Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

8/10/2006
05:15 AM
50%
50%

Eliminating the Laptop Threat

Here's a real different take on dual-factor authentication

We used to say that the wallet was worth far less than the money it contained, that analogy simply can no longer adequately address the vast disparity between the cost of an $800 laptop and the seven-figure plus impact that loss or theft can bring.

After the fact it appears that in each case the data wasn't the target, the laptop was. We've always known the value of the data on a PC was more valuable than the PC itself, but under the current environment the ability for a lost laptop to do material damage to a firm far exceeds anything we have considered in previous decades.

Forget viruses and spyware for a moment -- not that these can be ignored, but theft is a bigger deal. In addition to loss and damage, new rules now force public disclosure of these thefts. For some institutions, this has been incredibly embarrassing. (See Laptop Theft Hits Toyota, No Wires & No Policies, and FBI Recovers Stolen Veterans Affairs Laptop.)

It would seem that the best way to address this problem is to destroy the market for stolen laptops and, as it turns out, there is a technology that can do this.

Thinking Outside the Box
A few weeks ago, Microsoft and a series of partners unveiled an initiative called FlexGo, which provided favorable leasing terms to those wanting to buy new PCs in developing countries. The problem with financing programs in the past was a combination of no financial infrastructure to handle the loans, and the inability to repossess the hardware if the payments weren't maintained. In fact, it was believed that hardware sold this way would simply lead to losses for any reseller.

To combat this, a technology called TCSubscribe was created by Phoenix Technologies which renders the hardware, either as a complete system or as components, unusable if the buyer doesn't make his payments.

Now, what if this technology was repositioned so that, were a laptop stolen, it would simply stop working and the components wouldn't work either? This would virtually eliminate any reason to steal laptops for resale and leave us with the folks that were actually taking the thing for the data. Coupled with strong encryption of the disk and good user authentication, laptops could actually become more secure than most desktop PCs.

It is interesting to note that Phoenix worked with another company, Absolute, on a similar solution years ago when few saw any value. These new disclosure rules have clearly changed the landscape.

Looking Farther Forward
Given that PC hardware vendors are in close competition to provide the most secure platform, it is my belief that, before long, we will see a solution like this. However, as we mull this probability, many have been trying to figure out a way to make the trigger event (the thing that turns the laptop into a boat anchor) near instantaneous.

That leads us to using the cell phone as part of a multi-factor authentication solution. Let's say we wed each cell phone's unique identifier with this solution, and when the laptop can no longer "see" the associated cell phone, it blanks the screen and secures access. If, after a set period of time, the user doesn't re-authenticate, the laptop goes inert until proper multi-factor authentication can be presented to unlock it.

In doing background for this piece, we discovered Phoenix had demonstrated a Bluetooth solution that would work much like we've summarized. Once again, it appeared the technology was ahead of its time, as few seemed interested.

With laptops increasingly being equipped with wide-area wireless and GPS there is an opportunity, at some future date, to have a true Lojack feature where a code could be sent to the laptop. Not only would it become inert, the machine would start broadcasting its location for quick retrieval.

One interesting feature would be to have the cell phone and laptop beep if the two devices become separated. This would help prevent folks from leaving notebooks at airport scanners or forgetting their cell phones in taxis.

Of course, if we applied ring tones to this, we could probably get cell phones and laptops that could yell for help, giving some real value to this obnoxious technology. Combined with biometrics, this could provide incredible piece of mind.

Everything I'm talking about doesn't require any new technology, only different applications of stuff that already exists. In many cases, Phoenix and others have demonstrated parts of these solutions already, and we are simply waiting for the forward looking OEMs to pick them up.

In a world that is increasingly unsecure, wouldn't it be great to truly fix one of the more visible exposures? We sure think so and hope that this kind of solution comes sooner rather than later.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Phoenix Technologies Ltd. (Nasdaq: PTEC)

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Zero-Factor Authentication: Owning Our Data
    Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
    44% of Security Threats Start in the Cloud
    Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
    Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
    Robert Lemos, Contributing Writer,  2/20/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-8813
    PUBLISHED: 2020-02-22
    graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
    CVE-2020-9039
    PUBLISHED: 2020-02-22
    Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
    CVE-2020-8860
    PUBLISHED: 2020-02-22
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
    CVE-2020-8861
    PUBLISHED: 2020-02-22
    This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
    CVE-2020-8862
    PUBLISHED: 2020-02-22
    This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...