AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

January 2008 - Posts

  • When It Comes To Personal Data Protection, It’s A Myth That Some Types Of Information Are More Harmful To Lose Than Others

    The washingtonpost.com has an article today on “money mules,” people who make possible certain forms of phishing and other on‑line cons and scams.  One of the ways it works is as follows:  A person is contacted to see if he’s interested in making a little income.  He agrees.  He receives some money in his bank account or via Paypal, and is asked to forward the money to someone else—say, via Western Union.  He’s to keep 10% of the money as a commission.

     

    Sounds like a scam, smells like a scam, looks like a scam…it is a scam; however, this is where the social engineering kicks in to deodorize the stench.  The “mules” are contacted through e-mail stating that their address was found via an on‑line job posting, such as on monster.com.  Then the scammers make it sound like a legitimate job.  They’ll construct—or, better yet, copy—an entire website for the purpose of pulling off the scam.  They’ll have the mule sign a contract for the job just to make it seem legitimate.  The money is sent by the scammers and the mule forwards it to someone else.  Everyone’s happy.  After all, the necessary checks were done, and everything seems to be legitimate.  Plus, you’ve got a contract, remember?  Sit back and watch the money roll in.

     

    Then the e-mails and calls start coming in from random people.  When will you be sending the camera that I bought from you on eBay, Mr. Mule?

     

    Uh-oh.

     

    And guess what?  Based on past rulings, Mr. Mule is responsible for refunding the money, not the scammers.

     

    Of course, you don’t actually have to sign up for anything to become a victim.  Sometimes just reading the e‑mail itself is the danger.  Again, from the washingtonpost.com:

    “For example, money mules have helped to generate profits for the individual(s) behind some 15 separate, targeted malicious software attacks last year that came disguised as e-mails from the Better Business Bureau, according to iDefense, a security firm owned by Verisign. In those scams, the fraudsters sent virus-laden e-mails to tens of thousands of individuals whose resume and contact information were stolen in a previous compromise of a Monster.com job-seekers database, said Matt Richard, director of iDefense Rapid Response.” 

    This is why, when an organization alerts the public that a laptop or computer was stolen and—while there was no data encryption like AlertBoot protecting the information—there’s no need to worry because no financial information was involved, you should worry nevertheless.  A random e‑mail address is pretty much useless to a scammer, whereas one confirmed as belonging to a real, reachable person is worth—well, it’s worth a little more than a random e‑mail address.  But get enough of them, and the list definitely becomes worth a scammer’s while.

    At this point, someone will raise their hand and say, “well, that’s true for random e‑mail addresses as well.  Get enough of them, and they’re worth a scammer’s while, too.”  And this is not wrong.  However, we should consider what the rate of success happens to be in either case.

     

    For random e-mail addresses, a scammer is stuck sending Viagra commercials, hoping to catch Bob Doles.  Or perhaps you don’t have performance problems, but you’d like a genuine RoIex.  It’s all very hit and miss.  However, if I know as a scammer that you’re looking for a job and that you’ve posted your résumé on monster.com…well, that gives me something to work with.  That’s where the social engineering kicks in—and why danger lies ahead for the unsuspecting victim.  Of course, you could send monster.com scam e-mails to everyone at random…but scamming people costs money, and the phishing industry is looking at its bottom line, just like any industry.  Concentrate on those you know use the job boards, and the probability of success is much better.

     

    In this day and age, when it concerns personal data, I don’t think one can draw a distinction between “safe to lose” data and “unsafe to lose” data.  I’d say it behooves any legitimate company to protect its data (and its customers’ data) regardless of what it thinks the level of risk happens to be, with tried-and-true information protection measures such as whole disk encryption.

     
  • Can Hard Drive and File Encryption Protect Your Fifth Amendment Rights?

    There’s an interesting case in the U.S. District Court in Vermont where a prosecutor is trying to force a suspect to give up the password to the encrypted contents of his computer.  The suspect claims that doing so would be self-incrimination, and that he therefore has every right to refuse the government’s request.  I won’t get into what the charges are, since that will just portray one of the uglier parts of our society and spark more of an emotional argument instead of a technical or legal one. 

    Why is this case so interesting?   A case of this kind has never made it up to this legal level, and now a judge needs to balance privacy and civil liberties while protecting the interests of the public.  The judge presiding over the case likens this to having a safe with potentially incriminating evidence.   The government can force you to give up the key to your safe since the key is physical, but if your safe has a combination lock, the government cannot force you to disclose the combination.  Doing so is considered a “testimonial act conveying the contents of one’s mind,” which is protected by the Fifth Amendment. In my opinion, whether a physical safe has a key or combination lock, a government official will find a way to break the safe open to review its contents. 

    Why are the folks in Vermont having such a tough time?

    The encrypted contents on the suspect’s computer are protected using 256‑bit encryption, and the government’s computer forensics experts testified that it would take years of brute‑force password guessing to get into the files.  Attacking the key directly is out of the question: with 2^256 possible keys, exhaustive search is beyond any computer that will exist in the foreseeable future, which is why the practical attack is always aimed at the password that protects the key rather than at the key itself.  The only real way to get access to the data, according to the government experts, is to get the suspect to give up the password.

    Why am I confused?

    Most enterprise encryption products include a failsafe that allows authorized users to get access to their data in case they forget their passwords: a copy of the disk key is escrowed under a separate recovery key held by the organization’s administrators.  The AlertBoot managed hard drive encryption service offers such support to its customers.  Yes, security is important, but you should never be in a situation where you lose access to your data because you implemented security.  Note, though, that a recovery path exists only if someone other than the user holds a recovery key; a vendor cannot “reset” a password for a product that was installed without escrow, because the vendor never had the key in the first place.  I wonder which product was used in this case where there is no way to recover the password or reset it by contacting the software vendor.

    The law is continually trying to catch up with technology, and it will be interesting to see how this case ends.
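    As an added illustration (not code from the original post or from AlertBoot), here is the structure behind the failsafe described above: the disk is encrypted under a random 256‑bit data key, and that key is escrowed twice, once under a key derived from the user’s passphrase and once under an organizational recovery key.  Either slot unlocks the same data, so a forgotten passphrase is recoverable by an administrator, while the cipher key itself is never weakened.  The PBKDF2 iteration count, the slot names and the HMAC-based wrapping primitive (a stand-in for AES Key Wrap so the example runs on the Python standard library alone) are assumptions of this example.

```python
"""Added example (not from the original post or AlertBoot): disk-key escrow.

A random 256-bit data key (DEK) encrypts the disk.  The DEK is wrapped twice:
under a key derived from the user's passphrase, and under an organizational
recovery key held by an administrator.  Either slot yields the same DEK.

The wrapping primitive is an HMAC-SHA256 keystream with an encrypt-then-MAC
tag, an assumed stand-in for AES Key Wrap so this runs on the standard library
alone; real products should use AES-KW or AES-GCM.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune for real hardware)


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key from a human passphrase; deliberately slow so that
    guessing the passphrase, the only practical attack, costs the attacker."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC(kek, nonce || counter) blocks, concatenated, as a keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, dek: bytes) -> Dict[str, bytes]:
    """Encrypt the DEK under kek and authenticate the result (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, b"wrap-tag" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(kek: bytes, slot: Dict[str, bytes]) -> Optional[bytes]:
    """Return the DEK, or None if kek is wrong or the slot was tampered with."""
    expected = hmac.new(kek, b"wrap-tag" + slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    ks = _keystream(kek, slot["nonce"], len(slot["ct"]))
    return bytes(a ^ b for a, b in zip(slot["ct"], ks))


def create_volume_header(passphrase: str, recovery_key: bytes) -> Tuple[Dict, bytes]:
    """Generate a fresh DEK and escrow it in two slots.  The header is what a
    product stores on disk; the DEK is returned only so the volume can be
    encrypted with it and must never be written out in the clear."""
    dek = os.urandom(32)   # 256-bit key: independent of the passphrase's strength
    salt = os.urandom(16)
    header = {
        "salt": salt,
        "user_slot": wrap(derive_kek(passphrase, salt), dek),
        "recovery_slot": wrap(recovery_key, dek),
    }
    return header, dek


def unlock_with_passphrase(header: Dict, passphrase: str) -> Optional[bytes]:
    return unwrap(derive_kek(passphrase, header["salt"]), header["user_slot"])


def unlock_with_recovery_key(header: Dict, recovery_key: bytes) -> Optional[bytes]:
    return unwrap(recovery_key, header["recovery_slot"])


if __name__ == "__main__":
    org_key = os.urandom(32)   # held by the management console, never by the user
    hdr, dek = create_volume_header("correct horse battery staple", org_key)
    assert unlock_with_passphrase(hdr, "correct horse battery staple") == dek
    assert unlock_with_passphrase(hdr, "wrong guess") is None
    assert unlock_with_recovery_key(hdr, org_key) == dek   # forgotten passphrase: admin path
    print("both slots recover the same 256-bit DEK; a wrong passphrase fails closed")
```

    The two slots are what the Vermont case turns on: a wrong passphrase fails closed, and nothing but the passphrase or the recovery key yields the data key.  A product installed without a recovery slot simply has nothing for a vendor to reset.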

     

     
  • UK Department Store Marks & Spencer Ordered To Encrypt All Laptops

    Marks & Spencer has been ordered by the Information Commissioner’s Office to encrypt all of its laptops.  This is the outcome of the theft last May of a laptop that contained the personal information of 26,000 Marks & Spencer employees.

     

    The laptop was stolen from a printing firm working for M&S.  It contained details of the employees’ pension arrangements, as well as salary details, addresses, dates of birth, national insurance numbers, and phone numbers.  At the time, M&S had revealed that the laptop was password-protected.  However, as detailed in many previous posts, this cannot be considered protection at any level: an operating system logon password controls who can log in, but the data on the drive is stored in the clear, and anyone who removes the drive and attaches it to another computer can read it directly.  Apparently, the ICO agrees.  Otherwise it wouldn’t have instructed the retailer to encrypt all of its laptops by April of this year.

     

    More specifically, the ICO is ordering M&S to encrypt all hard drives, including those in its laptops.  Not complying with the order could result in the prosecution of…well, of someone.  In its press release, the ICO found the retailer in breach of the Data Protection Act because the laptop was not encrypted.  This is a very interesting finding, mostly because a lot of data has been lost over the past couple of months, virtually all of it unencrypted.  One wonders if the ICO will be bringing charges against the government itself.

     

    Anyhow, it seems that M&S got the message a long time ago.  A spokeswoman for the retailer announced that they’ve been encrypting their laptops since October, when the ICO broached the subject.  (She also said, however, that they were surprised by the findings and by the ruling.)

     

    So, why did the ICO come to the ruling that a retailer ought to encrypt all hard drives?  After all, if it’s protection of information that they’re looking for, wouldn’t encrypting individual files achieve the same purpose?  The answer is: technically, yes.

    However, the onus falls upon the end user if individual files are to be encrypted.  And while I don’t mean to be disparaging towards people in general, the truth is that there is always a small number of individuals who take it upon themselves to create the conditions of a security breach.  In other words, they are the weakest link in the chain (if only a stern, British woman‑type could utter those words and fire people…it’d be great entertainment).  Plus, there’s always the question of which files are to be encrypted, and which ones not.  It’s much easier to encrypt the entire hard drive and protect the whole disk using services such as AlertBoot, eliminating personal judgments on what is important: it makes security easier to enforce.  One caveat is worth remembering: whole disk encryption protects data at rest.  A laptop stolen while powered off, or sitting at the pre‑boot password prompt, is protected; one stolen while running or merely asleep, with the disk already unlocked and the key in memory, is not, which is why a policy of shutting laptops down (not just closing the lid) before they leave the office belongs alongside the encryption itself.

     
  • Oops! Worcester Stolen Laptop Incorrectly Identified As Having Data Encryption

    A stolen laptop was reported by Fallon Community Health Plan earlier this month as being encrypted.  Now, Fallon is reversing itself and saying that the laptop was not encrypted, based on the conclusions of a forensic technologist.

     

    This means that over 30,000 members of Fallon Community Health Plan could be affected.  While financial information was not present on the laptop, other information such as Medicare IDs was present, as well as dates of birth, names, etc.  A Medicare identification number (the Health Insurance Claim Number) is built from the beneficiary’s, or their spouse’s, Social Security number plus a one‑ or two‑character suffix, so losing Medicare IDs is, in effect, losing SSNs.  Obviously the data loss could have a significant impact—and Fallon has offered free credit monitoring services for the next 12 months to those affected.

     

    The direct victim of the theft was a contractor for Fallon that was handling medical claims.  Fallon has declined to identify them, but it is known that the computer was stolen from the contractor’s offices.  The theft was discovered on January 2, but it was not found out that the device was not protected with encryption until January 14.

     

    This goes to highlight why not all encryption programs are the same.  With AlertBoot, not only do you get strong encryption (in any full disk encryption product the disk contents are protected with a symmetric cipher such as AES; a public-key algorithm such as RSA, now three decades old, is used for key management, not for the bulk data), you also get a very comprehensive reporting engine to go with it.  In other words, if a laptop gets stolen, you can easily look up the encryption status of that machine, as well as who had access to it.  Granted, the forensics guy probably didn’t spend 12 days trying to figure out whether there was encryption on the laptop—he’s got other stuff to check into as well—but something like AlertBoot would have allowed Fallon’s officers to correctly state from the get-go that the laptop was not encrypted.  Worse than appearing incompetent is appearing incompetent twice.

     

    Of course, with such a reporting system, the IT department would also have been privy to the fact that one (or more) of their laptops was not encrypted during regular audits, and could (or rather, should) follow up with the renegade worker.  So, the data breach could have been prevented; one can hardly say the same for the theft itself.
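    As an added example (not from the original post, and not AlertBoot’s console), here is the kind of audit a central encryption inventory makes possible, covering both the enforcement problem in the M&S post above and the reporting problem in this one.  Each endpoint reports its encryption state and the time of that report; the script flags unencrypted machines for follow-up and, for a stolen asset, answers from the record only, treating a stale report as “unknown” rather than as a yes.  The inventory columns, the seven-day freshness window and the sample rows are all constructed for this example.

```python
"""Added example (not from the original post or AlertBoot's console): the
audit a central encryption inventory makes possible.  Each endpoint agent
reports its encryption state and when it reported; the audit (a) flags
unencrypted machines so IT can chase them before a theft, and (b) answers
"was asset X encrypted when it was stolen?" from recorded facts only,
treating a stale report as "unknown" rather than guessing.  The export
format, the freshness window and the sample rows are constructed."""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export.  LT-0003's last report is weeks old, so its "yes"
# cannot be trusted on the day of a theft; LT-0004 never reported a status.
SAMPLE_INVENTORY = """\
asset_id,assigned_to,encrypted,last_report
LT-0001,claims-contractor,yes,2008-01-01T09:12:00
LT-0002,claims-contractor,no,2008-01-01T17:40:00
LT-0003,finance,yes,2007-11-20T08:00:00
LT-0004,hr,unknown,2007-12-30T10:00:00
"""

MAX_REPORT_AGE = timedelta(days=7)            # assumed freshness window
THEFT_DISCOVERED = datetime(2008, 1, 2, 8, 0)  # constructed timestamp


def parse_inventory(text: str) -> List[Dict]:
    """Parse the CSV export; encrypted becomes True / False / None (unknown)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset_id": row["asset_id"],
            "assigned_to": row["assigned_to"],
            "encrypted": {"yes": True, "no": False}.get(row["encrypted"].strip().lower()),
            "last_report": datetime.fromisoformat(row["last_report"]),
        })
    return rows


def classify(rec: Dict, now: datetime) -> str:
    """compliant / noncompliant / unverified for one record as of `now`."""
    if rec["encrypted"] is False:
        return "noncompliant"        # known unencrypted: follow up with the user today
    if rec["encrypted"] is None or now - rec["last_report"] > MAX_REPORT_AGE:
        return "unverified"          # no fresh evidence either way
    return "compliant"


def audit(records: List[Dict], now: datetime) -> Dict[str, List[str]]:
    """Fleet-wide view for the regular audit that should catch the renegade laptop."""
    out: Dict[str, List[str]] = {"compliant": [], "noncompliant": [], "unverified": []}
    for rec in records:
        out[classify(rec, now)].append(rec["asset_id"])
    return out


def status_at_theft(records: List[Dict], asset_id: str, stolen_at: datetime) -> str:
    """What the organisation can truthfully announce about one stolen machine.
    Only a report made before the theft counts, and one older than
    MAX_REPORT_AGE at that moment yields 'unknown', never a guess."""
    rec = next((r for r in records if r["asset_id"] == asset_id), None)
    if rec is None or rec["last_report"] > stolen_at:
        return "unknown: no report on file before the theft"
    age = stolen_at - rec["last_report"]
    if rec["encrypted"] is None or age > MAX_REPORT_AGE:
        return f"unknown: last report {age.days} days before the theft"
    return "encrypted" if rec["encrypted"] else "not encrypted"


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    print(audit(inv, THEFT_DISCOVERED))
    for asset in ("LT-0002", "LT-0003", "LT-9999"):
        print(asset, "->", status_at_theft(inv, asset, THEFT_DISCOVERED))
```

    Run against the constructed rows, the audit lists LT-0002 as noncompliant on the day of the theft, so the "was it encrypted?" question is answered at once and correctly, and it refuses to vouch for LT-0003 because its last report is six weeks old: a fresh report, not a checkbox in a spreadsheet, is what makes a public statement defensible.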

     
  • UK Lawyer’s Office Is Burglarized: Laptop Security A Concern

    A barrister (that’s a lawyer, for Americans) in London came to his office to find a laptop computer stolen.  The computer contained the details of an inquiry into the murder of Billy Wright.  For those who are not aware, Billy Wright was the founder of the Loyalist Volunteer Force, a paramilitary group he started after he was expelled from the Ulster Volunteer Force for being a tad overzealous—and breaking the cease‑fire during the negotiations for the Belfast Agreement. 

    The Belfast Agreement was supposed to usher in an era of peace and tranquility in Northern Ireland; leaders of two of the parties involved were awarded the Nobel Peace Prize in 1998.  However, the violence, while it has subsided, still continues a decade later.  Indeed, the Loyalist Volunteer Force still exists, although it seems to be in a diminished capacity.

     

    The vendettas, however, are still very real.  For example, just last week the Lurgan Mail reported the firing of staff at a hospital for breaches of patient confidentiality.  One of those fired was the mother of the leading LVF figure in the area and—this might be a premature conclusion—it seems that some of the information was used by the LVF to attack people (rivals, perhaps?  I’m not sure; the article didn’t detail what relations existed between the attacked and the attacking members, if any).  However, the attacks were what prompted hospital administrators to search for a breach of data, so….

     

    Going back to the stolen laptop, information on the device “contained confidential and legally privileged information in connection with the inquiry, including some details about a number of individuals in Northern Ireland…Those individuals are being notified and the potential implications of the theft are being assessed.”  The potential implication.  Right.  It could be that the objective was the laptop.  Or perhaps this was just a random burglary and the laptop was easily available. Regardless, if the latter, is it any less of a data breach?  It’s not as sensational as paramilitary types conducting some James Bond action, but less of a data breach?

     

    I’d say that anyone who’s a professional—in the strictest meaning of the word—should impose upon themselves the need to protect the welfare of their clients.  In many ways, the laws already do point towards it.  Maybe it’s time to update those laws, although I find it puzzling that a law would have to be passed for something that’s quite obvious.  Encryption of messages and data has been present since time immemorial.  In the UK, for example, lovers sent each other encrypted messages in the agony columns…during the Victorian era.  We’re talking about the 1800s here.  And encryption technology has only gotten better since then—and spread to many different devices.

     

    For example, AlertBoot allows one to encrypt entire hard drives or files or both on any type of computer, be it a desktop, a laptop, or a smartphone.  Plus, there’s ways to restrict who has access to the machine itself.  With technology such as this, there’s no excuse not to protect sensitive data.

     
  • Hospital Laptop Security: The Potential Consequences or How Patient Information Can Be Misused

    The Star-Ledger has an article detailing how hospital data was used to enable identity theft.  It turns out that there were no computers involved in this particular instance, but it shows the potential ramifications of losing an unencrypted data device, such as a laptop, from a hospital setting—highlighting why laptop encryption services like AlertBoot are necessary.

     

    Samuel Jacobs, who worked at the Passaic County Hospital, supplied John Polo with names and Social Security numbers by photocopying information from hospital records.  In this day and age it might seem a little archaic, but data is data no matter what form it takes.  Polo used this information to open various E*TRADE brokerage accounts, and abused certain conditions set by E*TRADE to effectively steal money from E*TRADE.  Polo was able to withdraw more than $20,000 before he was stopped.

     

    Now, part of the information that was handed over to Polo did include credit card information.  However, he did not need that information to commit fraud at E*TRADE.

    E*TRADE allows account holders to withdraw funds from their accounts before deposited checks clear.  Polo would deposit a $5,000 check into a new account, go to an E*TRADE terminal (an ATM operated by E*TRADE, if you will, so no nosy bankers are around) and withdraw the cash.  The check for $5,000 was invalid to begin with, of course.  The accounts were opened in the victims’ names using fake IDs.

     

    Here is a very clear-cut case where victims of identity theft can take a financial hit, even if the stolen information does not include financial data.  And, in the end, the victim will probably not have to own up to the money issued under their name; however, I would bet good money that those amounts will end up on some debt collector’s list while the details are being hashed out.  Well, maybe not with E*TRADE; but surely with some company.  I mean, isn’t that how credit card fraud-instigated debts end up hassling innocent people?

     

    This incident also highlights why you need to think about your security options as a whole.  Encrypting electronic data is not a panacea.  If you safeguard all of your electronic data but improperly dispose of hard copies—such as printed material—you will still have a data breach.  So, feel out your options.  Find out what is necessary.  If ports need to be blocked, make sure they are not accessible on the laptop.  If you’re concerned that somebody will run a software application that they should not, such as a file-sharing application, ensure that you can enforce application control.

     

    But above all, don’t go around claiming that people should remain unconcerned about a personal information breach because financial information was not included.

     