AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
Data Encryption: Two Different Breached Entities Reassure People With "Password Protection"

It's hard to believe that in this day and age people still equate "password-protection" with actual, real data protection. At least, that's what's implied by the breach notifications released for Alaska's Mallott gubernatorial campaign and for Sharper Future, a "private sector mental health provider." Who, exactly, did these organizations consult before making these outlandish claims?

Mallott: Laptop Theft from Premises

According to a campaign rep for Alaska gubernatorial candidate Byron Mallott, a laptop was stolen from the campaign's offices:
"What we believe may have happened was the back door had not latched properly. Someone had come in through the back door while volunteers were working in the front public area of the campaign and it was removed."
Amazing. It's as if they gave no thought at all to security. I mean, a latch? That's what separated over one thousand contributors' names (and mailing addresses, phone numbers, bank accounts, or credit card and security code numbers, as well as occupations and employers) from a potential thief?

Well, not exactly, would say campaign spokespeople:
"Important to this entire incident is the fact that the computer was password protected and was shut down at the time," [campaign advisor] Botelho says. "In that respect that lessens the risk, I think, to any of our donors. But nevertheless, there still is a risk."
Password protection. It's a funny set of words. Does it mean that passwords are protected, or that stuff is protected with a password, or something else entirely? Because I can assure you, password protection rarely means what it implies, just as the apocryphal Chinese proverb "May you live in interesting times" is not a wish of benevolence.

The only way that "passwords" + "shut down at the time" can equal "protection" is if "encryption" is added to the equation:

Password + encryption + shut down at the time = Protection of Data

Take out one of the three elements and the thing falls over like a stool missing a leg.
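To make the three-legged stool concrete, here is an added example (not from the original post or from AlertBoot) that models the two situations. PasswordProtectedDisk is a login password with no encryption: the password is only a gate in the running OS, and the bytes on the drive stay plaintext. EncryptedDisk keeps ciphertext on the drive and holds the key in memory only between unlock (boot plus password) and lock (shut down). The HMAC-SHA256 counter-mode cipher and the sample donor record are constructed for the demo; real full disk encryption uses a vetted AES implementation.

```python
import hashlib
import hmac
import os

# Constructed sample donor record (fake data for the demo).
SAMPLE_RECORDS = b"J. Doe, 1 Main St, Juneau; card 4111-1111-1111-1111, cvv 123"

def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> key; without the password the key cannot be rebuilt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative HMAC-SHA256 counter-mode keystream (stdlib only, NOT a
    production cipher; real FDE uses AES-XTS or similar from a vetted library)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

class PasswordProtectedDisk:
    """A login password with no encryption: the OS checks the password, but the
    bytes on the platter are plaintext, readable by anyone who lifts the drive."""
    def __init__(self, password: str, data: bytes):
        self._password, self.raw_bytes = password, data
    def read(self, password: str) -> bytes:
        if password != self._password:
            raise PermissionError("wrong password")
        return self.raw_bytes

class EncryptedDisk:
    """Full disk encryption: raw bytes are ciphertext + tag; the key exists in
    RAM only between unlock() (boot + password) and lock() (shut down)."""
    def __init__(self, password: str, data: bytes):
        self.salt, nonce = os.urandom(16), os.urandom(16)
        key = derive_key(password, self.salt)
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        self.raw_bytes = nonce + tag + ct      # what a thief gets from the drive
        self._key = None                      # powered off: nothing in memory
    def unlock(self, password: str) -> None:
        self._key = derive_key(password, self.salt)
    def lock(self) -> None:
        self._key = None
    def read(self) -> bytes:
        if self._key is None:
            raise PermissionError("volume locked: no key in memory")
        nonce, tag, ct = self.raw_bytes[:16], self.raw_bytes[16:48], self.raw_bytes[48:]
        expect = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("wrong password or tampered ciphertext")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct))))
```

Comparing raw_bytes of the two objects shows the difference a thief sees: the first contains the donor record verbatim no matter how strong the password is, the second yields nothing readable unless the password is known and the volume is unlocked.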

Sharper Future: Not as Sharp when it Comes to Info Sec

One could make the same argument for Sharper Future:
[Our office was] burglarized and we lost electronic equipment that stored our records and included personal information about some clients. The information stored on the stolen equipment was password-protected and it would be extremely difficult for someone to access it.
While I don't know whether something as prosaic as an unlatched door was the cause of this data breach, I know this much:
  1. Password-protection does not make it extremely difficult to access records (see the Mallott section above).
  2. If we're hearing of this breach from the horse's mouth, then there's a very good chance (I'd say 95% and over) that encryption software was not used.
How do I justify the second observation? Easy. Under HIPAA, a public notice is not necessary if encryption software that complies with NIST guidelines is used to protect patient information (more specifically, PHI, protected health information). Of course, nothing prevents a HIPAA covered entity from sending breach notification letters even if PHI was encrypted...but most if not all will simply take advantage of the HIPAA safe harbor clause. (I assume, among other things, that HIPAA had to come into play in this particular case...never mind that California's own Department of Health has its own tough-as-nails policies.)

Password-Protection: Why Doesn't It Work?

I hate repeating myself, so here's some past coverage that answers the question in the header above:


Related Articles and Sites:
http://www.databreaches.net/ak-mallott-campaign-computer-stolen/
http://www.ktoo.org/2014/05/30/mallott-campaign-computer-stolen/
http://www.phiprivacy.net/sharper-future-reports-burglary-of-mental-health-data-of-clients/
http://www.sharperfuture.com/LCB%2052114.PDF

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.