Tennessee is alerting Nashville residents that 337,000 voters in the city have had their information compromised. Thieves stole laptop computers that contained the names and Social Security numbers of every registered voter. Initially, it was reported that only the last four digits of the SSNs were included, but further examination showed that this is not the case. The election commission office is preparing to send notices to those affected. There’s no mention of whether the stolen laptops had any security measures in place, so one must assume the worst.
Also, the Department of Safety is reporting that a desktop computer and laptops were stolen from their offices. A spokesman for the department said that the computers were blank because they were about to be distributed to employees, and there shouldn’t have been any personal information on the stolen devices:
“Even if they did get access to it, they’re almost worthless to them,” said Browning, the spokesperson. “They wouldn’t be able to access the information – security would prevent them.”
The only security to protect the contents of those computers was in the form of a password, not encryption, though.
What’s ironic about the Department of Safety incident, other than that the department is not safe from break‑ins, is that they believe that passwords = security.
They’re not wrong, in a sense. Even if you were to encrypt a computer via AlertBoot, a username and password are assigned so only those with the right to access encrypted data are able to do so. Otherwise, no one would be able to access the encrypted data, and what good is that? However, a password tied to an operating system like Windows, as opposed to an encryption system, means the password can be bypassed by bypassing that operating system.
For example, the hard drives on the stolen machines could be hooked up to another computer. Or, one could run a CD-based Linux OS (which is free, by the way) on the stolen machine and gain access to the data that way. There are other ways of doing this besides the two listed.
Is the Department of Safety safe from a data breach? After all, there’s nothing on those computers, regardless of whether the passwords in place actually offer protection—they were wiped clean. Well, perhaps. The problem with “deleting” data is that it doesn’t really delete the data; that’s why Norton Utilities has the ability to recover deleted data. Nope, what really happens is that by deleting data, the operating system has no way to access it anymore. Not even formatting a hard drive does the job, since formatting a disk technically checks and prepares the disk for further recording, so you’re still stuck in a situation where previous data still resides on the hard drive but, again, is not easily accessible.
With the correct, specialized software, the data is recoverable. And don’t let the word “specialized” fool you—such software is easily (and cheaply) available over the internet. Only by securing information via encryption can you ensure that information doesn’t fall into the wrong hands.
The associated Oregon senate bill, The Oregon Identity Theft Protection Act (SB 583), is surprisingly short but to the point—and extremely readable. It feels like someone other than lawyers wrote it up. It also seems to build on past legislation already in place for personal data protection. For example, those who are already in compliance with HIPAA would also be in compliance with SB 583. The former may carry a tag of ‘96 (as in, Health Insurance Portability and Accountability Act of 1996), but eleven years later, the concept on how to protect someone’s information hasn’t changed; it’s the implementation that had to catch up.
And catch up it did.
There are numerous regulations in HIPAA for protecting patient information, including what people have termed “shoulder surfing,” the act of getting information by looking over someone’s shoulder. Back in 1996, there was no method to prevent that unless you had a wall against your back. And even then, if you were on a plane, chances are your fellow passengers could see what you were doing. Now, companies such as 3M sell screen privacy shields so the user can see the screen, whereas someone to the side of the user cannot. The technology already existed back then, but there wasn’t enough of a marketing push, I think.
However, in this day and age, shoulder surfing is the least of one’s worries. The big news, time and again, has been the loss of massive amounts of data via the loss or theft of laptops, CDs, and other portable, mobile devices. The problem, of course, is that theft and loss cannot be prevented one hundred percent of the time. It can be minimized and that’s the best one can do, no matter how serious the consequences of something going wrong. Don’t believe me?
Two months ago, the US Air Force had six nuclear missiles end up on a cross‑country flight by mistake. If the plane had gone down during the 36 hours those missiles were technically missing…I can imagine The Siege becoming reality while people try to hash things out. Despite proclamations by wags that “military intelligence” is an oxymoron, the military does have some of the best minds available for making sure stuff like this doesn’t happen. And yet, a complete break‑down of procedures by multiple people, at multiple levels did happen (a rarity, granted). One would be a fool not to expect it to happen ever, despite all the paperwork, code punching, military guards, and whatever other protection the USAF has in place to make sure nothing untoward happens to those nukes.
How do you and your business compare when it comes to protection? Can you afford sentries armed with M-16s to ensure no one breaks into your offices? Are your employees any less inclined to make mistakes or to flout policies and regulations, despite the fact that military personnel face a court‑martial (and a dishonorable discharge) for such actions and your employees face a pink‑slip at worst? The answer, and I would assume that this is a safe guess, would have to be “no” to that last question. There is only so much a person can do to control the behavior of employees at any organization.
So how does one comply with HIPAA or the new Oregon law if theft and loss can only be minimized? Why even bother? Disaster in the form of a data breach will strike sooner or later, right? Well, the point is to lower the odds of it happening. So low, in fact, that it may never happen in the next couple hundred years.
And since what needs to be protected is customer data, not the computer itself, a solution for ensuring the data doesn’t fall into the wrong hands is the correct option. Enter AlertBoot. Encryption services like AlertBoot secure the data on digital devices, so that the potential for a data breach associated with theft or loss isn’t an issue anymore. Back in 1996, encryption was an option but the technology had some catching up to do to be useful for everyday users. The only thing one has to worry about today when it comes to encryption is making sure employees don’t write the password on a Post‑It note and stick it to the bottom of the keyboard.
Of course, if you find an employee doing this, you’ve got other things to do besides worry about loss of data. For example, you’ll need to spend some time carving a couple of notches below “military intelligence” on your “data policy enforcement stick.” You know, before you beat that employee to death with it. I’m sure the judge and jury will understand once they realize that you took the best approach to protecting people’s data and ensuring it stays protected.
The holidays are almost over, and many people across the world have probably bought—for themselves as well as for other people—plenty of nifty gadgets as presents, such as a computer. And, when it’s in with the new, it’s also out with the old. Extra care must be taken to ensure that the data in the computer being thrown out doesn’t fall into the wrong hands.
For example, the Sun in England has a little story about an engineer who was looking for computer parts at a recycling center (you, as a concerned earthling, are recycling those machines, right?) He happened on a computer disk which, when loaded, showed the names, ranks, addresses, phone numbers, and job qualifications for thousands of police officers. Plus, there were details for “civilians working for the police.” It could’ve easily been a bad day for rats and weasels. Thankfully, the engineer alerted the newspaper as opposed to the local Don.
What could have the cops done to ensure that the information did not fall into the wrong hands? Deleted it? Not quite. As many websites and blogs are pointing out—due to the international old/new gadget swap that happens around this time of the year—deleting files in no way guarantees that the information is gone.
A non‑technical explanation for the layman is that when you delete a digital file on your computer—and, for Windows machines, hit the “empty” button—what you’re really erasing is a way for you to find that file; however, the contents of that file still exist in a spot in your computer, and will exist in your computer until something else takes over that spot (aka, something is “written over” it). When, what, and how that spot will be taken over by another file is completely random: it could be today, it could be five years from now. The data could be replaced by another similar file, or a digital picture, or a spreadsheet, or a movie—the only way to guarantee that the old data will be knocked out is to force something to be written in that spot. Since the process is random, however, the entire hard drive is written over. It’s like napalming the data. Plus, the write over process requires multiple passes; I’ve heard of three being a minimum for “sanitizing” a disk by the Department of Defense (DoD), but it’s supposedly not acceptable for Top Secret information.
The process, of course, takes quite a bit of time—not that you need to baby‑sit the process. If this takes too much time for your taste, an alternate method is to have the disk encrypted using services like AlertBoot and to toss the keys, which is akin to locking up the vault at Fort Knox and melting the key and the keyhole. Of course, if you’re going to encrypt something, it’s usually advantageous to do it when you get the computer or laptop (or some other digital device) as opposed to when you’re about to throw it away. This way, come garbage collection day, you can safely put out the computer by the curb without any worries that someone will have access to the “deleted” contents—and in the meantime, you get the benefits of the protection offered by data encryption. You know, just in case there’s a burglary or some other unforeseen or unexpected event.
If you're really paranoid, the only way to ensure perfect security is to melt the contents of your hard drive into one solid and amorphous mass. Just take care not to burn down the house with a blowtorch when doing it....
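The delete-versus-overwrite behaviour described above can be shown on a toy model. This is an added example, not code from the original post: `ToyDisk`, its block size and the 0x00/0xFF overwrite patterns are assumptions, and the record is constructed sample data.

```python
BLOCK = 512  # bytes per block (toy value, assumed)


class ToyDisk:
    """Toy medium: raw bytes plus an index mapping file names to blocks."""

    def __init__(self, blocks=64):
        self.raw = bytearray(blocks * BLOCK)
        self.index = {}                    # name -> block numbers (the way to find a file)
        self.free = list(range(blocks))

    def write_file(self, name, data):
        used = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)           # next free block; reuse order is arbitrary
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            used.append(b)
        self.index[name] = used

    def delete_file(self, name):
        # Deleting drops the index entry and frees the blocks; the bytes stay put.
        self.free.extend(self.index.pop(name))

    def scan(self, needle):
        """Search the raw medium directly, ignoring the index."""
        return bytes(self.raw).find(needle) != -1

    def overwrite_all(self, passes=3):
        # Write every block on the medium, used or free. Alternating 0x00/0xFF
        # patterns are an assumption here, not a quoted sanitization standard.
        for p in range(passes):
            fill = (0x00, 0xFF)[p % 2]
            self.raw[:] = bytes([fill]) * len(self.raw)


def demo():
    disk = ToyDisk()
    needle = b"id=000-00-0000"             # constructed sample value
    disk.write_file("roster.txt", b"CONSTRUCTED SAMPLE name=Jane Example " + needle)
    disk.delete_file("roster.txt")
    results = {
        "listed_after_delete": "roster.txt" in disk.index,
        "bytes_after_delete": disk.scan(needle),
    }
    disk.write_file("photo.jpg", b"\xAB" * (2 * BLOCK))   # later, unrelated write
    results["bytes_after_later_write"] = disk.scan(needle)
    disk.overwrite_all(passes=3)
    results["bytes_after_overwrite"] = disk.scan(needle)
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```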
There is news that a church in the state of Georgia fell victim to burglary. The thieves, however, seem to have been after a particular item: data.
The effort was well coordinated, according to an article at thecitizen.com. The thieves entered the church from the darkest point outside the church. A window was left unlocked prior to the theft, so there was no forcing into the building. Once inside, the thieves went straight to the church office. The doors were knocked in—and in one case a sledge hammer was used to knock a hole in the wall, and unlock another door from the inside, as it were.
This case is particularly interesting because the article implies that the thieves spent the time to take out the hard drives from two computers and steal those, instead of stealing the entire machine. Also, they stole a computer monitor as well, which, frankly, doesn’t make sense to me. If one decides to steal only the hard drive, presumably it’s so one is not weighed down by the size or the weight. Why go ahead and steal something that’s equally as big? (In some cases, bigger.) Cash and blank checks in plain sight were not stolen. Yet, it doesn’t sound like the thieves didn’t notice the money because they were in a hurry: they also broke into file cabinets and drawers, so it seems that they were actively searching for objects of value. Regardless, it seems the hard drives and the monitor were the only things stolen.
This is probably the first case I’ve read of where there is no confusion on why the thieves stole a “computer.” When computers or laptops get stolen, there is generally what I call the standard disclaimer by the spokesperson: “we don’t feel that the machines were stolen for identity theft reasons, but that it was a theft of opportunity. The criminals were probably after the street value of the machine in question,” etc. But when people plan out a burglary and take the time to disassemble a computer and steal the hard disk only…. Well, no room for confusion there, eh?
Thankfully, the church didn’t keep any sensitive information on those computers. Critical employee and contributor information is kept somewhere else, so the thieves made off with something of questionable value. On the other hand, information has a tendency of ending up where it shouldn’t, so only time will tell if the thieves expended their energies for naught.
AlertBoot was made for situations like these, of course. Had both hard drives been encrypted with whole disk encryption, the thieves wouldn’t be able to access the information at all. As far as I can tell, there was no encryption on those drives—and this means that those thieves will be accessing that data soon, if they haven’t already. After all, there are no obstructions in place, and I think it’s a safe assumption that anyone who takes the time to steal only the core of a computer also knows how to tap information from an unencrypted data source.
But, according to the Dormitory Authority, potentially affected employees shouldn’t be worried because they require special equipment and software to be read. Also, the spokesperson for the Dormitory Authority (DA) said the tapes were not encrypted.
Social Security numbers, addresses, names, and phone numbers were included in the tape for current and past employees. The tapes are backups sent from the DA to a separate location for safekeeping purposes.
I find that one of the more frustrating aspects of recent press releases when it comes to data breaches is that people equate “I don’t use it personally” with “special equipment.” I guess it depends on what your definition of special happens to be, but just because you don’t have the equipment at home doesn’t mean that a cassette-like cartridge is “special.” Depending on what type of data cartridge was used, there are people who possibly have the right equipment at home. For example, a simple search shows me that I can have a brand‑new HP 5U Rackmount Tape Drive for a measly $1000. With the above information supposedly trading at $2 a name, that’s a profit of $600 if I decide to buy the equipment. If I already have the equipment, even better. But even if you don't, so what? With today's generous return policies, you can get your hands on anything temporarily (not that I condone it...especially with huge HDTVs. Especially with the SuperBowl coming up).
But let us consider this scenario, shall we? Guy finds the tape, has no idea what’s in it. However, he reads the press release and now knows it’s not encrypted, so he puts it up for sale in one of the underground data brokerage centers (read: hacker‑palooza). He connects with some guy who happens to have a tape drive for that particular data tape. Does the fact that it feels “special” to some (possibly earnest) spokesman mean that 800 people are not about to become victims of identity theft? I don’t think so.
Let’s say that the guy who found the tape doesn’t know what type of tape it is? Take a digital picture and post it on-line. Someone will recognize it and classify it. Or what if he hasn’t read the press release? Just offer it for sale “as is” with no guarantee of worthwhile information residing on that tape. A bonanza for whoever decided to bid for it. Regardless, that information is not protected by the “special” properties of a floppy disk in cassette‑like format.
The point is that general obstacles for the average population are not really obstacles for criminals. That’s why doors work, although they’re the easiest things to kick down: ordinary people give up on a locked door; criminals force their way. Likewise, if you have a data tape and the contents are not encrypted with tools like AlertBoot, then it most probably will mean nothing to the layman. The data is secure, in a sense. But for the criminally‑inclined, it might very well pay for his next French meal and his plane ticket to Paris.
There is a short article at the AP that makes one wonder what exactly they do at Los Alamos National Laboratory. I’ve read enough technology‑centric books to know that Los Alamos was where the first nuclear bomb was developed under the Manhattan Project. It is currently home to many math, physics, and other science and engineering researchers working on some of the most cutting‑edge technologies and basic and/or applied sciences. You bomb this place and the average IQ in the USA falls by, like, 125 points.
So, the image I get of the place is that of a desert location dealing with extremely hush‑hush, top‑secret projects. At the same time, it’s described as one of those places where scientifically‑minded people get together to commingle and share information, sparking all sorts of revolutionary ideas. Due to this dichotomy of being top‑secret (= extreme security à la Mission: Impossible) and free‑exchange of ideas (= hippie commune), you wonder how they deal with data security—again, assuming it’s top secret stuff you’re working with.
Well, based on the AP article, it seems that they don’t really do much about security, which makes me wonder if they actually have top-secret stuff going on over there. A former lab contractor who was converting lab documents into electronic format took home classified documents and computer files. Just like that. She didn’t do it out of malice, it sounds like—she was just overwhelmed with work, and decided to do some of it from the comfort of her home. It wouldn’t be the first time that somebody decided to take sensitive files home for work‑related purposes.
It’s also not the first time that Los Alamos has had data breaches: In 1999, a scientist was charged with nuclear espionage; the charge was later dropped. He had supposedly (and quite easily) taken data out of the lab. Then, in 2000, computer hard drives with classified data (is there any other kind at this place?) went missing for a brief while. They were found behind a photocopier. There’s always been talk about the lax security at this place. As I recall, some argued that they couldn’t be too harsh with security, since it would prevent the flow and exchange of information—the reason Los Alamos is so successful in being what it is in the first place: a cauldron of new theories and ideas.
It seems to me that data security could easily be implemented at Los Alamos with AlertBoot. Encrypting hard drives is one of the key features of AlertBoot, as well as controlling device ports such as USB or COM ports. And, this control can be based on the user, so it is not necessary to configure each machine—whatever rights are extended to the user will follow them around. This way, scientists can access computers and databases to their hearts’ delight—and create the next scientific breakthrough—while contractors digitizing documents can access only certain data—and not copy it over to their personal data devices.
At the same time, if there aren’t any people ensuring that somebody doesn’t take classified paper documents (and entire disks) out of the premises, encryption will do no good. Good security ensures that the weakest link is not scandalously weak—like some 23 year‑old rooming with a drug user.
Oh, yeah. I forgot to mention: the data breach was found out by accident when police busted the roommate during a drug raid.