AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

September 2008 - Posts

  • Laptop Losses To Grow 300% According To Safeware. Time To Consider Hard Disk Encryption?

    Safeware, an Ohio-based provider of specialized insurance programs, expects claims on thefts of laptops and other portable computing solutions to increase by 300% by the end of the year, as compared to last year, according to a survey it conducted.  It sounds like the importance of hard disk encryption software solutions like AlertBoot will grow as time goes by.  Or, at least, it certainly appears like the importance of such data protection solutions will not decrease with time.

     

    Safeware’s analysis shows that the theft of computers increased by 29% in the 2006 to 2007 period, as compared to the period before, and the company is projecting a 278% increase in the 2007 to 2008 period.  It is believed that this increase is mostly due to the growing use of laptops and other electronic devices in the classroom and by business professionals.  Of course, the growth of laptop use in business is nothing new.

     

    Nor could one feign surprise at the fact that college students have gravitated toward the use of computers in the classroom.  Or claim that this is news to them.  In fact, there have been reports/complaints from college professors on how the new generation is not paying as much attention in the classroom, what with college students multitasking: sending instant messages, checking e-mail, surfing the web, and listening to a lecture (the academic kind…and possibly the other kind of lecture).  And, social media sites such as MySpace and Facebook owe their growth and relevance in part to college students.  At least, they did during their initial stages.  Then the entire world decided to drop in.

     

    In other words, yes, there are a lot of people using computers out there.  Without the raw numbers, though, it’s impossible to see why there was such a sudden increase in thefts in 2007-2008.  I wouldn’t imagine, for example, that there was actually a drastic increase in laptop thefts in this particular period (although I’d be the first to admit that each year we seem to have record numbers of lost and stolen laptops).

     

    I strongly suspect the growth in theft Safeware has noted is because such specialized insurance—where computers and other high-end electronic equipment are protected against loss—is relatively new, and Safeware has been signing up more and more people over time: when your base—the number of people signed up for insurance—increases over time, so does the number of claims.

     

    If interpreted in the above way, the increase of 300% seems less impressive: Oh, I guess laptop thefts haven’t really increased that much.  However, that figure also implies that there’s been an explosion in people signing up for such insurance.  Clearly, there is a huge demand out there for such services.  Will this also translate into demand for encryption software as well, though?

     

    While the importance of data encryption as an information security measure cannot be overemphasized, people seem to have a problem grasping its importance.  For example, the above insurance is, I presume, for the replacement of lost and stolen laptops.  People have gravitated to them on their own.  But when it comes to encryption…well, even when the law gives a distinct protection to businesses that encrypt their data and subsequently lose a computer, you still don’t have such record numbers of people signing up for file encryption software and full disk encryption.

     

    It’s weird, in a way.  People generally sign up for insurance prior to the theft of computers.  People generally sign up for encryption after the theft of computers.  Both are designed to protect the people who sign up, and are effective only if they’re in place prior to theft.  Am I the only one who sees the oddity in this?

     

    Related Sites:

    http://www.safeware.com/AboutUs.aspx

    http://www.skynewswire.com/modules/news/article.php?storyid=6404

     
  • New European Directive Could Boost Full Disk And Other Encryption Products

    A new European Commission directive on electronic privacy may include a data breach notification provision.  While it’s still up for debate, all signs seem to point to the data breach legislation being approved.  While this is not a clarion call for companies to start protecting digital information with the use of data encryption software like AlertBoot encryption solutions, it certainly would raise interest in both such products and the idea of data security overall.

     

    Of course, if one’s not aware that data security is a necessity in this day and age, there’s a good chance that they don’t need it: even 60-year-old grannies who’ve never touched a computer know about the need for data protection, knowledge gained ever since some *** decided to take out a mortgage via identity fraud.  And, Europe has been rocked by its fair share of data breach scandals, although most of it has been in the UK, it seems.  So, again, if you’re not aware of the need for data security, you probably don’t need it; on the other hand, you’re probably not reading this blog post either…

     

    There are some pointing out that this new legislation is “farcical.”  The reason?  Only web service companies, such as ISPs or online retailers, are required to fess up to a data breach.  Incidents like the loss of CDs with huge amounts of data, such as the HMRC fiasco in the UK, where nearly half the population of that country was potentially affected, do not require a public confessional.  This means that if one loses a laptop full of sensitive customer details, and the company is, say, a hospital, there’s no need to alert anyone—at least, not from a legal standpoint.  If you’re WebMD facing the same situation, though, you will have to.

     

    Is this the right legislation?  I find it lacking, not farcical.  It’s like having separate legislation for murder: if you plan and kill someone with a knife, you get 10 years; kill with a gun and you’ll get life.  If such legislation exists, it doesn’t make sense: why does it matter how one carried out his premeditated crime?

     

    Likewise, why confine data breach notifications to only a segment of those who are part of data breaches?  If past history has shown us anything—and I haven’t actually compiled hard numbers, so I’m basing it off my feelings and experience—it’s that you have as many, perhaps more, data breaches that happen offline than online.  I’ve covered more instances of lost and stolen CDs, USB memory sticks, laptop and desktop computers, and external hard drives than I’ve written on online hackers.  And, the biggest data breaches seem to be offline as well: the above-mentioned HMRC.  TJX’s was offline, in the sense that it was credit card data collected (yes, wirelessly) at the retail point of sale, not online point of sale.  The VA computer thefts from last year in the US.

     

    Maybe the proposed legislation is a farce in the sense that governments are not pointing fingers at themselves.  After all, each government has access to the biggest depository of data on citizens.  Not everyone shops at TJX; pretty much everyone pays taxes to the government.  Guess whose data breach would be more massive?

      

    Related Articles:

    http://www.pcpro.co.uk/news/224478/european-companies-forced-to-own-up-to-data-losses.html

    http://www.computerweekly.com/blogs/the-data-trust-blog/2008/09/farcical-data-breach-notificat.html

     
  • 22,000 At Intuit Subject To Data Breach: Colt Express Computer Theft And Lack Of Data Encryption Aftershock

    The site pogowasright.org is reporting that the Colt Express computer theft from back in June is still bringing victims out of the woodwork.  The latest company to admit that they were affected is Intuit.  You may know them as the makers of Quicken, QuickBooks, and TurboTax.  As detailed back then (and many times subsequently, as more companies reported being affected by the Colt Express matter), the stolen desktop computers did not feature hard drive encryption like AlertBoot data encryption solutions.

     

    Also, most of the companies who’ve reported about being affected by the Colt Express data breach had stopped being the firm’s clients, some for a couple of years or more.

     

    How many are affected?  22,000 people, including former employees and dependents who signed up for Intuit’s health benefits plans between August 1997 and January 2002.  Hm.  I’d say this is another company that had stopped being Colt’s client for a while now.  I keep wondering why Colt kept all that information?  I mean, at this point it seems like data encryption is secondary to this puzzling question.  Is it some kind of requirement, like my keeping of all receipts for seven years because I’m terrified of the IRS?

     

    Or perhaps it’s because the cost of purging information, at least at face value, is so much more expensive than just storing everything.  Let’s face it, there are very few things in life that go down in cost over time, and one of them happens to be digital storage.  Heck, it doesn’t just go down, the cost kind of falls off a cliff.  And when one considers that the cost of labor goes up over time—the other significant cost factor when it comes to data purges—many companies would find it much more advantageous to keep everything (you don’t want automatic purges…what if you purge the wrong thing?)

     

    Yes, hard drive encryption would have kept the information on those stolen desktop computers safe.  But there is always a caveat.  You must keep the password for decrypting the information safe from outsiders.

     

    When a company shows a misguided attempt at data security—like keeping unnecessary but highly sensitive information around, not using encryption, assuming password protection is “protection”—it makes me wonder if encryption would have helped in the end:  I get the feeling that the password to decrypt the data would have been written on a post-it note and stuck to the computer.

     

    Related Articles:

    http://www.pogowasright.org/staticpages/index.php?page=20080731113218447

    http://www.pogowasright.org/article.php?story=20080915080929430

    http://doj.nh.gov/consumer/pdf/Intuit.pdf

     
  • File Encryption Not Used In Yet Another Lost UK CD: Whittington Hospital NHS Trust

    Whittington Hospital NHS Trust is alerting the public that four CDs with employee payroll details were lost on July 22.  The CDs were in transit to McKesson, a payroll company, where they were to be stored.  While the four CDs did not feature file encryption solutions like AlertBoot, the contents were protected via the use of alphanumeric passwords.

     

    The total affected number of employees is a little short of 18,000, and may mean the leakage of names, dates of birth, national insurance numbers, and pay details, as well as other information.  The large number of staff is due to the fact that Whittington manages the salaries of other health trusts as well: Islington Primary Care Trust, Camden Primary Care Trust, and Camden and Islington NHS Foundation Trust are all affected as well.  Whittington Trust has announced that bank account details were not included in the lost data.

     

    All reports on the story are quoting a spokesperson who’s announced that the password is hard to crack and it would require an “expert hacker” in order to crack the security in place.  Well, either that, or it would require a couple of hundred dollars in the bank and some free time.

     

    The thing about relying on passwords for security is that there is software out there designed to help you crack them.  In fact, some are sophisticated enough to take details such as your and your family’s dates of birth, phone numbers and addresses, and other personal information that is typically used by people to personalize their passwords.  And, yes, such software is available for sale to anyone with a credit card.  But, that is not the only approach to figuring out a password.

     

    There is also the method of “brute force,” which essentially means you start with single characters (1 or A or B or whatever) and steadily build up the length of your password, trying every single combination possible.  Now, depending on what type of application was used, it may make the use of brute force to reveal the password easy (and fast).  There are programs out there that, for some reason, limit the password to more than 4 characters but less than 13 characters.  This provides an upper limit on what one’s password can be.  There is also a lower limit, which works to ensure that the total number of combinations is restricted, further decreasing the total password combos one can use—and, again, allowing brute force to arrive at its inevitable guess much sooner.

     

    So, I guess the point is that, if you’re relying on a password to protect your data, make sure that there are no restrictions on what type of password it can take; ensure that it’s as long as possible, as well as ensuring the possible password length is open-ended; use as many different characters as possible, including special ones; and never use personal data when creating your passwords.  Also, if possible, place a limit on how many incorrect guesses one can make before further access to the data is irrevocably denied.

     

    The thing is, with password protection without encryption, there are easy ways to bypass the “security” in place.  Yes, you’ll have to have a certain degree of sophistication to use them, but, hey, it’s not an unattainable skill.  Learning how to throw pots and glaze them probably takes more effort.

     

    Related Articles:

    http://news.zdnet.co.uk/security/0,1000000189,39489341,00.htm

    http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=11028
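
The arithmetic behind the length and character-set advice in the post above, as an added example that is not part of the original post: it counts the candidate passwords a policy allows and shows how much the length ceiling, the length floor and an attempt limit each change an exhaustive search. The guess rate, the attempt limit and the three sample policies are assumptions chosen for illustration.

```python
from dataclasses import dataclass

GUESSES_PER_SECOND = 1e9          # assumption: offline guessing rate, illustration only
SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    charset_size: int   # distinct characters the application accepts
    min_len: int
    max_len: int


def keyspace(charset_size, min_len, max_len):
    """Count every password whose length lies in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def floor_share(policy):
    """Fraction of the 1..max_len space that the minimum length removes."""
    removed = keyspace(policy.charset_size, 1, policy.min_len - 1)
    return removed / keyspace(policy.charset_size, 1, policy.max_len)


def ceiling_share(policy):
    """Fraction of the allowed space made up of maximum-length passwords."""
    top = policy.charset_size ** policy.max_len
    return top / keyspace(policy.charset_size, policy.min_len, policy.max_len)


def lockout_hit_probability(space, allowed_attempts):
    """Chance of guessing a uniformly random password before access is denied."""
    return min(1.0, allowed_attempts / space)


def assess(policy, allowed_attempts=10):
    space = keyspace(policy.charset_size, policy.min_len, policy.max_len)
    return {
        "policy": policy.name,
        "keyspace": space,
        "years_to_exhaust": space / GUESSES_PER_SECOND / SECONDS_PER_YEAR,
        "floor_share": floor_share(policy),
        "ceiling_share": ceiling_share(policy),
        "hit_before_lockout": lockout_hit_probability(space, allowed_attempts),
    }


# Constructed sample policies; the second mirrors the 5-to-12 character cap in the post.
POLICIES = [
    PasswordPolicy("digits only, 4-6 chars", 10, 4, 6),
    PasswordPolicy("alphanumeric, 5-12 chars", 62, 5, 12),
    PasswordPolicy("printable ASCII, 5-20 chars", 95, 5, 20),
]

if __name__ == "__main__":
    for p in POLICIES:
        r = assess(p)
        print(f"{r['policy']}: {r['keyspace']:.3e} candidates, "
              f"{r['years_to_exhaust']:.3e} years to exhaust, "
              f"floor removes {r['floor_share']:.2e}, "
              f"max length holds {r['ceiling_share']:.2%}, "
              f"P(hit before lockout) = {r['hit_before_lockout']:.2e}")
```

The ceiling and the character set dominate the result: almost all of the search space sits at the maximum length, so a cap on length costs far more than a minimum length removes.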

     
  • UK Insolvency Service Loses Laptops. Use Full Disk Encryption, Anyone?

    The UK Insolvency Service in Manchester has alerted 122 former directors of bankrupt companies, most of them small and medium businesses, that four laptops with their information have been stolen from a Manchester office.  The number of people affected, however, seems to be higher.  According to the telegraph.co.uk, the total number of companies affected is 122, and the number of people affected is nearly 500—which makes sense, considering that you could have multiple directors and what not.  It wasn’t revealed whether the laptops had data security software like AlertBoot full disk encryption installed on them.

     

    The way the UK media is describing the event, however, and the fact that they are associating it with past cases where data encryption wasn’t used to secure subsequently lost or stolen data devices, strongly points towards the lack of information security measures.

     

    The theft happened on August 27, and of the four laptops, only one of them contained sensitive data.  Some will take this to mean that the laptops were stolen for what they were: easily resalable items, quite possibly sold from the back of a car.  Others might see the same and claim that it was stolen for the data: there are four laptops, which one to take?  Booting up the computers takes time, so just steal all four, figure out which one has the data later.

     

    Of course, these two are not mutually exclusive.  One could imagine that they break into the office and see the laptops; steal them for resale; and decide to take a peek under the hood to see what’s in those computers before offloading them—and, voila!  Names, addresses, dates of birth, and National Insurance numbers of nearly 500 people.  Sure, the companies are bankrupt, but that doesn’t mean that people are bankrupt themselves (that’s the beauty of corporations and limited liability partnerships).

     

    Would hard disk encryption on these machines have prevented their theft and possible data leakage?  Yes and no.  Data encryption can’t do anything for sticky fingers.  That’s just a fact.  One has to invest in physical security like bars, chains, locks, and the like to stop theft.  However, if we’re talking about ensuring data security, whole disk encryption of hard drives in a computer can’t be beat.

     

    This is especially true for digital information.  In the old days, when information was stored on paper, you could expect some degree of privacy and security via obfuscation: after all, who has the time to read through thousands of pages to get to the juicy data?  But on computers, searching is a snap.  Google has ensured that, along with other software makers.  I mean, you can even purchase, for less than $100, software that searches for Social Security numbers and credit card numbers in myriads of disconnected files.  It was developed to enhance data security (you know, run it every month or so to ensure that you’re not storing data you shouldn’t be storing.  Regular audits are part of comprehensive data security practices), but any tool is double-edged, philosophically speaking.

     

    Even encryption, actually.  There are plenty of hackers out there that will break into a company’s data centers, hijack their data and encrypt it.  They’re essentially keeping the data hostage, and will only release the password to decrypt the information once the dollars (and pounds, and yen, and rubles, etc) roll into their bank account.  Why?  Because they know the power of encryption: the chances of anyone breaking the protection in place are pretty close to nil.

      

    Related Articles:

    http://www.telegraph.co.uk/news/uknews/2977534/Government-loses-personal-details-of-nearly-500-company-directors-and-employees.html

    http://www.computing.co.uk/computing/news/2226315/insolvency-service-loses-laptop

    http://www.scmagazineuk.com/Insolvency-Service-confirms-laptop-theft/article/118068/

    http://www.manchestereveningnews.co.uk/news/s/1067174_stolen_laptops_held_insolvency_data
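
The kind of periodic audit the post above mentions (searching files for Social Security and credit card numbers you should not be storing), as an added example that is not part of the original post and is not any vendor's product: it walks a directory, matches SSN-shaped and card-shaped strings, filters card candidates with the Luhn checksum, and reports only masked values. The sample files, names and numbers are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# SSN shape ddd-dd-dddd, skipping ranges that are never issued (000, 666, 9xx, 00, 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the audit report is not itself a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return (line number, kind, masked value) for each finding in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((lineno, "card", mask(m.group())))
    return findings


def scan_tree(root):
    """Scan every file under root; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample data: one real-looking row, one row that must not match.
SAMPLE = """name,ssn,card
Jane Example,123-45-6789,4111 1111 1111 1111
John Example,000-12-3456,4111 1111 1111 1112
order ref 2008-09-15-0042 shipped
"""


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "hr").mkdir()
        (Path(tmp) / "hr" / "payroll.csv").write_text(SAMPLE)
        (Path(tmp) / "notes.txt").write_text("nothing sensitive here\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```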

     
  • Can Disk Encryption Stand Up To Shinto Blessings?

    I found a fun little article that deviates from the usual disk encryption stories.  I was looking over Gizmodo today, and happened upon this post about a Tokyo shrine that blesses computers.  Quite a number of blogs have picked up on it.  Granted, you still might want to invest in a less-than-godly method like AlertBoot hard drive encryption solutions.  You know, just in case the Gods are not paying attention.

     

    Apparently, the Kanda-Myoujin Shrine in Tokyo is willing to bless computers against problems—like malware. (Perhaps even theft?)  Since antivirus software tends to miss the mark quite a bit, nothing like giving heavenly intervention a try.  Other blogs note, however, that blessings are performed on pretty much anything that seems to be technology-related: blogs, the blue screen of death, computer hardware, other electronic devices, etc.  Apparently, it all started with local IT guys frequenting the shrine, and it spread…like a virus.  It’s all about location, location, location: the Kanda Shrine is within easy walking distance of Akihabara, the celebrated Mecca of consumer electronics. (Although, based on the reviews I’ve read of the shrine itself, people seem to find the shrine a bit disappointing.)

     

    Let’s assume that these blessings work.  I mean, the power of the ethereal and whatnot—if Harrison Ford has taught me anything, it’s that you just don’t mess with the ethereal: Arks; magical, glowing stones; wooden cups; crystal skulls…I’m sure Shinto blessings have a place in that list.  If this works, does it mean that disk encryption is out of business?

     

    Not quite, I’d say.  The problem is that, as far as I know, the blessings have to be done in situ.  So, your computers have to be present at the shrine, as they’re blessed.  What if your computer (and your data) gets lost en route to Tokyo?  Food for thought, no?  Encryption just doesn’t go out of style…

     

    Also, I notice a lot of pictures (actually, the same picture in multiple sites) of the blessings and talismans floating around.  I’m not sure who it belongs to, but word of warning: they tell me that that thing has to be stuck on to the body of whatever you’re trying to protect.  I can understand how to stick a talisman to a laptop, but how do you do it for a blog?  Can you scan the essence and upload it?  How does that work?

     

    Related Articles:

    http://otakuinternational.com/2008/09/shinto-blessing-is-the-new-antivirus-for-otaku-pcs/

     