AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

April 2008 - Posts

  • Full Disk Encryption And Physical Security: Locked Servers Stolen

    Pogowasright.org is reporting that Central Collection Bureau (CCB), a private company in Indiana, has had a security breach that could potentially affect over 700,000 people.  According to the site, eight computers were stolen from the CCB plus a server.  Other sites claim that the server was part of the eight computers; there is a lot of confusion, with everyone trying to upload the story ASAP.  Regardless, everyone agrees that this is very bad news, and it has affected at least 159 companies (there’s a list out there in cyberspace.  Thank goodness for comma delimiting and file imports in Excel).

     

    Why is this bad news?  Because the information was stored as a clear text file.  That is, the contents were not encrypted. The information in question includes dates of birth, last known address, names, Social Security numbers, and, in some cases, medical codes (not sure what they are; hopefully, they’re just internal codes used by a hospital, and not the government, making them nearly useless for ID thieves).  Plus, the lost information is not in some proprietary backup tape format: the perps only have to turn the computers on to gain access.

     

    The good news, if you can call it that, is that the computers have the weakest form of protection available, the digital equivalent of the little chain for your home’s front door: password‑protection.  However, my guess is that it won’t prove to be a foil.  Whoever stole the computers had to go through three locked doors.  At a collection agency.  The guy (or guys) really wanted to get those computers and, while this is speculation, it must have been for the data (what else would you find at a collection agency?)  And if that was the objective, then a little thing like password protection shouldn’t be a problem.  Besides, depending on what constituted their server, hacking may not be necessary at all: the thieves could just pop out the hard disk and hook it up to another computer and read the contents that way.

     

    People often complain about sensitive data being transported about in a laptop, clucking their tongues and wagging their fingers about data retention in secure servers.  Time and time again, thieves have shown that servers in a “secure” location are not secure unless one has something akin to Fort Knox protecting their perimeters.  Otherwise, people will store their servers in a closet somewhere.  Locked, of course.

     

    Sure, a closet (even one with three locks) may not seem that secure.  However, financial issues are always a factor when it comes to security.  Does one really expect a small or medium-sized business (SMB) to spend upwards of $10,000 annually for a handful of computers that lose half their value the moment they’re purchased?  Especially when “security” is a non-performing asset?  (That means security doesn’t roll in the dough).  Nope, they’re gonna stick those computers next to the broom.  What else are they going to do?  They can’t keep servers in an unlocked closet.

     

    What SMBs need is a way to secure what’s important without denting them too much when it comes to the bottom line: encryption, either full disk encryption or file encryption (maybe even both).  After all, in such instances what everyone is upset about is the loss of the data, not the loss of the computers themselves (well, with the exception of the company).  So, what’s really important is to protect the data.  Data protection solutions like AlertBoot were made for such instances.  Easy and fast to deploy, and offering the latest and strongest encryption methods approved for civilians, AlertBoot is possibly the most hassle-free way of securing one’s computers, be they servers, laptops, or even PDAs.  Try to get something stronger and the NSA will show up at your door.

     

    CCB sure could have used some type of encryption on their computers.  Now, the only thing it can do is try its best to contact all people affected; however, the nature of the affected may mean it’ll be hard to track down a good number of them.  On the other hand if these people’s credits are on average really bad…well, no sense in carrying out ID theft, right?  Maybe it’ll work out in the end.

     
  • Bank Of Ireland Loses Laptops Without Hard Drive Encryption

    Bank of Ireland customers, nearly 10,000 of them, have had their information stolen.  Between June and October of last year, four laptops were stolen from the bank’s life assurance division.  The information breach included data on personal pension plan details, dates of birth, addresses, and bank account details.  Whole disk encryption solutions like AlertBoot were not featured in the stolen laptops.

     

    However, the bank must have realized at some point that full disk encryption is a convenient way of securing the data on their computers: the bank is in the process of encrypting all 5000 of them, which will take about two weeks.

     

    This certainly pales in comparison to how the other type of bank in Ireland handled a similar situation earlier this year.  In February, an Irish blood bank had reported that almost 175,000 people could have been affected by the theft of a laptop (actually, a mugging).  But, chances are they weren’t and won’t be because the contents of the laptop in question were encrypted.  Plus, the CD that went from Ireland all the way to New York with the data in question was encrypted as well (a stark contrast to how the UK government approaches things).  The blood bank made sure that information was protected at every stage of the process.

     

    What prompts certain companies that deal with sensitive data to do everything possible to decrease the probability of a data breach?  And why do others dillydally?  After all, sensitive data remains sensitive no matter who’s holding it.  Plus, there is no guarantee that thieves, muggers, conmen, and other scum of the earth will place some kind of moratorium on stealing your digital assets as you try to figure out what to do—meaning, you don’t know when some guy’s gonna hit the back of your head and steal your stuff.

     

    So, why wait?  For example, why did the bank above wait nearly one year since the first instance of a data breach?  It’s not as if encryption technologies have suddenly gotten tremendously better or cheaper; I’m pretty certain that last year’s offerings remain unchanged this year.

     

    In fact, if shopping for a data protection solution this year, one may face more difficulties: There is now so much interest in data security that companies that have nothing to do with the security business are getting in on the act.  Case in point: A couple of months ago, an external hard drive manufacturer debuted a hard drive with built‑in encryption (RSA, if I recollect correctly).  However, it turns out that RSA, one of the handful of encryption algorithms that are virtually impossible to crack, was relegated to a secondary function.  What was really “protecting” the contents of the hard drive was an in‑house developed encryption algorithm that was easily broken.  Although there is no way to verify it, my guess is they used that approach to save themselves some licensing fees.  I imagine more people will try to enter the market, offering security products and concepts that are untested.

     

    Encryption is one of those things that are better when used promptly.  The sooner you encrypt your data, the sooner it can begin to protect your data.

     
  • Another UK Hospital Finds Laptop Stolen. Hard Drive Encryption Not Included

    A laptop computer with patient information was stolen from Epsom Hospital in Surrey, UK.  The computer contained the information of 180 patients, including dates of birth, names, and addresses.  Thankfully, it seems the hospital’s security cameras may have caught the suspect in flagrante, so now it’s a matter of identifying him and bringing him in for questioning.  The computer in question had password‑protection, but one can conclude from the announcement that no other form of data protection was available, like AlertBoot full disk encryption solutions.

     

    One of the most often asked questions when people are told of such news is, “why was that information on a laptop computer?”  Some will claim that any such information should only be in a secure server (which doesn’t guarantee it from being stolen either, but does feel more secure).  Well, in this case, the laptop was used for patients in outreach clinics—implying that one’s not within the hospital’s network.  Then, some will say something along the lines of “in this day and age of the internet blah blah blah….”  As if internet access were some kind of inalienable right.

     

    Plus, maybe it’s just me, but I’d imagine that outreach patients could be located in the middle of nowhere, where the deer and the antelope play (or sheep.  This is England we’re talking about), and the skies are not cloudy all day.  Chances of there being an adequate internet connection in such a place?  Depends on the region, but I assume there must be places where an internet connection is not an option.  I mean, I know a guy out in the Midwest who gets his internet via satellite at eye‑gouging prices.  The connection goes down the moment a renegade cloud passes by.

     

    The truth is that there are legitimate reasons for transporting sensitive data—be it on a laptop, a desktop, a disk, or some other form; say, Braille.  The hospital case above could be one of them.  Good data security practices must take into account such reasons, and will (and often should) take a backseat to data usefulness; precluding the inclusion of sensitive data on laptops, or requiring that everyone VPN into a secure network in the interest of security regardless of the circumstances, is putting the carriage before the horse.  After all, why collect data if one is going to secure it to the point of it not being useful?  What the hospital should have done is ensure that the laptop computer in question had whole disk encryption.

     
  • Between Honesty and Full Disk Encryption, I’ll Take The Latter

    Not long ago, I sat next to a medical doctor on a flight.  We got to talking and I found that he was from some small town in Mexico.  He found out that I had done quite a bit of traveling.  He asked me if it was true what they said of Japan, that if one lost his wallet, he’d get it back with all the contents intact.

     

    The above story the good doctor was referring to is something of a meme—one of those ideas that propagates within a culture (and in this case, without) and doesn’t quite die. Well, I guess the meme would technically be the Japanese culture’s value for honesty, and the above story a reflection of such a meme.  Either way, for the Japanese Ministry of Culture, it’s probably a good thing: given the choice of traveling to a country of thieves and a country of saints, which would you choose?  Assuming the saints also know how to liven things up, that is.

     

    Now, the above gentleman was quite a bit advanced in his years, so I couldn’t give him one of my trademarked “what are you, crazy?” looks without feeling that I had somehow betrayed my Confucian upbringing (I’m quaint that way).  Not being Japanese myself, I tried to be diplomatic by saying that I’d heard that story as well, and that it’s probably true for the most part; however, I added, it probably depends on the local environment and the circumstances, and that I wouldn’t go around losing my wallet on purpose just to see what would happen.  I mean, if you’re partying it up at a Yakuza drug den…you get my point.

     

    Plus, for all I know, that particular meme may not be valid anymore: just like the human appendix is an antiquated, useless remnant organ, a meme may exist without reflecting the current realities of life in Japan.

     

    Case in point: The Daily Yomiuri Online is reporting that a hospital in Japan has lost a desktop computer with information on 17,000 patients.  And by “lost,” I mean stolen.  The data includes names, conditions, test results, and ID numbers for patients who were subject to electrocardiography over the past ten years.  The hospital requires that such equipment have a password in place, but this particular computer didn’t even have that, never mind an actual data security product like full disk encryption from AlertBoot.  There’s a good chance that a sophisticated computer user is getting his jollies looking at thousands of electrocardiograms while thinking of ways to abuse the medical IDs he obtained.  I imagine stealing a desktop from a hospital full of people would be hard.  On the other hand, slap on yourself a pair of scrubs, and roll the computer away on a cart…who’s gonna stop you?  You look like a doctor.

     

    Of course, there have been other similar incidents in Japan since I talked to el genial doctor, affecting not only hospitals but schools, a national exam, businesses, and, on one occasion, a Japanese embassy.  Japan is, by all accounts, still one of the safest countries in the world, the Yakuza notwithstanding.  However, I’d prefer not losing my wallet over having it returned to me; strong encryption of my personal data; and less reliance on the kindness of strangers.  I mean, I know how that ended for Blanche DuBois.

     
  • Full Disk Encryption Could Be Bypassed Using Chocolate

    Or at least, that would be the logical conclusion to some surprising findings on a survey by Infosecurity Europe.  On the other hand, it may just mean that more women than men in London will lie for a bar of chocolate.

     

    The Infosecurity survey asked total strangers for passwords on their survey sheets, and a chocolate bar was offered as a token of appreciation; I assume the chocolate was pointed out prior to volunteers filling in the survey.  Only 10% of men accepted the deal, which contrasts sharply with 45% of women who accepted.  The thing is, of course, that there is no way for the surveyors to verify the authenticity of the submitted password.  Heck, I’ll bet that, if anything, the passwords written down were even more secure than the passwords actually used by people in real life.  (I would have written something like “sjans@#$#@@#@!!!!!”  Sure, I wouldn’t remember it if you asked me five minutes later, but what the hell do I care, right?)

     

    On a different note, nearly 64% of people approached were willing to fill the survey last year, but only 21% did so this year.  Now, this is surprising to me.  Again, I have to point out the fact that there is absolutely no reason why a person needs to write down their actual passwords—they could easily fake one.  Perhaps the survey was taken on a rainy day?  Or maybe they were offering sub‑par confectionery?  Or perhaps people are truly more security conscious.

     

    Of course, such questions are also being asked by people who have read the findings as well.  In fact, the Register has, as of this posting, over 50 comments.  My favorite observation?  What if the prize was free beer?  Would that have skewed the results in the opposite direction?

     

    All fun aside, I can’t shake the feeling that at least one of the survey takers may have written an actual password.  Why?  Just call it a professional hunch.  And that’s the crux of the matter, isn’t it?  People giving out their passwords?  Even if a company were to secure all their desktop and laptop computers with full disk encryption software like AlertBoot, you just know that there is one person—you never actually know who it is exactly—but there is just that one person who will give out sensitive information without a second thought under the right conditions.

     
  • Lack Of Hard Drive Encryption Strikes Again At A University?

    The University of Virginia has announced that over 7000 students, staff, and faculty members may have been affected by the theft of a laptop computer.  For the time being, the university is not identifying whose laptop it was or where it was stolen from.  This is per the request of the police who no doubt don’t want to clue‑in the thief of the potential bonanza he holds in his hands.

     

    The laptop contained names and Social Security numbers.  Other than this, details are pretty sparse—with the exception that the theft did not occur on UVA’s campus.  Of course, this implies one of two things: one of UVA’s employees lost it after taking it off campus or someone working for UVA lost it, say, an outside consultancy that keeps track of finances.

     

    Based on the fact that students and others have been notified of this theft, I assume that the laptop in question did not have any data protection safeguards, such as full disk encryption, one of the services offered by AlertBoot.

     

    This is surprising because UVA has already had a data breach in the recent past.  In June of last year, they had revealed that hackers had made off with faculty names, SSNs, and dates of birth.  At the time, if I recall correctly, they had promised to review their security procedures, just as they are doing now with this unrelated incident.

     

    As part of that review, I guess, UVA had decided to phase out the use of SSNs as personal identifiers.  That’s a good thing.  Security is more than installing software and hardware, after all.  One needs an all‑encompassing holistic front to attack insecure practices, and data retraction is as valid a form of data security as a firewall.  However, this process takes an inordinate amount of time.  I mean, UVA is still going through the process, right?

     

    Makes me wonder who was in charge of those security proceedings, because the first thing I would have done is encrypt any computers that are even suspected of having sensitive information.  When you’ve got a situation where the problem is data leakage, and you have no idea how or when it’s going to happen, the first thing you do is contain the data.  Of course, since we’re not talking about a virus that will wipe out humanity, drastic measures are not necessary, such as forbidding all computers used by administration from connecting to the internet, a possible source of data leakage.  The key is to find that balance between protecting and making sure your daily activities are not disrupted which, incidentally, favors hard drive encryption.

     

    Because the process of getting rid of SSNs as identifiers takes so much time, it would have been, from a security standpoint, much better to encrypt all machines to begin with—hence, securing the data—and then redacting data as necessary.  After the process is finished, UVA could have made a decision whether they would like to keep the data or whether they would decrypt all of their machines, knowing that they hit their objective, or have a combination where the machines needing security would retain their encrypted status.

     