AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

August 2008 - Posts

  • Full Disk Encryption Missing On USB Memory Stick: UK Home Office Data At Risk, Again

    Ah, the UK Home Office.  In recent weeks, it’s become to me what “W” has become to Jon Stewart and The Daily Show: my meal ticket.  Granted, in this case, it’s not really the Home Office department that’s to blame, but contractors.  The Home Office did everything it should have, e-mailing a database of criminals’ records that was encrypted (probably with the use of file encryption software like AlertBoot) to the contractors.  The problem was, once the contractors received the information, they decrypted it and saved it to a USB flash drive unencrypted.  Using full disk encryption on that memory device would have gone a long way towards ensuring information security.

     

    Otherwise, it’d be like an armored Brink’s vehicle bringing in a truckload of money and the receiving party stuffing it inside their mattress, believing that the mattress will always be there (Surprise!  We got you a new mattress because the old one was…all clumpy and not cushy.  It was time to replace it, anyway.  The goods‑receiving party: Noooooooooooooo!)

     

    The baffling thing, to me at least, is the fact that these consultants decided to save something in an unencrypted format.  It seems to me that it would be logical to just save the encrypted file to the memory stick…until I remembered that consultants actually have to expend some energy working, contrary to whatever clichés you may have heard.

     

    My guess is that the consultants copied over the information from the format the Home Office department was using to whatever the consultants were using for doing their jobs.  Of course, once you do this, you need to encrypt the new file, which becomes a problem if you don’t have any encryption software solutions at your company.  It also doesn’t make sense to ask the Home Office to encrypt it for them because that defeats the purpose of having the file encrypted when it was e-mailed originally—you’d have to e‑mail the unencrypted file back to them.

     

    I don’t know how it works in the UK, but in the US, there are federal requirements when a company bids for a project.  For example, any companies that want to send in an RFP (request for proposal) for infrastructure projects must have engineers on staff who’ve passed the engineer in training exam, in addition to PEs—or at least that’s what I was told by professors who encouraged our graduating class to take the exam.  Perhaps it’s high time that governments also include in their requirements that companies bidding for projects that deal with sensitive data be equipped with encryption software.

     

    Of course, it’s one thing to have a way to encrypt data; it’s something else to have people actually use it.

     

    Related Articles:

    http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/2598204/Home-Office-loses-confidential-data-on-all-UK-prisoners.html

     

    http://www.bloomberg.com/apps/news?pid=20601102&sid=a9OF1JOD38iY&refer=uk

     
  • Bank Data Tape With No File Encryption Lost: Wells Fargo Customers Affected

    At least, I’m assuming that file encryption was not used, based on the article I’m reading at codyenterprise.com.  A computer data tape which contained sensitive customer information like names, addresses, Social Security numbers, and bank account numbers was reported as lost by Wells Fargo.  The affected banks, as listed in the article, are the Shoshone First Bank in Cody and Powell; Jackson State Bank & Trust; Sheridan State Bank; First State Bank of Pinedale; and United Bank of Idaho in Driggs.

     

    According to Shoshone First Bank executive vice president Ross, the tape was being transported from one bank to another, and when the staff arrived at “the site” they noticed that the tape was missing.  He also mentioned that it can “definitely [be said] this wasn’t a theft” and that the information would be difficult—but he did not say impossible—to access because special equipment is necessary.  As he noted, “you can’t just plug this into a computer and run it.”

     

    This is true.  I mean, you can’t just dump a DVD into a computer; it has to have a DVD drive.  If you have a CD drive, which happens to look exactly like a DVD drive (and to some, like a cupholder), that DVD is still no good; you have to have a device that can read the data.  This is just common sense.  Likewise, a data tape needs a tape drive; this, too, is common sense.  Now, the question is whether such equipment is freely available for purchase, and whether the bank uses an off‑the‑shelf solution for reading and writing data to tapes.  But, the truth is that as long as data encryption is not used, sensitive data is not really safe.  A person with the right skills can do more than glean the data from an unprotected file.

     

    Which brings us to the assertion that this incident is not an act of theft.  I mean, it’s obvious that the staff who were carrying this tape were not robbed blind in broad daylight.  Otherwise, they couldn’t claim that they “lost” a tape.

     

    On the other hand, it’s pretty apparent they have no idea how they lost it: they could have left it on a bank executive’s desk, or somebody could have lifted it off them.  The former can be considered “losing” a tape; the latter is clearly theft.  Just because nobody had to face the wrong end of a gun or knife, no windows were broken, and none of the other acts of violence associated with a mugging or burglary happened in this case doesn’t mean that one can claim, unequivocally, that thieves weren’t after the data.

     

    How many customers were affected?  The bank’s not releasing that information due to pending investigations.  Personally, I think it’s smart that the bank didn’t release the details upfront.  If the number is significant, it might be an additional impetus for getting data off the tape—assuming someone did decide to actively steal it.

     

    What banks may want to do is use a data encryption solution like AlertBoot to secure sensitive information.  This way, one can steer the conversation from “well, it’s kinda hard to access the information, so you should be okay” to “your information has been encrypted with a 128‑bit encryption key.  It’d take the thief 200 years to get to that information. You will be okay.”

     

    Related Articles:

    http://www.codyenterprise.com/articles/2008/08/20/news/news4.txt

     
  • Computers Without Full Disk Encryption Stolen From Tax Services Firm

    Kingston Tax Service, doing business out of Washington State, has alerted their clients that they should sign up immediately for identity theft services.  Several computers were stolen from the Kingston Tax Service office on August 12.  While access to the computers was password‑protected, it sounds like full disk encryption services like AlertBoot were not securing the contents.

     

    According to pnwlocalnews.com, letters sent to clients state that each of the stolen computers contained sensitive information that can be used by identity thieves, although exactly what type of information is not detailed.

    What’s notable about this case is that the owner of the firm, Tim Winsor, thinks he saw the computers up for sale on craigslist.org two days after the burglary took place.  The serial numbers in the pictures were blurred, but I guess there must have been some kind of prosaic identifying marks on the machines.  The machines were being sold sans their hard drives.  Yep, the same drives that don’t have disk encryption but do contain sensitive information.  Come to think of it, even using the less resource‑intensive file encryption would have helped in protecting the data.

    Now, there are many ways of getting around password‑protection to get to the data on a computer.  One of them is taking the hard drive out of the computer and hooking it up to another computer: since the latter computer is accessible to the thief, the contents of the “protected” disk drive are also available to the thief.  The process is no different from hooking an external drive up to your computer.  This is why the Windows password‑protection is not considered to be protection at all—it’s just too easy to bypass, assuming you’ve got opposable thumbs.  And hence comes, I guess, Mr. Winsor’s insistence that all clients sign up for fraud alerts on their credit cards and other ways of preempting would‑be identity thieves.

     

    I don’t think his concern is off‑base.  Much has been made of the fact that most stolen computers are re-sold as is or after a cursory disk format; almost no one is interested in the information found on red‑hot computers, apparently.  But in this case, the hard drives have been popped out intentionally.  This doesn’t necessarily mean that the thieves in question are interested in taking a peek at the contents of the unencrypted drive.

     

    If anything, all signs point to the fact that these guys are a little paranoid about being tracked.  Computer serial numbers can be used as proof that they stole the computers if the tax services company has a list of such numbers—hence, they’re blurred from the craigslist pictures.  Likewise, if there are some data vigilantes doing rounds, they could buy the computers listed in the online classifieds forum; analyze the data once the computers arrive; and peg the sellers as thieves if they were to find the firm’s data and if the firm were to vouch that they’re the firm’s stolen computers.  So, out go the hard drives.

     

    However, this would be indicative of thieves sophisticated enough to know the workings of computers.  So it stands to reason that they would not stop at just selling the hardware, no?

     

    Related Articles:

    http://www.pnwlocalnews.com/kitsap/nkh/news/27134264.html

     
  • Hard Drive Encryption Not Required By Law. Good Enough Is Enough?

    PC World has an article about “what the law requires of IT.”  It makes some interesting points, including how a court in one particular case found that laptop encryption was not required.  It has other noteworthy points as well.

     

    Straight off the bat, the article notes that when bank robbers stole from banks in the days of yore, people felt sorry for the banks and hunted down the outlaws.  Today, we blame the banks for not providing adequate security.  And I say, can you blame people for behaving this way?  It’s all a matter of providing a decent amount of security.  There isn’t much to protecting money: get yourself a vault and some security guards with guns.  There’s not much else to do.

     

    However, if these same banks had decided to keep the money under their respective bank president’s office sofa cushions, and that money went missing during a burglary…well, let’s say that people wouldn’t be feeling sorry for banks—and others, in addition to outlaws, would be hunted down.

     

    Why does the public in the twenty‑first century heap scorn on companies like TJX, which are technically victims of a crime? (Or, depending on your point of view, victims of multiple crimes, since in TJX’s case the breach went on continuously for over a year?)  Why do UK citizens talk about “imbeciles” working for the British government when unencrypted CDs with sensitive information went missing?  Because they did the equivalent of keeping the money under the sofa cushions.

     

    People understand implicitly that there is a standard of security that a company shouldn’t dip below, especially in this day and age of identity theft.  So when it’s reported that TJX’s C-level executives decided not to upgrade their wireless encryption standards in order to save money, fully knowing that the weaker standard posed a healthy amount of danger, well…it sounds like the company decided to forgo their customers’ financial well‑being for company profits.  And while companies are supposed to pursue profit—this is America and the free world we’re talking about—people don’t like it when those profits come at their expense.  Sounds like common sense, no?

    It’s a funny thing, though.  As the article points out, from a legal standpoint, the definition of what’s the “legal standard for compliance” with data security tends to vary from case to case.  For example, the case of Guin v. Brazos Higher Education Service is given as a legal precedent.  In that particular case, a laptop—which may or may not have had sensitive information on it—was stolen from a Brazos employee’s home.  Because the company didn’t know whether there was sensitive information on the stolen computer, they alerted all possibly affected clients, and one of them sued because the stolen computer did not feature full disk encryption.

    The court, however, found that Brazos wasn’t required to have laptop encryption on that computer because the law (the Gramm‑Leach‑Bliley Act, specifically) had no provisions stating that encryption had to be used.  Brazos had followed the law to a T when it came to protecting the data.  I’m not sure what protections were in place—to me, they don’t sound like realistic protection measures: “Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by [GLBA].”

     

    I know for a fact that the first two listed, while important overall when it comes to security, don’t have the same efficacy that disk encryption offers when it comes to protecting sensitive data after an incident like a home burglary.  And it seems to me that a home burglary, while not a common occurrence for the average person, wouldn’t be unexpected, so a provision for data protection under such a scenario should have been contemplated by the company.  Brazos may have won in the legal court, but who knows how many people have been turned off by their lack of proactiveness when it comes to protecting client data?

     
  • Disk Encryption Was Not Keeping Laptop Safe On Missing Stanadyne Computer

    Attorneys for Stanadyne Corporation have filed a letter with the Attorney General of New Hampshire.  A laptop with sensitive information was stolen from an employee’s car on June 27.  While the computer in question had password protection, a copy of the letter to be sent to affected employees and former employees notes that “there are procedures that could be used to bypass the login security of the machine.”  While not mentioned outright, it seems obvious that disk encryption solutions like AlertBoot were not used to secure the information found on that laptop.

     

    The compromised information includes names, addresses, dates of birth, and Social Security numbers.  Although a total of four employees were affected when it comes to New Hampshire residents, it’s not known how high the total number may go.  It was not mentioned why such sensitive information was being carried about, although an investigation was launched to see if any company procedures were violated.

     

    One of the more interesting things about the letter to the AG is that the company claims to know exactly what information was on that stolen laptop computer.  Apparently, whenever the laptop is plugged in to the company network, company records are updated to reflect the contents of that laptop.  The wording is nebulous, so I’m not sure what they mean exactly, but I don’t think they mean a backup is made.  What do they mean?  I guess it means “don’t let lawyers write up technical descriptions.”

    It also means that if a company were using laptop encryption, their lawyers could just state, “the contents of the stolen laptop were encrypted.  The chances of this becoming a full‑blown data breach are lower than you winning the lottery for ten years straight.”

    What’s the price to pay in order to be so forthright?  Much less than you think.  AlertBoot is a managed encryption service, so a company doesn’t have to invest—or as some people might see it, “waste money”—in setting up the right infrastructure.  All one has to do is install a small installer, connect to the internet, and let ‘er rip.  That’s it.

     

    Not that I’m claiming that the only thing you have to do to secure your data is encrypt the hard drive on your computer.  Which, incidentally, is why AlertBoot also provides the blocking of ports and software applications (managed via white and black lists), as well as powerful reporting.

     

    Related Sites:

    http://doj.nh.gov/consumer/pdf/stanadyne.pdf

     
  • Laptop Encryption Not Used In Lost Charter Communications Laptop: Thousands Affected

    Charter Communications has announced that twelve laptops—one of which contained sensitive personal information—were stolen over the weekend of July 11.  Charter seems to have declined to answer any questions on what type of data security programs they were using to protect the information found on those laptops—or at least the one laptop with the sensitive information.  It sounds like perhaps laptop encryption, a service offered by AlertBoot among others, was not used to secure the data.

     

    The data in question are the details of 9,000 current and former employees.  Potentially breached information includes names, dates of birth, and Social Security numbers.  Charter has offered one year of free credit protection—and strongly recommended that employees take it up.  (A sign that information security software was not used?  Or just a company looking after the welfare of its employees?)

     

    If endpoint security software was used, Charter and its employees would be better served by announcing the fact; at least that would help allay fears among a significant number of employees.  As it is, the workers are probably feeling a little antagonistic about the circumstances.  One didn’t want to sign up for the credit protection services because she’d have to submit her personal information in order to do so, which happens to be the root cause of the entire fiasco: providing personal information.

    Hmph.  I guess there’s a certain logic to that.  I mean, who’s to guarantee that credit protection services won’t get hacked?  Or that some employee will download sensitive data to his or her laptop and lose it, never mind the policies at those companies?  I mean, Choicepoint—a data aggregator—was involved in quite the massive data breach in 2004.

     

    At the same time, credit protection companies cannot protect you if they don’t know what to look for (well, assuming they’re there to protect you)—so providing sensitive information is de rigueur.

     

    Some continue to point out that sensitive information shouldn’t be on laptop computers.  I disagree, especially in this case.  A person who can steal twelve laptops can just as easily steal a desktop computer, perhaps two.  How can anyone in this day and age claim the size of a computer provides data security?  People need to wake up and smell the coffee.  It’s not the size of the hardware that matters, unless what one is interested in is protecting the laptop.  If one’s interested in protecting the data, then it’s time to realize that one must invest in data protection measures, like disk encryption or file encryption—the size of the computer cannot be classified as one.

     

    Related Articles:

    http://www.forbes.com/feeds/ap/2008/08/13/ap5319900.html

    http://money.cnn.com/news/newsfeeds/articles/apwire/1fddc15e2bb5302e7df9caa844a74c5e.htm

    http://www.multichannel.com/article/CA6587530.html?industryid=47199

    http://www.wyff4.com/news/17177025/detail.html

     