|
I don't usually subscribe
to conspiracy theories but cannot help wondering why
the likes of Toshiba, Compaq, Dell and other big names
in laptop computers don't fit better security to these
portable computers. It may be that additional computer
security will increase the retail price - some would
say that one stolen laptop computer equals one insurance
claim on a 'new for old' basis and the victim of the
laptop computer theft gets the latest model - very
nice indeed, if you have a cheap old banger with no
data!
A friend of mine
is a serving police officer and we were discussing
the theft of laptop computers, he recalled an article
relating to Thames
Valley Police and an initiative they had embarked
upon to reduce computer crime in both theft of data
information and the laptop itself. Unlike car theft
where in most cases the vehicle is worth more than
its contents, the information, data and indeed software
can easily out weigh the value of the laptop computer.
So in the majority of cases, the real loss is not
in the laptop computer but business to which it is
used.
I learned that over 8,100
Laptops were reported stolen in the Thames Valley
Police area during 2001.That is a staggering amount
for one region in the UK. The crime is also self propagating
because as more employers provide portable PC's to
staff, the more exposed they become to crime and more
likely to become victims.
There is rarely just
one victim after the theft of a laptop computer, the
user is the first victim, followed by the owner -
in the case of a company providing a laptop computer
to an employee. The laptop may contain work belonging
to many clients who also become victims.
A
Laptop is highly desirable to thieves who realise
that like mobile phones, they are easy to steal, easy
to access and most importantly easy to sell.
|
|
Alarms
are fine if we didn't ignore them and if you
saw a man in a suit swearing at a laptop computer
because the alarm was screaming and he couldn't
find his switch-off gadget - you'd probably
ignore the situation too. The fact that men
in suits steal computers didn't cross your mind
.... and you are not alone!
|
Laptops can be stolen
from anywhere; vehicles, homes, offices, in the street,
at the airport, dock or harbour, on the train or as
we walk from office to office, in restaurants, pubs
and indeed fast food cues. For a laptop user the PC
Immobiliser from Chirson
provides a 'barrier' prior to completion of the systems
'boot up'. If your unique 'iButton' is not in the
port the PC just locks the screen and keyboard and
prevents any further access. If your 'iButton' is
in the port the PC boots as normal, you don't even
know it's there!
|
"The
theft of Laptop Computers continues to be a
serious problem due to their high desirability.
In our police area alone in the last 12 months
over 8000 laptops have been stolen, of these
3000 were stolen from vehicles.
The Chirson
immobiliser is a piece of technology that
reduces the value of the stolen laptop by restricting
access to the database, making it less desirable.
It also incorporates a clear warning that the
equipment will be rendered useless, this reduces
the motive to steal it in the first place".
Barry Keane
CH/INSP Thames Valley Police, Business Crime
Centre
|
 |
|
|
The Chirson
PC immobiliser can also be used as security
in a day-to-day work related environment. Often
we visit clients and suppliers, we still need
to protect our companies data when we go to
lunch,or simply visit their washrooms.
|
Normally you would
have to turn the PC off and hope that no one can guess
your password or may be fail to do so because you
don't want to look like you don't trust anyone. With
the Chirson
PC immobiliser you can simply leave your
PC running and just remove your button to prevent
access to your PC. The button can fit to accessories
such as your key fob.
Chirson
offer a 'Reward
for Return' scheme. Each system is provided with
a special Tamper Evident Label to be affixed to either
the Desktop PC or the Lid of the Laptop computer.
The label destructs into tiny pieces if it is removed.
|
This can take a lot of time
and effort!!! The Label clearly states that
the PC is immobilised and unauthorised access
is prevented. This acts as a deterrent to any
thief as they are immediately aware that they
cannot access the data and may choose to dump
the PC, or not even steal it in the first place!
The label has a unique serial
number, and providing that you register your
details with Chirson, if the PC is recovered
or found, Chirson act as a central contact point
for repatriation to be arranged.
Chirson even provide a clearly
marked key ring for the outside of your Laptop
carry case which identifies the fact that you
have a security device installed and may stop
the thief from stealing it in the first place!!
|
Chirson
Tamper Evident Label
|
|
|
Chirson
LO2Kis an identity theft
deterrent system. It allows the user to 'wear'
a device that immobilises standalone or networked
WIN2000, NT 4.0 and XP PC's by using a Federally
Certified security device the size of a button.
Network |
Administrators centrally program
and issue a pre-programmed iButton to their users.
The user does not know their password, so it cannot
be copied, lost, compromised or forgotten.
Each users profile is stored in
a Java applet running inside the crypto barrier of
the Java-powered Button. Once the user logon credentials
are read LO2K software swiftly passes the encrypted
user profile to the WIN2000 Server automatically granting
the user logon to their machine. No more typing user
name/passwords for logon.
As an additional security measure
an individual PIN number can be centrally assigned
to the user for two-factor authentication. i.e. Have
something (iButton), know something (PIN Number)
The common problem of lost or
forgotten passwords can be eradicated as the iButton
protects its data from hacking and the password does
not need to be reset every 30 days. This removes the
need for Network administrators to waste valuable
time and resources dealing with support calls for
forgotten passwords, or even worse a user writing
their password on a Post-It Note and leaving it next
to their PC!
The Java iButton is one of the
worlds least counterfeitable devices known to man,
and has been certified to FIPS 140-1 Level 3 for security.
This is a device that has been tested by the National
Institute of Standards & Technology for the USA
and also the Communications Security Establishment
for the Government of Canada.
Administrators can be safe in
the knowledge that a user can be identified by the
fact that they have an individual iButton that is
their personal property and responsibility coupled
with a unique PIN number for network access.
|
The
key features of LO2K are :-
1. Windows
2000/NT 4.0/XP network Logon authentication
The
System Administrator has the ability to control
passwords centrally. No more typing of passwords,
or leaving written notes of ever changing passwords
for 'identity thieves'. Passwords are issued
and stored on the iButton centrally by the Network
Administrator. The iButton erases the information
if it is tampered with, or anyone tries to 'hack'
into it.
Additional security
measures are available by the Administrator
issuing an additional PIN Number for 'have something
(iButton), know something (PIN number)' user
authentication.
Access to the
network is controlled by the administrator and
cannot be altered by the user. All the user
knows is that they have an iButton and a PIN
Number issued to them and it is required for
PC to work.
2. True ability
to 'Hot desk'.
If
you use roaming profiles in your organisation,
simply plug in the iButton at any PC and it
will load your user profiles and gain network
access automatically from any network connected
PC.
3. PKI support
for signing/encrypting email
Electronic signatures
refer to any method used to associate a person's
identity with an electronic record. LO2K will
support the eSignature standard using PKI technology
to deliver Digital signatures. The users private
keys are stored on the iButton allowing users
to digitally identify themselves every time
they send an email.
4. FTP file transfer
for the storage of sensitive data for virtual
transportation
The
iButton has a 127K (24 page Word Document) memory
allowing secret files to be FTP transferred
to the button so that they are not left on the
machine. These could be documents such as merger
agreements, patent filings, PR Campaigns, legal
documents, accounts, etc, etc. If an attempt
is made to hack the iButton it destroys its
secrets rather than revealing them.
5. PGP key storage.
6. Acts like an
Immobiliser
The
system also behaves like the immobiliser product
so that when the iButton is removed if you leave
to go to a meeting, lunch, etc the PC is either
locked or the user is automatically logged off.
If an iButton is lost or stolen you are allowed
3 attempts to logon with your PIN number, then
the iButton locks for 30 minutes by its own
internal 'unhackable' true time clock. Therefore
a 4 digit PIN Number could potentially take
69 days, by which time you can centrally disable
the users access to the network.
|
|
Your concern, like mine
would naturally be how secure this Java-powered
iButton really is. Chirson
say;
"The National Institute of Standards (NIST)
and the Canadian Security Establishment (CSE)
have validated a version of the Java-powered
iButton for protection of sensitive, unclassified
information.
|
 |
FIPS 140-1 validation assures
government agencies that the products provide a trusted,
physically secure module to properly protect secure
information.
As a starting
point for the iButton's
extraordinary security, the stainless steelcase
of the device provides clear visual evidence of tampering.The
monolithic chip includes up to 200K of SRAM that is
specially designed so that it will rapidly erase its
contents as a tamper response to an intrusion. Rapid
erasing of the SRAM memory is known as zeroization.
Any attempts to uncover the private keys within the
SRAM are thwarted because attackers have to both penetrate
the iButton's barriers and read its contents in less
than the time it takes to erase its private keys.
Specific intrusions that result in zeroization include:
Opening the case, Removing the chip's metallurgical,
bonded substrate barricade, Micro-probing the chip,
Subjecting the chip to temperature extremes.
In addition, if excessive voltage is encountered,
the sole I/O pin is designed to fuse and render the
chip inoperable.
As a further security measure, the cryptographic iButton
contains a True Time Clock that is a tamper-evident
real-time clock. "True Time" differs from
real time in that a reputable agent sets it and its
time cannot be reset and is forever increasing. This
clock can be used to time stamp transactions. It can
also be used to impose expiration dates for inspection
intervals, whereby the iButton is required to periodically
check in with a host.
As a further security measure, the cryptographic iButton
contains a True Time Clock that is a tamper-evident
real-time clock. "True Time" differs from
real time in that a reputable agent sets it and its
time cannot be reset and is forever increasing. This
clock can be used to time stamp transactions. It can
also be used to impose expiration dates for inspection
intervals, whereby the iButton is required to periodically
check in with a host.
 |
The Java-powered iButton
is among the least counterfeitable devices ever
made by man. In response to tampering, the Java-powered
iButton would rather erase the key than reveal
its secrets. Would-be thieves cannot copy what
they do not know - the private key.
|
The iButton is highly reliable
with over 27 million being used in the world, and
over half of those being worn by people. It's design
ensures that connection to the PC is both simple and
positive in action.
It's design ensures that connection
to the PC is both simple and positive in action. The
iButton is placed in the Blue Dot receptor, which
is good for 1 million 'Hot' contacts. The PC then
polls the iButton for it's unique ID verifying access
to your PC. If the button is not in place the PC automatically
goes into secure mode where the keyboard and Screen
are lock up. The Blue dot receptor is spring loaded
therefore you do not have to worry about the button
falling out, or not being in securely.
Try to bend the iButton: you can't. Drop it on the
floor. Step on it. Forget to take it off while you
go swimming. No problem. The sturdy button signet
has been wear-tested for 10-year durability and 1
million hot contacts to the Blue Dot receptor. "
|
