AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


iPad Theft Leads To Data Breach For Eventbrite

Eventbrite, a ticketing and event management company based in San Francisco, California, has alerted the authorities to a potential data breach and publicized the incident on its blog.  Two iPads with customer information were stolen.  Thankfully, iPads are always encrypted by default (they use something similar to AlertBoot full disk encryption) and there is the ability to perform a remote wipe.

One of the Most Straightforward Breach Notifications, Ever

I read a lot of breach notification letters in my job.  I estimate that I've read at least two hundred of them.  Eventbrite's blog entry is possibly the best and most transparent data breach notice I've read to date.

You can read it for yourself, but to summarize:

  • Two iPads stolen on September 20
  • Data collected via "Eventbrite At The Door" App
  • Remote password lock and remote data wipe put into place
  • Authorities and credit card companies alerted

The breached data includes 1) names and email addresses, 2) email addresses and last four credit card digits, and 3) complete credit card numbers for 28 clients (the data was collected via separate methods).

It was also noted that the "Eventbrite at the Door" application had a bug which led to the improper encryption of the credit card data for the 28 clients.  The bug is currently fixed.

All in all, it sounds like the company has a firm grasp of what it had to do in the event of a data breach and, compared to all the other data breaches I've covered over the years, these guys deserve an "A" despite the circumstances surrounding this grade.

The Only Problems I Have....

Or maybe they deserve an "A-".  An "A+" is a grade you get if, obviously, you don't have a data breach.  I do see some problematic statements, though.

First, there is the issue that encryption was not implemented correctly for the 28 transactions.  I'm not sure what exactly they're referring to (is it encryption for data-in-motion?  Data-at-rest?), but if that's true for these 28 transactions, this implies that it was true for previous transactions as well.  I won't say it was true for all transactions since the bug could have been introduced in an update, effectively breaking the process.

(It also leads me to wonder, why were they prompted to look into the issue in the first place?  I mean, a data breach generally doesn't lead you to check whether there are bugs in your encryption algorithm.  If I were my usual cynical self, I'd be wondering whether the "bug" was not having encryption in the first place; however, such a suggestion contradicts the levels of candor emanating from Eventbrite's blog.)

Second issue: Will the remote security work?  We don't know if the devices were 3G-enabled or just operated over Wi-Fi.  If the latter, the remote wipe and remote lock can only work if the device is connected to the internet.  Conceivably, the iPads could be put in a Wi-Fi dead zone and attempts made to access the devices...although, I've got to admit I find this highly unlikely.  Apple's iPads are pretty highly prized, and I can definitely see how the thieves were after the hardware and not the data inside of them.

Regardless, I would have preferred the use of local wipe, where entering the wrong password a certain number of times automatically wipes all data.

Apple's iPads Use Encryption by Default

These are direct quotes from Apple's "iPad in Business: Security Overview" paper.  While the security present in the iPad is not perfect, it's pretty apparent that security was seriously considered during the design of the device.

"...if the device falls into the wrong hands, users and IT administrators can initiate a remote wipe command to help ensure that private information is erased."

Remote wipe
iPad supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device. If the device is configured with an Exchange account, the administrator can initiate a remote wipe command using the Exchange Management Console (Exchange Server 2007) or the Exchange ActiveSync Mobile Administration Web tool (Exchange Server 2003 or 2007). Users of Exchange Server 2007 can also initiate remote wipe commands directly using Outlook Web Access.

Local wipe
Devices can also be configured to automatically initiate a local wipe after several failed passcode attempts. This is a key deterrent against brute force attempts to gain access to the device. By default, iPad will automatically wipe the device after 10 failed passcode attempts. As with other passcode policies, the maximum number of failed attempts can be established via a configuration profile or enforced over the air via Exchange ActiveSync policies.

Encryption
iPad offers 256-bit AES encoding hardware-based encryption to protect all data on the device. Encryption is always enabled and cannot be disabled by users.
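
The local wipe excerpt above says the failed-attempt limit can be set through a configuration profile. As an added example (not code from Apple, Eventbrite, or AlertBoot), this Python check parses an unsigned profile and reports whether its passcode payload forces a passcode and caps failed attempts. The sample profile and its `com.example.doorkiosk` identifier are constructed, and the ceiling of 10 is an assumption taken from the default quoted above.

```python
import plistlib

# Constructed sample profile (illustrative only): a single passcode payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.doorkiosk</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>maxFailedAttempts</key><integer>8</integer>
    </dict>
  </array>
</dict>
</plist>"""

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def audit_local_wipe(profile_bytes, max_allowed=10):
    """Return a list of findings; an empty list means local wipe is enforced."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # signed (CMS-wrapped) or corrupt profiles land here
        return [f"profile is not a readable plist: {exc}"]
    if not isinstance(profile, dict):
        return ["profile root is not a dictionary"]
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode policy payload: local wipe is left to device defaults"]
    findings = []
    for p in payloads:
        if p.get("forcePIN") is not True:
            findings.append("forcePIN is not set: device may have no passcode to fail")
        attempts = p.get("maxFailedAttempts")
        if isinstance(attempts, bool) or not isinstance(attempts, int):
            findings.append("maxFailedAttempts missing: wipe threshold not set by profile")
        elif attempts > max_allowed:
            findings.append(f"maxFailedAttempts={attempts} exceeds allowed {max_allowed}")
    return findings
```

Because this policy lives on the device, it still applies when a Wi-Fi-only iPad never reconnects to receive a remote wipe command.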


Related Articles and Sites:
http://www.ticketnews.com/news/Eventbrite-suffers-possible-security-breach091130682
http://blog.eventbrite.com/our-commitment-to-security


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.