AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

February 2008 - Posts

  • Grab And Smash Hard Drive Disk Theft Creates Information Security Breach

    Seems like California’s education system is somehow getting involved in a rash of thefts that may eventually lead to identity thefts and other personal information‑related crimes.  In addition to the Modesto thefts where over 3000 and 8000 people were affected, and the 4000 people recently affected in Clovis, there are now reports that Torrance school district employees will be affected by a stolen hard drive.  I guess it makes sense, since they’re all tied to the one incident at Systematic Automation, Inc.

     

    The Orange County company engaged in administering employee health benefits has lost information on 2200 Torrance Unified School District employees.  The hard disk was lost in a smash‑and‑grab incident on February 11.  Personal information potentially exposed via the theft includes names, addresses, dates of birth, and SSNs.

     

    Employees were alerted of the situation by Systematic Automation—employees have yet to hear it from the Torrance Unified School District—so quite a number of employees are upset at their employer, the school district.  Not that they’re being blamed for the incident.  And they shouldn’t be.  I mean, I don’t know if the Torrance school district had sent their employee information on encrypted disks like the Modesto schools did; however, it’s apparent from previous examples that it wouldn’t have helped.  The printer saved all the encrypted data in an unencrypted format.

     

    As commented before, this was probably because the printer needed to have the information in an unencrypted format—if you can’t read it, you can’t use it.  However, I should point out that whole disk encryption (full disk encryption, if you prefer) is pretty much tailor‑made for preventing data breaches for the above scenario.  If you protect the entire hard disk using encryption services like AlertBoot, it doesn’t matter that individual files were left unencrypted when the entire disk—or even the laptop or desktop—gets stolen.  Short of finding out what the username and password combo is for decrypting the information, there’s no way to access it.

     

    Mind you, this is different from the username and password combo you face when firing up Windows.  In those cases, you can easily bypass the passwords to get to the data.  This is why many states, including California, don’t require a public announcement when encrypted information is stolen—since there is no sensitive information breached in such an instance.  However, if the only thing protecting the data is the Windows username and password, you’ve got to let those affected know.  Just like Systematic Automation.

     
  • Laptop Encryption Not Secure or Safe? Must Be A Slow News Day. My Take On The Princeton Research

    I initially read the news on The New York Times, and the story has spread since.  Must be a really slow news day, because I don’t think I’ve ever seen so many different news sites—traditional media or otherwise—cover a computer security issue on such a scale before.  Of course, it could mean that we’ve had a surge in media outlets that cover this kind of stuff.  Or, it may indicate that the issue is of extreme importance; I don’t agree that it is, although I’m sure the tinfoil brigade will beg to differ.

     

    What am I ranting about?  Well, the Gray Lady and others report that researchers at Princeton are able to hack into laptops protected with advanced encryption.  However, most of the media has approached the story in such a convoluted manner (not the NYT, by the way) that they’re making it sound as if encryption is about as safe as having a poodle in charge of El Dorado’s gold.  Plus, there’s the canned air, which we’ll come to later.

     

    Before I go on, let me state in unequivocal terms that the security flaw described here is irrelevant to 99.99% of the people out there, in my opinion.  I still advocate whole disk or other encryption software, like those offered by AlertBoot, for protecting sensitive data because the vulnerability’s impact for most people is about as relevant as an announcement that tachyon particles are real: exciting in certain circles, but immaterial to most. (If you’re wondering, some think that tachyon particles will allow time travel.  As of yet, they’re theoretical; but even if they were real, they’d exist for less than a second.  It’s one of those particles.)

     

    What did the Princeton guys find that’s causing all this hubbub?  Essentially, they can bypass advanced encryption using their custom software if they can access the contents of the RAM chip in time, even if the computer’s turned off.  The software will be distributed to security researchers (and eventually the bad guys will have a copy as well, I presume).  The technique, an attack focusing on the encryption key, can also be used on a computer that’s not turned off.

     

    A key is necessary to encrypt and decrypt data, i.e., to scramble, and later make sense of, the data.  This key is loaded to RAM when in use and can’t be encrypted (if it were encrypted, then a key to the key would be needed, which in turn is not encrypted, so that would have to be encrypted, which means another key is needed, and so on—the point is, you’ll eventually have an unencrypted key somewhere, so encrypting the key is pointless).

     

    The researchers have created software to fish this key from the computer’s RAM, which is not unlike finding someone’s password written somewhere.  If you know the password, the most advanced encryption in the world won’t protect scrambled data, and this is true as well if the key is compromised.  So far, this is all logical and old news, with the exception of the software that the researchers developed for finding encryption keys in the RAM.

     

    What’s attracting a lot of attention in the media, it seems to me, is that the hack can be successfully carried out on computers that have been turned off as well—if the attack is carried out within one minute or so after it turns off.  This is because the information in RAM is not wiped out instantly.  Instead, it decays as the electric charges in the RAM decay.  This is not news, either.  A RAM chip is basically many tiny capacitors on a chip, each capacitor being a temporary container for electricity.  The electricity in turn switches things on and off, each “on” or “off” position representing data.  Cut the juice and the RAM returns to its original, unpowered state, i.e., no data.

     

    If you’ve ever played with capacitors, you know it can shock you—in fact, it could kill you—after a device has been turned off unless you give the capacitor time for its electric charge to power down.  It’s only natural, then, that electricity in RAM will gradually disappear after the computer is turned off.  This process will sometimes take a couple of minutes, according to the researchers’ testing, but usually takes seconds.  The data will also gradually disappear—this is what people mean by “decay.”  Most people are unaware of this short‑lived decay, and assume that once you cut the electric supply, that’s the end of the story for the data in the RAM.

     

    The Princeton researchers have taken advantage of this momentary state where the RAM still retains the data.  Their key‑finding software includes a way to compensate for the information decay in the RAM.  But as the researchers themselves point out, you’ve got to start using their software generally within minutes of cutting power, before there is too much decay.

     

    This is where the canned air comes into play.  Past research has shown that decay can be slowed if the RAM is in a freezing environment.  The researchers inverted a container of canned air and sprayed the contents on the RAM, pretty much freezing the RAM chip and prolonging the retention of data.  If you’re not aware, the stuff coming out of an upside‑down can of air is way below freezing (there are specific warnings not to do this on the can itself)—and this is like manna for journalists covering the world of computer security.  I mean, read the headlines: “Canned Air Renders Computer Encryption Useless!”  It makes great copy.  It’s definitely less fun if you say that the researchers needed to cool the RAM down to -60 ˚C.

     

    What does this mean for people like you and me?  For one, run if you see someone approaching you with an inverted can of air—he might give you frostbite.  Computer security‑wise, it means that you’re not protected if your encrypted computer gets stolen while you’re working on it or within minutes of shutting it down.  The former is just obvious and common sense, and was always the case—after all, an open safe is vulnerable to theft.  The latter is a vulnerability if the FBI decides to bust you in a surprise raid and you pull the plug on your computer.  Of course, your immediate concerns should be other stuff, such as not getting shot.  Or tasered, bro.

     

    For the rest of the world, who need to protect their data if their computers are lost or stolen, due to break‑ins, muggings, or otherwise, encryption is still a necessity and a practical, effective way of preventing data breaches.  I expect a thief will run as far away as possible after stealing a laptop, not stop mid‑flight to pop open a laptop’s memory compartment and freeze it within the required minute or so; it just sounds ridiculous.  I think Microsoft, of all companies, put it best:  “The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer's memory can be accessed by a determined third party if the system is running.” [from CNet]

     

    And while the Princeton case is novel, I don't think it is so unusual that it merits all this attention outside the usual circle.  Like I said.  Must be a slow news day.

     
  • Newfoundland Student Data Breach Affects 28,000. Laptop Security Lacking

    The Canadian Press is reporting that the Eastern School District administrative offices reported four laptops missing, presumably stolen, from a secure location with guards and security pass entry.  I’m guessing the latter is a reference to some kind of electronic key card system.

     

    The information on those machines took several days to compile, and the administration has concluded that compromised information includes names, addresses, grades (not the report card, but K‑to‑12), health card number, and phone numbers of 28,000 students at 56 schools.

     

    The laptops were protected by passwords, allowing the Eastern School District CEO to claim that access was “limited.”  

     

    Hm.  I concur. Limited—just like access to a home is limited to those who hold the key or have a battering ram.  And in the computer world, the battering ram required to get past passwords is a CD with a program that is easily and freely available over the internet.  (There are other methods, but let us keep it simple, yes?)  What they should have had on that laptop is encryption, not password‑protection.  What’s the difference, you ask?

     

    Perhaps a simple analogy would help.  Encryption is like putting something in a safe with locks—strong ones.  Password‑protection is like hiding something in a hollowed out book.  In both cases, it’s just a matter of time before each yields its secrets.  However, most would agree that the hollow book does not require much expertise to crack and would be deemed as terrible security for anything other than, say, a flask of whiskey.  Plus, it protects only if someone is not actively looking for something.  Likewise with password‑protection.  It’s protection only if someone is not looking to gain access to the stolen laptop.  Otherwise, you can expect an information breach.

     

    Now, with the safe—again, it’s also just a matter of time; I don’t deny that it can be broken into.  But unlike a hollow book, it’s going to take a long time.  The thicker its walls, the longer it’s going to take.  If it’s designed right, dynamite won’t work.  There’s nothing left to do but drill it—possibly for days, perhaps months.  Data encryption on a computer affords one the same security.  Except “drilling” it is going to take decades, probably centuries, perhaps (and this is no joke) longer than the age of the universe as of right now.  The thief will be dead by the time he can access your data.

     

    Plus, if you sign up for encryption with certain companies—like AlertBoot, which offers managed encryption services—you also get the benefit of powerful reporting, meaning it won’t take four days to figure out the extent of a data breach.

     
  • Vineyard Victim To Computer Theft and Possible Information Security Breach

    J. Lohr Vineyards and Wines is notifying the Attorney General’s office in New Hampshire that two computers were stolen from their office at company headquarters. A reconstruction of the computer data showed that one of the computers contained the names and Social Security numbers of J. Lohr employees.

     

    A copy of the letter to be sent to affected employees, filed with the New Hampshire AG, opens with the following: “… recognizes the importance of safeguarding its personnel information.  Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct.”

     

    This is a true statement; however, the truth comes in a variety of shades.  Could J. Lohr have done more to prevent their computers from getting stolen?  Absolutely.  If they had a platoon of armed Marines protecting those two computers, chances are they would be extremely hard to steal.  Nobody could argue under such a scenario that the winery hadn’t done enough if someone had managed to steal the devices.  It would also cost an arm and a leg for protecting what may retail for $1000. Not cost effective; not realistic.  Plus, I’d imagine the mood wouldn’t be conducive to romancing the wine with armed soldiers all over the place.

     

    Everyone, be it a person or a company, weighs their options when it comes to making a decision.  If you happen to be a small winery, and most of your assets are tied down—in huge, heavy oak barrels, for example—then chances are a locked door seems sufficient protection for your computers, especially considering that their monetary value is so small compared to everything else the company owns.  If your company deals with data and nothing else, then information security is at the top of your mind.  Plus, who’d travel all the way through those open fields of grapes just to grab a couple of computers, right?

     

    I think the above quoted statement stems from ignorance, not as in chicken‑brains but as in “they have no idea.” The fact is that there are certain cost‑effective things one can do to protect data that approach the most rigorous safeguard that can virtually guarantee protection.  Number one on the list is encryption, be it file or whole disk encryption, available via AlertBoot.  Encryption of the hard disks found inside the stolen computers would have protected the information from being leached—say, to criminal organizations such as a data identity theft ring.  It would be cheaper than hiring a security guard.  Possibly cheaper than filing a letter with the AG (a lawyer was involved, right?), and definitely cheaper than signing up for credit monitoring and fraud alert for all affected.

     

    Of course, encryption isn’t a panacea.  For one, it can’t go after the perps if they’re caught red‑handed; you need a human or a robot for that.  However, if a company regularly backs up data and uses off‑the‑shelf computers at their place of business, think of all the extra expenses and efficiencies one could save if they replaced just one on‑duty guard with encryption: Health insurance. Bonuses. Sick days. Donuts.  Plus, encrypted data stays protected even if the perps get away.

     
  • Irish Blood Donor Data Security Breach Potentially Averted

    At least, I’d say it was averted.

     

    A laptop computer with over 171,000 confidential blood donor records was stolen in New York.  Irish Blood Transfusion Service (IBTS) had sent an encrypted computer disk with the records to New York.  The information was copied to a laptop, and somewhere along the line the poor bloke carrying the laptop was mugged coming out of his home.

     

    The donor information included names, dates of birth, addresses, and blood types.  The reason for sending the info all the way across the pond?  The company was upgrading its software to provide better service, and had engaged New York Blood Center’s services.  The good news is that IBTS, as well as its New York counterpart, had the foresight to encrypt the blood donors’ information:

    “We are always aware of the potential for data loss and took all measures to ensure that state-of-the-art data encryption was used,” said the service. “The records were on a CD that was encrypted with a 256-bit encryption key. These records were transferred to a laptop and re-encrypted with an AES 256-bit encryption key. This represents one of the highest levels of security available and to our knowledge there is no record of a successful attack against this level of encryption.” [from the Irish Examiner]

    It’s refreshing to find a company that has done it right all the way through.  Not only was the CD encrypted, they had the information transferred to a laptop and had that file encrypted as well—a lot of companies tend to flub the transition (which, honestly! what’s the point of encrypting data if you’re going to save it unencrypted somewhere else?)  This certainly contrasts with the other blood donor company that made the news due to a donor information security breach.

     

    That 256‑bit encryption mentioned by IBTS?  Pretty much the strongest form of encryption one can get commercially.  While you can get something stronger, most people feel a slight performance hit on their computers.  If you want the strongest stuff, chances are the NSA will come knocking on your door.  That’s right.  The “No Such Agency” guys.

     

    Could things have been improved?  Well, I guess each employee could be teamed up with a Chuck Norris clone to protect them from muggings.  On a more pragmatic note, I’d like to point out that, assuming the stolen laptop was a company‑issued machine, there might be other sensitive information besides the donors’ information.  If only the latter was protected with encryption, that remains safe; but any other information on the laptop would not benefit from encryption.  If the New York company had decided to use whole disk encryption, like that offered by AlertBoot, it could pretty much guarantee that everything on that laptop is safe from the clutches of the mugger—not just the blood donor information.

     
  • Leading Korean Auction Site Falls Victim To Data Breach

    The South Korean on‑line auction site—officially known as Internet Auction Co., and for all intents and purposes owned by eBay, the behemoth having acquired a majority stake back in 2001—fell victim to a data breach earlier this month.  Among other things, it was revealed that the hackers tried to get ransom in exchange for the breached data, and that auction participants—active or otherwise—were not alerted of the breach for twenty hours.  Twenty long hours during which business proceeded as usual, but as plenty of people are pointing out, could have resulted in serious problems for sellers and buyers without them knowing that anything was amiss.

     

    The information stolen by Chinese hackers included names, account information for refunds, addresses, email addresses, phone numbers, and national ID numbers.  The latter is used for many purposes in Korea—anywhere you need some kind of government service, such as Social Security and medical services, or opening a bank account, for example.  It is also used for identity verification when signing up for on‑line accounts of any kind in Korea.  This took effect just last year, in an effort to curb negative comment feedback.

     

    Well, I say “negative,” but what I really meant was libelous comments.  Celebrities as well as just regular folk have been subject to libelous rumors—sometimes resulting in a string of suicides.  The use of national IDs was implemented in order to curb the start of irresponsible rumors, and to more easily track down offenders.

     

    As can be seen from the above, the theft of such information can have an incredible impact.  And like in the U.S., it is very hard to rectify your records once they go bad.  Needless to say, this is a very serious issue for the 18 million Koreans affected.  So, how did this happen?

     

    According to official reports, Auction employees were sent mass e-mails, which when opened, automatically transferred usernames and passwords on the user’s computer to the hackers.  The description of the process—the lack of any action on the Auction employees’ part to become a victim—has many saying that it’s probably a case of Cross Site Request Forgery (CSRF), sometimes called session hijacking or session riding.  The method is not particularly new—the issue was pointed out as far back as 2001—but it’s been infrequently used and, hence, most people are not aware of it, although a problem concerning the Google AdSense program brought it some notoriety.

     

    Unfortunately, this is one of those instances where information security services like AlertBoot cannot help.  Based on my short research, the only surefire way of preventing CSRF would be to disable cookies completely as well as log out from every session when going from site A to site B—that is, log out of Gmail when you decide to open up another website.  However, this not being realistic, there are other, pragmatic methods.  One effective method is the use of temporary session tokens to randomize the URLs of websites.  This particular site (http://www.0x000000.com/?i=309) seems to have an easy‑to‑understand explanation on what CSRF is, as well as ways to prevent its occurrence.

     

    On second thought, maybe AlertBoot can help; companies lax in one security area tend to be lax in other areas as well….
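
    The temporary session token defence mentioned in this post, sketched as an added example (not code from the original post, from the linked site, or from the auction site). The function names, the 15-minute lifetime and the `csrf_token` form field are assumptions made for illustration; the token could equally be carried as a URL parameter.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret for this example; a real server loads it from protected
# configuration so every token it issues can later be re-verified.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME_SECONDS = 15 * 60  # assumed lifetime of a "temporary" token


def _mac(session_id: str, issued_at: int, nonce: str) -> str:
    # Binds the token to one session and one issue time. Session ids are
    # assumed to be server-generated and to contain no "|" separator.
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Create the value the server embeds in each form (or URL) it renders."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)  # unpredictable, so the token cannot be guessed
    return f"{issued_at}.{nonce}.{_mac(session_id, issued_at, nonce)}"


def verify_token(session_id: str, token: Optional[str],
                 now: Optional[int] = None) -> bool:
    """Accept only an unexpired token that was issued for this session."""
    if not token:
        return False  # a forged cross-site request carries the cookie but no token
    parts = token.split(".")
    if len(parts) != 3:
        return False
    issued_raw, nonce, mac = parts
    try:
        issued_at = int(issued_raw)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if not 0 <= now - issued_at <= TOKEN_LIFETIME_SECONDS:
        return False
    expected = _mac(session_id, issued_at, nonce)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), mac.encode("utf-8", "replace"))


def handle_state_change(session_id: str, form: dict,
                        now: Optional[int] = None) -> int:
    """Hypothetical handler for a state-changing POST; returns an HTTP status."""
    if not verify_token(session_id, form.get("csrf_token"), now):
        return 403  # the session cookie alone is not enough
    return 200


if __name__ == "__main__":
    token = issue_token("sess-A")
    print(handle_state_change("sess-A", {"csrf_token": token}))  # legitimate form
    print(handle_state_change("sess-A", {}))                     # cross-site forgery
```

    The check matters because the browser attaches the session cookie to a cross-site request automatically, while the token is only present in pages the site itself rendered for that session.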

     