AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

November 2012 - Posts

  • Anonymised Data In Europe: UK ICO And German ICPP Agree Impossible To Provide 100% Protection

    The UK's Information Commissioner's Office (ICO) and Germany's Independent Centre for Privacy Protection (more specifically, the data protection authority of the Schleswig-Holstein region) have agreed that anonymised (or, as Americans generally spell it, "anonymized") personal data need not guarantee full privacy.  In a sense, this makes sense when you consider that the use of encryption software like AlertBoot is seen as complying with data security laws, even though it cannot provide 100% protection either (for example, there's always the risk of someone sticking a Post-It with the username and password to the bottom of a laptop).

    Compliance with DPA, German Privacy Laws

    The ICO, according to out-law.com, has released a new code of practice that deals with the anonymisation of personal data.  In short, the ICO has come to the conclusion that perfect anonymity is not possible, and compliance with the Data Protection Act will be considered satisfied if certain guidelines are followed.  The fears of "re-identification" -- where anonymised data can be traced back to a particular individual by combining it with a different data set -- are acknowledged but the residual risk is also deemed "acceptable" (for lack of a better description):

    "There is clear legal authority for the view that where an organisation converts personal data into an anonymised form and discloses it, this will not amount to a disclosure of personal data," the ICO said. "This is the case even though the organisation disclosing the data still holds the other data that would allow re-identification to take place."

    The Schleswig-Holstein counterpart to the ICO, the ICPP (in German, the Unabhängiges Landeszentrum für Datenschutz, or ULD), noted the same:

    "The [German] legal commentary argues that in some cases (similar to the ICO) 100% anonymity is not possible to achieve, but that the risk has to be minimal," Marit Hansen, deputy Privacy & Information Commissioner in Schleswig-Holstein said.

    Out-law.com further summarised the ICO's position as follows:

    It can be difficult for organisations to know whether data they have anonymised can still be classed as 'personal data'. It said, though, that a High Court ruling had made clear that "the risk of identification must be greater than remote and reasonably likely for information to be classed as personal data under the DPA".

    In other words, you don't get carte blanche to spread personal data around by calling it anonymised: a real effort must have been made to ensure the protection of personal data.  This is not so surprising when you consider the level of importance that the ICO attaches to the protection of personal data.  This is especially so once you've read how the rate at which biscuits are made could be considered personal data under the Data Protection Act.

    Among other things of interest that were mentioned:

    • Care must be taken that attempts to re-identify information do not lead "to the misidentification of an individual"
    • Safeguards must be placed to limit the number of people who can access the anonymized data
    • Attempts to re-identify the data should be conducted (in order to see how well the anonymization is working)

    That last part was actually developed more by Marit Hansen:

    "A later assessment [of anonymised data] may reveal that the protection may not be regarded adequate anymore. But then harm may already be done, and it would not be sufficient to delete the data (copies may be available, the re-identification may have been conducted already).... anonymisation does not only mean to assess the risk once, but also to think of future risks, act accordingly (e.g. to refrain from publishing these data on the internet) and assess the risk again if the conditions may have changed."
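    The re-identification attempt the guidelines recommend, and the repeat assessment Hansen describes, look like this in practice.  The following is an added example written for this post; it is not code from the ICO, the ULD or AlertBoot.  The two data sets (an "anonymised" medical release and an auxiliary staff list), the field names and the people in them are all constructed for illustration; the attack is a plain linkage (join) on the quasi-identifiers that survived anonymisation, and the k-anonymity figure is the size of the smallest group of records that share those quasi-identifiers.

```python
from collections import Counter, defaultdict

# Constructed "anonymised" release: names removed, but the quasi-identifiers
# (postcode district, birth year, sex) are published as-is. Records are made up.
ANONYMISED = [
    {"postcode": "SW1A", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "EH1",  "birth_year": 1982, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "EH1",  "birth_year": 1982, "sex": "M", "diagnosis": "migraine"},
    {"postcode": "M1",   "birth_year": 1990, "sex": "F", "diagnosis": "eczema"},
    {"postcode": "B1",   "birth_year": 1990, "sex": "F", "diagnosis": "psoriasis"},
]

# Constructed auxiliary data the attacker already holds (say, a staff list).
AUXILIARY = [
    {"name": "Alice Example", "postcode": "SW1A", "birth_year": 1975, "sex": "F"},
    {"name": "Bob Example",   "postcode": "SW1A", "birth_year": 1975, "sex": "M"},
    {"name": "Carl Example",  "postcode": "EH1",  "birth_year": 1982, "sex": "M"},
    {"name": "Dan Example",   "postcode": "EH1",  "birth_year": 1982, "sex": "M"},
    {"name": "Eve Example",   "postcode": "M1",   "birth_year": 1990, "sex": "F"},
    {"name": "Fay Example",   "postcode": "B1",   "birth_year": 1990, "sex": "F"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values a linkage attack joins on."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifiers.
    k == 1 means at least one record is unique on those fields, hence linkable."""
    return min(Counter(qi_key(r, fields) for r in records).values())


def link(anonymised, auxiliary, fields=QUASI_IDENTIFIERS):
    """Linkage attack: join the release to the auxiliary data on the
    quasi-identifiers. Returns (identified, ambiguous): identified maps a
    name to the single diagnosis that matches it; ambiguous lists the
    candidate diagnoses where the match is not unique (guessing there is
    the 'misidentification' risk the ICO code warns about)."""
    groups = defaultdict(list)
    for r in anonymised:
        groups[qi_key(r, fields)].append(r["diagnosis"])
    identified, ambiguous = {}, {}
    for person in auxiliary:
        candidates = groups.get(qi_key(person, fields), [])
        if len(candidates) == 1:
            identified[person["name"]] = candidates[0]
        elif len(candidates) > 1:
            ambiguous[person["name"]] = sorted(candidates)
    return identified, ambiguous


def generalise(records):
    """Cheap mitigation: coarsen the quasi-identifiers (birth year -> decade,
    postcode and sex suppressed). On the sample data every group then has at
    least two members, at the cost of most of the release's usefulness."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = r["birth_year"] // 10 * 10
        g["postcode"] = "*"
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(ANONYMISED))
    ident, amb = link(ANONYMISED, AUXILIARY)
    print("re-identified:", ident)
    print("ambiguous:", amb)
    # The attacker can apply the same generalisation to their own data, so the
    # assessment has to be repeated against the generalised release, not the
    # original one (Hansen's point about assessing the risk again).
    print("k after generalisation:", k_anonymity(generalise(ANONYMISED)))
    print("re-identified after:", link(generalise(ANONYMISED), generalise(AUXILIARY))[0])
```

    Run as written, four of the six people are re-identified from the original release and the other two are ambiguous; after generalisation nobody is uniquely identified, because every group now has two members.  Note that the check must be rerun whenever a new auxiliary data set appears, which is exactly the "future risks" point made above.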


    Related Articles and Sites:
    http://www.out-law.com/en/articles/2012/november/anonymising-personal-data-need-not-guarantee-privacy-says-ico-while-german-watchdog-raises-internet-disclosure-concerns/

     
  • Bring Your Device In Government: NTSB Also Ditching BlackBerry For iPhone

    Smartphones (as long as they have proper security and actually work) are big with the government.  And when they don't work?  They get replaced: according to sources (link below), the National Transportation Safety Board (NTSB) has published a "Notice of Intent to Sole Source iPhone Devices," noting that Apple's latest smartphone will "replace NTSB's existing blackberry devices."  In this regard, it doesn't sound too different from previous announcements by government agencies -- like ICE -- that they were dropping BlackBerries for Apple iPhones.

    However, NTSB has published a justification for the transition.

    Fails at Inopportune Times and at Unacceptable Levels

    The NTSB published in its "Justification for Other than Full & Open Competition (JOFOC) Apple iPhone 5" that they'll be replacing NTSB's BlackBerries with the iPhone 5.  The reason for the switch lies in the inopportune and unacceptable failure rates for BBs:

    This requirement is for the acquisition of Apple iPhone 5 devices. These Apple devices will replace the NTSB’s existing blackberry devices, which have been failing both at inopportune times and at an unacceptable rate.   The NTSB requires effective, reliable and stable communication capabilities to carry-out its primary investigative mission and to ensure employee safety in remote locations.

    LOL.  Fails at inopportune times.  And what would be an example of a BB failing at an opportune time?  When one's mother-in-law calls?  I kid, I kid.

    Anyhow, NTSB is correct in wanting to replace a device that shows significant levels of failure, although one wonders whether this is a reference to hardware or network reliability (BlackBerry had a couple of notorious communication blackouts in the past five years).  Or both.

    Apple Devices Already in Place and in Play

    Why Apple, though?  Why not Android?  Aside from the fact that Android's more open app-distribution model was, at the time, attracting far more malware than iOS?

    Further justification comes from the fact that NTSB has already dabbled with Cupertino's patented rounded-cornered rectangles:

    The NTSB desires to transition from use of the blackberry device to the iPhone 5.  The NTSB is a small organization with limited resources.  As such, it needs to standardize on a minimum number of operating platforms.  The NTSB currently utilizes Apple iPad devices and operational support is already in place to support Apple’s IOS operating system.

    ... The NTSB also anticipates the benefit of synching of the iPad devices and the iPhone devices, allowing users to seamlessly transition between the use of multiple platforms while retaining the same applications and capabilities.

    A further justification for selecting the iPhone 5 -- despite the fact that NTSB's carrier, Verizon Wireless, will not be offering them for free (though it will at a significant discount) -- lies in the hidden total cost of the alternatives:

    Purchase of a device other than the iPhone 5 will require staff resources and additional software platform purchases that are not currently available.

    AlertBoot Mobile Security actually shines in this area: as a managed BYOD security service, it has one flat price (monthly or annual).  There is no need for an encryption expert on staff; for the purchase of hardware, such as servers, to act as a central management hub; or for software for that same hardware, such as OS licenses to run the server.  Just straight-up MDM for controlling smart devices under a BYOD program.


    Related Articles and Sites:
    https://www.fbo.gov/index?s=opportunity&mode=form&id=44cc59753207f806cc5488f8a3fe5b8e&tab=core&_cview=0

     
  • BYOD Security: IT Departments And Endusers See BYOD Differently

    The more one looks into BYOD issues, the more complex they turn out to be.  According to a new survey, most IT departments don't have a firm grasp on the level of BYOD in their organizations, and employees have no clue as to how much mobile security control is in place.  Some of that gap, I suspect, can be attributed to MDM tools like AlertBoot Mobile Security, which are transparent to end users.

    In a way, it reminds me of that optical illusion where, depending on how you're conditioned, a picture can either be the portrait of an old lady or a young woman.

    IT Blind to Rogue BYOD

    According to cio.com, a survey involving 350 people found that:

    on average, IT staffers believe that 37 percent of employees access corporate resources from their own devices. But 71 percent of employees report they do so.[cio.com]

    In other words, there are nearly twice as many BYOD users as the tech department is aware of.  This is a problem on many levels.  There are the usual security concerns, obviously, such as the potential for malware to make its way around a corporate network.  There is the unforeseen risk of a data breach due to the loss or theft of a device: if mobile device encryption is turned on, the risk is minimal, but if it isn't -- or is temporarily turned off... well, all I can say is that there have been plenty of million-dollar-plus settlements and fines over the years.

    But problems can also be of the more quotidian variety.  For example, there are only so many devices you can have connected to a wireless access point before throughput starts to degrade, meaning spotty coverage even if everyone's within 10 feet of it.  An IT department that thinks it has 30 devices connecting wirelessly to that access point might think it's time to get a new one -- a single replacement, mind you -- when the right solution is to add a second access point.

    Employees Want Freedom and Won't Tolerate Anything Else (But They Already Do)

    The same survey found that employees "have relatively little tolerance for IT placing security controls on their personal devices."  Examples given include logging both data and web content access, or being restricted in which websites one is allowed to visit.  Chiu, quoted by cio.com, explains:

    "People who are accessing these corporate networks are being logged and they don't realize it," he says. "And the regulations have come down pretty clear on this: The corporate network is a corporate-owned resource and companies are allowed to log what they want."

    "Employees just don't realize how much control's already put on them already," Chiu adds. "They don't realize until they get a block or aren't able to get to a specific site."[cio.com]

    Such logging and blocking has always existed in the corporate environment and always will.  Granted, it would be verboten if applied to a user accessing sites at home on his own time.  But in the office?  As long as a user is using corporate resources (accessing the internet via office-provided Wi-Fi counts as such), it's fair game, as Chiu points out above.

    According to the survey, for mobile devices:

    • 41% of companies log corporate data access
    • 37% limit content that can be accessed
    • 34% log content accessed via the web


    Related Articles and Sites:
    http://www.cio.com/article/722035/IT_and_Employees_See_BYOD_Security_Much_Differently

     
  • BYOD Is A Backward Trend, Says IT Sec Company Head

    The founder of a security firm in the UK, Ian Mann at ECSC, has pointed out that "'ignorant' senior managers are putting their organisations at risk when it comes to the Bring Your Own Device (BYOD) culture," according to channelbiz.co.uk.  Mann points out that BYOD is a "backward trend" and it sounds like the use of BYOD security software will not change his mind on the current state of affairs.

    Mann is not inaccurate in his assessment of smart mobile devices (although one could argue he's a bit more cynical than others -- but then, what security professional worth his salt isn't?).  Let me give you an example of why.

    A Personal Example of How Mann is Right

    Yours truly knows of a professional who set herself up for a data breach over this weekend due to the security status of a smartdevice -- in this case, an iPod Touch that is linked to her company's email.  Because of the presence of company data, the Touch (or as some call it, Apple's fake iPhone) usually has password protection turned "on."

    iOS devices -- iPads, iPhones, and iPod Touches -- already encrypt their storage out of the box.  However, it's up to the device's user to set a passcode, because the passcode is what protects the keys to that data: without one, anyone who picks up the device simply unlocks it.  (Without the passcode, the encryption is "just sitting there."  Think of it as the world's strongest safe that opens the moment you turn the handle because it's not locked.)

    Anyhow, returning to the professional -- she was using the stopwatch on her Touch and found that the device auto-locked after one minute of inactivity.  She decided to remove her passcode temporarily, intending to enable it again once she was done using the timer.

    However, she forgot to do so.  It took her over a day to realize that she wasn't being prompted for a password when using her iPod Touch, which she promptly rectified.  They say that all's well that ends well, but the truth is that she had set herself up for a potential data breach.

    On a related note, certain BYOD security measures, such as AlertBoot's Mobile Security software, could have prevented the above.  One of the settings is the enforced use of a passcode.  My friend would have found it impossible to turn off her passcode had her company used our mobile security management software.
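    To make the "enforced passcode" setting concrete, here is an added example (written for this post; it is not AlertBoot's code and not an Apple tool) that builds an iOS passcode-policy configuration profile with Python's plistlib and then lints a profile for the settings that would have allowed the incident above.  The payload key names (forcePIN, allowSimple, minLength, maxInactivity, maxFailedAttempts) are Apple's documented passcode-policy keys; the organisation name, payload identifiers and the thresholds in the lint are placeholders chosen for illustration.

```python
import plistlib
import uuid

# Apple's passcode-policy payload type. Key names follow Apple's Configuration
# Profile Reference; identifiers and the organisation name are placeholders.
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def passcode_payload(force_pin=True, allow_simple=False, min_length=6,
                     max_inactivity=5, max_failed_attempts=10):
    """One passcode-policy payload. With force_pin=True the user cannot
    remove the passcode from Settings, which is the control that would have
    stopped the iPod Touch owner above from switching hers off."""
    return {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": force_pin,                     # passcode required, not removable
        "allowSimple": allow_simple,               # False: no 1111 / 1234 style codes
        "minLength": min_length,
        "maxInactivity": max_inactivity,           # minutes idle before auto-lock
        "maxFailedAttempts": max_failed_attempts,  # device is erased once exceeded
    }


def build_profile(payloads, organisation="Example Org"):
    """Wrap payloads in a top-level configuration profile and serialise it to
    .mobileconfig XML, the form an MDM server pushes to the device."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile.passcode",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode enforcement",
        "PayloadOrganization": organisation,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def weak_settings(profile_bytes, min_length=6, max_inactivity=15):
    """Lint a .mobileconfig: return findings that would let a user end up with
    no passcode, or a weak one. An empty list means the policy holds. The
    thresholds are this example's choices, not an Apple or AlertBoot default."""
    profile = plistlib.loads(profile_bytes)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not policies:
        return ["no passcode payload: the user can remove the passcode at will"]
    findings = []
    for p in policies:
        if not p.get("forcePIN", False):
            findings.append("forcePIN is false: the passcode can be turned off")
        if p.get("allowSimple", True):   # Apple's default when the key is absent
            findings.append("allowSimple is true: repeating or sequential codes are allowed")
        if p.get("minLength", 0) < min_length:
            findings.append("minLength below %d" % min_length)
        if not 0 < p.get("maxInactivity", 0) <= max_inactivity:
            findings.append("maxInactivity missing or longer than %d minutes" % max_inactivity)
    return findings


if __name__ == "__main__":
    good = build_profile([passcode_payload()])
    print(good.decode())
    print("findings (enforced):", weak_settings(good))
    # The "temporarily turned off" state from the story, expressed as policy.
    weak = build_profile([passcode_payload(force_pin=False, allow_simple=True,
                                           min_length=4, max_inactivity=1)])
    print("findings (lax):", weak_settings(weak))
```

    The one-minute auto-lock that annoyed the user in the story is maxInactivity; an administrator can relax that to a few minutes while keeping forcePIN set, which is the combination that keeps the user from disabling the passcode altogether.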

    Security vs. Everything Else

    As the above shows, smartphones and other BYOD-enabling tools can pose a real threat, even when they are supposedly secure.  But, is "banning these devices" the answer?

    Ian Mann, founder of ECSC, said  information security professionals all recognised the risks as devices outside of organisational control were a source of vulnerabilities.

    He added these devices were "a route" for hackers to obtain confidential information, and this area is likely to be the next big cause of security breaches.

    However, instead of banning these devices completely the company wants organisations to step back and "assess the risks". [channelbiz.co.uk]

    Completely banning devices.  Well, that's one answer -- and the best, in terms of maintaining top-notch security.  However, it comes at the expense of productivity.  As is often noted, the most secure computer in the world is one that is not connected to the internet, is locked up in a room, and is not allowed to be touched by anyone.  It's also the world's most useless computer.

    Plus, what about the laptop computer, which is no different from a smartphone or a tablet as a data storage and processing device?  Would Mann also argue that laptops were a backward trend?  Possibly.  But I doubt it...although I do assume that Mann's quotes have been taken out of context.

    Truth be told, there's a higher risk of a laptop computer being at the heart of a data breach than a device being used as part of a BYOD program.  Records of HIPAA data breaches involving 500 or more patients, at least, support this:  In 2012, to date, laptops account for 29 data breaches.  "Other portable electronic devices" account for 12 data breaches, and that category includes not only smart devices but external hard drives and USB memory sticks.  Paper documents account for 11 data breaches.

    The answer is something in the middle of the road, between digital laissez-faire and complete lockdown.  The use of MDM software like AlertBoot represents this middle road.


    Related Articles and Sites:
    http://www.channelbiz.co.uk/2012/11/19/byod-ignorant-managers-putting-it-security-at-risk/

     
  • Advanced Technology Encryption: NASA Will Encrypt All Laptops

    NASA, the US National Aeronautics and Space Administration, is forbidding staff from removing laptop computers from its facilities until they have been protected with laptop encryption.  The order follows an announcement that NASA had yet another laptop stolen, on October 31.

    NASA: Not Actually Securing Anything?

    According to the BBC, NASA has ordered staff not to remove agency-issued laptops from facilities until they are protected with encryption software.  The straw that broke the camel's back is an October 31 incident: a laptop computer was stolen from an employee's car in Washington, D.C.  The computer contained sensitive, personally identifiable information (PII).  The report did not specify what it could be, although PII can range anything from names and addresses to SSNs, credit card numbers, and various forms of financial information.

    Password protection was used to secure the content, but as is common knowledge among geeks and technologists, an operating-system login password does not protect the data on the disk: pull the drive, or boot the machine from other media, and the files are readable without ever entering that password.  Only encryption ties the data to a secret.  The fact that this is lost on rocket scientists would tickle me silly if it were not so sad.

    NASA is alerting its employees that they should take care not to be phished.  A full review of the lost data could take up to 60 days.

    Fine Print

    Reading the actual agency-wide message, it's quite clear that NASA is not, for now, forbidding staff from taking home every agency laptop.  If you read the fine print (via spaceref.com):

    The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data.

    As long as the laptop doesn't contain information such as the above, it should be fine.  The problem in this era of terabytes, though, is whether one can be absolutely sure that he or she is not carrying sensitive information.

    Such pragmatic concerns are what led certain IT security advocates to deploy full disk encryption software on all laptops, regardless of who is using them or for what purpose, if there is even a remote chance of sensitive data ending up on them (because the organization handles sensitive data).

    NASA appears to be playing a page from that book:

    Center CIOs have been directed to complete the whole disk encryption of the maximum possible number of laptops by November 21, 2012. NASA plans to complete the laptop encryption effort by December 21, 2012, after which time no NASA-issued laptops without whole disk encryption software, whether or not they contain sensitive information, shall be removed from NASA facilities.

    So, for the time being, the US's premier (and only) space agency will allow unencrypted laptops to be taken in and out of facilities but all of it ends 10 days before the end of the year.  Why ten days?  Who knows -- maybe they like the fact that the dates are all ones and twos: 12/21/2012. (It's a stupid suggestion because, among other things, there's an errant zero in the mix).

    While one congratulates NASA for the above, one has to wonder what took them so long.  I mean, they had a similar incident over a year ago, in March 2011, and another earlier this year.

    I guess that saying about good and bad things coming in three must be true.


    Related Articles and Sites:
    http://www.bbc.co.uk/news/technology-20343745
    http://science.slashdot.org/story/12/11/15/1513227/nasa-to-encrypt-all-of-its-laptops

     
  • iPad Security: $1.5 Million In iPad Mini Tablets Stolen From JFK

    It's not news that smart devices like tablets, including iPads, and laptop computers are lost or stolen at airports.  Hence the existence of (and need for) tablet and laptop encryption software like AlertBoot.

    But then, there is theft and then there is theft.  The New York Post is reporting, exclusively, of an airport heist that ties the movie Goodfellas to iPad Minis: $1.5 million dollars worth of the newly debuted tablets were stolen from the same JFK hangar that was a central plot device in the movie (and in real life).

    The More Things Change, the More They Stay the Same...Kind of

    Apparently, crooks used one of the airport's forklifts to load two pallets of iPad Minis onto a truck.  Three more pallets were left behind when an airport worker challenged the crooks.  An unfortunate event for the crooks, who appear to have done their homework:

    The crooks arrived at Building 261 around 11 p.m. in a white tractor trailer marked with the name CEVA on the side, according to the sources. They pulled up to the side of the airport building that faces onto a street and has less security than the other side, which is accessible from the airport tarmac.  [nypost.com]

    A total of 3,600 iPad Minis were stolen.  This latest heist pales in comparison to the Lufthansa robbery that was featured in Goodfellas.  As the nypost.com article goes on to note, "that haul would be some $21 million if adjusted for inflation."

    There's also reason to believe that it was an insider job, and some airport employees have gone through a polygraph test.

    A commentator, Christopher Shaw, left the following insight:

    This story's facts are wrong. I own an air freight forwarder at JFK. CAS, Cargo Airport Services is not a shipper, they are the contracted handling agent for many of the warehouses at JFK. The warehouse workers are employed by and report to them. They work on behalf of the airlines, onloading, offloading and handling the freight onto trucks and planes. CEVA is a freight forwarder. If their truck wasn't stolen or "borrowed" they were likely the forwarder involved in the job. If not, another forwarder imported these items and submitted the paperwork to the airline. Someone either at the forwarder or at the warehouse knew these were coming in and organized the theft. They will easily be tracked to the theft. It's not a question of if but when. Theft is a huge problem with CAS workers, we have had problems with high end computer equipment in the past. Security is also very lax, many of those employees from India, Pakistan and Guyana. The entire chain of command in the cargo areas is manned by 3rd world immigrants with pretty low standards. Not the way it used to be.

    I could do without the race-baiting -- I bet I can find plenty of people of any nation, color, or creed who are lax when it comes to security -- but the observations regarding JFK's cargo terminal operations, if accurate, mean that the situation could end up like the 1978 Lufthansa heist in terms of figuring out what happened: the FBI eventually worked out who was behind that one, but the whacking of known associates meant the authorities couldn't produce any evidence.

    I found the best parting shot on this story at cnet.com:

    Steve Jobs really was way off when he said no one would ever want a smaller tablet; turns out they're worth risking jail time for.

    The Other Type of Theft at Airports

    Of course, the above is not generally how tablets, smartphones, and laptops are lost at airports.  Generally, they're either left behind (nearly 8,000 in the past year at the nation's top airports alone; see http://www.alertboot.com/blog/blogs/endpoint_security/archive/2012/07/07/tablet-security-nearly-3500-tablets-and-smartphones-lost-at-top-us-airports.aspx) or stolen on a device-by-device basis (retail theft, if you will, as opposed to today's reported wholesale theft).

    It's important to remember that tablets, smartphones, and laptops (and any other portable digital devices) are essentially databases full of one's life; possibly databases full of other people's lives as well.  If a portable device is being used as designed -- being used while on the move -- it behooves the user to ensure proper portable device security and encryption is in place.

    For companies and organizations that are willing to step in where users may fail, the use of a MDM security suite that is cloud-based could provide an affordable yet powerful way to boost BYOD security.


    Related Articles and Sites:
    http://www.nypost.com/p/news/local/ipad_heist_at_jfk_KUg25OxRZ3Xgpk58H7fXwJ
    http://news.cnet.com/8301-13579_3-57550353-37/$1.5-million-worth-of-ipad-mini-tabs-stolen-from-jfk/

     