AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

October 2009 - Posts

  • Data Encryption Software: CalOptima Loses Unencrypted CDs

    Update 29 OCT 2009: CDs recovered

    CalOptima in Orange County has announced the loss of several CDs containing personal information of members.  It will affect approximately 68,000 people.  The use of data encryption software like AlertBoot would have been extremely useful, on a number of fronts.

    What Was Lost

    The CDs contained "names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified number of Social Security numbers," according to computerworld.com.

    These had been mailed (via certified mail) to CalOptima by one of its vendors.  While not identified, it looks like the vendor was engaged in scanning paper documents into digital versions.

    The box sent by the vendor, however, was empty when CalOptima received it.  There was nothing to suggest that the CDs were stolen, so it looks like the package arrived at CalOptima undamaged.  Of course, this implies that the box was sent empty, which further means the vendor should still have the CDs.  They have not been found to date, however.

    Uh-Oh.  CalOptima Looking Into Why CD Encryption Not Used

    CalOptima is busy with post-breach actions.  One of them is the inquiry into the data protection of the CDs.  A spokesman for the company has stated that "the health plan (CalOptima) also wants to find out why the third-party claims-scanning vendor did not encrypt the data."

    In other words, it looks like there was an agreement in place that the data would be protected via encryption.  Why wasn't it?--many inquiring minds want to know.  It only makes sense to do so when you consider the following:

    • Encryption provides safe harbor under California law.  It's true.  If the information had been encrypted prior to its loss, it wouldn't have required public disclosure.
    • Encryption provides data protection.  Aside from legal protections, encryption software also provides technical protection.  In other words, it actually would prevent someone from popping the CDs into a computer and accessing the SSNs and whatnot.
    • Stuff goes missing from packages all the time.  Highlighting how badly things can go, a couple of CDs went missing in the UK, back in 2008.  It affected 25 million.  The UK's population is approximately 61 million. (Yikes!)

    Third Party Breach

    Who's responsible for the breach?  Well, it turns out it's CalOptima.  The loss was perpetrated by another, but since it's the health plan's information, they are held accountable (I'm not a lawyer, but I've heard this over and over again).

    This is--among other reasons, I'm sure--why CalOptima is contacting members, offering them credit monitoring services, etc.

    Take it from me--this is not the last time you're going to hear about a third party setting off a data breach.  It seems to me, based on how people are acting, that maybe third parties should be held accountable, too.  Sure, the vendor will lose CalOptima's business, but doesn't the fact that the law doesn't actually go after them create something of a "moral hazard"?

    I'd assume so, especially when you consider that CD encryption was supposed to be used.

    Related Articles and Sites:
    http://www.computerworld.com/s/article/9139913/CalOptima_says_data_on_68_000_members_may_be_compromised
    http://datalossdb.org/incidents/2395-names-home-addresses-dates-of-birth-and-medical-information-of-68-000-on-lost-discs

  • Cost Of Computer Security Breach: Judge Rejects TD Ameritrade Offer

    The judge presiding over the TD Ameritrade lawsuit has rejected a settlement he himself had pre-approved nearly three months ago.  I can see how instances like this justify the various data security measures companies across the US are choosing to take, despite their seemingly "heinous" upfront costs. (A drop in the bucket if Lady Fortuna decides to frown on you.)

    TD Ameritrade Settlement

    I had mentioned the settlement earlier in the year, and noted how a seemingly little breach (only e-mail addresses were exposed after all) would cost TD Ameritrade something like $8 million, taking into account some assumptions.

    Now, the same judge--having gone over the actual settlement language?--has decided that it doesn't do much for the actual plaintiffs.

    For example, the three main "benefits" of the settlement are:

    • Hiring a company to test TD Ameritrade's security
    • Checking for identity theft related to the company's data breach
    • One year of anti-spam service to victims

    It doesn't take an expert to see that only that last one would be of true benefit to victims.  The first, for example, doesn't benefit victims at all, unless one argues that it will lead to better security overall, and its effects trickle down to victims--if they choose to remain with TD Ameritrade.

    Plus, spam is like an unending river: it's not going to stop after one year, so I doubt the third one is of great benefit if you consider the long term.

    Insurance For Data Breaches?

    I found the following to be of interest: supposedly, insurance would have covered most of the costs of the proposed settlement.  Seeing how the anti-spam service would have constituted the majority of the costs (at least, I assume so; with 6.2 million affected, the numbers definitely lean towards it), I take it to mean that some insurance company would be paying for it.

    I find this interesting because I think it is the first time I've come across a company that has referred to insurance covering a data breach.

    Such insurance products have been around for some time (they were beginning to really take off a couple of years back, when identity theft and data breaches were really beginning to come into the national consciousness), but any news related to them dropped off the radar soon after.

    Insurance cannot protect data, obviously (by definition, insurance getting involved means data protection was nullified).  But, it could very well be part of a company's data security arsenal, just like encryption software from AlertBoot.  After all, data security can never be 100% effective, so if you're smart, you would have some type of backup plan.


    Related Articles and Sites:
    http://www.databreaches.net/?p=7991
    http://cbs13.com/wireapnewsca/Judge.rejects.TD.2.1271078.html
    http://www.chicagotribune.com/business/sns-ap-us-broker-data-theft,0,6059556.story

  • Data Encryption And ISO 27001, Compliant UK Firms Are Actually Not

    According to networkworld.com, nearly half of UK businesses that have been certified compliant with ISO 27001 are engaged in actions that would make them anything but.  In my own experience with drive encryption software, I can see how this can be true.

    What is ISO 27001?

    ISO/IEC 27001:2005-Information technology-Security techniques-Information security management systems-Requirements (commonly abbreviated to ISO 27001, for obvious reasons) is an international standard for information security management.

    According to Wikipedia,

    "ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard."

    ISO 27001 Criticism (Or Rather, Its Scope Of Limitations)

    Of course, as the Heartland Payment Systems fiasco showed us not too long ago, being audited and certified as being compliant doesn't necessarily mean that the data is secure.  This, too, is pointed out in Wikipedia, noting that

    "...the management system for information security is in place, but says little about the absolute state of information security within the organization. Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls."[my emphasis]

    This is not unusual.  For example, I've had firsthand experience with a company that was deploying encryption software on all of their laptops.  Now, they got to the point where their laptops were protected with full disk encryption, and I'm sure they reported it as such when an auditor--assuming there was one--came around to do his or her checks.

    However, it was later found that a significant number of the client's employees were using a temporary username and password that was passed around outside the normal deployment channels (the outside channel being an employee in the client's IT department; why he did this, we don't know).

    The end result was that these employees' laptops were not encrypted.  Just the fact that all these people used the same temporary username and password would have meant a fail under ISO 27001, for example.

    Seeing the above, one can see how networkworld.com's reportage makes sense.  After all, an audit is nothing but a spot-check, and auditors can't really tell whether, for example, passwords are being shared in the workplace: if the company says its employees don't share passwords, what more can the auditors do?  Spring a trap?

    Quocirca's Results

    The survey quoted in networkworld.com was conducted by Quocirca.  It found that, of the 47% of UK firms claiming compliance with ISO 27001, half were engaged in compliance-breaking practices:

    • Using default usernames and passwords
    • Granting more access than necessary
    • Not monitoring employees' computer use and access
    • Not realizing that privileged users exist (administrators; the CEO who wants it all, despite him being more experienced with an Etch-a-Sketch; etc.)

    Granted, claiming that one is in compliance and actually being in compliance are two different things, as I've found out when people started calling in to say that their encryption wouldn't let them in (what were they expecting, with their expired temporary creds?).

    (A simple check with an encryption audit report in AlertBoot vs. their laptop count would have rooted out the problem easily, though.)
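    The reconciliation described above (audit report vs. laptop count, plus spotting one temporary account enrolled on many machines), as an added example that is not AlertBoot's own code or report format: the CSV field names, the sample records and the `temp-` account-naming convention are assumptions constructed for the demo.

```python
"""Reconcile a laptop inventory against an encryption audit report.

Added example, not AlertBoot's own code or report format: the field names,
the sample records and the TEMP_ACCOUNT_PREFIX convention are assumptions
constructed for the demo.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: what an asset-management export might look like.
INVENTORY_CSV = """asset_tag,hostname,owner
LT-0001,lt-fin-01,alice
LT-0002,lt-fin-02,bob
LT-0003,lt-ops-01,carol
LT-0004,lt-ops-02,dave
LT-0005,lt-hr-01,erin
"""

# Constructed sample: what an encryption audit export might look like.
# `enrolled_by` is the account used to enrol the machine in the encryption
# service; `status` is the disk state the agent reported.
AUDIT_CSV = """asset_tag,status,enrolled_by
LT-0001,encrypted,alice
LT-0002,encrypted,temp-deploy
LT-0003,encrypted,temp-deploy
LT-0005,not_encrypted,temp-deploy
"""

TEMP_ACCOUNT_PREFIX = "temp-"  # assumed naming convention for one-off deployment accounts
SHARED_THRESHOLD = 2           # an enrolment account seen on this many machines is suspect


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv, audit_csv):
    """Return findings: laptops never seen, laptops not encrypted, reused accounts."""
    inventory = {r["asset_tag"]: r for r in parse_csv(inventory_csv)}
    audit = {r["asset_tag"]: r for r in parse_csv(audit_csv)}

    # Laptops the inventory knows about but the encryption service has never seen.
    missing = sorted(tag for tag in inventory if tag not in audit)

    # Laptops that reported in but are not actually encrypted.
    unencrypted = sorted(tag for tag, r in audit.items() if r["status"] != "encrypted")

    # Enrolment accounts reused across machines: a person's own credentials
    # are expected once; a temp account on many machines means it was passed around.
    by_account = defaultdict(list)
    for tag, r in audit.items():
        by_account[r["enrolled_by"]].append(tag)
    shared = {
        acct: sorted(tags)
        for acct, tags in by_account.items()
        if len(tags) >= SHARED_THRESHOLD or acct.startswith(TEMP_ACCOUNT_PREFIX)
    }

    return {"missing": missing, "unencrypted": unencrypted, "shared_accounts": shared}


def coverage_ratio(inventory_csv, audit_csv):
    """Fraction of inventoried laptops confirmed encrypted (the number an auditor should ask for)."""
    inventory = parse_csv(inventory_csv)
    audit = {r["asset_tag"]: r for r in parse_csv(audit_csv)}
    ok = sum(1 for r in inventory if audit.get(r["asset_tag"], {}).get("status") == "encrypted")
    return ok / len(inventory)


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY_CSV, AUDIT_CSV).items():
        print(f"{key}: {value}")
    print(f"coverage: {coverage_ratio(INVENTORY_CSV, AUDIT_CSV):.0%}")
```

    On the constructed data this reports one laptop the encryption service has never heard of, one that reported in unencrypted, and the `temp-deploy` account enrolled on three machines; the coverage figure (3 of 5) is the kind of number a spot-check audit never computes on its own.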


    Related Articles and Sites:
    http://www.networkworld.com/news/2009/102209-almost-half-iso-27001-compliant.html
    http://en.wikipedia.org/wiki/ISO/IEC_27001

  • Hard Disk Encryption? Paper Documents Get Stolen, Too

    Encryption, encryption, encryption.  The message oft repeated in this blog is, if you have a computer with sensitive data, make sure you use some kind of data security product like hard disk encryption from AlertBoot to protect its contents.

    However, encryption cannot be your only data security tool, as the following story shows.  Remember, it's not about protecting your computer...it's about protecting your data.

    Enloe Medical Center Patient Info Missing, Was Destined To Shredder

    Enloe Medical Center--a non-profit hospital in Chico, CA--is the latest victim of a data breach.  And, the portents of the theft are ominous.  What was stolen?  Paperwork with patient information, possibly including names, addresses, SSNs, medical conditions, insurance info, Medicare info...anything that was jotted down while an ambulance was transporting a patient.

    That's right.  We're not even talking about computers or digital doodads anymore.  We're talking about dead trees.  Would encryption have provided some kind of protection?

    Technically, yes.  Encryption has technically been around since Julius Caesar's time and before, so it would be possible to encrypt information on paper.  However, no one wants to do that...it takes forever to do these things by hand.

    Point is, if you thought you were covered by encryption on your computers, well, think again.

    And Enloe is thinking again.  They've now realized that they don't have adequate security surrounding their "documents to be shredded" bin area, and are looking into the matter.  That area is accessed by employees normally, so I guess the medical center felt a little too secure.  Of course, it could also be that it was an inside job.  God knows there are plenty of such instances.

    One worrying thought?  Someone took great pains to get to those documents.  And I'm pretty sure there are easier methods of getting fuel for one's fireplace, so it goes without saying that those papers were taken with nefarious purposes in mind.  I'm not as sanguine as the PR director at Enloe, who reminds "affected patients that the theft of information doesn't necessarily mean they will be the victims of identity theft."

    You Work In A Paperless Environment?  Still Not Secure

    Okay, so if you work in one of those environments where data never gets off a computer, unlike Enloe, you may think encryption has you covered.  Think again.

    What about personal USB sticks and similar products?  I found a 4 GB SD memory card (the type that goes into digital cameras) being sold for $10.  You can fit way too much data on that thing, and every computer I've owned since 2007 seems to have an SD port built-in (they're becoming as ubiquitous as USB ports).  Are you sure your employees are not copying sensitive data onto such devices? (You would be, with port control software.)

    What about your internet router?  Are you sure you've got a strong password to prevent port-sniffing hackers from taking over (it's supposed to be like 26 characters long)?  Do you use a wireless router?  Did you remember not to use WEP encryption, since it can be cracked in a matter of minutes?

    Remember, the name of the game is to protect data, and there are too many ways for that stuff to get stolen.  Using encryption software on a laptop's hard disk ensures that data remains safe if the computer gets stolen.  It cannot, and was not designed to, protect sensitive data against all possible forms of data theft.  Other measures are necessary as well, including physical security.


    Related Articles and Sites:
    http://www.databreaches.net/?p=7957
    http://www.orovillemr.com/news/ci_13598541&ct=ga&cd=cXuf8x5oP8w

  • Hard Drive Encryption Software: Roane State Community College Data Breach

    9,747 current and former students and 1,194 employees at Roane State Community College have been alerted to a data breach.  The data was stored on a USB drive.  While the academic institution does have "policies [to] define rules for protecting confidential data," it hasn't been revealed whether full disk encryption like AlertBoot was used to protect the contents of the memory stick.

    What's Missing?

    • Names and SSNs for 10,941 people (the students and employees mentioned above)
    • SSNs only for another 5,036 students, current and former.

    Academic records were not included.

    How'd It Happen?

    An employee copied the information to a 4GB USB drive that was "used for work-related purposes."  He took it with him on October 9 to work on it from home.  However, he forgot the device in his car, which he also forgot to lock.  The employee reported the theft the very next day.

    Hm.  "Used for work-related purposes."  Am I correct in reading that this was a college-sanctioned device?  Did they secure it by using encryption software on the contents?  On the other hand, I see this gem:

    "The employee did act against RSCC regulations by copying school data and taking it off the property." [wbir.com]

    I guess it was used for work-related purposes because work-related files were stored on the flashdrive.  Meaning it was not a sanctioned device, so I'm going to go with the odds and assume that USB flashdisk encryption was not used.

    What Are The Chances?

    Should people whose data was saved on that USB drive be concerned?  My opinion is most definitely.  Perhaps 10 years ago one could have claimed that there was little chance for worry.

    But, the issue of ID theft has garnered a lot of attention in recent years, and everyone and their grandmother knows to fear it.

    I wouldn't mind too much if the information had fallen into the hands of an average citizen, since there's a chance that the person would keep the device and delete the data, perhaps even return it.  But let's not kid ourselves, the information has fallen into the hands of a criminal.  How do I know this?  The average citizen doesn't go around breaking into unlocked cars.  It takes a thief to do that.

    Knowing this, the chances of someone accessing that data and using or selling it have increased dramatically.  Had encryption been used, the issue would be a moot one.  Instead, Roanites (Roanians?) are stuck waiting to see what happens next.


    Related Articles and Sites:
    http://www.roanestate.edu/keyword.asp?keyword=IDALERT
    http://www.wbir.com/news/local/story.aspx?storyid=102422&catid=2

  • Wireless Encryption: TJX Lessons Not Learned At TimeWarner?

    Remember how TJX had that massive breach?  The one that's considered to be the largest to date?  Well, it looks like not all major companies learned the lesson.  The issue came down to the data encryption used to protect wireless data transfers.  Well, Time Warner has been caught using the same encryption standard on routers provided to customers.

    The TJX Lesson - Don't Use WEP!

    As mentioned above, the TJX breach occurred due to a weak wireless encryption standard used at its stores.  This encryption standard--WEP, Wired Equivalent Privacy--has been considered less than inadequate (you read that right, "inadequate"...it's that bad) since 2001.  In 2004, the IEEE had declared WEP as incapable of meeting any security goals.  In other words, it's useless in the year 2009.

    TJX had neglected to upgrade from WEP to WPA, and has been fending off lawsuits and fines for precisely this reason.  There is no other reason.  It can be traced back directly to the use of WEP and the decision not to upgrade to WPA.

    TimeWarner's Router/Modems At Issue

    The issue came to see the light of day when David Chen, co-founder of pip.io, was helping a friend set up his wireless network.  He found a number of issues with the security on the router, a model that's provided by TimeWarner.

    To start off, he found that the router had been crippled to provide WEP encryption only.  With a little digging he also found that access to the admin portion was disabled via Javascript (meaning, he could access it by turning Javascript off).  And, he was able to read the admin login creds when he did a data dump because it was saved in plaintext format.

    Now, I would be the first to defend TimeWarner and go after the router manufacturer.  After all, TimeWarner is not in the business of building routers.  However, from Chen's blog,

    Of course I got in touch with Time Warner’s security department and warned them about the security issue but their response was simply “we are aware of it but we cannot do anything about it”.

    Okay.  In other words, since it's their customers at risk, the company is willing to do nothing?  The lack of security on these routers doesn't really affect TimeWarner that much.  The risk lies with anyone using the router to connect to the internet, since the lack of adequate security means they're at risk of digital eavesdropping.

    However, it looks like going public with the issue has prompted the company to act.  According to thestandard.com, TimeWarner is waiting for the manufacturer to come through with a permanent fix.
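    The two weaknesses Chen describes on the router (admin page hidden only by JavaScript, admin credentials stored in plaintext) side by side with the server-side pattern that actually fixes them, as an added example that is not Time Warner's, the router vendor's or pip.io's code: the handler functions, the request shape, the session store and the use of a salted PBKDF2 hash for the stored password are assumptions constructed for the demo.

```python
"""Hiding an admin page client-side versus authorising it on the server.

Added example, not the router's real firmware: the request model, the handler
functions and the credential storage scheme are assumptions for the demo.
"""
import hashlib
import hmac
import os
import secrets

ADMIN_PAGE = "<h1>Router admin</h1><form>...</form>"


def make_request(path, session=None, js_enabled=True):
    """A request modelled as a dict; js_enabled stands in for the browser setting."""
    return {"path": path, "session": session, "js_enabled": js_enabled}


# --- Weak pattern: the page is always sent, a script merely hides it ---------
def weak_admin_handler(request):
    """Sends the admin page to every client and relies on a script to blank it.
    Anything the client can switch off (JavaScript) is not an access control:
    the bytes leave the server regardless."""
    body = ADMIN_PAGE + '<script>if(!window.isAdmin){document.body.innerHTML=""}</script>'
    # What the browser ends up showing: blank with JS on, the full page with JS off.
    rendered = "" if request["js_enabled"] else ADMIN_PAGE
    return {"status": 200, "body_sent": body, "rendered": rendered}


# --- Hardened pattern: the decision is made on the server -------------------
# Credentials are stored as a salted PBKDF2 hash, never plaintext, so a config
# dump does not hand over the admin password.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])  # constant-time compare


ADMIN_RECORD = hash_password("constructed-demo-password")  # constructed value, not a real default
SESSIONS = {}  # session token -> username


def login(username, password):
    """Returns a random session token on success, None otherwise."""
    if username == "admin" and verify_password(password, ADMIN_RECORD):
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = username
        return token
    return None


def hardened_admin_handler(request):
    """Refuses to send the admin page at all unless the session is valid.
    Whether the client runs JavaScript is irrelevant here."""
    if SESSIONS.get(request["session"]) != "admin":
        return {"status": 403, "body_sent": "Forbidden", "rendered": "Forbidden"}
    return {"status": 200, "body_sent": ADMIN_PAGE, "rendered": ADMIN_PAGE}


if __name__ == "__main__":
    print("weak, JS off :", weak_admin_handler(make_request("/admin", js_enabled=False))["rendered"])
    print("hardened, no session:", hardened_admin_handler(make_request("/admin"))["status"])
    token = login("admin", "constructed-demo-password")
    print("hardened, logged in :", hardened_admin_handler(make_request("/admin", session=token))["status"])
```

    The test to apply to any such device is the one the weak handler fails: request the admin resource with no valid session and check that the response body does not contain the page, rather than checking whether the page is visible in a browser.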

    Keeping Up To Date

    Remember, there is encryption and then there is encryption.  A musket and an UZI are both firearms, but one is outdated and nearly useless in most situations.  Likewise, you've got to make sure you're using an encryption standard that can protect your data, first and foremost by not being outdated.

    Currently, that standard is 128-bit AES or equivalent.  Make sure your encryption software is using the right stuff.


    Related Articles and Sites:
    http://www.databreaches.net/?p=7908
    http://www.thestandard.com/news/2009/10/21/gaping-security-hole-turned-64-000-time-warner-cable-modems-hacker-prey
    http://chenosaurus.com/2009/10/
