AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

December 2008 - Posts

  • Laptop Encryption Software: It Won't Lead To Drug Busts

    Which one should you use?  Laptop tracking software or laptop encryption software?  It's a trick question, really.  You want both: one to protect data, one to recover your laptop.  But if I had to choose one, I would opt for the latter.  Mostly because my laptop happens to be covered by insurance, but my data isn't (meaning my life, pretty much.  Which is technically not covered by life insurance).  But I have to admit that tracking software gives you better stories.

    According to dailyrecord.com, the theft of a laptop computer has led to a drug bust by the police.  The laptop was stolen from a student at Lehigh University.  The theft was reported to the police, and they tracked the laptop via the on-board anti-theft tracking system.  (There are two types of tracking technologies: one that uses technology similar to a car's LoJack and another that finds the computer's IP address when connected to the internet.  The latter obviously requires someone to get on-line with the stolen goods).

    Once the police arrived on site, they noticed the use of drugs.  Furthermore, the computer was analyzed after recovery, and it turns out there was evidence of drug sales and drug activity on that computer (were these guys selling their wares on eBay?).  A search warrant was obtained based on that information and people were arrested.

    This is a hell of a story.  And that's the problem with it: On the one hand it justifies this tracking technology.  On the other, it plants the seeds for its eventual ineffectiveness.  This story is bound to spread.  That's not a problem for LoJack-type technology, but, as far as I know, most laptop tracking services require the stolen computer to be connected to the internet, eventually.  As more laptops are recovered using similar methods, it's just a matter of time before thieves learn not to connect to the internet on stolen computers. 

    So, if you have to choose between tracking software and encryption, which one do you choose?  What is your priority?  Hardware is hardware - a replacement can always be found.  But data…that's a little different.

    Insurance aside, this is the true reason I use hard disk encryption solutions: There's plenty on my computer that I would hate other people having access to.  Tracking technology is great, when it works.  But even if it does work, there's no guarantee that my data will be protected while the police do their thing, as the story above clearly illustrates.

    Related Articles:
    http://www.dailyrecord.com/article/20081226/UPDATES01/81226014

     
  • Focus On Data Encryption Software Is Wrong Approach To Data Security?

    The holidays tend to make one more philosophical.  For most people, it becomes a time to ruminate on what is truly important: family, health, love, friendship, world peace…  Then there are others like myself who wonder about some aspect of their jobs.  For me, the holidays have given me the time to ponder whether, as many critics have pointed out, focusing on the use of data encryption software is the wrong approach to data security.  Many point out that not having any sensitive data is the correct approach: if there's no sensitive data, there's nothing to be breached, meaning there is nothing left to encrypt.

    This means there is no need for encryption, and the associated hassles of keeping track of, and making backups of, encryption keys; supporting end users, such as resetting passwords; and keeping track of said encrypted machines via audit reports. (And, if I may point out, all of these are made infinitely easier with a centrally managed encryption product like AlertBoot).

    I have to admit that not collecting sensitive data in the first place is the best practice.  But is it realistic?  After all, you have to collect some data.  For example, if you're billing someone for monthly services, like a cell phone company or a cable TV company would, you've got to collect their names, addresses, phone numbers, and some method of payment, be it credit card or checking account numbers.  Otherwise, the only option is to have customers show up with cash at an authorized payment processor, a practice that is not readily available to all.

    Should a guy living in the middle of nowhere have to travel 40 miles to pay for his satellite internet?  Completely forbidding the collection and retention of sensitive data--financial information, in this case--would mean serious logistical issues.  Granted, he could live his life without internet access, but what about water and electricity?  Sending a check when billed would constitute giving a company sensitive data (your account number and bank routing numbers are on that check).

    Our original statement has to be amended: sensitive data shouldn't be collected more than necessary.  That's what it means to live in the real world.  But then, this means there will be sensitive data retained by companies, no matter how small, and this means data security products are necessary.

    Going Back In Time?

    It seems to me, and I don't write this lightly, that people who argue that true security will only come from not collecting data are advocating, whether they mean it or not, a return to halcyon days.  Before identity theft.  Before credit cards.  Before credit checks.  Before governments required some form of national ID or something approaching it.

    But those halcyon days are imagined.  Going on a night out with your wife to celebrate?  Without credit cards, it meant having to carry the right amount of cash: too little, and your celebration kind of peters out (either by holding back on your celebration or by washing dishes in your nice clothes after having dinner.  You gotta make that difference somehow).  Carry too much and you've got to worry about misplacing your wallet or being mugged.  And unlike credit cards, there is no protection in place.  Once that money is gone, it's gone.

    In theory, one could pay by check, but they required identification back then to track you down in case the check bounced (if they didn't, it's because they already knew who you are).  Plus, the check has account information on it, as I've already pointed out.  So, even back then, sensitive data was being collected, passed, routed, etc.

    Need a mortgage to buy a home?  Without credit checks (and a central repository of credit history), how is a bank supposed to know whether to loan you the money?  Well, back in the old days you had to establish a presence and a history with the bank and the community.

    But then, it puts the loan officer in charge of your life, doesn't it?  Maybe you have an excellent history with the bank, but you're denied a mortgage because the loan officer doesn't approve of your race, sex, marital status, religion, etc.  You hope you get a fair-minded person, but there is no guarantee.  And what then?  Passing legislation not to consider such factors just tends to make better liars out of biased people.  Do you change banks?  Can you wait another ten years or so to build your history with this new bank?  What if you're met with the same resistance after another ten years?

    But if you have credit histories that can be tracked, it's just a matter of finding the one bank that doesn't care about your race, sex, religion, etc.  The bank that doesn't care will get your business, the ones that do will not…and you won't have to grovel--one of those few instances where "not caring" can be construed in a positive light. (I realize it's illegal to consider such things when deciding on approving mortgages, as well as a variety of other things…but if everyone followed the law, I wouldn't even need to be ruminating on all of this in the first place).

    This Is Your Cake.  Eat It.

    I recall a particular scene in American Wedding (i.e., American Pie 3) where a marvelous wedding cake is ruined.  (For those who haven't watched the movie, I'm not going to elaborate further.  Let's just leave it at, I've never seen writers more dedicated to the sophomoric spirit of the series).  To me, in many aspects, society is like that cake.

    In the movie, the cake is ultimately trashed.  Unfortunately for us, we can't do the same with society; it would mean razing everything and starting over, from scratch.  And we can't go back either.  That is, keeping with the wedding cake analogy, we can't, uhm, de-follicle-ize the cake: it would take too long; we'd never be sure whether the job is complete; and even if the job is completed, no one wants the cake. (Of all the days in the year, I had to bring this up on Christmas. Tsk.)

    My point is, before the analogy begins to take a seriously twisted turn, this is the world we live in.  Like it or not, the submission, collection, and retention of sensitive data will continue, and in certain cases, is necessary.  Some will hate it, some will love it, most won't care…until something untoward happens.  Those who argue against collecting any sensitive data are crazy.  The world as we know it wouldn't exist if this came to be.  And if you've been to Colonial Williamsburg, you know the world as we know it is pretty sweet.

    Those who claim encryption will solve all ills are crazy as well.  Encryption doesn't protect the CIA and NSA from moles and double-agents.  'Nuff said.  The point is not to waste time debating (or ruminating) on what should be done, and what is the best solution, but admitting that there are different yet equally important ways of approaching the task at hand and taking action: Encrypt your stuff and engage in good data retention practices.

    What? Can't chew and walk at the same time?  If so, that should be part of your New Year's resolution....

     
  • Full Disk Encryption Not Enough For North Yorkshire County Council

    North Yorkshire County Council has lost or had stolen seven laptops in the past year, as well as two BlackBerries and 35 cell phones.  The good news is that five of the laptops and the BlackBerries were fully encrypted using disk encryption software, presumably something similar to AlertBoot.  The remaining two laptops that were not encrypted did not have any sensitive data on them.

    The bad news, however, is that countless USB memory sticks have been lost as well.  Granted, they wouldn’t be “countless” if the council knew how many they had to begin with.

    County councilor Steve Shaw-Wright had this to say about the encrypted laptops:

    “to say it’s okay because the data lost is not sensitive, or it’s fully encrypted is not good enough - if a laptop is stolen with lots of names and addresses on and it gets into the hands of a conman, then that is serious.”

    At first, I thought he didn’t quite understand how hard disk encryption works.  If your computer’s hard disk drive is fully encrypted, it is good enough, although one must ensure that the password used to secure the data is strong enough, and that it’s not on a sticky-note affixed to the laptop. (Your front door can’t protect your belongings if you constantly leave your keys in the lock, right?)

    Upon further reflection, it seems to me he’s pointing out a mode of thinking that I’ve often berated myself.  For example, if a stolen laptop contains a list of names and addresses, it’s assumed this is not a big deal because the same information is available publicly, like in the white pages (we’ll assume that there are no unlisted numbers for people seeking privacy).

    However, it’s not the same situation because there can be additional information that eventually leads to that data’s exploitation.  If there’s a document showing five year revenue projections for XYZ, Inc., now you know those people are somehow associated with XYZ, something that is not apparent from the white pages.

    And that extra information can be enough for successful social engineering, which is just another word for committing fraud.  So, the councilor was right regarding “sensitive data” or the lack thereof.

    But, Mr. Shaw-Wright is wrong regarding encryption.  Consider this: a computer is kept in a locked closet.  Someone breaks into the closet and steals the computer.  The data, residing on the computer, is stolen as well.

    You could have stronger locks and thicker walls, but at some point someone -- authorized employee or otherwise -- will access the computer.  Access means there’s a hole, and that means the possibility of theft is there.

    What measures can you have in case something is stolen?  Encryption.  Because encryption resides in the same space as the data, it’s the ultimate form of protection for your data (this doesn’t mean it can do much for the computer itself, mind you).  Clearly, if encryption trumps doors, walls, and locks, it must be good enough.  I mean, how else can you secure your data?  What options have you got left?

    I guess you’ve got not having the device stolen to begin with.  I don’t consider wishful thinking to be a critical component of good data security practices.

    Related Articles:
    http://www.thenorthernecho.co.uk/news/local/northyorks/3999585.North_Yorkshire_County_Council_s_computer_security_under_scrutiny/
    http://www.thepress.co.uk/news/3997346.North_Yorkshire_County_Council_loses_seven_laptops/

     
  • Managed Encryption Issues? North Carolina Auditor’s Laptops Lack Hard Disk Encryption Software

    The state auditor’s office in North Carolina has 234 laptop computers that are still waiting to be encrypted, according to The Insider.  This, an entire year after the state’s chief information officer issued standards for the use of laptop encryption software, offered by several vendors including AlertBoot.  The state CIO, George Bakolia, fired off a missive to the state Auditor, Les Merritt, saying this delay is “irresponsible and unacceptable.”  The auditor responded that it was Bakolia’s fault for not setting a deadline.

    Does Your Encryption Deployment Scale?  AlertBoot Does

    Encrypting a computer is not hard.  Encrypting hundreds of computers, on the other hand, may be hard, depending on whether the software is designed to handle such a load.  The ability to easily do so means that the software “scales.”

    It’s a funny thing, really.  Normally, one doesn’t wonder whether encryption software scales, since data protection means one has to deal with laptops one by one: not encrypting just one laptop from the 234 could mean that the Auditor’s office still has a sizable data security risk. (For example, perhaps all the computers contain the same sensitive data for tens of thousands of constituents.  Under such circumstances, losing one unprotected computer is no less of a breach than losing two or three computers.)

    However, scalability issues are a real concern once you pass a certain threshold of devices to protect.  Indeed, I’ve heard (unconfirmed) rumors that the IRS had signed up with two computer data security vendors in the past couple of years (not at the same time), specifically to encrypt their computers -- and paid for their services -- without actually encrypting computers.  The process was so complicated that the IRS supposedly kind of gave up on it.

    Your tax dollars hard at work.

    Deadlines A Good Thing When In A Bureaucracy

    On the other hand, deploying encryption software enterprise-wide is never an easy job, regardless of scalability.  Having someone in charge of implementing it is definitely necessary.  Plus, people have their regular jobs to do.  If one doesn’t specifically make an effort to start such a project, it’s never going to get off the ground.

    It kind of reminds me of my experience with my commanding officer in the Navy.  He never gave deadlines, claiming that everything “was of the utmost importance to be done ASAP.”  Since everything was important, nothing ever got done on time when he wanted it done -- stuff got done when the person charged with the work felt “it was about time to wrap it up.”  That’s usually what happens when you assign one guy five different things that are due ASAP.

    If you find that your organization needs to get started on data security, the first thing to do is appoint someone to be in charge of seeing the project to its end.  Then, and only then, do you start your data security program.

    This establishment of a point man is the first step towards a key aspect of data security: the continuous monitoring and assessment of your organization’s security needs.  Without it, data security tends to fall by the wayside, eventually leading to what it was supposed to avert -- a breach.


    Related Articles:
    http://www.newsobserver.com/news/story/1337468.html

     
  • Cake And Sticky Fingers Behind German Data Breach Scare Shows Why Data Encryption Is Needed

    The theft of a cake en route to the Frankfurter Rundschau newspaper was behind one of the biggest German data security scares in recent memory.  If you’re not aware of the story, about a week ago, the newspaper received a package full of credit card records from a bank.  There was nothing included as an explanation: a ransom note, a threatening letter, a whistle-blower’s statement, etc. -- nothing.  The package just appeared in their mailroom one day.

    Connecting Cakes To Hard Drive Encryption Software?

    The reason for the data breach, it turns out, is quite banal, yet hilarious, and goes on to show why you want to use data encryption software like AlertBoot prior to sending off a package that contains digital data.

    The couriers got wise to the fact that one of the packages to the newspaper contained cake, more specifically, a German Stollen (yes, even the cake is pleading to be part of this momentous occasion).

    They ate the cake, took hold of a different package (destined to the bank), and attached the newspaper’s label to the new package, in an effort to cover their tracks.  And that’s how a bunch of credit card documents on their merry way to the bank got diverted to a newspaper’s office, sparking a national data breach scare.

    The bank, meanwhile, came to the conclusion that their documents had gone missing during transport, which is true.  But, what other conclusion can a company arrive at if anything goes missing?  They certainly can’t go around claiming it was stolen -- they have no evidence.

    Now imagine that the package was not credit card records from a bank, but a couple of CDs, an external hard drive, or even a laptop computer being returned by a hotel to a guest that left the machine behind.  What’s to prevent a couple of couriers from diverting these parcels?  Or stealing them?  Or those things just getting lost, literally?

    Protecting Data For All Those Unforeseeable Events

    The bigger problem, data-wise, is that you’re never quite sure if someone out there is in possession of that data.  If you lose a CD or a laptop, and don’t have any sensitive data stored in them, that’s the end of the story; it’s not unlike missing a cake.  You write it off, apply for a tax-break, get yourself a new one, etc.

    However, with sensitive data, the difference between losing something and having it stolen might mean the difference between business as usual and a future lawsuit.  There is the additional risk of further ramifications from the loss.

    All the more reason why you should have something in place to ensure that the loss of a laptop, CD, external hard drive, etc. remains exactly that.  And the only way to ensure that?  Use encryption solutions like full disk encryption or file encryption, of course.


    Related Articles:
    http://www.tampabay.com/news/bizarre/article943899.ece
    http://www.google.com/hostednews/afp/article/ALeqM5hb4uCtAvnJeY47M3x8DROO6QB6hA
    http://www.earthtimes.org/articles/show/247112,credit-card-data-theft-a-piece-of-cake.html

     
  • Hard Drive Encryption Software Missing On Stolen Austin Peay State University Computers

    The Veterans Upward Bound office at Austin Peay State University experienced a data breach earlier this week.  Two computers were stolen, one of which had the names and Social Security numbers of approximately 750 veterans.  The VUB program is meant to prepare veterans for college (and, possibly due to this breach, to prepare them for the horrors of identity theft in the real world).  While the use of hard drive encryption software like AlertBoot was not mentioned in the media, I think it’s safe to assume that it wasn’t, since they’re putting quite a bit of emphasis on the presence of password-protection.

    Based on what I’m reading, it looks like both computers were desktops.  Not only that, monitors and keyboards were taken as well.  A printer was still on the premises, although my guess is it, too, would have been stolen if it weren’t for the campus police: an officer noted someone near the building, and gave pursuit.

    The chase has been described as “futile.”

    Hard Disk Encryption vs. Mainframes?

    I didn’t think much of the story, since it sounds like any other story regarding data breaches.  That is, until I found this particular gem:

    It is time that companies went back to mainframes instead of using PCs to keep sensitive data on that people can simply pick up and walk off with.
    It happened at my place of employment last week. [article comment by Starclassic at knoxnews.com]

    Luddite much?

    While I’m not going to rag on mainframes (the mainframe industry still rakes in billions of dollars each year -- and such figures pretty much establish need, so it’s too soon to write off mainframes as dinosaur technology), I will rag on the thought that, somehow, size equals security.  I mean, as long as we’re talking about data security, couldn’t someone conceivably just steal the mainframe’s tapes?  They tend to be smaller and lighter than desktop computers…

    If I may, I’d like to point out that even guys who use mainframes will use encryption software to safeguard their sensitive data.  Call me crazy or biased, but it seems to me that using data security software to prevent endpoint security breaches is what people should be doing, not espousing a return to some half-thought-out practice.

    Related Articles:
    http://www.msnbc.msn.com/id/28303684/
    http://www.knoxnews.com/news/2008/dec/19/computers-stolen-apsu-contain-ids/

     