AlertBoot Endpoint Security Blog

Drive Encryption Software: VA Experiences New Breach, Signs Point To Better Security

sang_lee — Sat, 13 Mar 2010 00:43:00 GMT

The Veteran Affairs (VA) Department has announced a breach of patient data, which is reminiscent of a breach back in 2006. However, based on the response the VA took, I'd say that they've definitely gotten better at handing data security. And, it's not because they've gone ahead and used data encryption like AlertBoot on their laptops.

Physician Assistant Stores Data On Personal Laptop

The entire situation was blown wide open when a nurse scientist alerted the compliance officer that a physician assistant would not destroy illegitimately-obtained VA patient information from her personal laptop. The physician assistant resigned on February 26 due to subsequent events.

Apparently, the physician assistant had two sets of patient data: one set with three years of information and the other with more than 18 years' worth of data. Despite what seems to be an inordinate amount of information, the VA's CIO has noted that:

"The employee in question was never able to connect her unencrypted laptop to the VA network. Port-blocking technologies are enforced in Atlanta, and she was denied access. Thus, no ‘downloading' of information ever occurred. Any information existent on the personal laptop was hand-entered, and as you point out this violates all kinds of policies and training at the VA."

Of course, that doesn't make sense: I mean, 18 years' worth data is "hand entered?" That physician assistant is going to need some medical assistance herself, on her wrist, especially when you consider she started working at the VA on October 2009.

There are reports, however, that the VA inspector general is investigating the possible use by the physician assistant of USB flash drives to transfer the data to her laptop.

Why did the physician assistant have all this data? They were for an unapproved research project, according to the inspector general's office.

Layers Of Security Includes Employee Education

While there was a data breach in the technical sense, we can see from the above that the VA department has made great strides in their data security. To begin with, I know that disk encryption is used on all VA-issued laptops, the deployment of encryption software having been completed last year (if memory serves, regarding the completion of the project).

But, as the above story shows, it's not just the use of encryption that guarantees the security of patient information. While there is the need for many tools--notice the presence of port-blocking for non-VA laptops mentioned the VA's CIO--ultimately, it's people that will make a difference on whether data will remain secure or not.

This is especially true when it comes to people who are supposed to have access to the data but decide to repurpose that information for other uses. Not that I'm saying there should be a culture of employees spying on each other. However, when people become aware of unauthorized uses, procedures, etc, people need to know that they should come forward and rectify the situation, like the nurse scientist did in the above case.

Full Disk Encryption: Not Really Understood By People, Hints Ponemon Study

sang_lee — Fri, 12 Mar 2010 03:27:00 GMT

So I'm continuing to read the new report released by Absolute and the Ponemon Institute, and their survey seems to back up what I've felt for a long time: people don't really understand what disk encryption software does, even when they sign up for it.

Consider the following result:

Assuming their laptops are encrypted, 57 percent of business managers believe there is no chance or less than a 10 percent chance of having their sensitive information accessed if they should access an insecure wireless network. In contrast, only 27 percent of IT security practitioners are confident that there would be zero or less than a 10 percent chance of losing data when accessing an insecure wireless network. [my emphasis]

What's jawdropping to me is that figure of 27% for IT security practitioners. Granted, this may be because of how the survey question is interpreted:

Q11b. If you were accessing the Internet from an insecure wireless network, what do you think is the probability that someone else would be able to access your sensitive or confidential information assuming the laptop computer had an encryption solution? [my emphasis]

I should point out that "laptops are encrypted" and "laptop computer had an encryption solution" can be interpreted differently. The former implies, at least to me, the use of a full disk encryption solution, whereas the latter could include disk encryption as well as file or folder encryption solutions.

If all of your files or folders are encrypted, I can understand why some security professionals would think using an insecure wireless network wouldn't lead to a data breach: the information is encrypted no matter what. If someone intercepts an encrypted attachment because it's traveling through an unsecured network, the contents of that attachment are still secure.

Full Disk Encryption (FDE) - Your Encrypting Your Disk, Not Your Data

However, when it comes to an encryption solution like FDE, one can't assume his data will be protected when using insecure wireless networks.

Consider this example using a more familiar product: the owner of a strongbox puts the key into the strongbox and opens it to work with the contents of the strongbox. In such a state, the strongbox cannot protect its contents until it's closed and locked again.

Likewise with FDE: the disk with encryption is the strongbox, the data is the content of the strongbox, and the password is the key to the strongbox. As long as a user is working on an encrypted computer, the contents/data are vulnerable.

Also, just like with the strongbox, if you copy data off a computer that employs full disk encryption--say, to an unprotected USB flashdrive or e-mailed to a co-worker--that data will not be encrypted any longer because it's not on your encrypted drive anymore. This is a crucial point to understand.

FDE doesn't encrypt your data; it encrypts your hard drive. Since your data is saved to the protected hard drive, your data is protected as well...but only as long as it's on that drive. Again, e-mail it, and it won't be protected anymore. And, like I noted, FDE cannot protect your data while you're using the computer.

In many instances, I use the strongbox as a metaphor, and people quickly understand what FDE solutions like AlertBoot can and cannot do when it comes to data protection.

Data Encryption Software: Proving That Your Lost Laptop Was Encrypted

sang_lee — Thu, 11 Mar 2010 03:03:00 GMT

44% report they were able to prove the use of encryption

Proving encryption was used is important: regulators

Third parties for resolving conflict of interest

Absolute Software and the Ponemon Institute have come out with a number of reports on the "human factor" when it comes to data security. It turns out that a huge factor when it comes to data security is people (just like Soylent Green); nothing surprising there. For example, business managers think that their laptop computer is secure once hard disk encryption is in place.

IT managers, on the other, realize that they still need to employ other forms or security, such as using cable locks on their laptops. However, what really caught my eye is the following:

Ninety-five percent of IT practitioners report that someone in their organization has had a laptop lost or stolen and 72 percent report that it resulted in a data breach. Only 44 percent report that the organization was able to prove the contents were encrypted.

In other words, slightly more than half of those surveyed were unable to provide evidence that sensitive information was encrypted--even if they had it in place!

Prove It

Not being able to provide positive proof of encryption is problematic for at least a couple of reasons.

First, it makes one wonder how the IT department knows which machines were protected and which ones weren't. Sure, one could send a command for "all computers" to be protected over a network. However, the IT department still needs to follow up and ensure that those machines are indeed protected. I mean, what if the process failed, possibly because a number of machines were unpatched with the latest updates? There are so many things that could go wrong.

Remember, the point is not to go through motions--pushing buttons on a software package--but to safeguard sensitive, confidential data.

Second, how else are you going to convince regulators, state attorneys general, and the like that you did have adequate protection on a machine? You need some kind of proof other than, "Bob from the IT department KNOWS that machine was encrypted." You have to be able to put forward something other than a guy's word.

Conflict of Interest - Managed Encryption

Many companies opt for in-house deployment of encryption software (which I encourage, if that's what your company needs; and that's saying something, since what we at AlertBoot offer is a managed encryption service--disk security as a service, if you will) because of security concerns.

I've found out that in significant instances, clients will opt for outsourced encryption like AlertBoot despite their misgivings.

Initially, I figured it was due to the cost savings involved with managed encryption services: no need to invest in more hardware; no need to update and upgrade, both hardware and software; no need for ongoing maintenance; etc.

Turns out that a chief consideration among these clients was the conflict of interest when it comes to proving that their machines are encrypted: When people are accused of lying and doctoring documents, how can a company prove--without a trace of doubt--that a computer is indeed protected?

The answer: get an outside organization to take care of it. Essentially, the idea is that "Chinese Walls" don't work, and the guys in the IT department can feel as much pressure to do questionable things as, say, accountants. After all, they have the same boss.

Of course, the clients wanted to make sure that the ability to audit the encryption status of their machines was accurate (one might say this borders on cynicism and paranoia, but I'd disagree: do you know how many reports I read where hard drives bought from on-line auction sites still contain confidential data, in certain cases confidential corporate data? In many such instances, outside contractors hired to pulverize a disk just sold it).

The true cynic, naturally, would point out that third-parties are as likely to succumb to corporate pressure: Arthur Andersen's financial audit of Enron, for example, is now considered a classic case.

However, remember that at the time there five large accounting firms (the so-called Big Five): the other four firms didn't succumb to the same pressure, which is the rule, not the exception.

Disk Encryption: Server Stolen From McNair Eye Center

sang_lee — Wed, 10 Mar 2010 02:17:00 GMT

McNair Eye Center on Industrial Park Road, Arkansas, has had a data breach that could affect 9,000 patients. A server, which I'll assume was not protected with data encryption software like AlertBoot, was stolen.

Burglars Target Server Only?

The server was stolen from McNair Eye Center (as opposed to a break-in at a data center). The burglars entered the building by pulling a window air conditioning unit. They also had the sense to turn security cameras towards walls. Me thinks that these people knew the lay of the land beforehand. Wouldn't be surprised if this was an inside job.

According to the article by thesuntimes.com, only the server was taken, which was "very heavy." No details on the actual weight.

Size Not A Factor When It Comes To Computer Security

I've often found that many people don't really think of encryption software as a necessary precaution for their servers, whereas they might ponder on it a bit if we were talking about laptops. Generally, there's two reasons for the lack of enthusiasm on encrypting servers.

First reason: it slows down the server. This is true but must be put into context: most people won't really notice the difference.

If you process as much data as Google, yes, you'll definitely feel the lag. But if you happen to be a smaller business, like our clinic above, chances are "slowing down the server" doesn't quite mean "slow performance," just like a car going down the highway at 120 mph is slower than one going at 150 mph but by no means slow.

Second reason: servers are heavy. Yes, they are. They're heavy...er than a laptop, but not so heavy that a guy would have a problem stealing it. I mean, let's face it, a guy put the server there so chances are another guy can take it away. What kind of security is that?

(Pointing out that there are other forms of security, such as locked doors and whatnot, do not count. The same security would be present if the server in question was a laptop. But, people would cry foul for not having the information encrypted if it actually was a laptop.)

Besides, even if a server is super heavy (say, the size of a mainframe) so that it cannot be stolen, where is the guarantee that the data on that server cannot be stolen? A guy could connect an external disk and copy off data from that server with the instruction of a few commands.

Data Encryption Required: MA Property Managers And Data Protection

sang_lee — Tue, 09 Mar 2010 03:02:00 GMT

I found an interesting article over at meeb.com, lawyers that seem to specialize in real estate and properties. I was looking up 201 CMR 17.00 compliance information--the compliance date was March 1, 2010--and happened upon how condominium managers are affected by Massachusetts's data breach notification and encryption laws.

201 CMR 17 - Encrypt Your Information Or Face Fines of $5,000 Per Violation

As already discussed a couple of times previously, MA 201 CMR 17 penalties have some teeth to them (maximum of $5,000 per violation, although it's not quite yet known what "violation" means exactly: per file? Per name of resident affected? Per computer lost?)

Obviously, many businesses are affected by this law. However, I kind of forgot that it's a data protection law, not a "consumer" data protection law. Which is why the fact that condo managers need to follow this law came as something of a surprise, although it shouldn't have.

Direct Payment and Employees

Why do condo managers need to see if they're in compliance with 201 CMR 17? For two reasons, at least:

They have employees. If a company has any employees--even just one--it is required to keep W-4 and I-9 forms (for tax withholding and employment eligibility verification). These forms require first and last names; SSNs and/or other forms of identifying information; and are to be retained by a company for at least three years. Obviously, this data has to be protected per 201 CMR 17.

Direct payment / Automatic withdrawal. As noted in the article, many property management companies make available a direct payment program, where a biller automatically withdraws money from a person's bank account. Financial information--such as bank account numbers--is also required to be protected from breaches if they happen to be combined with first and last names.

Guess who's making a trip down to the lobby, where the management office is, to see if his information is protected?

Remember: Affects Digital and Paper Documents

One thing to constantly keep in mind is that this is an information breach law. The fines and penalties apply even if a file full of paper documents are lost. For example, a folder full of direct payment authorization documents are lost? Chances are you'll be fined for that, assuming the folder was not secured in a locking file cabinet.

What's important is not what form the information takes. Ensure that you're not just concentrating your efforts on laptop encryption like AlertBoot, internet firewalls, anti-virus software, and the like.

Related Articles and Sites:
http://www.meeb.com/articles/ID%20theft.pdf

Laptop Encryption Software: Arrow Electronics Goes Public With Data Breach

sang_lee — Tue, 09 Mar 2010 00:58:00 GMT

Arrow Electronics has notified the New Hampshire Attorney General's office that they have recently experienced a data breach, and have sent out breach notification letters to all who are potentially affected. It looks like disk encryption and other security products and services, such as AlertBoot, were not used in this case.

Personal (Not And Corporate) Credit Card Info Stolen

The breach took place on February 18, when burglars broke into Arrow's New York office and stole a laptop computer. Via backups, it was determined that the stolen device contained the personal information for over 4,000 employees (current and former).

The personal information included names, addresses, and telephone numbers. In some instances SSNs were included, as well as corporate and personal credit card numbers--including the security codes and expiration dates.

Which is disturbing. Why would my employer need to know my personal credit card information? I'm sure there must be a logical explanation, but still seems unusual.

It appears that the breach of credit card information is relegated to those who used company-issued BlackBerries, wireless AirCards, and calling card services.

Arrow Electronics is offering the credit monitoring services.

Backups Are Important

And not just for obvious reasons. Obviously, computer data backups, whether it be just important files or the contents of an entire hard drive, are necessary because one never knows when an emergency or disaster is going to strike. I mean, that's why they're called emergencies, right?

But, in this new world where computers are stolen, not because of their hardware value, but because of the data that's in them, only backups allow a company to determine the true extent of a data breach. One of the things you definitely do not want to do is rely upon people's memories to make that determination.

Plenty of companies have done that initially--perhaps as a means of speeding up their notifications to various agencies--only to later find via their backups that even more people are involved, or that other, sensitive data was present in stolen machines. People's memories are fallible, and it seems to be even more true when dealing with emergencies.

So, when drafting up your data security plans, definitely make sure encryption software for your computers is in place. But, also make sure you've got adequate backup plans as well, for the obvious reasons as well as the not-so-obvious ones, such as legal compliance and notifications.

This is especially true if you operate in more than one state. Breach notification rules vary from state to state, and there are those that don't provide safe harbor due to the use of encryption as a means of data protection.

Why Do Companies Not Pay A Fine For A Data Breach?

sang_lee — Sat, 06 Mar 2010 04:09:00 GMT

Data Breach Notification Laws - Pretty Much All States Have Theirs

The landmark California regulation that was passed in 2002 requires companies to go public when they've experienced a data breach. Today, eight years later, most states have passed their own version of that seminal legislation, and even the federal government is debating whether to pass one. Other nations have passed similar laws as well.

The legislation varies state by state: for example, many US states provide safe harbor from sending data breach notification letters to clients if the information was protected with encryption software like AlertBoot endpoint encryption; other states do not. Some states allow companies to determine whether a breach notification is necessary; other states do not.

But there is one thing in common among all the states' laws: in no instance do the laws penalize a company for suffering a data breach, as far as I can tell. Instead penalties and fines are assessed for instances where a company does not report a data breach, assuming such legislation is in place.

Technically, if a junior banker loses a laptop full of client account numbers and routing codes, because he decided to take said laptop on an all-night partying and drinking binge, well, the company's safe as long as they report the data breach. (And, again, in some states they're OK even if they don't report it.)

Of course, the public relations fallout and any other regulators--from the banking associations, for example--might not be as forgiving about the breach. And the same goes for the bank in relation to the junior banker: he most probably will get fired. However, it still remains that the breach laws cannot penalize the company.

Which is weird. Generally, the law tends to ensure penalties are assessed for things that are bad for society. And personal information data breaches are bad for society. So what's going on here?

Encouraging Companies To Come Forward

Well, the problem lies in that no one wants to come forward regarding a data breach. Companies especially don't want to come forward if they're going to be penalized as a result. Sure, maybe a company has in its mission statement something about the "welfare of their clients" and whatnot, but consider the financial impact of a breach:

Cost of notifying clients (the law usually requires first class mail)

Cost of setting up toll-free numbers where clients can call for more information

Cost of running security audits; patching and updating weaknesses; etc.

Costs for defending against lawsuits due to the breach

Cost in offering identity theft protection, credit protection, etc.

Costs associated with lost productivity--someone's got to run and write the reports to show to auditors and others

Potential costs of client turnover

Tack on substantive fines on top of these and, of course, the hiring of lawyers to defend the company against levying such fines (companies have to pretty much defend themselves against everything; to do otherwise would mean the C-level guys are in breach of their fiduciary duties to shareholders), and you've got to imagine that some companies will not be as forthcoming.

At the same time, one's got to admit that there's no way to prevent data breaches 100%--the flipside of that coin meaning that the chances of a breach are pretty much 100%. When you know that the chances of a breach equal certainty, well, does assigning penalties even make sense?

Consider, too, the reason behind breach notifications: ultimately, it's the companies' clients--you know, people, average joes--that are disaffected. Hiding a data breach, or not reporting it as soon as possible, means that it's the clients that will suffer the most.

It only makes sense that there wouldn't be any legislation gunning for companies that have a data breach: the idea is to encourage companies to do the right thing and come forward.

Incidentally, that's the reason why companies are penalized for not reporting a data breach: another encouragement for doing the right thing. And, of course, the safe harbor provided by many states when employing encryption is basically to encourage companies to use this method of data protection.

Can't We Be More Active When It Comes To Data Security?

The problem with these breach notification laws is that they're a form of defense after the crime. An ounce of prevention is worth a pound of cure, right? So is there any way to be more proactive when it comes to data breaches?

Well, it's debatable. Let's say the government passes a law requiring the use of disk encryption on any laptops that may contain sensitive information--not ifs and buts. Well, that's great and all, but what's important is not that the laws were passed; the point is whether people comply with those laws. Otherwise, we're still stuck in the same situation.

How can we tell that companies are complying with such laws, assuming they are passed? The only way to know for sure is to inspect companies, by performing an audit. Just like the Health Department does when inspecting restaurants for health code violations.

Obviously, the government can't audit all companies. And, auditing the top companies only--say, Fortune 1000--would not quite make a dent on the problem: Census stats show that firms with 500+ employees comprise less than 1% of all firms in the US, but breaches of massive amounts of data can come from pretty much anywhere.

You can see where this is going: it's going to be pretty much impossible to ensure everyone's following a law designed for better data security and enforce it.

Responsibility at the Individual Level

Personally, I don't think that auditing all companies would even work, even if it were possible. We must remember that it's generally people that are allowing breaches to occur: sure, hackers can gain access to sensitive information on databases due to patches not being applied correctly; because there are bugs in the code; etc.

But, a good 33% of the data breaches in the US occur due to good, old theft: break-ins to cars and homes, loss and misplacement, surreptitious lifting while at the coffee shop, etc.

Considering this, legislation that penalizes companies may not necessarily be the answer.

Related Sites and Articles:
http://www.census.gov/epcd/www/smallbus.html

Data Encryption Vs. Seven Years Of Credit Monitoring

sang_lee — Fri, 05 Mar 2010 00:36:00 GMT

The Iowa Racing and Gaming Commission is offering people an unprecedented 7 years of fraud alerts on their credit reports. That's the result of a January data breach where 80,000 people's sensitive information was potentially compromised. (There's no way the utilization of encryption software like AlertBoot would have helped in this case, since the breach was a result of an unpatched firewall).

Residents From 7 States Affected: Jockeys, Slot Machine Technicians, ETC

The state started notifying employees on January 26 that their information was breached. A third-party contractor had forgotten to patch a firewall, which allowed hackers--possibly from China--to gain access to the Iowa Communications Network.

There appears to be a dispute whether having had all patches would have prevented the breach:

"There is nothing to show that even if all the patches had been installed, they still wouldn't have gotten in because they had already gotten through the state's firewall," said Robert Keller, chief technology officer, Ambient Consulting of Minneapolis.[SC Magazine]

Huh? Maybe Keller was misquoted--that's one weird proclamation to make; "they still wouldn't have gotten in?" That makes it sound as if the hackers never made it into the network...

Anyhow, hackers were able to gain access to the gaming commission's database, although it's hard to tell whether any information was downloaded.

The attack compromised the information of employees, such as jockeys, trainers, card dealers, horse and greyhound owners (technically, not employees, I would imagine), etc.

Seven Years of Fraud Alerts

I don't think I've ever seen more than 3 years offered for fraud alerts when similar information was breached. Seven years! Assuming that 100% of the people take up this offer, and assuming that the Iowa Racing and Gaming Commission was able to get a deal where the annual cost, over those seven years, is $5 on average...that would end up costing $2.8 million.

Potentially three million bucks for an unpatched firewall. Of course, you could say that that's the gaming commission's own doing: they could have offered two years of fraud alerts, just like everyone else.

On the other hand, if one's truly concerned about people and wants to help them, seven years' worth of protection is probably much more realistic. It's not unknown for criminals to steal data and then wait a couple of years to use it. Not because most companies offer two year's worth of credit protection, fraud alert, and other forms of minimizing identity theft.

Rather, the waiting period pretty much hides the criminals' traces: once people find out they've become victims, they have no idea where their information could have possibly been breached from. At least, that was the case before states started passing laws regarding data breach notifications.

However, criminals would probably not extend their waiting period to seven years. Can you imagine any organization waiting seven years for a payoff? Especially when there is so much fish in the sea?

Disk Encryption Software: UK Oldham Council Breached Again, Why Data Security Requires Layers

sang_lee — Thu, 04 Mar 2010 02:14:00 GMT

The Manchester Evening News is reporting that the Oldham council in the UK has experienced another data breach. This follows an ordeal where the same council lost 17 laptops, stolen by a guy pushing a trashcan on wheels. The need for data encryption like AlertBoot endpoint encryption was quite apparent in that instance.

Security Updates, Lots Of Money Spent

While an actual figure has not been reported yet, the Oldham council invested in a host of security updates when the 17 laptops were stolen, including computerized swipe card systems.

So, this recent data breach--where sensitive documents went missing--came as something of a shock. According to MEN, "the authority reveals the latest swoop and urges staff to lock their laptops away. It is thought that despite the new systems, bosses do not know exactly when the theft took place."

Well, that's not surprising, really. To begin with, computerized swipe cards, while arguably better than your average keys, are still susceptible to the same weaknesses: theft and loss of keys (cards); forcing the doors open; holding the door for strangers (the khaki bandit from three years ago took the cake in that area); etc.

Swipe cards, in more ways than not, are really more about convenience, not necessarily better security. For example, if an employee needs access to a general area and two separate secure areas, he'd have to carry three keys or just one card programmed with access to all three areas. The thing to note is that, ultimately, the security is provided by doors; whether they're unlocked by key or card does not contribute towards better security.

And, once you are made aware of this, you'll understand why laptops should have been locked away regardless of these new-fangled doors used by the Oldham council. Nothing has changed, really, except that things feel more secure.

Dealing With Different "Security"

I'm not sure whether encryption software was part of the security update, although I've got to imagine that it was. It would have been the first thing I would have sprung for if I was really interested in protecting sensitive information.

The council is effectively dealing with different types of security scenarios. One is physical security/asset security and the other is data security. Seeing how this entire security overhaul was prompted by the theft of laptops with sensitive data, the keywords being sensitive data, it only makes sense that they would have used encryption on any remaining and new laptops.

Of course, that doesn't do much for sensitive paper documents. These, as always, should be locked up at the end of the day.

Laptop Encryption Software And Wi-Fi: Signals Lead To Break-Ins, Theft (Updated)

sang_lee — Wed, 03 Mar 2010 01:50:00 GMT

A couple of days back I read an article describing how thieves in Jamaica use wi-fi detectors to find laptops in parked cars. I couldn't quite make sense of it, and dropped the matter despite being interesting. Hard disk encryption like AlertBoot would be extremely useful if this were true, since the protection of data becomes even more paramount. I mean, thieves can now find your laptop despite your best intentions to hide it?

(Please jump to the bottom for an update)

Only Affects Laptops That Are Not Fully Shut Down

I notice today, however, that Credant Technologies has warned laptop owners to shut down their laptops completely, or at least turn their wi-fi signals off when laptops are put away, with a direct reference to the "Jamaica news" I had read.

According to Credant, it can take up to half an hour for a computer to actually turn off when it is put into sleep mode by closing the laptop lid; and that long for the wi-fi signal to turn off as well. While it's still up and running, a wi-fi signal locator can be used to find the laptop.

This is the part that puzzles me. I've used a wi-fi signal locator, and never have I had it point to anything other than an internet access point, like a router or such. I mean, when I'm at a Starbucks, and there are dozens of customers pecking away at their machines, and I hit the button on the signal locator...I don't see 13 signals; I see the one wi-fi connection offered by Starbucks.

I've done some research on-line, though, and it looks like detecting laptops as a wi-fi access point happens often enough.

Same Problem Affects Bluetooth?

In hindsight, perhaps this is not so surprising. There were reports, back in 2005, that laptops with Bluetooth connectivity were being stolen from cars. Thieves used Bluetooth-enabled phones to find the laptops, so it didn't matter whether people placed their computers out of sight: inside the trunk, beneath the passenger seat, in an inconspicuous plastic bag, etc.

If I'm not wrong, though, further updates to Bluetooth put an end to those shenanigans...

How Prevalent Is The Problem?

I've got to say I'm pretty skeptical about thefts happening in either way. Maybe I'm just anchoring on my own personal experience, but it just doesn't seem to make sense nor happen frequently enough.

If anything, the tried-and-true method of thieves waiting in parking lots and observing drivers place their laptops in their car trunks seems like a better option. This way, they can get machines that are fully shut off as well as the ones that are in sleep mode.

Regardless, leaving a laptop behind in your car is always a bad idea, especially if you're carrying around sensitive data and the information is not protected with encryption software. Remember, people hardly ever get fired for having a laptop stolen. But having a laptop with sensitive information stolen? That's an entirely different story.

Update, March 03, 2010

Well, several other sources have picked up on the story, including Wired, and I guess I gave Credant waaaay too much credence: Wired points out that the article--a press release, actually--was written up by a person in marketing (Wired link at the bottom). OK, I can understand that I've been had. At least I can take comfort that in the fact that I didn't believe the story nilly-willy the first time I heard of it.

Disk Encryption: Shands HealthCare Loses Laptop, 12500 Notified

sang_lee — Tue, 02 Mar 2010 01:47:00 GMT

Shands HealthCare has notified approximately 12,500 patients and referrals that there was a information security breach when a laptop was stolen during a burglary. Hard drive encryption was not used to protect the contents of the stolen computer.

Burglary at Employee Home

The theft took place on January 27, at the home an employee of Shands HealthCare. The employee had downloaded sensitive information to a company computer and taken it home for "work-related purposes."

The breached patient data includes "names, addresses, physician name, medical record numbers and abbreviated medical procedure or condition codes. The laptop also contained the Social Security numbers of about 650 people."

HIPAA Violation?

I'm not a lawyer, but the last time I checked, patient data needs to be kept secure. One of the conditions I've often noticed is that sensitive data must be kept in a secure environment at all times.

For example, files need to be kept in a locked file cabinet. Doors to data repositories must be kept locked (a closet full of patient charts, e.g.). Computer monitors must be facing away from hallways and windows, in case someone's able to read the screen over the shoulder of an authorized person. The list goes on and on (and on).

If I'm not wrong, digital data need not be encrypted, but it is highly encouraged--unless, of course, the data happens to be in an unsecure environment; in that case, there is little alternative to the use of encryption software.

Now, arguably, someone's home or car is a safe environment. I mean, they've got locks on doors as well. On the other hand, car and home burglaries are myriad, and not just because there's more of these than hospitals. Generally speaking, hospitals tend to be more secure environments, despite their "open" structure: besides patient data, they've got to ensure those vials of medical cocaine and other hard-hitting drugs are not accessed by some random guy.

Security in hospitals has always been of paramount importance, and securing a vial of controlled substances is no different from securing a laptop. Your average home doesn't have such a setup.

So...let's trace our steps, shall we? The employee downloads patient information to a work-issued computer for work-related purposes...and the machine is not protected with encryption? Sounds to me that Shands is in a lot of trouble.

Fixing The Stable Afterwards

"Shands leaders have since launched a systemwide encryption initiative to better safeguard protected health information stored on Shands-owned computers, laptops and other portable communications devices as well as on employee-owned devices used to support Shands work."

Well, I guess they're going in the right direction. One of the notable things in the above announcement is that the company is going as far as encrypting employee-owned devices.

Which makes sense: once an employee is authorized to work out of home, that person may opt to use their home machines vs. their work machine, assuming they were issued one. Why? For starters, perhaps his home machine is a brand new one, and it feels "faster," meaning that work will also finish "faster."

The only thing to remember is that encryption does not offer a panacea to all the data security risks out there. For example, I don't doubt that a Trojan that harvests SSNs exists out there in the wild. While whole disk encryption can prevent a lot of ills, it's ineffective against such threats, and a different security product is required.

Related Articles and Sites:
http://shands.org/news/archive/NewsDetails.asp?ID=496

Drive Encryption Software: Arkansas National Guard Hard Drive Missing

sang_lee — Mon, 01 Mar 2010 17:06:00 GMT

The Arkansas National Guard has announced that a backup hard drive has gone missing. The drive, which contained sensitive information on current and former soldiers, was not protected with full disk encryption like AlertBoot endpoint security software.

Discovered Missing on February 15; Had Information For Past 6 Years

A search for the missing drive has turned up nothing. It is currently unknown whether the hard drive is stolen, just missing, or misplaced.

Names, Social Security numbers, and other personal information were present on the disk, and primarily involve soldiers that served with the "Arkansas Guard’s 1st Battalion, 153rd Infantry Regiment of the 39th Infantry Brigade Combat Team, from January 2004 to March 2009."

The drive may also include information for soldiers from the "39th Brigade Special Troops Battalion from April 2009 to the present."

One thing to note is that the Arkansas National Guard is warning soldiers to monitor their bank statements from November 2009 onwards. Apparently, that's when the last backup was made ("when the device was last used"). In other words, someone noticed that the drive was missing on February 15; they have no idea, however, when the hard dive actually went missing.

One of the things that worries me about the situation, aside from ID theft and the like, is that the Arkansas National Guard apparently makes backups only every four months. That's kind of a long time between backups, no?

Whole Disk Encryption For Securing Information

The National Guard ought to have used encryption software to protect the contents of this hard drive; that goes without saying. And, when you think about it, it would have been very easy. Consider AlertBoot.

One of the settings in AlertBoot is to automatically encrypt any external data devices when connected to an encrypted computer. (The idea is that, since copying information off of an encrypted computer means the data won't be protected in the transferred medium, we'll encrypt the new one as well.)

This external hard drive, used as a backup, would have been protected with the same level of encryption found on the original computer.

Furthermore, the encryption policies would allow the drive to work with a group of computers to which the original computer belongs. In other words, the same external drive can be used for backing up data on a different computer at the military base, but plug it into your home computer and the data cannot be accessed.

With whole disk encryption, there would have been a virtual guarantee that there wouldn't be a data breach. As it stands, the affected servicemen can only hope that there won't be one.

Virginia Personal Information Data Privacy Notification And Encryption Laws: Va. Code § 18.2-186.6

sang_lee — Sat, 27 Feb 2010 02:44:00 GMT

The state of Virginia's data breach notification law went into effect on July 1, 2008. It is similarly worded to other state legislation in that the use of data encryption software provides safe harbor from costly and embarrassing breach notifications.

It differs in one crucial aspect. Unlike similar state laws, a provision for imposing financial penalties has been included. (Note: I'm not a lawyer, and you should consult with your legal representatives if you experienced a data breach).

Data Encryption Provides Safe Harbor From Breach Notification

Virginia Code § 18.2-186.6 was designed, like many such state legislation, to encourage entities to improve their customers' data security measures. As such, it provides safe harbor when encryption software is used to protect customer data:

If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes...[it] shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay [my emphasis]

This is one of the few laws I've seen where the use of encryption provides a direct relief from going public with a data breach. In most legislation I've seen, safe harbor seems to be provided by defining personal information as "unencrypted data."

I think the reasoning might be, since encrypted personal information is not unecrypted data, by definition it's not personal information anymore--so, losing this encrypted information cannot be constituted as a data breach. A confusing and roundabout way, certainly, but it gets the job done.

It's also one of the few laws that also specifies that encryption is not enough:

...disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft...

Most state laws have not gone as far as taking into the possibility of the encryption keys (or passwords) being compromised as well. While it would be up to the courts to decide upon it, there are criticisms directed at the data breach laws because safe harbor is afforded regardless of whether the encryption in question really provides personal information security, unlike the above.

What Is Considered A Personal Information Security Breach In Virginia?

According to the law a "breach" is:

"Breach of the security of the system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.

Note how the breach is relegated to computerized data only. There are states that are updating their data breach notification laws to include the breach of data stemming from paper documents as well, and barring the passage of a federal law governing data breach notifications, we may very well see an update to account for its absence.

"Personal information" follows the conventional definition found in most state laws. It's the first name (or initial) and last name combined with:

• Social security number
• Driver's license information
• Financial information, such as account numbers, credit card numbers, etc.

What Needs to Be Included In The Customer Notification Letter?

The law is pretty straightforward. To quote it directly:

Notice required by this section shall include a description of the following:
(1) The incident in general terms;
(2) The type of personal information that was subject to the unauthorized access and acquisition;
(3) The general acts of the individual or entity to protect the personal information from further unauthorized access;
(4) A telephone number that the person may call for further information and assistance, if one exists; and
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

Also, if the breach involves more than 1,000 people, the Office of Attorney General must be alerted of the breach without unreasonable delay, as well as consumer reporting agencies.

Notices can be via letter, telephone, "electronic" (meaning what? There is no definition), or a substitute notice. The last is only possible if the cost of notification exceeds $50,000; if more than 100,000 VA residents need to be notified; or if the company that experienced the breach doesn't have contact details for customers.

Penalties

Virginia has given its AG the express ability to impose fines as a penalty (a maximum of $150,000 per incident):

The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Nothing in this section shall limit an individual from recovering direct economic damages from a violation of this section.

The above law, and many others like it, may not require the use of encryption software like AlertBoot; however, they do seem to be pushing hard towards their adoption where sensitive information is concerned.

Why? Because encryption is probably one of the most cost-effective and effective ways of protecting sensitive information.

However, as an entity that collects sensitive information, you must remember that encryption is not a cure-all for your data security needs. Just like the body experiences many ailments--and you have different medication for them--you'll find that your company needs different security prescriptions depending on your company's IT infrastructure.

Full Disk Encryption And Other Considerations: Security Of Corporate Data On Laptops

sang_lee — Fri, 26 Feb 2010 02:10:00 GMT

TechTarget has a list of considerations that midmarket IT managers should take into account when it comes to "securing corporate data for users on the go." The use of disk encryption, such as Alertboot endpoint security, is included. More important, though, it also includes recommendations (some of them non-technical issues) that also require implementation for successfully securing corporate data.

The recommendations, in no particular order, are:

Education on the importance of laptop security and enforcement of policies

Using full disk encryption to secure laptop data

Impose login requirements

Ensure that machines automatically apply security patches

Be aware of non-compliant machines

Interestingly enough, a number of these recommendations can be implemented by choosing the right encryption software.

Take AlertBoot, for example. It's a full disk encryption software that's easily deployed over the internet and is centrally managed. An administrator can easily push policy updates, including login requirements such as password lengths; the inclusion of special characters, letters, and numbers in passwords; how often they should be changed, etc.

Also, due to its integrated reporting, an administrator can easily see which computers have successfully installed the encryption package, and which ones have not. It's also possible to see how many times incorrect login attempts were made.

By selecting AlertBoot or other similar encryption software, three of the five recommendations are already fulfilled. What's left?

Applying security patches can be automated to an extent--just set your computer to apply any and all patches that are recommended by our OS. (Personally, I don't do this because I turn off my computer at the end of the day, and I've been caught unawares when a computer restarts automatically after applying patches. I religiously monitor for updates, though, and will apply them at the end of the day).

Probably most important above all is educating employees about laptop security. Regardless of which encryption product you decide to use, it will require the cooperation of employees: ensuring they don't stick up passwords on their computer screens; share passwords; etc. Otherwise, the environment guarantees a data breach will eventually take place.

Data Security: UT Gas Pumps Carry Card Skimmers

sang_lee — Thu, 25 Feb 2010 03:31:00 GMT

One of the difficulties I have face when speaking to people about the need for better data security is denial, "because we're too small, it won't happen to us." "It" being a data breach. In other words, we're too small to be targeted (usually followed by the proclamation, "that kind of stuff only happens at the movies, anyway.")

With such attitudes, it's always a little challenging to convince people that they should be using full disk encryption for securing their sensitive data on their laptops. But, as the following story shows, life imitates art.

Fingernail-sized Device Attached to Gas Pumps To Steal Data

Criminals attached credit-card skimming devices inside gas pumps across Utah, according to darkreading.com. These devices were Bluetooth-enabled, meaning data could be collected from a distance, and was "the size of a cellular phone SIM card."

If you're not aware, because you've been using, say, Verizon as you cellphone provider, a SIM card is about the size of a dime. Put a sticker over it--say, a warning message: "Please don't remove"--and you probably wouldn't. I mean, it's electronic, it's attached to the gas pump's internals...it's probably a doohickey of some sort; removing it might break the pump, or perhaps transport you to Middle Earth...

Anyway, this way of pilfering data is not as uncommon as it appears: apparently, similar situations have cropped up across Europe, and California had its own situation. The case in Utah involved some 180 pumps. It's believed that the devices were in place for two months. They were removed in January.

It Only Happens In Movies?

The thought that someone would go around not only installing stuff inside gas pumps (how do you even do this without the employees noticing?), but would take the time to buy 180 doodads, configure them, and install them (again, 180 times)...well, it's unheard of, right?

The above sounds like something that would only happen in the movies (maybe it can be the script to Ocean's 14: Clooney & Co. Hits Bottom). But no, it's being done by some real criminal organization (in Utah, of all places).

And, the gas stations are not being targeted because they've got money, or happen to be big business: my guess is that they've been targeted regardless of whether it's a franchisee or a corporate-owned one, whether the location is profitable or not (granted, you usually don't have too many of the latter when it comes to gas stations).

What are the criminals after? They saw an opportunity to make a buck (illegally) and took it. Just because it doesn't happen often enough doesn't mean it doesn't happen, nor that it won't happen. Credit card skimming has been around for a long time, and this latest one is just an advanced twist on what used to happen at ATM machines with skimmers that were much, much bigger in size.

Likewise with laptops and other data storage devices. People have this general feeling that their laptops will not be targeted for the data in them because they're not rich; or perhaps they do have money but they're not famous enough, so why would they be targeted; or whatever. The reasons are myriad.

I've even had a discussion with a person who never stores any sensitive info on a particular laptop, but does use it for on-line banking. If the laptop gets stolen...well, so what? Passwords are not stored, so it doesn't matter.

Here's one scenario I can think of: thief takes a look at the computer and notices the guy does on-line banking. He installs a keystroke logger and returns the laptop. Owner checks his balance on-line using compromised computer. On-line banking compromised.

What are the chances of this happening? What are the chances your credit card number got compromised at a gas pump on your road trip to Vegas?

Now, if the laptop in my scenario had been protected with disk encryption, there would have been no way of knowing what the laptop contained, so any harm real or imagined would have been prevented.

Data Encryption Software: HHS Publishes List Of Breaches Affecting 500 Or More People

sang_lee — Wed, 24 Feb 2010 01:55:00 GMT

The US Department of Health and Human Services (HHS) is charged, under the HITECH act, with collecting data breach notifications for any HIPAA-covered entities. Under the act, these entities are required to immediately send an official letter of notification if the breach involved more than 500 people (breaches where 500 or less people affected are reported annually. The use of data encryption like AlertBoot provides the equivalent of a safe harbor).

36 Entities Reported - A Summary

Thirty-six hospitals, clinics, private practices, and other medical facilities are listed in this first report. In the six months between September 2009 and January 2010, over 1 million people were affected in total.

Types of Breaches

The types of breaches listed are pretty straightforward.

Theft: 27
Unauthorized Access: 7
Loss: 3
Phishing Scam: 1
Hacking/IT Incident: 1
Incorrect Mailing: 1
Misdirected E-mail: 1

The sum exceeds 36 because there are overlapping descriptions.

Location of Breached Information

Laptops: 9
Desktops: 7
Portable Electronic Devices/USB/Hard Drives: 6
Network Servers/Computers: 3
E-mail: 2
Backup Tapes/CDs: 3
Others (paper-based and such): 7

The sum also exceeds 36 because of overlapping devices/documents. I've also taken the liberty of combining certain categories together (e.g., portable electronic devices and portable USB devices).

Breakdown and Analysis

It doesn't take a genius to see that the thefts and losses of computers and similar devices (laptops, desktops, servers, USB devices, etc.) is the leading cause of data breaches--at least, where HIPAA-covered entities are involved. In fact, it's more than the leading cause. They compromise well over the majority of reported data breaches. There's not much to analyze, actually.

(Here's something to think about: are the thefts and losses of computers the real leading reason for data breaches, or are they just better reported? I'd notice if a laptop were stolen at my office. I'd probably never notice that a folder full of files was missing out of my file cabinet, which I haven't even peeked into in years. Hmph; why do I still have that thing around?).

A further breakdown and analysis is done at this site, waynerino.com. The numbers over there are a little different from what I've reported, no doubt because I've taken the liberty of combining certain figures, but the conclusions are essentially the same.

Something to note at waynerino.com is the breakdown by geographic location. The state with the leading number of reported breaches is California, with 28%. My guess is that this doesn't quite indicate that California is full of data thieves. Rather, it probably indicates that California entities are better informed about the notifying the HHS. This is the state that started the entire breach notification trend, after all.

What I find most unfortunate about the above is that the use of encryption software would have prevented most of these breaches. Not the actual theft of the devices, mind you; I mean that it would have eliminated the chances of the thieves also accessing the patient information.

The use of disk encryption, for example, on desktops and laptops would essentially prevent access to the computer--in fact, with pre-boot authentication, the thief wouldn't even be able to start up the computer.

As an alternative, file encryption could also have been used, and may even have been the only option for files saved to backup tapes and CDs.

Laptop Encryption Software: Laptop Tracking 75% Effective For Recovery?

sang_lee — Tue, 23 Feb 2010 02:06:00 GMT

Anyone who's bothered to check any news sources over the weekend has probably heard of the situation at Lower Merion School District: the school was monitoring student activities at home. But it was something else that caught my eye today as I was reading computerworld.com's write-up of the situation, and why full disk encryption like AlertBoot may still be around for a while.

The Case at Lower Merion So Far...

A student in the Lower Merion School District, Pennsylvania, was accused by a vice-principal of engaging in "improper activity" at the student's home, and produced a picture of him purportedly taking drugs. Turns out that the "drugs" were Mike & Ike candy. (Not familiar with it, so can't comment. I mean, do you snort it or something? Why did the school assume it was drugs? I mean, Tic-Tacs look like pills, too.)

When I first read of the situation I told myself that the school was in deep doo-doo, drugs or no drugs: you can't go around monitoring what students do outside school. And if you're monitoring what they do at home, well...I was pretty sure that couldn't be legal.

Also, besides the violations of privacy and wiretapping and whatnot, I was wondering "what if the kid was naked or something?" All around a bad idea to be monitoring a kid in his room.

The school claims, of course, that they don't monitor kids. The cameras are only turned on when a laptop is reported lost or stolen, etc. Seeing how the candy-popping student never reported the laptop stolen, though, the school's explanation falls flat.

I woke up today to find that the feds are now involved, since there may be violations of wiretapping and privacy laws. It was just a matter of time, really.

What Caught My Eye

I wasn't really going to comment on the issue, since it was bound to be covered by everyone.

Besides, I had noted in the past that security needs to come in layers, so using encryption doesn't mean tracking software can't be used, which definitely has its uses. For example, encryption software, while it can protect your data, cannot realistically do anything about recovering the stolen hardware (you could place a startup screen with your contact info and offer for its safe return...but how likely is it that someone will do so?)

But then I found an article at computerworld.com that covered the story. In the article, it was noted that "Absolute [providers of LoJack-like services for stolen laptops] claims that it recovers about 75% of all laptops reported stolen."

I've been looking for some stats on recovery rates, and there you have it. Seventy-five percent. It is an excellent recovery rate. I mean, without tracking software, recovery is like, what, 0.2%? I don't think anybody knows, really.

On the other hand, the same stat shows why there needs to be different layers to security for the same machine. There's that 25% of the cases where your stolen computer can't be traced and recovered.

Also, as I've noted in the past, you can't just rely on tracking software for your security needs even if the recovery rate is 100%: There is no guarantee that sensitive data will be stolen between the time your laptop disappears and the time it's recovered.

Hard Disk Encryption: "Please Rob Me" Site Shows How Innocuous Information Is Not Trivial

sang_lee — Sat, 20 Feb 2010 03:24:00 GMT

And now for something completely different...from what I usually blog about. A Dutch group has created a site called pleaserobme.com (please rob me dot com) that essentially goes through twitter posts and plucks only those tweets that "check-in" using Foursquare. Essentially, you can tell when someone's not home, and that's great information for would-be burglars.

Foursquare

I've got to say this is the first time I've heard of Foursquare. According to Wikipedia, it's a "location-based social networking website, software for mobile devices, and game. Users "check-in" at venues using text messaging or a device specific application."

I guess the idea is that, if you're at a particular bar or something, and a friend sees that he's also in the neighborhood, he can just kind of drop by and say hello.

The problem, though, is that the act of checking in, and making the information public and easily available, also means that pretty much anyone can keep tabs on where you are. And how much more public or far-reaching can you get than Twitter?

What Does This Have To Do With Disk Encryption?

Nothing, and yet, everything. Obviously, it makes no sense to encrypt the above data: social media sites and services like Twitter and Foursquare are meant to be public. Sharing information is a given.

On the other hand, it plays into the observation I made in yesterday's post about the "hidden dimension": Just because the information seems innocuous at first glance doesn't mean it cannot be easily tweaked and used for nefarious deeds.

Consider e-mail addresses. No one really thinks of it as private, sensitive information. You'd be crazy to do so; I mean, if you kept your e-mail address truly private, you'd probably never receive any e-mail. However, consolidate 10,000 of the same, and suddenly there may be a way to use it for criminal purposes.

Companies (OK, most companies) make it a policy to encrypt or hash client passwords, but don't extend the policy to other data such as e-mail addresses. The idea is that, if their security perimeter is breached, passwords are sensitive information while e-mail addresses are not.

But, as I pointed out in yesterday's post, plain-vanilla e-mail addresses can be used for carrying out scams as well. It seems to me that anytime you've got a large enough database of any type of data identifying people, you should really take a look into securing it.

Disk Encryption Missing On USB Memory Stick For Budget Travel

sang_lee — Fri, 19 Feb 2010 00:34:00 GMT

A break-in at Budget Travel headquarters in Ireland has resulted in the breach of information for 90,000 customers, although the figure is yet to be confirmed. The information was stored on a memory stick--that was not secured with data encryption software like AlertBoot--which was stolen during the break-in.

Information Stored As Part of Business Transfer

According to the irishtimes.com, the names, e-mail addresses, and, possibly, phone numbers and home addresses of 90,000 customers were stored on the USB memory stick. It's a little unusual to have such massive amounts of data stored on so little a device. The explanation that was given? "The information had been stored on the memory stick as part of the transfer of business from Budget Travel, which is being bought by Club Travel."

That still seems a little unusual to me. I mean, the crown jewels may very well be the customer list (I've seen companies acquired for nothing more than that), but save the information on a memory stick? I mean, the servers retaining the information have some value as well. Plus, wouldn't a company want purchase histories as well?

Incidentally, the thieves were identified (not sure if it means they were apprehended as well), but the memory stick is yet to be recovered.

Customer Concerns

A former customer to Budget Travel was quoted on the irishtimes.com, stating that "I just can’t believe that an organisation [sic] would put a database on a key that was not protected or encrypted in any way. Obviously that information is valuable to somebody, and the email addresses are useful to people who are trying to sell holidays."

I do agree about the need for encryption software to protect the data, but I disagree on "selling holidays." The world is a little bit more twisted than that. I can see how the information could be used for an effective phishing scam.

The Hidden Data Dimension

The fact that the information contains only publicly available information, while not false, is not entirely true. There is an extra dimension that people are not considering: the thieves know that this information belonged to Budget Travel, which is not publicly available information, and this is more than enough to let them carry off a spectacular scam.

For example, it wouldn't take much time to set up a fake site; e-mail customers with a message (claiming that Budget Travel customers have a chance to win a free trip from Club Travel as part of the successful acquisition); and wait for the personal information to roll in, typed in by the same people who are to be scammed.

In fact, if I recollect correctly, something similar to this happened to users of monster.com, the job listing board based out of the US.

While it may seem like going overboard to use full disk encryption on something so readily available as e-mail addresses, the reality is that there are legitimate reasons for keeping them secure.

Drive Encryption Software: Cardiology Consultants Lose Laptop With Ultrasound Scans

sang_lee — Thu, 18 Feb 2010 02:01:00 GMT

Cardiology Consultants Inc. is notifying patients that a computer with ultrasound images was stolen. They have admitted that data encryption was not used to secure the data, although "a special key" was required to access the information.

8,000 Notified

According to pnj.com, Cardiology Consultants is notifying about 8,000 patients that their names, dates of birth, medical record numbers, exam dates, ultrasound images, and, in some cases, the reasons for performing the ultrasound were on the stolen laptop. Thankfully, financial information nor SSNs were included.

If I had to assign a risk level to this particular incident, I would say there is low risk (had encryption software been used, I would have said that there was negligible to no risk).

Why low risk? If the data is accessed, the thief could decide to use the information in what's called "social engineering" to obtain more rewarding information. For example, if someone's last name is unique, and their home number is listed publically, one could pose as a doctor (with ultrasound information on hand) to obtain someone's SSN (oops...we seem to have the wrong one on file, by the way; would you be kind enough to give it to us again?)

It sounds far-fetched until the day you actually fall for it.

Proprietary Configuration?

Further according to pnj.com, "because of the proprietary configuration of the computer, it is unlikely that the computer’s information can be accessed by the average user," and "the computer does require a special key to access the data."

Hm. Not sure what to make of those statements. It seems to imply that password-protection is in place, but as I've covered it before, password-protection is not really security. I would much prefer to see some kind of disk encryption being used on the computer, or at least file encryption to protect just the digital documents.

Related Articles and Sites:
http://www.pnj.com/article/20100217/NEWS01/100217031

Data Encryption Software: More Laptops Stolen At Home Than Anywhere Else

sang_lee — Wed, 17 Feb 2010 04:18:00 GMT

New research by Absolute Software, providers of a LoJack-like service for computers, shows that most laptops are stolen at home. And when you consider that most laptops today carry too much personal information, a disk encryption software solution like AlertBoot may be the key towards ensuring your information is not stolen.

33% of UK Laptop Thefts At Home

The research has revealed that one third of all UK laptop thefts take place at home. In France, the count is at 22%; the US, 18%; and Germany shows 17% of thefts at home.

Furthermore, theft from cars are at 24%. Eight percent occur in public transportation, and two percent are stolen from coffee shops and airports.

While the numbers appear surprising at first glance, they shouldn't be. All things being equal, laptops tend to spend more time at a fixed location (I'm surprised corporate thefts/break-ins are not included), so it just makes sense that the stats would reflect this.

It's similar to that statistic that shows most car accidents happen within 15 miles from one's home: it's not because everyone's neighborhood happens to be a disaster-prone area; rather, it's because most people don't venture further than 15 miles from their homes, even while driving.

Or consider banks: all robberies involving $100,000 or more probably occur at banks. This doesn't mean that banks are terrible places for parking one-hundred grand in cash, right? You'd be crazy to park one-hundred grand in cash anywhere else, even with the above stat that "proves" how terrible banks are at keeping big money.

I'd say that the lesson to be taken from this research is that you need data protection at all times. Not only when you're on the move, as the representative from Absolute Software noted for the story, but even when a device is parked at home.

After all, sensitive data doesn't stop being sensitive data once you get home.

So, what can you do protect your data at all times? Protect it with software that was meant and designed to safeguard data, such as encryption software. While tracking software such as LoJack is great at recovering stolen goods (an internet connection is necessary), there's no guarantee that any sensitive data will not be accessed between theft and recovery. (Of course, having both may be an even better solution. After all, encryption cannot recover your goods for you, just ensure that unauthorized people don't gain access to your information.)

Laptop Encryption Software: Australian Department Of Primary Industry Loses 77 Laptops And PDAs

sang_lee — Wed, 17 Feb 2010 01:48:00 GMT

The Department of Primary Industries in Australia has come under fire for losing "77 laptops or palm computers" over the past 4 years, according to theage.com.au. That's a loss of one laptop per every 2.5 weeks. Disk encryption was not used to secure the contents of the laptops, although password-protection was present.

25,000 Staff Members - Not So Bad?

The losses were revealed while the department head was answering to Parliament. The devices were lost between "January 2006 and October 2009, with a value of about $218,000." The laptops could contain sensitive information; however, the department head seems to think it should be alright because password-protection was used.

There are a couple of things to note. First, with 25,000 staff members, the loss of 77 laptops over 4 years is not so bad. I mean, it's not great (not even good, to say the least) that sensitive information was lost; however, it means that there was a loss of 0.308%. That's a loss of 3 laptops per 1,000 people over four years, or less than one loss per 1,000 people per year.

I mean, that's not too bad. I don't think that can be classified as "incompetence," as some have decided to call the situation. Of course, I am assuming that 25,000 staff members equals 25,000 portable devices being handed out, which clearly is not the case. If it turned out only 25 people were given laptops and such, and they had lost 77 devices in 4 years, that would be a calamity.

Second thing to note: password-protection is anything but!

Password-protection, while better than nothing, is a very poor substitute to encryption software when it comes to data protection. Indeed, it reminds me of a Donald Duck cartoon that I watched as a child, where Donald was the only private guarding a perimeter.

While our feisty duck was the only guard about, he had rigged up some painted wood boards ("rifles") to give the impression than four people in perfect synchronization were guarding the perimeter. No one was the wiser because only the barrels of the rifles were seen above a brick wall. If someone were to get inside, though, there'd be little to no security. I mean, it's a duck with painted boards, for God's sake! He doesn't even wear pants!

Likewise, password-protection only tends to give the impression of protection being in place. Once the laptop itself is stolen though, there is very little to separate the data from the thieves.

Only a solution like AlertBoot endpoint encryption, designed to protect data, can help prevent a data theft or loss from becoming a data breach.

Drive Encryption Software: Abbot Medical Optics Backup Tapes Stolen

sang_lee — Wed, 10 Feb 2010 01:43:00 GMT

Abbot Medical Optics (AMO) has alerted the NH Attorney General's office that they have a potential data breach on their hands. Three locked boxes containing backup tapes were stolen. "Security features" were present, but there is no specific discussion on whether data encryption software.

Personal Information Stolen

The backup tapes included data from human resources and consumer information departments, so, it only makes sense that employee names, addresses, and Social Security numbers were included. Also included was financial information such as bank and other financial numbers used for payroll.

Foreigners may have been affected as well--the letter mentions "visa application information related to authorization to work in the US."

The incident took place on December 29, 2009. Someone broke into one of AMO's facilities and took the three locked, metal boxes.

Physical Security Inadequate For Digital Data

No doubt the metal boxes were meant to prevent unwanted people from getting physical access to the tapes--you know, in light of them containing personal information and what not. And, I'm willing to bet that the locked box was stored in a locked room.

And the end result...? Someone breaks in and steal the tapes, locked boxes and all! So much for preventing a data breach.

Now, while there are hardly any other options for securing physical things, aside from locking stuff up, one can hardly claim the same for digital media.

When it comes to information stored on backup tapes, external drives, servers, and the like, there are two ways of securing data. One is locking stuff down or locking them up: closets, bolts to the floor, locks, etc. This prevents a data breach by ensuring a device does not get stolen.

The other is the use of data encryption software like AlertBoot. While it can't prevent someone from actually lifting a backup tape or external drive, it makes it virtually impossible to access the information in the event something is stolen.

Related Articles and Sites:
http://doj.nh.gov/consumer/pdf/abbott_medical_optics.pdf

Laptop Encryption Software Not Installed Properly On Stolen AvMed Laptops, 200,000 Affected

sang_lee — Mon, 08 Feb 2010 23:56:00 GMT

Two computers were stolen from AvMed Health Plans, compromising the information for nearly 210,000 subscribers and dependents. It sounds like disk encryption was used to protect the laptops; however, there is a fear that "one of the laptops may not have been encrypted properly."

Current And Former Members Affected

The information security breach affects 80,000 current subscribers and dependents, as well as 128,000 former subscribers and their dependents. The information dates back to April 2003.

The theft of laptops occurred on December 10 of last year from a locked conference room. The rooms remained secured throughout the night until being discovered missing the next day. The implication seems to be that someone with keys to the locked room was involved, such as janitors or night security staff.

It was not revealed how AvMed arrived to the conclusion that encryption software, meant to protect the information, was not installed properly.

It could mean that it was only done partially, such as encrypting a partition in the computer's drive instead of using full disk encryption to protect the entire thing. Or, perhaps, the company used file encryption to protect individual files, and only realized after an investigation that important files were not protected. Or, the company could be referring to their overall encryption program: it could be that the one computer was found not to be encrypted at all, when it should have been.

Auditing Encryption Status

Let's face it: figuring out what was encrypted and what wasn't is hard, and becomes harder the more equipment you've got to protect.

Imagine an organization that has 1,000 employees. Chances are, there are also 1,000 computers. And while not all of them store sensitive information, management has decided to encrypt all computers because it's impossible to figure out which computers will end up with sensitive information.

Now, I'm not going to argue that that is a terrible approach to security. It's quite apparent, just by taking a peek at data breach news, that people really have no idea where sensitive data ends up, so it's definitely a valid approach.

However, it does create a logistical problem: how can administrators tell whether all computers have been properly protected? Just like security tends to be an afterthought to software programs, such administrative needs seem to be afterthoughts when it comes to security software as well.

Not so with centrally-managed AlertBoot encryption software, which was developed with the above in mind. The audit reporting is integrated with the encryption software, allowing one to easily see login attempts, user actions, and the encryption status of computers.

Full Disk Encryption: St Albans Finds Using Encryption Is Not The End Of The Story

sang_lee — Sat, 06 Feb 2010 01:39:00 GMT

St. Albans Council has found that data protection does not end at using data encryption software.

If you'll recall, St. Albans experienced a breach nearly one year ago, when four laptops were stolen, affecting 14,500. Since then, the council has made a number of changes to better protect sensitive information, including the physical lockdown of computers and the use of encryption software to protect data.

A security consulting firm brought in to check on the changes. The firm has found that while data is better protected from before, the council could make some changes to even better guarantee information security.

Staff Sharing Passwords

One of the suggested changes was to better educate staff not to share passwords. Other recommendations included "audit files for all log-ins and access to databases."

Clearly, the latter recommendation hinges upon the security of passwords. Think about it: if everyone uses the same password to log in to a computer, then the auditing of files and logs is worthless--they'd all point to one person.

Data Security, Constant Vigilance

The thing about data security is that you really can't let your guard down since it's never known in advance when a threat will strike. Unfortunately, it's nearly impossible to keep your guard up all the time. Heck, even the military has various stages of "alerts," and never do they stay at high alert all the time.

When it comes to data security, then, the trick is to use different methods that will complement one another. For example, if passwords are being shared, then a policy of periodically changing passwords is definitely necessary. (As opposed to policy of changing passwords every six months and requiring the user to create a 24-character-long, mixed-character password; in my opinion, that latter one usually doesn't require periodic password changes at all, regardless of what best security practices happen to be).