AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

March 2009 - Posts

  • Data Security: What Is Sensitive Information?

    Data encryption software like AlertBoot can protect sensitive information.  But, what is sensitive information?

    What prompted me to ask this question is this story about the conviction of a man that was sentenced to four years in prison for stealing information from AOL customers.

    Defining Sensitive Information - The Obvious

    Many states in the US have taken it upon themselves to define what sensitive information is.  There is the usual, such as medical diagnoses, but with identity theft and credit card fraud being all the rage, many states have defined sensitive information (or private information or personally identifiable information) to be:

    • A first name and last name, plus
    • Federal or state identification numbers (such as SSNs or driver's license numbers), or
    • Financial information such as credit card numbers with expiration dates, or bank account numbers

    If you're a business owner, you'll have to protect this data, depending on which state you live in, or, in some cases, which states you do business with--like California or Massachusetts.

    Sensitive Information - The Not So Obvious

    As far as I can tell, though, you can also pull off scams and fraud using non-sensitive information.

    For example, let's say someone hacks into your website and gains access to customers' purchase history, as well as a name, email address, and a telephone number.  None of it is "sensitive information."

    Names and phone numbers are public information (phone books), email addresses can be found on-line, and purchase history...well, I may want to keep certain purchases secret, but I don't think most people will consider such information "sensitive," unless you happen to be the buyer for a government-backed black ops unit that officially doesn't exist.

    Again, none of them is sensitive.  But, this is all that's required for a successful phishing scam.  Especially because the purchase history is available.

    Conman is Short for "Confidence Man"

    Phishing is just another word for "conning."  It's just that it doesn't happen face to face.  The essence of the con--a shortened version of the term confidence game--is getting a person to trust you.  When doing it face to face, looking right plays an integral part of the game.

    But on-line, it's not possible to "look" right.  So, how to obtain trust?  One of the best ways is to "borrow" trust, which is why there are so many phishing attempts done using e-mails that look official.  But, this, too, is meeting a barrier because of its prevalence:  there are just too many of these going around.

    The next step seems to be "tailor the messages."  And what could be more tailored than an e-mail that seems to know what you've done?  For example, if you get an e-mail from bargain-luxury-bags.com (made up site, for the time being) that states there's a problem with your account, listing the last three things you bought from them...are you positive you won't take the bait?

    Protecting Data

    Of course, when you take on the viewpoint that data is sensitive because of how it may be used, everything becomes sensitive data.  And that’s a problem, since protecting everything is just not possible.

    I mean, there are solutions that will allow you to protect everything on a computer.  Deploying hard drive encryption on a laptop, for example, will protect all files found on that computer if it ends up lost or stolen.

    However, the same encryption can't protect you against other forms of data breaches such as an erroneously e-mailed file (it would require file encryption), or an on-line hacking attempt (up to date firewalls and patches).

    You may need to perform a kind of data triage, if you will--safeguard certain data, while leaving others exposed to attacks.  But, in order to do so, you need to go in knowing what you're facing.  Depending on the level of protection you require, you may want to reconsider how you're going to define "sensitive information."
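
    One way to run that triage over a customer export, shown as an added example that is not from the original post: it applies the state-style definition listed earlier (a full name plus an ID number or financial data) and separately flags the "not so obvious" combination of name, contact details and purchase history.  The column names, tier names, the extra "review" tier and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample export: every value is made up. 4111 1111 1111 1111 is a
# widely used test card number that passes the Luhn check.
SAMPLE_CSV = """\
id,first_name,last_name,ssn,drivers_license,card_number,card_expiry,bank_account,email,phone,purchases
1,Ann,Lee,,,4111 1111 1111 1111,12/27,,ann@example.com,,
2,Raj,Patel,,,,,,raj@example.com,555-0100,handbag;wallet;scarf
3,,,123-45-6789,,,,,,,
4,Mia,Cruz,,,4111 1111 1111 1112,01/28,,,,
5,Tom,Ng,123-45-6789,,,,,,555-0101,
6,Eve,Moss,000-12-3456,,,,,,,
"""

# Structural SSN check: area 000, 666 and 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")


def val(row, key):
    """Cell value as a stripped string (empty if the column is missing)."""
    return (row.get(key) or "").strip()


def luhn_ok(number):
    """Luhn checksum: rejects digit strings that cannot be card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_identifier(row):
    """ID number or financial data, per the definition quoted in the post."""
    ssn = bool(SSN_RE.match(val(row, "ssn")))
    licence = bool(val(row, "drivers_license"))
    card = luhn_ok(val(row, "card_number")) and bool(val(row, "card_expiry"))
    return ssn or licence or card or bool(val(row, "bank_account"))


def classify(row):
    named = bool(val(row, "first_name") and val(row, "last_name"))
    contact = bool(val(row, "email") or val(row, "phone"))
    if has_identifier(row):
        # Assumption: an identifier with no name attached still gets a manual look.
        return "statutory" if named else "review"
    if named and contact and val(row, "purchases"):
        return "phishing-enabler"  # enough to tailor a convincing message
    return "other"


def triage(csv_text):
    """Group record ids by tier so protection effort can be prioritised."""
    tiers = {"statutory": [], "review": [], "phishing-enabler": [], "other": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tiers[classify(row)].append(row["id"])
    return tiers


if __name__ == "__main__":
    for tier, ids in triage(SAMPLE_CSV).items():
        print(f"{tier:17} {ids}")
```

    Row 4 carries a card-shaped number that fails the Luhn check and row 6 an SSN-shaped value with an unissued area number, so neither is counted as an identifier; validating values rather than matching on column names keeps the top tier small enough to act on.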

     
  • Data Encryption Software: Electronic Data Can Be Better Protected Than Paperwork

    A (Digressive) Comment On The Massachusetts General Hospital Red Train Data Breach

    According to an article at boston.com, a manager at the billing unit of the infectious disease center lost paperwork on the Red Line, possibly affecting 66 patients.  This being paperwork, there is no way a data encryption program like AlertBoot would have helped, but I wanted to comment on something.

    Whenever a story breaks on lost laptops with sensitive information, you'll find a significant majority crying bloody murder.  They'll point out that such information should never have been taken out of the office--and point at the laptop computer as the reason for the data breach.

    They do this indirectly sometimes, too.  People will comment that the data should have been kept on a desktop, or a mainframe computer, or at a data center.  Some even say that medical records shouldn't be digitized--they want paperwork to be literally that, with filing cabinets and whatnot.  In other words, anything but a laptop.

    But what happens when paperwork gets lost or stolen?  Does anyone point out how insecure paper happens to be?  I mean, how hard is it to pick up a stack of papers?  Or to photocopy something?  And yet, for some reason, fingers are never pointed at paper as the reason for the information breach.  Because it'd be stupid to do so.  After all, data has to reside somewhere.  The blame is placed on, obviously, the person who took the data outside the safety perimeters, as it should be.  So why does logic fail when it comes to laptops?

    Blaming Human Behavior

    I'm not sure where this acrimony towards laptops comes from.  As far as I can tell, it seems to derive from the fact that laptops are designed with portability in mind (but so is paperwork).  Let's be honest: do people really believe that information security breaches due to loss or misplacement won't occur if sensitive data is barred from laptop computers?

    The MGH story above shows that this is not so.  The reason why the manager took the paperwork home?  So she'd be able to work on it over the weekend.  I can commiserate.  Coming to the office on weekends, even if it's just to work for an hour, means spending more time than required--there's the commute, perhaps finding parking, etc.  It's never just one hour.

    The key point here is that, even if there are no ill-intentions, people will take sensitive data out of the workplace if they find it convenient to do so.  In other words, when a breach like the one at MGH occurs, it's not about laptops, USB sticks, or files in manila envelopes.  It's about human behavior.

    Preventing Data Breaches On Laptops Is Easy...Paperwork, Not So Much

    I'm sure the MGH has some of the best policies governing employee behavior--it'd be suicide for a medical organization not to.  People, though, have a propensity for doing stuff they're not allowed to do (I'm a big practitioner myself) so there'll be a significant minority who don't follow the rules.

    If you can't make it harder to take data out of the workplace, you can make it harder for it to be breached.  The use of hard disk encryption on a lost or missing laptop, for example, makes it nearly impossible for a random person to boot up the computer, unless he's able to provide the username and password (a major reason for not jotting it down and sticking it to the laptop).

    It's also possible to encrypt paper documents.  In fact, Julius Caesar used to encrypt his battlefield instructions to his generals.  However, it would take forever to do so for a page-long document.  It would also take forever to decrypt the message.  Plus, there are additional headaches involved when it comes to manually encrypting information.  This lack of convenience is probably the main reason paperwork is usually not encrypted, which in turn is the reason why encryption never quite made it into the mainstream.

    And maybe that's why people put the blame on the laptop when a breach involving one occurs.  They're just not aware that a solution exists.  But it does.

    Related Articles:
    http://www.boston.com/news/local/massachusetts/articles/2009/03/24/mass_general_paperwork_for_66_patients_lost_on_red_line_train/?page=full

     
  • Disk Encryption Software: Whipps Cross University Hospital Computer Stolen

    Whipps Cross University Hospital in the UK has announced that a computer was stolen.  The computer did not employ full disk encryption software, although password protection was in place (read why password protection fails at securing data).

    Thankfully, it looks like there was no financial data on the machines.  However, the information could be used in a phishing scam, so it only made sense for the hospital to make a public announcement.

    550 Patients Affected...But Limited Information

    The stolen computer contained information on 550 patients, including names, dates of birth, treatment information, and diagnosis.  Information pertaining to home addresses was not included.  Closed-circuit TV footage of the incident was turned over to the police, so it remains to be seen whether the computer can be recovered.

    On the surface, it looks like the potential harm from the lost computer is curtailed.  However, the information could still be used for a targeted phishing attack.

    Phishing - Viagra Ads Are Just An Unsuccessful Means To An End

    The term phishing tends to remind people of erectile dysfunction, lotteries, and deposed heads of states with hidden bank accounts.  But, it pays to remember that these are just the foundation of a story designed to part you from your money, and if not, from information that can be sold to the highest bidder.

    Fantastic stories--as in "related to fantasies"--tend to trigger suspicion in most targets, however.  Which is why phishers will always welcome a story that is based on reality: chances are the targets won't dismiss these phishing attempts off-hand.

    Stories that are based, for example, on your last treatment at a hospital that you visited.

    If a hospital representative called you up today and said that there was a mistake on their records, would you be willing to believe them?  Especially if they knew what you had been treated for?  And you had been at the hospital recently?  Of course you would.

    Even if you personally don't fall for it, chances are that the success rate of phishing would increase dramatically overall.

    Yes, the home address and other information were not included in the above case.  On the other hand, they're not that hard to find if you have a first and last name (it's called the phone book).  And if your name happens to be Robert Smith...well, depending on how many of them are listed in your area, you may have lucked out (no way a phisher is going to call 300 Robert Smiths).

    The Importance Of Medical Data Privacy

    Keeping medical information private has always been of extreme importance.  High on the list of reasons, and a practical one at that, is that if the patient can't confide in the doctor, chances are the patient won't reveal all the required information.  And that means trouble for the patient--and perhaps to the community as well.

    The patient, because the correct treatment may be denied due to a misdiagnosis; the community, if the disease is contagious.

    In the modern era, though, other reasons for this privacy are beginning to take shape.  We live in a time when information as innocuous as knowing whom you bank with increases the chances of a targeted attack.  For example, I won't fall for a phishing scam if the e-mail beseeches me to log into my Citibank account and change my account details.  I don’t bank with them.

    But, I may think twice if it's from Bank of America.  Well, purportedly from the Bank of America.

    My defenses would be even lower if someone called me, identified themselves as being from a hospital where I received treatment, and told me there was a problem with the records.  I'm not thinking scam, I'm thinking ack, what's wrong with me now?

    All the more reason why computers in medical settings ought to be using encryption software, regardless of whether information stored on the computer is sensitive or not.

    Makes you wish for those days when you knew medical information was safe because it was in the doctor's handwriting....

    Related Articles:
    http://www.guardian-series.co.uk/news/4225204.WHIPPS_CROSS__Computer_with_patient_details_stolen/
    http://www.databreaches.net/?p=2548

     
  • Drive Encryption Software: Canadian Retailer Sells Hard Drive Full Of Personal Files

    A Staples Business Depot store in Ottawa has resold a hard drive that contained sensitive information.  The use of hard drive encryption software like AlertBoot would have prevented the breach, but its use wouldn't have been practical under the circumstances.

    The Story

    According to this article, a retired political science professor bought an external hard drive from Staples.  Files were copied to that new drive, but it was found that the daily backup function did not work properly.  The copied information was deleted and the hard drive returned.

    A new customer bought the drive, fired it up, and found the deleted files.  I guess the customer was able to contact the professor because research papers in the public domain were part of the copied data.

    Canada, unlike the US, has a nation-wide personal information protection law known as PIPEDA.  It covers a range of data protection practices that will minimize the chances of a personal information breach by private companies. 

    Per this law, Staples should have deleted the information prior to reselling the external drive.  And, Staples makes it its business to do so: According to Staples Business Depot spokeswoman Alessandra Saccal, "privacy of any kind is of great concern to us, that is why we have procedures in place to clear any items with memory before being resold."

    On the other hand, Staples also has the following warning on receipts: "Customers are responsible for the removal and backup of all data [including personal information] from returned products."

    Who Erred?

    Staples, according to lawyers.  The same article above quotes a privacy expert who says that the warning on receipts does not absolve the retailer from protecting customers' private information.  Which, I imagine, is why Staples has procedures in place to clear data before reselling items.

    Which leads to the question: why have that warning on receipts at all?  Couldn't that space be used for something else?  On the other hand, personal experience tells me that I won't read whatever is printed there.  I just check to make sure that the figures after the dollar sign are correct and move on.

    I have to give Staples the benefit of the doubt.  They have lawyers, and I'm sure someone must have brought up the issue of data on returned items, and whether a warning on receipts would clear the retailer from wrongdoing in the eyes of the law.

    Maybe the warning on the receipts was included despite what the lawyers said.

    Practicing Data Security

    However, anyone will tell you that things will always slip through the cracks.  Which is why the professor took the right step and deleted the information (but it...didn't get deleted).

    Not sure what happened there.  I mean, it's not as if deleting files is rocket science.  My guess?  The files were placed in the bin, but never erased from the bin-- Windows users will understand what I mean.

    And, as I pointed out at the beginning of the article, encryption software would have protected the files.  However, it's not a practical solution in this case since, one assumes, any hard drive encryption in place would have to be decrypted prior to returning the device.

    On the other hand, a simple reformat of the drive while in its encrypted state would have been enough.  Granted, it takes a little more time than just deleting files, but you can't have security for nothing--and spending a little more time is worth it.

     
  • Hard Disk Encryption Not Used In Stolen Disk At Jackson Memorial Hospital Data Center

    • Over 200,000 IDs exposed
    • Data center had cyberlocks and swipe cards

    The Jackson Memorial Hospital in Miami has announced the theft of a computer hard disk that held the identification information for over 200,000 visitors between May 2007 and March 2008.  Hard drive encryption software like AlertBoot was not used to secure the contents.

    200,000 IDs Stolen - But Not A Single SSN?

    From what I can tell, it looks like visitors had to present some form of identification at security posts.  These IDs were scanned and stored.  The press release points out that the stolen hard drive did not contain SSNs or any financial information.

    The problem is, there is no guarantee about the SSNs.  While a federal law passed in 2004 forbids the display of SSNs on drivers' licenses, any IDs that were issued before 2004 could have SSNs displayed.  Miami is a tourist attraction, and even if the state of Florida never allowed the display of SSNs on driver IDs, there's no guarantee out-of-state visitors never had to go to the hospital.

    With 200,000 IDs, I'll place my bet on at least one SSN being displayed.  What the hospital meant, I guess, is that they weren't using the hard disk for storing anything other than driver's license images.

    Data Center Built Like A Fortress?

    According to the reports, the data center that housed the data had cyberlocks and swipe cards.  I'm not sure what cyberlocks are, although they sound as if they're networked locks that can keep track of who accessed a facility via the chips in the swipe cards.

    That's standard for data centers.  I can tell you from experience that good data centers have excellent security, including locks, cages, video cameras, armed guards, and even holding areas for visitors.  But, as I keep mentioning over and over, that's no guarantee that things won't be stolen.  For example, my boss works out of data centers once in a while, and he had his Bose noise-cancelling speakers stolen.

    Protection That Moves With The Data

    Physical security is an important part of any data protection measure.  But, it can't follow a hard disk around.  If one's serious about data protection, it only makes sense to use some type of encryption program.

    That way, if the disk is stolen, the data protection measure is still in place.

    Related Articles:
    http://www.miamiherald.com/business/breaking-news/story/959635.html

     
  • Device Encryption: 80% Of Users Store Sensitive Data On Phones

    According to a survey, 80% of London commuters store sensitive information on their phones--and my guess is that the figure is representative of pretty much any metropolis in the world.  The only problem with this is that, as far as I know, there are no device encryption products for phones.  In other words, nothing similar to what AlertBoot can do for computer hard disks and USB memory sticks.  This means 80% of phones are ticking time bombs.

    You can get a full list from the original article at publictechnology.net, but highlights include:

    • 16% store bank account details
    • 11% store social security details
    • 97% store corporate information

    Furthermore, 40% fail to use password protection on their phones, which comes with every phone.

    Cell Phones Are The Perfect Data Storage Device

    With information infiltrating our daily lives, it only makes sense to carry around necessary data with you all the time--after all, there is a limit to how much you can memorize.  Things people carry around all the time?  Cellphones and wallets.

    But, wallets tend to be terrible places for storing information: they get bulkier the more stuff you stuff in there.  (Reminds me of a Seinfeld episode where George's wallet explodes.)  So, that leaves cellular phones, which is great, because they're digital and chances are your data is also digital.

    Until you lose the phone.

    Password Protection Not Enough

    Using password protection makes sense.  But, if you've lost your phone, it's a matter of time before someone figures out the password.  Password protection on phones generally tends to be a four-digit number: from 0000 to 9999.  How long do you think it would take to go through all possible combinations?  Five hours, maybe?

    I'd like to point out that BlackBerry devices are more data security-oriented.  Not only do they feature encryption of devices, the passwords can use letters and numbers: this allows for even more combinations than 0000 to 9999, making them exponentially more difficult to crack.  Plus, after ten wrong tries, a user will be forced to wipe the data.

    But most communication devices are not as security-conscious.

    Encryption Requires That The Device Be Ready For It

    Phones are like little computers nowadays (with the iPhone being a computer masking itself as a phone), so why not install something like AlertBoot's hard disk encryption--which works on computers--on phones?

    Unfortunately, it's not so simple.  Computers have been around for many decades, and the need for data security was recognized early on.  Essentially, there's been a long time for encryption to be perfected.

    The rise of cellphones as computing and as storage devices is relatively new.  While there is no doubt that some form of encryption program could be hacked up, my guess is that the processor on regular phones (i.e., non-smart phones) wouldn't be able to handle it.

    Not to mention that the public is just not ready for it.  Computer encryption has been available for the masses for over three decades, and yet a significant portion of computers with sensitive data are not encrypted.  Can you imagine if you had to type in an eight-character password to make a phone call?

    Related Articles:
    http://www.pogowasright.org/article.php?story=20090320042834620

     