
Intel vPro Expert Center Blog

5 Posts tagged with the at-p tag
1

Absolute recently received a theft report concerning a laptop that a salesman claimed had been 'stolen from his vehicle.'  Soon after the 'crime' the computer logged onto the Internet and began checking in with our monitoring center.  This allowed our theft recovery team to extract information on the computer’s unauthorized user and location.  Guess where the computer turned up?  It was still in the hands of the user who claimed it was stolen!  He had falsely filed a theft report so he could keep the computer for himself.

 

You can read more of the story here:

 

http://blog.absolute.com/absolute-recovers-laptop-from-clever-thief/

 

This scenario brings up an interesting issue for those deploying laptops equipped with Intel's AT-p anti-theft technology.  Do you tell your users it's deployed?  Or keep its existence as much of a secret as you can?

 

In this example, informing this user that AT-p was deployed would likely have prevented the 'theft' of this laptop.  The salesman, realizing his laptop would have been rendered useless by means of a poison pill or a timer rundown, probably wouldn't have 'stolen' it in the first place.

 

However, the 'theft' resulted in the removal of a bad apple from this company - The one silver lining in this unfortunate incident.

 

So the question is this: When you deploy AT-p in your company, will you tell your employees it's there?

 

--------------------------------------

 

Please note that any indictments and criminal complaints referenced in this post are merely unproven accusations, and the accused, in all cases, are innocent until proven guilty.

1 Comments Permalink
2

People often say to me - "I've got encryption, so I'm protected," or "I always use a laptop lock, so I'm protected."

 

In response I always remind them that laptop security should be looked at like a three-legged stool.  If any of the three legs are missing, the stool falls over (unless the person on the stool is a member of the Beijing Circus, but that's a rare exception).

 

What are the three legs?

 

The first leg is Physical Security, like a laptop lock and/or an alarm on your laptop bag.  If you're leaving your machine, lock it down!

 

The second leg is Data Protection like encryption.  If your machine does get out of your control and someone nefarious removes your hard drive, you can be "reasonably" confident they won't get at your data.  (I say "reasonably" because we've all seen the laptops at airports or in presentations where the password is written on a sticky note stuck to the machine!)

 

The third and final leg on the stool is a Protection Solution like AT-p.  If your machine fails to check in to the monitoring center after a certain length of time then presto it bricks.  Or if you know your machine is lost you can send it a poison pill and lock it down.

 

How many legs does your stool have?

2 Comments Permalink
3

The new generation of notebook PCs with Intel vPro technology includes Intel Anti-Theft Technology PC Protection (Intel AT-p). Intel AT-p offers you the option of activating hardware-based client-side intelligence to secure the PC and data if a notebook is lost or stolen. Because the technology is built into PC hardware, it provides local, tamper-resistant defense that works even if the OS is re-imaged, a new hard-drive is installed, or the notebook is not connected to the network.

For a good introduction to the Intel® AT-p Technology please visit - http://communities.intel.com/community/openportit/vproexpert/blog/2008/12/04/anti-theft-technology-has-arrived

In the following we describe an example of how this technology is deployed and used in the life of a typical employee working for a security-conscious company. Consider a user Jane who is a new employee of a company called SecureBank. SecureBank wants all its employees' laptops to be protected against theft and is therefore utilizing the Intel® vPro Anti-Theft Technology for Asset Protection (AT-p) with Absolute ISV.

In particular Jane has two (rather adventurous) days –

-         Day 1: The IT admin receives a new laptop and sets it up for Jane. Jane uses the new laptop on the day she receives it and manages to lose it to a thief!

-         Day 2: the thief is unable to use the laptop due to the poison pill sent as a feature of the AT-p technology. The thief therefore gives up on it and leaves it in a coffee shop. The laptop is subsequently recovered by SecureBank, made functional again and is ready to be handed over to Jane.

Below are the details –

(Check out the video uploaded at youtube –

http://www.youtube.com/watch?v=bnTggBxhOVk&feature=email)

Day 1:

(1) Initial Setup by IT Admin:

The IT admin receives a new laptop and creates the SecureBank IT image on the laptop. This includes the Absolute agent which would be used for AT-p. The Absolute Client Windows Installer is a part of the IT image. Two key steps are undertaken -

-         Enrollment: The IT admin runs the Absolute Client Windows Installer which installs the Absolute agent on the client. As part of the installation this client is enrolled with the Absolute server. Enrollment consists of the following steps –

1.      The Absolute Agent checks the local platform to ensure that the platform is eligible for Intel® AT-p.

2.      The Agent requests permission to activate AT-p from the ISV Server, i.e. the Absolute Server.

3.      The ISV Server takes this unique client request and sends it (along with a license key) to the Intel permit signing server.

4.      Once the Intel signing server has validated this request, an AT-p permit is generated for that unique client. The client system is now ready to validate signed messages from the ISV server.

Once the machine is enrolled it shows up on the administrator console. The machine is identified using a unique identifier generated by the Absolute server, Detected Full Computer Name and Detected Serial Number. At this point a default policy for the client machine is also applied.

-         Policy Setup: The IT admin can also fine tune the policy for Jane. Examples of Attributes he can set include:

 

| Policy Attribute | Example Value | Meaning |
|---|---|---|
| AT-p Timer Value | 48 hours | The machine’s disablement timer (time after which the machine is disabled if it does not connect with the server) is 48 hours. |
| AT-p Timer Action | Immediate Lock | The action a machine performs once the AT-p Timer has expired. In this case, the machine will shut down immediately (even if OS was up and running) and not allow the boot process to be carried out. |
| AT-p Theft Action | Immediate Lock | The action a machine performs once the machine is marked stolen when connecting with the server. In this case, the machine will shut down immediately, same as above. |
| AT-p Password | “StRongP@ssw0rd” | Admin Password used to recover the machine when it is disabled or locked. |
| AT-p State | Active | Marks whether AT-p is currently active or not on a machine. When it has a legitimate working user then it is marked as active. |
| Theft Status | Secure | Marks whether the machine is stolen or secure. In this case, the machine is not stolen. |



Once the IT admin has set the above policy he is ready to hand over the laptop to Jane.

(2) Normal Usage:

On receiving her new Laptop, Jane logs in with her domain credentials and uses it seamlessly (as if there were no AT-p). The rendezvous may occur without any active participation of Jane. As such the rendezvous happens in the background and is transparent to Jane.

- Rendezvous (Machine Not Stolen)
The Absolute solution has a rendezvous timer of 24.5 hours. After this time the following steps would occur –

1.      As the Rendezvous Timer (24.5 hours) expires the ISV Client Agent initializes a rendezvous.

2.      The ISV Server’s response is relayed to the Intel Management Engine (in the firmware) through the ISV Client Agent. Any new settings are relayed.

3.      Acknowledgments are generated for any message received.

4.      Once finished, the Disablement Timer (or AT-p Timer) reset message is sent to the Intel Management Engine.

(3) Theft:

After a good first day of work, Jane’s colleagues take her out for a dinner. She leaves her laptop in the car and heads to the restaurant. To Jane’s bad luck her car is broken into and the notorious thief steals her laptop.

- Malicious Usage: The thief has a hacking tool that allows bypassing the Windows login/password challenge, so he can use the laptop. He feels he can make a good fortune by selling this laptop on the black market.

- Theft Reporting: When Jane returns to the car, she is shocked to see her car broken into and her laptop stolen. She immediately calls the IT admin helpdesk and reports the theft. The IT admin sets the Theft Status to Stolen. Next time the laptop checks in with the Absolute server, the Theft Action, which is Immediate Lock, will take place.

Day 2:

(4) Poison Pill:

The attacker logs in again using his hacking tool. Since it is past 24.5 hours (i.e. the rendezvous timer has expired) the agent initiates a rendezvous. At this time the following steps happen -

- Rendezvous (Machine Stolen)

  1. As the rendezvous timer expires the ISV Client Agent initializes a rendezvous.
  2. The server has marked the system as stolen, and sends an AssertStolen message (“Poison Pill”) to the system.
  3. The local system takes action based on the current policy.

As the action is Immediate Lock, the thief, to his surprise, observes that the machine just shuts down. When he tries to power on the machine he sees a pre-boot authentication screen which asks him to enter admin credentials. The thief’s hacker tools are not able to bypass this screen the way they bypassed the OS login (the OS is potentially more vulnerable), because the pre-boot environment serves as an extension of the boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. Brute-force attacks in this environment are also much harder, as the tamper-proof firmware reboots the machine once a threshold time or number of login attempts has been exceeded.

To the thief’s dismay, he cannot really use the laptop and leaves it in the coffee shop where he logged in from.

(5) Asset Recovery:

The IT admin of SecureBank was able to get the IP of the location where the thief last logged in from and contacts the coffee shop. SecureBank officials pick up the laptop and bring it back to the IT admin desk for recovery. To recover the platform the IT admin carries out the following steps –

  1. The IT admin (re)sets the Theft Status to be Secure (from Stolen).
  2. Upon boot, the admin is presented with a “system locked” message in the pre-boot environment.
  3. The admin recovery passphrase must be entered before a given time (say 2 minutes). The admin immediately inputs his admin passphrase for the given machine.
  4. When the admin credentials and theft status have been verified, the AT-p timer is reset and the client platform is unlocked. The platform then boots to the OS. 

Once this is done, the IT admin is ready to return this machine to Jane without losing any time. Thus we can see that the AT-p solution not only provides a way to secure machines against theft and continued malicious use, but also ensures efficient recovery and continued use of the recovered machine!
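The rendezvous timer, disablement timer, poison pill and recovery steps above can be modeled as a small state machine to see when a reported laptop actually locks, online or offline. This is an added example, not Intel's or Absolute's code: the class and function names, the HMAC-SHA256 stand-in for permit-based message signing, the demo key and the 0.5-hour simulation step are assumptions, and the 2-minute passphrase window is not modeled.

```python
import hashlib, hmac

RENDEZVOUS_H = 24.5   # Absolute rendezvous interval (from the post)
DISABLE_H = 48.0      # "AT-p Timer Value" (from the policy table)

def sign(key, msg):   # assumption: HMAC-SHA256 stands in for permit-based signing
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

class Server:
    def __init__(self, key):
        self.key, self.theft_status = key, "Secure"
    def respond(self):
        msg = "AssertStolen" if self.theft_status == "Stolen" else "ResetTimer"
        return msg, sign(self.key, msg)

class Client:
    def __init__(self, key, passphrase):
        self.key, self.passphrase = key, passphrase
        self.state, self.last_reset = "ACTIVE", 0.0
    def tick(self, now):  # the disablement timer is local: it expires with no network
        if self.state == "ACTIVE" and now - self.last_reset >= DISABLE_H:
            self.state = "LOCKED"
        return self.state
    def rendezvous(self, now, msg, tag):
        if self.tick(now) == "ACTIVE" and hmac.compare_digest(tag, sign(self.key, msg)):
            if msg == "AssertStolen":
                self.state = "LOCKED"      # Theft Action: Immediate Lock
            elif msg == "ResetTimer":
                self.last_reset = now
        return self.state                  # bad signature: ignored, timer keeps running
    def recover(self, now, server, entered):  # needs Secure status AND the passphrase
        ok = hmac.compare_digest(entered.encode(), self.passphrase.encode())
        if server.theft_status == "Secure" and ok:
            self.state, self.last_reset = "ACTIVE", now
        return self.state

def lock_time(online, reported_at, horizon=120.0):  # hour at which the laptop locks
    srv = Server(b"constructed-demo-key")
    cli = Client(srv.key, "StRongP@ssw0rd")
    t, next_rv = 0.0, RENDEZVOUS_H
    while t <= horizon:
        srv.theft_status = "Stolen" if t >= reported_at else "Secure"
        if t >= next_rv and (online or t < reported_at):
            cli.rendezvous(t, *srv.respond())
            next_rv = t + RENDEZVOUS_H
        if cli.tick(t) == "LOCKED":
            return t
        t += 0.5
    return None
```

With these policy values, a laptop that stays offline after the theft remains usable for up to 48 hours after its last successful rendezvous, which is the exposure window the AT-p Timer Value controls.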


3 Comments Permalink
1

Hey, you guys, those of you makin’ like you’re part of the décor in an airport lounge or imitating camouflage behind a fern in a hotel lobby waiting for some mark to get distracted so you can lift his laptop. I’m going to save you some major grief. I’m feeling like a snitch doing this since I’m an Intel flack, but even criminals deserve an inside tip once in awhile. So, listen up, swifty. Before you slip ‘n slide that notebook under your trench coat, look it up and down carefully. If it says Lenovo Thinkpad T400 anywhere on it just put it back and save yourself a raft of frustration. Here’s the inside skinny: Absolute Software, Lenovo and Intel ganged up to develop this diabolical security stuff that’s … well, I was going to say almost criminal. They took these Lenovo ThinkPad T400 notebooks and booby-trapped ‘em with Intel’s new Anti-Theft PC Protection and Absolute’s Computrace technology. Here’s what’s gonna happen if you’re a sucker enough to boost one of these units. First thing you’re gonna do is turn it on to see if you can crack the password. These guys are just waiting for you to do that. They’re probably standing behind the other fern laughing their beanies off. After a few missed tries this notebook’s going to shut down like an iron door on the hole. It won’t do nothin’. It becomes a brick. Good luck tryin’ to hawk that. It’s because of this Intel Anti-Theft PC Protection. But let’s say you’re smart enough not to try to crack the password. Instead, you’re sitting there admiring the family of five on the screensaver trying to figure out what it will go for on eBay when WHAM! the thing shuts down. Won’t turn back on or nothin’. That’s ‘cause of Absolute’s Computrace. What happened was that soon as the mark saw his computer flew the coop, he called the guys at Absolute and they fixed their servers, so as soon as that computer came online, they sent it a poison pill through the Internet and that laptop became, yep, a brick. 
You’d do life for sending a poison pill, but these mugs got good lawyers and get away with it. But let’s say you’re a real Einstein, and you’re casing the airport parking lot and see some stiff shove one of those T400s in his trunk, grab his suitcase and head for the terminal. You’re figuring he’s gonna be gone for days, long enough to fence that T400 before he even knows it’s gone. So, you’re hanging out in a back alley, whispering “Hey, you wanna good computer cheap?” to every Joe that strolls by, until you finally hook some patsy. But you hit the button to turn it on and nothing happens. Yeah, you guessed it. You’re peddling that brick, again. This is because these Lenovo, Absolute, Intel guys covered that angle, too. Turns out the pigeon’s computer geniuses at the office set that ThinkPad T400 so it has to check in regularly, like it’s on parole. If it misses even once, it gets the poison pill treatment thanks to Computrace and Intel Anti-theft PC Protection, and, of course, dem guys at Lenovo who stick that stuff into those ThinkPad T400s in the first place. In the end, filching these rigged T400s will drive you crazy. Worse than being in the cooler. I know what you’re thinking, I’ll just grab another brand of computer. All I can say is, Are ya feelin’ lucky, punk? ‘Cause Lenovo is gonna be putting this Computrace and Anti-Theft PC Protection in their other computers. And, well, this ain’t no exclusive deal, if you know what I mean. So, before you do something stupid, my pal Josh Hilliker spills all the beans here. Check it out and save yourself some time…maybe hard time, not to mention saving you’s from going crazy frustratin’ yourself.

1 Comments Permalink
2

AT-p has arrived & here's a few links of relevance.

 

WIKI

http://communities.intel.com/docs/DOC-2384

 

Who's Offering?

http://communities.intel.com/docs/DOC-2033#BP5 Lenovo T400

 

Press Release

http://www.intel.com/pressroom/archive/releases/20081202corp_a.htm?cid=rss-90004-c1-219338.

 

Anti-Theft corporate net page

http://www.intel.com/technology/anti-theft/index.htm

 

Videos and demos are in the works - stay tuned for those.

2 Comments Permalink