In May, the U.S. Department of Veterans Affairs learned the hard way that laptop computers are easy targets for theft: burglars struck the home of a department analyst who’d taken his laptop home without authorization, and made off with social-security numbers, birth dates, and other personal information for more than 26 million veterans and spouses, as well as 2 million active military, National Guard, and Reserves personnel.
That well-publicized incident – the latest in a string of thefts compromising key data from large organizations – is reawakening interest in technologies for protecting laptops and prompting security companies to tout their latest advances.
These new systems, which aren’t intended to prevent theft, but rather mitigate their consequences, come in three flavors: tracking software, encryption, and “kill” switches that can make a laptop’s data self-destruct.
Extra layers of protection are needed because the password and encryption mechanisms that come with most laptops are weak or inconvenient, says Jack Gold, head of J. Gold Associates, a market research firm in Northborough, MA. “There are hacker tools that let you get around [passwords] very quickly, or you can boot from a CD,” Gold says. It’s true that any laptop running Windows XP Professional has an optional encryption function that should defeat thieves, but using it slows down normal file access.
One solution, then, is a tracking system, such as Computrace, run by Absolute Software of Vancouver, Canada. William Penn University in Oskaloosa, IA, turned to the system this year, after about 500 laptops in one of its colleges went missing, says Curt Gomes, the university’s IT supervisor. The university decided it had become uneconomical to try to hunt down each machine manually. Instead, Gomes decided to try laptop tracking – a technique that’s been around for a decade, but recently has seen sales growth of 50 percent per year.
Each machine subscribed to the Computrace service typically reports to a company server once a day via the Internet. If the computer is reported stolen, the server will instruct it to start sending messages every 15 minutes. And if the missing machine’s Internet address can be pinned down to a street address, police will soon show up there, according to company spokesman Les Jickling. In fact, a week after William Penn signed up for the Computrace tracking system, a laptop stolen out of a car was recovered by police five days later.
The tracking system also helps keep students honest. “Before, we had a huge rate of people dropping out of the program and not bringing their laptops back,” Gomes recalled. “Now I let them know that I can track them. Their eyes kind of open, and they bring it back right away.”
The Computrace service costs about $50 per year* per machine. At that price, Gomes figures the service will pay for itself if it prevents ten $2,000 machines from disappearing. A boxed consumer version of Computrace, called “Lojack for Laptops” (after the car-tracking device), costs $49.99 per year.
Some 80 percent of stolen or wayward laptops protected by Computrace are recovered, according to Jickling. A thief would be safe if he kept the stolen laptop off line – but that rarely happens, especially now that Wi-Fi networks have sprouted in every apartment building and corner café. Absolute Software has placed the instructions for contacting Computrace into the basic input-output system (BIOS) of recent Hewlett-Packard, Gateway, Lenovo, Dell, and Fujitsu laptops, so that even reinstalling the operating system will not stop the machines from reporting in, Jickling says.
Nevertheless, since tracked machines remain in the hands of thieves until they’re recovered, another security measure may also be useful: encryption. One firm licensing Absolute’s software, CyberAngel Security Solutions in Nashville, TN, combines tracking with an encryption scheme. Their software creates an encrypted partition on the hard drive, says spokesperson Bradley Lide. If someone boots the system without inputting the right password, they will be able to use the machine – but it will hide the encrypted partition from the user while sending alerts to the tracking service.
“If you steal it, boot it, and connect it, and violate authentication, the computer operates like a honey pot, as we draw in the thief while protecting the confidential information on it,” says Lide. The service starts at about $60 per machine per year.
But “kill” switches are the most dramatic – and drastic – way to foil thieves. As with Computrace, laptops equipped with kill switches report to a central server at intervals. But no tracking is attempted; instead, the purpose is to check whether a machine should start destroying its data files.
When a stolen machine reports in, it can be instructed to overwrite selected files, explains Jeff Rubin, a representative of Santa Clara, CA-based Beachhead Solutions, which offers a kill service called Lost Data Destruction. Deleting a file – simply putting it into a trash can or recycle bin, is not sufficient, since the data is still on the disk. The Pentagon, for instance, requires three over-writes to expunge sensitive data. Beachhead’s system, which starts at $129 per year, can be set to overwrite as many as eight times.
“If the VA [Veteran Affairs] had had this, there would have been no problem,” says Rubin.
*Correction: In the original version, we wrote that this service costs $50 per month.