AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

October 2008 - Posts

  • Laptop Theft Leads Aussie Data Breaches, Data Encryption Is Tops For Data Security

    According to the first data loss survey Symantec has run in Australia, 80 percent of local companies had at least one data breach in the past five years, and 40 percent had between six and twenty breaches in the same period.  Furthermore, 59 percent of businesses think they may have had a data breach they are not aware of.  The leading form of data protection is encryption, probably either file encryption or hard drive encryption like AlertBoot, which shouldn’t be a surprise, since the primary cause of a data breach was the loss of laptops (45%). 

    This is followed by human error (42%), lost portable devices (30%), hackers (29%), malicious insiders (28%), lost paper records (26%), and malicious code (malware, 24%).  These figures probably don’t add up to 100% because a company could experience multiple data breaches which were not similar in nature.  For example, lose a laptop one day, lose a briefcase full of documents the next.  What I can’t figure out is how human error got its own category.  I mean, aren’t they all caused by human error?

    Regardless, these figures could be used, in a way, as a measure of how advances in technology have reduced data security over time.  Laptops and portable devices together account for 75% of data breaches, whereas paper records account for 26%, which is a huge number on its own (so the halcyon days of yore were probably never as secure as we believed them to be).

    But, and this is a simplified point of view, the advent of the digital age seems to have wreaked havoc, in this case by nearly three times.  One can’t even argue that the above results don’t take into account the diminished importance of paper records since, if I recollect correctly, people are using more paper than ever.  So, this is not a case where laptops have taken the place of paper -- laptops are just an additional source of information security breaches on top of those caused by paper documents. (Of course, a counterargument could be that we use more paper than ever, but sensitive information as printed material has been decreasing overall…except I don’t see that disclosed anywhere.)

    This is the thing, though: the use of laptops and portable disks doesn’t necessarily need to mean increased incidences of data breaches, a term that has to be redefined.  Currently, a data breach tends to mean any instance where something containing data is lost or missing—even if the contents are protected with the use of full disk encryption.  But, is that really a data breach?

    I would argue that the definition of a data breach has to be grounded on whether the information can be easily accessed or not, just like paper documents are considered to be protected when inside a building as opposed to lying in garbage bags by the curb, unshredded.  Realistic accessibility is the key in this matter.  Bypassing a computer’s operating system’s password-protection is easy; bypassing encryption is notoriously hard.  If a laptop computer is encrypted, and no stupidity was involved (having the username and password anywhere on the laptop is stupidity; leaving a laptop in your car…well, I tend to think it leans more towards carelessness), there should be no reason why the loss of a laptop computer should be classified as a data breach.

    Ultimately, a data breach should focus on the data: is the data accessible by unwanted third parties?  If not, then there is no breach.  Note that there is a solution available today to keeping data secure even if the physical object housing it is missing or stolen.  It’s called encryption software.  No such tool exists for paper documents, unless you count those briefcases that have built-in locks with three dials.  Give me a beer, though, and I can crack through that in less than two hours.


    Related Articles:
    http://www.australianit.news.com.au/story/0,25197,24530567-15306,00.html
    http://www.smartcompany.com.au/Free-Articles/Trends/20081022-Four-in-five-Australian-companies-suffered-data-breach-in-past-five-years.html

  • CollegeNet Did Not Use Laptop Encryption On Lost Computer

    CollegeNet, a company that brands itself “the world's leading 'virtual plumber' for higher education internet transactions” and proclaims that “it pays to think” has filed a letter with the Maryland Attorney General’s Office to alert them of a data breach.

    While not mentioned in the letter to the AG, a copy of the letter to be sent to affected MD residents explicitly mentions that the data was not encrypted.  Of course, without the use of encryption software like hard disk encryption from AlertBoot, the names, addresses, phone numbers, email addresses, SSNs, driver’s license numbers, and dates of birth could be potentially exposed to identity thieves.

    While CollegeNet has not revealed how many people were affected overall, it is required to report how many Maryland residents were affected to the MD AG, twenty-three people in this case.  And while we can expect the total number to be much bigger, it doesn’t seem to me that it will number in the tens of thousands like some of the more high-profile cases.  That’s because the letter also makes it clear that the lost laptop contained information for people who applied with the NFLPA to be a contract advisor, i.e., a sports agent.  This explains the cornucopia of information that was lost; according to what I’ve read, becoming a certified agent also requires a background check.  Since it’s confined to people who are trying to become sports agents, I’d imagine the upper limit on how many people will be affected is quite low.

    CollegeNet has stated that the stolen computer did have password-protection, but this is not really protection.  Password-protection, if it’s specifically tied to a computer’s operating system, can be bypassed quite easily without providing a password at all.  All one needs is a screwdriver and nimble fingers.  What CollegeNet should have done is encrypt the contents, either using file encryption to protect individual files or employing full disk encryption to protect the contents of the entire computer’s disk.  Especially if they were going to store all of this information on a laptop computer that would end up unsupervised in a car.

    When it comes to protecting portable digital devices like laptops, PDAs, cell phones, and others of its ilk, there are three rules to follow.  One, tie it down to something.  Two, if you can’t tie it down, keep your eyes on it.  Three, make sure no one whacks your head from behind; otherwise, the second rule is broken.  When it comes to protecting data on portable devices, though, there are two rules, as far as I’m concerned.  One, encrypt that stuff.  Two, do not stick to the device a sticky note with the username and password for accessing the protected data.

    You’ll notice that there is no rule number three.  That’s because, if unauthorized people are trying to access the contents of your encrypted data, the last thing they want to do is whack your head, assuming you followed rule number two.  Forgetting your username and password would be a great way to keep the contents secret, permanently.  (Well, for all intents and purposes.  Three hundred years or more is a long time to wait to force open that content).


    Related Sites:
    http://www.collegenet.com/about/index_html
    http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU159173.pdf
    http://www.pogowasright.org/article.php?story=20081021062524130
    http://breachblog.com/2008/10/21/collegenet.aspx?ref=rss
    http://athleteagent.blogspot.com/2008/01/nflpa-agent-certification-deadline.html

  • Movie Theater Chain Loses Back Up Tape With Employee Data, Assumed File Encryption Was Not Used

    Regal Entertainment Group, the largest movie theater chain in the US, and parent to Regal Cinemas, United Artists Theaters, and Edwards Theaters, has filed a letter with the New Hampshire Attorney General, alerting that they have experienced a data security breach that involves at least 120 New Hampshire residents.  While it wasn’t mentioned -- and personally, because it wasn’t mentioned -- it seems likely that data security solutions like file encryption from AlertBoot were not used.  If someone is using encryption to protect data, it’s usually a fact that’s paraded around; consequently, not mentioning encryption tends to be because it wasn’t used.

    Employees are being offered identity theft protection and fraud resolution services for one year, free of charge.  And in what may be one of the worst employee-relations letters ever written, employees are being alerted that the company’s investigation “indicates that some of your [the employees’] personal information, including your Social Security number, name, and address may have been included in the lost backup tape.  However, it is important to note that absolutely no customer or guest data was exposed.” [emphasis theirs]

    I’m sure the fact that customers were not affected is important when you consider the bigger, overall picture.  However, is this what a company wants to be emphasizing when sending a letter to employees? Or rather, is this what employees want emphasized?  I guess the answer is “yes” if they’re just so totally focused on the customer.  However, my guess is that in addition to employees grumbling about management incompetence, a great majority will read the above words and state that the company doesn’t care about them; it’s just human psychology to do so.

    It behooves Regal Entertainment Group to start using backup tape encryption.  Beyond preventing a recurrence of employee information being put at risk, there is a legal reason: Massachusetts has already passed a law stating that sensitive, personal information must be encrypted if stored in digital format, including on backup tapes.  And the definition of personal, sensitive information includes the combination of names and SSNs stored in the same medium.  Assuming the lost backup tape includes employees working across all states, Regal would have been in breach of Massachusetts law (the law takes effect beginning next year – only two months away) just by losing the backup tape.


    Related Articles:
    http://doj.nh.gov/consumer/pdf/regal.pdf
    http://www.pogowasright.org/article.php?story=2008101720462698

  • Wouldn’t You Prefer File Encryption Over This IBM Security Laptop Computer?

    It looks like the constant news of data breaches is beginning to arrest the attention of designers as well.  One Mr. Nicolas Lehotzky is garnering some coverage over at gizmodo.com for his mockup of a laptop computer that was designed with security in mind.  Of course, being only a mockup, the device still needs some details to be hashed out.  But still, it seems to me that the overall concept wouldn’t offer any advantages over existing data security solutions like full disk encryption from AlertBoot, among others.

    If you’re hankering for a gander, go over to his portfolio.  The first thing you’ll notice is that there is a huge metal knob on the left, rising from the wristpad.  This would be the lock for when the laptop computer is closed shut.  It’s also a biometric scanner, so the laptop won’t open unless the correct fingerprint is scanned.  There is also USB port security provided in the form of a sliding cap, which I assume is also lockable.

    Good ideas, no doubt, but the problem is that the design literally focuses on laptop security and not necessarily data security.  There is a significant difference between computer security and data security: the former is no different from what you would do to secure stuff in general, like canned goods.  You attach it securely to something or lock it up in a safe place.  Data security, however, is a little different.  Even if you’re able to physically tie down a computer, you can have a data security breach: hackers breaking into your network; rogue employees downloading information; etc.  And this is due to the nature of information, which is ultimately a metaphysical concept.

    Locking a laptop’s lid shut is just a temporary impediment when viewed from a data security standpoint, so it’s neither here nor there, if you really think about it.  It doesn’t prevent the theft of the laptop in the first place (you’d need the computer to be chained), nor does it actually end up protecting data.  In order to get to the data, all one has to do is get rid of the lock.  This may mean having to cut parts of the laptop’s lid/screen, but so what?  Assuming the fingerprint scanner and other security measures work, the laptop is no good since it can’t be resold -- it’s essentially a brick.  The thief has the option of either returning the device, tossing it whole, or trying to salvage something from his criminal venture.

    I think most thieves will go for the last option.  I imagine that in the not so distant future, laptop security measures like the above will not slow down computer thefts.  Instead, the equivalent of computer chop shops will be created.  If the entire computer can’t be sold, the only way to make a profit is to sell it in parts.  And while there is technology for tracking laptops, some built into the BIOS while others are completely software-based, there is no technology yet for tracking RAM, formatted hard drives, graphics cards, etc.

    And what happens to the data?  Well, the data is still vulnerable, since it’s not encrypted.  About the only thing I like about the above concept is the port control aspect, and even that is not truly secure, since it’s just a matter of cracking another physical barrier.  A better solution might be the use of port control from the inside.  AlertBoot, for example, allows a person to control which devices can connect to the ports for data exchange.  So, you can specify that mice can be used but not iPods, ensuring true data security that cannot be bypassed while still making use of the ports.
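    To show how software port control of the "mice but not iPods" kind decides, here is an added example (not AlertBoot's code, whose policy language is not described here) in Python: devices are judged by the USB interface classes they expose, so a composite gadget that presents a keyboard interface and a hidden storage interface is still refused. The device records are constructed.

```python
"""Class-based USB port control: allow input devices, refuse mass storage,
even when the storage interface hides inside a composite device."""
from dataclasses import dataclass

# USB base class codes from the USB-IF class code table.
USB_CLASS_AUDIO = 0x01
USB_CLASS_HID = 0x03          # mice, keyboards
USB_CLASS_MASS_STORAGE = 0x08 # thumb drives, iPods in disk mode
USB_CLASS_HUB = 0x09


@dataclass(frozen=True)
class UsbDevice:
    name: str
    vendor_id: int
    product_id: int
    interface_classes: tuple  # one base class code per interface


@dataclass(frozen=True)
class PortPolicy:
    allowed_classes: frozenset = frozenset({USB_CLASS_HID, USB_CLASS_HUB})
    blocked_classes: frozenset = frozenset({USB_CLASS_MASS_STORAGE})
    # Explicit exceptions, e.g. a company-issued encrypted drive. Vendor and
    # product IDs are trivially cloned, so keep this list short and audited.
    allowed_ids: frozenset = frozenset()

    def decide(self, dev):
        """Return (verdict, reason). Blocklist beats allowlist; the explicit
        vendor:product exception is the only thing that beats the blocklist."""
        if (dev.vendor_id, dev.product_id) in self.allowed_ids:
            return "allow", "explicitly approved vendor:product"
        if not dev.interface_classes:
            return "block", "device exposes no interfaces"
        hits = [c for c in dev.interface_classes if c in self.blocked_classes]
        if hits:
            return "block", f"interface class 0x{hits[0]:02x} is blocked"
        if all(c in self.allowed_classes for c in dev.interface_classes):
            return "allow", "every interface is on the allowlist"
        return "block", "interface class not on the allowlist"


def audit(policy, devices):
    """Map device name -> verdict, and emit one log line per attachment."""
    verdicts = {}
    for dev in devices:
        verdict, reason = policy.decide(dev)
        verdicts[dev.name] = verdict
        print(f"usb-policy {dev.vendor_id:04x}:{dev.product_id:04x} "
              f"{dev.name!r} {verdict} ({reason})")
    return verdicts


# Constructed sample devices; IDs are made up and not real vendor codes.
MOUSE = UsbDevice("optical mouse", 0x1111, 0x0001, (USB_CLASS_HID,))
IPOD = UsbDevice("music player", 0x2222, 0x0002,
                 (USB_CLASS_MASS_STORAGE, USB_CLASS_AUDIO))
SNEAKY = UsbDevice("keyboard with flash", 0x3333, 0x0003,
                   (USB_CLASS_HID, USB_CLASS_MASS_STORAGE))
HUB = UsbDevice("4-port hub", 0x4444, 0x0004, (USB_CLASS_HUB,))
CORP_DRIVE = UsbDevice("issued encrypted drive", 0x5555, 0x0005,
                       (USB_CLASS_MASS_STORAGE,))
SAMPLE_DEVICES = (MOUSE, IPOD, SNEAKY, HUB, CORP_DRIVE)
CORP_POLICY = PortPolicy(allowed_ids=frozenset({(0x5555, 0x0005)}))

if __name__ == "__main__":
    audit(CORP_POLICY, SAMPLE_DEVICES)
```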


    Related Articles:
    http://gizmodo.com/5063894/ibm-laptop-concept-features-built+in-scanner-shredder

  • In The UK, You Have The Right To Incriminate Yourself If You Use Encryption Software

    Several sources are covering a judgment handed down by the England and Wales Court of Appeal which states that computer passwords have to be handed over to law enforcement if requested, even in cases where providing said password would give access to evidence that incriminates the suspect.  No doubt this is prompted by the power of data security solutions like laptop encryption software such as AlertBoot, which require so much processing power to break the protections in place that even the FBI gives up trying.

    A US case similar to this one found the opposite conclusion, that a password for accessing encrypted digital content cannot be forced out of one’s mouth. (And I must point out, as I have done in previous posts, that I am not a lawyer.)

    Most countries, when facing a case where there is no precedent, tend to (but, obviously, not always) see what arguments were made and what conclusions were reached in other countries for similar cases.  To date, I only know of the one in the US where a man crossing the US-Canada border was caught transporting child pornography in his laptop, which led to his arrest.  When officers tried to access the contents of the laptop after making the arrest, they found the contents were encrypted.  A judge declared that the password for accessing said contents cannot be forced out of the suspect since revealing it would be tantamount to incriminating himself.  In the UK, however, the key is viewed as neutral in this case -- that is, the key itself doesn’t incriminate, it just gives access to something that may, or may not, incriminate a person.

    For example, a suspect can be asked to produce a key to a drawer that may contain incriminating evidence if the police obtained that drawer within legal means; they could, of course, break open the drawer as well.  The key just simplifies the process.  Likewise for the data in a computer using file encryption: it could be brute-forced (good luck!), but the key simplifies the process.  The government cannot ask one to produce a key, though, if that key itself incriminated the suspect (I guess, like, if you keyed someone to death or something).

    The conclusion reached by the Court of Appeal is controversial, in my opinion, because it brings to mind the practices of bygone eras, like the Spanish Inquisition (which, nobody expects…with the exception of Monty Python fans).  What happens if the government asks you for a password you’ve forgotten (or even worse, don’t know), but that the government believes, quite erroneously, that you do know?  Torture is not allowed anymore in most countries to gain admissible evidence; however, there are penalties involved.  The refusal to cooperate by not divulging the password is punishable by two years in prison or up to five years in cases involving national security (and who knows what else.  Rendition is performed in the name of national security, right?)

    I mean, you’re screwed if there’s no incriminating evidence and if you want to cooperate.  It’s just that…you literally can’t remember.  How would you prove that to modern-day inquisitors?  I guess now there’s a real reason for developing and commercializing those lie detectors based on functional magnetic resonance imaging.

    Or, if you’re relying on encryption software to protect uninvited access to, er, uncontroversial information, like your business plans and collection of Care Bear images, you could go with a centrally managed encryption suite.  That way, someone would be able to reset your passwords if you ever forgot them.

    Of course, you would want to vet these people who are resetting the passwords for you.  It’s too bad Amish people can’t touch or get involved with most modern technologies.  I’d imagine their religious philosophy would make them the ideal candidates for such a job.


    Related Articles:
    http://www.out-law.com/page-9514
    http://business.timesonline.co.uk/tol/business/law/reports/article4944714.ece
    http://www.linuxworld.com.au/index.php/id;897277082
    http://it.slashdot.org/it/08/10/16/0311217.shtml
    http://www.bailii.org/ew/cases/EWCA/Crim/2008/2177.html

  • Sometimes, Endpoint Security Requires Something Less Advanced Than Hard Drive Encryption

    A team of intrepid news reporters at WHRW found that someone at Binghamton University had tossed a bundle of university documents listing out the sensitive information of fifty-six students who took courses in the mid-seventies.  This story wouldn’t be such a big deal except that there are so many things wrong with it, I don’t know where the irony ends and the impulse to kick someone in the nuts begins.  It’s unfortunate that there is no equivalent to data encryption solutions like hard drive encryption from AlertBoot that can be used on paper documents.  It would have prevented a lot of the following ills.

    To begin with, Social Security numbers, birthdays, and names were listed, as well as grades, classes, stipends, and addresses.  This latter set of information being revealed, I’d imagine, is not a very big deal since it is thirty years old.  However, names, SSNs, and dates of birth don’t change (usually) and are used today to commit identity theft.  Just one of those careless oversights that happens all the time, right?

    Wrong.

    These documents were placed on top of a bag of shredded documents.  This is wrong #1.  Data security is not something that you practice out of convenience.  I can only imagine two scenarios where someone would have the gall to do such a thing.  First, the shredder broke and they really had to take out the trash.  The correct thing to do would be to throw out the shredded stuff first and wait for the shredder to be fixed, not throwing everything out, regardless.  The second, and more likely scenario to me, is someone deciding it was not worth their time to continue shredding thirty-year old documents belonging to the German Department.

    Which brings me to wrong #2.  People generally like the college they attended.  Some keep their alma mater in their minds and set up a scholarship.  Such as Paul R. Ewald, class of ’72 and ’76.  A scholarship was established in his name in 1997 for students who “show an interest in the study of Germanic linguistics.”

    Mr. Ewald is deceased now, according to WHRW, but had the reporters not found the stack of papers, his name and SSN could have been used to apply for a home mortgage or a fake bank account if someone had picked up those documents.  I guess it’s true what they say.  A man may die, but his name will live on….


    Related Sites:
    http://bulletin.binghamton.edu/program.asp?program_id=897
    http://news.whrwfm.org/?q=node/135
