The present application is related to co-pending application Ser. No. 09/108,479, entitled xe2x80x9cMethod and System for Detecting an Authorized Tamper Event,xe2x80x9d filed on the same day and assigned to the same assignee as the present application.
The present invention relates to computer systems and portable computer systems and more particularly, to systems for protecting such computer systems from theft or misuse.
Personal computer systems are well known in the art. Personal computer systems have attained widespread use for providing computer power to many segments of today""s modern society. Personal computers can typically be defined as a desktop, floor standing, or portable microcomputer. Examples of such personal computer systems are IBM""s PC series and IBM""s Thinkpad Series.
Theft of personal computers and personal computer components is becoming a major industry problem. As a result, there has been an ever increasing need to provide security for computer systems against the unauthorized removal of components and theft thereof. Since modern computer systems and components are generally more compact and more easily transportable, it is even more difficult to provide security measures that prevent unauthorized removal or theft thereof.
In addition, today, computer networks are employed to provide efficient computing capabilities throughout a large work area. Existing computer networks generally include a number of remotely located computer systems coupled via a data link to a server system or a central processing center. The wide dissemination of such systems at remote locations has made the computer systems and computer components an even more accessible target for computer thieves.
Furthermore industry standardization has increased the exchangeability or reusability of components between various types of computer systems from various vendors. The smaller form factor of components such as CPUs, memory, and DASD are popular targets, given their portability and high value. A thief could upgrade a low performance and inexpensive PC with stolen parts to create a high performance and expensive machine.
The precise time of any security event provides invaluable information to security personnel and law enforcement by enabling them to focus their studies of access logs and CCTV tapes to identify the perpetrator. IBM PCs currently carry a tamper detection switch, which can detect when the system cover has been removed and cause the system to be functionally disabled on subsequent boots until the user successfully enters the appropriate password. This mechanism adequately protects the overall system but does not deter theft of components within the system such as DIMMs, HDDs, and CPUs. A common scenario will find a user discovering that their system has memory or a HDD missing but with no way of knowing when precisely the theft took place.
Accordingly, a number of methods have been developed for guarding against the unauthorized removal of computer systems. One such method is the use of Electronic Article Surveillance (EAS) tags are widely used in commercial markets for everything from clothing to Compact Disks. When an item with an EAS tag is carried through a portal, the portal sounds an audible alarm to notify security of a tamper event. The EAS tags are attached or embedded in computer systems to provide a notification of when an asset is removed.
EAS is an excellent technology for retail applications, however it is less effective for protecting assets of a corporation. Employees may have opportunities to defeat the technology such as removing the tags, passing components out though a mail service, or reusing parts within the building.
A number of other methods have been developed for guarding against the unauthorized removal of computer systems. For example, U.S. patent application Ser. No. 08/965,140 U.S. Pat. No. 5,945,915 entitled xe2x80x9cComputer System for Sending An Alert Signal Over a Network When A Cover of Said System Has Been Openedxe2x80x9d and assigned to the assignee of the present invention discloses a mechanism to notify a system administrator within a network (typically an Ethernet network) when the cover of the computer system is removed through the use of a timestamp. When the cover is removed, an Ethernet subsystem sends a cover tamper signal to the network administrator. The disadvantage to this method is that the timestamp is based on administrator receiving the alert. Given the lossy nature of an Ethernet network the packet may never be received by the system administrator. Another problem is the potential delays inherent in the network, which results in being unable to pin-point the time of the event with accuracy.
There are other methods that provide local protection (non-network based) to detect and prevent unauthorized access to the data stored in a computer system. For example, U.S. Pat. No. 5,388,156, owned by the assignee of the present invention and incorporated herein by reference, discloses a personal computer system having security features enabling control over access to data retained in such a system. The personal computer system has a normally closed enclosure and at least one erasable memory element for receiving and storing a privileged access password (PAP). The PAP is designed to provide protection for the system owner by protecting the initial program load (IPL) device boot list, access to a password utility. The system further includes at least one tamper detection switch mounted within the enclosure and operatively connected with the memory element for detecting opening of the enclosure.
If the enclosure cover of the system is removed by an unauthorized user, the tamper detection switch will change states and set the tamper evident bit. If this occurs, the system will require the PAP to be entered before the user can enter access data. If the PAP is not known, then the system board must be replaced. However, the system of the ""156 patent has a disadvantage in that the time in which the cover was removed is not recorded.
It is therefore desirable to provide a computer system that provides a mechanism to accurately record the time when security breaches are detected. The mechanism should work in conjunction with tamper detection mechanisms that are standard in many personal computer systems. The mechanism must be software and configuration independent, to protect against a thief disabling or altering the event. In a preferred embodiment the time of event should be recorded in a secure fashion. The present invention addresses such a need.
A system for monitoring tamper events in a computer system is disclosed. The computer system is on a network. The system comprises a tamper realtime clock (RTC) means which receives at least one tamper event signal from the computer system. The tamper RTC includes a timer for indicating the time of a tamper event and a management device for receiving the at least one tamper event signal. The management device issues a command to the tamper RTC means to obtain the time of the at least one tamper event. The management device also generates a network packet which includes the time of the tamper event to a system administrator of the network.
The present invention in a preferred embodiment is directed to a computer system which has the ability to functionally detect and store the time of a tamper event. A tamper real time clock (RTC) circuit is operatively connected with logic to store the date and time of an event as it occurs. In a preferred embodiment, the tamper event could be as simple as a toggle switch being activated when a cover on the computer system is removed. The computer system could also send network alerts when the cover is removed.