AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

December 2007 - Posts

  • Tens Of Thousands Of Seniors Affected By Laptop Theft With No Data Encryption

    An employee of the Pennsylvania Department of Aging returned from a funeral to find his home burgled.  Among the items missing was his laptop issued by the department, which contained information on approximately 21,000 senior citizens.  Information included names, addresses, Social Security numbers, medical information, and recent services on the part of the department.  There was no encryption on the machine, just the customary double‑password.

     

    Talk about bad timing.  The Department of Aging was actually in the process of encrypting computers when the burglary took place (all computers are encrypted as of the time of the press release), but the stolen laptop was one of those not yet encrypted.

     

    There’s not much to say here.  One of the engineering creeds (that applies to pretty much anything in life) is “you’ve got to start somewhere.”  This is very true with data encryption.  Encrypting takes time and a multitude of resources, from the guys in IT to the people actually working on the machines to be encrypted.  Even easy‑to‑deploy whole-disk encryption solutions like AlertBoot will require some time, as well as answers to strategic questions such as, “which computers should be encrypted first?”— a perfectly valid question if you have to manage over 1000 computers.  Heck, it’s a valid one if you have to manage 100 computers.  You’ve got to start somewhere.

     

    As for the security aficionados that would claim such information does not belong on laptops, I tend to find that “aging” people are hampered when it comes to mobility.  It’s generally easier for someone to go to the silver‑haired generation.  And as such, field agents do exist for the department—and assuming that wi-fi and other wireless connections are not universally available, which I don’t think stretches the imagination—all that senior citizen data must reside somewhere with the field agent.  Governments need to step up on their efficiency, so it makes sense some form of a portable computer would be used.  Interestingly enough, due to the fact that wireless connectivity is becoming ubiquitous, the department actually has plans (and is working on) centralizing the required data so that downloads to a laptop won’t be required anymore.

     

    This is a department that’s doing many things correctly when it comes to securing sensitive data.  They’re taking on the challenges of the here and now, and also laying the foundation to ensure better data security as technology develops.  It’s just that sometimes, you need a little bit of luck for things to go perfectly.

     
  • College Entrance Exam Data Security Breach In Japan

    The Yomiuri Shimbun reports that a personal computer and a memory card belonging to a test writer were stolen.  The test writer in this case was writing for the National Center for University Entrance Examinations, which is in charge of creating the college entrance exam that is given once a year in Japan.  The next upcoming one is given on January 19 and 20.

     

    According to the article, over 400 teachers and professors at national, public, and private universities spent two years formulating the questions.  And while the test writer wasn’t storing the actual questions in the stolen goods (these are to be secured in a vault), he was carrying enough material used to create the questions to create problems—i.e., anyone who gets to see the contents of the laptop and memory card would be able to seriously narrow the field on what to study.  That helps a lot when twenty‑eight subjects are covered in the exams.  The national exams are more akin to AP exams than SATs, which is what one tends to think of when the words “national exam” are uttered on American soil—except with these particular “AP Exams” anyone who wants to go to college must take them.

     

    For those who are not aware, plenty of parents have tried to game the system via bribes to give their kids an upper hand in the entrance exams.  If you’re caught, there’re fines, imprisonment, and invalidation of test scores, which means waiting an entire year before even having the chance of taking the exams.  It doesn’t sound that bad—more time to study, right?—except that people are stressed out for an entire year, and the exams don’t really get easier with time.  If you’ve ever had a friend trying to get into med school, imagine that level of stress.  Now imagine on top of that that she’s at that period of the month and she can’t find the Midol.  Plenty of students kill themselves over these exams, literally.  Jumping off fifteen story buildings, for example.

     

    So, what’s the reaction in Japan over this snafu?  Well, it sounds like it didn’t make much of an impact; the center chief was fined part of his salary and that seems to be the end of it.  I think it must be Japanese culture.  If the same had happened in Korea, where a national college exam also exists, a gaggle of people—usually the mothers of high schoolers—would be protesting outside the ministry of education or wherever the blame would fall.

     

    Supposedly, the examination center does not allow exam related information to go outside secure areas.  Using private PCs in the office is not allowed, and copying documents and data is forbidden.  Obviously, the rules are not being followed, which is not a surprise—otherwise, how would parents get caught trying to game the system, right?

     

    AlertBoot would have helped in some ways.  PCs used at the office could have port control in place, preventing workers from copying data to USB memory devices, for example.  This can be turned on and off as necessary based on who’s handling a particular computer.  Also, the encryption of files or the device itself (be it a laptop or a USB memory stick) would have ensured secrecy of the questions already formulated for the exam.  Last minute changes are generally a bad thing for tests prepared years in advance.

     
  • Security Guys Lose Laptop With Security Data

    A laptop computer with the details of a new security system protecting the British Parliament was supposedly lost by a Serjeant at Arms (not a typo) senior parliamentary official.  The Serjeant at Arms department is responsible for the security of the House of Commons at Westminster Palace.  Man, the UK government can't catch a break.

     

    Based on the security entry at Wikipedia for Westminster palace, it looks like the House of Commons would be in dire need of security: pretty much all security breaches in history—physical attacks of one sort or another, that is—seem to take place near the House of Commons.

     

    To heap some embarrassment on the irony of the situation, the laptop was lost on parliament’s grounds; taken right beneath their noses, as it were.  But then, supposedly the security is very lax at Westminster (according to the Register), and there is a “notorious” amount of theft when it comes to equipment and furniture.  Hmm…maybe the reason stuff disappears from the House of Commons is the same reason why people seem to successfully launch their attacks around that vicinity?

     

    Anyhow, the laptop in question was password protected (I’ll take that to mean that it wasn’t encrypted, thank you very much), so there are very valid concerns that the thieves could easily access the information found on the computer.  A new security system is being launched next year, so it sounds like the currently stolen data may just naturally become worthless, but for the time being, it’s what I would assume to be a huge, huge failure (words Donald Trump would never utter).  But then, the Register also pointed out that the bloke who successfully stole the laptop from the Serjeant at Arms department probably has no problems making his way around Parliament, security details or not.

     

    With an encryption solution like AlertBoot, the fears of something (or anything) happening would have been neutralized.  Not so much for the embarrassment quotient, though.

     
  • The UK Caught In A Perfect Storm Of Data Breaches. How Long Will It Last?

    The UK government has had to admit to another potentially serious data breach:  3 million learner driver records were lost.  There were some smaller incidents between this latest case and the two lost CDs case last month—a veritable peppering of breach after breach.  The difference between the smaller cases and these two big ones is, obviously, size.  With so many data breach cases seeing the light of day, one wonders if these are attempts to hamstring the new Gordon Brown Administration.  Of course, when one considers that these breaches are happening under the auspices of the members of the Brown administration, one has to throw the conspiracy theories out the window and embark upon the incompetence theory.

     

    Or does one?  The Brown administration has been in place for a little less than six months.  When you’ve got a systematic failure of the government, it generally takes longer than six months to develop—and, usually, to diagnose it as one.  I’m no political pundit. And when it involves UK matters, I don’t think I can even attempt to pretend to be one, so I’m just gonna let it go at this: this problem with data security (on which I think I can comment a bit) has probably been developing for a while.  In fact, it’s been developing all over the world, and every single country has probably had an instance (at least!) where the government had a severe data security breach.  If you didn’t hear about it, chances are they hid the situation really well.  Or they don't use technology, but that means they've got bigger problems.  So, it seems to me quite unfair to accuse the Brown administration of incompetence when it comes to data breaches (now, if there are other matters where they blundered big time, that’d be fair game, as far as I know).

     

    Researching, selecting, and deploying software to safeguard data—like AlertBoot device encryption—is not a speedy process for bureaucracies.  Same goes for modifying how different departments go about their business.  In fact, my experience with different government branches in various countries shows that about the only thing a government does quickly and efficiently is break for lunch.  Hell, sometimes they’re a little too quick.

     

    When you consider that the state of Ohio had to muster 30 state-employed IT experts and took nearly 6 months to decide on how to approach security (now all they have to do is deploy it—which usually is easier said than done.  Unless you’re using AlertBoot, which is ultimately easier on you), is it any wonder that the UK government is slow in making changes?  While they’re exploring their options (their unused and undistributed data security manual is probably being referenced by a lot of government workers right now), they’ll probably want to take a look at future potential problems too, and figure out a way to safeguard against those as well, such as controlling device ports or software allowed to run on government computers.

     

    One thing I would like to criticize, however, is the Transport Secretary’s implications that the data is safe because it’s not “readily accessible.”  Special equipment may be necessary to read the data on the lost disk, but special equipment is sometimes easy to come by.  Have you seen what they sell on eBay?

     
  • Obfuscation One Way To Implement Data Security

    But not necessarily the best method, especially when it involves hiding a security manual from your workers who are supposed to follow it.  The Guardian has just released an article stating that junior civil servants, the same ones that were implicated in losing two CDs with information on 25 million children in the UK, were not given the official instructions on how to secure the data that is transferred to other departments.

     

    A manual was created for ensuring data security and privacy, but it was not distributed at the HMRC because it was decided that there was too much sensitive information in it.  Instead, a few senior civil servants got access to the manual and left it at that.  Did they ask for a new manual?  Doesn’t sound like it.  Talk about a Catch-22 situation.  The junior servant at the HMRC that was fingered as the culprit in the entire debacle had no choice but to do what he did.  How is he going to know the procedures if the procedures are not given to him?  Common sense, you say?  Apparently not a requirement to advance in a UK government post: look who’s at the top.

     

    Pathetic.  I mean, take this extreme example.  Can you imagine US military personnel working in a nuclear silo not having access to the launch button because the entire thing is top secret and sensitive? (Nothing more sensitive than nuking the wrong country...or nuking any country, for that matter.)  How would they launch the rockets when the president and the vice president read the authorization codes?  If the US military uses the same logic used by heads at the HMRC, the Veep or the President would have to drive over to some non‑descript barn in Nebraska; kick in the doors, assuming they don’t get shot at (you can bet instructions to shoot without questions in such areas are not classified and widely distributed); travel down a mine shaft; turn the keys; and launch it themselves.  And the Veep has a heart condition, so you know it’s gonna be W.

     

    I wish I could say about the HMRC that it was a case of sacrificing functionality for security; however, I’d have to say it’s more like sacrificing your brain for a future swift kick in your pants seat.  In an environment such as the HMRC’s, no amount of security will safeguard data.  Even encryption services such as AlertBoot would be rendered useless, as I assume that the technology would be there but nobody would be authorized to use it.  Well, that is if they get as far as deciding on data encryption to secure their digital assets.

     

    There are many aspects to ensuring data safety.  Getting the correct technology is only one of them.  A big and not insignificant one, and perhaps the first in the process of securing data, is to educate people in the organization how and why data security is necessary, and how different aspects (including technology) can help.  If not...well, the letters HMRC should remind you of what can happen.

     
  • The Silver Lining To So Many Laptop Thefts? Laptop Encryption Is Finally Being Taken Seriously

    Ohio has recently announced that they’re going to encrypt all of their data.  It took a task force of 37 IT professionals from 30 state agencies, but they finally decided on how to do it.  Also, there are reports that, in a first of its kind, the US government has issued blanket purchasing agreements for “data‑at‑rest” encryption products.  Data‑at‑rest refers to data that is in storage, as opposed to bits and bytes traveling from one computer to another, or data temporarily parked, such as that residing in RAM.

     

    One of the beneficiaries is the military.  For example, the Air Force now requires that all data‑at‑rest on laptops be encrypted.  This was supposedly prompted by the computer thefts and losses at the various Veterans Affairs departments in the past year or so.

     

    State and local governments are also beneficiaries.  At the Tennessee Department of Revenue, encryption can’t be offered to all employees, but any machines that are mobile (pretty much anything but mainframes, I’d say) will be encrypted.  Plus, any DVDs or CDs with confidential data given to citizens will be encrypted as well.  The recipient would get a password to decrypt the data, of course.

     

    After the numerous data breaches over the past year due to thefts in the US, as well as the recent UK data debacle (or debacles, if you’ve been following the news across the pond.  Every day there’s a new screw up), it looks like bureaucrats are beginning to wake up to the fact that data breaches can happen any time, any place.  Especially when you consider a lot of government branches are creating a “mobile work force” of their own—and issuing laptops to connect with such government workers.  The sooner you can encrypt machines, the sooner you can prevent data breaches.

     

    It seems that the move to secure personal data will accelerate in the coming months.  As news travels that states are signing up for device encryption like AlertBoot, more states will feel pressured to do the same—and hopefully this will put a dent in the identity pandemic that seems to grow every day.

     