in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Disk Encryption Lacking On Oklahoma FHA Laptop - 225,000 Affected

A laptop computer belonging to an employee with the Oklahoma Housing Finance Agency has been stolen in a house burglary.  It affects 225,000 Oklahomans, a little over 6% of the state's population.  The agency was in the process of protecting computers with the use of drive encryption software; however, the stolen computer had not been equipped with encryption at the time of the theft. (This article, however, pegs the number at 90,000.)

The information on the stolen laptop included names, SSNs, tax identification numbers, dates of birth, and addresses of people in the Section 8 Housing Voucher Program.  In other words, people who can least afford to have fraud conducted against them.

Was the employee allowed to have all that information?  The answer is "yes."  The employee worked in the field--although, I doubt he could have helped nearly a quarter of a million of people at any given time.  It looks like, without the security that laptop encryption affords mobile computing devices, it would have been smart to at least reduce the amount of data on that laptop (perhaps only download files necessary for the week?)

According to newsok.com, there were two layers of passwords used to protect the data.

One of them, it looks like, is the usually Windows prompt when you initially boot up a computer.  I've already covered previously how these can be easily bypassed.

The other password is tied to the file itself.  Unfortunately, this, too, can be bypassed, although it requires the correct software, a hex editor (I'm not sure whether I should say it's "easily" bypassed, although it is pretty easy to do).  As long as the contents of the file are not encrypted, that information will show up on this program.

A hex editor allows you to open a file to show you everything in that file.  The contents of the files, yes, but also the rest of the stuff you normally don't see.  The programming language, if you will.  Included will be the password.  After all, the password has to follow the file around, if one's going to allow access to the file when it's typed in correctly. (That entire process about comparing to see if there's a match.)

But, don't take my word that password protection is a weak (almost non-existent) form of security:  Just take a look at the OHFA's actions.  If password protection is good at protection like data encryption, why were they in the process of encrypting all computers?

 
<Previous Next>

Data Loss Prevention Failure Should Lead To CEO Jail Time?

Software Application Control: Manage Program Installations

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.