AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

December 2012 - Posts

  • Medical BYOD: Use Of Smartphones Means HIPAA Breaches To Increase

    BYOD is making quick strides into numerous businesses, agencies, and organizations.  It might not be surprising to find, then, that many medical establishments are either taking interest in the "Bring Your Own Device" trend or actively embracing it.  However, BYOD requires proper security, a couple of reports warn.

    HITRUST and Ponemon: Most Breaches from Loss or Theft

    The site csoonline.com notes that HITRUST – the Health Information Trust Alliance – and the Ponemon Institute have released reports about data breaches in medical settings.  The HITRUST report notes that between 2009 and 2012, data breaches decreased at hospitals and health systems but increased in smaller practices.  The latter account for 60% of the 459 breaches that involved 500 or more people.  The report also notes that, as of May 2012, approximately 57,000 breaches involving fewer than 500 people had been reported to the Department of Health and Human Services.

    The Ponemon report found that "94% of healthcare organizations reported at least one data breach during the past two years. [45%] reported more than five breaches."

    And, despite all the coverage devoted to hackers and malicious software being spread online, the causes of the breaches, according to both reports, were skewed towards the ordinary:
    Both studies found that the most common causes of the breaches were not from hacking or malware but the loss or theft of devices and employee errors. The HITRUST report found that only 8% of the breaches were caused by hacking and/or malware. [csoonline.com]
    In other words, a FIPS 140-2 compliant encryption software package would significantly cut down on medical data breach incidents.

    What Does This Mean for BYOD in Medical Settings?

    What do people tend to lose more than laptops?  Phones.  Statistics-wise, this only makes sense because of the numbers involved: on any given day, you've literally got hundreds of millions of people moving about with cellphones in the US.  How many actually carry their laptops everywhere they go on a daily basis?  Whatever the actual figure, it's probably many factors lower than mobile phones.

    Could mobile phones and other smart devices become a new frontier where data breaches are concerned?  They already are, according to Ponemon:
    Ponemon reported that 81% of its survey respondents said they allowed BYOD to access organizational data, and 54% said they were not sure if those devices were secure. [csoonline.com, my emphasis]
    Csoonline.com also notes that a separate report showed that:
    two-thirds of hospitals ... reported that their nurses use their personal smartphones while on the job for personal and clinical communications ... [but] IT support for those devices is lacking
    Uh... what?  Medical organizations are among the most heavily regulated.  HIPAA concerns, at least, should be at the forefront of the mind of anyone working in such a setting, be it a doctor, nurse, security guard, or administrator.  That includes IT personnel.

    The fact that they are allowing personnel to move data in and out of the organization in devices that are not secure is bonkers.  Yeah, there are other words I could have used, but that's what it is: bonkers.

    Perhaps some think that the use of BYOD currently occupies a legally gray area where one's not sure whether the organization or the individual would be to blame if a data breach were to occur.  Although I'm not a lawyer, I can vehemently assert that no such gray area exists: under HIPAA, it's the "owner" of the data that is held responsible.  Since patient data is legally collected by the medical organization, it is up to the organization to ensure that the data is not breached.

    So, if PHI ended up on someone's iPhone, the phone got lost, it was retrieved by a well-meaning citizen, and he or she poked about in the device and found the PHI – that is a HIPAA data breach.

    In order to ensure this doesn't happen, it's advised that the devices in use at least be encrypted and secured by a password.  BYOD management software like AlertBoot's Mobile Security can help ensure that smartphones and tablets are properly encrypted and secured with a password that is strong (and also guarantee that the user doesn't turn off this protection).

    Related Articles and Sites:
    http://www.csoonline.com/article/723678/with-byod-data-breaches-just-waiting-to-happen
     
  • Australia Encryption Problems: Russian Hackers Use Crypto For Data Ransom

    Hackers of the Russian variety are holding the Miami Family Medical Centre hostage for $4,000.  That's Miami, Queensland (Australia) and not Miami, Florida.  That's right, there's a Miami in Australia.  Perhaps just as surprising is the news that encryption software like AlertBoot can be used, not to protect data, but to corrupt it.

    Server Hijacked, Encrypted

    The Miami Family Medical Centre has announced that hackers are demanding $4,000 Australian (about $4,200 US) to provide the encryption key that will unlock the center's own data.  According to spokespeople for the center, they had proper security in place – firewalls, antivirus software, etc. – and believe that in this case

    the hackers had "literally got in, hijacked the server and then ran their encryption software".

    "It's people who know how to break in past firewalls and hack passwords to get onto the server. We're trying to work out how to pay the hackers or find someone to decrypt the information." [pulseitmagazine.com.au]

    Well, I'm sure Mr. Wood doesn't mean "literally got in."  But, the rest of the statement sounds par for the course: "ransomware" usually involves hackers infiltrating an organization's network, finding a server with essential data, and encrypting it.  Since only the hackers know what the key is, they'll offer it in exchange for money, in this case, $4,000.

    When you consider that cracking crypto is nearly impossible if strong encryption is used, such as the AES-256 used in AlertBoot's full disk encryption, the $4,000 is almost worth it.  Even if the data can be regained via methods other than acquiring the hackers' encryption key, it would probably end up cheaper to pay off the aggressors.

    On the other hand, if one has daily backups, it might be easier and cheaper to restore the data using these than paying off the extortionists.  After all, where's the guarantee that they'll send the key after being paid?

    Encryption: One Facet of Data Protection

    Many people hear the word "encryption" and assume "data protection."  It's not an incorrect reaction to have.  After all, one of the best ways to secure data is via the use of good, strong crypto.  However, it's not the only method.  And, like most tools, it can be used for good or evil.

    In order to maximize the protection that comes from using encryption, you must also ensure that you have proper backups of the data (which should also be encrypted).  Proper backups are necessary not only as a contingency plan for instances where hackers hijack your data, but as an arrangement for all the other things that could happen: your computer gets stolen; your data gets corrupted; your office burns down; etc.

    In other words, these are the same reasons backups are a good idea in the first place, with or without encryption.  Except that, with encryption in place, there's even more reason to have them.


    Related Articles and Sites:
    http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=1250:hacked-medical-centre-not-the-first&catid=16:australian-ehealth&Itemid=327
    http://www.bbc.co.uk/news/technology-20663685
    http://www.net-security.org/secworld.php?id=14091

     
  • Android Security: Google's Application Verification Service "Nascent," Lacking

    According to a researcher at North Carolina State University (who has been quite prolific when it comes to Google Android security issues), Android's application verification in Jelly Bean -- aka Android 4.2 -- is a welcome feature but also lacking when it comes to mobile security.  But he appears to foresee an improvement.  For the time being, it looks like third party mobile security programs are still necessary on the world's most popular mobile platform.

    What is Application Verification?

    Google's application verification (app verification) is a security enhancement that "can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation" (android.com).

    How does it work?  According to Dr. Jiang at NCSU,

    When an app is being installed (Step 1), the service, if turned on, will be invoked (Step 2) to collect and send information about the app (e.g., the app name, size, SHA1 value, version, and the URL associated with it) as well as information about the device (e.g., the device ID and IP address) back to the Google cloud (Step 3). After that, the Google cloud will respond with a detection result (Step 4). If the app is not safe, the user is then shown a warning popup (Step 5) flagging the app as either dangerous or potentially dangerous. Dangerous apps are blocked from being installed, while potentially dangerous ones instead alert users and provide an option to either continue or abort the installation (Step 6) with a warning popup. [ncsu.edu]

    The original site has a helpful diagram.

    Does it Work?

    According to Dr. Jiang, it does, but with a detection rate of only 15 percent when run against malware samples obtained via the Android Malware Genome Project.  If that figure seems low, you'd be right.  When a separate test was run using randomly selected malware, the detection rates for third party security tools ranged from 51% to 100%, whereas Google's app verification detected 20% of the malware.

    One of the problems appears to be how Google's app verification detects malware signatures:

    our study indicates that the app verification service mainly uses an app's SHA1 value and the package name to determine whether it is dangerous or potentially dangerous. This mechanism is fragile and can be easily bypassed. It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it). [ncsu.edu]

    Another problem is the completeness of Google's set of known malware: "it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names)."
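    The six-step flow quoted above, reduced to its server-side lookup, as an added example (not code from the original post, Google, or NCSU).  The blocklist and APK bytes are constructed; the `verify_with_package_heuristic` function is an assumed client-side heuristic added to show one coarser signal a verifier could layer on top of an exact (SHA-1, package name) match.

```python
import hashlib
from dataclasses import dataclass

DANGEROUS = "dangerous"
POTENTIALLY_DANGEROUS = "potentially dangerous"
SAFE = "safe"


@dataclass
class AppInfo:
    name: str
    package: str
    apk_bytes: bytes          # constructed stand-in for the APK file contents

    def sha1(self) -> str:
        return hashlib.sha1(self.apk_bytes).hexdigest()


def cloud_lookup(blocklist: dict, sha1: str, package: str) -> str:
    """Steps 3-4: the server-side check, keyed only on (SHA-1, package name)."""
    return blocklist.get((sha1, package), SAFE)


def verify_install(app: AppInfo, blocklist: dict) -> tuple:
    """Steps 2-6: returns (verdict, install_allowed, user_prompted)."""
    verdict = cloud_lookup(blocklist, app.sha1(), app.package)
    if verdict == DANGEROUS:
        return verdict, False, False        # blocked outright
    if verdict == POTENTIALLY_DANGEROUS:
        return verdict, True, True          # warning popup; user may continue or abort
    return verdict, True, False


def verify_with_package_heuristic(app: AppInfo, blocklist: dict) -> tuple:
    """Assumed heuristic (not Google's): an unknown checksum under a package name
    that already appears in the blocklist is treated as potentially dangerous."""
    verdict, allowed, prompted = verify_install(app, blocklist)
    if verdict == SAFE and any(pkg == app.package for _, pkg in blocklist):
        return POTENTIALLY_DANGEROUS, True, True
    return verdict, allowed, prompted


# Constructed sample: a known-bad APK and a repackaged copy whose bytes differ.
KNOWN_BAD = AppInfo("FreeGame", "com.example.freegame", b"constructed-apk-bytes-v1")
REPACKAGED = AppInfo("FreeGame", "com.example.freegame", b"constructed-apk-bytes-v2")
BLOCKLIST = {(KNOWN_BAD.sha1(), KNOWN_BAD.package): DANGEROUS}

if __name__ == "__main__":
    print(verify_install(KNOWN_BAD, BLOCKLIST))                 # blocked
    print(verify_install(REPACKAGED, BLOCKLIST))                # missed: new SHA-1
    print(verify_with_package_heuristic(REPACKAGED, BLOCKLIST))  # flagged for the user
```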

    For the time being, it looks like users of Android devices should give a good, hard look at what they're installing and consider the use of security apps, including those that come with AlertBoot's MDM software for Android and iPhone.


    Related Articles and Sites:
    http://www.cs.ncsu.edu/faculty/jiang/appverify/
    http://it.slashdot.org/story/12/12/10/1428204/google-app-verification-service-detects-only-15-of-infected-apps
    http://developer.android.com/about/versions/jelly-bean.html

     
  • HIPAA Data Security: You Use A Safe? What If That Safe Gets Stolen?

    News from Dayton, Ohio: a chiropractor reported the theft of a safe (strongbox) and a laptop from his (her?) office.  The safe was "full of computer disks."  It is not known whether data disk encryption like AlertBoot was used to safeguard the contents of the disks and the laptop (although yours truly believes that, in the case of the safe-bound disks, the answer is probably "no").

    Who Protects the Protectors?

    Storing sensitive data like PHI – protected health information – in safes is very strongly encouraged by many guidelines that deal with HIPAA/HITECH issues.  In light of this, the above theft is quite ironic: sure, the disks are protected, but what's protecting the safe?  Apparently, the answer is "nothing."

    In contrast to physical deterrents like the aforementioned safe, one of the advantages of full disk encryption, or any other type of encryption solution, is that the protection moves in tandem with the data.  Under ordinary circumstances, it's well-nigh impossible to reach the actual data without first defeating the encryption protection in place.  It's no surprise, then, that the use of encryption provides safe harbor from the Breach Notification Rule that is part of HITECH.

    This rule specifies that individuals affected by a PHI breach must be contacted within 60 calendar days.  Other requirements are also triggered depending on the circumstances, such as the number of people affected: if more than 500 are involved, the covered entity must report it to the Department of Health and Human Services.  The agency will go public with the information.

    To make a long story short: safes are good; encryption is better; safes and encryption together are best... unless you're actually looking forward to being involved in a HIPAA data breach.

    Is the Above a HIPAA Breach?

    Well, it depends.  The article at newstalkradiowhio.com notes that "it is unknown if any patient records were taken during the theft," implying that there is a chance that those disks stored in the safe didn't contain patient info (which raises the question: what did they contain?).

    But, even if PHI was stored in either the laptop or the disks, their theft is not an automatic HIPAA breach.  While the chiropractor does have to reach out to his/her clients, it could very well be that an investigation rules the above as anything but a HIPAA breach.  How so?

    I'm no lawyer, but after reading and listening to the opinions and arguments of legal eagles who focus on health information and privacy issues, it turns out that a HIPAA breach, among other things, must show, in essence, recklessness or contempt (or both).  A guy who stores disks in a safe shows neither.


    Related Articles and Sites:
    http://www.phiprivacy.net/?p=10723
    http://www.newstalkradiowhio.com/news/news/crime-law/safe-stolen-from-dayton-chiropractic-office/nTFwF/

     
  • Laptop Data Security In China: Always Keep It With You??

    Are you traveling to China or Russia for business?  Taking a laptop computer or smartphone?  You might want to rethink that, according to infoworld.com.  If you must, you should "assume government or industry spooks will steal your data and install spyware."  One of the ways to combat this particular sense of paranoia?  Laptop encryption – like AlertBoot, which fully encrypts a laptop's hard drive – among other tips and practices.

    China, Russia Frequently Identified as High Risk Areas

    "Just because you're paranoid doesn't mean they aren't after you" is how Joseph Heller described one of life's little ironies in Catch-22.  And while the book might be a work of fiction, it certainly translates to real life.  The paranoia, I mean.  An article at infoworld.com shows how:

    • A traveler's Android phone automatically updates itself without the consent of the owner at a Chinese hotel.
    • Another businessman's BlackBerry phone won't boot up after his trip to China.  Forensic analysis is being conducted on the device.
    • It is known that hotel personnel will enter guests' rooms and plant spyware.

    The examples run on and on...

    Paranoia or reality?  Probably a little from column A, a little from column B.  Wherever the truth may lie, one thing's for certain: if you're taking computing devices overseas, and these contain sensitive information, applying proper protection in the form of encryption software is a good idea.  In fact, it's a good idea even if you're not going overseas.

    (And encryption is just one of a number of tips that are listed: never leave your laptop alone; take a spare, scrubbed device; be aware of internet connections; and limit remote access to devices.)

    Data Breaches: They Strike like Dust in Brownian Motion

    In other words, there's really no way to tell when a data breach might strike.  For example, perhaps you've never lost a laptop in your life, either due to a mistake or theft.  But, this is not entirely because you happen to be really conscientious: you may be able to control the former, but the latter is out of your hands.

    Having established, then, that a data breach can strike anyone at any time, why would it make more sense to use encryption if you have to travel overseas but not while you're in your own home country?  After all, it's not as if the western world is immune to "home field" data breaches.

    It might be appropriate in the sense that since you're going into a high risk area, the risks are elevated, and so encryption is necessary.  But risk is not independent of time.  If you're in a high risk area for a short time but in a low risk area for a long time, then, the latter might actually present more of a risk.

    Think of it this way: what are the chances that you'll be able to flip a coin and get 10 heads in a row in 30 seconds versus getting 15 heads in a row in a lifetime?


    Related Articles and Sites:
    http://www.infoworld.com/d/security/when-in-china-dont-leave-your-laptop-alone-208168?page=0,0

     
  • Password Security: Researcher's Rig Cracks 348 Billion Hash Checks Per Second

    A key foundation of practical modern encryption rests with the password.  For example, users of AlertBoot Mobile Security provide a password when trying to access the contents of an encrypted computer; otherwise, there is no way to get around the strong encryption protection.  So, the security associated with the password is of intense interest.  One especially debated password security parameter: length.

    Depending on the situation, some researchers have noted that passwords shorter than 12 characters should be considered "weak" (in other words, unusable).

    Password lengths are under attack again (still?): researcher Jeremi Gosney has debuted at the Passwords^12 Conference a server rig that can bruteforce 348 billion password hashes per second.

    Windows XP Password Defeated in 6 Minutes

    According to securityledger.com, the organizer of the conference, Per Thorsheim, noted that "Passwords on Windows XP? Not good enough anymore."  The reason?  The system can go through passwords like a hot butter knife through...well, butter:

    348 billion NTLM password hashes per second.  In other words, any WinXP password would fall in approximately 6 minutes:

    LM is what is used on Win XP, and LM converts all lowercase chars to uppercase, is at most 14 chars long, and splits the password into two 7 char strings before hashing -- so we only have to crack 69^7 combinations at most for LM. At 20 G/s we can get through that in about 6 minutes. With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours. [securityledger.com]

    Of course, under certain instances, things like this are a moot point.  For example, you can defeat the same Windows XP password by slaving the hard drive to another computer, or booting up the computer in question with a Linux distro CD.  Still, the fact that it only takes 6 minutes to guarantee entry into a machine running XP is very impressive.
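    The keyspace arithmetic behind the 6-minute and 5.5-hour figures quoted above, as an added example (not code from the original post or from securityledger.com).  It models LM's uppercase/truncate/split-into-halves handling, then carries the same calculation through to the 12-character threshold mentioned earlier; the 69- and 95-character alphabet sizes and the 20 G/s and 348 G/s rates are taken from the quote.

```python
LM_RATE = 20e9          # LM hashes per second, per the quote
NTLM_RATE = 348e9       # NTLM hashes per second, per the quote

LM_ALPHABET = 69        # case-folded alphabet the quote assumes for LM
NTLM_ALPHABET = 95      # printable ASCII the quote assumes for NTLM


def lm_halves(password: str) -> tuple:
    """Model LM's pre-hash handling: uppercase, cap at 14 chars, NUL-pad, split 7/7."""
    p = password.upper()[:14].ljust(14, "\0")
    return p[:7], p[7:]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` chars over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Seconds needed to try every candidate at the given hash rate."""
    return keyspace(alphabet_size, length) / rate


def lm_worst_case_seconds(rate: float = LM_RATE) -> float:
    # Each 7-char half is attacked on its own, so the cost is 69**7, never 69**14.
    return worst_case_seconds(LM_ALPHABET, 7, rate)


def ntlm_worst_case_seconds(length: int, rate: float = NTLM_RATE) -> float:
    # NTLM hashes the whole password, so every added character multiplies the work by 95.
    return worst_case_seconds(NTLM_ALPHABET, length, rate)


if __name__ == "__main__":
    print(lm_halves("Correct-Horse-Battery"))        # ('CORRECT', '-HORSE-')
    print(f"LM, 69^7 at 20 G/s: {lm_worst_case_seconds() / 60:.1f} minutes")
    for n in (8, 10, 12):
        s = ntlm_worst_case_seconds(n)
        print(f"NTLM, {n} chars (95^{n}) at 348 G/s: "
              f"{s / 3600:.1f} hours = {s / (3600 * 24 * 365):.3g} years")
```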

    What Does this Mean for Encryption?

    In some ways, not much.  Passwords tend to be the bane of encryption for many reasons: people post them on sticky notes, tape them to the computer, pass them around, etc.  From a technical standpoint, passwords are the bane of encryption because they're the weakest link.  Unlike encryption keys, passwords are generally not random enough, too short, and easily guessable.  So, any person worth his salt tries to figure out the password, not the encryption key.

    What's the difference?  You can change passwords to encrypted data easily.  Changing the encryption key is not possible in the truest sense.  To do so, one would have to decrypt the data then encrypt it again with another key.  It's like the difference between changing clothes and changing one's face like in the movie Face/Off, with Cage and Travolta.

    Thankfully, the ability to change passwords easily also means that it's easy to disable their use.  AlertBoot's laptop encryption, for example, has a setting that disables the entry of any passwords after, say, the tenth incorrect try.  This way, bruteforce attacks aimed at defeating passwords can be effectively fended off.


    Related Articles and Sites:
    http://it.slashdot.org/story/12/12/05/0623215/new-25-gpu-monster-devours-strong-passwords-in-minutes
    http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/

     