How To: 3 Steps To A More Secure Laptop
The threat is a big one. An estimated 750,000 laptops were stolen last year, up from 600,000 in 2003, according to Absolute Software, a maker of tools to retrieve lost or stolen laptops.
The threat of lost data is the top worry. But close behind is the fear of identity theft. For system builders, all this means it's mission-critical to have a laptop-security program in place.
In this Recipe, I'll show you how to deploy readily-available, inexpensive technology to protect your customers' laptops " and the data that resides on those systems. This three-step plan includes: Securing the contents of a laptop with basic encryption methods; recovering a stolen laptop using tracking technology; and rendering a stolen laptop virtually unusable to a thief by installing a simple "kill switch." Let's get started.
Encryption
The best justification for deploying laptop encryption: It's now mandatory in many states. California, for example, has a regulation, SB-1386, requiring anyone who does business in California and suffers a breach of unencrypted personal information concerning a California resident to notify that California resident. That Senate Bill became California law in 2003. Today there are similar laws in about 25 other U.S. states. Most state the same thing: Regardless of where the company owning the data is located, notification is required if the data of a state resident is breached. What's more, a single breach can lead to cumulative penalties reaching as much as $10,000 a day.
From a technical perspective, there are two specific kinds of encryption, according to Eric Maiwald, a security analyst at the Burton Group: file and disk. While an OS such as Windows XP Professional has a file encryption facility built into it called EFS (Encrypting File System), that system can be easily breached by a user with administrator privileges, Maiwald says. Worse, EFS is entirely absent from XP Home, which is used on cheaper laptops.
From a vendor perspective, here are the leading vendors of hard-disk encryption software:
- Pointsec Mobile Technologies : Based in Lisle, Ill., PointSec's encryption is deployed extensively by the U.S. government, particularly the Army. The company offers versions of its software for Windows PCs, Linux PCs, PDAs, smart phones, and removable media.
- Guardian Edge Technologies : Based in San Francisco, Guardian Edge offers the Encryption Anywhere hard-disk package. This software was selected by the U.S. Veterans Administration after the VA's belated decision to enhance their organization's security.
And the leading vendors of file encryption software are:
- PGP Corp. : Based in Palo Alto, Calif., PGP is one of the pioneers in the encryption field. In fact, the U.S. government tried to suppress the export of PGP's Pretty Good Privacy software in 1993, but dropped the case in 1996. The company offers a wide range of products, including file and e-mail encryption.
- Credant Technologies : From Addison, Tex., Credant offers encryption technology that has been adopted by the U.S. Army. Cedant's range of software includes products for notebooks, tablet PCs, smart phones, and PDAs.
Tracking
Stolen laptops are no longer a lost cause. Today's new LoJack-like tracking software gives victims a real shot at tracking down a misappropriated notebook.
Tracking involves adding software to the laptop that will, once a day or so, check with an Internet server while the machine is on-line. Since most notebooks are on-line in some capacity, why not add software that can -- in the background and unknown to the user -- check with a server once a day or so? If the machine is reported stolen, the next time it checks with the server, the machine will find special instructions to follow. Usually, the machine will be told to send out pings every few minutes so its physical location can be tracked. Then the local police can be notified.
Absolute Software of Vancouver, B.C., has the patent on this concept. Its Computrace service is worth the price. High-end pricing for the full service peaks at $128.95 for three years. For a cheaper alternative, the company's LoJack for Laptops consumer product costs $49.99 for one year.
You'd think a clever thief could format the hard disk and reload the operating system, effectively erasing the software that allows tracking to happen—killing off the phone-home application. (Of course, this assumes the machine was stolen along with its restore disc). In an effort to prevent such activity, Absolute Software has made agreements with leading laptop vendors -- including Hewlett-Packard, Gateway, Dell and Fujitsu -- to put function calls to Computrace software in the BIOS chips of its machines, so that the Computrace functionality will survive restoration.
Absolute Software's principal patent licensee is CyberAngel Security Solutions of Nashville, Tenn., which offers a mix of tracking and encryption. Single-quantity for CyberAngel pricing is $59.95 for one year.
The CyberAngel software creates an encrypted partition on the hard drive. Anyone who boots the system and gives an incorrect password will get access to the system and will appear to have free to use it. Since the thief will assume that no password was enabled, the thief will not be able to see any of the files in the encrypted P: partition, since the OS will simply pretend the partition does not exist. Here's a shot of the before-and-after file directory from a laptop running CyberAngel:
Only by analyzing the disk space allocation display would the thief begin to suspect something was amiss. In the meantime, the machine would be sending tracking pings anytime it found itself on-line. In other words, the system is a honey-pot. With such easy, partial access, the thief will be most likely be using the laptop when the police arrive.
The "Kill Switch"
In some cases, the value of the laptop may be trivial in comparison with the value of the data it holds. In these instances, the owner may have little or no interest in tracking and recovering the physical machine. It's the data they want returned. However, they may also be interested in retaining control over the data on the missing machine. There's actually a way to accomplish that, thanks to technology called a "kill switch." It's analogous to the emergency switch in a race car that automatically turns off the engine in the event of an emergency.
Kill switches are the core of the Lost Data Destruction service offered by Beachhead Solutions of Santa Clara, Calif. As with the tracking service described above, a stolen machine checks with an Internet server at intervals. If the server sees that the laptop is flagged as stolen, the server will launch a pre-determined series of actions, some of which can be quite nasty. Single-user pricing for this service is $129 per year per machine.
As shown in the following illustration, such actions include "secure delete" operations that overwrite (rather than merely erase) sensitive files, in a specified order. Typically, the operation would start by overwriting the file containing the system decryption key. Here's how it looks:
The thief may notice the disk activity and turn it off, but the activity will resume when the system is turned back on. The machine can then go on and pull other tricks, like reformatting the drive and lapsing into eternal-reboot mode.
The kill switch can still work even if the machine never goes on-line again. The machine can decide that it's been stolen based on various parameters, including a suspicious amount of time since it was last turned on, failed log-ons, or signs of tampering. Clever, no?
There is no single technological solution for laptop security. But with encryption, tracking and kill switches, you've got three serious tools for securing your customers' laptops.
LAMONT WOOD is a freelance writer in San Antonio, Tex., who has been covering technology for nearly 25 years.