in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

January 2013 - Posts

  • Smartphone GPS Craziness: Sprint Sends Smartphone Owners To Wrong Address For Device Retrieval

    One of the security recommendations in this era of BYOD (Bring Your Own Device) is to turn on device tracking on your smartphone or tablet, assuming you have the option.  This way, if you lose the device, or if it gets stolen, there is a more than a fighting chance that you'll be able to retrieve it. (I should note, though, that without the proper smartphone data security like AlertBoot Mobile Security, it's probable that the "temporary owner" of a lost smartphone will browse its contents).

    But, it turns out that in certain situations, a lost device's GPS can lead people to the wrong address time and time again.

    Sprint Sends Device Owners to the Wrong Address

    Las Vegas is an exciting town.  There's the lights, the nightlife, the clubs, and the people who've eaten up the slogan, "what happens in Vegas, stays in Vegas."  They make things so exciting that sometimes the police get involved.

    Then there is local resident Wayne Dobson.  According to lvrj.com, Dobson's life is so exciting he can't get regular sleep during the weekends.  Why?  He gets woken up at odd hours by people looking to retrieve their phone.  They bang on his door and tell him that Dobson has their phone.  The smartphone tracking app tells them so.  See?

    As it turns out Dobson doesn't have their phone.  Some glitch in Sprint's network is sending phone trackers to the wrong destination.  Furthermore, police responding to 911 calls are sometimes misdirected to Dobson's home.

    Experts are puzzled by the events and Sprint has vowed to figure out what's going on.  Apparently, this has also happened to some woman in New Orleans.  She ended up suing Sprint.

    Tracking vs. Protecting

    The loss of a tablet or a smartphone is generally deemed more disastrous than the loss of a laptop computer because the phone tends to store more personal information.  Emails can be found in both phones and laptops.  That's also true for phone contacts.  But, SMS messages, who you called recently and how long you talked to them, everyday pictures (now that the smartphone has supplanted the digital camera), and other data generally resides on the phone.  And how many of us back up their phones, at least often enough for it to matter?

    Hence, one might be excused for wanting to retrieve a missing device from the hands of some stranger.  On the other hand, tracking phones is not without its problems.  You've got outlier incidents like the above but also the more run-of-the-mill incidents, such as when a device's SIM card is swapped out; the device is returned to factory settings; or the device is in a place where GPS or Wi-Fi signals aren't reachable.

    Plus, just because you can retrieve your phone doesn't mean that you've not suffered an information security breach.  Without the proper passcode in place or without the activation of mobile encryption software, who's to say someone won't steal your data while you're waiting for the device to be back in your possession?

    When you think about it, tracking is not about data security.  It's about asset security.  If you want to secure data, you have to opt for something that will protect your data from the moment a device is lost, like encryption.


    Related Articles and Sites:
    http://www.lvrj.com/news/if-you-lose-your-cellphone-don-t-blame-wayne-dobson-186670171.html
    http://www.networkworld.com/community/blog/unlucky-las-vegas-man-besieged-lost-phone-seekers

     

     
  • Canada Computer Disk Encryption: Human Resources and Skills Development Loses Information On 583,000

    Numerous Canadian media outposts are reporting on the loss of student loan information by Human Resources and Skills Development Canada.  It's being labeled as a "new" data breach by the government but let's be honest, the only thing new about it is the press release.  It's part of the same old story, a continuance of an affliction that has been ongoing due to the lack of data security software like AlertBoot laptop encryption SaaS.

    583,000 Canadians Affected

    According to theglobeandmail.com, the latest fiasco on the part of Human Resources and Skills Development Canada (HRSD) was reported this past Friday.  HRSD alerted in a press release this past Friday that a storage device containing data on 583,000 Canada Student Loans Program borrowers from 2000 to 2006 was lost.

    Depending on which article you read, the device is described as a "portable hard drive" or a "USB key."  Technically, the latter would be included under the former, but generally a USB key is in a category by itself.  Regardless, either would have been protected with the use of AlertBoot Mobile Security, which not only encrypts a laptop computer's hard drive, but also automatically encrypts any external data storage devices that connect to a protected drive (and, in order not to hamstring a USB key's utility, it is shareable between AlertBoot-encrypted computers).

    Of course, it's not really the medium that's important, but the data contained in that medium: "student names, social insurance numbers, dates of birth, contact information and loan balances of borrowers" were present, according to the theglobeandmail.com, but no banking or medical information.  People in Quebec, Nunavut, and the Northwest Territories were not affected because these territories manage their own student loan programs.

    Interestingly enough, Quebec is not entirely in the clear: personal contact information of 250 department employees working out of a Gatineau, Quebec office were also affected by the data breach.

    A toll-free number has been set-up at 866-885-1866 (416-572-1113 outside of North America) for inquiries by affected individuals.

    Of course, if the callers are as mad as these people, perhaps those fielding calls won't be answering inquiries as much as taking an earful of complaints.  (To which, I note, the people answering the phones at these two numbers are probably temps, so go easy on them).

    "Second" Data Breach

    If you follow data security news, you'll know that HRSD is already involved in a separate data breach due to the loss of a USB drive that contained personal information for approximately 5,000 Canadians.  Indeed, it was an investigation into this breach that revealed the larger one:
    The loss of the hard drive from an office in Gatineau, Que., came to light as the department looked into another breach — a missing USB key containing the personal information of more than 5,000 Canadians.

    The privacy commissioner's office has already begun a probe of that incident, which was publicized last month.
    Needless to say, the privacy commissioner is extending her investigation into this one as well.  As she should, as this is being labeled Canada's largest data breach to date.

    But, as I already pointed out, can you honestly call this a second data breach?  Wouldn't it just be a symptom of what the public already knew?  Namely, that HRSD doesn't have the proper solution to prevent such confidentiality breaches from occurring?

    I'm not even sure what to make of the following quote:
    "It's definitely unfortunate," said Adam Awad, national chairman of the Canadian Federation of Students, which received a briefing on the loss.

    "It highlights how easy it is for information in today's age to be misplaced, to be misappropriated, to be stolen — if that's what the case was."
    Yes, it is unfortunate....  It's also fully preventable.  And, it's not new.  It' not as if Canada has been immune to the problem of information security breaches.  Canada's own Office of the Privacy Commissioner has been blowing the horn on this one, year after year.

    Not to continue harping the obvious, but a disk encryption solution that allows USB sharing between protected computers would have nipped this in the bud.  Not to mention other instances of data breaches outside of an organization's control, such as burglaries (at home and at work).

    What this case really goes on to show is not how easy it is to lose data, but how an organization's data security problems are never over as long as the correct policies, training, and technical solutions are not in place.


    Related Articles and Sites:
    http://www.ipolitics.ca/2013/01/11/538000-canadians-info-on-lost-usb-human-resources/
    http://www.theglobeandmail.com/news/politics/federal-agency-loses-personal-data-on-more-than-500000-student-loan-borrowers/article7288222/

     

     
  • High-Tech Encryption: South Carolina Legislator Notes Not All Security Solutions Need To Be High Tech

    Strengthening computer security is one of the goals listed by the South Carolina caucus for this year.  While it may sound like a knee-jerk reaction to the ginormous data breach The Palmetto State experienced late last year, it looks like clarity of mind and sanity prevails in the SC legislature.  The House Majority Leader noted that not all approaches to data security require highly technical solutions, which is true.  On the other hand, there are those instances where high-tech solutions like AlertBoot's laptop encryption software would be preferred over non-technical ones.

    Education Also Part of the Solution

    According to legislators quoted at chronicle.augusta.com, training and awareness are also another tool in the fight against data breaches:
    Legislators hope actions taken since then will prevent another such breach at the Revenue Department, but all state agencies’ computer systems must be evaluated and updated to prevent breaches elsewhere. How much that will cost is unknown. The state is in the process of hiring consultants.

    Legislators noted the solutions aren’t all high-tech. [House Majority Leader Bruce] Bannister said training is key, because state workers ought to know when not to open an e-mail. [House Minority Leader Harry] Ott said agencies need protocol for when a computer virus or malicious e-mail is detected.
    Like they say in computer security circles, the weakest link in the chain is people.  Educating personnel so that they are aware of when they might be walking into a trap (be in phishing, virus installation, or any of the other myriad forms a data security breach can be triggered) is definitely necessary.  One does should not forego human awareness for the latest technical solution.

    People Don't Follow the Rules

    On the other hand, there is something to be said about technical solutions, especially in those instances where you know human nature will most likely cause a data breach.  Consider, for instance, what happened at NASA, where you literally have rocket scientists and people managing these rocket scientists.

    Despite all the intellect at the organization, it has suffered so many data breaches that NASA has declared an ultimatum: laptop encryption will be used on all NASA laptops, and those that are not encrypted will have to remain within NASA buildings until they are secured.

    It just goes to prove that in certain instances education doesn't work.  If a technical solution presents itself that happens to be idiot-proof, then it behooves an organization to use it.  Full disk encryption is one such solution because of its simplicity: it's always on, only requires a password (which, depending on the solution, can be reset if forgotten), and is otherwise transparent to the end user.

    Related Articles and Sites:
    http://chronicle.augusta.com/news/metro/2013-01-03/sc-house-party-leaders-cyber-security-ethics-and-election-law-top-agenda
    http://www2.wspa.com/news/your-side/2013/jan/03/2/sc-house-leaders-present-2013-priorities-ar-5288320/
     
  • Managed Full Disk Encryption: City Of Macon Could Have Prevented Loss Of Data The Easy Way

    According to The Telegraph at macon.com, the Sheriff's Office is investigating how computers that contained sensitive data ended up on the auction block at govdeals.com.  The use of managed full disk encryption like AlertBoot would have prevented this particular data breach quite easily: it would have been a matter of "deleting" the machine from the central console, ensuring that the encryption keys are lost forever.

    Government Deal Gone Bad

    From the information I can find, the reconstructed scenario is as follows: it is decided that city computers need replacing.  The old computers are to be sold, and in order to do so these are turned over to the city's Information Technology Department.  The IT Department sanitizes the computers (i.e., deletes any data contained within).  The city then puts the inventory for sale at govdeals.com.  According to the site,
    GovDeals provides services to various government agencies that allow them to sell surplus and confiscated items via the Internet.  Each participating agency has its own auction rules and regulations and may be subject to government ordinances.
    And what deals!  A 1998 Ford Econoline E150 is going for $99 as I write this sentence.  The scrap metal value alone is much more than that!

    Anywhooo, there is some controversy as to who sold the computers: the police department or Macon's finance department.  The finance department notes that they don't sell old computers.  The police department notes that they're not in charge of prepping the computers for sale.

    And they're right.  One's attention should really be directed to the city's IT Department, which one assumes is in charge of vetting whether city computers – be they from the police department, finance department, or any other type of government department – to be sold, retired, disposed, etc. are free and clear of any sensitive data.

    Deleting Computerized Content, Preventing a Data Breach

    Deleting data on a computer is an arduous process.  While the process is automated for the most part, it takes forever because every single byte found on a computer must be written over.  That's right.  In the world of paper, you can get rid of data by deleting the information (e.g., using an eraser to get rid of pencil markings) or writing over it (e.g., using a marker and covering pencil markings).

    In the digital realm, only the latter is available.  That's why when you go to the "recycle bin" on a Window's machine and permanently delete something, it doesn't do squat for digital privacy.  You'll notice that the process takes seconds, a couple of minutes if you're deleting a large amount of data, whereas writing over the same amount of data takes much, much more time.  In fact, with today's hard disk capacities, it's not unusual for the process to take five to six hours per disk.

    If encryption software had been used to protect the data on these same disks, the process would have been much shorter and much easier: lose the encryption key.  Without this vital key, it is impossible to retrieve the data.  And losing it takes mere seconds, even if we're talking about a disk drive with over 100 TB of data.  Plus, the presence of encryption means that the computers would have been protected while they were being used, for example, if there had been a burglary at a city department.

    Full disk encryption is no panacea.  It doesn't even come close to being one.  But, it's certainly worth its price.

    Related Articles and Sites:
    http://www.macon.com/2013/01/08/2309218/computers-containing-personal.html
    http://www.41nbc.com/news/local-news/18526-davis-personal-info-left-on-city-computer-hard-drives-sold-to-computer-repair-shop
     
  • Hacking Disk Encryption: "Inception" For Cracking Encryption Released, Is Bwooooong-tastic

    Not too long ago, a tool for cracking laptop disk encryption was released by Elcomsoft.  In the latter's case, it targeted machines that were using PGP, TrueCrypt, and Microsoft's BitLocker.  The cracking tool made use of a vulnerability found on FireWire / iLink / 1394 port, a weakness that has been around for a while.

    Well, now there's a software tool that makes use of the vulnerability in other encryption products as well.

    Inception – Bwong, Bwong, Your Computer's Hacked!

    According to breaknenter.org,
    Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
    That asterisk does represent caveats, which you can read here.  Again, this is nothing out of the ordinary, which is probably the main criticism most security experts offered when Elcomsoft made their product announcement.  The creators of Inception are aware of this themselves:
    DMA attacks has been known for many years, so this is nothing new (except for the fact that I will reverse engineer new signatures and update the tool's functionality until the problem is fixed). However, vendors generally dismiss DMA attacks as a non-issue, which I hope that the awareness that this tool generates will change. Users deserve secure devices, even when attackers gain physical access.
    Also, I gleaned a little extra information that I had not considered before.  The attack also works if you don't have a FireWire port.  According to the FAQ,
    You can use any interface that expands the PCIe bus, for example PCMCIA, ExpressCards, the new Thunderbolt interface and perhaps SD/IO to hotplug a FireWire interface into the victim machine. The OS will install the necessary drivers on the fly, even when the machine is locked. [my emphasis]
    Which makes me wonder why the Inception team offers the following "attack mitigation" practices, some of them based on uninstalling drivers:
    Windows
    Block the SBP-2 driver
    Remove FireWire drivers from your system if you don't need to use FireWire

    OS X
    Don't panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you're still vulnerable to attacks when unlocked, though
    Set a firmware password

    Linux
    Disable DMA or remove the 1394 drivers (see the 'Mitigation: Linux' section)
    Granted, it could be that other cracking tools that exploit the vulnerability do not incorporate the "install drivers on the fly" approach, making the above a valid security practice in those particular cases.  

    A key point, and what I consider the basis for the main mitigation method that I'm aware of, is not mentioned: namely, this attack can only work while data can be found in a computer's RAM.  No content in the RAM means an attack is impossible.  The natural question following this observation is: when is your RAM empty or purged?

    Learn to Dispense with Hibernation, Turn Your Computer Off

    Your computer's RAM is devoid of any content when it is turned off.  Not in hibernation mode, but when it's off.  This is, as far as I know, the only way to impede what I call a FireWire attack.  In fact, it's not just a matter of turning off the computer.  Because it takes some time for the data in RAM to degrade (half a minute to a couple of hours, depending on a number of factors, but mainly dependent on temperature), it would be possible to run the FireWire attack under the following scenario:
    1. You start the process of shutting down the computer but because you're in a hurry you don't hang around for it to complete the process, knowing it will turn off eventually.
    2. While you're gone but the computer is still shutting down, someone grabs your computer, opens the cover, and freezes the RAM (canned air sprayed upside down works in a pinch).  This probably won't really work for most laptops unless the attackers decide to bust the keyboard or something.  I mean, have you ever tried to get to the RAM in a laptop?  There's a lot of unscrewing you have to do, no way you're freezing RAM in less than a minute, electric screwdrivers notwithstanding.  On the other hand, it's not completely impossible.
    3. The attacker connects Inception or some similar data retrieval tool to the computer.
    4. Data breach.  Possibly, you're none the wiser!
    If you value your data, and you're paranoid enough, you'll stand by your computer until it shuts off fully, and stay by it around a minute or so.  Me, I just make sure it's been shut off.  I'm paranoid, but not paranoid enough.

    Related Articles and Sites:
    http://www.jwz.org/blog/2013/01/bypass-full-disk-encryption-and-passwords-on-any-powered-on-computer-via-firewire/
    http://www.breaknenter.org/projects/inception/
     
  • HIPAA Disk Encryption: HHS Announces Settlement For Less Than 500 Patients HIPAA Breach

    The Hospice of North Idaho (HONI) has agreed to settle with the Department of Health and Human Services (HHS) by paying $50,000 for a HIPAA breach.  When you consider that Mass General Hospital settled for $1 million (technically, it wasn't a settlement.  They got fined) for a breach, the amount HONI is paying seems like peanuts.  But this HONI case is a historic one because it's the first time the HHS has brought action for a data breach involving less than 500 PHI.  Of course, a solution like AlertBoot's full disk encryption for medical laptops would have prevented all of this.  But then, who are we to stand in the way of history?

    441 Protected Health Records Stolen

    According to the government's own press release, the Hospice of North Idaho experienced a data breach when a laptop computer –which was lacking protection in the form of encryption software, it being the only way to get safe harbor from the HIPAA/HITECH Breach Notification Rule – was stolen in June 2010.

    Although less than 500 PHI were breached in this case, an investigation by the HHS OCR found that HONI had not addressed security concerns:
    Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI.  Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program. [hhs.gov]
    Of course, there's nothing really magical about the number 500.  It's just an arbitrary figure that delineates whether a data breach is reportable at the HHS's "Wall of Shame" or not.  In terms of potential threats affecting patients, one doesn't face more or less of a threat because 500 or more people are involved.  Also, how is 500 affected much more of a risk than 499 people affected?

    The HHS finally seems to want the world to realize that:
    "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information," said OCR Director Leon Rodriguez. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."[hhs.gov]
    A strong message it is, indeed.  There was much speculation that the name and shame policy would not have much of an impact because most data breaches tend to involve less than 500 people's records.  Indeed, if memory serves, over 95% of HIPAA data breaches involve less than 500 PHI, which meant that shaming a particular set of breaches would miss most instances.

    ROI – Kinda Worth It?

    You know, monetary settlements, fines, etc. at such levels always leave me a little bit concerned.  On the one hand, $50,000 is nothing to sneeze at.  On the other hand, I can imagine all kinds of wheels turning in accountants' heads.

    For example, let's say that a particular disk encryption solution costs about $200 per endpoint, including the installation of back-office infrastructure and other digital accoutrements that accompany it (AlertBoot, by the way, is of significantly lower cost because it's an entirely cloud-based solution).

    If a particular health organization has to protect 250 laptop computers, the solution already costs $50,000.  Assuming one has a data breach every 5 years, not using disk encryption would show savings of 80% under this particular model, assuming (1) their data breaches always involve less than 500 PHIs and (2) the HHS hands out a fine of $50,000 each time.

    It's messed up, but some people honestly think of these issues in this manner.  Thankfully, fines are not confined to such low amounts (under an update to HIPAA rules, up to $1 million can be assessed on covered entities), and there's no guarantee that a medical data breach will remain below a head count of 500.

    Related Articles:
    http://www.hhs.gov/news/press/2013pres/01/20130102a.html
    http://www.beckershospitalreview.com/healthcare-information-technology/idaho-hospice-to-pay-hhs-50k-in-hipaa-breach-settlement.html
    http://www.modernhealthcare.com/article/20130102/NEWS/301029890/hhs-announces-first-settlement-in-smaller-data-breach
     
More Posts « Previous page