AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

July 2009 - Posts

  • Hard Drive Encryption Software: Caithness Local Authority Break-In, Laptops Stolen

    It's been confirmed that two laptop computers issued to the Caithness authority--in the UK--were stolen from locked offices in November of last year.  Disk encryption software like AlertBoot was not installed on the computers, although these were password-protected.  A total of 1,400 Caithness residents are affected.

    One of the laptops was being used strictly for administrative work processing personal injury insurance claims.  Due to the nature of the job, some health information was included in the laptop (supporting medical evidence).  It's been emphasized that these are not NHS (National Health Service) records per se, but information that was submitted by the claimants.

    (I guess the point is that the breach is limited to whatever information was submitted by the individuals...which should be minimal, as opposed to a situation where a NHS laptop with sensitive records goes missing, which, depending on the situation, could include everything related to a patient).

    It was not mentioned what was on the other laptop; this probably signals that there was nothing of importance on it (...or maybe, so important that it can't be revealed to the public).

    The computers were stolen during a break-in.  In a clear case of fixing the stable after the horses have fled, the council has decided to use encryption software on laptops, as well as installing other forms of security, in a bid to stem any similar future breaches.

    The local authority's chief executive has promised to encrypt all laptops by September 30 of this year.  It appears to me that encrypting all mobile devices in the Highland council in two months is a tall order, even if one were using encryption software designed for easy deployments; however, considering that the council has known this was an issue since November of last year, technically, it seems they've had nearly a year to consider their approach to this security issue.

    And yes, as mentioned before, it is a case of fixing the barn after the horses have fled.  It won't do any good to the 1,400 already affected.  On the other hand, if you're confident of getting further horses, fixing the barn is required.  And this being a government agency, and the job was processing insurance claims...well, these things are like death and taxes: they'll be there as long as people and nation-states are around.

    One can only hope that the council has learned that security requires on-going assessment, and will not just stop at encrypting devices and data, but will periodically review their current and future needs.  Barns that require fixing today will require fixing in the future as well.

    Related Articles and Sites:
    http://www.johnogroat-journal.co.uk/news/fullstory.php/aid/6937/Council_laptop_theft__alarming_.html

     
  • Data Encryption Software: Proof That Computer Size Does Not Equal Protection - Server Stolen From MOD

    The Ministry of Defence in the UK has admitted to having a computer server stolen from a secured government building.  It also has reported the loss of personal data for 1.7 million people when a portable hard disk was stolen, also from a secure room.  It just goes to show that you need a combined, layered approach to data security, such as physical obstacles--like doors and locks--and information security programs, like drive encryption software from AlertBoot.

    Server Goes Missing

    According to the "Annual Report and Accounts," the MOD discovered that a server was missing after a government building was closed.  The breach took place in September 2008, and the lost data includes names, addresses, (military?) service numbers or National Insurance numbers, and medical records for 700 people.

    Whenever laptop computers go missing, a number of people in the on-line community remark that sensitive data shouldn't be on laptops.  Instead, they state, it should be on servers that are under lock and key, and are guarded.

    A computer server under the aegis of the MOD would fit the bill exactly, and yet, we see that this does not quite guarantee data security.  And why would it?  Plenty of stuff gets stolen or goes missing from locked rooms, including items that are physically big.  Being under lock--while always recommended--is not a guarantee of security.  And what about servers?

    Servers != Security

    A lot of people seem to think that a server has some kind of magical property that will prevent it from becoming stolen.  I'm not sure why people think this way.  Let us remember, any computer can act as a server, including laptops (if I'm not mistaken, I've heard people refer to such laptops as "California servers" during the height of the first internet boom).

    And even if something other than a laptop is used as a server, it doesn't mean it can't get stolen.  My own experience shows me that servers are not particularly heavy or cumbersome, at least not enough to dissuade me from stealing one if I really wanted to.  Stealing cinder blocks, 15 years ago, for my dorm room's bookcase was probably harder.

    Storing data on servers is meaningless.  Granted, one generally doesn’t carry around their servers on their way to business meetings, and thus data breach incident rates would be lower.  However, this just proves that security stems--not from storing information on a "server," whatever that means--but from not carrying sensitive data around.

    And if you do have to carry it around?  How about employing encryption software so that your information security won't be breached if something untoward occurs?

    Full disk encryption software for computers and portable drive, or document protection software like file encryption would ensure that sensitive data remain uncompromised in the event of theft.  In fact, it may be a good idea if you don't carry the data around, but can't trust the security of your workplace.

    Related Articles and Sites:
    http://www.eweekeurope.co.uk/news/mod-admits-losing-an-entire-server-1432

     
  • Missouri Personal Information Data Privacy Notification And Encryption Laws: Section 407.1500

    Missouri is the 45th state to pass a data breach notification law, which will go into effect on August 28, 2009 (which is a pretty random date, it seems like.  It's a Friday, if anyone's interested).

    It's being pointed out by some that this new law is much more similar to its California counterpart (the original personal information breach notification law) than to the one found in Massachusetts or Nevada, in that the MO law won't specifically say that personal information needs to be encrypted.

    In that sense, this law is not an "encryption law," although I imagine that many people will call it that since the use of data encryption seems to provide safe harbor (consult with your lawyer--I'm not one).

    What Is Considered A Personal Information Security Breach In Missouri?

    According to section 407.1500, a breach is the following:

    "Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.

    Hm...it seems to me that Missouri is a little behind on the times.  If I'm not wrong, most other states are passing legislation so that security breaches include paper documents--not just digital data--and others are amending theirs if paper documents were not included originally.

    "Personal information" is defined as follows (my emphasis on "encrypted"):

    ...an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not ENCRYPTED, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:

    • Social Security number;
    • Driver's license number or other unique identification number created or collected by a government body;
    • Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
    • Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
    • Medical information; or
    • Health insurance information.

    What Needs To Be Included In The Client Notification Letter?

    As lifted directly from the law:

    • The incident in general terms;
    • The type of personal information that was obtained as a result of the breach of security;
    • A telephone number that the affected consumer may call for further information and assistance, if one exists;
    • Contact information for consumer reporting agencies;
    • Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.

    What Methods Can Be Used To Notify Clients?

    Like in most other states, there are various methods for contacting the affected individually, including letters, e-mail, and phone calls.

    Also, there are provisions if too many people are affected: if the cost of providing notice exceeds $100,000 or if over 150,000 people are affected, a substitute notice can be provided, including the use of statewide media.

    If more than 100,000 people are affected, the state AG and consumer reporting agencies must be contacted as well.

    Penalties

    The AG is given the authority to "obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation."

    So, $150,000 or less in fines, plus I'd assume one would have to shell out money to contact the affected (something that should have happened).

    Encryption Provides Safe Harbor?

    It's up to the lawyers and courts to say, but if I'm correctly reading the section on what constitutes personal information (as I've emphasized), encrypted information is not considered personal information.  And since it's not considered to be personal information, then its loss cannot lead to a data breach, which means there is no need for notification.

    It's kind of a roundabout way of saying that encrypted data cannot be breached, I guess, but man, the twists on logic....

    Also, notification is not necessary if it's determined that the breach won't result in identity theft or fraud.  However, "such a determination shall be documented in writing and the documentation shall be maintained for five years."

    In other words, you'd better be pretty certain that criminals won't use it/find it.  My guess is that, if your determination was erroneous and something comes to light, not having that paperwork will mean lots and lots of fines.

    Should you use encryption software like AlertBoot to protect sensitive data?  The law does not mandate it, but it certainly seems to be encouraging it.

    Related Articles and Sites:
    http://www.house.mo.gov/billtracking/bills091/biltxt/truly/HB0062T.HTM

     
  • The Cost Of Data Breaches In The UK: Getting A 30% Discount On Millions

    HSBC, the global banking giant, has been in the news several times over the past couple of years over data breaches of customer information.  A data encryption software solution, like AlertBoot, would have prevented most of these breaches--as pointed out by the Financial Services Authority (FSA).  However, HSBC did not move quickly enough, and is now being fined for a total of more than £3 million (nearly US $5 million).  They do get a 30% discount for settling quickly, though.

    Three HSBC Firms Fined

    Three firms under the HSBC umbrella were fined: HSBC Life UK (£1.61 million), HSBC Actuaries and Consultants (£875,000), and HSBC Insurance Brokers (£700,000).

    These fines follow the loss of unencrypted floppy disks and CDs in the mail.  The combined breaches affected over 150,000 people.  And while HSBC maintains that no customer has complained to them about losses related to the incidents...well, how would clients know?

    I mean, how would clients know that a particular attempt at fraud stemmed from the data loss by HSBC?  The UK government alone had a breach that affected 1 in 4 Britons; it could have stemmed from that incident.  Or some other data breach; Lord knows the UK has at least one every week.

    Easily Prevented

    The thing about these breaches is that they could have been easily prevented.  The use of CD encryption software or file encryption is all it takes.  In fact, I've covered how an agency in the UK is going about CD protection the right way.  If they can do it, I don't see how a bank--with infinitely more resources, and with a greater interest in customer protection (let's face it, there are a lot of banks out there)--would not be able to.

    Such protection can even be extended to laptop computers and portable hard disks, although it would be in the form of whole disk encryption, where the entire hard drive of the computer is encrypted, and, naturally, anything that's saved to it as well.

    On the other hand, depending on which package one goes with and the scale of the project, it could be very hard to implement an enterprise-wide encryption project.  That being said, there are solutions that make installing encryption easy.


    Related Articles and Sites:
    http://www.moneywise.co.uk/news-views/2009/07/22/hsbc-fined-%C2%A33-million-losing-customer-details

     
  • Full Disk Encryption (FDE): How Secure Is It?

    Full disk encryption is routinely touted as an effective way of protecting data if a computer is lost or stolen.  But, there are also those who say that encryption is useless and won't touch it with a ten foot-long pole.  How can this be?

    Full Disk Encryption (FDE) Is Not What You Think It Is

    Before we describe how FDE can help you secure your data, it should be pointed out that FDE may not be what you think it is.  Most people know that encryption means scrambling information so it cannot be made heads-or-tails of until the data is unscrambled back into legible text.

    Full disk encryption uses encryption to protect the data on your computers.  However, it should be noted that FDE, as reflected in the name, encrypts your hard drive, not your data.

    This is somewhat of a tricky concept, but can be easily illustrated via the following method.  You've got three computers, A, C, and E.  Of the three, only E uses full disk encryption to protect the contents of the hard drive ("E" as in encrypted).  Computers A and C do not have encryption.

    Now, let's say you have an unencrypted plaintext file on computer A.  You copy it over to computer E.  This file is now protected via FDE.  Then, you copy the file from E to computer C.  Is the file on computer C encrypted?

    The answer is no.  Like I stated above, full disk encryption encrypts your hard drive.  When the plain text file was copied over to the encrypted computer, the file is in an encrypted state because the hard drive is encrypted.  But, the moment that file leaves the confines of the encrypted disk, as it did when the file was copied over from computer E to computer C, it is no longer encrypted.

    The file left behind on computer E is, of course, still encrypted, and will remain so (unless the hard drive itself is decrypted).

    The Power of Full Disk Encryption (FDE)

    I won't go into the details of it, but encryption--real, strong encryption--is powerful stuff.  It is routinely touted that breaking modern encryption within one's lifetime is impossible, even with the aid of all the computers currently found on this planet.  This is the reason why the military and government services use encryption to secure their messages and communications.

    However, breaking encryption is possible (and it's more than a theoretical concept): one has to either figure out the encryption key or the username/password (which I'll just refer to as "passwords" from here on).

    Obviously, passwords are required to access encrypted information.  If an unauthorized person manages to get a hold of such passwords, encryption is "broken" in the sense that encryption is not preventing a data breach.  The same is true if someone is able to randomly guess the passwords successfully.  And, if it cannot be guessed, a brute force attack--where all possible combinations are tried, one by one--could be carried out to figure out the password.

    In order to prevent this, endpoint security systems like AlertBoot encryption software have settings to restrict how many times the wrong passwords can be entered before the system won't accept passwords anymore.  Let's say the limit is 10 failed attempts.  On the eleventh try, even if the correct password is entered, AlertBoot won't let the user in. (There are ways to get around this in AlertBoot by calling the 24/7 support number.  Other encryption services may vary on how they approach this.)

    Such restrictions greatly minimize the occurrence of a data breach.  When it comes to guessing the encryption key, however, the same restriction cannot be used (it's like attempting to fully protect the security guard: if we stick a security guard on the security guard, who protects the second security guard?)

    Because such restrictions cannot be applied to encryption keys, these are made to be long and complicated.  For example, AES-256 is an encryption algorithm with a key length currently accepted as being "strong and safe."  A brute force attack would require 2^256 tries to run through all combinations.  In more familiar terms, that number would translate to 1.15 x 10^77.

    Keep in mind that the number of atoms in the universe is thought to be 1 x 10^80.  No wonder correctly guessing an encryption key is considered impossible during one's lifetime.  You've got better odds of hitting the Powerball three times in a row.

    Full Disk Encryption (FDE) And Its Detractors

    So, if encryption is so good at protecting stuff, why the detractors?  Well, people give many reasons why they think encryption doesn't provide data security, but these are some of the reasons:

    • Bad/Weak encryption algorithms exist: Encryption is big business, and people are always on the lookout to create a better/stronger way to encrypt data.  But, it turns out that creating a strong encryption algorithm is extremely difficult (which explains why most of the encryption algorithms out there that are in use are pretty old).

      Many companies will announce a new method of encrypting information, but sooner or later, most of these algorithms are found not to work.
    • Badly Designed Implementation Environment: Even if the encryption is strong and reliable, the implementation of it in software may not be.  For example, there may be coding errors that could allow one to bypass the security in place.
    • User Error: There are many types of encryption software out there.  Centrally managed encryption provides an administrator with a command-and-control center to manage an enterprise's computers' encryption, preventing the actual computer users from messing around with the settings.  However, plenty of encryption systems don't have this feature, meaning that the end user can actually turn off encryption.

      Or, users who cannot be bothered to remember their own passwords will stick or tape the password on the computer itself.  Obviously, such practices make the presence of encryption superfluous, like a gun without bullets.

    It should be pointed out, though, that there are encryption packages that overcome most of these so-called problems.  Regarding the first two issues, for example, utilize encryption software that has been vetted by the security community.

    There's technically nothing one can do for the last case, where the users hamstring the security provided by encryption.

    But not using encryption for that one reason precludes all those instances where a data breach could have been prevented because people did use encryption.  Encryption won't give you 100% protection; but it won't give you 0% protection either, which is what you get without it.

    Benefits of Full Disk Encryption (FDE) vs. File Encryption

    One of the glaring holes of FDE is that--as described earlier--files are not actually encrypted.  That means that, even with FDE in place, one could have a data breach quite easily, such as by copying sensitive files off the computer (e.g., to a USB flash drive).

    If a particular file or files must be protected, regardless of where they're stored (computers, USB disks, sent as e-mail attachments, etc.), then file level encryption must be used instead of (or in combination with) full disk encryption.

    However, there are quite a number of benefits to using FDE:

    • Everything is protected, including the swap space and all temporary files. While not "real" files, they will contain sensitive data, depending on the nature of your work.
    • End users do not decide which files are to be encrypted.  People may forget to encrypt files, or not do it at all.
    • Immediate data destruction. Deleting the encryption key ensures that the only way to access the data is by guessing the key, and I've already described how hard that is.
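
    The three-computer illustration, the failed-attempt limit and the key-deletion point above, as one added example (not AlertBoot's code or any product's implementation).  The Computer class, the file name and the password are hypothetical, and a SHA-256 keystream stands in for a real disk cipher such as AES-XTS.

```python
import hashlib
import hmac
import os

MAX_FAILED = 10  # the failed-attempt limit the post uses as its example


def disk_cipher(key, label, data):
    """Toy stand-in for a real disk cipher such as AES-XTS (SHA-256 keystream XOR)."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + label.encode() + counter.to_bytes(4, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


class Computer:
    def __init__(self, password=None):
        self.raw = {}                    # bytes physically on the drive (what a thief images)
        self.fde = password is not None
        self.key = None                  # disk key in memory, present only while unlocked
        self.failed = 0
        self.stored_key = os.urandom(32) if self.fde else None  # real products keep this wrapped
        if self.fde:
            self.salt = os.urandom(16)
            self.verifier = self._kdf(password)

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 20_000)

    def unlock(self, password):
        """Pre-boot login: once MAX_FAILED is reached, no password is accepted."""
        if self.stored_key is None or self.failed >= MAX_FAILED:
            return False
        if hmac.compare_digest(self._kdf(password), self.verifier):
            self.key, self.failed = self.stored_key, 0
            return True
        self.failed += 1
        return False

    def _crypt(self, name, data):
        if not self.fde:
            return data                  # unencrypted drive: bytes are stored as given
        if self.key is None:
            raise PermissionError("disk is locked")
        return disk_cipher(self.key, name, data)

    def write(self, name, plaintext):
        self.raw[name] = self._crypt(name, plaintext)

    def read(self, name):
        return self._crypt(name, self.raw[name])

    def destroy_key(self):
        self.stored_key = self.key = None


def demo():
    secret = b"claim 1042: supporting medical evidence (constructed sample)"
    a, c, e = Computer(), Computer(), Computer(password="correct horse")
    a.write("claim.txt", secret)
    e.unlock("correct horse")
    e.write("claim.txt", a.read("claim.txt"))       # copy A -> E
    c.write("claim.txt", e.read("claim.txt"))       # copy E -> C
    out = {"E_raw_plain": e.raw["claim.txt"] == secret,
           "C_raw_plain": c.raw["claim.txt"] == secret}
    e.key = None                                     # laptop powered off, then stolen
    for guess in range(MAX_FAILED):
        e.unlock(f"guess{guess}")                    # ten wrong passwords
    out["eleventh_try_correct"] = e.unlock("correct horse")
    e.failed = 0                                     # support desk resets the counter
    out["after_reset"] = e.unlock("correct horse")
    e.destroy_key()                                  # key deleted: data is unreachable
    out["after_key_destroyed"] = e.unlock("correct horse")
    return out
```

    Calling demo() shows the drive on E holding ciphertext while the copy that landed on C is stored in the clear, the correct password being refused on the eleventh try, and no password working once the key is destroyed.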

    Related Articles and Sites:
    http://en.wikipedia.org/wiki/Full_disk_encryption

     
  • Laptop Encryption Software: Francis Howell Laptop Stolen, Employees Affected

    The Francis Howell School District in Missouri is sending notice that a laptop computer was stolen.  The theft could compromise around 1,700 employees who've worked for the district between 2005 and 2008.  It looks like laptop encryption software like AlertBoot was not used to secure the contents.  Instead, the laptop was guarded by password-protection, which provides very little security.

    Glass - Not What I Would Call Security

    The thief or thieves broke a window in order to steal the laptop.  From the police description, it's quite apparent that the laptop computer was sitting pretty close to the window itself.  The thieves only had to reach through and take it.

    I'm amazed at how often people do not consider windows as being a chink in the armor (and, no, that's not a Microsoft-bashing reference).  Take into consideration how many people assume their cars to be a secure environment.  Or, how a room is considered secure if all entrances (windows, doors, vents, etc) are locked: people check to make sure everything is locked, turn off the lights, and assume everything is OK.

    Which is weird because, the last time I checked, it was quite easy to break glass.

    Of course, not all glass is equal: the Sears Tower in Chicago, for example, now offers a new attraction called "The Ledge" at its Skydeck, a glass box that extends 4 feet from the actual building itself.  That's some mighty strong (thick) glass.

    But, glass that thick and strong is not used for everyday purposes.  Everyday glass is pretty fragile.  If you don't have encryption software protecting your data, you may want to reconsider what exactly is providing you with data security.

    Full Disk Encryption - An Easy Way to Protect Data

    Password-protection doesn't provide security.  It's almost the digital equivalent of relying on glass windows for protection: it looks like it's going to work, until someone just goes in there and breaks something.

    A better way for the school district to protect their current and past employees would have been by using data breach prevention software like hard disk encryption.

    Used for centuries (literally!) by the military the world over (even Julius Caesar used it), it's about the only thing that can minimize the unintentional divulgence of information.


    Related Articles and Sites:
    http://suburbanjournals.stltoday.com/articles/2009/07/17/stcharles/news/doc4a60fecd526bb568210525.txt

     