AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

November 2008 - Posts

  • Looking For Disk Encryption Software For Computers At Home? You May Want A Managed Encryption Service

    The importance of data security is not relegated to the office alone.  Plenty of people feel more comfortable knowing that the information on their home computers, be they a laptop computer or a desktop, is protected with data encryption software.  However, there are hazards in the use of encryption if you’re not careful.  If you don’t know what you’re doing, you may be interested in encryption as a service as opposed to a solution you have to manage yourself.

    Using encryption is admitting there is a chance that your computer might get stolen one day, just like insurance is admitting you could end up in an accident.  No guarantees, but if it happens, you’re glad you decided to protect yourself beforehand.  If you work out of your home or happen to scan all of your documents to your computer -- including bank statements and other information you may deem sensitive, but don’t want to deal with clutter -- you’ll benefit greatly from the use of disk encryption or content encryption (they both work to protect your data in similar, yet different, ways).

    There are many encryption products out in the world, including free ones (free like in free beer).  However, there is something important you should keep in mind when using such products.

    1. Make sure the encryption software you select uses a properly vetted encryption algorithm.  The algorithm is the heart of any data security tool.  RSA or AES are good choices.  They’ve been properly vetted by experts and amateurs alike, and the worldwide consensus is that they’re very good at protecting your data.  There are plenty of people who try to create a new algorithm every year, and most of them fail when thousands of people test them.
    2. Make sure it supports strong encryption.  Any encryption using 256-bit keys is deemed strong.  If you’re offered less than 128-bit keys, you should look for a different encryption product.
    3. Make sure you always keep a copy of the encryption key you end up using.

    Despite the brevity of that last entry, it’s probably the most important of the three.  The encryption key is what allows one to decrypt the data.  That is, it allows you to restore the protected information, since encryption protects data by scrambling it (if you’re not looking to restore the information, it’s always advisable to destroy it, not encrypt it.  Remember, what’s not there cannot be stolen).

    Normally, the computer in which you’ve got encrypted information will have a copy of the encryption key, since it’s required to both encrypt and decrypt the information.  However, there are cases when the encryption key is not available anymore.

    For example, if your computer is stolen.  Mind you, the stolen computer’s data is encrypted, so the information cannot be accessed by the thief.  Everything is good with the world.  But, chances are you need that data.  As a conscientious person (you’ve got to be…you’ve decided to use encryption), you pull out your backup disk to restore the data.  However, the encryption key lies…on the stolen laptop.  Uh-oh.

    If you don’t have a copy of the key, there is no way for you to access the data on the backup disk, since the same technology that keeps your data safe from the thief also prevents you from accessing it.  Plus, not only do you have to make a copy of the key, you must make sure you can find it.  If you’re anything like me, you’ll forget where you decided to store that key in the first place.

    This is probably the number one reason why, despite free products out there, people decide to use encryption as a service.  Many think that encryption as a service is for companies only, since it allows easy and fast parallel deployments -- in other words, you can encrypt a lot of computers at the same time.  But, even though most people have one or two computers in the home, the management and safeguarding of encryption keys is a real issue that can’t be overlooked; so, in the interest of keeping one’s sanity after a distressing experience, people choose to sign up for managed encryption.

    The upside to such a service is not only that someone else is ensuring your key remains safe and available when needed, though.  Companies like AlertBoot that offer managed encryption software suites also add value by helping you if you forget your password (you need two things to decrypt data: the encryption key and, usually, a username and password…although some will allow the use of tokens).  For example, you can reset your password after it can be verified that you are, indeed, you.  The process is similar to resetting your password for a Yahoo! or Google mail account.  You can even choose what the questions are by typing them in directly.  Or, if you don’t have access to the internet, call support for help resetting your password.
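
    The key-copy problem from point 3 above, as an added example that is not part of the original post or of any AlertBoot product: a backup is encrypted with a 256-bit AES key, the laptop holding that key is lost, and the backup is restored only because a copy of the key was wrapped under a recovery passphrase and stored elsewhere.  The function names, the passphrase and the sample document are constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not any product's API.
const crypto = require('crypto');

// Encrypt with AES-256-GCM. Output is iv (12) || tag (16) || ciphertext, so
// the blob is self-contained and stays protected wherever it is copied.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Reverse of seal(). Throws if the key is wrong or the blob was modified.
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Key escrow: derive a wrapping key from a recovery passphrase with scrypt
// and encrypt the data key under it. The result is safe to store off-device.
function wrapKey(dataKey, passphrase) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(passphrase, salt, 32);
  return { salt, wrapped: seal(kek, dataKey) };
}

function unwrapKey(escrow, passphrase) {
  const kek = crypto.scryptSync(passphrase, escrow.salt, 32);
  return open(kek, escrow.wrapped);
}

// Helper: report whether an operation succeeds instead of throwing.
function attempt(fn) {
  try { fn(); return 'succeeded'; } catch (e) { return 'failed'; }
}

// Constructed scenario: the laptop holds the working key, the backup disk
// holds only ciphertext, and the escrow record is kept somewhere else.
function scenario() {
  const doc = Buffer.from('constructed sample: scanned bank statement');
  const laptop = { dataKey: crypto.randomBytes(32) }; // 256-bit key
  const backupDisk = { file: seal(laptop.dataKey, doc) };
  const escrow = wrapKey(laptop.dataKey, 'constructed recovery passphrase');

  laptop.dataKey = null; // the laptop is stolen; its copy of the key is gone

  // Without the key, the owner is in the same position as the thief.
  const withoutKey = attempt(() => open(crypto.randomBytes(32), backupDisk.file));

  // A wrong passphrase does not release the escrowed key either.
  const wrongPassphrase = attempt(() => unwrapKey(escrow, 'wrong guess'));

  // With the escrowed copy, the key and then the backup are recovered.
  const recovered = unwrapKey(escrow, 'constructed recovery passphrase');
  const restored = open(recovered, backupDisk.file).toString();

  return { withoutKey, wrongPassphrase, restored };
}

console.log(scenario());
```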

     
  • The Difference Between Disk Encryption, File Encryption, And Password Protection: A Very Short Primer On Encryption And Related Data Security Products

    And I do mean short.  I’ve met a lot of people who didn’t quite understand the difference between hard drive encryption software and file encryption software, or who were assuming one is the other.  It seems to me that such confusion can only lead to disappointment with encryption products, so here’s a really, really basic primer on what’s what.  I've kicked up "password protection" in the list below since it's of notable interest.

    Password Protection
    A lot of companies and agencies announce, when their laptop computer is lost or stolen, that it had password protection.  It’s the worst kind of “security” you could possibly have for your data.  In fact, I call the term “password protection” a misnomer because it doesn’t really afford you any protection.

    The real-world counterpart for password protection is hiding stuff beneath your mattress.  Now you understand why data security professionals tear their hair out whenever they read that something was password protected.  The game’s over if someone decides to look under the mattress.

    And, surprisingly enough, bypassing password protection is about as easy as lifting up a mattress.  All you have to do is pull out the computer’s hard disk and plug it into another computer.  That’s it. 

    Encryption
    A process for keeping data a secret.  The only way to unearth the secret is to provide the correct key.  I won’t go into the details of how it works, but essentially it will take an entry like “keep this a secret, OK?” and turn it into “wKsn a@kn q si1n,z$ !nZ.”  Provide the key, and that crazy jumble of words, numbers, and symbols will turn back into the original text.  Modern strong encryption is so advanced that, if someone were to try every combination possible to crack the crazy jumble, they’d have to take all the computers in the world (including supercomputers) we have now and run them for centuries to take a guess at what the jumble means.

    Data Encryption
    Ambiguous terminology.  It could mean either disk encryption or file encryption since both deal with data.  I personally don’t think it’s any more descriptive than the term “encryption.”  If anyone is trying to sell you a product that does “data encryption” you may want to ask whether it’s disk encryption or file encryption.  As you’ll see below, they protect your data in different ways.

    Disk Encryption
    Disk encryption is the encryption of an entire disk -- not just specific files.  In other words, if you open up your computer and pop out the hard drive, all the contents of that physical hard drive are encrypted.

    Disk encryption is also known as hard drive encryption, full disk encryption, whole disk encryption, and partial combinations of these three (hard disk encryption, full hard disk encryption, etc.).  If anyone or anything alludes to an entire disk being encrypted, chances are this is what they’re talking about.

    The real-world counterpart to disk encryption is the use of a safe (strongbox, if you prefer) with a built-in lock.  That is, if you place any documents and close the door of the safe, the documents are protected.  The only way to get back those documents is by knowing the combination or having the key to the lock, or busting the safe’s door open.

    Likewise, any files that you save on a computer or digital device with full disk encryption will be encrypted (read: protected) automatically due to the fact that disk encryption is being used.  However, if you decide to e-mail that same file to someone else, it will not be protected anymore, just like taking a document out of a safe means that document is now not secure.

    File Encryption
    File encryption is the encryption of specific files only.  So, if you have only two documents on your computer, you can choose to encrypt one but not the other.  Unlike disk encryption, which I mentioned above, you actually have to make a decision on what you’re going to have encrypted. (This does not necessarily mean that you have to remember which files to encrypt every time.  There are managed data encryption service providers like AlertBoot that allow the use of “policies” to automate the process.  For example, your Excel files will be encrypted automatically but not any jpegs saved to your computer).

    Unlike disk encryption, since the actual file is encrypted, passing around the files (via e-mail or otherwise) will still ensure the security of those files.

    File encryption is also known as content encryption.

    There is no real-world counterpart to file encryption except encryption itself.  It might be useful, though, to think of file encryption as translating a document into a language only you know.  So, if you leave the translated document on a table and someone picks it up, that person can’t make heads or tails out of it.

    Folder Encryption
    Folder encryption is the same concept as disk encryption, in that anything that’s saved to a particular folder (or, directory, if you prefer) is encrypted.  Take the file out of the folder, and it’s not encrypted anymore.

    Knowing When To Use What
    When it comes to encryption products, there are pros and cons.  For example, disk encryption is great in the event your laptop gets stolen.  On the other hand, if you send a sensitive file to the wrong person via e-mail, you can’t rely on disk encryption to protect you; file encryption is what you want.  If you’re looking into USB disk data security to protect external hard drives, your options are the same as those for a laptop or desktop computer, since the data to be protected resides in the same component: the hard disk.

    Sometimes it will be hard to know what your specific data security needs are, and you’ll need to consult with a professional.  You may need different encryption products to be used at the same time; it certainly is not unheard of to use both disk and file encryption on the same machine, although at first glance it sounds like overkill.

    Regardless of what you decide to use, the one thing to take from this one article is that you should never, ever under any circumstances come to the conclusion that password protection is protection.

     
  • Court Reporter’s Laptop Computer Without File Encryption Is Stolen In Home Burglary

    Tulsa police are looking for the thief that forced his way into a home and stole a laptop computer…and a dog.  A Maltese, more specifically.  If you’re familiar with that particular breed, you know the little fella wasn’t there to protect the computer.  Speaking of which, it contained plenty of private information: names, addresses, phone numbers, SSNs, medical records, and other good stuff.  Unfortunately, the computer in question did not use laptop encryption software like AlertBoot to protect all that data.  The only protection in place, besides the presence of the dog, was the front door which the thieves kicked in (subtle!), according to the report.

    Whether the theft of the laptop computer will actually lead to a data breach is debatable.  As most information security experts will point out, the conversion rate, if you will, of computer thefts to information security breaches is quite low.  On the other hand, it’s also true that this is an assumption.  Even if it were a documented, verifiable truth, I would presume that such statistics lag behind current events: that is, it may have been true five years ago, but it may not necessarily be so now.

    For starters, there has been so much coverage in the media regarding stolen information and identity theft that I doubt even petty thieves fail to realize that the value of a stolen computer lies in the information contained within.  Plus, the problem with statistics is that people tend to remember what they heard the first time around (behavioral psychologists call this phenomenon “anchoring”), and never follow up to see what’s happened since, so there’s a lot of old data making the rounds.

    Then, there’s the fact that, supposedly, the thieves passed through the living room and stole her laptop computer from the dining room.  If I were targeting a random home, and kicked in the front door, causing a lot of noise, I would steal the first thing that I could easily lay my hands on and sprint away with.  Like a DVD player, for example, or a Wii…Christmas is around the corner and there’s bound to be a shortage.  I certainly wouldn’t scan the room, note things of interest, and move over to another room to see what other goodies were available.  Makes one wonder if the computer was targeted.  The police don’t think so.  And supposedly there were 54 break-ins in the area this year alone, so it’s kind of a high-crime area.

    I guess what’s important to remember is that any place where you normally could have a break-in, regardless of whether there was one or not, is not a good place to keep sensitive data.  Like your home or your car.

    However, life happens to be a juggling act, and people will take their work home.  The fact that work means dealing with sensitive information is irrelevant in a society where the pressure is there to perform…or else.  It seems to me that it would be best to arm such mobile workers with the right security tools.  There are different ways of approaching it.  Some recommend VPNing, or logging in remotely but securely, into a network.  After all, if you don’t save data to a laptop, its theft cannot lead to a proper data breach -- there is no sensitive information stored on the device.

    On the other hand, how can you guarantee that all of your employees are living in an area where stable internet connections are available?  You can’t, unless you’re willing to relocate everyone to where such networks are available.  VPN is not feasible in many instances.

    The alternative is to use encryption software products like hard disk encryption to protect the contents of laptop computers, or to ensure usb disk data security for external hard drives.  And if you’re not looking to protect everything within the computer’s hard disk, you can go with file encryption, and ensure that only those files that need protection are encrypted.

    Related Articles:
    http://www.fox23.com/news/local/story.aspx?content_id=ffe4847e-8623-43b7-9f18-29c66c776f3a

     
  • Leicester Loses USB Memory Stick With Sensitive Information On 80 Babies, Did Not Use File Encryption

    Council bosses at Leicester City have announced the loss, or possibly the theft, of a computer memory stick that held sensitive information of 80 babies and their families.  The personal information included names, addresses, dates of birth, and telephone numbers.  The USB memory stick was last seen in a nursery that was run by the city council.  The use of disk encryption software like AlertBoot would have spared the council from having to offer some drastic amends for the latest data breach in the UK.

    According to an article at SC Magazine, the parents or caretakers of the children affected by the breach will be given help on how to change phone numbers, which is pretty easy, or “in extreme circumstances, will even be offered help changing address.”

    That latter part must mean that the council will help families relocate.  That’s kinda extreme, no?  While I’m not sure what kind of circumstances could possibly lead to a move (perhaps, a single mother who’s trying to get away from an abusive relationship?), I assume that a move would require more than moving next door, or even down the street.  Perhaps the next county over.  Possibly a different city.

    The above cannot be cheap.  If you’re a cynic, like I am, you may believe the above offer was made because the council doesn’t think it will come to pass; at the same time, it sends a strong message that they’ll accept responsibility for this latest fracas, hopefully diverting from their way some of the criticism and vitriol that is bound to be tossed around.

    If the council wanted to be seen as being responsible, though, they would have invested in data security solutions, like hard drive encryption software for computers or file encryption software for content protection.  Both types of encryption, despite their names, work when it comes to USB memory sticks; USB disk data security need not be hard to deploy.

    The question, though, in this very specific case, is whether the loss of the flash drive is worth the hubbub.  Names, addresses, dates of birth, and telephone numbers are not exactly sensitive information.  As plenty of people will point out, such information is sold and purchased by reputable companies, and most of the lost information is available in telephone books.

    On the other hand, there is the additional information that these children, and their caretakers, were using the facilities run by the council.  I guess it would just be one step to call the parents and phish some information out of them: “Hi, my name is so-and-so at the nursery.  Your child’s records are being updated, and we’re missing some information.  We’re sending a form to your address on file…etc.”

    How many would not fall for the scam in a similar situation if they hadn’t known about the breach?  Not many, probably.  To begin with, the scammers in the above scenario have information people ordinarily wouldn’t have -- that a particular nursery is being used -- plus, they’re not demanding or collecting the information right away, and people tend to let their guard down in such situations.  (Oh? You’re calling to let me know you’re sending a form?  How nice!  How thoughtful!  How professional!)

    It seems to me that the council did well by raising the alarm, regardless of how people feel that they “can’t really see what the problem is here.”

    Related Articles:
    http://www.thisisleicestershire.co.uk/news/Children-s-data-lost-nursery/article-474309-detail/article.html
    http://www.scmagazineuk.com/USB-stick-containing-childrens-details-lost-in-Leicester/article/121031/

     
  • CIA Operative Is A Footy Jock With Tattoos: Why USB Key Security Requires Data Encryption

    I’ve got to laugh at this story I’ve come across, not because it’s funny, but because it’s wrong on so many levels.  It just goes on to show why the concept of data security was conceived in the first place, and why data encryption software is required if one’s dealing with sensitive information.  You know, because one’s job happens to require handling confidential government information.

    The Australian Federal Police (AFP) was the source of a data breach at a hotel in Nepal.  Apparently, AFP agents were sent to Nepal, a country 5000 miles away from the land down under, to investigate the October plane crash in that country (two Aussies were killed in the accident).  One of these AFP agents left a USB key device in a hotel computer.  It’s hard to tell from the news articles whether it was at the hotel’s business center or some other type of public-access kiosk.

    One thing that can be determined, though, is that these were public computers.  An unnamed guest, a non-government worker, who I assumed was involved with the plane crash investigation, deleted the sensitive information from a USB stick that was attached to a computer.  And about three weeks later, deleted other sensitive information from another hotel computer as well.

    According to The Age, an Australian publication, these are some of the contents:

    • Police photographs of charred remains, as part of the plane crash investigation
    • Diplomatic cables, one of them marked as “consular-in-confidence.” In other words for-your-eyes-only (the you here would be the ambassador and assorted others.  But not hotel guests, I reckon)
    • Copies of personal e-mail, including one where an Australian agent described a CIA agent as “a bit of a footy jock but covered with some huge … tattoos (stacks of them) and dressed like a total backpacker”
    • Strategies for sharing information with foreign agencies (not just Nepal, I assume)
    • A document marked as “protected” that detailed a meeting between an AFP agent and a secret foreign military organization
    • Plus other stuff

    Like I said, wrong on so many levels.

    In some ways, the contents of the breach (i.e., the e-mail about the footy jock), and how information security was bypassed, suggest that the accident was bound to happen eventually.  I mean, does the above sound like the results of a mistake by a brilliant guy, or the actions of an imbecile?

    Take, for instance, the description of the CIA agent by the AFP operative.  Should anyone be surprised to find CIA operatives that dress like a total backpacker in Nepal?  Let me tell you, if you happen to be non-Nepalese, the only way to blend in is to dress like a total backpacker or some other type of tourist -- especially if your job happens to be to gather information while roaming the countryside -- because that’s what non-Nepalese who roam the countryside do in Nepal: they backpack.  You gotta blend in; an addendum to gathering intelligence is to not get caught doing it.
     
    Then, there’s the fact that someone copied sensitive information to a computer that’s freely used by anyone who, not only is a guest of the hotel, but is able to walk in through the front doors (hm...in hindsight, walking is not really necessary; someone could wheel you in as well.  Rolling because one's monstrously obese may be an option, too).  Was this guy insane?  The fact that he had access to extremely sensitive material in and of itself indicates he was near the top of the hierarchy; the guy on beat patrol doesn’t have access to confidential diplomatic cables, if you get my drift.  And yet, the guy who, by rank alone should know what he’s doing, makes a mistake a noob wouldn’t be caught dead in.

    And last but not least, someone forgets a memory device sticking out of a computer.  I’m not even going to entertain the possibility that there was USB key encryption used on the memory stick.  With such clowns running the show, there’s a good chance any disk encryption software was removed in the interest of letting the guys do their job; otherwise, it would just get in their way. (There are days when I actually believe this. Today is such a day.)

    There are many usb disk data security software products out there, including AlertBoot, which allows you to centrally manage encryption.  Protecting sensitive data is not difficult.  There’s no reason for you to get caught with your pants down like the AFP operative above.

    Related Articles:
    http://www.smh.com.au/news/national/secret-afp-files-photos-left-on-hotel-computer/2008/11/07/1225561135961.html
    http://www.theage.com.au/national/afp-security-breach-exposed-20081107-5k7v.html?page=-1
    http://www.boston.com/news/world/asia/articles/2008/11/08/australia_investigates_nepal_security_breach/

     
  • Tables Turn And Turn Again In Express Scripts Data Breach

    Express Scripts -- the pharmacy benefit management company I mentioned the other day -- is in the news again, less than one week after the extortion attempt was made public.  The criminals are now directly contacting Express Scripts’s clients, threatening to release personal information of the employees.  I never realized that extortion schemes scaled the way good software and business models do.  I’m just saying.

    Regardless of what the final outcome may be, it looks like Express Scripts did the right thing by making the extortion scheme public and not paying up.  I had imagined that, if the criminals had been paid off, they would continue to demand ransom from Express Scripts.  I hadn’t considered the possibility that they would attempt to pull the same trick with other companies as well.

    Imagine what would have happened if Express Scripts had decided to keep mum on the extortion attempt.  Clients to Express Scripts would have assumed that they had a data breach.  They’d wonder how or where they had a security lapse.  IT departments would be going crazy trying to figure it out: maybe it’s a misconfiguration in the firewall?  Didn’t download the latest software patches?  Maybe the data encryption software they’re using is flawed?  Maybe, maybe, maybe…?

    On the other hand, it could be that these extortionists are actually (somewhat) good at heart, and would have stopped any criminal activities once they had been paid off, which would mean that Express Scripts erred and escalated the situation.  Personally, I find it doubtful; there is no honor amongst thieves.

    Which may be what Express Scripts is counting on.  Along with the announcement that their clients were contacted, the benefit management company has announced a reward of (cue Dr. Evil of Austin Powers fame) one million dollars for help catching the criminals.  They take the ransom money and use it as a bounty.  It’s like the movie “Ransom,” starring Mel Gibson.  If life follows the same script, chances are it’s an inside job.

    Insiders.  According to some reports, insiders are fast becoming the number one reason for data breaches at companies, regardless of whether they had malicious intent or just happen to be klutzes.  The theory is that as IT departments become more able and responsive at curtailing network attacks, other data breach sources will take the top place.

    Related Articles:
    http://voices.washingtonpost.com/securityfix/2008/11/pharmacy_processor_offers_1m_r.html?nav=rss_blog
    http://www.bloomberg.com/apps/news?pid=20601103&sid=aStyqUsr4vX4&refer=us
    http://www.businessweek.com/ap/financialnews/D94CVLJO0.htm

     