in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

November 2007 - Posts

  • German Authorities Cannot Crack Skype Encryption. Should You Use The Same for Your Endpoint Security?

    As I was scanning the news in some Spanish sites, I came across an article at eleconomista.es where German police profess having problems with the encryption used by Skype, the Internet-based telephone company now owned by eBay.

     

    Based on the November 22nd article, the German police have been unable to decipher the encrypted calls.  The German authorities have been trying to tap the calls of those suspected of terrorism and other potential crimes, but have found the encryption impossible to break, and are looking for ways to intercept the calls prior to being encrypted or after it has been decrypted, on the receiving end.  An official was quoted as expressly stating that they are not asking for companies to divulge their encryption keys or asking for companies to establish a backdoor.

     

    The Spanish article is kind of surprising, not in that the encryption used by Skype is unbreakable, but that the German authorities are claiming that they can’t break it.  Because about a year ago, one would have been under the assumption that they can break it: In a New York Times article on May 21 of last year, a vice president at Verisign had divulged that the Germans “had the technology for intercepting and decrypting Skype phone calls.”  Of course, this doesn’t mean that they were successfully decrypting the calls.  Or maybe somebody was engaged in misinformation, but still….  Makes one wonder why German authorities are going around making such announcements.  Generally, those dealing with intelligence issues don’t want outsiders—much less the world—to know what they do and don’t know, what they can and cannot do.  I didn’t think much of it at the time, since I’m not a Skype user (and still am not).

     

    However, my curiosity roused by the article, I checked on the way back machine to see if Skype has changed their encryption method in the past year, and it doesn’t look like it.  A comparison between their FAQ from January 2006 and today shows that Skype still employs AES-256, the same used by the US government to protect its own data.  In fact, the language on both FAQs is exactly the same.  I wonder if the Verisign executive was misquoted:  If the Germans had been able to break this particular encryption technology, you can bet that the US Government wouldn’t be using it either, and all hell would’ve broken loose in the security community.  As far as I know, AES-256 is currently the encryption standard.

     

    Now that two governments are indirectly, if you will, recommending this particular encryption standard (what coud be a better recommendation that actually using it, right?), one might wonder, “is this available for the average layperson or commercial business?”  The answer is an emphatic yes.  Services such as AlertBoot are engaged in making sure the contents of laptops and files are untouchable from prying eyes by using AES-256—or other encryption standards if you desire—to secure data on laptops, desktops, smart phones, external hard disks, USB drives, etc.  Furthermore, the beauty is that your IT department doesn’t have to get involved if someone forgets their password, since there are internet and phone-based recovery procedures, lowering the costs of maintaining a secure environment.  Deployment of such services is quick and painless, as well.  You can check out details by going to http://www.alertboot.com/.

     
  • Ten Seconds Is All It Takes To Steal A Laptop. Make Laptop Encryption Part Of Your Endpoint Security Arsenal

    If one does a search for the words “laptop theft” in Google, the third result is the security footage of what looks to be a passing elderly man stealing a laptop.  More specifically, this elderly man scouts the place out and steals the laptop that was displayed at a storefront window in broad daylight, with at least two workers in the store.

     

    I wanted to call him a vagrant, but it doesn’t look like his appearance is causing sirens to go off in the minds of the storekeepers, despite what looks like an unkempt appearance in the extremely grainy footage from the camera.  Plus, one can clearly see him pretending to be talking on a cell phone as he walks out with the hot goods (good?) literally stuffed down his pants.  You don’t have too many hobos with cell phones out there.  Well, with the exception of South Korea, it seems.  I’ve been a direct witness to someone begging for money in the streets and answering a call at the same time.

     

    The footage found via Google is very telling in how thieves can and do use extremely small lapses in security to perpetrate their delinquent acts.  Despite there being two people on the same floor as him, the fellow was able to surreptitiously close the lid of the laptop on display, pick it up, and then slip it down his pants.  He does it in small increments, but the entire thing takes him less than thirty seconds, and the process of picking up his laptop, hiding it, and walking out the door takes him less than ten.

     

    The store is not a big one, so it begs belief that no one noticed.  Can you imagine what could happen, and how much easier it would be to steal in a setting such as an office?  Wider expanse in square footage; more people, meaning more anonymity…plus, no security cameras inside the office, since it’d be too weird in an office setting.  No need for the scoping, just need the timing.  Go into some random office dressed up as an exterminator and wait for the right moment.  Hide the goods in your exterminator bag—who’s gonna know if exterminators have bags or not?  And if someone does make a stink about it, make sure you've got a couple of mummfied rat cadavers in there; that'll put them on their way—and walk out after declaring a clean bill of health for the building.  It’s no wonder that people such as the Khaki bandit are able to pull off their stunts.

     

    So, how does one guarantee laptop security—as well as security for desktop computers and other devices—in such instances?  After all, it’s an unforeseen event.  And therein lies the problem: There’s no real way to defend oneself because one’s not expecting it.  (Can you defend yourself from a guy creeping up behind you and taking a swing at you?  Only if you’ve got a plate in the back of your head.)  Of course, if were strictly talking about protecting hardware, chances are that companies affected won’t be as concerned since they probably have insurance that will cover the replacement of the machine.  But, there are other things stolen along with the devices that cannot be so easily recovered.  For example, the presentation one was preparing for the sales meeting next week.  And this is why people are encouraged to back up their data.  Just in case.

     

    For the same reason, people should seriously consider encryption services for their computers, such as AlertBoot.  Only by installing easy‑to‑implement and easy‑to‑use encryption services that are transparent to the end user (i.e., the person typing up that report doesn’t experience the effects of the encrypted state) can a business make sure that data doesn’t fall into the wrong hands, in case someone is able to make out with office computers while no one is looking.

     
  • Another Day, Another Data Breach At A Government Facility: US Department of Veteran Affairs Missing (Even More) Computers

    Hot on the trail of the UK Government’s misplacement of two CDs with sensitive information on nearly half of all Britannia, there’s a small story concerning the Veteran Affairs office in the US.  Three PCs, two of them desktop machines and one of them a laptop, are missing from a medical facility in Indiana.  The theft took place, of all things, over Veterans’ Day weekend, so it actually preceded the brouhaha that’s rising to a crescendo on the other side of the pond.

     

    Some of the details vary, but this much is certain: Of the three computers stolen, one of them had the confidential records of 12,000 patients.  The contents were not encrypted, but they were password-protected (again, meaningless in terms of security; not so much in terms of PR).  Some say that the machines were stolen from an insecure location; however, the press release from the VA state that the computers were stolen from locked offices.  As well they should have been; otherwise, the VA hospital would in violation of several HIPAA requirements, and setting themselves up for major headaches.  Other than what they currently have, that is.  Contacting any number of patients, be it twelve thousand or twenty-five million, can never be a cheap or easy process.

     

    CDs, laptops, desktops…it just goes on to show that the medium in which the information is contained does not matter.  Unless things are bolted down, anything expensive enough will be stolen, assuming someone can lift it.  Heck, sometimes the fact that it’s bolted to the floor doesn’t matter at all.  Do a search for the words “ATM,” “stolen,” and “truck” in Google and you’ll see quite a number of instances where those heavy machines with their delicious, crisp bills are yanked away.  You might even be able to pull up a video.

     

    It’s unfortunate, but these are the times we live in.  Old timers may wistfully reminisce of the times when there was no crime in their neighborhood, and were able to keep their doors unlocked all day long; however, this illusion of safety is just that, an illusion.  The word burglar and thief, quite obviously, are not recent concoctions by the guys over at Oxford and Webster’s; they existed well before the 20th Century.  (Hammurabi had some laws regarding theft, if I’m not wrong.)  In Cold Blood was based on real incidents in 1959.  The past wasn’t much safer; slower and local is what it was.  People couldn’t travel far easily, cheaply, and rapidly.  Events in Kansas couldn’t affect people in New York, unless it became a literary sensation.  And even then, it took time for a man to compile the information, conduct interviews, and have the publisher print the books and distribute them before anyone was really aware.  Local.  Slow.

     

    Likewise, in the business world, things were slow and local as well up until the late 1980s, early 1990s.  That’s when the US companies really started to look overseas to find growth.  (Incidentally, that’s also when executives began to see foreign posts as a ladder towards something bigger, as opposed to being flung far away where they couldn’t do any damage to the real guts of the business, i.e., US-centric operations.)  The Internet came along; things got miniaturized and faster; and people still acted as if they lived in the 1950s while inside the digital world—they didn’t lock their digital doors; heck, they probably didn’t know whether they had digital doors to begin with.  Is it any wonder that we’ve got cybercriminals running rampant, commanding (illegal) revenues that rival a Fortune 100 company?

     

    It’s time for people to wake up to the fact that having locks and doors are, as Martha Stewart puts it, a good thing.  We have them on actual doors; it’s time to put them on the doors to our digital assets as well.  Passwords?  They’re like a screen door: Easily penetrable.  Plus, it allows those who are interested enough to peek through.  What you want in terms of security is encryption.  These are the double doors made of heavy oak.  This way, if your laptop or computer is stolen, you know that your data is safe.  With services such as AlertBoot, you can even extend this protection to your Smartphones as well.

     

    The continuing high-profile cases of governments and businesses being compromised by hackers and other criminals have brought digital security to the forefront of the general public.  It was high time that people started talking about this.  At the same time, it’s something of a disservice because people think it’s the incompetence of the government or the cost-cutting greed of businesses that is allowing all of this criminal activity to happen.  And my own personal bias is that, yes, it is.  But it’s also just people in general not being aware that they’re bound to become a statistic, much sooner than later.  Like some tourists arriving at JFK being robbed blind.  Or wearing a Yankee’s hat at Fenway.   Or eating a bunch of that bright, green stuff at the sushi place.  I tell people it’s horseradish, but people don’t know what horseradish is.  Until they’ve eaten a scoop of it, that is.  That's when they know horseradish is not some exotic BaskinRobins flavor.  Likewise, it seems those who are bitten by cyber crimes are the ones who've taken to heart that information security is a necessary and preventive measure.  I can only hope that the general population also accepts this view in time without falling victim to the times, just like they don't think twice about locking their doors.

     
  • UK Up In Arms Over Loss Of Two CDs. 25 Million Britons Affected By Lack of Data Encryption

    HM Revenue & Customs (HMRC) has lost two CDs containing the details of 25 million people in the United Kingdom.  With the official population of the UK at 60.5 million, this represents slightly less than half of all the people in that country.  The matter was grave enough, combined with other data breaches at the same department, for the chairman, Paul Gray, to resign.

     

    The data that could potentially be compromised are the names, addresses, and the birthdates of every child in the UK, plus the bank account details and England’s equivalent of Social Security numbers of 10 million parents and other caretakers.  The two CDs were lost en route to the National Audit Office.  Because of the nature of the media lost—compact discs—there has been plenty of fist-pounding on why the government is using such “ancient museum pieces” and that these must be replaced.  I would like to comment, as I usually do, that the method of delivery is not at fault.  After seeing the breaches for monster.com, TJX, Ameritrade, and other online data security mishaps, are we really to believe that substituting plastic doughnuts with a server and wires gives us more security?  That this will ensure total and complete security?

     

    I think most experts whose intent is not to sell their services—or recommend a cash infusion into devices that will lose half their value the moment that they’re delivered to your door—will readily agree that the transfer medium is not the issue.  The real issue is, “why weren’t the appropriate steps taken to protect the data?”

     

    Protecting the data, ensuring that outsiders can not see the sensitive information—that’s where the focus should be concentrated.  And if one does so, one realizes that the culture at the HMRC is ill-prepared for protecting data, and would have ultimately lead to data breaches, which it did.

     

    To begin with, there was no attempt to ensure that the information sent via courier from one department to another would be protected from prying eyes: inter-office mail envelopes used by the HMRC cannot be secured which, actually, makes sense.  I’ve seen such reusable envelopes in many corporations, and the last thing you want on “reusable” envelopes is something that will allow you to glue down the flaps.  You can’t use it after that one instance.  The answer, of course, is not to use reusable envelopes when sending sensitive information.  But sealable envelopes can only show you that there was tampering, it cannot protect the contents inside.  For digital data protection, encryption, such as those offered by AlertBoot, is necessary.

     

    Also, if you listen to the HMRC, it was junior officials who made mistakes and ignored security procedures.  I’m not sure in what context these officials are “junior,” but it certainly sounds like they shouldn’t have had access to such information in the first place.  Perhaps it was the presence of a password that supposedly secured the data (note to readers: having a password is not the same as encrypting data) that allowed the more senior officials to relax and pass the duties to the junior ones.  And I guess there’s a reason why the junior ones are in the junior position.  However, the above proves that a lax attitude towards security exists in the department.  What’s galling is that the HMRC has already had two other significant data breaches this year, so it’s readily apparent that nobody in that department seems to be learning from their mistakes.  I think the two prior cases were blamed on junior staff as well.

     

    In such an environment, it doesn’t matter how data is being handled.  Be it a CD or the latest secure gizmo, if people are going to be lax about security, data breaches will happen.  What good is the most impenetrable strongbox if you’re going to keep the combination to the safe taped to the door?

     

    I commend the HMRC for using a “password” to secure the data on the two CDs (which, incidentally, is actually four CDs.  A pair got lost earlier, and a second set of data CDs were sent via the same method, which got lost as well.  The latter is what everyone in the UK has bunched their knickers about) not because this implies that the lost data is secure from prying eyes, but because it indicates that not everyone in that department is incompetent—just misguided.

     
  • Laptop Encryption Is The Most Commonsense Way To Protect Portable Computers

    InformationWeek has an in-depth article on preventing data loss, and has fingered encryption as a must-have in one’s arsenal.  They correctly point out that it’s the most “commonsense” way to protect data, and that it also helps avoid penalties in certain states if the computer were to be stolen.

     

    How powerful is encryption?  It depends on what you’re using, but it is so powerful that the UK has included as part of their terror laws the ability for police to ask for encryption keys.  Last week, an animal rights activist was ordered to surrender her encryption keys to the authorities as part of RIPA, the Regulation of Investigatory Powers Act.   The measure is contentious, but English Parliament passed it in order to better fight organized crime and terrorism (criminals tend to be at the forefront of technology in order to escape the authorities.  This begs the question, how come the authorities are not using what’s at the forefront of technology?  Also, how is an animal rights activist "up there" with the likes of an Osama?)

     

    Why pass such a resolution?  Because it is that much harder to crack passwords (no word yet if criminals willing hand over the encryption keys).  If criminals are smart, they will follow the suggestions of security experts and use strong passwords composed of alphanumeric characters, ensuring that the passwords are not short in length, and perhaps using a mix of upper and lower case letters.  The reasoning behind this is quite simple.  The more options you have, the lower the chances that somebody will be able to break the password.

     

    Let’s say that your password will be composed of numbers only, but be of any length that you choose.  If the password is composed of three digits, there’s 1000 potential combinations in total, so one might have to guess at the password one thousand times (the first digit can be from 0 to 9; so can the second and the third, so the numbers would range from 000 to 999, i.e., one thousand different numbers).  Breaking the password in this case is a matter of time, and this is why seven year olds all over the world can break into their fathers’ briefcases, given enough determination.  Likewise, if one uses the letters in the English alphabet and limits the password to three characters in length, there are 26 x 26 x 26 (or 263) = 17576 guesses possible.

     

    Use a combination of letters and numbers, and the potential for each placeholder in a password jumps to 36.  The same three-letter password requires 46,656 (or 363) tries to go through all combinations (going through each combination, by the way, is what’s known as a brute-force attack).  If the password is case-sensitive, the placeholder jumps to 62 combinations (26 letters which are doubled, plus the 10 numbers) and the three-letter password now requires 623 or 238,328 combinations.  As you can see, a combination of case-sensitive letters and numbers would increase the potential combinations to the tune of 62n, where “n” is the length of the password.  Hence, the longer the password, the more “secure” it is, since it would take forever to go even through one-tenth of all combinations.  It would be quite an afternoon for a seven year old.

     

    Secure, long passwords—to be entered when Windows boots up, for example—are not enough, however.  Someone could hijack into a computer’s information just like someone could take a crowbar or a knife to a briefcase: bypass the locks directly and go for the documents (you want to watch out for that seven year old).  The equivalent for a computer is to take out the hard drive and hook it up to another computer, much in the same way one would hook up an external drive to a laptop.  By doing so, the password is bypassed, and the contents can be read without exhausting all 62n passwords.

     

    However, if encryption offered by companies such as AlertBoot is used, the bypass doesn’t work, and the correct password (as well as the correct username) must be supplied before anyone can access the data.  Under such circumstances, it’s much easier (and probably faster) to get the required passwords directly as opposed to try to guess it.

     
  • Eleven Laptops Stolen Out Of Japanese Embassy. No Word On Laptop Security. One Conspiracy Nut Created: Me

    The Yomiuri Shimbun is reporting that eleven laptops were stolen from a Japanese Embassy in Brussels, Belgium.  Japanese expatriates—about 12,700 of them—might be affected.  The information on the laptops included residence certification, overseas voting registrations, and passport information.  The information on residence certification also include personal details such as date of birth, name, permanent address in Japan, occupation, and family information.  Because of the fears expressed regarding personal identity theft, my guess is that there was nothing such as AlertBoot ensuring the safety of the information on the laptops via encryption.

     

    Is it normal for an embassy to have this information?  Actually, it is, and it’s not because they’re playing Big Brother.  Generally speaking, embassies welcome their country’s citizens to register their arrival whenever they step onto foreign soil, although this is rarely followed anymore.  I guess it’s more of a tradition nowadays.  In older times, when travel was not as easy, and people around the world rarely spoke two or more languages, especially the locals—let’s face it, the ordeal of speaking something other than one’s mother tongue falls upon the guy who decided to travel—an embassy offered services to make sure that there were no problems for citizen visitors.  The embassy personnel would give advice in terms of local law; what local customs are; where they could find a good, American-style burger in Paris (good luck finding one!); provide business contacts; which neighborhoods are dangerous; etc.  Being an ombudsman organization for their country’s visitors was part of an embassy’s duties among their less mundane ones, such as espionage and arranging the release of hostages.  I guess in many ways, it still is, although new duties have been added to reflect the changing times.

     

    When I called it a tradition, though, I don’t mean that there is no need for such registration at an embassy anymore.  Sometimes the need arises unexpectedly: In the 2004 tsunami that affected Southeast Asia, Korean embassies were able to find out who fell victim to the waves based on visitors who had registered—in fact left behind a travel itinerary—with the embassies.  Anyone who didn’t show up at the different outposts, which I imagine would be strategically based on where people are likely to be, were presumed dead, since in most cases it was impossible to recover the bodies.  In times of emergency, inclusion in such a list could mean the difference between dying a lonely death due to ignorance (nobody knows you’re there) and someone starting a rescue mission.  It also helps to rapidly communicate the news to concerned folks back home—be it happy or otherwise.

     

    So, collecting information: not exactly a nefarious thing, unless you’re still a citizen of one of those Soviet nation blocs…in the 1980s.  What the Japanese citizens should be concerned about is that the embassy was broken into and things got stolen.  Embassies generally have good security.  I’ve seen my share of consulates (satellite embassies, if you will, that carry the same services but the head is not the ambassador…or ambassadress.  Have I mentioned that the times, they are a changin’?) where security is not exactly up to par, but an embassy?

     

    An embassy!

     

    Why am I so incredulous?  Let me put it this way: embassy soil is sovereign soil.  If you’re an American working out of the American embassy in Brazil, every day you cross borders into the US as you enter the parking lot.  At night, you commute back to Brazil, perhaps pick up a Brahma chop on the way back (that’s beer) and a little side of grilled chicken hearts (they’re delicious.  Also, high in cholesterol, so, ironically enough, bad for your heart).  This also means that if a Brazilian cop were to scale over the US embassy’s walls in pursuit of a thief, both would be killed by the US Marines that guard the place, and Brazilian law couldn’t touch the Marines.  After all, the incident happened on American soil, and outside Brazil’s jurisdiction.  Nothing like the US Marines to protect your border and perimeter.

     

    Of course, the US Marines can’t protect the Japanese embassy; this goes without saying.  But bringing in some personnel from the Japanese Self-Defense Force might be something to think about.  For the embassy in Belgium, the only thing between criminals and the contents of the embassy was a lock on double-layer doors.  That, and an elevator ride to the 6th and 7th floors.  And despite this particular piece of Japan being in a building in Brussels, the concept of sovereignity still applies: go down one floor, and you're in Belgium.  Walk up the stairs to floor six and you're in Japan.  If someone breaks in, they're breaking into Japan.

     

    Also, one of the stolen laptops belonged to the consul.  (That’s another way of saying ambassador, since we’re talking about a break-in into an embassy.)  More importantly, an ambassador’s office is never left unlocked if he’s not in the office.  So, the perps had time to break that particular lock as well.  Remember, the ambassador is (supposedly) the guy who knows it all at the embassy.  He holds all the secret documents.  The news articles that I’ve read point out that no diplomatic information was leaked out—could they announce otherwise?—but there’s really no way to corroborate that.  We’re in an age where a cell phone could be used to take pictures of secret documents, for example.  Besides, a bunch of guys break into an embassy to steal laptops?  This is where my conspiracy nut personality kicks in.  Because the artilces make note of it as a passing instance, an every day crime, no different from a laptop going missing at the Gap.

     

    Are you kidding me?  Who breaks into an embassy just to steal laptops?  Spies, that’s who!  James Bond types with licenses to kill and nifty gadgets who order all the shaken Vodka Martinis you can shake a stick at!

     

    Let’s say that the perps were after the laptops, or more realistically, the information on those laptops.  You know, they don’t know which one contains the information that they want, so they steal all of them.  If the Japanese embassy didn’t have those machines encrypted with a powerful encryption process, anybody can get into them.  AES-128 or higher encryption standards, which are used by the US government to safeguard their information, would have been an ideal solution.  Not even Q could get through that one.

     

    Or, perhaps the laptops are a decoy.  They planted state-of-the-art bugs in the offices, and stole the laptops to make it look like a burglary because there was no way around busting the lock at the front door.

     

    Or, perhaps the laptops were already compromised, and there was a way to identify who planted stuff into the laptop.  See?  So, that information had to be retrieved.  But the laptops were powered down and this couldn’t be done over the Internet, and since the Japanese embassy was closed due to a three-day Japanese national holiday, the guys busted in and figured it’d be easier to steal the laptop as opposed to getting rid of any traces.

     

    I could come up with other stuff, but I would be required to wear a tinfoil hat.  I'm not ready for such a lifestyle, so I'll stop here with the ruminations.  However, I would like to make this observation: whoever stole these eleven laptops stole for them for a reason.  If those devices were not encrypted, you can assume that there is a data breach, as opposed to a laptop going missing at a retailer's office, which could be an instance of a grunt trying to make a quick buck.

     
More Posts « Previous page - Next page »