in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

October 2017 - Posts

  • FBI Unable to Access 7000 Encrypted Devices in 2017

    At the International Association of Chiefs of Police conference, held in Philadelphia last week, Federal Bureau of Investigation Director Christopher Wray noted that the FBI has nearly 7,000 encrypted devices it cannot access. Per the phillyvoice.com:
    In the first 11 months of the fiscal year [2017], federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech….
    Considering what Wray's predecessor had to say about the issue in 2016, the problem is growing, fast:
    [Former FBI Director James Comey] said, during the last three months of 2016 the FBI lab received 2,800 electronic devices sent in by local police and federal agents looking for evidence they contain. But analysts were unable to open 1,200 of them, "using any technique."
    Assuming that the influx of inaccessible encrypted devices to the FBI's labs remained relatively constant last year, the implication is that the FBI possessed 4,800 encrypted mobile devices in 2016. In other words, there was a 50% increase year-over-year.  

    A Growing Problem

    One can expect the number of inaccessible smartphones to keep growing for a number of reasons.
    First, older devices get replaced with new ones, eventually. That in of itself doesn't mean anything security-wise, except that encryption was not turned on by default for many older devices. Even if encryption were turned on, a password may not have been required.
    Smartphones and tablets now come with encryption turned on by default and require a form of password; one can assume that nearly 100% of the phones the FBI needs to search in the future will be inaccessible.
    Second, encryption tends to get stronger over time because researchers are constantly trying to find flaws in it. When found, they're patched up. Cracking techniques that may have worked in the past may not be available on newer devices.
    When the FBI filed and then dropped a lawsuit against Apple in 2016, the Bureau revealed that it had obtained a method to gain access to an iPhone 5C (they didn't reveal what it was). Thus, it didn't need to force Apple through the courts. It also noted that this method didn't work on iPhones newer than the 5C, so that's as far as that technique will go. Seeing how OS updates to the iPhone 5C ended this past summer, the FBI's mysterious technique will see limited action in the future.
    This tends to be the general pattern for flaws in security (assuming, of course, that you have bright people working on the problem; sometimes, flaws go undetected for years, possibly decades. Still, encryption performance points in one direction).
    Third, more people are aware of the power and need for encryption. When the FBI butted heads with Apple (and, indirectly, with the entire tech community) in 2016, many in Congress initially supported the FBI. Calls for encryption backdoors, explicit or otherwise, were in the air. As time went by and these representatives educated themselves on the pros and cons of purposefully hamstringing cryptography, they started backtracking.
    But, it's not just Congress. Ironically, the Apple vs. FBI case caused ripples and worked to educate a lot of people about encryption and its benefits, detriments, and importance. With more people aware of what encryption does and how it works, you can expect encryption to extend to even those devices that don't come with it by default.  

    How to Solve It?

    So, yeah, encryption is problematic for the FBI. And, it will continue to be problematic. Hence, it's not surprising to find that,
    The Justice Department under President Donald Trump has suggested it will be aggressive in seeking access to encrypted information from technology companies. But in a recent speech, Deputy Attorney General Rod Rosenstein stopped short of saying exactly what action it might take. [apnews.com]
    Honestly, short of a backdoor, there isn't a solution here, and a backdoor is not a solution. Still, seeing how strange 2017 has been (and will probably be for the next three years, at least), it wouldn't be surprising if the FBI finally got what they wished for. No matter how ill-advised it might be.
     
    Related Articles and Sites:
    http://www.phillyvoice.com/fbi-couldnt-access-nearly-7k-devices-because-of-en/
    https://gizmodo.com/the-fbi-cant-stop-fearmongering-about-encryption-1819772851
    https://www.nbcnews.com/news/us-news/comey-fbi-couldn-t-access-hundreds-devices-because-encryption-n730646
    https://apnews.com/04791dfbe30a4d3596e8d187b16d837e
     
  • 47.5 GB of PHI Left Exposed on the Cloud. (That's 316,000 PDFs)

    According to gizmodo.com, security researchers at Kromtech Security Center found a wide-open Amazon Web Services (AWS) bucket that contained over 300,000 PDFs, each one a medical file that would fall under the governance of the Health Insurance Portability and Accountability Act (or HIPAA which, arguably, finally jumpstarted the drive towards encrypting sensitive digital files thanks to generous fines levied on hospitals and other legally-covered entities that screwed up their data security).
    There have been (too) many similar cases over the years, although we're beginning to see a transition of sorts: while the past showed incorrectly configured servers at the center of an "accidental" data breach (that is, the blame didn't lie on hackers but on what a company's IT staff decided to do…or not do), today's incidents increasingly tend to involve incorrectly configured cloud services, be it AWS, Microsoft's Azure, Dropbox, or others.
    Technically, they're the same problem – misconfigured settings on boxes connected to the internet – but the former was more complex than what one deals with today: nowadays, you click on a checkbox in a webform, hit the save button, and companies like Amazon take care of the rest.
    (Although, if one were to play Devil's Advocate, it should be pointed out that AWS does support programmatic read-write permissions which are similar, but nowhere close, to server configurations of yore).  

    Quick Remediation

    When Kromtech alerted the healthcare company of the error, the situation was corrected the very same day. However, they appear to have remained incommunicado to subsequent reach outs by the security company. Not necessarily the height of gratitude but, hey, it doesn't look like they're ignorantly suing Kromtech "for hacking" them, so that's a plus. The downside: the PDFs contained,
    In addition to names, addresses, and other contact information, many of the records contained dates of birth, diagnoses, as well as the names of physicians overseeing care of the patients…
    No SSNs or credit card details. However, with information like the above, obtaining such data is literally a phone call away. In a world where millions get scammed for computer tech support they don't need, how hard would it be to socially engineer sensitive data by posing as hospital staff that know real details about someone's recent medical history?
    The answer is "not very hard."  

    Prevention

    One easy way to lower the odds of suffering similar data breaches is to use file encryption prior to uploading digital documents to the cloud. This was the case when people set up their own internet-facing databases in the past and still is the case with cloud services. Granted, AWS's security options are more than adequate, at least when it comes to conforming to data security requirements and regulations across the US.
    But that's within the confines of the cloud service (and assuming one doesn't screw it up by unchecking the wrong box). If the internet is used as a cloud-based document repository, then those files will descend from the cloud at some point (which seems pretty likely for PDFs). Will they be downloaded to a laptop or a desktop? Backed up to tape? Copied over to a USB drive? Emailed as an attachment?
    In each case, encrypting a file is basically the only way to secure the data. And if so, if the files are being uploaded and downloaded from the cloud, why not encrypt them before doing anything at all? The risk of something going awry may be small, but the expected ramifications are huge if or when something does go wrong.
     
    Related Articles and Sites:
    https://gizmodo.com/data-breach-exposed-medical-records-including-blood-te-1819322884