AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

October 2011 - Posts

  • Data Breach Costs: The Ongoing Hannaford Breach Saga

    The Hannaford Brothers data breach saga chugs along: The US Circuit Court of Appeals in Boston has deemed that plaintiffs can recover for claims of identity theft insurance and replacement card fees.

    Previous posts regarding Hannaford can be found here and here.

    If you'll recall, in 2008 the supermarket chain Hannaford Brothers made a splash in the news when they admitted that over 4 million credit and debit card numbers were stolen.  This was later tied to the TJX hacking incident, both incidents being tied to the same hacker.  In both cases, not using proper encryption in the companies' wireless network allowed the hackers in.

    One thing to note about the Hannaford case is that only credit card numbers were stolen.  As such, in most (if not all) states, the incident is not classified as a data breach: other information, such as a last name, would be required for the data theft to become a data breach under the law -- or, at least, to become a notifiable data breach.

    Watershed Mark?

    While I'm not a legal expert by any means, I've found out over the years that lawsuits brought forth by the victims of data breaches are invariably tossed out because there are no grounds for the lawsuits:

    • The fear of being victimized in the future is not grounds for winning cases.  Courts deal with damages that have happened, not damages that will happen (or might happen).
    • Fraudulent charges are made whole by the credit card companies, so there are no damages.
    • Lost time spent fixing one's credit statement is not "recoverable."

    To the lower courts, their main role in such cases is ensuring that victims are "made whole."  If there is nothing to be made whole, there is not much the courts can do.

    However, the Court of Appeals notes in its latest ruling:

    "Plaintiffs' claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse," a three-judge appeals court panel said in its Oct. 20 ruling. "Under Maine contract law, these financial losses are recoverable as mitigation damages as long as they are reasonable," the court ruled in partly affirming and partly reversing a lower court ruling. [businessinsurance.com]

    Hannaford Brothers Data Breach Timeline

    Seeing how the Hannaford case doesn't show any signs of going away any time soon, I thought I'd create a timeline for future reference.

    2007 - DEC - 07 Attack against Hannaford begins (msnbc.com)
    2008 - FEB - 27 Breach discovered (msnbc.com)
    2008 - MAR - 08 Incident discovered by Hannaford (datalossdb.org)
    2008 - MAR - 10 Attack is contained (msnbc.com)
    2008 - MAR - 10 Major credit card associations given compromised card numbers (thefreelibrary.com)
    2008 - MAR - 13 Card associations notify member banks of the compromised card numbers (thefreelibrary.com)
    2008 - MAR - 17 Hannaford reports incident / makes announcement (datalossdb.org)
    2008 - MAR - 19 First lawsuit against Hannaford is filed in Maine (thefreelibrary.com)
    2009 - MAY - 12 All claims against Hannaford dismissed by Judge Hornby except for one (thefreelibrary.com)
    2009 - OCT - 05 Judge Hornby files for input from Maine Supreme Judicial Court (cuna.org)
    2011 - OCT - 20 United States Court of Appeals, First Circuit decides affected Hannaford customers have a valid claim for identity theft insurance and credit card replacement fees (uscourts.gov)

    [ datalossdb.org ]
    [ msnbc.com ]
    [ wired.com ]
    [ thefreelibrary.com ]
    [ uscourts.gov ]
    [ cuna.org ]


    Related Articles and Sites:
    http://www.businessinsurance.com/article/20111024/NEWS07/111029958

     
  • Data Encryption Software: The CD Is Dead (AdvancePierre Foods Breach)

    The demise of the CD has been long predicted.  After all, it's a nearly 40-year technology, ancient by any technological standards.  However, I was one of those people who didn't quite believe that it was dead.  Until today, that is, when I read of a data breach that, for me, marks the beginning of the end.  The good news is that information protection using data encryption might become easier.

    AdvancePierre Foods Breach Notification

    According to databreaches.net, AdvancePierre Foods has notified the NH Attorney General's Office that it lost a flash drive with employee information.  Apparently, this flashdrive was sent via mail from AdvancePierre Foods to its 401K provider.  The envelope was damaged, and the financial services firm alerted AdvancePierre Foods of the fact.

    The small device contained names, SSNs, dates of birth, employee's hiring date, and compensation data for 2009 and 2010.  Passwords for accessing 401K accounts were not present.

    It wasn't revealed what protective measures were on the flashdrive, be it password protection or encryption software for flashdrives.

    (The former, of course, is not real data protection, as I've detailed elsewhere on this blog numerous times, while encryption is the real deal.  However, I'd prefer it over nothing at all.  In fact, the layperson can be excused for thinking that password-protection provides "protection" -- the word is in there, for goodness' sake! -- but if nothing was used at all?

    That's just stupidity, plain and simple.)

    Was Encryption Software Used?  Notifications Being Sent

    The fact that the letter was filed with the Attorney General, and that NH residents are being notified of the breach, cannot be used as evidence that the flashdrive was unencrypted.  Many states offer safe harbor from breach notification letters; however, New Hampshire is not one of them.

    Likewise for breach notification letters received by residents of other states: in this connected world, notifying one set of people while not notifying others is public relations suicide.  And, of course, once you notify people, respective state AGs might take exception to not being notified, regardless of what the law states.

    Why is this the Clarion Call for CDs?

    Well, first off, I want to clarify that this is a sign of the CD's demise to me; it's a personal one.  We all take signs from some particular event or statistic or what-have-you, and this event is mine.

    Why this one?  Over the past four years or so, I've read of many instances where a data breach was triggered due to lost mail or damaged mail.  The most unique case I recall, which is not tied to a data breach, by the way, is when nuclear material was lost while being Fedexed.

    Anyhow, most data breaches involving the postal system invariably revolve around CDs and DVDs.  You also have backup tapes and external drives going missing in the mail; however, people don't use backup tapes and external drives as replacements for CDs and DVDs.

    Flashdrives, on the other hand, are.  Some would argue that it was the rise of flashdrives that allowed Apple and other computer manufacturers to get rid of CD drives (the argument that it was the cloud that did CDs in is, in my opinion, incorrect; at least, when it comes to storage).

    This is the first story I've read where a flashdrive was sent over the mail and caused a data breach.  Granted, this is most probably not the first one to be sent over the mail; however, the fact that such a story appeared must indicate that there are plenty of these going around in the mail.

    And, despite the fact that such devices are many times more costly than a pack of 10 CDs, people are willing to send them over the mail, most probably never to be returned.  In other words, USB flashdrives are now considered disposable.

    Yep, you can kiss CDs good-bye now.  Which is not a bad thing from an encryption perspective.  CDs are, as far as I know, impossible to encrypt in whole.  Any encryption is first done on the file, then burned to a CD -- in other words, file encryption.

    Related Articles and Sites:
    http://www.databreaches.net/?p=21072
    http://doj.nh.gov/consumer/security-breaches/documents/advancepierre-20111006.pdf

     
  • Hard Drive Encryption Not Used In Stolen PSEG Laptop

    PSEG, a NJ-based power company, has notified the New Hampshire Attorney General's office about a September data breach, according to a letter unearthed by databreaches.net.  A break-in into an employee's home resulted in the theft of a laptop and other items.  Apparently, the computer in question was not protected with hard drive encryption software like AlertBoot.

    3 NH Residents Affected - How Many More?

    According to the letter to the AG, the burglary occurred on September 25.  Multiple items were stolen from a PSEG employee's home, including the aforementioned laptop.  Personal information of PSEG employees, including names and Social Security numbers, could potentially have been in the computer.  Three New Hampshire residents were affected, although how many were affected in total is unknown.

    Although databreaches.net notes that it wasn't stated whether the laptop was a company-issued one, I can't help but believe that it was.  When the employee found that the laptop was missing, he "promptly reported the incident to the police and appropriate PSEG personnel."

    Generally, you don't go around reporting the loss of your personal laptop to the company.  Of course, we can't dismiss the possibility that it was the employee's personal computer, and that he was aware of the presence of sensitive employee data in it -- and that's why he got in touch with the appropriate PSEG people.

    If the latter is the case, I applaud the employee: it would have been so easy not to report the incident and let the chips fall where they may.

    Password-Protection? So?

    It's pointed out that password protection was used on this laptop computer; however, the use of encryption software to protect the laptop from unauthorized access is not mentioned.  Password-protection, of course, is not really protection.  Why, earlier today I was talking to a computer repair technician who was having problems servicing a computer.  Had encryption not been in place, he noted, he could just use a Linux CD to bypass the Windows username and password prompt!

    The use of laptop full disk encryption, on the other hand, was preventing him from accessing the computer.  (What can I say, but that that's the point?)

    Had encryption software been installed on the now-stolen computer, the fear that employee SSNs would have fallen into the wrong hands could have been dismissed.  So, had it?

    Normally, I would take the fact that A) a breach was made public and B) the use of encryption is not mentioned, and naturally assume that encryption was not used.  After all, many states provide safe harbor from data breach notification laws if proper encryption is used.

    New Hampshire is not one of those states.  A breach must be reported regardless of the presence of encryption.  Maryland, New Jersey, Connecticut, and Delaware, on the other hand, are among those states.  If a notification letter shows up in one of those states as well, I think we can assume encryption was not used.


    Related Articles and Sites:
    http://www.databreaches.net/?p=21076
    http://doj.nh.gov/consumer/security-breaches/documents/pseg-20111010.pdf

     
  • German Government Spyware Not Surprising, Data Encryption Mistakes In It

    So, I finally found the time to read up on the spyware that was created and deployed by the German government.  On the one hand, it's surprising.  On the other hand, not so much.

    Cloudy Past

    Much of the controversy not only stems from the fact that it's the government spying on its citizens, but on the fact that it's the German government doing so.  One cannot escape that the surreptitious deployment and installation of spyware, designed to collect information on private citizens, is something that a totalitarian government would do: Germany doesn't have enough of a distance from its past to look at such instances in their own backyard and sigh out a collective "meh."

    I mean, this is the country that is so clouded by its past that it took about 60 years and the World Cup for its people to fly their flags with pride.  So, the fact that this is happening in Germany is kind of surprising.  On the other hand, what country doesn't spy on its citizens?

    Easy to Remove

    Another surprising thing: According to the Chaos Computer Club (CCC) -- which blew wide open the story on the spyware, dubbed Bundestrojan by some -- the program is very easy to block and remove from infected computers.  I totally buy into that "German efficiency" and "German work ethic" and other fine qualities (thank you, German car ads, for brainwashing me), so finding that the spyware is quite easily defeated comes as a surprise:

    "[The software always uses] the same encryption key," said Felix Leder, a German security architect in the Malware Detection Team at Norman, a Norwegian computer security firm.

    "Since some of the bytes are always the same, you can detect them and then you can detect that you have Bundestrojan traffic on your network. We are seeing similar mistakes made in spyware. Normally they forget simple stuff." [dw-world.de]

    The same encryption key, eh?  That's something you won't find in our AlertBoot encryption MSP solution for protecting computer disk drives.  For one thing, if your encryption key falls into the wrong hands, any computer using that key (assuming there's more than one computer) would be vulnerable to data theft if the laptop is stolen.
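The fixed-key mistake Leder describes above is easy to see in code. What follows is an added illustrative example, not code from the Bundestrojan, from Norman, or from AlertBoot: it models a sender that uses one hard-coded key with a constant nonce on every message beside a sender that draws a fresh nonce per message, then derives a network signature from captured samples the way a defender would. The key, the `REPORT v1|` header and the message bodies are constructed, and the SHA-256-based keystream stands in for a real cipher mode only to show why key-and-nonce reuse makes identical plaintext bytes produce identical ciphertext bytes.

```python
import hashlib
import os
from typing import List, Optional

# Constructed sample: every report the hypothetical sender emits starts with
# the same fixed protocol header, followed by a variable body.
HEADER = b"REPORT v1|"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative CTR-style keystream built from SHA-256(key || nonce || counter).
    Not a production cipher; it only models 'same key + same nonce => same keystream'."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_fixed(key: bytes, plaintext: bytes) -> bytes:
    """The mistake: one hard-coded key and an implicit constant nonce on every
    message, so identical plaintext bytes encrypt to identical ciphertext bytes."""
    return xor_bytes(plaintext, keystream(key, b"\x00" * 8, len(plaintext)))


def encrypt_per_message(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """The fix for the repeated-bytes problem: a fresh nonce per message, sent in
    clear ahead of the ciphertext. Same key, but the keystream never repeats."""
    if nonce is None:
        nonce = os.urandom(8)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def common_prefix(samples: List[bytes]) -> bytes:
    """Longest byte prefix shared by all captured samples. When it is long enough
    to be meaningful, a defender can use it as a static network signature."""
    if not samples:
        return b""
    prefix = samples[0]
    for s in samples[1:]:
        i = 0
        while i < min(len(prefix), len(s)) and prefix[i] == s[i]:
            i += 1
        prefix = prefix[:i]
    return prefix


def matches_signature(signature: bytes, data: bytes, min_len: int = 8) -> bool:
    """Flag traffic that starts with the learned signature; signatures shorter
    than min_len are ignored because they would only produce false positives."""
    return len(signature) >= min_len and data.startswith(signature)


if __name__ == "__main__":
    key = b"placeholder-shared-key"  # constructed; no real key appears on this page
    bodies = [b"user=alice;app=chat", b"user=bob;app=mail", b"user=carol;app=voip"]

    fixed = [encrypt_fixed(key, HEADER + b) for b in bodies]
    sig = common_prefix(fixed)
    print("fixed key/nonce -> shared prefix of", len(sig), "bytes")
    print("new flow detected:", matches_signature(sig, encrypt_fixed(key, HEADER + b"user=dave;app=web")))

    rotated = [encrypt_per_message(key, HEADER + b) for b in bodies]
    print("per-message nonce -> shared prefix of", len(common_prefix(rotated)), "bytes")
```

With the fixed key and nonce, the three captured reports share their first fifteen ciphertext bytes (the header plus the `user=` run that every body happens to start with), which is exactly the kind of constant pattern a network sensor can match. With a per-message nonce the captured samples share nothing, so the same signature approach yields no usable prefix; that is also why a disk-encryption product assigns each machine its own key rather than one shared key across the fleet.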

    Is It Surprising at Its Core, Though?

    There are little surprises here and there, and the entire thing is scandalous, of course, but I think the "news" that the German government was utilizing spyware is...not really news, and hence not a surprise.

    In July of last year, I had suggested the use of spyware:

    If I recollect correctly, the German government has been having a heck of a time trying to eavesdrop on Skype calls.  I seem to recall that they announced that they were successful in tapping those calls, but it sounded as if they had to use a specially-designed Trojan, essentially exploiting the fact that Skype's encrypted calls must decrypt at some point for people to hear each other.

    It was the only logical explanation when you consider how Skype works, and I think pretty much anyone interested in security came to the same conclusion.

    I guess the big controversy is whether the trojan was used in an illegal manner.  But, for now, the focus in the media seems to lie on the fact that the German government is using it at all.  However, I see people's eyes turning to the real issue.  I guess we'll have to keep our eyes peeled to see what developments arise.


    Related Articles and Sites:
    http://www.dw-world.de/dw/article/0,,15453150,00.html

     
  • Full Disk Encryption: Seoul Wedding Consultant's Hard Drive Stolen, 1500 Affected

    A wedding consultancy in Seoul, Korea has filed a report with local authorities regarding the theft of a hard disk drive.  The incident has affected approximately 1,500 people.  It wasn't revealed whether hard disk encryption software like AlertBoot was used to protect the contents.  It would have been a good idea, though, seeing how police think the thief or thieves were after the data.

    Matchmaker, Matchmaker Make Me a Match

    I say wedding consultancy, but in reality we're talking about a matchmaker (technically, a matchmaking company).  Matchmakers in Korea require a lot of information to find out if people are compatible, as must be the case for matchmakers around the globe.  So, it shouldn't come as a surprise that the information in the stolen disk contained names; addresses; contact information; details on employment, education, and net worth; and family background, among other personal details.

    At least one report states that "the entire computer" was stolen, leading me to believe that it wasn't a hard drive that was stolen, but a desktop computer's main body sans monitor, keyboard, etc. (regardless, I'll continue referring to it as a "disk").  If so, it might aid police who are checking video footage, including those from nearby businesses.

    Police believe that the burglary targeted the information found in the computer because nothing else was missing.  The incident took place over the October 8 weekend.

    Encryption Software Used?

    Was encryption used to protect the data found in the missing disk?  None of the reports say.  Password protection?  That's not reported either, although it wouldn't be hard to bypass.  Which company was at the center of the breach?  Not there.

    That last one can be partly attributed to strong privacy and defamation laws in Korea: it's very rare to find news reports which name names.  People are labeled "Mr. A," "Ms. B," and so on.  Likewise for companies, which are often referred to as "Company A," "Company B," etc.

    Which is, of course, quite ironic, because the Mr. As and Ms. Bs can't tell whether their private info has been breached, their privacy invaded.  So much for strong privacy laws.


    Related Articles and Sites:
    http://media.daum.net/economic/others/view.html?cateid=1041&newsid=20111020222406983&p=segye
    http://economy.hankooki.com/lpage/finance/201110/e20111020210951117450.htm
    http://www.newscj.com/news/articleView.html?idxno=100656

     
  • Drive Encryption Software: Strawberry Point Elementary Laptop Theft

    Sometimes, physical security for laptops is anything but.  According to millvalley.patch.com, Strawberry Point Elementary School in California was victim to a burglary.  Twenty laptops were stolen from its premises about a week ago.  It looks like the computers were used by students, so there was probably no need for drive encryption software like AlertBoot.  However, the incident highlights something one shouldn't do when it comes to protecting laptops (and data).

    Tightly Locked in Cart

    It is assumed that at least two people broke into the school's library.  The door was pried open and a white steel cart, heavy enough that at least two people were required to lift it, was stolen.  The cart was found abandoned in a hiking trail.  The 20 Apple MacBook laptops inside the cart were missing, naturally.

    The cart in question was a lockable one.  Whether the cart was actually locked is not revealed; however, seeing how it was ditched in a considerably remote place, I think it's safe to assume that perhaps the burglars needed a quiet place with little foot-traffic where lots of noise could be made without attracting attention.  That is, they needed to bust open the lock.

    Locks: that's good security.  But, the use of a cart is bad security.  It doesn't matter whether a cart is heavy enough that it requires two people to lift it; by definition, it rolls on flat surfaces.  Add the fact that schools have handicap access and you've got an excellent way to steal 20 laptops.  Heck, if you need to run (literally) and steal more than 10 laptops, a cart is probably the way to go.

    If you're considering security for your laptops, locking them up is a great way to protect them.  Combine it with data security, such as AlertBoot's secure FDE service (encryption software), and now you've ensured asset and data protection.  But, pay attention to details.  If I had seen where the laptops were being locked at Strawberry Point Elementary, I would have pointed out how easy it would be to steal the laptops.


    Related Articles and Sites:
    http://millvalley.patch.com/articles/burglars-strike-school-district-again-in-alleged-strawberry-laptop-heist
    http://www.mercurynews.com/breaking-news/ci_19097319
    http://marinscope.com/articles/2011/10/12/all/breaking/doc4e95e477f0418992168233.txt

     