AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

December 2009 - Posts

  • Data Encryption Software: Northern Ireland Department of Finance and Personnel Loses 12 Laptops

    The Information Commissioner's Office has a formal undertaking with the Department of Finance and Personnel (DFP) of Northern Ireland.  The department lost 12 laptops, none of them secured with drive encryption. (Otherwise, there would be no need for an undertaking.) 

    Two Laptops, 37,000 People

    Of the 12 laptops stolen, two of them contained personal data on a total of 37,000 people.  They included payroll, employment, health data, or a combination of these.  Bank details were also included for 900 people.

    What's of note in this particular case is that the laptops were secured to desks or stored in locked cabinets.  In other words, there was no laxity when it comes to security.  Sure, it's physical security; however, most regulations I've encountered seem to treat the physical security of computers as equivalent to data protection via encryption software.

    I'm not sure where I read it, but there was a specific regulation (perhaps under the USA's HIPAA?) that essentially required physically unsecured laptops to be protected with encryption.  The implication is that, if the laptop is being used as a stand-in for a desktop--and will hence remain in the office--then the use of encryption is not necessary.

    Not so with the UK's Information Commissioner, though.  Despite the fact that the DFP has physical security measures in place, the ICO is still requiring the department to use encryption on "laptops and other portable media used to store and transmit personal data."

    My Beef With The Decision

    I don't have an issue with the decision per se, but what the UK regulations imply.  The law notes that anything that's portable ought to be included if sensitive information is saved on it, but what does it mean by portable?

    I don't think "portable" refers to the literal definition, "easily or conveniently transported," but to something that was designed for portability.  Let us make use of a thought experiment, shall we?

    What if the DFP had used, instead of laptop computers, desktop computers at its offices?  Would they still have had a data breach?  I'd emphatically answer yes.  If they had time to steal physically secured laptops, then they probably would have been able to pull the same stunt with desktop computers as well.

    Especially with the newer models.  Take the case of the Dell Inspiron (Model: I545S-3055NBK...this is not a plug for a product.  I'm just leaving evidence that this thing exists).  It weighs 16 lbs (that's about 8 kg, for you metric guys), and has dimensions of 14.9" x 4.2" x 17".

    I mean, I know of Chihuahuas that are bigger and heavier than that!

    I know the ICO means well, but this ruling on how laptops have to be encrypted, but desktops of similar size don't need to be, seems quite arbitrary.


    Related Articles and Sites:
    http://news.zdnet.co.uk/security/0,1000000189,39948421,00.htm?s_cid=248
    http://www.ico.gov.uk/upload/documents/pressreleases/2009/dept_for_finance_and_personnel_171209.pdf
    http://reviews.cnet.com/desktops/dell-inspiron-i545s-3055nbk/4505-3118_7-33777296.html

     
  • Laptop Encryption Software: MBNA Contractor Loses Credit Card Data

    MBNA, the largest credit card provider in the UK, has announced a data breach due to the theft of a laptop computer.  Data encryption software like AlertBoot was not used to protect the information, it looks like.

    Thousands Affected

    The breach, while announced by MBNA, actually stems from the actions (or, rather, the lack of action) of a third party vendor.  The Lancashire Evening Post has identified the vendor as NCO Europe.

    If one is to believe online forums, then, in my opinion, it's only too self-evident that something like this would happen.  What does NCO do?  I'm sure they do a lot of stuff, but the information I've found online--none of it official--points towards a debt collection agency.  It makes sense, then, that MBNA would announce a data breach where credit card numbers were lost, but not PINs--debt collectors don't need PINs.

    But they do need to conduct themselves as a business.  NCO is a debt collection agency that's been branded as unprofessional, discourteous, and incompetent: for example, there are complaints of NCO calling a person, just to place them on hold forever.  The person calls NCO back, and they have no idea why they called the person--he's not in their records.

    Other horror stories abound, including one employee answering and calling under different names, and constant hang ups from NCO's end when the conversation is not in their favor. (You can get an eyeful by following the moneysavingexpert.com link below.)

    When you're dealing with a company like this, it's not surprising that the company would be carrying credit card information on a computer that's not protected with encryption software.  This despite the fact that UK news abounds with reports of lost or stolen laptops without data encryption being investigated by the Information Commissioner's Office.  (I hear they get the power to charge fines next year.)

    What's MBNA doing with a company like this?  Well, seeing how NCO also seems to deal with debt collections for eBay/PayPal, Orange (the phone company), and Barclays, it looks like it's no small-time organization.

    Of course, what boggles the mind is that a debt collection company is just allowing a laptop to be carried around without encryption being used to secure their data.  I mean, don't debt collection agencies by definition hold the sort of information that fraudsters and hackers are looking for?


    Related Articles and Sites:
    http://www.scmagazineuk.com/mbna-confirms-data-loss-after-laptop-containing-personal-details-of-thousands-of-customers-was-stolen-from-vendor/article/160217/
    http://www.lep.co.uk/news/Customer-credit-card-details-stolen.5929370.jp
    http://forums.moneysavingexpert.com/showthread.html?t=389079

     
  • Laptop Data Encryption For SMBs - Small And Medium Sized Businesses

    Data encryption for SMBs: It's an issue that bears looking into because of the upcoming compliance requirements with Massachusetts's 201 CMR 17.00 legislation (aka the "data breach laws").

    While there are many aspects to cover under 201 CMR 17.00--including the protection of paper documents under lock--perhaps the issue that has raised the most ruckus is the fact that laptop computers have to be protected with encryption.

    The 201 CMR 17.00 rules have been updated, amended, and changed numerous times over the past year, but one thing that has remained steadfast is the fact that laptop computers that store sensitive, personal information must be encrypted.  (If you read the law, it explicitly states that laptops must be encrypted, whereas desktop computers, for example, are not pointed out by name).

    SMB Encryption - What To Look For (Not Legal Advice!...But Hopefully Helpful)

    Per the latest published revisions in November 2009, any requirements for encryption have been deemed technology neutral: that is, the legislature will not define any specs or standards on what is acceptable encryption.

    So, what do you use, then?  Will any type of encryption work?  For an answer, you may have to turn to Federal law.  While there is nothing in place for consumer data protection, as of December 2009 a data breach bill has passed in the House of Commons, and is waiting to be voted on by the US Senate.

    In that bill, the issue of "what type of encryption to use" is resolved by stating that, when selecting encryption, "the method of encryption or such other technology or methodology is generally accepted by experts in the information security field" as being adequate. (Read more on the Federal law on data breaches.)

    Problem solved.  Kind of.  Currently, acceptable levels of encryption are AES-128 and equivalent or higher.  This will change in time, although it'll probably be good enough for at least a good decade or so, unless there is a significant breakthrough in computing technology.

    A Matter of Cost

    There is the matter of cost to consider, and not the obvious ones an SMB may normally be subjected to.

    Minimum license purchases, for example, impede the use of easy-to-use full disk encryption software.  A small or medium sized business may only need anywhere from one license to, say, five licenses (one for each computer they use at their business).

    The problem?  Many of the established encryption providers will only go into business with companies that are willing to sign up with a minimum of, say, 25 licenses.  What's an SMB going to do with the remaining 20 licenses that it has to pay for, but remain unused?

    There is the problem of upfront payments as well: There are providers that will claim that it only costs "so many dollars a month."  The truth, though, is that in many cases an SMB has to prepay for the entire year.  Technically, you are only paying so many dollars a month--but the cash flow impact is much more dire.

    For example, if each license is for $100 per computer per year, then at 25 licenses, you'd be facing a one-time charge of $2500!  Sure, it's $208.33 per month if you do the calculation.  But, the cash flow story is an entirely different thing.  (Plug: AlertBoot actually charges month to month, and doesn't have minimum license requirements).

    A Matter of Time

    Also, if you're in a rush to get your laptops encrypted, you may have to wait a bit.  With most encryption companies, someone has to do the installation for you; only a handful of companies are the exception.

    There are probably other issues that SMBs face when getting into the spirit of following the new Massachusetts regulations, but when it comes to laptop encryption, the above should cover the bases, not just in terms of compliance but also from an SMB's business perspective.

    (If not, or there are other questions, feel free to send us an e-mail at info@alertboot.com)

    Related Articles and Sites:
    http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
    http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
    http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h2221eh.txt.pdf

     
  • Disk Encryption Software: Durham, Canada Health Department Has 80,000 Data Breach

    A clinic in Durham, Canada--just north of Toronto--has suffered a data breach that affects 83,524 people who've received flu shots, H1N1 as well as seasonal, between October 23 and December 15.  Hard disk encryption was not used to secure the information, although it was mentioned that "the ability to read that data is limited."

    What Do They Mean, "Limited"?

    It was not mentioned.  Perhaps they mean the ability to read it is limited to those who try to read it?  More realistically (and less sarcastically), I'm guessing password protection must have been used--perhaps on the file itself--although at this point I can only guess.

    (Update:  I've found what they mean by limited: "The files found on the USB key contain a 'lot of gobbledegook, and then some information that is clearly legible,' Dr. Robert Kyle, Durham Region's Medical Officer of Health, told CBC News.")

    Regardless, the point is that it was not secured with data encryption, and the information for 80,000-plus Canadians--including patient names, addresses, phone numbers, dates of birth, health card numbers, physicians' names, patient allergies, and chronic medical conditions--is at the mercy of some random guy, literally:

    "We have absolutely no evidence nor any belief that it was deliberately stolen," Dr. Kyle [Durham Region's Medical Officer of Health] said, adding that surveillance video shows the USB being placed on a rock on the property after it was lost by the nurse. "The only conclusion we can reach is it was out there in the open, somebody saw it, they picked it up and carried it away."

    Being placed on a rock after it was lost by the nurse?  Hmm, so random guy #1 finds the USB device and places it on a noticeable place so that random guy #2 can take it.  Niiiice.

    Why The Fuss Over Encryption?

    Research--and the real world as well--shows over and over again that encryption software goes a long way when it comes to data protection.

    Don't believe me?  Go take a look at UK law: it allows the incarceration of a person who refuses to divulge the password to encrypted information.  This law came about because breaking encryption in real life is as hard as the eggheads claim.  There are probably many countries that would love to have this law...except it poses problems along the lines of freedom and liberty and other abstract concepts (the UK has received a lot of criticism over adopting it).

    Knowing even the government has problems cracking encryption, what are the chances that the average guy would be able to bypass encryption like AlertBoot?  Pretty much nil.  That's why there's a fuss over encryption (or rather, over the lack of encryption).


    Related Articles and Sites:
    http://www.citytv.com/toronto/citynews/news/local/article/66378--health-unit-lost-usb-key-containing-health-info-for-more-than-80-000-people
    http://www.nationalpost.com/news/story.html?id=2371723
    http://www.cbc.ca/health/story/2009/12/22/health-information.html

     
  • File Encryption: Securing USB Sticks

    Does a database fit on a USB stick?  Yep, and it can be lost in the mail, too.  It's for reasons like this that USB sticks need to be protected with some kind of encryption software, be it full disk encryption or file encryption.

    Shropshire Council Found In Breach of DPA By Information Commissioner

    The Shropshire Council in the UK was found in violation of the Data Protection Act.  They had lost, in the mail, a memory stick with the information of 3,554 clients and 188 staff members.  The reason for the extensive breach was twofold: the use of encryption was passed over, and the device "contained records that were excessive for their purpose and out of date."

    In other words, the council kept information they should have deleted.  Often times, it's this type of wait-and-see attitude (hey, we might need those records some day!...even if the law says we don't!) that makes bad things worse.

    I've got to admit, though, that in lawsuit-happy countries like the US, this attitude is somewhat required (thank goodness for statutes of limitation...although that doesn't really prevent someone from filing a lawsuit).

    What File Encryption Software Can Do For You

    If you can't delete the info (or at least, think you can't), then encryption may be the solution for you.  Data encryption was designed to protect information from prying eyes.

    File encryption is used to protect individual files.  For example, if you've got two documents on your computer, and you use file encryption on one of them only, only that file is protected.  The other, copied to a USB disk, would still be accessible by anyone.

    Contrast this with something like drive encryption from AlertBoot, which encrypts the entire drive, be it a USB flash drive, external portable drive, or a laptop computer.  In that case, any documents saved on the device itself would be protected.  (Although, if you copy a document off to another device, then it wouldn't be protected anymore.)

    One thing to note is that these two are not an "either-or" product.  You can use both drive encryption and file encryption at the same time.  This eliminates the risks of having a breach when, for example, you e-mail (to the wrong address) an attachment from your encrypted computer.

    Since the file itself is encrypted, the fact that the wrong recipient has it means little to no risk of an information security breach.
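    The scope difference described above, as an added illustration that is not AlertBoot's code: a full-disk-encrypted drive hands out plaintext to anyone using it once unlocked, so a file copied off it (or e-mailed) leaves unprotected, while a file-encrypted document stays ciphertext wherever it goes. The HMAC-SHA256 counter-mode keystream, the `EncryptedDrive` model and the sample payroll record are all constructed for this example.

```python
import hashlib
import hmac
import os

# Added illustration, not AlertBoot's code: an HMAC-SHA256 counter-mode
# keystream stands in for the AES a real product would use, and there is no
# integrity tag, so this models only confidentiality scope, not a full design.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class EncryptedDrive:
    """Full disk encryption: sectors are ciphertext at rest, but once the drive
    is unlocked every read returns plaintext transparently."""
    def __init__(self, key: bytes):
        self._key, self._salt, self._sectors, self.unlocked = key, os.urandom(16), {}, False
    def unlock(self, key: bytes) -> bool:
        self.unlocked = hmac.compare_digest(key, self._key)
        return self.unlocked
    def write(self, path: str, data: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("drive is locked")
        self._sectors[path] = keystream_xor(self._key, self._salt + path.encode(), data)
    def read(self, path: str) -> bytes:
        if not self.unlocked:
            raise PermissionError("drive is locked")
        return keystream_xor(self._key, self._salt + path.encode(), self._sectors[path])
    def raw_sectors(self, path: str) -> bytes:
        return self._sectors[path]   # what a thief sees after pulling the disk

def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """File encryption: the protection travels with the file itself."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)

def decrypt_file(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])

def demo() -> dict:
    drive_key, file_key = os.urandom(32), os.urandom(32)
    record = b"name=A. Smith;sort=40-00-00;acct=12345678"   # constructed sample
    drive = EncryptedDrive(drive_key)
    drive.unlock(drive_key)
    drive.write("payroll.txt", record)                          # relies on FDE only
    drive.write("payroll.enc", encrypt_file(file_key, record))  # FDE plus file encryption
    # Stolen, locked drive: both files are opaque to the thief.
    # Copied off the unlocked drive (e.g. e-mailed): only the file-encrypted one stays opaque.
    emailed_plain, emailed_enc = drive.read("payroll.txt"), drive.read("payroll.enc")
    return {
        "thief_reads_raw_sectors": drive.raw_sectors("payroll.txt") == record,
        "wrong_recipient_reads_plain_copy": emailed_plain == record,
        "wrong_recipient_reads_enc_copy": emailed_enc == record,
        "intended_recipient_with_key_reads": decrypt_file(file_key, emailed_enc) == record,
    }
```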
     

    Related Articles and Sites:
    http://www.phiprivacy.net/?p=1669
    http://www.ico.gov.uk/upload/documents/library/data_protection/notices/shropshire_council_undertaking.pdf

     
  • Drive Encryption: Lockface USB Drive Makes Me Ruminate

    A Japanese company, Futen, has released a USB disk with built-in data encryption called Lockface.  There's nothing new or novel about a pre-encrypted USB disk.  What's new and novel is this device's use of your computer's webcam: Lockface uses it to run its face recognition software, which replaces a password for access to the USB drive.

    Biometrics: Good or Bad?

    You have to supply several pictures of your face so Lockface can recognize you; separate software is not necessary.  Lockface uses AES-256 to protect the contents of the device, and has error rates of around 2%.  Welcome to the Brave New World of biometrics.

    Error rates of 2% go both ways, of course.  In 1.91% of instances, it allows the wrong person to access the contents.  In 1.98% of cases, the right person is not admitted access to the files.

    There aren't any explanations regarding the use of photographs to defeat the biometric process, etc.  But let's assume that such attempts are included in the error rates.  With error rates of 2%, how secure are you and your data?

    Not very.  If I'm understanding it correctly, it means that a person could use makeup to resemble the device's owner, and at least once in one hundred attempts the poseur will be given access.  Perhaps, you don't even have to look like the owner and will still be given access to the contents.  (Although, for $110--anywhere from twice to four times the price of a standard 4 GB USB memory stick--I'd hope there's real technology behind it that's more than a gimmick.)

    I don't know about you, but I'd rather stick to an alphanumeric password that is at least six characters long and contains at least a couple of special characters.  In terms of the odds of bypassing it, it's much lower than 2%.
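    To put numbers on the comparison above, here is an added worked example (not part of the original post) that turns the quoted 1.91% false-accept and 1.98% false-reject rates into an impostor's odds over repeated attempts, and contrasts them with guessing a six-character password drawn from the 94 printable ASCII characters; the attempt counts and the uniform-password assumption are my own.

```python
import math

# Added worked example, not part of the original post: turns the error rates
# quoted above into attacker odds and compares them with password guessing.
FAR = 0.0191   # false accept rate per attempt, as quoted in the post
FRR = 0.0198   # false reject rate per attempt, as quoted in the post

def p_false_accept_within(attempts: int, far: float = FAR) -> float:
    """Chance an impostor is accepted at least once in `attempts` tries."""
    return 1.0 - (1.0 - far) ** attempts

def expected_false_accepts(attempts: int, far: float = FAR) -> float:
    """Average number of successful impostor attempts in `attempts` tries."""
    return attempts * far

def p_owner_rejected_n_times(attempts: int, frr: float = FRR) -> float:
    """Chance the legitimate owner is refused on every one of `attempts` tries."""
    return frr ** attempts

def password_keyspace(length: int = 6, alphabet: int = 94) -> int:
    """Alphabet 94 = the printable ASCII set (letters, digits, specials); assumed."""
    return alphabet ** length

def p_password_guessed_within(guesses: int, length: int = 6, alphabet: int = 94) -> float:
    """Uniformly random password, attacker never repeats a guess (assumption)."""
    return min(1.0, guesses / password_keyspace(length, alphabet))

def guesses_matching_one_face_attempt(far: float = FAR, length: int = 6, alphabet: int = 94) -> int:
    """Password guesses needed to equal the success chance of a single face attempt."""
    return math.ceil(far * password_keyspace(length, alphabet))
```

With a 100-attempt budget, `p_false_accept_within(100)` is about 0.85, while `p_password_guessed_within(100)` stays around 1e-10; a lockout after a few attempts changes the biometric picture far more than the password one.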

    Encryption is a powerful way of securing important files.  But there are ways of hamstringing it.


    Related Articles and Sites:
    http://www.crunchgear.com/2009/12/16/lockface-usb-drive-that-uses-face-recognition-to-verify-users/

     