AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

May 2008 - Posts

  • Hard Drive Encryption A Solution For University Of Florida Case?

    The University of Florida will be notifying patients that there was a breach of their information.  According to the Triangle Business Journal, an assistant professor of plastic surgery at the university stored digital photographs of patients and identifying information on a computer.  The identifying information included names, dates of birth, Social Security numbers, and Medicare numbers.  Such information is to be stored on university servers and never on individual computer hard drives, per school regulations; the doctor is resigning from his position for violating this policy.

     

    The storage of the information was not the cause of the information security breach, however.  The breach occurred when the doctor gave away the computer to a friend.  The computer had a new operating system installed in it—by the friend, not the doctor—and the Journal article states that it “[resulted] in the permanent loss of most of the patient information.”  I don’t know who the Journal is quoting, but they may want to revisit that last statement.

     

    Most data is not lost when a new OS is installed on a computer.  Data is not lost even when a computer’s hard drive is formatted in preparation for installing a new OS.  What does get lost is the ease with which one accesses the data.  However, the data is still there, and anyone with the right software will be able to get to it.  The only way to delete data is—surprise!—to add more data; more specifically, to write new data over the old data.  Otherwise, the act of deleting data (like clicking on “empty recycle bin”) does not delete the data at all, which explains why data recovery software can do its namesake duty.  There are other ways to protect the data besides data overwrites, though.  For example, one could encrypt the hard disk with full disk encryption solutions like AlertBoot.

     

    Returning to the University of Florida article, it sounds like there was no attempt to steal identities, and the university is alerting the public because they have a duty to do so.  If I were one of the 1,300 patients, I wouldn’t be too worried about this particular incident.

     

    There are, however, a couple of points of interest to this story.  To begin with, how did the university know about the above incident?  The article seems to imply that university property was given away, but I’m not sure if I’m reading things in context.  My suspicions rest on the assumption that a doctor knows better than to give away university property to friends.  If he were doing this, obviously a routine check on inventory would have brought the incident to light…as well as providing another reason for immediate dismissal.

     

    Also, this case shows how hard it is to ensure that employees follow policies within an organization.  Oftentimes, policies are not followed because employees are unaware that such policies exist in the first place.  In other cases where similar policies exist, data is saved on a local computer because accessing files from a local computer is much more convenient, even though employees know that policies prohibit such behavior for security reasons.  Convenience will often trump security policies.
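The point made earlier in this post, that deleting files or reinstalling an OS leaves the stored bytes in place while overwriting or disk encryption does not, shown as a toy model. This is an added example, not code from the original post or from AlertBoot; the `ToyDisk` class, its file table and the sample record are constructed for illustration, and the SHA-256 keystream is only a stand-in for a real disk cipher.

```python
import hashlib

BLOCK = 32  # bytes per block on this toy disk (equals one SHA-256 digest)

class ToyDisk:
    """Raw bytes plus a file table; encrypts every write when given a key."""

    def __init__(self, blocks=16, key=None):
        self.raw = bytearray(BLOCK * blocks)  # what is physically stored
        self.table = {}                       # name -> (offset, length)
        self.next_free = 0                    # next unallocated block
        self.key = key                        # None means no disk encryption

    def _keystream(self, offset, length):
        # Stand-in for a real disk cipher such as AES-XTS; illustration only.
        out, block = bytearray(), offset // BLOCK
        while len(out) < length:
            out += hashlib.sha256(self.key + block.to_bytes(8, "big")).digest()
            block += 1
        return bytes(out[:length])

    def write_file(self, name, data):
        offset = self.next_free * BLOCK
        if self.key is not None:
            stream = self._keystream(offset, len(data))
            data = bytes(a ^ b for a, b in zip(data, stream))
        self.raw[offset:offset + len(data)] = data
        self.table[name] = (offset, len(data))
        self.next_free += -(-len(data) // BLOCK)  # round up to whole blocks

    def delete(self, name):
        del self.table[name]                 # "empty recycle bin": entry only

    def quick_format(self):
        self.table, self.next_free = {}, 0   # fresh table, bytes untouched

    def wipe(self):
        self.raw[:] = bytes(len(self.raw))   # overwrite every stored byte

def recoverable(disk, marker):
    """Recovery software ignores the file table and scans the raw bytes."""
    return marker in bytes(disk.raw)

SSN = b"SSN 000-00-0000"               # constructed sample value
RECORD = b"PATIENT Jane Doe " + SSN    # constructed sample record (32 bytes)

def scenario(key=None):
    """Return whether the SSN is recoverable after delete, reinstall, wipe."""
    disk = ToyDisk(key=key)
    disk.write_file("old_os.sys", b"A" * 40)   # old OS fills blocks 0-1
    disk.write_file("patients.txt", RECORD)    # record lands in block 2
    disk.delete("patients.txt")
    after_delete = recoverable(disk, SSN)
    disk.quick_format()
    disk.write_file("new_os.sys", b"B" * 50)   # reinstall reuses blocks 0-1
    after_reinstall = recoverable(disk, SSN)
    disk.wipe()
    return after_delete, after_reinstall, recoverable(disk, SSN)
```

Without a key the record survives both the delete and the reinstall and disappears only after the wipe; with a key the raw bytes never contain the readable record at any stage.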

     
  • Full Disk Encryption Is Much More Powerful Than Password Protection

    It is not uncommon for companies to add the words “password protection” when making an announcement regarding the loss of a computer.  As in, the computer was stolen but it was password‑protected.  What is password protection?  And is this protection better than other security measures like full disk encryption provided by data security solutions providers like AlertBoot?

     

    Because Microsoft dominates the world when it comes to computer operating systems, generally password protection refers to the Windows login prompt.  The Windows login prompt is the little window asking for a username and password one faces immediately after booting up their computer.  If you work with a Windows PC at work, chances are you’ve seen this prompt.  If you use a Windows PC at home, there is a slight chance that you haven’t seen this prompt, since it’s not a required feature – you have to set it up.

     

    To the average user, the Windows prompt appears to be a security feature.  It’s probably because we’re so conditioned to think of a username and password as security.  For example, if you’ve got an on‑line e‑mail account, the only way for you to get into that account is by supplying the correct username and password, also known as “creds” in certain circles (assuming you’re not working as an IT administrator at the e-mail company).  If you don’t have the right creds, you don’t get in – end of story.  This is also true when it comes to data encryption, assuming that one has to type creds (sometimes a token that looks like a small flash drive can take the place of usernames and passwords).

     

    The Windows prompt, however, is not as foolproof as an e‑mail account.  For example, have you ever noticed that you don’t have to supply an extra set of creds when you connect an external hard drive to your computer?  Security-wise, it only makes sense to supply two sets of creds, one for the external drive and one for the internal hard drive in your computer.  But this is not the case; one set of creds gives you access to everything.

     

    And if you take that external hard drive and hook it up to a different computer…you still don’t need to supply a username and password.  Not only that, you’ll be able to read the contents of that drive.  Why stop at that?  You could copy data from the external drive to the computer and vice versa.  Clearly, the Windows login prompt was not designed to protect access to the contents of your hard drive – it was designed to protect access to your operating system.

     

    What is more telling of that last statement is that, if you take the internal drive of a computer and connect it to another computer (and convert the displaced internal drive into what’s known as a slave drive), you’ll be able to read the contents of that drive without providing the creds at all!  In other words, the only difference between an internal and external drive lies in how easily you can unhook it from one computer and hook it up to another computer.  Besides the cosmetic appearance, both types of drives are the same.

     

    This is the reason why data security bills like California’s Senate Bill 1386 – the one that started prodding companies to reveal data security breaches – require companies to reveal the theft of computers, including those with password‑protection.  On the other hand, lose a computer with hard drive encryption and there is no need for a public announcement.

     
  • Full Disk Encryption On Stolen Laptop Would Rid Sodexo Of Uncertainty

    Sodexo, a global company that provides integrated food and facilities management (cafeteria food and HVAC maintenance—a winning combo?  Well, it’s working for them to the tune of billions in revenue) has notified the Maryland AG that a company laptop was lost, according to pogowasright.org.  The lost laptop, which one concludes is lacking full disk encryption, may affect 919 employees, a fraction of the 342,000 employees that work for Sodexo.  Does the figure of nine hundred just mean Maryland residents of total affected employees, or is that the actual total number of employees affected?  I’ll bet it’s the former; less than 1% of employees affected?  Sounds too good to be true.

     

    The laptop was stolen from an employee’s car, and while the computer had password protection, it looks like there wasn’t much else in terms of data protection.  Sodexo thinks that there may be names and Social Security numbers on the lost laptop, data that could lead to identity theft if someone with rudimentary knowledge of computers is able to get to the data.

     

    They think there may be such data?

     

    A common problem with trying to find out exactly what was on a computer after it’s been lost or stolen: there’s no real way to know.  The best IT administrators can do is make an assumption based on the last backup of the data; but anything that was saved on the laptop between the time data was backed up and the laptop was lost…there is no way for anyone but the user of the laptop to know, assuming he can remember.

    This is why people tend to recommend that computers be protected using encryption solutions like AlertBoot.  In this case, full disk encryption would have been advantageous over file encryption due to the fact that Sodexo doesn’t have an exact idea of what was in the laptop.  If one file, with sensitive data, is encrypted, and another file with similar data is saved in the laptop without encryption—you’ve still got the possibility of a data breach.

     

    However, if full disk encryption is employed, the entire hard drive is protected, and the chances of an information security breach becoming reality are drastically diminished.  In fact, the chances become nil, unless the user did something unusual, like taping the username and password, necessary for accessing the encrypted data, to the bottom of the laptop.

     

    Full disk encryption is in many ways the easiest and most hassle‑free way of protecting your digital assets, since it requires a one‑time encryption process.  Once your hard drive is encrypted, placing any kind of document in the hard drive will ensure that it’s encrypted as long as it remains in the disk itself.

     
  • If Hard Drive Encryption Is So Powerful, How Were FARC’s Documents Analyzed?

    Anyone following international politics may have heard about Chavez’s latest rant against the western world.  This particular rant—as opposed to his other, regular rants against the western world—stems from a finding by Interpol that confirms the legitimacy of files found in the computers and other digital devices belonging to a now‑deceased FARC leader, Raul Reyes.  The Interpol finding is damaging because apparently some e‑mails found in the computers imply that the government of Venezuela, at its highest levels, has been supporting FARC, which is considered a terrorist organization by the US and the EU.

     

    The devices in question were recovered in March by Colombian security forces, after raiding a Revolutionary Armed Forces of Colombia (FARC) camp in Ecuador.  At the time, there was a lot of talk about the contents of the computers, external drives, and flash drives being encrypted.  Although I haven’t been keeping up with the news, my understanding was that all the devices were protected with full disk encryption.  I remember thinking that anyone trying to analyze the contents of those machines had their work cut out for them, since full disk encryption solutions like AlertBoot are pretty much unbreakable.  I’d imagine the rebel/terrorist organizations that took the time to encrypt stuff would have used the best solution available.

     

    That hasn’t stopped Interpol from trying to break the encryption, though.  They used ten computers, 24/7 for two weeks, according to a statement by Ronald Noble, General Secretary of Interpol.  Did they manage to break the encryption?  Well, the findings would imply so; otherwise, how could Interpol verify the legitimacy of the files?  However, the above setup of ten computers is not enough for cracking encryption.  What’s going on?

     

    Upon reading Interpol’s concluding report, I think that full disk encryption was not used on these computers.  Rather, it was file encryption, and it was used on a small number of files.  Whether the specialists were able to gain access to the files is not reported, only that 900-odd files were protected using cryptography.

     

    So, were they able to crack the encryption for those 900 files?  My guess is “no.”  However, “no” doesn’t mean that the specialists were not able to gain access to the encrypted information.  There are two methods of attacking an encrypted file: 1) break the encryption key or 2) figure out the password for decrypting the file.

     

    Generally, it’s the latter that will be attacked because the former is just too difficult to break.  Ten computers running at all times for two weeks will just not do, assuming something like 256-bit encryption was used.  The weakest link generally tends to be the password a person selects to access the contents of encrypted data.  People tend to choose something that is not truly random, and there is a limit to how many random characters can be memorized by the average person, so passwords tend to be short, in general.  If the encryption system used by FARC allowed someone to enter the incorrect password unlimited times, a simple program could be created by the Interpol specialists to try millions of password combinations in an attempt to gain access to the data, since all they’d need is one good guess.
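The comparison above, worked through with the post's figures of ten computers running around the clock for two weeks. This is an added example, not part of the original post; the guess rate of 10^9 per second per machine and the 100,000x key-stretching factor are assumptions chosen for illustration.

```python
import math

MACHINES = 10                    # "ten computers" (from the post)
SECONDS = 14 * 24 * 3600         # "24/7 for two weeks" (from the post)
RATE = 10**9                     # ASSUMED guesses/second per machine (generous)


def budget(rate=RATE, stretch=1):
    """Total guesses the effort affords; `stretch` is the cost multiplier a
    deliberately slow key-derivation function puts on every password guess."""
    return MACHINES * SECONDS * rate // stretch


def key_fraction_searched(key_bits=256, rate=RATE):
    """Share of the key space covered when attacking the key directly."""
    return budget(rate) / 2 ** key_bits


def longest_exhaustible(alphabet, rate=RATE, stretch=1):
    """Longest random password (over `alphabet` symbols) whose every
    combination of that length can be tried within the budget."""
    length = 0
    while alphabet ** (length + 1) <= budget(rate, stretch):
        length += 1
    return length


def equivalent_key_bits(alphabet, length):
    """Strength of a truly random password expressed as key bits."""
    return length * math.log2(alphabet)


def report():
    """Rows of (alphabet name, stretch factor, exhaustible length, bits)."""
    rows = []
    for name, alphabet in (("lowercase", 26), ("printable ASCII", 95)):
        for stretch in (1, 100_000):
            n = longest_exhaustible(alphabet, stretch=stretch)
            bits = round(equivalent_key_bits(alphabet, n), 1)
            rows.append((name, stretch, n, bits))
    return rows


if __name__ == "__main__":
    print(f"256-bit key space searched: {key_fraction_searched():.1e}")
    for name, stretch, n, bits in report():
        print(f"{name:16} stretch x{stretch:<7} "
              f"exhaustible up to {n:2} chars (~{bits} bits)")
```

Under these assumptions the direct key search covers roughly 1e-61 of a 256-bit key space, while every random password of up to 8 printable characters fits inside the same budget. Key stretching shortens that to 5 characters, which is why both password length and a slow key-derivation step matter for file encryption.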

     
  • Full Disk Encryption Is Priority One For Formula One Drivers: Blackmail Suggested But Where’s The Crime?

    Reportedly, a “thief” has tried to “blackmail” Formula One driver Adrian Sutil.  I’m having problems calling the guy a thief, though, and I’m not sure I see the blackmail angle.  Not that I’m excusing this guy from his actions.  Either way, he has helped highlight the need for better disposal practices when it comes to throwing away one’s computer.  Hard drive encryption could have helped in this case, although a magazine publisher with standards will serve in a pinch.

     

    The facts are the following, supposedly: Sutil’s father gets rid of the computer.  Nobody knows where it ended up, but a man by the name of “Dieter” acquires the hard disk found in the computer.  Dieter accesses the disk and finds Sutil’s data: financial information, such as Swiss bank account transactions, as well as photographs and personal correspondence.  Obviously, data security measures like full disk encryption from AlertBoot were not present; otherwise, Dieter would have nothing but a nice magnet and assorted metals.

     

    The suspect then proceeds to contact Bild Motorsport magazine in an attempt to sell the disk for approximately $12,000, a hefty bounty for a jobless man like Dieter.  The editor of the magazine gets in touch with the police; a sting is set up; seller is caught and charged with attempted blackmail and possession of stolen personal data.

     

    I guess I just don’t understand how German law works, because as far as I can tell, there was no theft and there was no attempt to blackmail.  I mean, Sutil’s privacy would have been invaded if the information were released to the media—there’s no argument there.  But it’s not as if Dieter stole the computer from the F1 racer’s home.  Dieter could have bought the thing for $15 at a recycling plant, who knows?  And is it a crime that he recognized a public figure? And how is Dieter responsible for Sutil (or his father) not wiping the data prior to throwing out the computer?  And, where are the attempts to blackmail?  Generally blackmail consists of getting in touch with the victim—there was no attempt to reach Sutil, as far as I can tell.

     

    Maybe Dieter is jobless because he’s in Germany.  In the US, he’d be an entrepreneur.  Certainly, I’d consider him to be the lowest kind of entrepreneur, down there with paparazzi (legal profession) and arms traffickers (illegal profession).  But, as gross as his actions may be, Dieter wouldn’t have belonged to the latter type of profession had he been able to carry out his so‑called “crime.”  And if F1 were popular, he’d have made a pretty penny.

     

    The burden really falls on the Sutil family in this case, as far as I can tell.  They should have thought of the consequences and acted accordingly.  I’m sure they don’t throw out sensitive documents willy‑nilly: contracts, Swiss bank account statements, love letters, what have you.  Why wouldn’t they exercise the same caution when it comes to throwing away a computer?

     

    Perhaps the father was not computer‑savvy enough?  The thing is, “I didn’t know” is not an adequate defense when it comes to breaking the law; it shouldn’t be a defense in this case either.

     
  • Full Disk Encryption Not Used In Yet Another Lost BOI Laptop

    The Bank of Ireland (BOI) has announced that a fifth laptop has been stolen.  Honestly, I’m not sure if this is a needed announcement; if any penalties are given due to this latest revelation, I believe that it’ll just be a case of a company being penalized for having meticulous records. (Of course, not that I would go about saying that’s always a bad thing; lots of deserving people were caught for the same reason.)

     

    However, why would a theft from 2001 have a bearing on what’s going on today?  If any crime was perpetrated due to that particular incident, the affected would have been victimized by this time.  Revealing the theft at this point is just asking for a lawsuit—that will probably be shot down eventually because of some statute of limitations, wasting everyone’s time and taxpayer money (but then, I may be wrong since I’m not a lawyer).

     

    Plus, you can’t blame the bank for belatedly revealing such a theft.  It was seven years ago; people probably forgot about it—they probably came across the fact once they started auditing their records.  There wasn’t any legislation forcing companies to reveal such incidents back then, and the use of full disk encryption at that time was not widespread.  Sure, encryption solutions existed at the time (although I’m not sure if centrally managed hard drive encryption solutions like AlertBoot were available back then); however, they had a noticeable impact on computer performance, so it was not a popular method for securing digital assets.  And, laptop computers were not as ubiquitous as they are now, so losing a computer wasn’t such a big concern, not because there’s nothing to worry about, but mostly because the chances of losing a computer were pretty much non-existent.

     

    Per the BOI’s press release, about 98% of their laptops are currently encrypted, and they expect the deployment to finish by the end of the month.  Better late than never…especially if your business is an on‑going concern.

     