AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

February 2009 - Posts

  • Data Breach Prevention Software Needed 'Cause Over Half Of Ex-Employees Will Steal Corporate Data

    According to the findings of a Ponemon Institute survey, over 59% of employees who've changed jobs in the past 12 months have stolen company data.  And, the way that they do it suggests that the use of centrally managed encryption solutions like AlertBoot may prevent many of these incidents.

    And it's important to prevent these incidents.  To begin with, they're considered to be data breaches, which require notification to the state, for most states.  This may or may not eventually be publicly disclosed, leading to the embarrassment of the affected firm.

    However, as the study points out, the more immediate result is the loss of competitive advantage of the affected firms.

    What Gets Stolen

    According to the survey (Question 2; link at the bottom), the top stolen data is e-mail lists, followed by non-financial business information, customer information (including contact lists), employee records, and financial information.  The totals add up to 202%, which I guess means that most employees steal more than one type of data.

    Not surprising, really.  My mentors always told me that something worth doing is worth doing right.

    How It Gets Stolen

    First and foremost is paper-based documents (61%), followed by saving information to CDs or DVDs (53%), and to USB sticks (42%), plus other methods.  Downloading data to portable devices like an iPod was at 28%.  The totals add up to 273%, meaning that people are not picky when it comes to stealing, and will steal corporate data in any way possible.

    Considering that there is not much of a difference, hardware-wise, between a USB stick and an iPod, it seems that USB-based breaches account for 70% of information security incidents, easily placing above the theft of paper-based documents.

    A majority of survey responders have admitted to using the stolen data to leverage themselves into a new job, and fully intend to use that information.

    (Also, something that bears noting: What this survey doesn't tell us is how much damage was incurred via each method.  I'm supposing here that it's easier to download massive amounts of information to an iPod than carting it off in boxes, so the former means larger breaches.)

    How The Risks Can Be Minimized

    One of the easiest ways to prevent data breaches when outsiders (laptop thieves, for example) are involved is via the use of encryption software.  The use of document encryption software or hard disk encryption software would prevent them from accessing the data.

    However, this may not be the best option when the problem is an inside job.  Logic alone tells you that--if not all, at least some--employees must have access to corporate data in order to perform their duties, meaning they know the authorization codes to the encrypted data.

    On the other hand, what you could do with a centralized encryption system is to disable a user's login credentials while he's in the boss's office getting the pink slip.  Not the best or most tactful of methods, perhaps, but if your corporate information is important and considered to be a competitive advantage, you don't want to give the soon-to-be ex-employee a chance to steal that data.

    However, there is the bigger issue of stealing data before one is fired.  Let's face it, a lot of employees know when they're going to get canned.  They may decide to steal some contact lists well in advance.

    USB Port Controls And Automatic Encryption

    This shouldn't be a problem either, though, not with the correct tools in place.  For example, with AlertBoot, an administrator is able to use whitelists and blacklists to block USB ports for specific hardware...and you can get really granular: USB memory stick "brand A" is allowed, "brand B" is not.  This way, you can prevent employees from using memory sticks brought from home.

    There is another option as well, though.  There is a setting in AlertBoot where, if you plug in any kind of USB-based storage device, it will automatically be encrypted and will be decrypted only when connected to authorized computers.

    What this means is that if an employee connects his iPhone to a corporate computer, it will become encrypted and, outside the office, is about as useful as a brick.

    Works wonders for stemming data leaks.  Now if we could only find a solution for paper documents...
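
    The whitelist/blacklist idea described above ("brand A" allowed, "brand B" not) can be sketched as a default-deny policy check. This is an added example, not AlertBoot's code or configuration format; the `Rule`, `UsbDevice` and `decide` names and every ID in it are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MASS_STORAGE = 0x08  # USB interface class code for mass-storage devices


@dataclass(frozen=True)
class UsbDevice:
    label: str
    vendor_id: int
    product_id: int
    serial: Optional[str]
    interface_classes: Tuple[int, ...]


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "block"
    vendor_id: int
    product_id: Optional[int] = None   # None matches any product of the vendor
    serial: Optional[str] = None       # None matches any serial number

    def matches(self, dev: UsbDevice) -> bool:
        return (self.vendor_id == dev.vendor_id
                and self.product_id in (None, dev.product_id)
                and self.serial in (None, dev.serial))

    def specificity(self) -> int:
        return (self.product_id is not None) + (self.serial is not None)


def decide(dev: UsbDevice, rules) -> str:
    """Default-deny decision for storage devices; non-storage devices pass."""
    if MASS_STORAGE not in dev.interface_classes:
        return "allow"                 # keyboards, mice etc. are out of scope
    hits = [r for r in rules if r.matches(dev)]
    if not hits:
        return "block"                 # unlisted storage, e.g. a stick from home
    top = max(r.specificity() for r in hits)
    best = [r for r in hits if r.specificity() == top]
    # The most specific rule wins; on a tie the blacklist entry wins.
    return "block" if any(r.action == "block" for r in best) else "allow"


# Constructed policy and devices; all IDs are made-up sample values.
# Vendor, product and serial are reported by the device itself, so this
# filters honest hardware and is not proof of a device's identity.
POLICY = [
    Rule("allow", 0x1111),                      # "brand A" sticks are allowed
    Rule("block", 0x1111, product_id=0x0099),   # except one disallowed model
    Rule("block", 0x2222),                      # "brand B" is blacklisted
]
DEVICES = [
    UsbDevice("brand A stick", 0x1111, 0x0001, "A-001", (MASS_STORAGE,)),
    UsbDevice("brand A disallowed model", 0x1111, 0x0099, "A-777", (MASS_STORAGE,)),
    UsbDevice("brand B stick", 0x2222, 0x0001, "B-001", (MASS_STORAGE,)),
    UsbDevice("personal phone", 0x3333, 0x0010, None, (0x06, MASS_STORAGE)),
    UsbDevice("keyboard", 0x4444, 0x0002, None, (0x03,)),
]


def audit(devices, rules):
    """Return (label, verdict) pairs, e.g. for a device-audit log."""
    return [(d.label, decide(d, rules)) for d in devices]


if __name__ == "__main__":
    for label, verdict in audit(DEVICES, POLICY):
        print(f"{verdict:5}  {label}")
```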

    Related Articles:
    http://www.vontu.com/uploadedfiles/global/Data_Loss_Risks_During_Downsizing.pdf
    http://money.cnn.com/news/newsfeeds/articles/marketwire/0476303.htm

     
  • Data Encryption: New Hacker Tool Makes Browser Padlock Useless, Employs Man In The Middle Attacks

    A security researcher has shown a way to defeat the security of web browsers' padlocks (also known as SSL, which encrypts your on-line communications, for those who are interested).  But in testimony to how the use of data encryption software can increase information security,  the attack is a man-in-the-middle (MITM) attack, not an attack on encryption per se.

    Man In The Middle Attacks

    What is an MITM?  Essentially, it's when a hacker or would-be criminal gets in the middle between two parties.

    For example, let's say that Julius Caesar is sending a message to a general who will answer to no one but Caesar himself: he is utterly devoted to the emperor.  The Vandals know that the message from Caesar reads "attack the enemy," and would like the general on the field to, well, not to attack.  In fact, the Vandals would prefer that the general surrender.

    However, Caesar won't give such orders, and the general will not surrender unless he receives such an order (such is his devotion).  Bribing the general is out of the question, as you can tell by now.  What to do?

    Attack the guy who's carrying the message.  He's the man in the middle.  Bribe the messenger to deliver a different message.

    Attacking Web Pages

    The new attack revealed by the security researcher does something similar to the above.

    When you go to gmail.com to check your e-mail, for example, you'll notice that there is a little yellow padlock in the lower-right hand corner of your browser.  You'll also notice that the web address starts off with https, with the "s" signifying "secure."

    What this means is that the data between your home connection and gmail.com is encrypted, probably with 128-bit encryption.  Because it's so hard to crack this type of data security, hackers try to find ways to circumvent the data protection already in place.

    In essence, what the security researcher did was put himself between you and gmail.com.  He sets up his own fake gmail.com page, and makes it seem as if you've connected to the actual site.  Once you type in your username and password, he transfers that information to the real gmail.com.  Since he transfers, redirects, and controls the data back and forth, he's the man.  In the middle.

    The beauty is that, because he controls the page in the middle, he could show that he's providing an encrypted connection.  An encrypted connection that he can decrypt.

    However, he's found that this is not necessary, since most people don't bother to check for that padlock.  He claims to have obtained login details, credit card numbers, PayPal logins, and other information that should be secure.
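
    The padlock check that most people skip can be automated. The following is an added example, not code from the researcher or from this blog: it inspects a fetched login page and reports when the page or its password form is not HTTPS on the expected host, which covers both cases above (no encryption at all, and an encrypted connection to the man in the middle). The host names and HTML are constructed samples, and `credential_form_findings` is a hypothetical helper.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect each <form>'s action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # entries are [action, has_password]
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def credential_form_findings(page_url, html, expected_host):
    """Return a list of reasons not to type a password into this page."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("page was not loaded over https (no padlock)")
    if (page.hostname or "").lower() != expected_host:
        findings.append(f"page host {page.hostname} is not {expected_host}")
    finder = _FormFinder()
    finder.feed(html)
    for action, has_password in finder.forms:
        if not has_password:
            continue
        # An empty or relative action resolves against the page URL.
        target = urlsplit(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append(f"password form submits over {target.scheme}")
        elif (target.hostname or "").lower() != expected_host:
            findings.append(f"password form submits to {target.hostname}")
    return findings


# Constructed sample pages as (url, html) pairs.
_FORM = '<form action="{0}" method="post"><input name="u"><input type="password" name="p"/></form>'
GENUINE = ("https://mail.example.com/login", _FORM.format("/auth"))
STRIPPED = ("http://mail.example.com/login",
            _FORM.format("http://mail.example.com/auth"))
LOOKALIKE = ("https://mail.example.com.login-check.example.net/login",
             _FORM.format("/auth"))

if __name__ == "__main__":
    for name, (url, html) in [("genuine", GENUINE), ("stripped", STRIPPED),
                              ("lookalike", LOOKALIKE)]:
        print(name, credential_form_findings(url, html, "mail.example.com"))
```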

    Breaking Encryption Is Not Easy

    Encryption is notoriously difficult to break.  That's why most hackers focus their efforts on guessing passwords (hopefully simple ones) or using social engineering to obtain login credentials.  This latest attack is a form of the latter.

    The power of encryption is also why certain states, such as Nevada and Massachusetts, have made the use of file encryption a requirement in certain situations.

    In fact, the state of Massachusetts will require any companies that store personally identifiable information--such as names and SSNs--on laptop computers to encrypt these, most probably via solutions like hard drive encryption from AlertBoot.


    Related Articles:
    https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov
    http://www.crunchgear.com/2009/02/23/software-sorta-lets-you-cut-through-ssl-encryption-like-nobodys-business/
    http://www.pcworld.com/businesscenter/article/159976/researcher_shows_how_to_hack_ssl.html
    http://www.abcnews.go.com/Technology/AheadoftheCurve/story?id=6925341&page=1

     
  • Data Security: Revisiting Heartland's Numbers

    About a week-and-a-half ago, in a detraction from covering stories where AlertBoot hard drive encryption software could have helped prevent a data breach, I noted that bankinfosecurity.com had compiled data on banks that were affected by the Heartland Payment Systems data breach.

    I took the data available at the time and ran some numbers.  Today, I noticed that the original list of 44 companies, which were reporting how many cards were affected, has increased to 144 companies.  I thought I might revisit the issue.

    My conclusion back then, even with only 44 data points, was that the number of accounts affected would be much smaller than the 100 million figure that was being tossed around.

    The inclusion of the new data seems to back those initial findings.

    The Numbers

    Of 409 companies on the list, 144 have reported how many cards were affected.  The information was taken from the bankinfosecurity.com site on February 19, 2009, at 10 PM EST.

    • 614,397 - Total cards/accounts affected (up 105%, from 299,131)
    • 4,267 - Average accounts affected per company that's reporting figures (down 34%, from 6,503)
    • 75,000 - Maximum accounts affected for one company (unchanged)
    • 15 - Minimum affected for one company (unchanged)

    The new breakdown of the frequencies is:

    | # of accounts affected | # of banks affected | % of total | Cumulative % |
    |---|---|---|---|
    | 100 or less | 11 | 7.6% | |
    | 200 or less, greater than 100 | 12 | 8.3% | 16.0% |
    | 300 or less, greater than 200 | 13 | 9.0% | 25.0% |
    | 400 or less (there's a pattern here…) | 6 | 4.2% | 29.2% |
    | 500 or less | 8 | 5.6% | 34.7% |
    | 1000 or less | 31 | 21.5% | 56.3% |
    | 2000 or less | 14 | 9.7% | 66.0% |
    | 5000 or less | 22 | 15.3% | 81.3% |
    | 10000 or less | 15 | 10.4% | 91.7% |
    | 20000 or less | 6 | 4.2% | 95.8% |
    | 30000 or less | 2 | 1.4% | 97.2% |
    | 40000 or less | 1 | 0.7% | 97.9% |
    | 50000 or less | 0 | 0.0% | 97.9% |
    | 60000 or less | 1 | 0.7% | 98.6% |
    | 70000 or less | 1 | 0.7% | 99.3% |
    | 80000 or less | 1 | 0.7% | 100.0% |
    | Total | 144 | 100.00% | |

     

    Observations

    I noted in the earlier post that the only way that the Heartland fiasco could even begin to overtake TJX as the "greatest breach ever" would be if the average number of accounts affected per bank were to increase.  The trend is downwards, though, so I think I can stand by my original statement.

    Also, databreaches.net made a point to show that it's not only banks that got affected, and I momentarily thought this could have an effect on my assumptions.  However, I realized that none of the banks were affected directly.  That is, all these breaches are stemming from merchants (why would a bank need a processor?  They're a bank; they've got the means to process things themselves).  Of course it's not only banks that got affected: the merchants are at the forefront, while the banks are in the back end of things.

    Nothing has changed, as far as I can tell.

    Related Articles:
    http://www.bankinfosecurity.com/articles.php?art_id=1200&opg=1

     
  • Data Protection: How Seemingly Insignificant Data Can Lead To Significant Problems

    • Utah scammed out of $2.5 million
    • Innocuous-looking vendor number was seminal in leading to the scam

    It's not uncommon to see people react indifferently when data breaches occur.  Yeah, you've got those who get stirred up, sometimes to the point of seeming violent, but most tend to react with a "meh," especially when the information doesn't seem like a big deal.  It's probably the reason why people don't consider drive encryption as an integral part of their security.

    But as the following story shows, information does not need to be personal or sensitive in order to lead to significant headaches.

    Utah Scammed Out of $2.5 Million

    The state of Utah recently found that $2.5 million was transferred to scam artists.  While most of the funds have been frozen, it's estimated that approximately $700,000 is unrecoverable.

    The seminal action to the scam was the misappropriation of a vendor number for the University of Utah's Design and Construction Department.  In and of itself, the vendor number doesn't mean much to anyone except to the vendor and the university.  In fact, if my experience with retail operations is any indication, the vendor number was probably created by the university for the vendor, and used to keep track of billing and other paperwork.

    Since it's used as an identifier, and doesn't mean anything outside of the university, it's what most people assume to be non-sensitive data--no more secret than the PO Box address for a bank, if you will.

    However, the scammers used this information and changed the bank account number tied to that vendor.  Forged documents and signatures were involved, meaning that the scam was not so simple.  However, that doesn't signify that it was hard to pull off.  Rather, it just took longer and involved a little more elbow grease than usual.

    "Obviously Sensitive" Data Is Not The Only Kind of Sensitive Data

    Many security experts argue that the use of encryption software ought to be planned so that only sensitive data is protected.

    Protecting non-sensitive data is useless--by definition, it doesn't need protection--and can actually have a negative effect:

    • People and resources will spend time on encryption (typing in passwords, waiting for protected data to decrypt, etc.)

    • People will become less sensitive in terms of what's important data and what's not.  Seeing how people's indifferent attitudes towards data security are the leading reason for data breaches, this is a pretty good argument.


    I must confess that I'm divided on the issue.  I agree with the above points.  How could you not?

    However, I'm also aware that seemingly harmless data can lead to serious breaches because people didn't have the foresight to see the ramifications.

    The Utah case is one.  But there are others.  For example, let's say a financial advisor loses his laptop.  On that laptop is a list of names and current mailing addresses for clients, information that is also found in the phonebook.  The only other information found on that computer is the fact that the financial advisor's work is relegated to stock recommendations.

    Pretty innocent set of data, and freely available to anyone.  However, such information was used successfully in the past to scam people.  Basically, the scammer writes two letters to "investors," one predicting the market will go up, and the other predicting the market will go down.  Send one letter to half of the group, the other letter to the other half.  Drop from your mailing list the group of people for whom the prediction missed.  Repeat the process with the two letters.

    After a couple of months, you'll look like Warren Buffett to the remaining victims.  At this point, you ask for thousands of dollars for the last letter, and the remaining guys will probably pay.

    Now, how many guys in your IT department, the guys usually in charge of figuring what data should be protected, will be on the lookout for such scenarios?  Probably little to nil.

    Which is why I sometimes feel like saying, "just encrypt everything," despite knowing that this is not necessarily the best option.

    Related Articles:
    http://arstechnica.com/security/news/2009/02/online-thieves-scam-state-of-utah-out-of-25-million.ars

    http://www.sltrib.com/news/ci_11691598

    http://www.fiercecio.com/techwatch/story/thieves-scam-state-utah-2-5-million/2009-02-17

    http://it.slashdot.org/article.pl?sid=09/02/14/204721


     

     
  • Backup Tape Encryption: Used On Missing Arkansas DIS Criminal Background Checks?

    The Arkansas Times blog is reporting that a backup tape holding the records of 800,000 people is missing.  The tape held background checks run over the past 12 years, and belonged to the Arkansas Department of Information Services (DIS).  Not that the DIS is to blame for this: the vendor that was providing secure off-site storage for DIS cannot find the tape.  However, there is good news: it looks like the information may have been encrypted using something similar to file encryption from AlertBoot.

    DIS doesn't specifically come out and say it, but the following words conclude the letter that was sent to people potentially affected by the loss of the tape:

    "DIS keeps backup copies of this information offsite to comply with federal standards and to ensure that the information is accessible should the original versions become unavailable through disaster or malfunction.  In addition, DIS has encrypted backup information stored off site for enhanced security."

    Since the lost tape was being stored off-site, one can assume from the above words that this tape was encrypted as well.  What a roundabout way of saying it--they could have just made a note of it at the beginning of the letter, which can be found here.  I can imagine a good fraction of the 800,000 people ripping up their notification letter in frustration after reading the first couple of sentences.

    (Or maybe, they hired a lawyer to play around with the words.  For example, what it could also mean is that, "in addition to the stolen tape, DIS has encrypted backup information..." which helps no one.  But no need to be cynical.)

    There are different ways of performing backup tape encryption, but one of the easiest is to encrypt the documents to be backed up first, and then copy them to the tape.

    Incidentally, this method also works when backing up to other storage devices like external hard drives, USB memory sticks, and CDs.  It also provides protection if the information is transmitted as an e-mail attachment or uploaded to a P2P network.
     
  • Full Disk Encryption Not Used By Rio Grande Food Project? Has Data Breach

    It looks like another nonprofit organization (the good kind) has been affected by the theft of a laptop.  The Rio Grande Food Project, an organization that provides New Mexico residents with emergency food relief, has announced that a laptop computer was "stolen from a locked room at our facility."  Based on the contents of the letter, it looks like drive encryption software like AlertBoot was not used to secure the data.

    This is quite unfortunate, since the stolen laptop contained what turns out to be a treasure trove of information for ID thieves: 36,000 names, addresses, dates of birth, and Social Security numbers.  Rio Grande's own site notes that if clients have received assistance in the past three years, they should put a fraud alert on their credit lines.

    Aside from the locked door, the computer did have password-protection.  However, since there is no mention of the use of encryption software, one can safely assume it was not present in the stolen laptop.  And as I've mentioned in previous posts, password-protection is anything but.

    An Unfortunate Set of Circumstances

    I hate it when I hear that an NGO such as the above was involved in a data breach.  Granted, it's not a pleasant experience for anyone, but those who are in need of help truly cannot afford to deal with rectifying ID theft-related damages.

    Some cynics may note, "these people need food relief.  How could things get worse for them?  Identity thieves certainly won't be able to get loans in their name!"  However, we must remember that the stolen data can be and are used in more ways than getting loans.

    • If a person applies for a job using someone else's SSN, that someone else is responsible for taxes.  The IRS will come after that someone else.
    • If a fake ID is created with an actual SSN and valid name, and the holder of this fake ID is arrested, that SSN and valid name go on police records.  They rarely get expunged; they may be marked as "an alias" to the criminal.  The victim will be questioned because of his "alias" if he gets stopped for, say, a traffic violation.
    • If the above criminal decides to skip town after charges have been filed, or while on probation, or out on bail...there's a good chance it's the ID theft victim that will be caught.  The actual criminal will probably get himself a new ID to abuse.

    There are other ways of getting in trouble, trouble that stems from lost personally identifiable information (PII).

    I'll say it again, as many times as necessary--despite the fact that NGOs operate under the scantest of resources, when one considers their objectives and who they're serving, nonprofits are the ones that need to keep things encrypted.

    Thieves are not below stealing from a good cause, nor stealing from those who need the help.

    Related Articles:
    http://www.kvia.com/Global/story.asp?S=9868859&nav=AbC0
    http://riograndefoodproject.com/
    http://datalossdb.org/incidents/1781-stolen-laptop-contains-social-security-numbers-addresses-and-dates-of-birth-of-36-000

     