Arming the Road Warrior

By Peter Piazza

Data Protection
Companies also need to ensure that if a computing device falls into the wrong hands, the thief won’t be able to read, use, or sell the proprietary data it contains. There are several ways to keep data safe while it’s on a laptop: remote deletion, access control, and encryption.

Remote deletion. Services such as those offered by Computrace can contact the software agent inside a laptop when it next comes online and remotely command it to erase all the data on the hard drive. This works only if the thief connects the machine to the Internet with the agent still intact; a drive pulled out of the laptop and read on another computer never receives the command. Remote deletion is therefore a backstop for the case where the computer is never recovered, not a substitute for access control and encryption.

Access control. The time between the realization that a computer has gone missing and the deletion of its data could be enough for the contents to be compromised. Therefore, it’s necessary to control access in the strongest way possible and to encrypt sensitive files or the entire hard drive.

Biometrics. Some newer laptops, such as IBM’s newest line of ThinkPads, are incorporating biometric authentication in the form of fingerprint readers directly onto the machine. Slide your finger across the sensor and, once authenticated, you’re logged securely onto the computer.

Portable USB devices that provide authentication are available as well. For example, Silex Technologies offers easily carried fingerprint sensors that can be used to control access to a mobile computer. Its Combo-Mini (reviewed in “Technofile,” February 2005), which will block access to anyone whose fingerprint is not enrolled on the computer, can be carried on a keychain.

Portable fingerprint readers have limitations—for example, in tests for the Combo-Mini, some fingerprints were difficult to enroll—but they do make it much more difficult for thieves to access a laptop’s data. Bear in mind that a fingerprint reader controls logon, not the disk: unless the files are also encrypted, a thief can remove the drive and read it from another machine. The Combo-Mini retails for about $179.

If you’ve got a little extra room in your laptop bag and don’t mind carrying a full-size mouse, AuthenTec offers the APC Biometric Mouse Password Manager. This optical mouse plugs into the laptop’s USB port and can register as many as 20 fingerprints, so multiple users can use the mouse to switch to their accounts—a handy feature particularly if using Windows XP, which allows multiple users to have their own accounts on a single computer. Both the mouse and the biometric access control functions performed admirably in my tests, with little difficulty enrolling users.

An added benefit is that passwords for applications and Web sites can be added so that these can be accessed instantly with a touch of a finger. The current version supports only the Internet Explorer browser, though the company says it will release a software upgrade this year to allow Firefox users to save passwords as well. The optical mouse can be found at online and brick-and-mortar retailers for about $50.

For anyone who wants to use the strongest level of biometric authentication while on the road, the Panasonic Iris Recognition Authenticam is a portable camera that controls access, as its name implies, through enrolled irises. Enrolled users look into the camera, which doubles as a CCD camera that can be used as a Web cam for videoconferencing, to get authenticated to the computer. Like the biometric mouse, the camera’s biometric functions can be used to replace Web site and application passwords. The Authenticam retails for about $215.

Encryption. Some travelers may simply want to protect a few files or folders that contain sensitive documents. This can be easily done; there is no shortage of products available to password-protect files, folders, or even entire hard drives.

Data Encryption Systems offers a free, downloadable version of its DESlock+ encryption product. The PGP Corporation, a venerable name in encryption, also offers a range of products, from those designed for a home desktop user to enterprise editions designed for thousands of users. Home versions lock down files, folders, e-mail, and even some instant messaging traffic; enterprise versions, which require some centralized management of encryption keys, can encrypt entire hard drives.

If you’re using Windows XP Professional, encryption at the file and folder level is built in. A feature called the Encrypting File System (EFS) lets you encrypt any file or folder by right-clicking its icon and selecting Properties, then the Advanced button on the General tab, which opens the Advanced Attributes dialog. Check the “Encrypt contents to secure data” box and you’re done.

EFS is tied to the user’s account rather than to a separate password: each file is encrypted with its own key, and that key is protected by a certificate whose private key is in turn protected by the account’s logon password. So if you already log on to your XP account with a password, no extra steps are needed; any encrypted document is decrypted transparently when you open it, and any file dragged into an encrypted folder is encrypted automatically. Two consequences follow. The protection is only as strong as that logon password, and if the account or the Windows installation is lost without a backup of the EFS certificate, the files become unreadable for you as well.

XP’s Home Edition does not include EFS. Its nearest option, right-clicking the folder icon and choosing Properties, Sharing, then checking the “Make this folder private” box, is not encryption at all: it only sets file permissions so that other accounts on the same machine cannot open the folder. Anyone who boots the laptop from a CD or moves the drive to another computer can read the contents, so Home Edition users who need real protection should turn to a third-party encryption product.

EFS is typically enough to keep files from the eyes of another user of the same machine or of a casual thief, with two caveats: it protects only the files and folders you mark, so copies an application writes elsewhere (temporary files, the page file) remain in the clear, and it stands or falls with the logon password. If the data is extremely confidential, look for a product that encrypts the entire drive. Some of the biometric access control products mentioned earlier also bundle file encryption.

Wireless Risks
You’ve made sure that you’ve only brought the data you absolutely need, and you’ve done everything possible to ensure that it’s secure. Now you need to consider how data will be secured when you remotely send and receive it while on the road, particularly when using a wireless connection.

Brian Hernacki, an architect with Symantec Research Labs, notes that wireless access—including Wi-Fi, Bluetooth, and infrared technologies—is now routinely built into laptops, and is often turned on by default, to make it easier for nontechnical people to connect wirelessly. But lowering the bar means that risks rise, he says. “When the bar gets that low that everybody can simply do it,” he says, “there are a lot of people using this service who are not so security aware.”

There are two major threats to wireless users: unencrypted channels and fake access points. Both could allow an attacker to see the data you’re sending or receiving, meaning that passwords and credit card information could be at risk.

Unencrypted channels. “If you’re at a wireless hotspot and you’re checking e-mail, potentially you’re connected over an unencrypted channel,” Hernacki says. That means that someone could, with a few freely available tools and a bit of know-how, have access to your data.

This could provide attackers with more than just access to your Hotmail account. “If they’re clever and capture a password and user name, these can be used to attack other systems,” he says, since people tend to use the same credentials at many sites.

One way to mitigate this threat is to connect only to wireless networks that are secured with one of two encryption protocols: Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). WEP, the older of the two, has known design flaws: with freely available tools, an eavesdropper can recover the WEP key from a modest amount of captured traffic, so it should be regarded as a deterrent to casual snooping rather than real protection, and WPA should be chosen wherever the access point supports it. What either protocol does is secure the data between the laptop and the access point only; from there on, other security features (for example, virtual private networks, or VPNs) must take over.

If you want to use the stronger protocol, one glitch is that WPA support is built into Windows XP (from Service Pack 2; earlier XP installations need a Microsoft update) but is missing from older versions of the operating system. Help is available from antivirus vendor McAfee, Inc., which offers a free tool called WPA Assistant that allows those with Windows 98, ME, and 2000 to join WPA-encrypted networks.

WPA Assistant is easy to use. Simply download it from McAfee’s Web site and add your preferred access points. On my home network, which is protected by WPA, I downloaded this tool onto a laptop running Windows 2000 that I wanted to add to the network. Next, I typed in the name of my home network, and added the WPA key used to secure the network. The process took only minutes, and the additional layer of defense (previously I had to rely on WEP) gives the network greater security.

Evil twins. Users must be aware of another problem that can arise with wireless due to the way the systems are configured. “The way wireless works is, it wants to communicate so badly with somebody that it’ll create its own network just so it can connect to something,” says Richard Rushing, chief security officer with AirDefense. Windows XP, for example, keeps scanning for available networks and, unless configured otherwise, will join an open one (that is, one that is not encrypted and will let anyone associate) without asking the user first.

This doesn’t have to be the case. The feature known as Wireless Zero Configuration in Windows XP can be easily disabled so that a user must decide which network to connect to, and then take steps to connect to it. (See “Technofile,” December 2005, for more on how to disable this feature.)

There are additional risks to having the Wireless Zero Configuration running. Rushing says that XP adds previously accessed networks to a list of preferred networks, and by default it prioritizes beginning with the last-accessed network. That could lead to trouble. In many cases, networks are simply named after the wireless router used, such as Linksys. So, XP might see a Linksys network—even if it’s not the same one connected to previously—and connect to it, believing it’s the same one. But it could be a stranger’s (or hacker’s) network instead of a trusted home or work network.

“Hackers know this,” Rushing says. They can set up their laptop to act as a wireless access point, give the network a name that won’t arouse suspicion—say, Linksys or Starbucks—and wait for victims to connect. Any machine that makes that connection is then routing its communications through a fake access point known as an evil twin.

What’s especially pernicious about this is that it bypasses encryption protections. “If I connect to one of these illicit access points and send my data to them, it doesn’t matter if the channel between me and the access point is encrypted,” says Brian Hernacki, “because now the access point has access to the data underneath.”

One way to protect against the dangers of fake access points is to use secure proxy services, which provide a secure and unbroken connection from beginning to end, says Patrick Hinojosa, chief technical officer for Panda Software and a frequent road warrior himself. A company called Secure-Tunnel offers a service in which data travels through an encrypted tunnel from the laptop to the company’s proxy servers, which then forward it to its destination. The tunnel covers the hop the evil twin controls, so the fake access point sees only ciphertext; note that traffic between the proxy and the destination is protected only to the extent the destination itself provides (for example, an SSL-secured Web site).

Even if an eavesdropper can see the transmission itself, they can’t see or decode anything inside it, says Hernacki. Moreover, because the proxy server forwards the traffic, the destination sees the proxy’s address rather than the address the hotspot assigned to your laptop, so transmissions can’t be traced back to your computer from that end.

Secure-Tunnel offers three levels of service, starting at $2.95 and going to $9.95 per month (the higher-priced services offer other functionalities, such as Usenet and peer-to-peer access). Tiered pricing means that infrequent travelers don’t have to pay for services they don’t use, while true road warriors can get discounts on annual plans.

Another option is a free tool called Personal Lite from AirDefense, which can help road warriors become aware of potentially unsafe settings on their laptops. It will also alert users if any access points look suspicious.

AirDefense Personal Lite gives pop-up alerts to risky settings, such as having “ad hoc” networks enabled (this lets another wireless device associate directly with your computer, with no access point in between), and suspicious connections that may indicate a fake access point. After I installed the software, I found that some of my connection settings were potentially dangerous, and after making some quick changes, the pop-up alerts disappeared.

Rushing explains that the product can help alert travelers to evil twins, because each hotspot has a unique “fingerprint” that is different from the fingerprint that an evil twin would have. “The fingerprint is made of different things such as DNS servers, IP address ranges, are there gateways at the other end, and so on,” he says. “It would be almost impossible to mimic the fingerprint” of a legitimate hotspot, and so the tool can alert when it sees too many unusual variables in the equation.
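The fingerprint comparison Rushing describes, as an added example written for this article (it is not AirDefense’s code): on a first visit to a hotspot it records the gateway, address range, DNS servers, and access-point hardware address, and on a later connection to a network with the same SSID it reports every attribute that has changed. All addresses below are constructed; the choice of attributes, the BSSID field, and the two-mismatch threshold are the example’s own assumptions. The “second access point” case shows why a single difference is tolerated, and the “evil twin” case shows the SSID-only matching described earlier being caught.

```python
"""Evil-twin check: compare the hotspot a laptop has just joined against a
stored fingerprint of the legitimate network that uses the same SSID.

Added example for this article; it is not AirDefense code.  The field
names, the scoring rule and every address below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    ssid: str
    bssid: str               # MAC address of the access point (assumed recorded at enrollment)
    gateway: str             # default gateway handed out by DHCP
    subnet: str              # CIDR block the DHCP lease came from
    dns_servers: frozenset   # DNS resolvers handed out by DHCP


def diff(known: Fingerprint, seen: Fingerprint) -> list[str]:
    """List the ways the network we are on differs from the enrolled one."""
    findings = []
    if known.bssid.lower() != seen.bssid.lower():
        findings.append(f"access point address {seen.bssid} (enrolled {known.bssid})")
    if ipaddress.ip_network(seen.subnet) != ipaddress.ip_network(known.subnet):
        findings.append(f"address range {seen.subnet} (enrolled {known.subnet})")
    if seen.gateway != known.gateway:
        findings.append(f"gateway {seen.gateway} (enrolled {known.gateway})")
    if seen.dns_servers != known.dns_servers:
        findings.append(f"DNS servers {sorted(seen.dns_servers)} "
                        f"(enrolled {sorted(known.dns_servers)})")
    return findings


def assess(store: dict, seen: Fingerprint, threshold: int = 2) -> tuple[str, list[str]]:
    """Return ("unknown" | "ok" | "suspect", findings).

    One differing attribute is tolerated because a large hotspot runs
    several access points with different hardware addresses; two or more
    differences at once is the "too many unusual variables" case.
    """
    known = store.get(seen.ssid)
    if known is None:
        return "unknown", []          # never enrolled: nothing to compare against
    findings = diff(known, seen)
    return ("suspect" if len(findings) >= threshold else "ok"), findings


# Constructed fingerprint of a legitimate coffee-shop hotspot, recorded on a
# previous visit (the same SSID an evil twin would advertise).
ENROLLED = {
    "CoffeeShop-Guest": Fingerprint(
        ssid="CoffeeShop-Guest", bssid="00:11:22:aa:bb:cc",
        gateway="192.168.1.1", subnet="192.168.1.0/24",
        dns_servers=frozenset({"192.168.1.1"}),
    ),
}

# Same SSID, but DHCP came from someone else's laptop: different hardware
# address, address range, gateway and resolver.
EVIL_TWIN = Fingerprint(
    ssid="CoffeeShop-Guest", bssid="02:de:ad:be:ef:01",
    gateway="10.0.0.1", subnet="10.0.0.0/24",
    dns_servers=frozenset({"10.0.0.1"}),
)

# Legitimate second access point in the same shop: only the hardware
# address differs, everything behind it matches.
SECOND_AP = Fingerprint(
    ssid="CoffeeShop-Guest", bssid="00:11:22:aa:bb:cd",
    gateway="192.168.1.1", subnet="192.168.1.0/24",
    dns_servers=frozenset({"192.168.1.1"}),
)

if __name__ == "__main__":
    for seen in (SECOND_AP, EVIL_TWIN):
        status, findings = assess(ENROLLED, seen)
        print(seen.bssid, status, *findings, sep="\n  ")
```

A real tool would read the live values from the operating system after the DHCP lease is obtained; the point of the structure is that the SSID alone, which is all XP’s preferred-network list matches on, contributes nothing to the decision.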

Other Tools
Apart from ensuring that laptops and the data on them aren’t stolen, users also have to secure them from infection and hacking as they would a desktop PC. Some of these tools are bundled with other functionality by various companies. For example, Panda Platinum Internet Security and Panda Titanium Antivirus both offer a combination of antivirus software with easy-to-configure firewalls, along with a suite of other tools (such as antispyware solutions).

These products, which retail for $79.95 and $49.95 respectively, are quickly installed and set up. Both immediately recognize and make rules for every application that attempts to access the Internet.

There is a downside to this type of bundled security product, however: size. For example, installing the full-blown version of Titanium on my admittedly aging laptop slowed boot-up to a crawl. Most of these products—including Trend Micro’s PC-Cillin—can be customized so that you only install the parts of the package you need. In the case of PC-Cillin, I installed only the antivirus software and rely on a USB firewall from Kensington.

The Kensington Personal Firewall for Notebooks (reviewed in “Technofile,” September 2005) provides firewall capability without breaking the memory bank. This plug-and-play device is on a USB token and retails for $49.99. Preconfigured settings can be accessed with a click of an icon, making it simple to add a layer of security to a mobile notebook.

Privacy screen. Not all mobile-security tools are high-tech. Patrick Hinojosa tells the story of a recent trip from Florida to Washington, D.C., where he found himself sitting next to a fellow traveler who was working on his laptop. Glancing briefly at the laptop, Hinojosa suddenly realized that this person was reading classified government information.

“A privacy screen is a good thing [to have] if working in an airport or on the plane so that people can’t shoulder-surf,” Hinojosa says of the lesson he learned from this experience.

These types of screens are widely available at computer-goods shops and online. One product that I tested was the 3M Privacy Computer Filter. The filter is a lightweight plastic sheet that can be permanently attached to the notebook’s monitor or can be held on temporarily using the small plastic clips included. When the privacy filter is in front of the monitor, the screen appears black to potentially inquisitive passersby and anyone else who is not directly in front of the computer.

My tests showed that while a passenger sitting next to me could see a small fraction of the screen, most of it was obscured, and the screen was totally invisible to someone walking down the aisle. While the filter darkens the screen slightly, it’s not enough to make viewing the screen difficult, plus it cuts glare significantly. The filters start at about $45 and increase based on the size (they’re also available for desktop systems).

Before road warriors take to the field, they need to know their enemy’s strengths, and they must prepare the appropriate defensive measures. With so much protective gear available, it’s easy to be prepared against mobile cyberattacks so that the only battle executives need to wage is against competitors.

Peter Piazza is associate editor at Security Management.
