AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


August 2009 - Posts

  • Data Security: US Governors Get Free Laptops, FBI Investigates

    Sometimes, it's not the use of data security tools like hard drive encryption that protects you.  Sometimes, it's doing nothing that protects you.  Take the case of the unasked-for laptops.

    The FBI is currently investigating why unsolicited laptops were sent to US governors.  The Governor's Office in West Virginia received five laptops, for example; nobody at the office ordered them, and there was no explanation of why they were sent.  According to the article at computerworld.com, the same thing happened in ten other states.

    It's believed that the computers may contain malicious code (unconfirmed so far).  The idea is that the, ahem, "benefactor" may have sent the free laptops in the hope that government officials would just take the free swag and use them.  If that had happened, there is the distinct possibility that the computers would be used within the workplace, and that's when the malicious code--be it Trojans, viruses, or whatever--would be able to breach any security in the workplace.

    In a sense, the computer is the Trojan.  (It would have been highly symbolic if the computers were branded with a horse logo, like the Acer Ferrari laptop series.)

    The plan, assuming using the laptops as a Trojan horse was the plan, failed.  It looks like government officials are not as venal as they're portrayed...well, pretty much everywhere.  Officials decided that this was just too suspicious and got in touch with the FBI, who are investigating the issue.

    Not only are they looking to confirm the presence of malware on the computers, they've also gotten in touch with the computer manufacturer to see if it can provide any leads.

    So far, I've neglected to mention that all the computers were HP-branded.  Personally, I don't see how it would be relevant...unless this happens to be some kind of weird marketing campaign by the computer maker, which it's not.

    HP has admitted to knowing that there have been attempts at fraud linked with such shipments, and that it is cooperating with law enforcement to get to the bottom of the issue.  My own assumption is that whoever is doing this probably decided to buy the machines in bulk, and that's why they're all HP computers.

    Officials did the right thing by being suspicious and not using the computers.  Personally, being slightly paranoid, I may have wondered if the computers were rigged to blow up (similar to what the now-imprisoned Unabomber may have done), and not turned them on.

    As they say, you want the right tools for the job.  If you're looking for data security, generally you use a firewall (for on-line attacks) and encryption software (for off-line theft), among other tools of the trade.  But the best tool of all, bar none, is common sense.

    Related Articles and Sites:
    http://www.computerworld.com/s/article/9137208/FBI_investigating_mystery_laptops_sent_to_governors?taxonomyId=17

     
  • Phishing Scam Uses Real BBC Article On Lost Iraq Money

    Normally, this blog deals with security breaches and how data protection software like AlertBoot's hard disk encryption could be used to prevent future ones.  However, I'd like to cover a phishing scam that seems to have been making its rounds since earlier this year.

    The other day, I received an e-mail from a SGT JIM WHITE:

    Good Day,
     
    My name is Jim White, a member of the U.S. ARMY 3rd Infantry Division in Iraq. I would like to share some highly classified information about my personal experience and the role which I played in the pursuit of my career serving in the U.S. ARMY. However, I would like to hold back certain information for security reasons until you have the time to visit the BBC website stated below. This will enable you to have insight as to what I'm intending to share with you.
    http://news.bbc.co.uk/2/hi/middle_east/2988455.stm
    Please get back to me after visiting the above referenced website to enable us to discuss the matter more. I'm uncomfortable sending this message to you without knowing if you are indeed with me or you decide to go public.

    At first glance, I didn't realize that this was a phishing scam.  Based on the first couple of sentences, I thought that maybe this guy was looking for a job with AlertBoot, or perhaps wanted to send us some information regarding a data breach (we're not a news organization, but we do cover data security breaches via this blog).

    But when I saw that BBC link...well, that's when I suspected that this was probably a phishing scam, or an attempt to remotely install malware after I had clicked on the link.  Normally, I would have ignored it, but my curiosity got the best of me in this case.

    I copied the link and googled it, and lo-and-behold, it was a legitimate link. An excerpt:

    Stash of money found in Baghdad
    Foreign currency worth nearly $200m has been found in a Baghdad neighbourhood, the US military say.

    Troops found $100m and 90m euros in 31 containers, US Central Command said.
    The money has been flown out of the country to a "secure location" for counting purposes and will eventually be returned to Iraq to help rebuild the country, the US said.
    Last week, US troops found more than $650m in the same area of Baghdad.

    Phishing scam.  For sure.

    Had I contacted this Sgt. White, I'd probably have gotten some story about needing to transfer the funds out of an undisclosed location in the Middle East, but the US government couldn't do so due to issues of international politics, blah, blah, blah, and needed my help.

    This scam has been around for a while, it looks like.  To begin with, the original BBC article was published in April 2003, so this scam has been around for at most 6 years.

    Also, doing a search for "phishing scam Iraq money" in search engines brings up a bunch of results.  If blog posts are any indication, it looks like this particular phishing scam has been making its rounds since around March of this year.

    Attempts at phishing money from honest people are legion, but this one has an interesting twist to it in that it uses a legitimate site (not a legitimate-looking site) to carry out its fraud.  I must admit that, after having vetted that the link was for an actual BBC news site, I let my guard down: I forgot to check the date on the article.

    Of course, once I read the "Three Kings" scenario in the article, I knew it was a scam...but what if you're not into George Clooney movies?  Can't let your guard down....

    Related Articles and Sites:
    http://news.bbc.co.uk/2/hi/middle_east/2988455.stm
    http://www.thunderbayit.com/phishing.asp?show=28

     
  • Full Disk Encryption: PA Consulting Breach Figures Revised Upwards

    The UK's Home Office had to revise its estimates regarding a data breach from last year.  A USB memory stick with prisoner data was lost by a consulting firm, resulting in the loss of 130,000 prisoner records.  The memory stick did not make use of USB drive encryption like AlertBoot endpoint security systems, which could have prevented the breach from becoming big news.

    It would have also prevented the need for the Home Office to restate its figures.  According to a report, the data breach by PA Consulting actually affected 377,000 records.  That's nearly three times the originally reported figure!  Talk about being way off....

    PA Consulting, which was at the time involved in the UK's National ID Card scheme, saw its contract with the government terminated over the incident.

    All because of a lost USB flash drive.  Who would have entertained the thought that something the size of a pack of gum would result in a cancelled contract, probably worth millions of dollars?

    This, however, is the risk a company takes when it does not have the proper security controls in place.  If the drive had been encrypted, the loss of the device may not have had such a dire consequence for the consultant, even if the loss itself would still have been a calamity. (Yes, a calamity.  That's what the loss of 377,000 sensitive records happens to be.)


    Related Articles and Sites:
    http://www.v3.co.uk/v3/news/2248501/home-office-loss-revised

     
  • Texas Personal Information Data Privacy Notification And Encryption Laws: Business and Commerce Code Chapter 521

    Under the Texas Identity Theft Enforcement and Protection Act (a link is provided at the end of this post), notification to customers is required if there is an information security breach of the customers' computerized data.  The notification must be done as quickly as possible.  Safe harbor is provided if the sensitive data is protected with encryption, like AlertBoot's endpoint security systems.

    The newly amended law is effective from April 1, 2009.

    Let's start by exploring the penalties, to see what the ramifications of a data breach happen to be. (BTW, I'm not a lawyer, and this is not legal advice...but the law happens to be pretty clear.)

    Penalties For Violating Texas's Data Privacy Law

    Subchapter D, which deals with remedies, states that there is a "civil penalty of at least $2,000 but not more than $50,000 for each violation."

    A company also has to deal with the fact that the people affected by a breach must be notified (which could be viewed as a financial penalty in itself; it would certainly be cheaper not to do so...not that I'm advocating it), which leads us to our next section.

    When Must Texas Residents Be Notified?

    Businesses in Texas must contact their clients of a data breach if it's reasonable to assume that clients' sensitive personal information was acquired by an unauthorized person (read: thief).  This must be done as quickly as possible.

    Notification can be delayed if law enforcement determines that such a notice would impede a criminal investigation.

    Texas Breach Notification Requirements

    Notice of a breach must be in the form of a written notice (or electronic notice if it's given in accordance with 15 U.S.C. Section 7001).

    If the cost of notification would exceed $250,000, or more than 500,000 people would have to be notified, substitute notice is allowed: e-mail (assuming you've got their addresses), a conspicuous notice on the company's website, or an announcement in major statewide media.

    Also, if more than 10,000 people were affected by the breach, consumer reporting agencies must be notified as well.

    The statute does not specify what must be included in a breach notification letter, so I guess it's up to the company, its lawyers, and its PR department.

    Safe Harbor And Personal Information Defined According To Texas Encryption Law - Business and Commerce Code Chapter 521

    Under Section 521.002,

    "'Sensitive personal information' means, subject to Subsection (b), an individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted" [my emphasis]:
    • Social Security number
    • Government-issued identification number (including driver's license)
    • Account or credit card numbers (including debit cards) with its security code or any other access codes
    • Does not extend to publicly available information, or information obtained legally

    There is something to note here.  If sensitive personal information, as defined above, happens to be encrypted--for example, a list of SSNs and names were saved on a computer that featured whole disk encryption--then technically it's not sensitive information anymore.

    I've noticed that many states provide safe harbor for encrypted data in this roundabout manner, where encrypted information is, from a legal perspective, excluded from the definition of sensitive information; hence, losing encrypted data is not a data breach, meaning notification is not necessary.

    Also, note that losing names or just SSNs, for example, is not a breach.  Of course, losing a list of SSNs without their corresponding names almost never happens, so it might be a moot point.  However, by definition, the loss of credit card numbers without a list of names is also not a breach.  Even if their passwords were included!

    It's the perfect opportunity for people who create fake credit cards and deplete bank ATMs: they've got fake cards with real numbers and passwords.  Maybe the law should get updated on that... 

    Related Articles and Sites:
    http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
    http://www.jeffreyneu.com/20090519193/data-breach-notification-requirements-in-the-united-states-and-european-union.html

     
  • Disk Encryption Software Recommended For London Borough Of Sutton

    The London Borough of Sutton has been reprimanded and ordered by the ICO to use data encryption on its laptop computers.  The borough lost paper files and two laptops (both of them unencrypted).

    The first laptop was stolen from a locked cupboard on a children's hospital ward.  The computer contained the personal data of nine children who were being taught by the council.

    The second laptop held social care data on 39 people.  It was stolen from an employee's home.  There is no mention of what physical protection, if any (a locked cupboard or otherwise), was in place.

    The use of encryption software like AlertBoot endpoint security software would have meant that the theft of these devices would not have resulted in a data breach.  The reason is quite simple: with proper encryption, it becomes nearly impossible to access the data on the protected devices.  No access to data means no data breach (although you can't deny theft has taken place).

    As such, the undertaking Sutton has signed with the Information Commissioner's Office requires that any mobile devices with sensitive information (not just laptop computers) be encrypted.

    (I'd like to point out that this may be a little short-sighted.  There's no reason why non-mobile devices, like a desktop computer, couldn't be stolen as well.  When it comes to data security, what's important is not that a device can be easily stolen but that it can be stolen at all.)

    The ICO's requirements go a little further than encryption, though.  They also require that there be adequate physical security, that data retention policies be followed, and that employees receive awareness training so they are conscious of the need for good data security practices.

    Now, considering that one of the laptops was stolen from a locked cupboard, one has to wonder what "adequate" physical security happens to be.  I guess a locked cupboard is as good as it gets in the workplace unless one has storage space specifically designed to be breach-resistant (like a safe).  But if it's going to be so easily broken into, is it "adequate"?


    Related Articles and Sites:
    http://news.zdnet.co.uk/security/0,1000000189,39727098,00.htm
    http://www.ico.gov.uk/upload/documents/library/data_protection/notices/lbs_undertaking.pdf

     
  • Data Encryption: Citadel Uses It To Protect Their Trading Platform

    I was reading the grey lady on-line when I happened upon the following tidbit that reveals a couple of things about data encryption software:

    "As part of the suit, Citadel detailed the extraordinary steps it takes to protect its software. Besides encrypting its programs, the firm discourages employees from writing down details about them. Its offices have cameras and guards, and there are secure rooms that require special codes to enter. The precautions are necessary because Citadel has spent hundreds of millions of dollars developing its software, the firm said." [The New York Times, my emphasis]

    But, before I make observations: what is Citadel?  The name and the content would lead you to believe that this company is part of the military-industrial complex.  However, it's actually one of the more successful investment groups in the world.

    The software they're talking about is trading software that allows high-frequency trading to be profitable, generating about $8 billion for Wall Street firms this year alone, according to The New York Times.  Obviously, keeping such in-house developed software out of the clutches of competitors is extremely important.

    Now, on to my couple of observations:

    Encryption Software Is Not A Panacea

    Not only is encryption used to protect data, employees are discouraged (read: forbidden) from writing down details about them.  Offices are guarded, to the point of making it sound like a high-stakes casino, and access to sensitive rooms (and hence, data) is restricted to authorized personnel only.

    Note how there is constant monitoring, physical security and barriers, on top of encryption.  Encryption is powerful stuff, but it can only do so much.  It's also important to note that Citadel didn't forgo encryption because it has all these other security measures.  (No cases of, "Encryption?  What do we need that for when we've got a big burly guy with an AK-47?")

    Encryption is just another piece in the overall security puzzle (an important piece, though).

    Encryption Works

    Nothing gets my goat more than people telling me that encryption doesn't work.  Among the reasons for making such an astounding argument:

    • People don't practice enough security.  In other words, passwords to encrypted data can be found on post-it notes, taped beneath a keyboard, passed around like office gossip on a slow day, etc.  Because people are not security-conscious, encrypting data is meaningless and self-defeating.

      Counterpoint: You can't have the ignorant and the lazy dictate your security needs.  For example, as a college student I saw plenty of instances where fellow students would leave their dorm doors unlocked all the time: while going to the bathroom, chatting up coeds around the hall corner, going to greet the delivery guy, attending a lecture, etc.

      Obviously, things got stolen.  Now, following the anti-encryption argument above and applying it here...who in their right mind would say that door locks don't work because people are not more security-conscious, and thus there's no need for locks?

      Stating that encryption doesn't work because of people is not a reason for not implementing encryption; it's just an excuse.

    • Encryption can be broken...eventually.  Some say that encryption doesn't provide security because a brute-force attack can be performed and eventually the information can be recovered, which is perfectly true.

      Counterpoint: What people don't mention is how long this would take.  It would take centuries for the moderate hacker to do it, assuming they know what they're doing.  I say "moderate" because the smart and average hackers already know that this is a lost cause, and would just not attempt it at all.

      (I'm assuming, of course, that the encryption program implemented can limit the number of wrong guesses before clamming up, like AlertBoot does.  Otherwise, the above criticism is perfectly valid, since people tend to use less-than-secure passwords, like, say bacon123--in those cases, it really is just a matter of weeks, not years.)

      They'd rather concentrate on using social engineering (i.e., lying and impersonating) to finagle the correct password.

    • There are backdoors.  Some encryption systems have backdoors built into it, allowing the person with the right knowledge to gain access without knowing any passwords.

      Counterpoint: Yes, there are.  Also, there are plenty that aren't.  The trick is to use the one that doesn't offer a backdoor--while admitting that data cannot be recovered in the event something goes terribly, terribly wrong.

    There are many more reasons.  As you can see, though, most of these arguments are weak.  There's a reason why private companies use encryption to protect their crown jewels.  It's the same reason why governments use encryption to protect their crown jewels:

    Encryption works.
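
    To put numbers behind the "it can be brute-forced...eventually" argument, here is an added worked example (not code from the original post, and not AlertBoot's software).  It compares three things the post mixes together: exhausting a random key, guessing a weak password offline against a copy of the encrypted data, and guessing it online against a device that locks after a handful of wrong tries.  The guess rates, the dictionary size and the lockout threshold are assumptions chosen for illustration.  One caveat worth making explicit: a wrong-guess limit only helps when the attacker has to go through the device that enforces it; an attacker who can copy the encrypted volume and attack the password offline is limited only by how slow the key derivation is.

```python
# Added example: rough attack-cost estimates for "encryption can be brute-forced".
# Not from the original post. All rates and sizes below are illustrative assumptions.
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_seconds(candidates: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: on average half the space is searched."""
    return candidates / 2 / guesses_per_second


def keyspace_expected_years(key_bits: int, guesses_per_second: float) -> float:
    """Expected years to brute-force a random key of key_bits bits (no shortcuts assumed)."""
    return expected_seconds(2.0 ** key_bits, guesses_per_second) / SECONDS_PER_YEAR


def word_plus_digits_candidates(dictionary_size: int, digits: int) -> int:
    """Size of the 'dictionary word followed by N digits' space that covers e.g. bacon123."""
    return dictionary_size * 10 ** digits


def online_success_probability(candidates: float, attempts_allowed: int) -> float:
    """Chance of guessing a uniformly chosen secret when the device permits only
    attempts_allowed tries before locking up (the pre-boot wrong-guess limit case)."""
    return min(1.0, attempts_allowed / candidates)


def password_bits(candidates: float) -> float:
    """Entropy in bits of a uniformly chosen secret from a space of this size."""
    return log2(candidates)


def summary() -> dict:
    """Worked comparison under assumed rates:
    - 1e12 key trials/s against a raw 128-bit key (generous to the attacker)
    - 1e5 password trials/s offline, i.e. a slow key-derivation function in the way
    - an assumed (hypothetical) 100,000-word dictionary and a 10-try lockout
    """
    weak_space = word_plus_digits_candidates(100_000, 3)   # 1e8 candidates, ~26.6 bits
    strong_space = 62.0 ** 12                               # random 12-char alphanumeric, ~71.5 bits
    return {
        "key128_offline_years": keyspace_expected_years(128, 1e12),
        "weak_pw_offline_seconds": expected_seconds(weak_space, 1e5),
        "weak_pw_online_10_tries": online_success_probability(weak_space, 10),
        "strong_pw_offline_years": expected_seconds(strong_space, 1e5) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>26}: {value:.3g}")
```

    The output makes the post's point and its caveat at once: the key itself is out of reach (on the order of 10^18 years even at a trillion trials per second), a password like bacon123 falls in minutes to an offline attacker, and the same password survives only because a 10-try lockout leaves the attacker a one-in-ten-million shot, which is why the lockout matters only as long as the attacker cannot sidestep it.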


    Related Articles and Sites:
    http://www.nytimes.com/2009/08/24/business/24trading.html?_r=1&pagewanted=all

     