laptop computer security

Document Sample
laptop computer security Powered By Docstoc
					Laptop Computer Security
White Paper
MARCH 2003

Table of Contents
1.0. INTRODUCTION AND OVERVIEW ................................................................................................ 3 2.0. THE LAPTOP SECURITY PROBLEM ........................................................................................... 3 3.0. APPROACHES TO LAPTOP SECURITY ....................................................................................... 8 3.1. User authentication systems.............................................................................................. 8 3.2. Physical locking devices................................................................................................... 12 3.3. Encryption........................................................................................................................... 12 3.4. Monitoring and tracing software ...................................................................................... 13 3.5 Alarms .................................................................................................................................. 14 4.0. THE UNMET NEED ................................................................................................................... 14 5.0. AN ANALOGY AND A MODEL: AUTOMOBILE SECURITY.......................................................... 15 6.0. CAVEO® ANTI-THEFT AND TARGUS DEFCON™ MDP ANTI-THEFT PC CARDS ................ 16 REFERENCES ................................................................................................................................... 18

© Caveo Technology
Rev. 3, March 2003. This document reflects Caveo Technology’s understanding, based on publicly available information. Caveo Technology makes no representations regarding the accuracy of any information contained herein. This document is revised periodically to reflect new information. Questions and comments are welcome; please direct to info@caveo.com.

© Caveo Technology

1.0. Introduction and Overview
Despite the slowdown in the overall personal computer (PC) market, growth in laptop computers continues. According to Gartner, worldwide laptop sales grew 11.6% in 2002, compared with only 2.7% growth in PCs overall (1, 2). Worldwide growth for PCs is projected to return to high single digit levels in 2003 (3). The laptop -- increasingly the computer of choice for both business and consumer buyers -- will likely to continue growth at double-digit levels. As laptops proliferate, theft has become an ever more critical security issue. Laptop buyers in search of a security solution are faced with a wide array of products, systems, and services, each of which addresses a part of the problem. There remains considerable confusion about the extent of protection provided by each product, and the overall level of security that is achieved when a combination of approaches is used. This paper provides an overview of the laptop security problem and summarizes the various categories of products and systems in current use.

2.0. The Laptop Security Problem
A rash of recent news items has brought the laptop security issue to widespread public attention: • In October 2002 an Air Force sergeant was charged with the theft of two laptop computers taken from the military command center that oversees U.S. military operations in Afghanistan and Iraq. The laptops were missing for nearly two weeks before they were recovered, but according to military sources, no sensitive information was taken (4). In a report released in August 2002, five agencies under Justice Department jurisdiction reported 400 missing laptop computers. The classification level of 218 of the missing laptops was unknown, and the report noted, “It is possible that the missing laptop computers would have been used to process and store national security or sensitive law enforcement information that, if divulged, could harm the public (5).” In June 2002 a laptop computer and stamps used to grant access to the United States were stolen from an Immigration and Naturalization Service office (6). In March 2002 a laptop computer belonging to the Auditor General of Nova Scotia was stolen from his home, raising concerns about a security breach affecting auditing offices across Canada (7). In July 2001 the Federal Bureau of Investigation reported that 184 laptops had been lost or stolen. At least one and possibly as many as four contained classified information (8). In April 2001 the British Defense Ministry reported 205 laptops missing since 1997, most of which contained classified material (9). In September 2000 three laptop computers and a handheld device were stolen from a Democratic National Committee office (10). Also in September 2000, the laptop of Qualcomm’s CEO, Irwin Jacobs, was stolen from a conference room in which he had just given a presentation. Jacobs told participants

•

• • • • • •

Laptop Computer Security White Paper

3

© Caveo Technology

•

•

that the computer contained proprietary information that could be valuable to foreign governments (11). In three separate incidents between March and May 2000, British intelligence and military agents lost laptops that were reported to contain state secrets. In the first, an intelligence officer for MI6 mislaid a laptop, which was recovered by police two weeks later. In the second, a laptop containing classified material on Northern Ireland was stolen from an MI5 security officer. In the third, a naval officer’s laptop, containing details on a fighter plane being jointly developed by Britain and the United States, was stolen and later recovered by a British tabloid (12, 13). In February 2000 a laptop computer with “highly classified” information disappeared from the U.S. State Department (14). The laptop was not password protected and the data on it were not encrypted. It was reported to contain several thousand pages of highly classified documents. In May 2000 two more laptops were reported missing from the U.S. State Department (15).

The Computer Security Institute (CSI), in collaboration with the FBI’s Computer Intrusion Squad in San Francisco, conducts an annual survey on computer crime and security in U.S. corporations and government agencies. For six consecutive years, CSI has reported the types of security attack and misuses experienced by its respondents. Laptop theft has been consistently reported by about 60% of the reporting organizations, as shown below.

Most Common Security Breaches in Organizations
120

100

80

Percentage of 60 respondents

1997 1998 1999 2000 2001 2002

40

20

0

Virus

Insider Abuse of Net Access

Laptop theft

Unauthorized Access by Insiders

Denial of service

System penetration

Source: Computer Security Institute (Ref. 16).

Laptop Computer Security White Paper

4

© Caveo Technology

Safeware Inc., the largest U.S. insurer of laptops, issues an annual estimate of laptop thefts in the USA (17). Despite an increasing attention to security and an increasing array of security products, the number of thefts has been consistently rising, and is, on average, rising much faster than the underlying growth rate of laptop computers.1

Laptop Thefts in the US, thousands
700

600

500

400

300

200

100

0 1998 1999 2000 2001 2002

Source: Safeware, Inc. (Ref. 17)

The asset loss associated with laptop theft is substantial. However, losing the computer and its installed software is often the least important worry among corporate and government users of laptops. Of far higher concern are: • • • • The risk that confidential and/or sensitive information will be lost or stolen. According to the Gartner Group, informal surveys indicate that 10-15% of laptop thefts are committed to obtain confidential data (18). The risk that a stolen laptop will be used to gain unauthorized access to private networks. The business interruption losses and administrative costs involved in obtaining and setting up new systems, greatly compounded when employees have not recently backed up the information on the hard drive. The concerns about liability if confidential information from a third party such as a vendor or customer is lost. This is a particular issue in the health care industry, which must

1

In 2002, because of a system change, Safeware did not provide a breakdown between notebook and desktop thefts, as had been done in previous years. In this chart, it is assumed that notebook thefts in 2002 were about 97% of total thefts, as they had been during the previous two years.

Laptop Computer Security White Paper

5

© Caveo Technology

comply with new rules protecting private patient information pursuant to the Health Insurance Portability and Accountability Act (HIPAA). The final Rule adopting HIPAA standards was published in the Federal Register on February 20, 2003 (19). The Rule specifies a series of administrative, technical, and physical security procedures, and requires health care organizations to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic private health information. Organizations must implement safeguards to restrict access to all workstations that access protected information, and, in the final rule, the definition of the term “workstation” has been changed specifically to include laptops and other portable computing devices. For the respondents to the CSI survey (16), average losses from laptop theft ranged from $32,000 to $89,000 during the past six years. The highest reported losses ranged from $500,000 to $5,000,000. Both average losses and highest reported losses have been generally increasing throughout the years of CSI’s survey, as shown in the charts on the next page. According to the Meta Group (20), a typical large firm suffers between $1 million and $3 million in losses due to laptop theft every year. When loss of business data is included, losses can exceed $20 million, and if confidential data lands with a competitor, can be catastrophic. In recent focus groups, we found these risks to be foremost in the minds of IT managers in companies and institutions that are significant buyers of laptops: “Once a laptop is out of IT’s hands and out of our site, anything can happen to it and we have no control over it. I can’t [be there to] tell that person that the laptop has critical information on it and they shouldn’t leave it anywhere.” “The interface between physical security and data security is the laptop. If that disappears, you lose the data on it, too, and if it is proprietary data then you are up two creeks.” “ We have had issues of laptops that were stolen. There is very confidential data because we have case managers who go out and visit patients.”

Laptop Computer Security White Paper

6

© Caveo Technology

Average loss from laptop theft
$100,000

$90,000

$80,000

$70,000

$60,000

$50,000

$40,000

$30,000

$20,000

$10,000

$0 1997 1998 1999 2000 2001 2002

Highest losses reported
$6,000,000

$5,000,000

$4,000,000

$3,000,000

$2,000,000

$1,000,000

$0 1997 1998 1999 2000 2001 2002

Source: Computer Security Institute (Ref. 16)

Laptop Computer Security White Paper

7

© Caveo Technology

3.0. Approaches to Laptop Security
Within the much broader arena of IT security, there are five classes of technology that are most relevant to laptops because they protect against the risks described above. These are summarized in the table below, and are described in more detail in this section.

Laptop Security Technologies Technology 3.1. User authentication 3.2. Physical locking devices 3.3. Encryption 3.4. Monitoring and tracing software 3.5. Alarms Purpose Confirm the authorized user; prevent unauthorized access Deter theft Protect data Locate and assist in recovery of stolen computers Deter theft

3.1. User authentication systems User authentication is a required component of all security systems. It has often been written that authentication can be done three ways: - By something the user knows (e.g., a password), - By something the user has (e.g., a token or card), and/or - By a personal feature of the user (e.g., fingerprint, voice, eye scan) Each approach has advantages, but each also has intrinsic limitations: “Something you know” can be forgotten, guessed by others, or inappropriately shared, “Something you have” can be misplaced or stolen, and “Something you are” can be difficult to distinguish reliably.

Combining two or more methods enhances the confidence level. This is common in situations where high levels of security are required; for example, a bank ATM machine requires both a card and a password. In a PC, different levels of authentication may be used: (1) pre-boot, done prior to boot-up (typically done with BIOS and/or hard drive passwords); (2) OS-level, done prior to operating

Laptop Computer Security White Paper

8

© Caveo Technology

system startup, and (3) user-level, done before granting access to networks or specific files, folders or applications. The most common approaches to user authentication – password systems, smart cards and tokens, and biometrics -- are briefly profiled below. Password systems “Something you know” is usually manifested as a password or by providing correct responses to previously established questions. Password or personal identification number (PIN) systems require the user to type in a sequence of characters. They are the most common of the user authentication methods, and the least expensive in initial cost. Password systems are vulnerable to various forms of attack. Brute force and dictionary attacks are carried out by readily available “crack” programs that simply try all possible passwords, starting with the most likely choices, such as words in the dictionary. Other methods of password attack include keystroke monitoring, “social engineering” methods (snooping or trying to trick people into disclosing passwords), and network “sniffing” (21). To reduce the risk of password attack from brute force or dictionary attacks, many companies require employees to use relatively strong passwords containing 8 or more digits, combining random upper and lower case letters, numeric and punctuation characters. Policies requiring frequent password changes are also used, as are policies that employ different passwords for access to the computer or operating system, the network, and specific files and applications. These added complexities are inconvenient and burdensome to users, and they substantially increase the administrative burden. By some estimates, as much as 30 percent of internal help desk calls are related to forgotten passwords (22). Burdensome password policies are also self-defeating: users faced with trying to remember a number of complex passwords give up, and write them on sticky notes posted near or on their computers, or program their computers to remember their passwords, thereby eliminating any protection. Smart cards and tokens “Something you have” can be manifested in a number of form factors – most common are smart cards and tokens. These provide the advantage of storing robust authentication information that the user does not have to remember – he or she just has to possess the smart card or token. A smart card is a plastic card with an internal memory chip or microprocessor. Memory smart cards are used to store confidential data such as personal information and encryption keys. Microprocessor smart cards are used in applications that require manipulation of data, such as data encryption. Smart cards have gained widespread use, especially in Europe, for telephone calling, electronic cash payments, and similar applications. Gartner reported that worldwide smart

Laptop Computer Security White Paper

9

© Caveo Technology

card shipments were 628 million units in 2000, with two vendors, Gemplus and Schlumberger, accounting for 66.7% of the world market (23). Gartner predicts that worldwide chip card shipments will exceed 2.6 billion units by 2006, with microprocessor card shipments exceeding memory card shipments for the first time in 2005 (24). In computer security applications, smart cards offer the opportunity for enterprises to implement single sign-on capability, i.e., allowing employees to log onto a company system one time rather than having to deal with multiple passwords for different applications. Without two-factor authentication, single sign-on is viewed as too risky; thus, most systems require both a typed-in PIN as well as possession of the card. Microsoft included support for smart cards in Windows® 2000, and added stronger capabilities aimed at system administrators in Windows XP (25). Nevertheless, smart card systems are somewhat inconvenient for the users. In addition to requiring that the user have the card in his or her possession, most systems today require separate smart card readers, available in USB, serial port or PCMCIA format. Acer began offering notebook PCs with smart card slots in the first quarter of 2001 (26). Smart card technology costs between $50 and $150 per user for a typical enterprise installation, including software, smart cards and readers, but these costs don’t reflect the significant amount of systems integration work required to install smart card systems. The lack of interoperability among smart cards, software and readers also continues to be a problem (25). The IT managers in our focus groups cited the robust security provided by smart cards as an important advantage, especially for network access. However, they noted that users are prone to lose them, creating a cost and administrative burden associated with replacing lost cards. Compliance with good security practices was also cited as a problem: as one participant noted, users often carry the smart card in the same bag with the laptop to avoid losing or forgetting it. In late 2002, Cryptography Research Inc. (CRI) claimed to have discovered a new class of attacks that could be used by hackers to extract secret keys and information from smart cards and secure cryptographic tokens (27). By eavesdropping on the fluctuating electrical power consumption of microprocessors in the devices and applying statistical methods, CRI states that secret information such as encryption keys and PINs that are held on the device can be determined. Current generation smart cards are said to be especially vulnerable because of their small size and minimal shielding. Smart tokens differ from smart cards in form factor and interface but operate on the same premise – they can store robust authentication information, and their presence is required for access. An example is Rainbow Technologies’ iKey™, a token that plugs into the USB port on the computer. Rainbow’s tokens operate on two-factor authentication, i.e., the user is also required to enter a password (28). Other tokens such as RSA Security’s SecurID® products display a unique code that the user must then enter as a PIN to gain access (29).

Laptop Computer Security White Paper

10

© Caveo Technology

Ensure Technologies’ offers XyLoc™, a system consisting of a token (“key”) that communicates via RF with a serial-port or USB-based peripheral (“lock”) on the computer. The lock and key communicate up to 50 feet. When the authorized user approaches the computer, the key transmits verification information, and the lock enables access to the computer’s keyboard and screen (30). Biometrics Biometric technologies rely on a personal feature of the user (“something you are”). Approaches include fingerprint recognition, hand geometry, face recognition, eye scans, and voice verification. The most commonly used in PC applications is fingerprint. The major advantage of fingerprint technology is that it provides very strong authentication without requiring the user to remember and type in a password or keep track of a smart card or token. Fingerprint technology today is able to achieve very low false acceptance rates (FAR) of 1 in 10,000 or better (31). By definition, though, a low FAR means that the fingerprint sensor very rarely accepts the wrong fingerprint. Much attention was given recently to the results of a Japanese researcher whose effort focused on mimicking the right fingerprint (32). He performed experiments on 11 different biometric scanners using a fake gelatin finger made from a mold of the user’s finger. The gelatin finger was able to gain unauthorized access about 80 percent of the time. He then attempted a more complicated experiment in which he acquired a latent fingerprint from a piece of glass, enhanced it, photographed it and tweaked it using photo editing software. He then printed the fingerprint onto a transparency and had it etched into a photosensitive circuit board. The print on the circuit board was then applied to the gelatin finger. This technique also allowed access about 80 percent of the time. Another measure of importance for biometrics is the false rejection rate (FRR), i.e., the probability of rejecting the authorized user. Statistics vary by the type of sensor: Shen (33) cites FRRs ranging from 0.1% to 3%. The FRR achieved depends on whether the user is trained on proper fingerprint placement on the reading device, and how many fingers are used in the attempt. In practice, there are still significant levels of false rejections; therefore, some systems provide users with smart cards or other tokens for access in the event of rejection. Further, about 2.5% of people do not have fingerprints of sufficient quality to allow for authentication (31). For these users, an alternative authentication technique (e.g., a password) is necessary. Impravata is a Massachusetts startup with software that uses mathematical algorithms to confirm fingerprint data. According to David Ting, a co-founder, it improves the accuracy of fingerprint technology from 80% to 99.99%. The issue of potential database hacking is also reportedly addressed because the fingerprint maps aren’t stored; they are newly verified each time a user needs clearance (34). Acer offers laptop PCs with integrated fingerprint scanners using Authentec’s EntrePad sensor (35), and a number of vendors offer external devices. Fingerprint technology remains expensive to purchase and implement. Individual fingerprint scanners range from a low of about $100 for peripheral devices to $150-250 for PC Card readers. Server software for 25

Laptop Computer Security White Paper

11

© Caveo Technology

users is $1500 plus $50 per additional user (36, 37). Significant additional costs are incurred with installation and integration into enterprise systems and training end users. Template storage is one of the complex aspects of biometric systems. Most solutions rely on one or more centralized databases. Since biometric templates require large storage capacity, these can become quite substantial for systems with many users. They must be absolutely secure and resistant to remote attack, of course, because an attacker who recovers the data can use it to create false credentials. Systems that store templates locally on hard drives or on smart cards avoid the problems of large central databases but have the disadvantage of creating local vulnerabilities that are susceptible to loss or theft (38). 3.2. Physical locking devices According to a survey conducted several years ago by Kensington (39), two out of every five laptop thefts occur from the office. Because of this, many companies adopt increased building security (guards, gates, badges, video surveillance systems) as a means of reducing laptop theft. Also in fairly widespread use are physical locking devices, e.g., Cable locks (e.g., Kensington, Targus) Docking stations and lockdown enclosures

Devices such as cable locks are generally inexpensive (<$50), and they are good deterrents. The main disadvantage of physical locking devices is that they are cumbersome, and especially inconvenient to the mobile laptop user. In another study commissioned by Kensington (40), individual accountability was seen as the top barrier to effective security measures. While 80 percent of respondents said physical security measures such as cable locks are an effective deterrent to theft, only 32 percent actually purchase them (and actual usage rates are likely far lower). 3.3. Encryption Robust OS-level authentication systems prevent unauthorized access to the laptop’s operating system. However, if the hard drive is removed to another machine, or if boot-up from a floppy disk is enabled in the stolen machine, the files can be accessed. Unless a hard drive lock option is available and implemented, the only way to protect files from this type of attack is to encrypt them. Encryption requires the use of a digital key to encrypt and decrypt the data. In “symmetric” systems, the same key is used for both encryption and decryption. In PKI (public key infrastructure)-based applications, asymmetric encryption is used, with two keys: a public key for encryption and a private key for decryption. In many current encryption products, the keys are stored on the hard drive, making them vulnerable to attack. Encryption experts such as RSA Security recommend protecting keys

Laptop Computer Security White Paper

12

© Caveo Technology

by storing them in tamper-resistant hardware devices that can handle cryptographic functions internally and do not permit the keys to be exported outside the hardware (41). This is the basis of cryptographic cards and tokens, as well as IBM’s Embedded Security Subsystem (ESS), available in ThinkPad laptops (42). ESS consists of a built-in cryptographic security chip, which supports key storage, encryption and digital signatures, and a downloadable software component that provides the user and administrative interface and the interface to other applications. Because critical security functions take place within the protected environment of the chip -- not in main memory, and not relying on the hard drive to store cryptographic keys -- the system is more secure than software-only solutions. 3.4. Monitoring and tracing software Monitoring and tracing software keeps track of the location of the laptop and, if it is stolen, assists in its recovery. These products work by making a call into a monitoring service each time the laptop is logged onto the internet. If the laptop has been reported stolen, the service activates a caller-ID system, identifies the IP address of the computer, and notifies the owner. Products that fall into this category are Compu-Trace™ (Absolute Software), Cyber Angel™ (CSS), zTrace™, and Solagent™(43-46). In most cases, the cost of the software plus a oneyear monitoring service is about $50. For example, CompuTrace packages range from a $49 one-year agreement for one license to site licenses that cover 20 laptops for $2,999 for four years (47). These prices have declined considerably, and continue to drop, as competition increases in this segment. A relatively new product, PC PhoneHome™, offered by Brigadoon Software, is available for a one-time fee of $29.95 for as long as the customer owns the computer (48). The benefit of monitoring and tracing software is that it offers the possibility of recovering a stolen computer. Another benefit is that the monitoring service can be used for routine asset tracking. In certain situations – e.g., college campuses -- IT managers have posted warning notices once monitoring and tracing software has been installed, simply to serve as a theft deterrent. Of course, such as strategy is only wise if insiders are suspected to be responsible for most of the thefts, and if theft of confidential or sensitive information is not a concern. The major disadvantage of trace and recovery products is that they require the stolen computer to be logged onto the internet before the recovery operation can be enabled. A stolen computer that is not logged onto the internet, or that has had the software removed before logging on, will not get recovered. Another disadvantage is that tracking down the physical location of a computer from an IP address can be time-consuming, as can assembling the evidence needed to persuade law enforcement agencies to issue search warrants and take action to recover the computer. Although the software is claimed to be difficult to remove from the computer (not achievable by reformatting), the software may be rendered inoperable in some cases by simply reinstalling a newer operating system (47).

Laptop Computer Security White Paper

13

© Caveo Technology

Some products offer features for retrieving, encrypting and/or erasing files on the stolen laptop once it is logged onto the internet. Of course, such files would be accessible to the thief up to that point. 3.5 Alarms Alarm systems, such as the DEFCON™ unit marketed by Targus (49), detect motion and sound an alarm. One version, which costs about $50, attaches to the computer via the security slot, and also comes with an integrated cable for physical locking. Arming and disarming is done by entering a combination or with a remote controller. The system offers two levels of motion sensitivity before the alarm is tripped. TrackIT™ markets a two-piece alarm system with a keychain token that communicates with a receiver that is carried in the bag with the laptop. If the signal is lost between the two units, the alarm sounds. The product costs about $60 (50). Alarms serve as deterrents; however, these devices are somewhat cumbersome because they are external peripherals. They are not integrated with the computer system and, therefore, cannot provide user authentication or data protection. Products based on RF communication have the added disadvantage that signal strength varies considerably. The signal can be lost in certain environments – e.g., in buildings with metal infrastructures – or because of a change in orientation between the token and the receiver’s antenna, or simply when the user’s body comes between the token and the receiver. This results in many false alarms.

4.0. The Unmet Need
In focus groups and customer surveys, we’ve asked IT and security directors to define the features of an “ideal” security system. Here is what they say: 1. The ideal system addresses multiple security risks, not just one – i.e., it prevents unauthorized access, protects confidential information, and protects hardware. 2. The ideal system is easy to install, use and administer. For the user, the best of all worlds would be a completely transparent system. For the IT administrator, user transparency translates to fewer calls to help desks, thus decreasing administrative burden. 3. The ideal system is configurable, with options that enable users and their organizations to configure the system to their particular needs. 4. The ideal system deters theft, but if deterrence fails, detects theft and responds accordingly. We have found unanimity in the notion that deterrence is necessary. If deterrence fails, detection and response become vitally important. However, systems that focus on detection and response without deterrence ignore the substantial costs and aggravation associated with simply dealing with a laptop theft. 5. Last but not least, the ideal system would be inexpensive.

Laptop Computer Security White Paper

14

© Caveo Technology

5.0. An Analogy and a Model: Automobile Security
It has been written that one’s laptop is the second most likely personal possession to be stolen, after the automobile. Actually, auto theft rates have declined dramatically in recent years, while laptop thefts have soared – so unless you own one of the two or three cars most vulnerable to theft, your laptop is now far more likely to be stolen than your car (51). Nevertheless, auto theft has been a problem for a much longer period, and the sheer number of automobiles -- and therefore auto thefts -- is still far greater. It is useful, therefore, to consider the evolution of automobile security systems and the parallels with laptops. In auto security, the earliest approaches focused on deterrence alone. Using a lock and key (in essence, a token-based “user authentication” method) -- has been long established as a necessary, but not sufficient means of preventing theft. It deters the casual or opportunistic thief, but barely slows down the professional thief. Physical locking devices gained some use as auxiliary deterrents by a small fraction of automobile owners. They have advantages in some situations, but are too unwieldy and inconvenient to gain widespread use. Alarms also gained some use for their value as deterrents, but accidental alarms are a nuisance. When they occur frequently, they are ignored. The relatively low acceptance of physical locking and alarm-only devices illustrates the importance of minimizing user inconvenience and aggravation. If the deterrent is a hassle, it will not be used. Next, auto security systems evolved to include a particular kind of response – initiating steps to recover the stolen vehicle. The LoJack™ system, introduced in Massachusetts in 1986, is an example of this approach. LoJack relies on a hidden transmitter that is activated when a vehicle is reported stolen, enabling police to locate the vehicle. This approach is effective in areas where prompt response from law enforcement agencies is available. Establishing regional police support has proven time-consuming, though. LoJack has gradually expanded its service area over its 15-year history, but in the United States, it is still only available in 20 states and the District of Columbia (52). The most recent – and most effective – development in auto security is the passive immobilizing anti-theft system. Usually factory-installed by the manufacturer, these systems are based on the use of motion detection technology to detect threats. When a threat is detected, the system invokes an alarm, but more importantly, it also invokes an immobilizing device that keeps the vehicle from being driven. Thefts of vehicles containing immobilizing systems have declined dramatically. The Nissan Maxima provides an example: 1998 models, without factory-installed antitheft devices, had overall theft losses more than seven times the average for all cars. After standard immobilizing antitheft devices were introduced in 1999, theft losses for the Maxima declined

Laptop Computer Security White Paper

15

© Caveo Technology

by more than 60% (53). Theft rates for the Acura Integra declined 33% between 1999 and 2000, when passive immobilizing devices were installed (54).2 Cars containing passive immobilizing anti-theft systems use simple stickers and warning lights to communicate the presence of the system to the potential thief. LoJack, on the other hand, has not traditionally provided stickers or warning signals, maintaining that its system is not intended to be a deterrent – that there is major benefit in not disclosing its presence to the thief, in order to make rapid recovery more likely and minimize damage to the vehicle. Recently, though, LoJack has begun offering “full-featured” systems including intrusion detection, warning signals, and passive immobilization, in addition to its traditional tracking and recovery product. Overall insurance losses for vehicle theft have been reduced an average of about 50 percent for vehicles with passive immobilizing antitheft devices. As a result, insurers offer significant discounts to owners of vehicles with these systems.

6.0. Caveo® Anti-Theft and Targus DEFCON™ MDP Anti-Theft PC Cards
Caveo Technology introduced the Caveo Anti-Theft laptop security system in early 2002. In November 2002, Targus Inc. acquired exclusive U.S. marketing and distribution rights for a modified version of the product, marketed as the Targus DEFCON MDP Anti-Theft PC Card. Caveo continues to distribute Caveo Anti-Theft in non-US markets. Caveo Anti-Theft and DEFCON MDP are based on the same principles as today’s most sophisticated auto security systems: (1) use of motion detection technology to detect threats, (2) implementation of strong responses (“immobilization”) when theft is detected, and (3) incorporation of known deterrents – stickers, warning signals, and alarm. Threat detection is key to an ideal security solution because it enables the system to immediately implement strong responses that protect the computer and information. In the case of the car, the vehicle is rendered immobile. In the case of the laptop, Caveo Anti-Theft and DEFCON MDP shut down the computer, block access to the operating system and secure encryption keys. Threat detection is also important because it enables the system to remain convenient and virtually invisible when a threat does not exist, i.e., in normal everyday use. Caveo Anti-Theft and DEFCON MDP are available in the convenient PC Card (Type II PCMCIA) form factor. Suggested retail price is under $100. There are no external peripherals. The PC Card is a stand-alone system containing a motion sensor, processor, secure storage, sounder, and a rechargeable battery. The system operates independently of the PC and works whether the laptop is on or off. In normal everyday use, the system is either armed or disarmed. Arming and disarming can be done easily via an icon on the desktop, or with Caveo’s proprietary Motion Password™, which provides a quick and simple way to arm and disarm when the computer is off.
Integra theft rates rose again in 2001, although they remained 15% below 1999 rates. Investigators attribute the rise to the fact that Integras are targeted by professional thieves mainly for their parts.
2

Laptop Computer Security White Paper

16

© Caveo Technology

The system can also be set to automatically arm upon specific events, if desired: when the operating system starts up, when the screen saver comes on, and/or when the system enters suspend/hibernate mode. Labels are provided and can be affixed to the laptop to alert the potential thief that the laptop is protected. In initial setup, the user sets the “theft perimeter,” which defines the distance that an armed computer can be carried before theft is assumed. An armed computer issues an alert sound if it is moved, transitioning to more insistent warning signals if movement continues. These sounds serve as further deterrents to theft, and also serve to remind the user to disarm the system if he or she wishes to carry it beyond the specified distance. If an armed system is carried beyond the theft perimeter, the system assumes theft and invokes strong responses, including: (1) sounding an alarm (2) shutting down the computer if it is powered on, (3) upon restart, preventing access to the operating system, and (4) securing passwords and encryption keys in secure storage on the PC Card. If a stolen computer is recovered, a robust 16-digit master code (emergency PIN) is required to regain access to the operating system and the information in secure storage. In addition to the auto-arming options, the user-selected perimeter, and optional alarm settings (high, low, off), Caveo Anti-Theft and DEFCON MDP offer other convenient user options such as a browse feature that enables the user to select his or her own sounds or recordings for the alert and warning signals, arm and disarm confirmation, etc. Like a smart card or hardware token, Caveo Anti-Theft and DEFCON MDP enhance the security of file encryption by providing secure storage off the hard drive and by securely managing operations involving encryption keys, user information and passwords. Integral encryption software is provided. The PC Card contains a rechargeable battery that provides power for more than three weeks when the computer is off. The battery automatically recharges when the computer is on. Caveo Anti-Theft and Targus DEFCON MDP incorporate the critical elements of deterrence, detection, and response. They offer a robust and very convenient security system for the laptop user. Future upgrades and extensions are planned to provide: • • • An enterprise version that can be LAN installed, configured and managed, including IT administration of some of the configurable options, onsite creation of replacement cards, and expanded auditing and notification features; A Macintosh-compatible version; and Combination PC cards with Caveo Anti-Theft and other functionality (e.g., biometric, wireless, trace and recovery).

Laptop Computer Security White Paper

17

© Caveo Technology

References
1. Anon., “Gartner Dataquest says PC market experienced slight upturn in 2002, but industry still shows no strong rebound,” Gartner press release, January 16, 2003. 2. Gartner Inc., as cited in Bray, Hiawatha, “Intel and rivals put their chips on table,” Boston Globe, March 13, 2003. 3. Anon., “IDC sees solid PC market in second half of 2002 and projects growth of more than 8% in 2003,” IDC press release, December 6, 2002. 4. Anon., “Air Force sergeant charged in theft,” Tampa, FL, October 10, 2002 (http://www.dfw.mld/state/4257188.htm). 5. Newton, Christopher, “Feds missing weapons, laptops,” www.computeruser.com, August 9, 2002. 6. Anon., “Washington INS office burglarized,” Associated Press, June 4, 2002. 7. Anon., “Theft of N.S. auditor general’s laptop poses possible security breach,” March 14, 2002 (http://www.canoe.ca). 8. Vicini, James, “FBI finds weapons, computers missing or stolen,” Reuters, July 18, 2001. 9. Delio, Michelle, “The spy who lost me,” Wired news, April 17, 2001. 10. “Stolen DNC laptops located, three men arrested,” APB newswire, October 6, 2000. 11. “Qualcomm secrets gone along with CEO’s laptop,” Associated Press, September 18, 2000. 12. “British officer’s laptop recovered by tabloid,” APB newswire, May 22, 2000. 13. Sharkey, J., “Business Travel” column, New York Times, March 29, 2000. 14. “Highly classified State Department computer missing,” CNN, Associated Press, and Reuters, April 17, 2000. 15. “Two more laptops missing from U.S. State Department,” CNN and Reuters, May 5, 2000. 16. “2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, www.gocsi.com, Spring 2002. 17. Safeware, Inc. press releases and published loss statistics, 1999-2003, www.safeware.com. 18. Malik, William, Gartner Group, cited in Ryder, J., “Laptop Security, Part One: Preventing Laptop Theft,” www.securityfocus.com, July 30, 2001. 19. Centers for Medicare and Medicaid Services, http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp. 20. Gold, Jack, et al., “Take steps to minimize laptop loss,” www.zdnet.com, September 18, 2002. 21. Lobel, Mark, “The case for strong user authentication,” Price Waterhouse Coopers, reprinted by RSA Security, 2000. 22. “Client Security in the Enterprise Network: Dell’s Perspective,” Vectors Dell Highlight, February 2000. 23. Gartner Group, “Gartner Dataquest says worldwide smart card shipments grew 45% in 2000,” Gartner Dataquest press release, www.gartner.com, May 14, 2001. 24. Hirst, Clare, “Chip cards: EMV credit/debit brings next phase of growth,” Gartner research report, December 3, 2002. 25. Dunlap, Charlotte, “The smart card glitch,” ZDNet Tech Update, December 7, 2001 (www.zdnet.com). 26. Uimonen, T., “Acer unveils notebook PC with smart card slot,” InfoWorld, October 13, 2000. See also www.acer.com.

Laptop Computer Security White Paper

18

© Caveo Technology

27. Anon., “Research signals safer smart cards,” www.computeruser.com, December 9, 2002. 28. Rainbow Technologies, www.rainbow.com. 29. RSA SecurID authenticators, www.rsasecurity.com. 30. Ensure Technologies, www.ensuretech.com. 31. American Biometric Company, “Discussion Paper: Biometric User Authentication,” January 1999. 32. Costello, Sam, “Japanese researcher gums up biometrics scanners,” www.itworld.com, May 17, 2002. 33. Shen, Michelle, “A guide to biometric fingerprint sensors: major manufacturers and technical specifications,” www.biometritech.com, September 16, 2002. 34. Healy, Beth, “Lexington start-up has its fingerprint on security issue,” Boston Globe, April 22, 2002. 35. Anon., “TravelMate Fingerprint Identification Technology,” www.acer.com. 36. Deitch, Joel, “Body language: the new security,” ZDNet Tech Update, August 22, 2001, www.zdnet.com. 37. Raikow, David, “Pick a finger, any finger,” ZDNet Security News, March 12, 2001. 38. Raikow, David, “The myth of fingerprints,” ZDNet Security News, March 12, 2001. 39. “Most reported laptop thefts occur inside the office,” news release by Kensington, January 26, 1999 (www.kensington.com). 40. Anon., “Warning: value of lost computers underestimated,” Security, February 2002. 41. RSA Security, www.rsasecurity.com/rsalabs/faq. 42. IBM Corp., www.ibm.com. 43. Absolute Software, www.computrace.com. 44. CSS, Inc., www.sentryinc.com. 45. zTrace Technologies, www.ztrace.com. 46. Solagent, www.solagent.com. 47. Junnarkar, Sandeep, “Setting a trap for laptop thieves,” www.zdnet.com, August 23, 2002. 48. Anon., “Security software uses Internet, e-mail to track down a vanished laptop,” Washington Post, www.computeruser.com, June 7, 2002. 49. Targus, www.targus.com. 50. TrackIT, www.trackitcorp.com. 51. Highway Loss Data Institute, press release, May 23, 2001, www.carsafety.org. 52. LoJack, www.lojack.com. 53. Highway Loss Data Institute, press release July 19, 2000, www.carsafety.org. 54. Anon., “Most frequent theft claims are for Acura Integra; which also has worst overall insurance theft losses,” Highway Loss Data Institute, news release, May 15, 2002.

Laptop Computer Security White Paper

19

© Caveo Technology

Caveo Technology 49 Lexington Street, Suite 103 Newton, MA 02465 USA
ph: fax: email: 617-332-2836 (617-33caveo) 617-332-0849 info@caveo.com

Caveo® and Motion Password™ are trademarks of Caveo Technology. DEFCON™ is a trademark of Targus International. Windows® is a registered trademark of Microsoft Corporation. Other product names cited in this document are presumed to be trademarks of their respective owners.

Laptop Computer Security White Paper

20


				
john kimingi john kimingi ceo www.kimingi85.blogspot.com
About just a whizz kenyan boy