AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

March 2010 - Posts

  • Data Security: Credit In The Dumps? Personal Info Can Still Be Misused

    In the course of searching and reading up on data security breach stories, and how data encryption software like AlertBoot can help prevent these, I come across comments such as, "Ha! My credit is shot anyway!  Let the hackers have my Social Security number; we'll see how far they can go with THAT."

    How far can they go?  Pretty far.

    Tax Refunds - Just One of Many Ways SSNs Can Be Misused

    There are many ways of misusing personal information like SSNs: Getting loans, applying for credit cards and mortgages, and other forms of ID theft based on obtaining credit.  It's one of the many reasons why people steal this information, and why many companies (but not all) try to protect it.

    If your credit score is on the low side, chances are the SSN cannot be used for obtaining money this way.  There are other ways, though.  One of the methods that has popped up in the news over the past couple of years--always around this time of the year--is the filing of fake tax returns.

    If you read the following story, you'll see that two women stole $289,000 in tax refunds this year, with the money spread across at least 17 different bank accounts.  Their scam was helped by the fact that one of the perpetrators worked at H&R Block, so pertinent information such as SSNs or TINs, addresses, etc. was available to the duo.

    However, past stories I've read have included instances where a similar scam was carried out by knowing a name and SSN only.  The taxes were filed on-line, with fake earnings and deductions.  The refunds were to be wired to bank accounts, instead of waiting for a check in the mail: the longer the wait, the greater the chances that the scam will be revealed.

    Of course, the chances of any given person being embroiled in such fraud are pretty small.  The point is, however, that SSNs are used in many ways, and criminals are a resourceful bunch; when you add up all the different ways that stolen SSNs can be used, shot credit ratings or not, it behooves you to be concerned about the security of your personal information.


    Related Articles and Sites:
    http://www.chicagobreakingnews.com/2010/03/2-women-accused-of-using-tax-data-to-file-false-returns.html
    http://www.msnbc.msn.com/id/12137393/ns/business-consumer_news/

  • Full Disk Encryption, Victorinox Presentation Master, Being All Thumbs

    If you haven't heard by now, Victorinox (the guys that make Swiss Army Knives, SAKs) has come out with a SAK that doubles as a presentation tool, which includes a laser pointer and a USB drive that is protected with disk encryption, along with the traditional blade, nail file, and other assorted tools.

    The company issued a challenge to be held this week in London, where it will pay £100,000 to anyone who manages to hack into the encrypted USB drive--which can be accessed via a built-in fingerprint scanner.  There is a condition, though: the hacking has to occur in two hours.  And, the devices are not being given out in advance, as far as I can tell.

    Of course, this means the competition is geared towards nobody successfully hacking the contraption (a successful hack being very bad for PR); two hours is generally not enough, and hackers in the real world don't face such restrictions.

    I have even read a comment somewhere that the challenge is further rigged against a successful hack because anyone--hacker or not--can show up at the challenge, preventing or slowing down actual hackers from reaching the counter where the knives would be handed out.  That's a rather tortuous argument: I'd imagine the two-hour limit kicks in once the knife is in the hands of the potential hacker, not at the official start of the event.

    Knives on Planes

    The greater problem that I foresee is uniformed guys at airports and other restricted areas confiscating such a device because it comes with a blade.  Sure, they're these tiny things, depending on the model, but they're still knives, see? (Actually, I don't, but that's the argument given to me by one airport official.)

    Victorinox, however, also makes a bladeless version, supposedly, so you can still play at being MacGyver at the airport's gates, if you so desire.  Just don't blow anything up....

    Counting to Nine?  Google "Malaysia Machete Mercedes"

    Whenever I read about thumbprint scanners, I remember the Mythbusters episode where such biometric security was easily defeated with a photocopy of an authorized print.

    I'm also reminded of all the jokes people make about cutting off someone's finger to gain access to such security measures.  Well, I thought it was a joke until I read a comment on reghardware.co.uk:

    "Every time somebody shows me biometrics i ask them to google "malaysia machete mercedes" which leads to a grisly story of a man who can only count to nine after robbers took his 'key'."

    I did google it, and the story is not pretty.  Apparently, a gang in Malaysia hacked off a man's thumb after finding that a Mercedes-Benz S-class wouldn't start without scanning the owner's fingerprint.  Yikes!

    On the other hand, with nearly seven billion people in the world, it was bound to happen to some guy at some point.  I love technology and all, but for the time being, I'd rather stick to password-based access to my data protected by encryption software.  Paranoid?  Sure.  But, if it's happened before, it's bound to happen again....


    Related Articles and Sites:
    http://www.reghardware.co.uk/2010/03/22/victorinox_swiss_army_knife_hack/
    http://www.gadling.com/2010/01/12/review-victorinox-presentation-master-bluetooth-usb/
    http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

  • UK Information Commissioner Can Fine Company £500,000

    The title is not a typo.  As of April 6, 2010, the Information Commissioner's Office (ICO) in the UK can fine organizations up to £500,000 for data breaches and other forms of non-compliance with the Data Protection Act (DPA).

    • Fines From £5,000 to £500,000
    • ICO Looking To Make An Example?
    • Monetary Penalty Guidance
    • Fines Necessary

    One of the ways these fines can be minimized, perhaps even eliminated, is by having adequate information security measures in place, such as laptop encryption software for any portable computers an organization is using (there are, obviously, other things to do besides using encryption software).

    Maximum Fines Jump From £5,000 to £500,000

    If you've been following the news, the ICO got the go-ahead to assess fines last year, and this new power becomes effective starting April 6.  I've read that the ICO had the power to assess fines of £5,000 to date, although so far most companies were let off with the signing of an Undertaking.

    What's an Undertaking?  That's where the CEOs promise to improve their security measures after they had an information security breach.  In many cases, the use of encryption software on any portable devices such as laptop computers and external hard disk drives is included as part of such improvements.

    Here's an example of the promises as per the Undertaking (my emphases) in one particular case involving the Alzheimer's Society, although this wording appears in pretty much every Undertaking:

    1. Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;
    2. Physical security measures are adequate to prevent unauthorised access to personal data;
    3. Staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy;
    4. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful

    Like I mentioned before, data protection involves more than the use of data encryption software.

    For example, if an organization does not use computers but has an extensive collection of sensitive personal information in paper files, it must make sure there's adequate security in the form of locked filing cabinets and the like.  Yep, the ICO also looks into the security of information on printed materials.  After all, data is data.

    Will The First Breaches Set The Agenda?

    The opinion out there is that the ICO will come down hard on the first set of breaches that come its way after April 6.

    The reason? For setting a standard for future breaches and penalties.  Of course, the ICO denies this, noting that the "ICO would not make an example of an organisation for the sake of making an example, it would be done on a case-by-case basis," according to a spokesperson.

    In other words, the fines would be assessed depending on the situation: the nature of the breach, whether it was possible to prevent it, whether the protections in place--if any--were adequate, etc.  This is probably why there are reports that the ICO will be able to issue about 25 fines a year.

    ICO Has Guidelines For Assessing Fines

    Sections 3 and 4 of the "Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998" provide guidance on the circumstances under which monetary fines would be handed out, including examples.

    (Among the eyebrow-raising things about the guideline?  Under section 7.4, organizations get an early payment discount of 20% if full payment of the fine is made within 28 calendar days of the penalty notice being served.  I understand what the purpose of the discount is, but I still find it surprising: it makes it look as if the government has set up shop.)

    Here's an interesting excerpt from the guideline that bears analysis:

    As a general rule a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention of the data protection principles. It is not possible to provide specific examples at this early stage until actual cases present themselves. However, when precedents are available from either the monetary penalty notices served by the Commissioner or the decisions of the Tribunals, further guidance will be produced so that a data controller can better assess its position [Section 2, p.4; my emphases]

    Perhaps I'm reading too much into the above, but it seems to me that examples will be made of the initial companies that have significant breaches.  After all, if the government hands out too low a fine, won't future organizations complain if their fines are higher?

    Fines Perhaps Controversial, Definitely Necessary

    Absolute Software and the Ponemon Institute have released a survey showing that nearly 90% of UK organizations admit to losing a laptop.  Of these losses, 61% resulted in a data breach.

    Mind you, this is three years into the numerous data breaches that rocked the UK, such as the loss of two CDs with child benefit records on some 25 million people.

    Even after all these stories in the media, we find that companies have not woken up to the need for better data security.  Or rather, if you philosophize about the nature of the fines to be handed out soon, perhaps it would be more accurate to say that organizations don't feel the need for better data security: serving the customer is one thing, plunking down relatively big money for their data security is something else.

    Will the fines change the behavior of companies?  Not at first; but then stories about sizable fines will make the rounds in the media, and that will probably prompt many companies to take a second look at the data security procedures they have in place (which, I should point out, will also require the ability for a company to prove it has information security controls in place).


    Related Articles and Sites:
    http://www.infosecurity-magazine.com/view/8155/industry-prepares-for-new-ico-penalties-starting-next-month/
    http://www.computing.co.uk/computing/analysis/2259581/watchdog-pounce
    http://www.networkworld.com/news/2010/031510-humans-continue-to-be-weak.html?page=1

  • Hard Drive Encryption: Royal London Mutual Insurance Society Loses 8 Laptops

    The UK's Information Commissioner's Office has reported a breach of personal details for 2,135 people by the Royal London Mutual Insurance Society, the largest mutual life and pensions company in the United Kingdom.  A breach that disk encryption software like AlertBoot could have prevented, had it been used.

    8 Laptops Stolen, 2 Contained Sensitive Information

    Eight laptop computers were stolen from the insurance company's offices in Edinburgh.  Of those, two stored information on clients' employees.  The computers did not use encryption software but were password protected, which is pretty much useless: an operating-system login password does nothing to stop a thief who pulls the drive and reads it from another machine, or who simply boots the laptop from a CD.

    An internal report to Royal London showed that the company failed in many aspects.  The company "was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate," per scmagazineuk.com.

    Even more damning, though, is that "managers were not aware that personal information was stored on any of the laptops, which meant no additional precautions to control and secure the data had been taken."

    Keeping Track of Information

    In yesterday's post, I had noted that not storing sensitive information is always the best form of data protection, in the sense that not having sensitive data means there is nothing to protect.  I also noted that it doesn't work very well.

    The above story illustrates why.  The crux of the matter lies in knowing if there's any sensitive data and, if so, where.  In other words, someone or something must keep track of the information.  This is easier said than done.

    Now, it could be that company policy prohibits sensitive information from being stored on laptop computers at all.  My guess is that Royal London, being one of the largest pensions companies in the UK, had such a policy in place--most big companies that deal with sensitive data have one, especially when they don't have adequate security, like encryption for laptops, in place.  Did it work?

    No.  It almost never does--I'd like to put the figure of companies that can make it work at 1%.  The problem is that most companies think they're that 1%, which clearly can't be.


    Related Articles and Sites:
    http://www.scmagazineuk.com/royal-london-mutual-insurance-society-loses-eight-laptops-and-the-personal-details-of-2135-people/article/166024/
    http://www.insurancedaily.co.uk/2010/03/18/royal-london-faces-up-to-data-protection-breach/
    http://en.wikipedia.org/wiki/Royal_London

  • Disk Encryption: Vanderbilt U. Students' Information Breached

    Insidevandy.com is reporting that the theft of a professor's desktop computer has exposed information on 7,174 current and former students.  There is no mention of whether data security products, such as drive encryption software like AlertBoot, were used.

    1,347 Current Students Affected

    Of the 7,174 students, 174 are current grad students and 1,173 are current undergraduates.  The stolen data included names and Social Security numbers, which were part of the professor's grade book information (not all students' SSNs were included, it looks like: the story notes that the SSNs were "for some students").

    The theft occurred on February 6, but the letters alerting students to the breach were sent out on March 10 and 11.  Seeing how the university was able to detail exactly how many students were affected, I guess they took the time to do some forensic investigation, most probably on backup data.

    The computer was stolen from a locked office.  The provost has asked "all academic deans...to purge information like this from their files and to not collect it in the future" in a memo.

    Disk Encryption or Purging?

    I'd say there's a good chance that the information on the stolen computer was not protected--otherwise, it would have been mentioned.  Going forward, though, would it be a good idea?

    It depends.  If everyone purges sensitive information from their computers, the obvious answer is, "data protection is not necessary," mostly because there is no data to protect.  The question is, though, how many people will:

    • Actually read the letter?
    • Take the time to delete sensitive data?
    • Not miss a particular file or files that contain sensitive information?

    The provost's memo would have had more bite to it if he had also provided software that scans a computer's contents and pinpoints any instances of sensitive information, such as credit card or Social Security numbers.  After all, this is what a number of malware programs do to steal data, and plenty of similar commercial (i.e., legitimate) software exists for finding such information in order to delete it.

    Also, not storing sensitive data is always a better form of data security than, say, the use of encryption software.  For example, full disk encryption only protects data at rest, when a powered-down computer gets stolen; once the machine is booted and unlocked, it's 0% effective against other threats, such as Trojans running on it.  But, again, it all revolves around whether the data does get deleted.

    In my experience, people lose track of what's saved where and which files contain what.  While deleting and not storing sensitive data is the best form of data security one could have, when theory diverges from reality, a different approach must be tried.

    And theory tends to diverge from reality a lot.


    Related Articles and Sites:
    http://www.insidevandy.com/drupal/node/13438
    http://www.vanderbilt.edu/info/identity-protection/

  • Laptop Encryption Software Issues: How Secure Is Your Password? Cracking It Becomes Easier

    • Product designed to retrieve forgotten passwords: 100,000 guesses/second
    • Is encryption safe?

    One of the best ways of keeping your data safe in case a laptop computer gets stolen is via the use of disk encryption software like AlertBoot.  However, there are ways of getting around it, the easiest being cracking the password.

    Cracking Passwords - Brute Force

    The easiest way of obtaining a password, but also, perhaps, the most illegal way, is to physically threaten someone.  Another easy way is to happen upon said password (think: Post-It note).  These are not what we refer to when talking about "cracking passwords."

    Cracking passwords requires the element of guessing what the actual password might be: trying past passwords a person has used; trying personal information, such as birthdates and names; or just plain guessing.  Done by hand, this means long hours at the keyboard.

    Unless you can get a computer to do it for you, which would try all possible passwords.  Trying all combinations systematically (usually alphabetically), from A to Z, is often called cracking by brute force.

    Well, cracking those passwords has gotten easier, if also a bit more expensive.  ElcomSoft has come up with their latest "password retrieval" device that can try 103,000 passwords per second.  It looks like this rate is actually for cracking WPA (basically, wireless router) passwords, but imagine for a second that this could be applied to everything.

    Do Encryption Solutions Work Anymore?  Hacking Passwords

    There are two ways of accessing encrypted data: know the encryption key, or know the password that unlocks it.  Of the two, the key is almost always the longer, more complex one; thus, it makes sense to attack the password, which is shorter and--theoretically--easier and faster to guess.

    How easy?  Well, let's take into consideration an eight-character long password which uses both letters and numbers (although not necessarily both: 12345678 would be a valid, but poor, password under the conditions).  This means each position in that 8-character password has 36 possible values (26 letters, A through Z, plus 10 digits, zero through nine).  That gives 36^8 candidates, which works out to about 2.8 trillion combinations.

    At a rate of 103,000 passwords per second, it would take about 10.4 months to go through all 2.8 trillion combinations.  Normally, experts assume the password will be found before 50% of the guesses are tried, so one could expect a breakthrough in about 5 months on average ("on average" meaning across many attempts on many machines; results for any individual machine will vary, obviously).

    It should be noted that the above is for a case where one knows the password is exactly eight characters long: if one doesn't know the length, one would have to start with one-, then two-, then three-character passwords, and so on.  Under such circumstances, it would take about 10.7 months to go through all possible tries (the shorter lengths add only about 3% to the total, since 36^7 is one 36th of 36^8).

    Interestingly enough, a 9-character password by itself, under the same conditions, would take 31 years to exhaust (36^9 candidates), and a 10-character password 1,125 years (36^10).  How come?  Exponential growth: each extra character multiplies the number of candidates by 36.

    The above explains why IT personnel ask that passwords be reset every 3 months or so if an 8-character password is used: the password is meant to change before the attacker's expected 5-month window closes.  It follows that, for shorter passwords, the reset has to be even more frequent.  Note the limit of this reasoning, though: rotation only helps against attacks on a live system.  A laptop stolen with its disk encrypted under last quarter's password can be attacked offline for as long as the thief likes, and no later reset changes the password that protects that particular disk.

    Encryption is Still Safe - Rate Limiting

    It would depend on what one's talking about, but when it comes to laptop encryption, there are ways to counter password cracking attempts.  The first would be to use a sufficiently long password, one that's at least 9 characters long.

    But even if one were using a 6-character long password (36^6 candidates, crackable in about 6 hours at 103,000 guesses per second), the use of rate limiting (in the case of AlertBoot endpoint security, exponential rate limiters) would foil such brute-forcing attempts.

    What is rate limiting?  The introduction of a time-out period between password tries: even if a device can attempt 103,000 passwords per second, all that raw power is useless if the laptop only allows you to try one password per second: the 2.8 trillion tries would require 2.8 trillion seconds (roughly 89,000 years).

    Exponential rate limiting is where the time-out period grows exponentially with each failed attempt, from one second to two seconds, from two seconds to four seconds, from 4 to 8, and so on.  By the tenth try the wait is already 512 seconds, and the total time spent waiting has passed 17 minutes; the cracking attempt has slowed to a crawl.
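    The arithmetic above, carried through as an added example (this is not code from the original post or from AlertBoot): it computes the keyspace for a fixed or unknown password length, the exhaustive and expected cracking time at a given guess rate, and how far an attacker gets once a limiter with a fixed or doubling delay is in the way.  The 36-symbol alphabet, the 103,000 guesses per second, and a limiter that waits 1 second after the first failure and doubles thereafter are the post's assumptions; the limiter model (the wait is counted only against wrong guesses) is an assumption of this example.

```python
"""Brute-force time budget for a password-protected encrypted disk."""

ALPHABET = 36                     # a-z plus 0-9, as in the post
GUESS_RATE = 103_000              # guesses per second cited for the ElcomSoft device
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size=ALPHABET, length=8, unknown_length=False):
    """Number of candidates an attacker must try.

    If the length is unknown the attacker sweeps every length from 1 up to
    `length`, so the sizes of all the shorter keyspaces are added in too.
    """
    if unknown_length:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def seconds_to_exhaust(candidates, rate=GUESS_RATE):
    """Worst case: every candidate is tried."""
    return candidates / rate


def expected_seconds(candidates, rate=GUESS_RATE):
    """Average case: the right password turns up halfway through the sweep."""
    return seconds_to_exhaust(candidates, rate) / 2


def backoff_total_seconds(failed_tries, base=1.0, factor=2.0):
    """Cumulative waiting time imposed by a rate limiter after `failed_tries`
    wrong guesses: base + base*factor + base*factor**2 + ...  A factor of
    1.0 is a fixed delay (plain rate limiting); 2.0 is the doubling limiter."""
    if factor == 1.0:
        return base * failed_tries
    return base * (factor ** failed_tries - 1) / (factor - 1)


def tries_within(window_seconds, base=1.0, factor=2.0):
    """Wrong guesses that fit inside a time window under the limiter.  The
    attacker's raw guess rate no longer matters; only the enforced waits do."""
    n = 0
    while backoff_total_seconds(n + 1, base, factor) <= window_seconds:
        n += 1
    return n


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for length in (6, 8, 9, 10):
        n = keyspace(length=length)
        print(f"{length} chars: {n:,} candidates, exhaustive {human(seconds_to_exhaust(n))},"
              f" expected {human(expected_seconds(n))}")
    n8 = keyspace(length=8, unknown_length=True)
    print(f"8 chars, length unknown: exhaustive {human(seconds_to_exhaust(n8))}")
    # Same 8-character keyspace, but the laptop only accepts one guess per second.
    print(f"one guess per second: {human(seconds_to_exhaust(keyspace(length=8), rate=1))}")
    # Doubling limiter: how many guesses fit into a two-hour window?
    print(f"doubling limiter, 2 hours: {tries_within(2 * 3600)} guesses;"
          f" waited {human(backoff_total_seconds(10))} after 10 failures")
```

    The doubling limiter is what turns the numbers around: with 2.8 trillion candidates and a two-hour window, the attacker who must type guesses into the pre-boot prompt gets a dozen tries, not 740 million.  That only holds for guesses made through the limiter, which is why a long password still matters for a thief who copies the disk and guesses offline.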

    For the time being, encryption software still provides the data security many people and businesses require, provided the password is long enough and the product slows down guessing, whether through rate limiting at the login prompt or a deliberately slow key derivation that also holds back an attacker who copies the disk and guesses offline.


    Related Articles and Sites:
    http://www.net-security.org/secworld.php?id=9021
