AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
AlertBoot Endpoint Security

April 2018 - Posts

  • Florida Government Hard Drives Stolen For Games

    Many, if not most, data security professionals will tell you that you should run a risk assessment and accordingly develop your plans for securing information, sensitive or otherwise. Then there are others who will counsel that one should secure as much as possible: obviously protect what represents a high risk situation, but never discount the possibilities of what seems like a low or no-risk situation blowing up beyond expectations.
    The idea is that the legal, financial, and public relations fallout of a data breach is comparable regardless of the initial risk classification.
    For example, one might recommend that disk encryption be deployed to all computers – not just laptops – because it's never guaranteed that a desktop computer won't be leaving a business's premises in an unapproved manner. There is history to back this up: burglaries; theft or loss of computers that have fallen into disuse and put into "temporary" storage; computers where information was inadequately scrubbed (or not at all) before being retired; etc., have been reported in the media over the years.
    The motives behind such data breaches are as varied as the data breaches themselves. Some people may be after the data. Others may want to replace their aging computer back home. Yet others may be looking to flip the hardware on craigslist. And, of course, there is the time-honored, ever-surging, never-can-kill-it "oops" situation.
    And then you have the guy who really, really wants to play Xbox.

    Custodian Swipes Hard Drives

    According to wtxl.com and other sources, a Florida man was arrested for stealing hard drives from the Florida Department of Revenue. The hard drives contained taxpayer information and their disappearance, needless to say, triggered a data breach.
    A swift investigation led to one Andru Reed, a 21 year-old who eventually admitted to the theft. Reed confessed that he had stolen four hard drives so that he could connect them to his Xbox and download video games. Law enforcement is still conducting data forensics to sniff out any conflicts in Reed's story, but they're pretty certain that the taxpayer data was never accessed.
    How was Reed able to steal these hard drives? Pretty easily. He was a custodian who was working the premises. So, he didn't have to "Mission Impossible" himself into the offices. He just walked in. Furthermore, the four hard drives in question were external hard drives. All he had to do was pick them up, ideally when no one was watching (which, apparently, he bungled: when the police started the investigation, employees in the office mentioned seeing Reed acting suspiciously).

    Encrypted or Not?

    As noted before, there are competing schools of thought when it comes to data security. The loss or theft of external hard drives can be deemed a low data risk situation if they never leave a secure area.
    That's a big if, though. Security breaches where employees or outside contractors purposefully steal sensitive data, usually to sell to legal and illegal data brokers, are not unusual. So, did the Florida Department of Revenue (FDR) encrypt these hard drives or not?
    We don't know. The March 27 statement from the FDR is pretty nebulous:
    At this time, we are taking all necessary precautions to review the established physical and digital internal security procedures to ensure uniform implementation across the Department. If after the full investigation it is found that any employee did not take the proper steps to protect taxpayer information they will be held accountable. [floridarevenue.com]
    And then on April 17:
    Through the details presented, we are confident that the information on the drives was not accessed. As a result of the Department of Revenue’s thorough processes and procedures to monitor and maintain equipment, we were able to rapidly identify and report the property missing. [floridarevenue.com]
    Florida, like most US states, has a data breach notification law. It states that notifications to individuals must be made no later than 30 days after the breach has been identified. If encryption was not used on any of the four storage devices, it will be known before the month is over. (That the drives were recovered does not negate that a breach took place).
    For the time being, for speculation purposes, all signs appear to point towards encryption not being used: the public announcement, which is required by law; the weeks-long digital forensics (it really shouldn't be taking that long with encryption in place); and the lack of the word encryption in any materials covering the case (it's usually mentioned if it was present).
    On the other hand, the words "data breach" are not linked to this situation in any form whatsoever. The fact that the theft and the recovery have been dealt with by the media without alluding to a data breach is unusual, and reason enough to wonder whether the external hard drives were secured correctly after all.
    Related Articles and Sites:
    https://gizmodo.com/florida-cops-missing-hard-drives-with-taxpayer-info-we-1825352653
    http://www.tampabay.com/florida-politics/buzz/2018/04/17/missing-revenue-department-hard-drives-found-suspect-arrested/
    http://www.wtxl.com/news/fdle-tallahassee-man-charged-for-intellectual-property-computer-crimes/article_056c9876-427b-11e8-acf9-f74cf555c91a.html
    http://floridarevenue.com/Pages/media.aspx
  • Panera Data Breach: Further Proof That People Need Strong Data Security Laws

    Panera Bread has a public relations fiasco on its hands. It has embroiled itself in one of the most tragicomic data breaches the world has seen in a while, a breach that could have been easily avoided.

    Dylan Houlihan, the finder and eventual whistleblower of the security issue, has written a post providing the authoritative breakdown of what happened and when. The story can be summarized thus:

    • Dylan finds a security issue – the leaking of customers' personal information – at Panera's website and contacts the company.
    • Panera eventually acknowledges the issue and promises a fix.
    • Eight months later, with no fix, Dylan reaches out to someone who can effect change via public pressure.
    • Panera fixes the problem within hours of being contacted by Brian Krebs, the security blogger at krebsonsecurity.com.
    • Further poking around shows that Panera didn't really fix anything. Furthermore, the poking around shows that the same problem exists in various places across Panera's online presence.
    • This finding blows holes in Panera's public announcement that they "take data security issues seriously."
    • Panera takes down their entire online presence, which is still down 48 hours after the entire fiasco first made news.

    Of course, one of the bigger questions is, if Panera was really able to fix the thing in two hours, what was it doing dragging its butt for eight months? In hindsight, it's obvious that they couldn't and didn't. And, seeing how 48 hours after the story broke, panerabread.com's homepage is showing essentially a 404 page, we can strongly presume that they still don't have a handle on the problem.

    Which further leads one to believe that they didn't spend the past eight months trying to fix the problem at all.

    What Does the Panera Bread Fiasco Show Us?

    Panera's actions are, unfortunately, not an exception to the rule. Certainly, there are plenty of companies that have tried to do right by their customers, either because they feel it's their duty or because it's the law, or some combination of the two.

    Then we have the companies like Equifax, Yahoo, Facebook, and others that offer some canned words about taking data security seriously…but an investigation shows otherwise. Panera looks like it might be joining this disgraced group. (While Facebook is promising change – and by the looks of recent events, they may mean it – it's still fair to lump them in this category because the internet giant has a history).

    The fact that some of the biggest, most powerful companies in the US (possibly in the world) are acting in this manner proves that the US needs strong data privacy laws. Now, some may point out that we only get to hear of the companies that failed in securing their data; thus, it makes it "seem" as if most companies are not doing anything to secure data, but that's far from the case.

    However, that the companies with the money to do something are caught being cavalier about data security issues can only give weight to the thought that those with less money are probably doing even less security-wise… or, at least, not the most they could be doing. And even if this is not the case, it wouldn't be wrong to assume that current data security laws had a strong hand in ensuring, ah, shall we say, not-so-reprehensible responses.

    Like fixing obvious data security problems, going public with the breach, offering credit monitoring – all things that are codified in state laws (although not all states have identical laws).

    Don't hold your breath on those stronger data security laws, though.

    Recently, thirty-two state Attorneys General sent a letter to Congress noting that the proposed federal "Data Acquisition and Technology Accountability and Security Act" replaces stronger state-level privacy laws. And, as they point out, this would essentially give companies like Equifax a slap on the wrist if they experience data breaches.

    Related Articles and Sites:

    https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815
    https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
    https://uspirg.org/blogs/blog/usp/32-state-attorneys-general-congress-dont-replace-our-stronger-privacy-laws
    https://www.theverge.com/2018/4/4/17200034/facebook-broke-tinder-down-privacy-api-fixes