I was reading a brief blurb today at tcpalm.com about cell phones and other items being stolen from various phone kiosks. What arrested my mind is the following: “…cash had been stolen from the cash register, which had been forced open with a nail clipper in the key lock” [my emphasis]. I guess this is why some people confuse security measures, like full disk encryption, with “security measures,” like password‑protection: the illusion of security. We’ve been conditioned to think, via our own experiences, that passwords mean security, just like locks mean security.
I’m sure you’ve all heard the stories about how locks are not really secure. If you’re like me, you nod your head in agreement. There are just too many examples where locks have failed people. The above case, obviously, but there was also the debacle about the Kryptonite bicycle locks; the ease with which Master Locks can be opened (thank you YouTube); or kicking in doors (Logan and Briscoe do a fine job in Law & Order). And yet, at the end of the day, your only protection for that door is the lock—maybe a chain. I know very few people who’ve decided to reinforce their apartment doors, or who jam a chair under the knob before going to sleep.
The locks in our everyday lives don’t really protect us, if you think about it. At best, they scream “please don’t come in / look in” with a heavy emphasis on please. The security provided by those locks is an illusion. Can you imagine if a bank decided to secure their vaults using the same technology?
Likewise, the security provided by passwords is an illusion when it comes to data security. I’ve had some people ask, well, if passwords don’t afford security, why is it that my e-mail account asks for one, and more importantly, why are hackers so intent on getting mine?
My guess is it’s because that’s the weakest link. Remember, on‑line e-mail accounts are powered by real computer servers. And companies like Yahoo! and Google definitely have physical security that will deter thieves trying to get into their data centers to steal the servers where your (and a million others’) data resides. It’s easier to trick you and get your password than run into a high‑security area with guns blazing, literally. And trying to hack into Yahoo! and Google’s software itself is probably hard as well.
However, that’s not the case if someone’s trying to get to the data stored in your laptop computer. To begin with, the laptop’s probably physically secured behind a door; the same door that people can kick in. No security there. Secondly, the username and password on your Windows machine can be easily bypassed. Just like one can YouTube for examples on how to get past Master Locks, one can get the same information for bypassing the password prompt. Illusion of security. If you’re really looking to secure the data on your computers, you need to use some form of encryption like hard drive encryption (available from AlertBoot and others).
Let me put it this way. There are passwords, and then there are passwords, just like there are locks and there are locks. If you told me that you’re living in a converted bank vault, and use the original vault locks to secure the door, I’d hope you have a solid HVAC system—you know, so you don’t suffocate—but I would think “now there’s a safe home.” Using hard drive encryption to secure your computer’s hard drives is just like that, except the vault comes to you. No illusions; just security.
Or at least, that’s the message I’m taking from an entry at pogowasright.org. Ebara Technologies had recently filed a letter with the New Hampshire AG’s office, alerting them that one of their vendors had suffered a security breach. A further follow-up by Pogo had a spokesperson confirm that the vendor was Colt Express, recently mentioned in this blog due to the CNet incident. At the time, I ruminated that hard drive encryption like AlertBoot may not have been used to secure the data found in the stolen computer. My guess was that there wasn’t (and it is still what I think); but now we know that password‑protection was in place.
What’s interesting, though, is that Ebara stated in the letter to the NH AG that the personal information “may have” been in the lost computer. This is weird, since the letters filed with CNet showed that Colt had a pretty good handle on what was in the stolen computers. According to Pogo, the Ebara spokesperson clarified the situation by saying that “because the owner of Colt Express Outsourcing Services, Inc. informed them by phone that the computer was ‘password-protected,’ they described the incident as ‘may have contained.’” Despite the fact that sensitive information was on the stolen computer.
I have to laugh. I didn’t know that the presence of data security measures allowed one to change a statement, meaning one thing, to another statement implying something else. (Well, that’s assuming you’re willing to believe password‑protection is data security…which it’s not).
You have implemented data security solutions to protect your data. That’s great. How does that change the fact that sensitive information was in the lost computers? It doesn’t; it makes it harder (or, in the case of full disk encryption, nearly impossible) to get to the data, if the thief attempts to retrieve the data. But it won’t allow you to imply that the data is not there when you know it is there. I mean explore this statement, will ya? Armored Brinks vehicles may not contain anything of value since they’ve got thick walls, armed guards, and bulletproof glass—despite the bags stuffed with money in the back. Yeah, it doesn’t make sense.
I’d say that Ebara may have come this close to lying if Colt Express had been as detailed in updating Ebara about the situation as they had been with CNet (and let me tell you, it looked to me as if CNet had received quite a bit of unequivocal information on how the breach may affect CNet).
Auditors have today released their reports on the HMRC data fiasco from last year. At the time, a junior employee was blamed for the loss of sensitive data affecting 25 million UK citizens. The audit reports place the blame squarely on…nobody. There are many covering this news, but the UK ZDNet seems to sum things up nicely. And when one reads the conclusions, it makes one wonder whether disk encryption solutions like AlertBoot would have helped in this case. Not because encryption is not secure enough, but because the work environment is one of those types where people are not aware of what they’re doing.
According to the report, the National Audit Office (NAO) had asked for the information multiple times, and the HMRC responded—badly, every single time. By badly, I mean that their data security practices were nonexistent. For example, when the NAO asked for data, it also requested that personal data—including names, addresses, and bank account details—be stripped. HMRC ignored the request in order to save money.
What could the HMRC have been thinking? I’ve been associated with government bureaucracies in some way or another my entire life, so I’m assuming, based on my experience, that it went something like this: Well…that’s going to cost my department money, and we’re on a tight budget. So, we’ll ignore the request, send the data, and they can deal with deleting the data, using money from their budget.
Then there are the unencrypted disks. Supposedly, government regulations required data to be encrypted. They were not. What’s not mentioned anywhere (and I won’t read the actual audit reports…they’re like 100 pages each) is whether staff members had access to encryption software. Using data encryption may be a no‑brainer, but if the tools are not there.... Plus, nobody took any interest in tracking the sensitive information, ensuring it arrived at the correct destination.
In that kind of work environment, ensuring data security is very hard. Granted, if we were talking about securing the data on laptops, solutions like full disk encryption could have afforded some peace of mind. Encrypt your laptops once, and they’re encrypted for life. If someone decides to send that via internal mail and it gets lost—well, the data on that laptop is still secure.
However, encryption does not guarantee data safety when people are unaware of good security practices. For example, how many people do you know who have a post-it stuck to a monitor, a post-it with the username and password for accessing…pretty much anything?
As the auditors correctly pointed out, the blame cannot fall on one person if everyone has had a hand in creating such an environment.
The New Hampshire Technical Institute has filed a letter with the New Hampshire AG due to a potential data breach. According to the NHTI, a flash drive with information on students was lost on or around April 23. There is no mention whether full disk encryption was used on the drive; based on their subsequent actions, though, it seems quite unlikely.
The lost information includes students’ names, Social Security numbers, addresses, phone numbers, and e-mail addresses of 2006 and 2007 graduates of NHTI’s nursing program. The letter ended with the President apologizing for the incident and saying that they “are taking steps to prevent this type of breach from occurring again.”
The question is, what type of breach are they talking about here? They keep referring to a “security breach” in the letter to the attorney general, but it seems to me that they’re using the term for both physical security as well as information security. And while usually one begets the other, information saved in digital format allows one to go beyond this conventional way of thinking when it comes to security.
Digital data can be protected using encryption. This means that even if one ends up losing the device on which the data is stored, the data itself can be protected from an actual data breach. In other words, breaching physical security doesn’t necessarily mean that one will have a subsequent information breach as well.
Of course, encryption is not something that was specifically created for the digital realm. Cryptography is an old art—even Julius Caesar used it to communicate with his generals (granted, it was an easily‑breakable one but extremely effective at the time). And in Victorian England, lovers would send each other messages via the personals sections in newspapers—in encrypted form, of course. However, the times being what they were, messages were written on paper, and encryption was done manually. “Don’t attack yet” and “my heart pines for thee” is not a problem when encrypting messages by hand. Encrypting pages of information by hand? I’ve tried, and I can tell you I’d prefer to hire a burly guy with 17 black belts in all manners of martial arts to stand guard over the original, unencrypted document.
In the digital era, however, the biggest factor that made encryption virtually worthless for massive information security (i.e., the time and power needed to protect pages upon pages of data...and later decrypting them when necessary) is overcome with the use of computers. Instead of a person encrypting and decrypting information, one can have a computer take over the job. And this is why today the bonds between physical and information security can be broken: even if a laptop computer is stolen, whole disk encryption, a solution provided by AlertBoot among other companies, would ensure that the information is kept secure.
TNT. It is explosive stuff. It’s also the name of the courier that has lost a CD with information on approximately one million UK citizens. If I’m not wrong, they were associated with several breaches in the past year as well. For a courier company, they sure appear in the news a lot over losing packages. One wonders how they’re still in business? I mean, granted, delivery by FedEx and UPS doesn’t offer a cherry on top, but at least stuff arrives at their intended destinations…. Anyway, the important thing about this incident is that the potential for a data breach is really low. Encryption was used, as it should have been, to protect the contents of the lost CD, and a round of applause ought to be given to the guys at the Paisley Emergency Medical Dispatch Centre (EMDC).
According to this article in the Telegraph, the disk contained the records of 894,629 calls to the Paisley EMDC, going as far back as February 2006. The records included patient names, addresses, phone numbers, medical details, or some combinations thereof. However, somebody at the EMDC was not asleep at his (or her) job, and decided to encrypt the contents before sending it via what appears to be the only working courier in the UK.
Due to the events over the past year, members of the government assumed that another data breach had occurred, and were getting ready to do some finger‑pointing and rabble‑rousing, going as far as asking for an emergency statement. However, it was pointed out that the disk was encrypted (and password‑protected…which is like saying that you’ve won the lottery and picked up a quarter. Kudos to you, but twenty‑five cents doesn’t mean much in the overall picture, ya git?), as detailed in the security procedures for data transfers. I assume the procedures were outlined by the government, so everything is A‑OK.
However, some in the government are trying to score points from the situation by lambasting the delay in notification, since it took two weeks to reveal the loss. To these people, I’d like to point out that, at this point, you’re not really concerned with potential data breaches and the security of your constituents. No, rather, you’re indirectly complaining about the terrible service afforded by TNT.
Why do I say this? Because properly executed encryption solutions like AlertBoot make it virtually impossible for data to be accessed—the chances of a data breach are so low it may take decades for a person to crack the security in place, assuming that’s all he does 24/7. Thus, if the now‑lost disk is encrypted, then it doesn’t matter if the loss is announced today, was announced two weeks ago, or is announced next year—the citizens are no less likely to fall victim than prior to when the disk was sent out. The same principle protects laptops when using full disk encryption.
Unless, of course, the passwords for accessing the encrypted information were also sent in the same package. If so, point all the fingers you want. I’ll join in. I’ll also toss in some derisive laughter for good measure.
Lawyers for CNet have filed a letter with the Maryland AG office. According to the letter, a third party vendor, Colt Express Outsourcing Services, was victim to a break‑in over Memorial Day weekend. Computer equipment got stolen, although it’s not detailed how many or what type of equipment. While the use of full disk encryption (FDE) services could have provided the clients—including CNet—with data protection, it looks like encryption solutions were not used (based on the fact that they’re not alluded to at all).
According to Colt, the lost information includes names, dates of birth, SSNs, addresses, hiring dates, and other sensitive data related to employee benefit packages. Colt was in charge of CNet’s employee benefit administration for the past eight years, and the lost information goes all the way back to—yep, you guessed it—the year 2000.
So, what’s Colt doing to rectify the situation? All it can do, but its hands are tied because they’re going out of business—a fact that clients were aware of. Short of cooperating with the law and alerting clients that there is a potential for a data breach, Colt has stated that they “do not have the resources, financial and otherwise, to assist you [CNet, and I assume other clients] further.”
Ouch. I mean, Colt is only being honest and open, but still. I don’t know about the other affected companies, but CNet has signed up their employees for identity theft monitoring out of its own pockets.
Potential data breaches hitting companies due to the actions of third party vendors are nothing new. We’ve already had a handful this year affecting both big and small companies. Late last year, The Gap had an incident as well. Most of these cases could have been pretty much eliminated via the use of hard drive encryption, the likes of which are provided by AlertBoot.
The reasoning is pretty simple. Most of the “potential breach” notifications were prompted by the theft of computers—usually laptops, although desktops were included as well. By using whole disk encryption, the thieves—if inclined to get data off the stolen goods—would have found that the traditional methods of accessing computer data would have been useless, even in those instances where they try to override “password protection.”
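The contrast drawn above between overriding “password protection” and facing whole disk encryption, as an added example that is not from the original post. The sample record, the class names and the toy keystream cipher are constructed for illustration; the audit function reports what is readable from the stored bytes with no credential at all.

```python
import hashlib
import hmac
import re

# Constructed sample record (not real data) standing in for a file on a laptop drive.
RECORD = b"name=Jane Sample;ssn=000-12-3456;hired=2000-03-01"
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def _keystream(key, n):
    # Toy SHA-256 counter-mode keystream; a stand-in for a product's vetted cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class PasswordProtectedDisk:
    """A login prompt in front of plaintext: only the operating system enforces it."""

    def __init__(self, data, password):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.raw_sectors = data  # bytes as stored on the drive itself

    def login_read(self, password):
        attempt = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(attempt, self._pw_hash):
            raise PermissionError("bad password")
        return self.raw_sectors


class EncryptedDisk:
    """Whole-disk encryption: the stored bytes themselves depend on the passphrase."""

    def __init__(self, data, passphrase, salt=b"constructed-salt"):
        self.salt = salt
        self.raw_sectors = _xor(data, self._key(passphrase))

    def _key(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 200_000)

    def unlock_read(self, passphrase):
        return _xor(self.raw_sectors, self._key(passphrase))


def exposed_ssns(raw_sectors):
    """Audit check: SSN-shaped strings readable from the raw media with no credential."""
    return SSN_RE.findall(raw_sectors)
```

Running `exposed_ssns` over each disk's `raw_sectors` finds the record on the password-protected disk and nothing on the encrypted one, which is the distinction a breach notification should be built on.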