Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

8/10/2006
05:15 AM
50%
50%

Eliminating the Laptop Threat

Here's a real different take on dual-factor authentication

We used to say that the wallet was worth far less than the money it contained, that analogy simply can no longer adequately address the vast disparity between the cost of an $800 laptop and the seven-figure plus impact that loss or theft can bring.

After the fact it appears that in each case the data wasn't the target, the laptop was. We've always known the value of the data on a PC was more valuable than the PC itself, but under the current environment the ability for a lost laptop to do material damage to a firm far exceeds anything we have considered in previous decades.

Forget viruses and spyware for a moment -- not that these can be ignored, but theft is a bigger deal. In addition to loss and damage, new rules now force public disclosure of these thefts. For some institutions, this has been incredibly embarrassing. (See Laptop Theft Hits Toyota, No Wires & No Policies, and FBI Recovers Stolen Veterans Affairs Laptop.)

It would seem that the best way to address this problem is to destroy the market for stolen laptops and, as it turns out, there is a technology that can do this.

Thinking Outside the Box
A few weeks ago, Microsoft and a series of partners unveiled an initiative called FlexGo, which provided favorable leasing terms to those wanting to buy new PCs in developing countries. The problem with financing programs in the past was a combination of no financial infrastructure to handle the loans, and the inability to repossess the hardware if the payments weren't maintained. In fact, it was believed that hardware sold this way would simply lead to losses for any reseller.

To combat this, a technology called TCSubscribe was created by Phoenix Technologies which renders the hardware, either as a complete system or as components, unusable if the buyer doesn't make his payments.

Now, what if this technology was repositioned so that, were a laptop stolen, it would simply stop working and the components wouldn't work either? This would virtually eliminate any reason to steal laptops for resale and leave us with the folks that were actually taking the thing for the data. Coupled with strong encryption of the disk and good user authentication, laptops could actually become more secure than most desktop PCs.

It is interesting to note that Phoenix worked with another company, Absolute, on a similar solution years ago when few saw any value. These new disclosure rules have clearly changed the landscape.

Looking Farther Forward
Given that PC hardware vendors are in close competition to provide the most secure platform, it is my belief that, before long, we will see a solution like this. However, as we mull this probability, many have been trying to figure out a way to make the trigger event (the thing that turns the laptop into a boat anchor) near instantaneous.

That leads us to using the cell phone as part of a multi-factor authentication solution. Let's say we wed each cell phone's unique identifier with this solution, and when the laptop can no longer "see" the associated cell phone, it blanks the screen and secures access. If, after a set period of time, the user doesn't re-authenticate, the laptop goes inert until proper multi-factor authentication can be presented to unlock it.

In doing background for this piece, we discovered Phoenix had demonstrated a Bluetooth solution that would work much like we've summarized. Once again, it appeared the technology was ahead of its time, as few seemed interested.

With laptops increasingly being equipped with wide-area wireless and GPS there is an opportunity, at some future date, to have a true Lojack feature where a code could be sent to the laptop. Not only would it become inert, the machine would start broadcasting its location for quick retrieval.

One interesting feature would be to have the cell phone and laptop beep if the two devices become separated. This would help prevent folks from leaving notebooks at airport scanners or forgetting their cell phones in taxis.

Of course, if we applied ring tones to this, we could probably get cell phones and laptops that could yell for help, giving some real value to this obnoxious technology. Combined with biometrics, this could provide incredible piece of mind.

Everything I'm talking about doesn't require any new technology, only different applications of stuff that already exists. In many cases, Phoenix and others have demonstrated parts of these solutions already, and we are simply waiting for the forward looking OEMs to pick them up.

In a world that is increasingly unsecure, wouldn't it be great to truly fix one of the more visible exposures? We sure think so and hope that this kind of solution comes sooner rather than later.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Phoenix Technologies Ltd. (Nasdaq: PTEC)

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 9/21/2020
    Hacking Yourself: Marie Moe and Pacemaker Security
    Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
    Startup Aims to Map and Track All the IT and Security Things
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2015-4719
    PUBLISHED: 2020-09-24
    The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
    CVE-2020-15604
    PUBLISHED: 2020-09-24
    An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
    CVE-2020-24560
    PUBLISHED: 2020-09-24
    An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
    CVE-2020-25596
    PUBLISHED: 2020-09-23
    An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
    CVE-2020-25597
    PUBLISHED: 2020-09-23
    An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...