AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


November 2009 - Posts

  • Data Security: 41% Of Employees Steal Corporate Data

    A survey carried out in the US and UK has found that 41% of employees have willingly taken corporate information.  When one has a data breach due to accidental loss or theft, data protection solutions like full disk encryption can mitigate the ensuing developments.  However, what can one do when the threat comes from the inside?

    Canary Wharf and Wall Street

    The survey takers worked in the financial centers of London and New York, which may account for the high rates of data pilfering (I know, unfair and uncalled for.  But, I'm still ticked off about the global financial meltdown).  Regardless, the numbers are quite surprising:

    • 41% of the respondents have taken data from their jobs (85% of respondents knew it was illegal to do so)
    • 33% would take data to help someone get a job
    • 13% of workers would take usernames and passwords to use at a later date
    • 57% of employees found it easy to take sensitive data, an increase from 29% last year

    Plus others, found at the cyber-ark.com link at the bottom.  The following types of information were stolen, most popular to least:

    • Customer and contact details
    • Business plans and proposals
    • Product details

    The above dovetails perfectly with the survey's findings that people are stealing such data to get an edge when procuring a new job.

    Perhaps Companies Are Not Doing Enough?

    That 57% figure, about finding it easy to steal data, weighs on my mind.  It could mean, for example, that companies have relaxed their data security controls over the past year.  I find this unlikely.  I don't mean to imply that there were no such companies.  Rather, I find it dubious that so many companies decided to do so over the past year.

    Instead, another interpretation--and in my opinion, a more likely one--is that there were even more employees who have attempted to take sensitive data over the past year.  In other words, the statistic represents a tremendous growth in employees engaged in data theft.

    Think about it: if companies don't curtail their data security expenses, but there is an increase in successful data theft rates over the previous year--meaning there wasn't enough time for a new technology to make past defenses ineffective--what other conclusion can one come to?  Combine this with the fact that the economy has been steadily worsening, and it seems to me that this is the correct interpretation.

    This in turn implies that the corporate data security in place last year was not adequate.  It just appeared good enough because there weren't enough people engaging in data theft.

    How To Prevent Data Theft?

    Admittedly, it's difficult to prevent internal data theft.  However, that doesn't mean that a company cannot minimize data breach instances.

    To begin with, data monitoring is necessary.  If your employees know that the company is not monitoring its data, they are likely to engage in data theft.  Even with monitoring, employees may attempt to steal data.  However, overseeing improper data access will point out infractions; following up with such employees lets everyone know that the company is actively engaged in monitoring and leads to fewer people attempting data theft.

    Also, companies may want to engage in USB port control and blocking.  According to the survey, saving information to USB memory sticks is the most popular way of stealing information.  And why wouldn't it be?  They're easy to carry, easy to hide, and easy to use.

    Plus, their capacity is increasing exponentially, while their costs are plummeting on a per byte basis.  If a company decides not to engage in monitoring, the least it can do is prevent their employees from saving corporate information to personal devices.

    Changing passwords from time to time is also recommended.  Obviously, accounts and passwords used by employees who've been let go should be disabled.  However, in an office environment, passwords are shared, more often than one can imagine; hence, changing passwords is advisable.

    Last but not least, never forget that threats are everywhere.  In other words, don't forego disk encryption just because you've decided to go gung-ho on internal security.  External threats are not going anywhere either.


    Related Articles and Sites:
    http://www.out-law.com/page-10546
    http://www.cyber-ark.com/news-events/pr_20091123.asp

     
  • Data Security: House Of Reps. Passing P2P Bill? Secure Federal File Sharing Act

    A bill was introduced this week by Rep. Edolphus Towns (D-N.Y.), chairman of the House Oversight and Government Affairs Committee.  The bill, the Secure Federal File Sharing Act, is aimed at restricting the use of peer-to-peer (P2P) software by government employees and contractors. (If they could only do something similar for hard drive encryption software as well...I mean, the problem of lost and stolen laptops precedes P2P-related problems.)

    Of course, the bill won't govern their private lives.  Rather, it's a ban on using P2P software on federal computers or computers used for federal government work.  Exceptions can be made if approved.

    The bill is a response to the many P2P-related breaches the US government has been experiencing of late.  Earlier this year:

    • In January, President Obama's Marine One details were found in P2P networks.  Schematics for the helicopter had been leaked from a defense contractor.  In fact, due to the extremely sensitive nature of the breach, the government went into overdrive and found on which computer the leak originated

    • In July, documents pointing out the First Family's safe house were leaked.  Motorcade routes were found as well

    • In October, documents related to misconduct investigations were leaked.  It was all the more scandalous because the committee that conducts the investigation is very tightlipped about its activities

    Is Banning P2P From Government Computers A Good Idea?

    I would say so.  I know the issue is not entirely black and white, but in this particular world of grays, it definitely leans towards the darker side.  Yes, P2P is just a piece of technology, and there's nothing inherently "evil" about it--no more than a pencil, which can be used to produce art or used to draw the schematics of a dirty nuclear bomb.

    However, consider the following:

    • Most government workers probably deal with stuff that shouldn't be made public.  Take the case of some paper pusher at the DMV.  Would you want to risk having his work exposed to the public?  Seeing how he or she probably deals with SSNs and addresses, I would personally say no.

      I'm all for open, transparent governments and whatnot, but I think the main idea is to make sure we can keep an eye on what the government is doing.  A transparent government is certainly not about anyone being able to see the nitty-gritty details; otherwise, any schmuck would be able to steal SSNs and other sensitive data to their heart's content, as if it were their federally mandated right.

    • If we're talking about work computers, chances are most people are not scrutinizing their actions on it.  People tend to be more careful with their own property than with stuff given to them for "free," i.e., money is not leaving their pockets if stuff happens to it.  Work computers dovetail into this description admirably.

      If one allows P2P software to be installed on work computers...well, maybe people won't pay as much attention to the security settings.  They should.  But will they?  If history is any indication, the answer is no.

    • No one's looking for government files on P2P networks.  Computerworld.com notes that:
      Some groups, such as the Electronic Frontier Foundation (EFF), have said that a broad governmentwide restriction on P2P use would limit the government's ability to take advantage of potentially useful file-sharing tools such as BitTorrent.
      But, honestly, besides security professionals and potential terrorists, who's looking for government files on P2P networks?  No one.  They're busy downloading movies and music and games.  And, if they do need access to some government file...well, I'd recommend they visit the official government site.

      I mean, isn't one of the big dangers about the P2P world the fact that we don't know which files out there have been modified to carry trojans and other malware?  Why would anyone want to be searching for legitimate documents in such an environment?


    Related Articles and Sites:
    http://www.computerworld.com/s/article/9141099/Bill_would_restrict_P2P_use_on_government_networks_?source=rss_security
    http://government.zdnet.com/?p=4387

     
  • Disk Encryption Software: City Of Alberta Loses One Laptop A Month

    The head privacy honcho for the city of Alberta, Canada recently found the city lost 48 laptops over the past four years.  Hard drive encryption was not used to protect the contents.  More glaringly, there were no efforts to find out what type of information was stored on the missing computers: of the 48 cases, only in one instance was there an investigation made.

    Resumes Lost.  What Else?

    In that one instance where a post-breach investigation was conducted, it was found that the stolen computer stored resumes.  Alberta's privacy watchdog, Frank Work, has been left "stunned" and wondering what was on the 47 other laptops.

    Work also notes--with a certain degree of irony, I'm sure--that "We were screaming about encryption (in 2006)...and over the same period you have a laptop a month going out the door, and the city has done what about it? They're not even looking at the contents of the devices."

    All that screaming for encryption was directed towards the private sector, however:

    A bill going through the legislature will require private-sector organizations to report lost personal information to the privacy commissioner's office, Work said.

    "We don't have an equivalent for the city. I just never thought it was necessary for public bodies. I naively thought they would be more responsible, but this report has kind of woken me up." [edmontonjournal.com]

    Erm...I don't know if I would go around calling it naiveté: based on my research into breaches, governments are up there when it comes to appalling data security.  It's kind of hard to believe that someone with the title of "information and privacy commissioner" would believe that government bodies don't require the use of encryption software.

    Thankfully, the past need not be the present, nor the future: encryption of laptops started this year, and most have been deployed with it.  Also, a specialist will be assigned to investigate whether missing computers held personal information.


    Related Articles and Sites:
    http://www.edmontonjournal.com/technology/Lost+laptops+shock+watchdog/2244883/story.html

     
  • Data Encryption Not Used On Stolen Scottish Ambulance Service Laptop

    When it comes to data security, one of the best ways of receiving catcalls is by having "robust security measures" in place and not using them.  Like signing up for laptop encryption software from AlertBoot and not using it, which I've seen happen before.

    Scottish Ambulance Service Laptop Stolen

    According to thesun.co.uk, Scottish Ambulance Service experienced a data breach.  A laptop computer with 600 patient records was stolen from their headquarters.

    The computer was not encrypted.  Furthermore, "robust security measures were in place but had not been followed."  However, it was password-protected and, as a spokesperson pointed out, "the laptop is password protected and would be difficult to access without specialist IT skills."

    What is one to make of statements such as these?  Well, to begin with, they've been wasting their resources.  Robust security measures that are in place but are not followed?  Worthless.  But it happens, as I've found out personally.

    Occasionally, I will talk to some of our clients who've signed up for AlertBoot endpoint encryption and, a year later, they still haven't encrypted their laptops.  They think that the username and password prompt--part of their pre-boot authorization screen--is the encryption.  They never took the 10 minutes it takes to make sure their computers' hard drives are protected.

    Which brings me to the following.  Relying on password-protection?  Worthless.  Regardless of what the spokesperson has said, defeating password-protection is not as hard as it sounds.  I wouldn't go as far as saying that specialist IT skills are required to do so.

    Or, perhaps the spokesperson's definition of a specialist differs from mine.  For example, our building supervisor knows exactly where to kick the boiler in order to get it working.  I guess you could say he's a specialist in boilers...although I wouldn't say so.  Likewise, bypassing password-protection requires this level of "specialization": if you can unscrew stuff with a precision driver, you're golden.

    There's A Reason Why The Information Commissioner's Office Calls For Encryption

    Whenever people's information is breached in the UK, the ICO steps in.  I'm pretty sure they'll do so in this case as well.  If you've been keeping track of their Undertakings, you'll know that the ICO pretty much requires that laptops be protected with encryption software.

    (Which is weird because, the last time I checked, they'll only suggest the use of encryption in their guidelines on how to prevent a breach.  I guess things are different once you've lost data.)

    Why encryption?  Because, unlike password-protection, it's actually designed to protect your data.

    Related Articles and Sites:
    http://www.thesun.co.uk/scotsol/homepage/news/2738339/Records-on-600-patients-pinched.html
    http://www.phiprivacy.net/?p=1495

     
  • Hard Disk Encryption: Health Net Revises Breach Figures Upwards - 1.5 Million Affected

    Well, I guess sometimes you just have to go with your gut feeling.  Yesterday, I had made a comment on the Health Net data breach.  The breach occurred because a portable drive was lost (and drive encryption wasn't used to protect the contents).  The figure for affected patients has jumped from 446,000 to 1.5 million in four states.

    Gut Feeling

    I was suspicious that this latest breach would be limited to the 446,000 people initially reported.  My logic was that Health Net was reporting the number of Connecticut residents affected by the breach to the CT Attorney General.  What of non-CT residents?

    However, I reversed myself because Health Net is a company based out of California, and the theft of the external drive was in Connecticut.  Theft out of Connecticut that involves that state's residents only?  It made sense.

    Plus, we had heard nothing out of California, where the company is headquartered.  (What I had forgotten, though, was that Cali requires breach notifications only if Cali residents are affected.  If only people on the east coast are affected, there's no reason for a California announcement.)

    1.5 Million Patients, Dating Back To 2002

    It turns out I should have trusted my gut feeling.  Today, the courant.com has released more details.  The loss of the hard drive will affect residents in Arizona, New Jersey, and New York, in addition to Connecticut.  It will affect 1.5 million people, and the information goes all the way back to 2002.

    Let's see...assume $10 per person for identity theft monitoring.  It was promised free to the affected for at least two years.  1.5 million people.  That's $30 million over two years.

    There could have been a better use of that money.  For example, if talking about managed encryption software like AlertBoot, $30 million pays for the protection of 3000 hard disks for 64 years.


    Related Articles and Sites:
    http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story

     
  • Laptop Encryption Software: Using PS3s To Crack Encryption Passwords

    Federal officers are employing Playstation 3 game consoles to crack the password to digital files protected with encryption software.

    To Catch A Predator - ICE C3

    The operation is being spearheaded by the ICE, more specifically the C3 division/branch: U.S. Immigration and Customs Enforcement Cyber Crimes Center.  The target?  People traveling with child pornography.  Although, I can see how this would be applied to other areas as well, seeing how C3 engages in the fight against the following:

    • Possession, manufacture and distribution of child pornography.
    • International money laundering and illegal cyber-banking.
    • Illegal arms trafficking and illegal export of strategic/controlled commodities.
    • Drug trafficking (including prohibited pharmaceuticals).
    • Trafficking in stolen art and antiquities.
    • Intellectual property rights violations (including music and software).

    The above was taken from the ice.gov site.  For example, if someone at the border thinks a passenger was a drug dealer, the suspect's laptop could be taken and scanned for any encrypted files (such as locally saved e-mails) to see if there's any incriminating evidence. (I think.  I'm not a lawyer, so....but, if they scan for kiddie porn, why not do so for incriminating evidence as well?)

    Why Crack Passwords?

    The US Fourth Amendment prohibits the government from forcing suspects to give up passwords to encrypted data.  So, if ICE wants to know what's in a suspect's computer--and the content happens to be secured with file encryption software--the only option is to guess the correct password (or pray for the suspect to just give up the password).

    Because anything can be a password, ICE has to engage in "brute-force" guessing: trying as many passwords as possible to see what works.  However, it's easier said than done.  As a forensic agent quoted by axcessnews.com remarked:  "...the number of possible combinations in a six-digit password is 256 to the sixth power.  In other words: 281,474,976,710,656 possibilities - that's nearly 282 trillion."

    And that's for 6-digit passwords only.  It's less for 5-digit passwords (109 billion) and much more for 7-digit ones (720 quadrillion), and even more so for 8-digit passwords...you get the idea.

    The C3's network of PS3 consoles, though, allows 4 million password tries per second.  In other words, if they know a password is 6 digits long, it should only take them...815 days to go through all possible passwords.

    Whoa.  That's a long time.  Even going through half of the combos would take a year and three months!

    People Use Weak Passwords

    If you keep the above in mind, it almost sounds like it's not worth it.  After all, C3 probably has many suspects, and just breaking into 20 computers would take decades at the given rate.

    What C3 does, however, is a little bit more intelligent than brute-forcing from alpha to omega.  They employ the PS3s in what they call a "library attack," more commonly known as a dictionary attack.

    People tend to use words as their passwords, so if a suspect used a word that can be found in the dictionary, such as "pneumonoultramicroscopicsilicovolcanokoniosis," well, it's a long password...but it's one out of less than 250,000 words used in the English language.  With 4 million tries a second, the PS3s should be able to spit out the password in a blink of an eye.

    Even if letters and numbers are added to the beginning or the end of such a word, people don't put much thought into it, and the password can be broken much sooner than in one year.

    Does this mean that encryption does not work?  Au contraire, mon frère...it means that encryption works: note that they're not even going after the encryption key, since it would take forever to break that one.  But, it does mean that some thought has to be given to the use of encryption.

    Any data protection tool has its weaknesses, and using simple passwords happens to be one of them.
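    To put numbers on that weakness, here is an added example (not code from the original post or from AlertBoot) that reproduces the 282-trillion figure and the roughly 815-day brute-force estimate above, and contrasts it with the dictionary-plus-digits attack described in the post.  The 4,000,000 guesses/second rate, the 256-symbol alphabet and the 250,000-word dictionary size are the post's figures; the sample word list and the digit-affix model (up to four digits before or after a word) are assumptions.

```python
"""Search-space sizes and worst-case durations for blind brute force versus a
dictionary ("library") attack, at a fixed guess rate.  Added example; the
rate, alphabet size and dictionary size come from the post, the sample word
list and the digit-affix model are constructed assumptions."""

GUESSES_PER_SECOND = 4_000_000   # PS3 cluster rate quoted in the post
BYTE_ALPHABET = 256              # the agent's "256 to the sixth power"
DICTIONARY_SIZE = 250_000        # English word count given in the post
MAX_AFFIX_DIGITS = 4             # assumed: up to 4 leading OR trailing digits tried
SECONDS_PER_DAY = 86_400
DIGITS = "0123456789"

# Constructed stand-in for a word list; a real one has ~DICTIONARY_SIZE entries.
SAMPLE_WORDS = {"dragon", "letmein", "password", "secret",
                "pneumonoultramicroscopicsilicovolcanokoniosis"}


def brute_force_space(length, alphabet=BYTE_ALPHABET):
    """Candidates when every symbol must be tried in every position."""
    return alphabet ** length


def dictionary_space(max_digits=MAX_AFFIX_DIGITS, words=DICTIONARY_SIZE):
    """Candidates for: bare word, or word with 1..max_digits digits before OR after it."""
    affixes = sum(10 ** k for k in range(1, max_digits + 1))
    return words * (1 + 2 * affixes)


def days_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Wall-clock days needed to try every candidate once at the given rate."""
    return space / rate / SECONDS_PER_DAY


def cheapest_attack(password, words=SAMPLE_WORDS, max_digits=MAX_AFFIX_DIGITS):
    """Return (attack_name, candidates) for the cheapest modelled attack that
    covers `password`.  The dictionary attack covers it when stripping at most
    max_digits digits from one end leaves a dictionary word."""
    lowered = password.lower()
    no_tail = lowered.rstrip(DIGITS)
    no_head = lowered.lstrip(DIGITS)
    tail_digits = len(lowered) - len(no_tail)
    head_digits = len(lowered) - len(no_head)
    if (no_tail in words and tail_digits <= max_digits) or \
       (no_head in words and head_digits <= max_digits):
        return "dictionary", dictionary_space(max_digits)
    return "brute-force", brute_force_space(len(password))


def report(password):
    """Summarise the cheapest attack and its worst-case duration in days."""
    attack, space = cheapest_attack(password)
    return {"password": password, "attack": attack,
            "candidates": space, "days": days_to_exhaust(space)}


if __name__ == "__main__":
    for pw in ("pneumonoultramicroscopicsilicovolcanokoniosis", "dragon2009", "x7!Qm@2k"):
        r = report(pw)
        print(f"{r['password']:<46} {r['attack']:<11} "
              f"{r['candidates']:>22,d} {r['days']:>14,.3f} days")
```

The word-based passwords fall to the dictionary model in well under a day, while the 8-character random string stays in the brute-force regime measured in tens of millions of days.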


    Related Articles and Sites:
    http://www.axcessnews.com/index.php/articles/show/id/19037?31
    http://www.ice.gov/partners/investigations/services/cyberbranch.htm

     