I ran across a story that, as far as I know, is the first of its kind: proof that laptop thieves don't just blast away the current information on a stolen laptop and sell it as quickly as possible. Oh, no. They're willing to see what they can find on the laptop, which is why some kind of deterrence solution, like AlertBoot's laptop encryption software is necessary.
According to the sacbee.com, two men were arrested for burglarizing a home – a laptop computer was stolen, presumably among other items – and then burglarizing a second home that belonged to the owners of the first home.Investigators believe that information contained in the victim's laptop computer, taken in the first burglary, directed the suspects to the victim's vacation home. Both homes were ransacked, and the victims reported the theft of more than $50,000 in personnel property, including electronics, furniture, fine art and sterling silver. Sheriff's officials said several thousand dollars [sic] worth of property were recovered.It doesn't take a genius to figure out what happened here: once the laptop was stolen from the first home, the two perpetrators took a gander at the computer's content. Perhaps there was an electronic address book that listed the second home's address. Perhaps there were vacation photos and these were tagged with GPS coordinates, which could be looked up in Google Maps. Maybe there was an accounting software that showed utility bills for two locations.Who knows? Whatever the actual details might be, the thieves didn't just "go for the hardware" and decide to reformat the laptop's disk and put the hotware on Craigslist, which is what many people assume is what happens.But then again, why would people assume that? I never understood it. The assumption you're supposed to make, from a security perspective, is the worst-case scenario. Plus, remember, the computer as we know it – monitor, computer body, keyboard, and mouse – has been around for over 30 years. Of those, the internet has existed as a popular medium for, say, fifteen years.Are you honestly telling me that under these circumstances, you're willing to believe that thieves won't boot up your stolen computer and take a look at what they can find?I can't emphasize it enough: if you store any sensitive data on a digital medium, you really should use encryption software to secure it.
Investigators believe that information contained in the victim's laptop computer, taken in the first burglary, directed the suspects to the victim's vacation home. Both homes were ransacked, and the victims reported the theft of more than $50,000 in personnel property, including electronics, furniture, fine art and sterling silver. Sheriff's officials said several thousand dollars [sic] worth of property were recovered.
If you are looking for an excuse that involves robots to sign up for MDM mobile security software like AlertBoot, look no further: researchers will be debuting a PIN-cracking robot at the 2013 DefCon in Las Vegas. The robot not only brute-forces your PIN, its schematics can be obtained for free and the necessary hardware can be 3D-printed.It's not scandalous at all. After all, wouldn't it just be a physical manifestation of password-cracking software?
Why create such a robot? Why upload instructions for creating it? According to an interview of the researchers at forbes.com:"There's nothing to stop someone from guessing all the possible PINs," says Engler, a security engineer at San Francisco-based security consultancy iSec Partners. "We often hear 'no one would ever do that.' We wanted to eliminate that argument. This was already easy, it had just never been done before."I don't know about "never been done before." I've run across another robot that does the same thing, except it was cracking a safe and not a smartphone. Plus, the same forbes.com article has a video of a similar robot cracking the PIN on a Garmin GPS.I'll also have you know that yours truly has brute-forced a 5-wheel combination bicycle lock while watching all four seasons of Battlestar Galactica. The lock gave way in about 6 hours, although there are easier, faster ways. For example, the thief who stole my friend's bicycle managed to bypass the same lock in 10 seconds using a bolt cutter.Regardless, Engler is right. The argument does pop up quite often. And while some might point towards the use of a bolt cutter as an indication that "no one would ever do that," the truth is that the bolt cutter is used because it works. When the only option is to punch in the correct PIN, that's what people will attack. (Although, you can't really discount the use of a bolt cutter when it comes to accessing smartphones).
"There's nothing to stop someone from guessing all the possible PINs," says Engler, a security engineer at San Francisco-based security consultancy iSec Partners. "We often hear 'no one would ever do that.' We wanted to eliminate that argument. This was already easy, it had just never been done before."
The researchers in the forbes.com article noted that not all devices would be susceptible to the robot's attack. Apple's iPads and iPhones, for example, feature rate-limiting by default. That's when you have to wait increasing minutes between erroneous PIN entries. (Apparently, most Android devices don't come with rate-limiting turned on.)Furthermore, an even better form of security is found in the auto-wipe feature: enter the wrong PIN more than 10 times and the device's contents are erased without any chance of recovery.Because of the potentially disastrous nature of such a setting, however, it's not turned on by default by any devices, as far as I know (the one exception might be BlackBerry devices; my memory fails me at the moment).Thankfully, companies that are engaged in BYOD and COPE can turn on auto-wipe (well, technically, remote-wipe) on mobile devices by creating the correct policy in an MDM solution like AlertBoot Mobile Security.This will further limit the chances of a data breach – unless the smartphone user decided to etch their PIN to the back of their device or some other nonsense.
The government has argued that veterans who are suing the William Jennings Bryan Dorn VA Medical Center for a data breach did not formally experience any harm, and that the lawsuit ought to be dismissed. Honestly, I don't know why the government is this position. Per my understanding, the VA was set to have laptop encryption on all portable computers by February 2012. The data breach occurred on February 11, 2013, a full year after the VA supposedly had 100% of their laptops encrypted.
On February 11, 2013, a laptop computer containing personal information for over 7,500 US veterans was stolen from the Dorn VAMC Respiratory Therapy Department. The hard drive contained names, addresses, phone numbers, SSNs, and dates of birth, as well as medical and disability information for an "unknown number" of vets.The information was not protected with medical encryption software. Because the VA had been promising to encrypt laptops (and, among other things, implied that they were fully protected), and because it had already experienced numerous data failings – including the 2006 data breach where 26 million veterans were affected when a laptop was stolen – the plaintiffs are claiming that the VA and assorted defendants "failed to properly performs the duties and responsibilities of their respective VA positions."
The claim is further supported by an Office of Inspector General report:VA's own Office of Inspector General reported only a few months before the February 13, 2013, incident that, although VA spent $3,700,000.00 in 2006 to purchase encryption software, the Department had installed that software on only 16% of the devices for which it was purchased. [Official complaint, Civil Action No.: 3.13-CV-999-TLW]I'm not sure that the software will ever be installed. My understanding is that the software was found to be incompatible with most of the VA's computers, forcing the VA to purchase new encryption software. So, the fact that on 16% of devices were protected with this particular software is a moot point: the VA could have protected the remaining 84% with something that was purchased after 2006.The only thing incompetent here is that the VA blew $3.7 million on software they can't use.
VA's own Office of Inspector General reported only a few months before the February 13, 2013, incident that, although VA spent $3,700,000.00 in 2006 to purchase encryption software, the Department had installed that software on only 16% of the devices for which it was purchased. [Official complaint, Civil Action No.: 3.13-CV-999-TLW]
Regardless, the government's position is that the lawsuit should be dismissed because the plaintiffs have not been harmed. Yes, a laptop full of their information was stolen. But, aside from the fact that some of the more paranoid members decided to sign up for credit monitoring, what actual harm did they suffer, especially as a collective?Plus, the US courts don't judge on future harm that derives from an event. They need to rule on something that has happened. For example, perhaps the names and SSNs found on that list were used in mortgage fraud or for opening fraudulent lines of credit at banks across and outside the US; that's a concrete harm resulting from the VA data breach and fair game.The problem with this argument – aside from the fact that it's the go-to defense of choice for the many inept companies that can't seem to bother to secure their clients' data – is that the courts are slowly beginning to shy away from such an interpretation.How will this end up? As a clusterfrock that shouldn't have happened (or wouldn't have happened with a liberal application of encryption software and other data security tools).
Ineptitude. This is the word that leapt to my mind as I read a story about Canadian bureaucrats who considered a couple of different ways to "avoid repercussions over" the loss of a USB memory stick. These kinds of incidents wouldn't make the news if encryption software is used to protect and secure sensitive data.
According to o.canada.com, senior bureaucrats at Human Resources and Skills Development Canada, upon learning of a USB stick's disappearance, considered hiring professional dumpster divers (for $15,000) to find the electronic device. When the companies refused the job, HRSD considered burning the garbage in which the USB stick was suspected of being; however, Ottawa lacked the "incineration capacity" to do so. The plans were scrapped.The device contained disability pension applications for 5,049 people.Department policies regarding the encryption of sensitive information were in place, but they were not followed in this particular case. However, that did not trigger my incredulousness. No, the disbelief came into its own when I heard that the department was considering hiring dumpster divers for $15,000.(The fact that they did, if anything, seems to indicate that the Canadian government, takes data breaches seriously. Perhaps such bungles reflect poorly on one's resume and affects his or her chances of advancing in the workplace. I honestly cannot think of any other reason for even considering hiring professional trash trampoliners. Assuming it takes 24 hours to go through the entire contents, that's $625 per hour.)
Based on what I've read at o.canada.com, it looks like the USB stick's loss was an accident. The lack of data encryption also looks like an accident (although, to be honest, a solution like AlertBoot FDE would have nipped that particular problem in the bud – external storage devices are automatically encrypted with our software and tagged for sharing around the office).But trying to cover up an accident....that's no accident. It takes willpower to do it, and it takes willpower to consider doing it. If they had followed through, it would have been pretty irresponsible, not only because of the cost involved, but because burning trash that is suspected of harboring a lost USB thumbdrive doesn't guarantee data security. (Burning trash that you know contains the USB, on the other hand, is a different story....).The best way to deal with data breaches is not to have one to begin with. Of course, that's impossible. That's why encryption is used.
Mobisante, a Redmond, Washington based company has released a tablet version of its popular ultrasound machine, previously only available on smartphones. Just like PCs in its 1990s heydays, mobile devices like smartphones and tablets are coming into their own. And just like PCs, it looks like it won't be too long before mobile device protection and management becomes necessary. Especially if it involves medical data.
Mobisante's first offering, MobiUS SP1, was a smartphone-based $10,000 ultrasound device. It was a smash hit (although the company is not releasing any figures), with its big selling point being the price and portability: ultrasound machines apparently sell for as much as $100,000.You'll notice that it's "smartphone-based" which means it doesn't actually use a smartphone. Instead of installing an app on your iPhone or Android phone, the company gives you a small device that looks like a smartphone. However, people cannot make calls on it. The hardware is strictly for operating the ultrasound.While it's not listed on their website, I assume the device also is data security-enabled since protected health information (PHI) is stored on it. Mobisante's website lists the data as first names, last names, IDs, dates of birth, and any scanned pictures, which under HIPAA and HITECH regulations require compliance with the Security Rule and the Privacy Rule.The new tablet version, the MobiUS TC1, pretty much does the same thing, according to the reports. It doesn't sound too revolutionary (remember how the iPad was just a really big iPhone?), except that it is:
physicians told us they also wanted something larger, particularly when they were working on guided procedures, so that's why we decided to go the tablet route."[24x7mag.com]
When working with images, you can have a monitor that is too small....or too big. The use of a tablet, even if extra functionality is not built-in to the software, can mean better diagnoses.
physicians told us they also wanted something larger, particularly when they were working on guided procedures, so that's why we decided to go the tablet route."[24x7mag.com]
While Mobisante's products are "based" on smartphones and tablets, I assume it won't be too long before medical tools will actually be delivered as apps for actual smartphones and tablets. When that day comes (if it's not already here), hospitals, clinics, and other medical entities will have to start paying attention to what's going on with people's smartphones, especially if they operate a BYOD program.Technically, they're already supposed to be paying attention, but AlertBoot Data Security's surveying efforts have shown that HIPAA covered entities are putting more focus on laptops and external hard drives while smartphones in the organization take a backseat (and even less attention is paid when it comes to tablets).This is likely due to the device count in an organization. Usually, an organization has more laptops than smartphones (or at least, smartphones that are authorized to be used in the workplace), and more smartphones than tablets. However, in this day and age, it makes little sense to focus on one group of devices while not paying as much attention on other devices. Data breaches can come from anywhere.
Sony has decided not to appeal the £250,000 monetary penalty that was assessed by the UK Information Commissioner's Office (ICO). The penalty stands as the largest assessed to date under the ICO's purview. This decision gives added impetus for companies in the United Kingdom to properly secure any personal information they have collected and resides in their computers (by using managed laptop encryption software) or smartphones and tablets (via the use of mobile device management software).
According to v3.co.uk, the Japanese electronics powerhouse decided to drop the appeal after considering what it would have to reveal in court:Sony said that it was giving up the appeal because it was wary of revealing more information on its security procedures the process would have required, rather than because of any change of heart."After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits," a spokesperson said.Depending on your point of view, this is an artful dodge. On the one hand, it makes sense. Security types are highly critical of "security through obscurity," where obfuscation is the basis for safety; but, there's no reason why one should make it easy for the attackers even if one's security is state of the art.On the other hand, any errors should have been corrected by now. Plus, the perpetrators have not been caught, meaning they already know the weaknesses that were present in Sony's network. And, last but not least, hackers do share with each other (gratis or for a price) the weaknesses they have unearthed.In short, there's very little that Sony would be revealing to the criminal world in general. If anything, the company could be caught in a position where it reveals to the public at large at how they failed miserably when it came to securing its networks (and protecting its customers). Some of the stories I've heard, both confirmed and otherwise, include not encrypting sensitive data (when it was possible to do so) and not applying critical updated and patches, even after smaller attacks (but before the Big One), among others. Plus, there is the fact that Sony will debuting the PlayStation 4 next week. While an appeal will take considerably longer to resolve than next week – heck, it'll probably take years – the last thing Sony wants to do is bring the wrong type of attention to its PlayStation Network for years to come.On the other hand, there is something to the "confidentially of the network" claim Sony has made. Have you seen the ICO's public release of Sony's Monetary Penalty Notice? The interesting parts have been censored as if a Cold War NSA lackey went crazy with a black marker. I don't know of any other MPN that looks like that.For its part, the Information Commissioner's Office makes no bones about their position:There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.The penalty we've issued today is clearly substantial, but we make no apologies for that. [ico.org]
Sony said that it was giving up the appeal because it was wary of revealing more information on its security procedures the process would have required, rather than because of any change of heart."After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits," a spokesperson said.
There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.The penalty we've issued today is clearly substantial, but we make no apologies for that. [ico.org]
Most companies are not global conglomerates. In fact, small and medium sized enterprises account for 75% to 90% of all companies in any given nation; however, SMEs can also be embroiled in a situation that affects too many clients. For example, the ICO's website is littered with monetary penalties for the loss of laptops, USB flash drives, and other digital data storage devices (not to mention their analog counterparts: paper documents). It won't be long before we see a fine for the loss of a smartphone or tablet computer, especially with the growing popularity of BYOD as well as company-issued mobile devices.There is hope, however. The ICO constantly issues reminders, and notes in Monetary Penalty Notices, that the use of disk encryption is a very effective method of preventing data breaches that involve personal information.The use of encryption and other security-enhancing tools – such as AlertBoot's mobile device management (MDM) for smartphones and tablets – has the double-effect of protecting clients as well as protecting one's company. It's very win-win.