How much is your laptop really worth?

October 2008 Information Security

Losing your laptop can cost far more than simply the price of the hardware.

A laptop is a costly investment. Even the cheap ones that fell off the back of a bus cost a few thousand rand, with a performance machine costing in the tens of thousands of rand. But when you lose a laptop due to theft or for any other reason, the hardware is the least of your worries, insurance covers that, the real worry is what happens to the data on the device. Even if you are paid out for data loss, the impact of having potentially sensitive data in the hands of criminals can be severe.

Statistics from the US show that laptop theft is up 53% year-on-year with 620 000 laptops stolen last year alone. More importantly, the value of the data lost on each laptop averages out to $89 000 per device. With 70% of laptops containing some data that should be kept secure, management needs to take care of the corporate data on their laptops.

Even if a senior staff member in a company has a full backup of his or her data that can be restored to a new device quickly in the event of a loss, few companies realise that the data on the stolen machine is now in the hands of strangers who may use it for competitive advantage, blackmail, to harass the company's client base or for whatever ends they want. Even with a strong password, a Windows-based laptop can be easily hacked and the data stored on it retrieved.

Of course the same applies to whatever operating system one chooses, however, since Windows is prevalent in South African business we focus on it.

Broken windows

In a demonstration of this uncomfortable fact, Hi-Tech Security Solutions saw how simple it is to discover the passwords of Windows XP machines with a nifty tool called Ophcrack, which is available to anyone for free. This application discovered two passwords, including the administrator password on our demo XP machine in less than 20 minutes. Once the administrator password is compromised, the hacker has full access to the machine.

Apparently, Ophcrack can discover any password of up to 15 characters (which includes passwords containing letters, numbers, special characters and spaces) in an hour or less. Even so, how many users use a 15-character password? How many would remember it if they were forced to use it? How many would write it down and keep it somewhere convenient?

The sad fact is that there are many tools of this nature freely available on the Internet. Of course, most are used by people playing around and not by someone targeting your company, but all it takes is one person to steal your customer database or your strategic plans. Would it cause a problem if plans for a new product were stolen and sold to a competitor? And it is as easy to get into a PC as a laptop, with the possible exception that PCs are not as easily transportable, although extracting an easily concealable hard drive takes a minute.

To protect sensitive data people need to use in their daily business from falling into the wrong hands therefore, additional security mechanisms are required. One simple solution that will prevent anyone from getting into a machine no matter how much time they have is SecuriKey.

SecuriKey is a USB device that prevents anyone from logging into a protected computer if they have not inserted the USB token. It supports Windows XP, Vista and Apple operating systems.

The SecuriKey package arrives with two USB tokens in the box, one for the user to keep and one to be kept in a safe place as a backup. All the user does is install the accompanying software, insert the token and there it is. If you do not have the token you cannot log onto that computer. Each set of tokens is unique and part of the registration process is to log them with SecuriKey. Once logged the company can make new tokens for you should both be lost.

The technology

SecuriKey is not simply a normal USB memory stick with some clever software on it. If it was it would be easy to copy it to another USB device. The system works through a combination of hardware and software to provide multilevel computer security.

The SecuriKey USB token contains a custom security ASIC chip which functions as a hardware-based encryption engine. The ASIC includes anti-hacking technology, creating a tamper-proof physical guardian for computer access control and data protection. It offers users three levels of security.

First, SecuriKey provides two-factor authentication for access control. It integrates directly with the Windows and Mac OS X logon user interfaces, combining the user's logon password - something you know - with the SecuriKey USB token - something you have. SecuriKey can also block user access to logging on in Safe Mode.

The second level of security is AES-based data encryption. SecuriKey integrates directly with the AES encryption provided by Windows and includes the SecuriKey Encrypted Volume for Mac OS X. Files and folders can be easily designated for encryption. To decrypt the data, the user must log in with the correct SecuriKey Token and password. Using pre-boot utilities, booting from Linux, using the Mac's Target Disk Mode, and even taking the hard drive out will not bypass the encryption.

The third level of encryption assists users who have already logged in to keep their data safe while they are away from their machines through SecuriKey's Continuous Protection. When the user goes to lunch, attends a meeting or even steps away for a few minutes, simply by removing the token will they ensure their computer is locked against unauthorised use, while allowing existing processes to continue to run in the background. When the person returns, he/she simply plugs the SecuriKey Token back into the USB port, enters the password and access is granted.

During the setup phase, users are able to decide what they would prefer to see happen when the token is removed. The machine can lock, sleep or shut down.

SecuriKey is available in single or multi-user options. In the multi-user option, an administrator can have a set of master keys that grant access to multiple PCs and laptops, while users have keys that only grant access to their own systems.

SecuriKey technology is a simple way to implement strict security policies for corporate computers. The only technical knowledge users need to make use of the device is the ability to insert and remove a USB token, while the result is the knowledge that corporate and personal data is safe, even if the physical device is stolen.

For more information contact Daryl Bartkunsky, Dargil, +27 (0)72 177 3071.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Want effective Attack Surface Management? Think like an attacker.
Information Security
Effective ASM requires companies to think like attackers, anticipate risks, and act decisively to reduce exposure by knowing their environment, deploying a structured approach, leveraging capable tools, and addressing both internal and external risks.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
POPIA non-compliance puts municipalities at risk
Information Security Government and Parastatal (Industry)
Digital responsibility must go beyond POPIA compliance to recognising that privacy and service delivery are fundamentally linked. Despite this, only 51 out of 257 municipalities submitted their mandatory data protection and access to information reports in 2024.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
Welcome to the new cyber battleground
Information Security
The Iran-Israel conflict is rapidly redefining modern warfare, pushing the boundaries of cyber capabilities and creating a new, borderless digital battlefield. Fortinet’s CISO, Dr Carl Windsor, offers a critical, in-depth analysis of the escalating tactics and global implications in his latest report.

Read more...
African industries may overestimate cyber defences
Information Security
A significant perception gap exists in security awareness training: 68% of leaders believe training is tailored to roles, yet only a third of employees feel adequately trained. Many organisations only conduct annual or biannual generic training that may not effectively change behaviour.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Corporate and academic teams can register for Kaspersky contest
Kaspersky News & Events Information Security
Kaspersky has announced the registration opening for its new Kaspersky{CTF} (Capture the Flag) competition, inviting academic and corporate teams from around the globe to compete in a battle of skill, strategy and innovation.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.