22 February 2008 | 8,718 views

laptop and data theft protection

Check For Vulnerabilities with Acunetix

A UK firm Virtuity has created data protection software called BackStopp which comes with ’self-destruct’ technology based on Wi-Fi and RFID tags that starts to run as and when a laptop is moved from its designated space.

So in layman’s terms, if the laptop is moved from its permitted zone (which is set by the user) Backstopp sends out a self-destruct message to block access and ultimately destroy data, locating the laptop using Wi-Fi and radio frequency identification technology. What’s even cooler is that any laptop featuring an in-built webcam will be prompted to start taking photographs to help identify the thief.

There are millions of people out there who keep very secure data on their laptops which, if fallen into the wrong hands can cause damage to a lot of people. This FBI/CIA type security tool brings advanced security to all laptops users at a very affordable price of £10 per laptop per month.



Recent in Countermeasures:
- StegExpose – Steganalysis Tool For Detecting Steganography In Images
- Twitter Patents Technique To Detect Mobile Malware
- Passera – Generate A Unique Strong Password For Every Website

Related Posts:
- A Forensic Analysis of the Lost Veteran’s Administration Laptop
- US Veterans Information Leaked on The Web
- Veterans Administration Chief Says Laptop Recovered

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 119,154 views
- Password Hasher Firefox Extension - 117,025 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,554 views

Advertise on Darknet

34 Responses to “laptop and data theft protection”

  1. James C 22 February 2008 at 11:53 am Permalink

    Looks very simple to beat just copy/image the hard drive (using one of these sexy things :) http://www.logicube.com/ or just stick it in your desktops tower) without booting the laptop. But i hope helps catch some low life thiefs.

  2. Darknet 22 February 2008 at 12:42 pm Permalink

    It’ll just teach people to take the battery out when they steal a laptop, and don’t put it back in until you are out of range of all Wifi.

    Then do a 7 pass overwrite and reinstall of the OS before connecting it back to the Internet.

  3. Pantagruel 22 February 2008 at 1:21 pm Permalink

    Indeed, someone after the precious data will pillage the disk after removing it from the laptop and the average crook only is interested in the cash he/she can get for the laptop and will most likely do the mentioned overwrite and clean install.

    But it remains a fun technique, this laptop’s data will self destruct in 3,2,1,.. Ripping the battery is the best option to avoid this action

    For those who will start about the security of hard drive encryption have a look at this one: http://www.youtube.com/watch?v=JDaicPIgn9U

  4. Ian Kemmish 22 February 2008 at 3:10 pm Permalink

    The key phrase is “set by the user”. If you’re a brass hat stupid enough to leave a laptop with RAF personnel details in the back of your car while you go to the pub, you’ll also be stupid enough to turn this off before taking the laptop home in the first place.

    However, al alternative application of this technology COULD be useful – an RFID keyfob, carried by authorised users.

  5. zupakomputer 22 February 2008 at 3:32 pm Permalink

    re:youtube vid: Is that the news story about using coolants to then read RAM? Surely in practice that takes way too much time to do – how likely is it that when a laptop or computer is stolen that the theif has a safe enough place nearby to begin taking it apart to then read the RAM.
    Considering the decay times, it’d also need to be stolen right after the user has closed the lid or locked it – it’s less likely that a laptop left in sleep mode would be unattended;

    however – as said above, if you really do have sensitive data then the mere idea that you’d leave it unattended is mad anyway. Anyone that irresponsible shouldn’t be having data that if stolen could affect others badly.

  6. Bogwitch 22 February 2008 at 3:53 pm Permalink

    Security is not just about Confidentiality. Once you factor in Availability and Integrity, a device that starts removing data (and how securely does it do that?) is going to be too much of a risk for most businesses.

    How many instances of legitimate users moving equipment and therefore destroying data will there be?

  7. Pantagruel 22 February 2008 at 4:45 pm Permalink

    @zupakomputer

    Their is a multitude of stories mentioning people losing/misplacing/or having stolen from them either their laptop, pda or memory stick. The people range from your ordinary Joe workhorse, pencil pushing bureaucrat up to military brass and all their superiors where quite certain about their integrity and their intend to guard the data ‘with their lives’. Trust is no substitute for basic data security/encryption or for keeping your sensitive data within the limits of your shop.
    You might trust your laptop locked in the trunk of your car only to get the trust abuse if some junk steals your radio/cd player and pops the trunk.

    I agree, the ‘coolant data recovery from RAM method’ is more proof of concept than a feasible attack vector, like many of the other proof of principals which have never generated a real world exploit. It just show what determination/ingenuity can do.

    @Bogwitch
    True, just imagine rushing to that deadline, only to have your laptop ‘burn’ your data because you forgot to take along the RFID or some other token.

  8. zupakomputer 22 February 2008 at 7:18 pm Permalink

    I wouldn’t even leave my own stuff on a laptop in a car! Nevermind data I was responsible for in some work situation.

    I find that kind of scenario very strange. It’s definitely become more common to do remote logins for work, but it is also breaking the basic ‘rules’ of a good security plan. I wouldn’t personally be happy with any sensitive data being taken off company property and I wouldn’t recommend sensitive data be kept on networks that were connected online.
    Of course, the way things have gone there are all kinds of systems holding personal data that are expected to be available (to authorised users) at say bank branches, hospitals, social security offices.
    I’m thinking though, that potential invasions of privacy aside, the encryption matters being refered to are more in the area of ‘company secrets’.
    ID fraud is a problem, and you sure don’t want your bank details of any type being accessible either – but the sad fact is, they are accessible to literally thousands of authorised users whom you know nothing about.

    There was a discussion on a radio show I heard today about the UK having a mandatory DNA database; one specific that wasn’t mentioned was the database security angle. Given that changes can be made to the database that don’t reflect reality, and given those doing the searches aren’t going to go checking every log of activity that may have been made in any alterations, its as open to abuse as any other system – maybe moreso since it’s oft considered infallible.

  9. Pantagruel 22 February 2008 at 10:42 pm Permalink

    @zupakomputer

    About the DNA database. We, the Dutch, will be facing a mandatory registration of fingerprint(s) due to the switch to a passport containing biometric data (the finger print(s) ). Everyone wanting a passport will have to register their prints and will thus be marked as criminal without any form of trial. The fun thing is the EU has granted permission for this and thinks it’s a great idea to reduce identity fraud and ofcourse claims the dat is kept to avoid problems. I wonder when the first idea’s appear to match prints found at a crime scene to the database of yet to be found guilty civilians.

  10. eM3rC 23 February 2008 at 4:59 am Permalink

    Ok there are a lot of people I am going to be replying to so just read through and comment on what you like :)

    There are a few USB drives that will actually self destruct (like explode or melt). If you are really scared about losing your data I would throw it on one of these and if the person enters the wrong password to many times… BOOM…

    As for the laptops… Some companies offer software which will track down the location of the laptop, like the stuff mentioned above. Someone, stated that most criminals would reformat the computer but would there be a way to plant the tracking software in the bios?

    Anywho, how hard is it to get past the laptops with the thumb print scanners? I know you could encrypt your hard drives for the extra security but if the criminal is good at computers odds are he could find a way in thanks to the power of google and blackhat forums.

  11. zupakomputer 23 February 2008 at 1:19 pm Permalink

    Exactly – biometrics doesn’t make anything safer, as it’s also equally exploitable.
    More to the point – it’s the reasons given for using biometrics, the justifications for spending all that public money. Most people are not in danger of having their passport IDs misused; also most people are not going to suffer any from someone else who is using a fake ID. So what they’re doing is creating a database of mostly those who wouldn’t be involved in fake IDs to begin with – and claiming it’ll help catch those who are.
    Of course it won’t help that much – as they’ll have other methods of faking IDs based on the new checks.

    It does sound exactly like all the NWO stuff about ushering in microchipping people for IDing and other purposes, as it’s one step closer to enforcing that; maybe they’re expecting a second coming and they want all their census-taking in order in time.
    First they start tagging farm animals, then it’s a slippery slope.

    Also – it creates a more easily hackable datbase of all the info required to fake an existing ID……which isn’t a resource that’s available with current passports (they are mailed out here, or you go and collect them in person).

    I think with the prints ID (to access a computer, not on the passports) it’s a matter of getting the prints – which would tend to be on the computer, already on the ID bit in some cases – and using some kind of putty to copy it/mould it to, which might include ensuring it’s a certain temperature also (some of them detect for human-body temperatures).
    Again also – there’s other ways to get into the machine anyway, if you have it on your person already. Only something like the intrusion-detection self-destruct might help destroy the data.
    After all – the print is just sending the right unlock signal. If you know what signal to send, the print is irrelevent.

    On passports and those sorts of IDs, it’d depend on what kind of checks were run. It might be enough to match your own prints to the rest of the faked data, or, database altering may be involved.

  12. eM3rC 23 February 2008 at 6:25 pm Permalink

    I had a feeling that the biometric technology was not as safe as I though it was. I have not seem one in action, but unless it requires a finger print to boot up or before the bios loads, one could easily get past this type of security.

    The interesting thing about the US (I don’t know if this is the same in other countries) but for about $30 someone can get an entire history of a person online. This includes birthday, names, phone numbers, addresses, phone records, criminal convictions, etc, etc. All you need is a name and I bet you could find a way to steal the persons identity. Especially if you are good at social engineering.

    About all the new chip technology. I know in Japan they are using cell phones as ATM cards where its a sort of swipe and go deal. Wouldn’t it be easy to just have a signal scanner. Basically sniff the signal, program it into your own phone and go on a shopping spree?

  13. Pantagruel 24 February 2008 at 9:04 am Permalink

    The thought behind the use of biometric data as a security measure is a valid one. The only bad things is the still evolving technique, which is marketed as the final solution to security problems. I used to have a PDA with one of those fingerprint scanners. I eventually returned it and switched for the same model without the darn scanner. It simply wasn’t up to scratch, it would either work, give false negatives (that’s not your index finger), false positives (sure I’ll accept your thumb as being your index finger) or just stop accepting input (stop trying I think your faking it) and effectively locking you out.

    @eM3rC
    The Dutch RaboBank has started as a telephone service provider and are now granting you access to parts of your account data via mobile phone. They will also conduct a trial using your mobile as a transaction mechanism for payments (combining credit/debit/pin card). According to the data it uses Near Field Communication for data exchange.

    wiki wikipedia.org/wiki/Near_Field_Communication

  14. Bogwitch 24 February 2008 at 10:50 pm Permalink

    The problem with biometrics is the crossover between the false acceptance rate and the false rejection rate. Very few users will tolerate a high FRR therefore manufacturers will be accepting a higher FAR to make their technology more palateable. As the technology matures, I’m sure the accuracy of biometrics will improve.
    A further issue is the user acceptance. Most users will allow the use of fingerprint ID, some, for whatever reason will not. Fewer will accept iris or retina scans.
    I am only aware of fingerprints being used for authentication therefore any security offered by a biometric system will be lost with physical compromise.
    There may be biometric encryption that I am not aware of; there has been some fairly heated discussion on sci.crypt concerning this subject. It appears that the main issues rotate aroung the amount of entropy that can be extracted from fingerprint minutiae. Estimated have ranged wildly from 14-16 bits to 30-240 bits. The problem being that the more entropy that is utilised, the higher the FRR will be, thus denying access to encrypted data. Therefore I have not investigated biometric encryption systems.

  15. eM3rC 25 February 2008 at 4:15 am Permalink

    @Pantagruel
    The Robabank… I mean Rabobank :) isn’t the only bank doing that now. Bank of America has put advertisements all over the TV networks advertising full banking access from one’s mobile phone. Seems kind of risky considering the number of mobile phones that are lost each month. Online banking is also getting popular… Seen a lot of hacked accounts floating around on the internet also. Seems like a really risky thing to introduce considering the lack of knowledge of people these days about keeping their personal information secure.

    That is very interesting about the near field communication. I can honestly say the Japanese are at least a couple years ahead of the rest of the world in cell phone technology (aside from the iPhone).

    @Bogwich
    I see what your saying about the juggle between security and false positives. I think the technology will take a while to develop or some new means of recognition will have to be developed for the products to work effectively. As for now it might be used for someone who wants all the security they can get but is also willing to compromise with occasionally being locked out and falsely let in.

  16. Charafantah 25 February 2008 at 5:51 pm Permalink

    is there a similar program that basically does the same thing but not relying on wifi?

    e.g. it self destruct when you dont do a set of steps, or when a certain date has passed.

  17. zupakomputer 26 February 2008 at 2:07 pm Permalink

    Yes – there’s all kinds of self-destruct or if-statement/conditional file erase programs and hardware that aren’t wi-fi – loads!
    You can use things like Task Scheduler (crontab in Linux) to customise your own lists and times, to run all kinds of tasks and programs also.

    ======

    I could certainly go on a shopping spree in Japan, cellphone or not.

  18. Charfantah 26 February 2008 at 2:19 pm Permalink

    Would you please tell me some names? or what to google for?
    as i tried googling for “self destruct” softwares with no luck at all.

    well, yes, on linux i think it’s very easy, a simple bash script could solve all your problems :)
    but life isn’t that good in windows :)

  19. eM3rC 26 February 2008 at 11:13 pm Permalink

    @zupakomputer
    The phones there are amazingly cheap (sometimes free!) as long as you go with a plan. I know this may not sound surprising, but the phones are dirt cheap. Only problem is they only work in Japan (for a reasonable cost and plan restrictions) so you wouldn’t be able to buy a ton of them and sell them for a profit in the UK or US.

    Just a fun side not about their phones. Its free to receive any call on a cell, you only get charges for the outgoing calls.

    @Charfantah
    What specifically are you looking for? Like a USB device or actual computer encryption/destruction software?

  20. Charfantah 27 February 2008 at 9:09 am Permalink

    am looking for something that would permanently delete some files or corrupt file system if i dont make a set of procedures when computer starts (e.g. start\stop a service, enter a certain sequence of key strokes etc)

    or just runs invisibly and does that if a certain date passed and i didnt turn it off.

    and no, i dont want to include any hardware interaction

    thanks

  21. Bogwitch 27 February 2008 at 2:16 pm Permalink

    @Charfantah,

    Why not just use truecrypt with the auto dismount? I doubt the auto dismount will work on WDE but for an encrypted container, it’s fine.

  22. Charafantah 27 February 2008 at 6:01 pm Permalink

    well, the idea is not about the encryption :) i can encrypt\protect the files in several ways.

    i need to clean *ANY* trace that these files were on the computer in case someone gained access to it.

    i dont want to leave traces of encrypted volumes\files :)

    thanks

  23. Bogwitch 27 February 2008 at 6:33 pm Permalink

    Truecrypt & hidden volume?
    If you have a lot of data that needs to be destroyed, overwriting it could take an excessive amount of time…..

  24. zupakomputer 27 February 2008 at 6:40 pm Permalink

    That’s not easy, because an hdd needs to be specially wiped (as in many times) to clear all traces – and that takes some time, so someone that knows what they’re doing could just unplug the hdd cause they’d realise it had begun to reformat or erase.

    To just delete files, as in the same way you’d put them into the Recycle Bin and then empty it – I *think* Task Manager would work there, but here I’m looking at Task Scheduler, and it doesn’t include options to do things following on from specific other events (I thought you maybe wanted only timed-deletions); in fact it doesn’t even list the bin but it does list things like reformatting to a different file system – that would effectively overwrite your disk.

    I can’t remember off the bat if Task Manager has more options in XP or any Server edition.

    If you were stuck using a timed erase only, the only thing I can think of justnow is to make a partition for the files you’d want to delete, and schedule it (on Task Manager – it’s in Control Panel or right-click the desktop to access it on XP, it’s easy to use – a wizard set-up) to reformat at some specified time – you could also schedule it to delete specified files or folders at specified times (without needing the partition), but that’s not as secure a deletion as a reformat.

    There’s also a feature on Server 2003, probably on 2000 also, called Disk Shadowing, that you might be able to use in a similar manner, as it rolls backs the file or drive status to whatever time you specify. It’s meant to be for recovering previous versions of files.

    To be really secure though, reformatting won’t entirely erase it either – you can get programs really easy that can recover data from such events.

  25. Pantagruel 27 February 2008 at 7:38 pm Permalink

    Google should turn up some windows based 7 passs DoD erasers and there are several secure file erasers available as well. No experience with those, I tend to use DBAN either on sub stick or cd

  26. zupakomputer 28 February 2008 at 1:20 pm Permalink

    re: Japanese phones – I know of one market for them outwith Japan: some run videogames that only exist on those phones! eg – the Gradius series had Japan-mobile-only releases called Neo and Imperial.

    Of course gaming on mobiles isn’t as satisfying given the screen and button sizes / configs, but even just as collectibles there’s certainly people who’d be more than happy to get their hands on some of those games.

  27. eM3rC 28 February 2008 at 8:37 pm Permalink

    re: about the phones

    There was an article on Pop Sci about those kind of games. The newest one is an MMORPG type game that is supposed to hit off almost as well as World of Warcraft (although it will only be in Japan, maybe China). With a little bit of googleing I bet there would be a way to change the circuitry around so you could use one of their phones in the UK/US/etc

  28. Dan 29 February 2008 at 6:16 pm Permalink

    Good lord – all they have to do is run a freakin’ terminal server and not keep the data on the bloody laptop!

    I know, I know – too simple so it can’t work in real life…

  29. eM3rC 1 March 2008 at 3:04 am Permalink

    @Dan
    Although it would be a simple and easy thing to do there are a couple of reasons why I would never do something like that. First, all your information, along with everyone else’s is stashed on a server. Image if someone hacked into the root folder and stole all of the information. Second, I like to keep my information private. By storing it all on a server how easy would it be for the government to get a warrant and download all that information. Yes, you could save it to a CD/DVD/flash drive, etc but in the long run why can’t we keep our information on our personal property and keep that private.

    Talking about terminals, it would seem like a good idea for companies or other organizations were users do not own the computers or have any reason to have their own personal software on them, but for personal purposes, a private laptop seems like the best option.

  30. zupakomputer 1 March 2008 at 5:22 pm Permalink

    Plus, even if a server of any kind isn’t on a WAN, they’re still exploitable by all manner of means – Tempest hacks, Ethernet bridge plugs, logins that got around traditional security to get building access….

  31. tekse7en 2 March 2008 at 6:31 am Permalink

    I’ve got a better idea. Make a laptop that comes with a corresponding RFID necklace or bracelet or something of that such. Then, when laptop leaves the vicinity, a pack of thermite right above the hard drive ignites… Sorry, too much thebroken. :)

  32. Pantagruel 2 March 2008 at 8:54 am Permalink

    Whether you have the precious data on the laptop itself, some remote server, there will always be a chance of someone nicking/exposing/exploiting it. It’s quite funny that a large amount of people carry their data around non-encrypted, guess they need some teaching.

    @tekse7en
    Well guess you’ll have some slight problems explaining at the custom’s or at checking why you are carrying an incendiary device onto a plane. They last time I flew they where very interrested in the model and batch nr of my laptop, guess they where looking for battery packs with spontaneous combustion properties.

  33. fever 8 April 2008 at 6:58 pm Permalink

    and if i forget to change the parameters before i decide to take my laptop with me in the car on a road trip across the country than i am screwed.
    oops.

  34. James C 8 April 2008 at 7:12 pm Permalink

    @fever
    Very true