in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

March 2008 - Posts

  • Indiana VA Arrests Laptop Theft. Still Doesn't Know Whether There Was Full Disk Encryption

    A former patient has been charged with the theft of a laptop from a VA hospital last November.  If you’ll recall, the Indianapolis VA center found itself short of a laptop, two desktops, and assorted peripheral equipment.  The items were stolen over Veterans Day weekend, ironically enough.  One of the stolen computers contained information on nearly 12,000 veterans.  The thief was identified from surveillance video recordings and has been apprehended; however, the laptop containing sensitive data has not been recovered.

     

    I’ve heard how insiders pose something of a higher risk when it comes to security breaches, but this certainly is a twist.  When the story broke initially last November, there were some conflicting reports on the state of encryption on the computers.  Initially, it was reported that there was no encryption.  Later, the statement was amended to “there may be encryption.”  Even now, with suspect under arrest, they still don’t know if the stolen laptops information is protected using encryption.

     

    In many ways, this is not surprising.  According to an article I read a couple weeks ago, half of the Fortune 500 companies are unaware of how much computer equipment they own.  I imagine a sprawling bureaucracy wouldn’t be any better in keeping track of their assets.

     

    Incidentally, this shows why some encryption solutions are more appropriate than others.  There are only a handful of encryption algorithms that so far have proven to secure data. These algorithms are the core technology of encryption solutions, be they free or otherwise.  However, an organization needs more than encryption.  They also need to be able to prove that the machine they claim was encrypted was, indeed, encrypted.  A real and necessary part in the process of securing data is performing audits.

     

    AlertBoot was designed with this in mind.  Not only do companies get proven encryption technologies such as RSA or AES, they get powerful reporting to make sure that they’re adhering to compliance measures.  This way, if an organization like a hospital has their equipment stolen, they can unequivocally say that the public has nothing to fear, since their information is protected, as opposed to saying that it may be encrypted.  I mean, doesn’t that really mean it may not be encrypted?

     
  • Georgia Getting It Only Half Right: Not Getting Hard Drive Encryption

    The Department of Human Resources (DHR) in Georgia has alerted current and former employees that the department has experienced a data breach.  The incident took place on March 19, when it was found that an external hard drive containing names, Social Security numbers, birth dates, addresses, and federal tax information went missing.

     

    One must applaud the DHR for responding swiftly to the data breach.  Not only have they alerted their employees only a day after the breach itself, they’ve already contacted the three credit bureaus to sound the alarm, and are already conducting an internal investigation.

     

    However, there are reasons for concern on how the DHR is approaching the situation.  Supposedly, the DHR has instituted a new directive, right after the incident, requiring password protection on external drives, including USB flash drives, as well as ordering employees to physically secure items when away from their desks and offices.

     

    There is nothing wrong with physically securing items.  Indeed, it is the first step towards their security.  But, password protection?  Such a security “feature” is better than nothing, yes, but it is also close to nothing.  It’s like tipping the maître d’ at a restaurant twenty cents to secure a good table.  Yes, it is that worthless.

     

    What the Georgia DHR should do is look into data encryption packages, for reasons other than office items randomly disappearing.  The past couple of years have already shown that break-ins into government offices are not unusual.  Plus, high-value items of diminutive size and weight, like laptops and desktop computers and other electronics, are by far the most targeted items by thieves.  There is no way that locked desks can be considered security in a break‑in; there is no way that password protection can be considered security once the stolen device has left the office premises.

     

    The federal government has indirectly acknowledged that the only way to protect information in the digital age is to encrypt data using software like AlertBoot.  They have done this by signing a blanket agreement last year for encryption products.  On top of that, the military has also acknowledged the benefits of encryption by requiring that all data‑at‑rest devices be encrypted, regardless of the type of data housed in said devices.

     

    It behooves the state of Georgia to look into this issue more carefully.  If they already had whole disk encryption in place to secure all drives, external and internal, they would have been applauded for their foresight and commitment to public trust—a commendation more worthy than one extended for a swift response.  Plus, their employees’ information would have been protected, which is nothing to sniff at in this day and age.

     
  • Hard Drive Encryption Could Help Aussie Government Avoid Data Breaches

    The West Australian is reporting how second‑hand computers sold by the government may lead to data breaches.

     

    An audit of disposed government computers—via donations, sales, and auctions—showed that sensitive and confidential information could be found in four out of ten computers.  The information ranged from salaries and other details of public servants to government projects.

     

    As pointed out by the auditor, the information found on these second‑hand computers could be used as the foundation for successful social engineering attacks, allowing criminals to carry out fraudulent activities.

     

    The computers tested cost anywhere from $2 to $180 (I’m guessing Australian, which is currently pretty much at par with the US dollar).  If one does the math, then, $20 to $1800 will land you about four computers with sensitive information; information that could be exploited to net gains tens of times, potentially thousands of times,  more money than the initial outlay.

     

    As more and more people are beginning to find out, deleting data doesn’t mean that the data is gone.  Deleting data on a computer is more like shredding paper documents as opposed to burning them.  And while to the lay person shredding and burning seems to be about the same when it comes to protecting information found on documents, it’s not necessarily so.

     

    For example, I’ve heard in the past (but haven’t been able to confirm) that the IRS has reconstituted the shredded tax forms, hundreds of pages, of a tax filer suspected of fraud.  In order to prove their case, the IRS reclaimed the man’s garbage (which is public property, as far as I know) and pieced every single page together, shred by shred.  I think we’re talking microcuts, so that was no easy feat.  Anyway, the fraudster was arrested based on the evidence, and the documents were encased in glass and is now hanging in the lobby of one of the IRS buildings.  I’m guessing probably HQ.

     

    Of course, if the documents had been burnt, there would be nothing to display in the lobby since it would’ve been impossible to reclaim anything.  The story is the same with electronic data stored in your computers.  Deleting files is akin to shredding it.  Even reformatting the hard drive is like shredding it; your information is still there, waiting to be plucked up, except it’s infinitely easier to reclaim than information on shredded paper.

     

    The only way to “burn” digital data is to torch the hard drive (literally burn it) until it’s a gloopy mass.  Or to rewrite every single space on the hard drive multiple times with random data.  The lowest number of passes, and hence the least secure, is three times, according to the DoD).  However, this process takes forever because it has to be done more than once, and because hard drive capacities keep increasing exponentially: the bigger something is, the longer it’s going to take to fill it in with gobbledygook.  My laptop with eighty gigabytes of disk space takes north of 3 hours for two passes, for example.  Try doing this for tens of thousands of computers at once, and you’ve got a nightmare.

     

    There is, however, an effective method to safeguard discarded computers with plenty of side benefits: encryption.  Whole disk encryption of computers’ drives will ensure that the information cannot be accessed once the machines are tossed.  Indeed, new owners will be able to reformat the drives and install new operating systems, and use the computers like they usually do.  At the same time, former owners won’t have to worry about their information being exposed by accident.

     

    What are the side benefits?  Well, governments tend to suffer from thefts, just like any organization.  And in some cases, these thefts result in spectacular information security breaches.  If they were to use full disk encryption, like the managed encryption systems offered by AlertBoot, data security breaches could be avoided during the machine’s useful lifetime, and beyond.  And unlike data rewrites, encryption only needs to go through the entire drive once, not three times, so there is significant time savings.  And significant times savings equals significant tax payer money savings when it comes to a bureaucracy.

     
  • Insurance Company Suffers Data Breach. Considering The Use Of Device Encryption

    Starling Insurance and Associates, a Colorado‑based company, is notifying their customers that their personal data may be compromised, including Social Security numbers, dates of birth, drivers license numbers, account information, and names.  The data breach appears to have occurred earlier this month, and those affected were notified beginning March 5.

     

    A letter to the Attorney General of New Hampshire shows that the data breach was caused by the theft of a server from a locked office, and while the computer in question had password‑protection (a misnomer, in such cases), there was no encryption in place to protect the data.  Currently, it appears that the company has no idea how the data breach came to be, or what kind of information was actually lost, as they are in the process of reconstituting the information from backups.  However, they’re pretty sure that some or all of the information listed above are included in the lost server.

     

    What more could have Starling Insurance have done?  It seems to me that they could have done what every single insurance company on the face of the world does: assess risks and asses expected values.  More specifically, they should have figured out the ramifications of the data breach to the company on a financial basis, including damaged reputation, likelihood of lawsuits, and costs of credit monitoring services.  If they had done that and compared it to the amount spent on device encryption services like AlertBoot, they would have realized that it made sense to go with data encryption.  Encryption is like insurance in many ways: it tends to look like an unnecessary expense (I’m paying all this money and my server’s not getting stolen!) until disaster strikes (oh, my god!  My server was stolen!)

     

    Unfortunately, it seems many companies still don’t think of it this way.  Instead of likening data encryption to insurance—an on‑going expense that, despite not generating any revenue, is widely considered to be necessary, just in case—encryption seems to be viewed as…well, as not worthy of any expense at all.  They’re only interested after something has gone terribly wrong.

     

    Starling has sent a letter informing those affected about the incident.  On the last page, there is a Q&A section where it states it will look into obtaining any additional security measures, if necessary, in order to prevent a repeat of the problem.  I think that once they start looking into encryption they’ll find full disk encryption for any future servers will be very cost‑effective.

     
  • Hannaford Suffers Credit Card Data Breach. Could Their Drive Encryption Processes Be Stronger?

    Hannaford supermarkets has been alerting their customers that there has been a data breach of credit card and debit card numbers.  The statement that they’ve released made an emphatic point to let the public know that the information breach concerns those numbers alone, and does not extend to other personal information such as names and addresses, which Hannaford does not collect.  And good for them, too: personal data collection and retention was one of the root problems following the TJX data breach a little over a year ago.

     

    Hannaford has also pointed out that they’re using the latest encryption protocols which are in compliance with PCI.  In fact, they were certified as PCI compliant last year and recertified just this past February.  However, 4.2 million credit card and debit card numbers were exposed in a breach that lasted four months from December 7 to March 10.  About 1800 cases of fraud have been linked to the breach.

     

    Law enforcement agencies are still working on the case, but based on the Hannaford CEO’s statement, it seems that the breach stemmed not from using weak encryption—the problem that riddled TJX—but by the hackers targeting the weakest links in the chain, sometimes known as the man-in-the-middle attack: targeting any or all of the points between the cash register (the point of sale where the credit card number is entered) and the card processor’s servers (where the A-OK is given to charge the card).

     

    Security experts point out that such attacks are nearly impossible to prevent, unlike using weak encryption for protecting data (easily fixed by using a stronger form of data encryption).  Man‑in‑the‑middle attacks could range from bribed network administrators to Trojan malware surreptitiously installed in computers to rogue vendors with intent to steal big.

     

    Assuming that the criminals got the credit card numbers via some other method than cracking the encryption used for data transfers, it’s obvious that stronger encryption is not the answer.  In fact, if criminals are beginning to give up on cracking encryption, it’s probably a sign that it’s working and security practices have to be strengthened in other areas.  Under the above assumption, switching to stronger encryption would be a detriment for Hannaford since it would mean slower check outs at the register without affording extra security: stronger encryption means longer encryption times.

     

    For example, if you sign up for AlertBoot full disk encryption to protect the contents of your laptop’s hard drives, you get choices on how what type of encryption to use, such as RSA or AES; 128-bit over 256‑bit; etc.  The stronger the encryption algorithm, and the bigger your hard drive, the longer it takes to scramble every bit of information because the entire drive is encrypted, including the unused spaces.

     

    However, with laptop encryption you can design it to have a low as an impact on the system as possible so the enduser doesn’t notice there’s encryption going on while working on a document.  But waiting in line at a supermarket?  Everyone feels inconvenienced by that, and a small increase in waiting time would be even more inconvenient, so unless it can be demonstrated to retailers that stronger encryption does mean extra protection for customers, I don’t see it happening.

     
  • When Drive Encryption Or Other Security Measures May Be Needed?

    It’s the sign of the times.  The Age in Australia is reporting how thieves burglarize a home once they get their hands on a stolen GPS device from a car.  In a way, it makes sense.  Once a thief steals a GPS device from a really nice car (and if he’s pretty sure it’s not a rental), logic would lead him to believe that the victim’s home would have nice things, too.  To confirm the above, the thief can just power on the device and check the target area.  After seeing whether “home” is in a nice residential area, he can weigh his options regarding an encore to his current law-breaking ways.  It certainly is convenient for the criminal.

     

    And the above is not a what‑if scenario.  The Age was prompted to report on this because homes in Britain were being ransacked via this method.  In fact, what the burglars do is figure out how far away from home the victim happens to be.  Then, they make a beeline to burglarize that house knowing a) there’s no one home and b) how long it will take the unsuspecting victims to return home.  I imagine that if I were under those circumstances, it would take me a little bit longer to get back home, not because I can’t drive without the GPS device (that could be a factor, too), but because I would report the theft on the spot, leading to delays.

     

    This unexpected result of technology backfiring falls under the umbrella of what economists call unintended consequences, and it tends to crop up whenever a new technology is adopted or created.  The problem’s roots, security wise, lie in that most people don’t consider security when developing new products unless the product is actually geared to ensure security or privacy.  (And even then, some do a terrible job.)

     

    Hence, when a GPS device is created, with the objective to make life a little easier, the last thing its creators are thinking is “how could this be used for criminal intents?”  Of course, if everyone thought that way, nothing would get done.  And taken to extremes, it causes mindboggling situations.  For example, I remember that due to an embargo, a country couldn’t import paper and pencils since these could be used to design weapons, endangering the region that the country was in.  But the unintended consequence in that case was that the economy and education ground to a halt—meaning a lot of downtime; angry, idle people; and resurging violence.  In case of GPS devices, the unintended consequence is enabling the criminals to do more, more efficiently.

     

    Will the problem become worse?  Generally, breaking into a car is a crime of opportunity.  Once the thief has the goods, he tries to offload it as quickly as possible and get away as far as possible.  It’s rare to find someone who’s looking to leverage on his score.

     

    On the other hand, there is reason for concern elsewhere.  GPS manufacturers are beginning to add more features to their GPS devices in a clear case of device convergence.  For example, in Asia GPS devices are combined with PMPs, or portable medial players.  You can think of them as self‑powered hard drives with an LCD screen that will play music and videos; let you tune into your favorite radio and TV stations in real time; and give you driving directions.

     

    These functions don’t pose a problem in of themselves; however, it does give users the ability to store whatever they want on that device, other than music and video files.  Could GPS devices become another way of causing data breaches?  I don’t see why not.  The latest generation of such devices is, from a physical standpoint, a portable hard disk at its core, just like an iPod.  And just like an iPod, GPS devices are designed to be carried around, meaning the chances of losing one of these devices are increased just because they’re that much more mobile.

     

    Problems are further compounded by the fact that such devices don’t come with encryption products like AlertBoot attached to them.  In fact, encryption is probably as far removed from any design plans since such devices have a slow processor (your 10 year-old laptop probably has a faster one), and the endusers would notice an impact.  However, as data retained in such devices increases and more people begin to carry such converged devices—who knows?  Maybe a phone will be added.  The iPhone is certainly going in that direction—manufacturers will be challenged to find a better way to secure the data.

     
More Posts « Previous page - Next page »