AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

January 2010 - Posts

  • Laptop Encryption Software Not Used For UK Retinal Scans: Southampton University Hospitals NHS Trust

    Southampton University Hospitals NHS Trust (SUHT) has admitted to a data breach and promised to do better by signing an Undertaking with the Information Commissioner, one of the promises being the use of laptop encryption software on all portable devices that contain sensitive data.

    Stolen From A Van

    The breach occurred on October 19, 2009.  A laptop computer was stolen from a "retinal screening vehicle."

    A quick search on Google shows that retinal screening has a deep connection with diabetes.  Not so surprising, seeing how diabetes is the leading cause of blindness among adults (diabetic retinopathy: according to diabetes.org.uk, diabetes can cause the blockage of the blood vessels in the eyes, causing blindness).

    And, seeing how such scanning can be effective in taking actions to prevent the onset of blindness and many people don't get it, it's understandable that the retinal scanners go to you (that may sound too much like that internet meme about the former Soviet Union, but whatever).

    Now, SUHT was not unaware of the need for data security.  In fact, while the computer was not protected via disk encryption, password-protection was set up for the computer (not that it's worth much in terms of data security) and the device was secured to the van via a laptop security cable.

    The thieves cut it off.

    As a result, approximately 33,000 patient records were lost, including diabetes conditions and "retinal screening tests."

    Not Such A Big Deal?

    On the one hand, what's lost here is medical data.  Medical data means it must remain private.  It means that, among other things, whether to protect it with encryption software is a valid debate.

    On the other hand, the general public knowing that a person has diabetes is not exactly embarrassing.  Plus, I'm assuming the "retinal screen test" is not, say, a copy of a person's retina per se, but whether a blockage was found (if a copy of a person's retina was lost, I can see how this could pose a problem in the future...a distant, dystopian future).


    Related Articles and Sites:
    http://www.phiprivacy.net/?p=1878
    http://www.ico.gov.uk/upload/documents/library/data_protection/notices/southampton_gh_undertaking.pdf
    http://www.diabetes.org.uk/About_us/Our_Views/Position_statements/Retinal_screening/

     
  • Full Disk Encryption: When Passwords Are Easy To Guess

    When it comes to the use of disk encryption, there's one crucial weak link: the selection of passwords.  And as the New York Times has noted, "if your password is 12345, just make it HackMe."

    RockYou Breach Allows Analysis

    The Times story is based on the data breach that occurred late last year at RockYou.  In that particular breach, 32 million passwords were exposed by a hacker.  This has allowed security researchers to download the passwords and analyze them.

    Among the findings (which are not surprising at all): one in five (20%) users still use easy-to-guess passwords such as "iloveyou," "password," and "abc123."  The most popular one was "123456."

    (Ironically enough, the Times has got it wrong.  "HackMe" is a more secure password than 123456: it uses a combination of uppercase and lowercase letters, which, when compared to a string of plain numbers, arguably offers more resistance to hacking--but not by much).

    Guessing passwords is a time-consuming process.  Hence, hackers try to find workarounds to shorten it.  One of those methods is to try popular passwords.  Hackers know that there's someone out there using such passwords, they just don't know who.

    So, hackers will try the passwords on one account; if the pool of passwords doesn't work, they move to the next user.  At some point they're going to hit their mark.

    Freezing Accounts, Locking People Out

    A method of countering such hacking attempts is to lock people out after a certain number of incorrect guesses.  After how many guesses, though?

    And, as the Times has noted, locking accounts is not an option for certain companies.  eBay, for example, notes that someone could be "hacking into an account" in order to prevent competitors from bidding on a particular auction: once the account is frozen, they can't place higher bids.

    How It Affects Encryption Software

    Guessing passwords in order to reveal encrypted content is a real threat when it comes to computers with full disk encryption.

    Why would hackers prey on the password?  Because it's the weakest link: the encryption key, which is what actually protects data when encrypted, is too long, complicated, and random to guess at.  Since hackers are looking for an easy way in, the only option they've got is to try cracking the password.

    What this means is that data encryption software like AlertBoot must also be mindful not just of protecting data, but coming up with ways of minimizing the chances of someone hacking a password.

    Thankfully, locking out a user after repeated incorrect attempts is an option for disk encryption software, unlike eBay.

    Also in the department of minimizing password hacks are password policy controls, where an administrator can establish what types of passwords are not allowed, specifying that uppercase and lowercase, numbers, and special characters be used, for example, or that the passwords have to be at least a minimum set length.

    At the same time, there must be a way to recover the encrypted data in the event the user's access is not allowed, yet the computer has been found.  Otherwise, recovering the information becomes a complicated effort--but not an impossible one, since the encryption keys are still present in AlertBoot's protected console.

    Related Articles and Sites:
    http://www.nytimes.com/2010/01/21/technology/21password.html?em
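
The controls described in this post (password policy rules, lockout after repeated wrong guesses, and an administrator recovery path), as an added Python example that is not AlertBoot's code. The names `policy_violations`, `make_verifier` and `PrebootLockout`, the 10-character minimum and the attempt limits are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

# The popular passwords the post cites from the RockYou analysis.
COMMON_PASSWORDS = {"123456", "iloveyou", "password", "abc123"}


def policy_violations(password, min_length=10):
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    required = {
        "an uppercase letter": str.isupper,
        "a lowercase letter": str.islower,
        "a digit": str.isdigit,
        "a special character": lambda c: c in string.punctuation,
    }
    problems += [f"missing {name}" for name, test in required.items()
                 if not any(test(c) for c in password)]
    return problems


def make_verifier(password, iterations=200_000):
    """Store only a salted PBKDF2 hash; return a constant-time check function."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def verify(candidate):
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        return hmac.compare_digest(digest, stored)
    return verify


class PrebootLockout:
    """Locks the unlock prompt after max_attempts consecutive wrong passwords."""

    def __init__(self, verify, max_attempts=5):
        self._verify = verify
        self.max_attempts = max_attempts
        self.failures = 0

    def attempt(self, password):
        if self.failures >= self.max_attempts:
            return "locked"          # refused without even checking the password
        if self._verify(password):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        return "locked" if self.failures >= self.max_attempts else "denied"

    def admin_reset(self):
        """Recovery path: an administrator clears the lock out of band."""
        self.failures = 0
```

Once the threshold is reached, even the correct password is refused until `admin_reset` is called, which is why the recovery path has to exist alongside the lockout.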

     
  • Missouri Data Breach Notification Law: Does UM Need To Claim Data Breach For "Envelope Glitch"?

    A story regarding the University of Missouri is making me wonder whether they've not had a breach, as they're claiming.  After all, some conditions under the Missouri data breach notification law are met.  On the other hand, the law specifically states that notification is for computerized data.

    Missouri Data Privacy Law

    Data security breach notification laws went into effect in Missouri last August.  One of the big highlights was that the use of encryption software like disk encryption provided safe harbor from making a breach public.  I assume this is because the use of encryption software renders the breach moot--even if the data is in the hands of some criminal, the information cannot be accessed.

    So what constitutes a breach?  While there are numerous factors, I'd like to point out that losing an individual's first name and last name and a Social Security number is considered a breach. (Lose just two out of the three, and it isn't a breach).

    Envelope Glitch At University of Missouri

    The reason I bring up the above is because UM had an envelope glitch, where students' SSNs were displayed through the window on the envelopes.  (The SSNs were there because these were IRS tax forms regarding tuition payments.)

    The university does not know how many people were affected.  It's believed that the mistake arose from incorrect folding or the like.

    This is where it gets interesting.  This implies that SSNs were viewable through the address window on the envelopes.  I assume addresses were also viewable through this same window.  Addresses generally contain the recipient's first and last names.

    First name, last name, and Social Security numbers: this is a data breach per the Missouri breach notification laws.

    Or is it?

    The university doesn't think so:

    "The university takes very seriously the protection of its student information,” [university spokeswoman Hollingshead] said. “We always regret when something happens. But it wasn’t a security breach. While we’re sensitive to the issue, we’re thinking the risk is relatively low."

    I'd agree with this assessment that this is not a data security breach (and, no, I'm not a lawyer, so none of this represents legal advice).

    Note that I'm not saying there is a relatively low risk of anything: even with a low risk of anything untoward happening, like ID theft, a breach is a breach, period.

    However, I had to change my stance regarding the issue.  Initially, I reasoned that the name and SSN combo would mean that this is a data breach.  I took another peek at the legislation, though, and noticed the following definition for "breach of security:"

    "Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information. [my emphasis]

    Per the law, the University of Missouri is right; they didn't have a security breach since the information that was breached is not in computerized form.  It's been printed on paper.

    And I'm guessing that's pretty significant, because other states have passed similar breach notification laws where a breach occurring from incorrectly discarded paper documents also triggers breach notifications.


    Related Articles and Sites:
    http://www.columbiatribune.com/news/2010/jan/20/envelope-glitch-gives-peek-at-data/
    http://www.columbiamissourian.com/stories/2010/01/19/mu-student-social-security-numbers-may-have-been-visible-tax-form-envelope/
    http://www.house.mo.gov/billtracking/bills091/biltxt/truly/HB0062T.HTM

     
  • Disk Encryption: 4500 USB Thumbdrives Lost At UK Dry Cleaners

    Sometimes, drive encryption is useful not to thwart super-hackers, but to prevent breaches arising from living our daily lives.  Consider this recently released survey:  A study has found that 4,500 memory sticks were lost last year at the cleaners in the UK.

    Or rather, they were left in the pockets of garments; whether they ultimately disappeared or were returned with the clothes has not been revealed.  The good news?  Similar incidents were down 50% from the previous year.

    It is assumed, though, that this reduction is not a result of people having become more aware of the need for security and changed their behavior.  Rather, it probably stems from the change in how people store and access data: the use of smartphones and netbooks and other lightweight devices is spreading, and thus the relative need for a USB disk is declining in proportion.

    That's both good news and bad news.

    The bad news is that people will still experience theft or loss of devices, so the move from USB disks to larger, multipurpose devices doesn't mean the need for data security is diminished in any way.  What's lost on the USB devices' column will probably be reflected in the netbook and smartphone columns.

    Furthermore, I'd guess that people have more sensitive information saved on such devices because these feel "safer," in the sense people are not going to "forget about them".  The problem is, what people think will happen, and what actually does happen, are two different things.

    Consider, for example, the statistic that 600,000 laptops are lost at US airports each year.  This is at an airport, where people's awareness level is raised because stuff routinely gets lost or stolen.  In everyday life, I'd assume lower levels of "security awareness"--we're talking about everyday life, after all--would lead to higher rates of device losses.

    The good news?  The move towards larger devices should curtail objections towards using data protection tools like encryption software.  For example, while not acknowledged, people do have reservations about spending more for security than for the device itself.

    For example, if someone gets a 32 GB flash drive (current retail price: $70) but finds that the cost of encrypting it comes to around $50, well, how many people will spring for it?  The fact that you're able to use the encryption tool on as many flash drives as you want is rendered moot because, with 32 GB, how many more USB drives does a guy need?

    However, if people are opting to carry around laptops and smartphones that retail for $400 or more, then the psychological block is diminished, and protecting its data becomes viable. (Not that I'm crazy about it; sensitive data ought to be protected, regardless of what type of "container" it's stored in.  However, we've got to work with what we have.)


    Related Articles and Sites:
    http://www.csoonline.com/article/519330/Taken_to_the_Cleaners
    http://www.nymity.com/Free_Privacy_Resources/Previews/ReferencePreview.aspx?guid=fe5b4c2c-d07f-4d3e-a1ba-76594de5a4db

     
  • Drive Encryption Software: NIE Loses Backup Tape With Customer Data

    Northern Ireland Electricity (NIE) has lost a backup tape that contained the bills of 12,799 homes.  Billing information and names and addresses were included, but nothing that would be considered sensitive under the DPA--meaning, in some ways, that data protection software like data encryption from AlertBoot was not necessary.

    Lost During Transportation

    The backup information on the tape is further backed up onto microfiche files, and the tape was lost en route to the microfiche-copying facilities.

    The actual information on the data tape included account names, addresses, customer numbers, billing amount, previous payments, and account balances for August 10, 2009.  (This was a single day's billing information.)

    All in all, I'd agree that this is not sensitive, personal information.  However, there are two things I don't like about this case.

    Argumentative

    "...while we have not been able to locate this tape, there is absolutely no evidence to suggest that it has fallen into the wrong hands."

    These are the words spoken by the NIE Energy managing director, Mr. McCully.  And while I'm sure that there's a very low probability of something coming out of this data tape loss, the fact is that there is also absolutely no evidence to suggest that it has not fallen into the wrong hands.

    I don't know where I read it, but as I understand it, most crimes go unresolved.  Why do they go unresolved?  Because there's no evidence.  The fact that there is "absolutely no evidence" of a crime, but that it may be an accidental loss, is meaningless, if you consider that in most cases there is no evidence, period.  It'd be more accurate to say, "we don't know what happened."

    Of course, no self-respecting company is going to go around releasing such announcements.

    Still Dangerous

    While the information lost on the tape is not sensitive, it's only one step removed from gaining sensitive information.

    Consider the following scenario: an enterprising hacker or hackers steal the tape, not really knowing what to find in it.  They access the data--as far as I know, encryption software was not used to secure the information--and see information that pertains to NIE and NIE alone.

    The information in its present state is useless.  However, they see the glimmers of possibility.

    Could it not be possible to concoct some kind of story where the 12,000-plus people are promised a reduction in their energy bills by following a link that's printed on a NIE letter (using counterfeit letterhead, of course)?

    Perhaps based on their account balance as of August 2009, or whatever: there's certainly enough information to give the letter some "authoritative" context.

    And, when people type in the URL, malicious code is automatically downloaded and installed on the unwitting customer to steal passwords to on-line banking and whatnot.

    The above is one of the ways that phishing campaigns are carried out, although it's more work than usual: most phishers carry out their attacks via e-mail, not regular mail.  But, criminals are not really a fussy bunch, and will use whatever methods they can.

    Instead of the empty arguments of "no evidence" of criminals behind the situation, I would have preferred, and been comforted by, the use of encryption if I were one of the 12,000.


    Related Articles and Sites:
    http://www.wexfordpeople.ie/breaking-news/national-news/data-tape-with-bill-details-lost-2022377.html
    http://www.belfasttelegraph.co.uk/news/local-national/nie-data-tape-with-13000-bill-details-lost-14641958.html

     
  • Data Encryption Software: Lincoln National Corp Alerts Of Potential Breach Regarding Passwords

    Lincoln National, a financial services company based out of Concord, NH, has alerted the New Hampshire AG about a potential data breach involving passwords.  It's the type of thing that can easily subvert any type of data security scheme, including hard disk encryption.

    Shared Passwords

    According to the letter to the AG, subsidiaries to Lincoln National shared passwords for accessing their portfolio information system, possibly impacting 1.2 million clients.  The system is not used for actual financial transactions (that's my interpretation), but SSNs, addresses, names, dates of birth, e-mail addresses, transaction details, account numbers, and balances are accessible from within the system's database.

    Six shared usernames and passwords were created, dating back to 2002, with the purpose of facilitating administrative and customer support duties.

    Outside forensic examiners found that there is no reason to believe that shared access has resulted in the misuse of client data.

    All of the above was instigated after someone tipped off FINRA, the Financial Industry Regulatory Authority.

    While nothing has come out of it, probably, the use of shared passwords poses a risk to data security.

    Undermining Security

    An easy way to undermine data security is to share passwords.  While nothing has come out of the above situation (well, nothing that was found), there are plenty of instances across the world where shared passwords have led to less than appealing situations.

    Consider Société Générale, the French financial services company that saw losses of over 7.2 billion dollars in 2008 due to fraud.  Among several reasons, the sharing of passwords allowed the perpetration of the crime.

    Furthermore, every other week I read about how people illegally access databases to steal personal information.  Keep in mind, these are people using their own usernames and passwords; chances are they'd go wild with someone else's username and password.

    Sharing passwords is convenient.  Some would say it's "efficient," since things can be done in record time, as opposed to putting in a request to IT and waiting for something to happen.  However, the truth is that it also allows data breaches to occur, conveniently and efficiently.

    No matter how big a hassle, care must be given not to reveal passwords.


    Related Articles and Sites:
    http://www.computerworld.com/s/article/9145240/Financial_firm_notifies_1.2M_after_password_mistake
    http://www.fiercecio.com/story/financial-firm-warns-1-2-million-files-exposed/2010-01-17
    http://doj.nh.gov/consumer/pdf/lincoln_financial.pdf

     