Peter Gabriel shows, albeit indirectly and unwittingly, why one needs full disk encryption if data security is the ultimate objective. Gabriel’s servers that powered his website—hosted at a data center—were stolen. This affects more than a website with a litany of Gabriel’s accomplishments. I’ve never been to the site before, and it’s not operating at 100%, obviously, but a look at the temporary stand‑in makes it apparent the stolen servers were at the center for getting all things Gabriel‑related, including the sale of music and concert tickets.
Break-ins into data centers are nothing new. I’ve heard the entire gamut, from people strolling in while waving at the guard (and the guard waving back, which is why I dropped the word “security” from “security guard”) to using chainsaws and going through the walls, literally. Break‑ins of any kind are not common when it comes to data centers, especially if the facility was built with security in mind—RFID key cards, locked spaces with bullet‑proof glass built for identity checks, and guys with semi‑automatic weapons. But, it does happen once in a while (and, lately, it seems, with growing frequency). And, of course, if a server is stolen, all the data in it is stolen as well, and available for the perps to use.
Or is it? The digital world is an odd one, and what’s true for the physical world does not always translate to the digital world. If a file cabinet full of top secret documents gets stolen, all that information is stolen as well. The thief will have easy access to the documents. Even if the cabinet were locked, one could rip the walls of the cabinet to get to the contents. In the physical world, theft can easily result in an information breach.
Likewise, the physical theft of a server with digital information can result in an information breach. Sure, one can set up password protection, but the equivalent of “ripping the walls” to get to the data exists in the digital world as well. However, the digital world offers ways to protect information when it’s stolen so that it doesn’t fall into the wrong hands. This method of protection is called encryption, and generally comes in two forms: full disk encryption and file encryption.
The latter has a physical counterpart as well. File encryption, basically speaking, is just substituting one character for another via a particular set of rules. If you’ve ever come across a paper document full of gibberish, you’ve probably come across a document whose contents are encrypted (or, someone’s master’s thesis in electrical engineering).
Full disk encryption, on the other hand, doesn’t have a physical counterpart. Like file encryption, it uses rules of substitution, changing each bit found on the hard drive itself; however, the actual file is not encrypted if you use full disk encryption. For example, if you e-mail a file that’s found on a hard drive with full disk encryption, the file can be read by the recipient without any problems. If you send him a file that was protected with file encryption, he’ll require a key to unscramble the contents of the file.
The closest thing that full disk encryption comes to resembling in the physical world is really thick walls on a file cabinet, since the contents in the file cabinet don’t change. Really thick walls. I mean, we’re talking a thickness that’s incomprehensible. Like a safe whose walls have the thickness of Indiana. (You think driving across Indiana took forever, eh? Try blowing up or drilling through a wall the thickness of Indiana. Yep, that’d be a pretty secure cabinet.)
Both forms of securing your digital assets are available from AlertBoot. The idea is to use them together as complementary solutions and enhance security. After all, you don’t necessarily have to choose between an armed guard and a safe. You do have the option of using both for security purposes. Or, just use one or the other—just make sure you understand what your data security requirements are prior to making a decision.
Can a hard disk survive a fall of over 100,000 feet? No, but the data can be extracted from its remains. That’s how scientists were able to find that xenon gas changes to a liquid when stirred under very low gravity.
It’s under no ordinary circumstances that a hard disk can fall 100,000 feet. The disk in question was on board the ill-fated Columbia space shuttle, which disintegrated on re‑entry into earth in 2003. And, as one would expect for anything that re‑enters into earth without the usual protection of wings, parachutes, and heat‑proof coatings, the hard drive was found cracked and burnt. Specialists were able to extract 90% of the data, though.
Kind of surprising? After all, most people’s experience with falling hard disks generally involves drops from waist height or lower, and it’s kind of hard to get any data from those at all; one imagines a drop from space would make it slightly harder. The above data retrieval is a testament that you can do anything if you have the money.
From an engineering perspective, however, the above is not unusual or amazing. Usually, when you and I drop a laptop or an external hard drive, it’s broken because the intricate machinery that composes the whole of the disk drive is out of synch. However, the data recorded on the hard drive’s platters is still there. (If you weren’t aware, there’s a bunch of disks inside a hard drive. That’s why they’re often called a hard disk.) Unless the drive with the xenon data had fallen near a refrigerator magnet, the information is still in place. Only the total annihilation of these platters would have prevented specialists from reading the data, like melting them into an amorphous mass.
This is something one should keep in mind when getting rid of old equipment like computers. A lot of people think that “deleting” the data or formatting the disk will get rid of the existing data. This is not so; such actions merely remove the method for computers to locate data without disturbing the data itself. It’s like poking a librarian’s eyes out during your first time to a foreign library: she can’t find the books you want, but the books are still there. Now you’re stuck trying to find the books. Some effort, time, and a couple of clues will help you in finding those books.
Savvy computer users will know this and physically attempt to destroy their drives. One of the time‑honored ways of doing so is using a refrigerator magnet; however, this, too, is not as reliable as the amorphous mass technique. Some use a drill to poke holes through the platters. This is pretty effective, but there is no guarantee that information on the unaffected parts of the platter will remain unread by someone hell‑bent on extracting data. These disks are pretty resilient. Unless you’re willing to spend $100 or more to pulverize a disk, your best option may be full disk encryption, like AlertBoot.
Plus, the beauty of full disk encryption is that it’s a form of data protection that is perfectly good while the disk is in use as well as when you decide to ditch it.
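The point about deletion only removing the index, and about full disk encryption still protecting a drive you get rid of, can be shown on a toy disk. This is an added example, not part of the original post; `ToyDisk`, `carve`, the `%REC`/`%END` markers, the sample record and the key are all constructed for illustration, and the SHAKE-256 keystream is a simple stand-in for a real disk cipher such as AES-XTS.

```python
import hashlib

SECTOR = 64                          # constructed toy sector size
START, END = b"%REC", b"%END"        # constructed record markers a carver can look for

def keystream(key, sector_no, n):
    """Toy per-sector keystream (SHAKE-256), standing in for a real disk cipher."""
    return hashlib.shake_256(key + sector_no.to_bytes(8, "big")).digest(n)

class ToyDisk:
    def __init__(self, sectors, key=None):
        self.raw = bytearray(sectors * SECTOR)  # what whoever holds the drive can read
        self.index = {}                         # name -> (first sector, length): the "librarian"
        self.key, self.next_free = key, 0

    def _sectors(self, first, length):
        return range(first, first + -(-length // SECTOR))  # ceiling division

    def write(self, name, payload):
        data = START + payload + END
        for n, s in enumerate(self._sectors(self.next_free, len(data))):
            chunk = data[n * SECTOR:(n + 1) * SECTOR]
            if self.key is not None:            # full disk encryption: every sector is ciphertext
                ks = keystream(self.key, s, len(chunk))
                chunk = bytes(a ^ b for a, b in zip(chunk, ks))
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.index[name] = (self.next_free, len(data))
        self.next_free += len(self._sectors(0, len(data)))

    def delete(self, name):
        del self.index[name]                    # only the index entry goes; sectors are untouched

    def wipe_free(self):
        used = {s for first, length in self.index.values() for s in self._sectors(first, length)}
        for s in range(len(self.raw) // SECTOR):
            if s not in used:                   # overwrite every unallocated sector with zeros
                self.raw[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)

def carve(raw):
    """Recover records from raw sectors by signature, ignoring the index entirely."""
    found, pos = [], 0
    while (start := raw.find(START, pos)) != -1:
        end = raw.find(END, start)
        if end == -1:
            break
        found.append(bytes(raw[start + len(START):end]))
        pos = end + len(END)
    return found

RECORD = b"name=Constructed Patient;ward=7;" * 3   # constructed sample data

def demo():
    plain, enc = ToyDisk(8), ToyDisk(8, key=b"constructed-demo-key")
    for disk in (plain, enc):
        disk.write("r.txt", RECORD)
        disk.delete("r.txt")
    after_delete = carve(plain.raw)   # the record survives "deletion" on the plain disk
    plain.wipe_free()                 # only overwriting actually removes it
    return after_delete, carve(plain.raw), carve(enc.raw)
```

Calling `demo()` returns what a signature scan recovers from the plain disk after deletion, from the plain disk after overwriting, and from the encrypted disk after deletion.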
Banking giant HSBC is in the news again. This time, the bank has lost a computer server from the Kwun Tong branch, located in Hong Kong. Sometimes, having a huge international footprint just means having more problems. If you’ll recall, HSBC had announced last month that they had a data breach in the UK, when a disk with details of 370,000 customers went missing.
The lost server contained the data of 159,000 customers, and unlike the incident with the disk, customers should be worried about this particular incident. According to The Standard, a Hong Kong publication, the data in the lost server contains names, account numbers, and transaction records. The last could be used to zero-in on high value customers and attempt some kind of spear‑phishing type of scam, I reckon.
The bank has stated that the chances of a data breach are minimal, since the “server is protected by multiple layers of security which are regularly reviewed.” No further details on security were given. The government is encouraging HSBC to release more details in order to further reassure the public.
One thing that caught my attention in the article was the following quote:
Internet Society chairman Charles Mok Nai-kwong said even though the server has been encrypted, there may still be ways to access the data.
"I do not know how advanced the system is or the skill of those who want to access the data. But if the server goes to the police, they will have ways to get the data," Mok said. [all emphases are mine]
Huh. Really? How did this guy know the server was encrypted? And, apparently, the NSA should outsource some of their work to the HK police. These guys are like, super cops. No wonder Jackie Chan took on the role of a HK police officer when he starred in the movie…SuperCop. Three times.
Maybe there were translation issues when the article was written. I’ll tell you this much, though. If the above quote is true and the HK police can easily break the encryption on HSBC’s servers, the bank must have teamed up with the worst data security company this side of the Mississippi.
The point of having full disk encryption is to prevent anyone not holding the passwords from getting to the data. If the police can get into it, chances are others can, too, and this defeats the purpose of having encryption. One could argue, well, perhaps the HK government requires a backdoor be installed on any encryption products used in Hong Kong, and only the police know about it. Again, that becomes a security risk. The best encryption software does not have backdoors—and people tend to migrate away from such products if a backdoor is found.
Consider AlertBoot, for example. It offers a number of different encryption algorithms at different strengths (RSA, AES; 128-bit vs. 256-bit or higher; etc.) that are considered by experts to be the encryption standards of this day. Plus, try as they may have, the experts haven’t been able to find a *** on these encryption methods, including backdoors. I don’t know what Mr. Mok knows, but if HSBC had gone with AlertBoot, he wouldn’t have offered that statement.
An employee for Northern Trust Bank was caught selling electronic office equipment on eBay, as well as putting them up at pawnshops and selling them to his own colleagues at the bank. The thefts occurred between May 2005 and Nov 2006, when he was arrested. Most of the equipment that was stolen consisted of computers and peripherals, such as laptops, desktops, LCD monitors, and printers.
Bank management became aware of the thefts when 12 laptop computers went missing. An investigation following the theft of the laptops revealed the true extent of the misdeeds. The above story highlights two things to keep in mind when practicing data security.
First, size does not matter when theft is the purpose; anything is fair game. A lot of people seem to forget this when an actual crime occurs. Too many people raise hell over sensitive information being stored on a laptop computer, for example. They’ll point out that laptop computers are designed for mobility. I’d like to point out, so are desktop computers. I mean, have you seen what IBM used to sell prior to the invention of the desktop computer? Desktops were not designed with convenience of mobility in mind, but they certainly don’t require a tow truck. Those machines were designed so an average joe could pick it up and move it about. If your information security manager is relying on a computer’s form factor as a security measure, I’ve got news for you: you’ve got a terrible security manager. Unless you happen to reside in a community of skinny‑armed Buddhist monks who live on a supercharged grain of rice a day, that is.
Plus, plenty of people are using laptop computers as desktop replacements nowadays, meaning “laptop” does not always equal mobility. I can point towards my own ThinkPad as proof. And for those who would continue to argue that they’re easier to steal, give me a break: if a thief is already within the security perimeters of a building, he can steal whatever he wants. Reiterating my point, size does not matter. It’s this obsession with size that prevents people from seeing the big picture: in the digital age, you’ve got new methods of protecting what’s really important, like hard drive encryption to ensure that a physical act (theft) can’t affect your metaphysical assets (your client data. You’ll want backups, obviously).
The second thing to keep in mind is, you need to perform audits regularly and ensure that it’s performed by a neutral party. For a bank, filled with management types inculcated in viewing the world in terms of profit and loss as well as risk management, it’s hard to understand that they have gone an entire year without realizing that stuff was missing—a sure sign that audits are not being performed by the bank. If they only spent as much time on their inventory as they would on ensuring the accuracy of balance sheets... I’m sure that it didn’t help that the person committing the crime was also the bank’s computer information technician.
There are products that were built with the above two points in mind. AlertBoot, for example, not only allows one to encrypt and manage thousands of computers from a central console. It also features powerful reporting so that audits can be performed on the encryption status of each computer and control user access to each machine. This way, if problems do arise, those in charge of security can act ASAP and lower the risks of an information breach.
It is being reported that the US Department of State is missing hundreds of laptops, perhaps thousands of them. The Department of State is in charge of conducting diplomacy. In case anyone doubts how important secrecy is for this particular department, the Anti‑Terrorism Assistance Program falls under its umbrella, according to the article at cqpolitics.com. Obviously, this particular department needs to especially ensure they’ve got adequate data security.
An internal audit has found that this is not necessarily the case, though. For example, as many as 400 laptops are missing from the Anti‑Terrorism Assistance Program alone. It is being pointed out, however, that in this case the missing laptops are not necessarily lost or stolen. The audit report is using the term “unaccounted for,” a term usually meaning “we have no idea what happened except we can’t find them right now.” The computers could be in some secure location within the Department of State buildings. The fact is, nobody knows.
This highlights one of the issues that take a backseat when it comes to security, be it information security or otherwise: the lack of follow up. Security is hardly a one‑time affair, where you install a particular solution and forget about it—even if the solution is designed to be that way.
For example, consider full disk encryption solutions by AlertBoot. You can’t get simpler than full disk encryption. You install it and that’s the end of it. And with AlertBoot, there’s no way to stop the encryption process or reverse it mid‑encryption. However, for the paranoid manager in charge of security (the very best kind when it comes to security), the question becomes, “was it installed to begin with?” Without the proper follow up, there is no way to get an answer to the question.
This is the reason why AlertBoot also includes powerful reporting. The truth is that security is rarely about protecting something. It’s about being able to prove that something is protected. So, even if one’s got the best encryption algorithms protecting one’s data, that’s not good enough. If a laptop is unaccounted for in the State Department, people are not really concerned about $3000 worth of equipment missing; they’re concerned about who is accessing the information on that laptop. What better way to prove that these people have nothing to worry about than by stating unequivocally that not only do you know the laptop is encrypted, but also to point out when it was encrypted?
Theft of memory sticks—the USB kind, I guess—accounts for the data breach of more than 6000 patients in Hong Kong public hospitals. In the past year, nine memory sticks have been stolen from five hospitals. A task force is being set up to investigate the security issue, and will recommend solutions in three months to avoid recurrences.
According to the Hospital Authority chief executive Shane Solomon, the small data storage devices were stolen not because of the data they contained, but because of the intrinsic value of the devices. This assessment comes from the fact that the patient data has not shown up anywhere to date. Of course, some would point out that this is a fallacy in reasoning, since there is no need for that information to show up. After all, patient information doesn’t have an expiration date. Whether the patient information shows up one year after the breach or five years afterwards (or much later) depends on the criminals’ intentions.
Of the 6000 cases, 2000 were encrypted and 3000 contained patient data without any identifiers. That leaves about 1000 cases where the patient information was not protected and has personal identifiers.
What’s galling about the entire thing is that Solomon doesn’t have the right mindset about this incident. I don’t think he would say that thefts were not a problem; far from it. However, he has been quoted as saying that this “is not a matter of staff negligence…It is a matter of people seeing a USB stick sitting around in a computer and thinking ‘I’ll take that, thank you very much.’” I have to applaud him for standing by his people, but I would argue that his staff was negligent.
Would it be negligence if a nurse left a vial of tuberculosis agent by a computer and someone snatched it? How about a syringe full of blood? The answer would be an unequivocal yes. What if a brand new, empty vial delivered fresh from the factory were left by a computer and that got stolen? How about an unopened syringe with no needle? The answer would be no; it wouldn’t even be an issue.
A lost USB drive is not an issue if patient information is not stored on it; otherwise, the loss of a USB drive is negligence. Would Mr. Solomon have drawn the same conclusion if hospital staff had left a bunch of patient files lying around without supervision, and someone had filched the files because he really, really needed some manila folders? Of course not. The fact that outsiders decided to commit a crime of opportunity does not negate nor relieve the hospital staff from the fact they were acting negligently when it came to patient files. And so one should apply the same logic to its electronic equivalent, since a USB device is nothing but a compact, energy sipping manila folder for the twenty‑first century.
Obviously, someone other than the chief executive was in charge of data security, because someone had the mind to encrypt data when they had the chance. It’s a shame that they weren’t able to extend this to all USB sticks, most probably because the thefts occurred across a number of hospitals. If they had AlertBoot, they could have used the internet and AlertBoot’s USB drive encryption to secure the data on those devices, as well as securing the contents of computers. Those can be stolen, too, when staff are not paying attention. It would be wise to secure their contents with full disk encryption.