A Reynoldsburg City School district laptop, which did not make use of hard drive encryption like AlertBoot to protect the information on the computer’s internal disk, was stolen from an employee while he attended a wedding. The laptop was stolen from his car, a not so infrequent data breach scenario covered by this blog. Makes one wonder if cars ought to be banned in the name of data security.
Of course, that would be a stupid solution. Let me play a bit with that thought, though. What if I told you I kept $1 million in cash in my van? Well, most people might think it’s stupid and that, heck, it’s your money…you do whatever you want with it, blogger dude. What if I told you I kept $1 million of your cash that you entrusted to me in my van? We’ll assume you’re a billionaire and I didn’t show signs of being a complete imbecile.
I’d expect at least a little ruckus on your part. What if I revealed that the van was an armored car, with bulletproof glass and guards armed with automatic weapons? Some might still be unsatisfied that it’s kept in a car. I personally believe that such people also don’t trust banks, and keep their money hidden in their homes. As if thieves don’t break into people’s homes every day.
What’s the difference between an armored car and a van? The security associated with it. Granted, an armored truck is not a place to continuously park your cash, but it does the job of minimizing the chances of something going awry when moving money from one secure place to another. And so it is with laptop encryption.
One of the first rules of data security is to not save or store any sensitive data that you don’t need. In a manner of speaking, that’s the rule that was broken in the Reynoldsburg breach mentioned at the beginning of the article. The officials were phasing out Social Security numbers in the student database, a logical procedure when one considers that SSNs are not supposed to be used as an identifier. And the work was finished without incident.
However, the computer technician who was working on the project did not delete the sensitive data from his own laptop after the job was done. And about a week later he attended the ill‑fated wedding. If he had used encryption software to secure the contents of his laptop computer, the school district wouldn’t have to ruefully admit responsibility for the loss. The employee in question is on paid leave—I guess until an investigation is completed.
£6.99. That’s how much a 36-year-old anonymous computer programmer paid for a computer on eBay that held the details of 35,000 taxpayers in the UK. This is the second case where a computer sold on eBay with sensitive information ended up in the hands of a civic‑minded person. And this is just another example where the use of full disk encryption solutions like AlertBoot would have stopped the incident from turning into a full‑blown data breach.
The hard drive in question contained names; addresses; bank account details, such as account numbers and sort codes; and tax bills of residents of the Charnwood Borough Council area in Leicestershire. Also, photographs, memos, and other types of electronic documents were stored on the same computer.
A spokesman for the Charnwood Borough Council has stated, according to the BBC, that they have a policy of securely disposing of all computer hardware, and that it’s not “ever resold, donated, or given away to any party, staff or otherwise.” Furthermore, it was stated that a “reputable third-party organisation [provides] certification for each batch of disposed equipment, stating that drives have been wiped, or are destroyed.”
I’ll take bets that this is another case of a third party contractor messing up (I’d hedge that bet with another bet, though, that it could have been a case of staff stealing office equipment. God knows it happens often enough). If my initial suspicion is correct, this is very worrisome. I mean, a company that makes it its business to ensure data is destroyed is not doing a good job if the computer ends up on eBay.
Now, some will point out, well, the company did its job—the computer programmer didn’t have access to the data directly; he used data recovery software to undelete the deleted data (which is available for, like, $50 or less). This is where one has to start blaming semantics for spreading around ignorance.
When it comes to computers and electronic data storage, the word “delete” doesn’t mean to erase in the traditional sense. When people ponder the meaning of delete, they tend to think of the relationship between pencil and eraser: you rub the eraser, and the pencil marks are wiped away. With computers, it’s a little different. When you delete a computer file, the information still exists on the computer; you have only destroyed the way for your computer to easily find that file, meaning the computer can no longer retrieve the data (though it can still be unearthed with recovery software), and you have authorized the computer to write new data over the file you “deleted.” As long as you don’t add any more documents to that computer, any guy with $50 (or less) would be able to recover such data.
That’s why when companies claim they’ve wiped data, it actually means they’ve added data: they add random data to write over sensitive files. And they do this at least three times. It’s not unlike taking your diary, written with a blue pen, and, in order to ensure that no one can ever read it, dunking it into a vat of blue ink.
Granted, this process is applied at the end of a computer’s life term. The US Department of Defense uses it for wiping disks that carried sensitive (but not classified) information. (Disks containing top secret information supposedly get pulverized into dust.) But what do you do while the computer is still on active duty and something like the eBay scenario above unfolds, i.e., a computer shows up for sale on an auction site when it shouldn’t have?
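To make the delete‑versus‑wipe distinction concrete, here is an added example (mine, not the post’s or AlertBoot’s) that simulates a raw disk as a byte array with a hypothetical directory table standing in for a filesystem’s allocation structures: an ordinary delete only drops the directory entry, so a carving scan still finds the record, while a three‑pass random overwrite leaves nothing to recover. The sample record is constructed.

```python
import os

# Constructed toy "disk": a bytearray standing in for raw sectors, plus a separate
# directory table that records where each file lives (a hypothetical stand-in for a
# real filesystem's allocation structures).
DISK_SIZE = 4096
disk = bytearray(DISK_SIZE)
directory = {}  # name -> (offset, length)

def write_file(name, data, offset):
    """Store the bytes on the disk and record their location in the directory."""
    disk[offset:offset + len(data)] = data
    directory[name] = (offset, len(data))

def delete_file(name):
    """An ordinary delete: drop the directory entry, leave the bytes untouched."""
    del directory[name]

def read_file(name):
    """What the operating system does: it can only reach a file via the directory."""
    offset, length = directory[name]
    return bytes(disk[offset:offset + length])

def carve(needle):
    """What recovery software does: scan the raw sectors, ignoring the directory."""
    idx = disk.find(needle)
    return None if idx == -1 else idx

def wipe_disk(passes=3):
    """Overwrite every sector with random bytes, three passes, like the multi-pass
    wipe the post describes; this is the 'adding data' that actually destroys data."""
    for _ in range(passes):
        disk[:] = os.urandom(DISK_SIZE)

def demo():
    """Return whether the record is carveable after a delete, and after the wipe."""
    record = b"SSN=123-45-6789"  # constructed sample record, not real data
    write_file("students.csv", record, offset=512)
    delete_file("students.csv")
    recoverable_after_delete = carve(record) is not None
    wipe_disk()
    recoverable_after_wipe = carve(record) is not None
    return recoverable_after_delete, recoverable_after_wipe
```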
Having honest, competent staff works wonders as well as having the correct security‑minded computer and data policies. But, that still can’t take care of those vicissitudes in life where things don’t go according to plan, where the computer can’t be protected because it’s not under the physical aegis of your company.
In such instances, it only makes sense that the protection follow around the computer. There are many computer security solutions out there. Some are conditional, as in they have to be connected to the internet to work. Personally, I think such solutions are designed to recover hardware, not to protect data. If one is really looking to prevent an information security breach, there’s no two ways about it: disk encryption or file encryption must be used.
The newspaper Scotland on Sunday broke the story that the NHS Dumfries and Galloway has lost two USB flash drives with information on patients. The memory sticks in question did not feature disk encryption that would have ensured information security. And, the breach was only made public because Scotland on Sunday filed a Freedom of Information request.
In a sign that muckraking works wonders, the health authority has modified their procedures. And yet, there’s something of a rushed feel to them, and I think the NHS honchos may not have consulted information security experts. According to The Herald, “new guidelines are now being implemented concerning the use of USB storage devices, and all information on the sticks must be encrypted or password protected to make it impossible for others to use the data” at NHS Dumfries and Galloway.
The use of encryption is highly recommended when dealing with sensitive data. But, as a number of cases have shown in the past—and in the UK alone—password protection in and of itself is not really protection. Indeed, I would have thought this was already common knowledge among UK residents, what with the number of potentially disastrous data breaches that have littered 2008.
It should be pointed out that the above guidelines will also apply to any laptop and desktop computers…but only in areas accessible by the public (i.e., non‑NHS employees). Again, this seems to indicate that an expert in the area of information security was not consulted. Or, at least, an expert with adequate levels of paranoia.
Here’s my twist: the loss of the two USB devices was perpetrated by NHS staff. So, why would you only protect data devices that are accessible by the public? I mean, it makes sense to protect those, yes; but I’d say it makes even more sense to protect any devices handled by staff. It’s not the non‑NHS people that are actively stealing these devices…it’s the NHS staff that’s actively losing them (which is not the same as deliberately losing them). This is clearly a case where the staff need to be protected from themselves.
A security consultant worth his salt would probably have scouted out the physical environment before making his or her recommendations. A computer, be it a desktop or a laptop, that is in a restricted area may not need full disk encryption to protect its hard drive—but only if that same restricted area happens to have barred windows. If the “restricted area” happens to be on the ground floor, facing a dark alley, and has unbarred windows, making it a restricted area on paper only, I’d say it’d be a good idea to either further restrict the area by securing the windows or ensure that the hard drives of the computers are encrypted. The latter won’t stop a burglary but it will astronomically lessen the chances of a data breach.
Another day, another case where full disk encryption such as AlertBoot would have helped to prevent a data breach. Several sources are reporting that over 1 million customer details have been sold on eBay. Not that eBay would have allowed this to happen. They constantly monitor auctions for stuff that shouldn’t be there, such as human organs. One presumes that selling customer details in the open would be flagged as well.
The computer in question was actually being used by a firm called Graphic Data, who was contracted to archive data for RBS. According to RBS, Graphic Data has admitted that “one of their machines appears to have been inappropriately sold on via a third party.” This can be interpreted in so many ways.
For example, I took it to mean that the computer was sold when it shouldn’t have, which would be pretty messed up: I mean, the computer was not stolen; someone in the company decided to sell it out of the blue? That’s pretty random. But then I realized that the statement could be construed in other ways, such as “the server was sold before all the appropriate data security steps were followed, such as deleting the data and performing a three‑pass disk overwrite.”
Then I read this statement from a spokeswoman at Graphic Data: “The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed.” That’s pretty messed up. (I guess there’s something to the saying that first impressions are generally right…)
I’ve often pointed out that full disk encryption solutions like laptop encryption are no panacea. And I stand by that statement—doing otherwise would be hubris of the highest level. However, let me point out that penicillin is no panacea either. In fact, there is no one drug out there to solve all of the world’s ailments. But penicillin has come close to the status of a miracle drug. Likewise, disk encryption cannot solve all of a company’s data security needs. But when it comes to protecting data, it can put a dent in information breaches for all those unexpected instances where a computer or external disk goes missing.
A data breach affecting over 8 million Best Western customers was reported over the weekend by the Sunday Herald, a newspaper in Glasgow, Scotland. The Best Western hotel chain released a statement earlier today saying that the claim is “grossly unsubstantiated.” The company has also listed a number of methods they’ve used to protect customer information, and has noted that they use encryption to protect the credit card information in their databases (data at rest) and moving through their networks. Those are magic words to my ears. It doesn’t mean that a data breach cannot occur—after all, the hacker got into their system. Who knows if he installed packet sniffers and whatnot, and managed to record the password to decrypt the information, right?
But, this is a company that has implemented at least an important facet of data security. Here’s a list of what else they’ve implemented:
Supposedly, Best Western does this to be in compliance with PCI DSS. That last bullet point implies that customer data going all the way back to 2007 couldn’t have been part of the data breach, as reported by the Sunday Herald, unless Best Western has 8 million guests who’ve been staying with them for eight months, which I’d find impossible and weird. I mean, their rooms are OK, but they’re not the penthouse at the Four Seasons…
What I do find weird, though, is also the last point. If they actually delete all personal information, how do they keep track of their customers? Isn’t the hospitality industry famous—perhaps even notorious—for keeping track of customers?
The University of Pennsylvania Health System (UPHS) is contacting people to alert them that an encrypted backup tape was lost in transit. The tape contains personal information such as names, addresses and checking account numbers. The tape was being transported by an outside carrier—my guess is to a “safe” location. The important thing is that encryption software like AlertBoot was used to secure the information. So, barring any foolishness on the part of the UPHS, the tape’s disappearance shouldn’t be a cause of alarm.
What types of foolishness? Well, if they had stuck a post‑it with the password on the tape. Or, if they had used a short or weak password. When it comes to encryption, there are two ways of breaking it: figuring out the password or figuring out the encryption key. The key tends to be a really long string of characters, whereas the password is usually much, much shorter. Hence, it’s no surprise that people try to figure out the password.
There are two ways of figuring out the password: 1) find out the actual password via devious methods, such as social engineering, keystroke‑logging, or just looking for a possibly‑existing post‑it note (unfathomable that such things exist from a data security standpoint) or 2) trying out all possible password combinations: start with “a” and move on to b, c, d, e…aa, ab, ac, ad…aaa, aab, aac…and so on. This latter way of figuring out the password is known as a “brute force attack.” Obviously, the longer the password, the longer it will take to figure it out. However, length is not the only factor when it comes to ensuring a password’s security.
There are twenty‑six letters in the English alphabet. If you add numbers to the mix, you’ve got thirty‑six individual placeholders, which means even more password combinations: once you reach “az” there’s still “a1” through “a0.” It’s a small change initially, but as the password becomes longer overall, it contributes significantly to the total number of different passwords one can have. Add special characters, make the password case sensitive, and the number of different available passwords increases exponentially.
There are caveats, of course. If you use a word that can be found in a dictionary, chances are it doesn’t matter how long that password happens to be: pneumonoultramicroscopicsilicovolcanoconiosis is long, and it would take forever to figure out if you were to try to guess each letter one by one: it’d probably take over one trillion tries. However, the above being a real word, one could also get an electronic dictionary and try all words listed to see if there is a match. And that brings down the number of guesses, since there are approximately three quarters of a million words in the English language.
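The arithmetic behind the last three paragraphs, as an added example that is not part of the original post: an estimator that works out how many placeholders per position an attacker must assume from the character classes present, sums the brute‑force search space up to the password’s length, and falls back to the size of a word list when the password is a dictionary word. The small DICTIONARY set is a constructed stand‑in for a real word list, and the guess rate in years_to_exhaust is a hypothetical figure.

```python
import string

# Constructed stand-in for the "electronic dictionary" the post mentions; a real word
# list would hold roughly three quarters of a million entries, as the post states.
DICTIONARY = {"password", "letmein", "pneumonoultramicroscopicsilicovolcanoconiosis"}
DICTIONARY_SIZE = 750_000

# Character classes an attacker must assume once any member appears in the password.
CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
]

def alphabet_size(password):
    """Distinct placeholders per position: 26 for letters only, 36 once digits appear."""
    return sum(count for chars, count in CHARACTER_CLASSES
               if any(c in chars for c in password))

def brute_force_guesses(password):
    """Worst-case guesses when trying every string from length 1 up to this length."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def effective_guesses(password):
    """Guesses needed by an attacker who tries the word list before brute force:
    a long dictionary word collapses to the size of the list, not to n ** length."""
    if password.lower() in DICTIONARY:
        return DICTIONARY_SIZE
    return brute_force_guesses(password)

def years_to_exhaust(guesses, rate_per_second=1_000_000_000):
    """Time to try every guess at an assumed (hypothetical) one billion guesses/second."""
    return guesses / rate_per_second / (365 * 24 * 3600)
```

The long dictionary word scores only 750,000 effective guesses despite a brute-force space far above a trillion, which is the post's point that length alone does not protect a real word.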