves the computer insecure and makes me quite nervous that there is some sort of exploit being attempted or, worse yet, already accomplished.

2. Remedies (2005-04-16):

1. Recognition.  I have the computer set to require a user password before booting the operating system.  If the computer starts up without requiring any password, I know the setup firmware has been reset to its default configuration or otherwise altered.  I also know there's something amiss if it does a Fast Boot or shows me the Averatec OEM screen on power-up.  So the changes I make to my setup have the default behavior be startlingly different and a tip-off.  The biggie is failure to ask me for the user password, though sometimes I think I may have done it mindlessly and I'll do a reboot to be certain.

1. Apply Workaround.  My first step is to always restore the setup configuration to the one that I prefer.  I do that at once.  There might be more that I could do with respect to the hard disk and other bootstrap-related settings, but the documentation is silent on those features and settings and I don't want to end up locking myself out of the machine. 

2. Look for Patterns.  I don't know what kind of diagnostic or forensic effort I could apply here.  That's ignorance on my part.  Reinstalling everything doesn't seem like the right approach, and it would be very painful to do even though I keep records and backups that would allow me to do it.  What I am going to do is keep more-accurate records of these incidents as they occur and see what that provides.  I am recovering what I can from my personal notebooks and building a better record. 

3. Report the incident and see what information there is about it.  I don't know how customer support works for this particular computer.  I don't see anything confidence-building on their site, but there are some places where users exchange information.  I will report this experience there, on my blog, and to the vendor.  They will all be able to access this incident material and maybe some resolution will arise.

3. Actions (as of 2005-04-16):


0.00 2005-04-16-12:26 Create Initial Incident Identification, Analysis, and Collection of Materials
Capture enough material so that related investigation can be defined and this report can be polished later.  Manage with a job jar.  Dig up photographs and add them to a description of the restoration process.


created 2005-04-16-12:26 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 05-04-17 21:55 $
$$Revision: 6 $
