AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


May 2009 - Posts

  • Best Hard Drive Encryption Software Program: Anything That Doesn't Use Proprietary Algorithms

    The business of creating bulletproof encryption software is a tough business.  Plenty of people thought they had found that perfect data security formula only to have their dreams dashed by other people looking to do the same.  As a result, there are only a handful of encryption algorithms out there in the world that are considered to "just work," such as RSA or AES.

    So, if you're looking for the best hard drive encryption software program, I'm afraid you are stuck with old technology.  Ironically enough, encryption is probably the only field where, the older the technology is, the better it is--because it means it's that much more secure.  (Otherwise, that encryption process wouldn't be here today.  Who would protect data with encryption known not to work?)

    The key to choosing the best hard drive encryption, then, is not to find the best, but to forego the worst.  I'll repeat that: avoid the worst type of encryption and your data will be safer.

    So how do you avoid the worst?  Well, generally speaking, in-house or proprietary encryption algorithms that haven't been scoured by the eyes of the security community tend to be the worst.  Such encryption tends to rely, not on the strength of the encryption, but on obfuscation.  In other words, ultimately, security relies on hiding any defects associated with the encryption formula.  As long as that defect is not found, the data is protected.

    But, when (if?) the bad guys find that defect, they're not going to go around announcing it, so you'll continue to "protect" your data using the now-worthless encryption program.

    On the other hand, the methods on how RSA and AES protect your data are open secrets.  The security community has had time (ample time, in the case of RSA.  It's been around since the 1970's) to consider the background theory powering the encryption as well as testing it out, and these have stood up to the test of time.  If you're really interested, you can look up the theories on Wikipedia.

    Now, this doesn't mean that these algorithms are without their shortcomings.  However, these shortcomings are easy to counter.  For example, with RSA, its biggest problem is the fact that data has to be re-encrypted with a longer key length from time to time (we're talking years here).  The reason?  Computer power increases exponentially.

    All encryption algorithms, and software that uses them, such as AlertBoot endpoint data security, are bound to be defeated sooner or later by something called a brute-force attack: trying every possible key to figure out which one works will some day yield access to your protected data.  That's the bad news.

    The good news?  Right now, with all the computing power in the world combined, it would take at least a century to even realistically approach a 15% chance of randomly finding the right key, so breaking RSA or AES is considered pretty much impossible.

     
  • Encryption Used By LG Telecom To Protect Customer Information

    ZDNet Korea is reporting (in Korean, of course) that LG Telecom (LGT), the third largest mobile services provider in Korea, will be using encryption to protect customer information.  It will be the first to do so among mobile service providers in the country.

    The private information to be protected by LGT includes national registration numbers, bank account numbers, credit card information, and phone ESN numbers.  Also, they are examining over 4,000 programs for security issues to see what changes need to be effected, if necessary.  It is estimated that the job will be finished by the 24th of this month.

    Not sure why this hasn't been done before.  After all, it's not as if Korea has been immune from the rampant fraud--stemming from personal information breaches--that is afflicting other countries.  I've covered those before.

    Just like in other parts of the world, the use of encryption software such as AlertBoot and other data security programs would help in controlling such crimes in this small peninsula.  I mean, data is data is data...protection measures for one set would work just as well for the other--it's not as if this is breakthrough knowledge.

    So, again, why now?  Someone's late to the party.  And, seeing how LGT is the first of the three to do so, there are two other companies that are even more overdue for better protecting their customers' information.

    Well, better late than never.  Plus, the good news is that when someone's late to the party, and there's absolutely no one at that party, the rest are bound to come.  It shouldn't be long before the other two telecoms, and possibly companies in other industries, start taking a serious look at how they're securing customer information.

    Related Articles and Sites:
    http://www.zdnet.co.kr/ArticleView.asp?artice_id=20090521093843

     
  • Drive Encryption Cheaper Than $50,000 Reward For Lost Clinton Drive

    The Associated Press as well as others are reporting that the National Archives have lost an external hard drive with presidential records.  From the looks of it, the portable drive did not utilize drive encryption software to secure the contents.  On the other hand, this is the National Archives we're talking about; their objective is not only to preserve documents, but to also make them accessible to the public.

    The Details

    Per the National Archives and Records Administration (NARA), the drive was lost sometime between October 2008 and March 2009.  The portable drive had a capacity of 2 terabytes, out of which 1 TB was used, and held the contents of approximately 113 tape cartridges.  Weighing only 2.5 pounds, and measuring 6.5 inches at its longest dimension, it would have been quite easy to carry off.

    And how easy it would have been!  According to theregister.com, about 100 badge-holders can access the area...including janitors, visitors, and employees passing through.  (Visitors.  Well, you know they can always be trusted...)

    Thankfully, the contents of the hard drive are backups, so the originals are still in place with NARA.  Unfortunately, the backups do contain a lot of data, so it's impossible to tell as of yet who's been affected, and what kind of information may have been breached.

    However, they do know that the SSN of one of Al Gore's daughters was included in there somewhere.  I guess it was revealed during a preliminary investigation.  And, computerworld.com is reporting that

    "...data on the missing drive included more than 100,000 Social Security numbers and home addresses of numerous people who visited or worked at the White House....  Also on the drive were details about the security procedures used by the U.S. Secret Service at the White House, event logs, social gathering logs, political records and other information from the Clinton administration years."

    $50,000 is being offered as a reward for information that leads to the recovery of the stolen external drive.

    Lack of Security?

    The National Archives is not a place one tends to associate with lack of security.  I mean, how could they?  They hold original copies of the Declaration of Independence, the Constitution, the Bill of Rights...they even have a copy of the Magna Carta.  And, you know, it might be a copy so it's not as good as the original, but it was created in 1297, so it's pretty valuable.

    On the other hand, the theft did not occur from the archives building in D.C., but rather the building in College Park, aka, U. of Maryland.  (Why is it that stuff always happens when you've got college students in a 15-mile radius?)

    Would encryption software protecting the contents have been the answer to their problems?  I kind of doubt it.

    To begin with, it's hard to believe that physical security would have been lax at this venue.  Any institution that is tasked with preserving historical data takes conservation seriously (which explains why people were working on backups, not the originals).  Conservation--aka safeguarding--cannot be had without security.  I made a snarky remark before, but let's face it, all visitors to the building were probably vetted, not to mention all employees, and, hopefully, all janitors as well.

    A safe environment means that people had no reason to mistrust each other.  My personal experience is that, in such an environment, passwords to decrypt data are posted all over the place.  Encryption doesn't work if that happens.

    Regardless, I'd bet NARA would prefer that drive with encryption rather than without.

    Related Articles and Sites:
    http://news.cnet.com/8301-1009_3-10246004-83.html
    http://www.fresnobee.com/news/national-politics/story/1416134.html
    http://www.pcworld.com/article/165281/a_look_at_the_national_archives_data_blunder_and_other_govt_data_losses.html

     
  • Data Encryption On UK Military Laptop Missing Again? Oops, It's A Personal One

    The Ministry of Defence (MOD) in the UK uses hard disk encryption on all of their laptops.  This was a result of embarrassing data security breaches like that one time when a military officer had his computer stolen while enjoying a pint.

    And yet, here is a story about a military computer being returned to the MOD because it contained sensitive data.  Apparently, a woman in Edinburgh came across the laptop (I'll bet it was bought as a used computer) and returned it once she saw the sensitive information.

    (No word on what type of sensitive information it was, although it has been disclosed that it was not top-secret.)

    How could this happen, yet again?  Was the MOD lax in securing their laptop computers?  Turns out, the answer is "no."

    Personal Computer Contained Military Information

    It turns out that the laptop computer that was recovered was a personal laptop.  It belonged to a non-commissioned army officer, but that's about as close as it gets to being military property.  Meaning, it's not military property, which in turn means it wasn't subject to having encryption software installed on it.

    Oops.

    This is what data security experts mean when they say that encryption is not a panacea.  Just like you need multiple types of insurance to cover all types of accidents (your car insurance can't pay for your heart surgery), you need different solutions to data security.

    Laptop encryption works great at securing data on a laptop.  However, it can't do squat for data that is copied from an encrypted laptop to other data storage devices--be they USB memory disks, external hard disk drives, CDs, or other laptop computers.

    There are solutions to this problem.  For example, CD drives can be deactivated (or, removed completely, if desired).  USB slots can be deactivated as well, using USB port blocking software.

    Hopefully, the MOD has taken such security aspects into consideration as well.  If not, it may be a good time to think about it.

     
  • Full Disk Encryption Can be Tied To Speaker Of The House Of Commons Resignation?

    The resignation of the speaker of the House of Commons in Britain is being covered by the world, as it should be, seeing as it hasn't happened since 1695--that's even before America existed as a nation.  Heck, it's even before the dream of an independent nation was conceived.  And this resignation can be tied to data encryption (or, rather, the lack of).

    Michael Martin Announces Resignation Over MP Expense Controversy

    Michael Martin, the speaker, has announced he would tender his resignation to promote unity in the House of Commons.  Unity has been needed ever since it was revealed that Ministers of Parliament have been using the parliament's expenses system as their personal piggybanks.  Among the list of offences:

    • MPs claimed interest payments on mortgages that were paid off
    • Outfitting second homes using allowances under the system before selling the houses for profit
    • $6,000 taxi fares (in total) for shopping trips--by Martin's wife.

    Martin is not the first to suffer due to the controversy (well, it's labeled a controversy--but how is it "controversial?"  I mean, there is no controversy here; these people were obviously taking advantage of the system and of the lack of government transparency.  On the other hand, this type of stuff does happen a lot).

    So far, there have been two resignations (Martin's makes three) and two suspensions.  Eight others were forced to pay back the taxpayers.

    Stolen Hard Drive Source of Leaks

    How did the public find out?  A portable hard drive containing this information was offered to several newspapers, with The Sun and The Times turning it down, and The Daily Telegraph paying for the drive, if rumors are to be believed.  After that, the newspaper did what it does best.

    It's times like these that I'm glad encryption software is not used to protect data. (Although, since the whistleblower was determined to leak the information, I'm sure the information would have been released in some other way...even if it were in Morse code).

    The use of encryption would have prevented easy access to the information--perhaps permanently prevented access, depending on the settings (a feature in AlertBoot endpoint security systems). 

    However, if the past two years have proven anything, it is that the government's nonchalant when it comes to protecting sensitive information.  Seeing how now it's the MPs' turn to be personally affected by a data breach, you can expect big changes coming in how they handle data security.

    There's nothing like a situation getting a little personal to get things in gear. (Which is why companies only take up encryption after they've got a breach.  *sigh*)

    Related Articles and Sites:
    http://edition.cnn.com/2009/WORLD/europe/05/19/uk.mps.expenses.oakley/index.html
    http://www.telegraph.co.uk/news/newstopics/mps-expenses/

     
  • Data Security Budgets Are Decreasing According to Deloitte

    Deloitte has announced the results of a survey (link at the bottom), and the conclusion is that security budgets at companies--money earmarked for solutions like AlertBoot's data encryption software for computers' hard drives--are being cut.  Since I know data security threats are not receding (in fact there's reason to believe that they're increasing because of people being laid off, and lax data controls at most companies allow pink-slip holders to steal information) it can only mean that data security is finally facing up to the reality of this economy.

    Weird, because I just saw on the news reports to the contrary.  Some important government honcho was saying that the government knew the economy was finally stabilizing.  Maybe...security budgets are a trailing economic indicator?  I couldn't tell ya; I don't work in the finance sector.

    Leading Data Security Indicator

    But, I can tell you that such a cut will probably be a leading data security indicator: it indicates your company's security breaches will increase, perhaps explode.

    Of course, a different school of thought may be, "hey, we have security breaches even with the investment.  So, why not cut the budget a bit?"  And, history would show us a parallel on why this is a stupid school of thought.

    According to a friend of mine who's an MBA candidate (and, he's a smart guy, MBA notwithstanding), during the 90's cola wars, Pepsi decided to cut back on marketing because their market share wasn't improving even with annual increases in their marketing budget.  They, and Coca Cola, were sinking a fortune on a stalemate.  So, some guys at Pepsi thought, hey, let's save some money--this isn't going anywhere.

    Big mistake.  That's when the Pepsi market share started to erode.  One could say it imploded.  I don't know what evasive actions Pepsi took at that point to prevent a total collision with the rock-hard bottom, but the truth is that they lost the cola wars beginning at that point.  Actually, it's more of a cola battle; as long as you have at least two companies, the war will never be over (Pepsi's the winner as of now, actually).

    Anyway, the point of the story is, if you relent while the opposition doesn't, the opposition wins.  The "opposition" a company faces is internal and external, with breaches possibly being accidents or otherwise.  And the opposition doesn't show signs of relenting.

    A Company's Goal Is To Make Money

    A corporation's main aim is to make money, not to safeguard data (which is unfortunate from a data security standpoint).  So, it's no surprise that data security solutions like disk encryption software--which technically doesn't generate any revenue but could alleviate operational losses if something untoward happens, like a laptop being stolen--take the backseat to more pressing concerns like buying a new toothed-gear for some factory in China which turns out salable widgets (and, thus, has a direct impact on generating cash for the company).

    There is no way out of this dilemma, if you have to choose between one and the other.  The only way out would have been to invest in data protection when the times were good.  You know, make sure things are protected even if it would have meant fewer cents per share showing up as profit on those 10-Ks to investors.  Hindsight is 20/20, though.

    The same hindsight tells me, though, that a company is setting itself up for a particularly spectacular downfall if they opt to cut their security budget for something else.  I mean, isn't that the lesson TJX taught us a couple of years back?

    Related Articles and Sites:
    http://www.networkworld.com/news/2009/051809-security-budgets-falling.html?hpg1=bn

     