Update (Dec 4, 2008): According to the site www.pogowasright.org, C-W Agencies was able to recover the stolen tape and forensic experts are examining it to see whether their data was accessed or not.
According to the Vancouver Sun, C-W Agencies in Canada is claiming to be a victim of a data breach. The alleged perpetrator is the former vice-president of IT of the company, and the accusation is that he stole a backup tape with information on 3.2 million customers. The good news? Data encryption was used to protect the client data. The bad news? According to C-W Agencies, the information necessary to decrypt it is also stored on the tape.
The potential worth of the customer information, which includes credit card and bank account information of more than 800,000 customers, has been pegged at $10 million (Canadian, I assume…an observation that would have meant something a year ago), or about $12.50 per name. Shocking how worthless your personal information is on the market, black or otherwise, when you consider the damages that can be effected.
How Can Encryption Help In Such Scenarios?
Sorry to say, it cannot, because of the specifics of the situation. It’d be like asking how can you prevent the Brinks guy from driving away in his armored truck when he suddenly decides to steal the money instead of making his rounds. You just can’t.
When a guy who knows the passwords to decrypt protected data decides to go “rogue,” the security game is over. This is why encryption is never, and cannot be, considered the be-all and end-all for all of your data security woes. Encryption merely plays a part, but admittedly an important part, in a more holistic information security approach that involves inventorying, encryption, audits, firewalls, physical locks, and employee education (and their interest in security), among other factors.
For example, consider the above story: The former IT guy was not exactly trusted; he was supposedly a problem employee. But, due to his status as VP of IT, he had access to sensitive information. By all accounts, his theft would have been the perfect crime, except for one thing: the network administrator reported his suspicions of hanky-panky to the chief executive. The potential, negative ramifications of the data breach were foiled by the least sophisticated method possible: telling on someone.
Keep Your Passwords Safe
The importance of keeping passwords safe can be gleaned from the above story. Rogue agents, the theory goes, are unstoppable because we already trust them. But, I would say that trust is not the main reason. The main reason that rogues cannot be stopped is that they already have access. It just goes to show the importance of keeping passwords safe -- an organization shouldn’t accept or allow passwords to be shared or posted.
The US Department of Defense is banning USB memory sticks as well as all other forms of removable media storage devices. (Makes me wonder why they didn’t react this quickly when they decided data encryption software was necessary to safeguard the information on their computers.) In the face of this ban, it seems like a good time to point out that there is software out there that will allow administrators to control USB ports on their computers.
Why The Ban?
The ban was initially reported as the result of a worm, a variation of the SillyFDC, spreading in the military’s computer networks. This particular worm spreads from one infected disk to another. For example, if you stick an infected flash drive into a computer that’s not infected, the virus copies itself to the hard drive of the computer, infecting it. Any other removable storage media that are plugged into the now-infected computer will be affected as well. This is a little different from other computer worms that spread, for example, via a computer network.
A further update, however, has the military claiming that the ban is not due to the spreading of the worm per se. They’re claiming that the ban of removable media storage is one aspect of an effort to improve the military’s information system protection. Which is weird. This worm has been around forever. USB sticks have been around forever. And enemies have been around forever as well. What the heck changed that merits an immediate ban?
Déjà Vu?
The issue of removable storage has cropped up several times in the past. Just a couple of years ago, it was claimed that the UK military was looking to ban iPods. The argument was that iPods are hard drives that double up as music players, so it wouldn’t be improbable for secrets to slip out of military bases accompanied by their own soundtrack. The British military denied it, as reported by the BBC.
Control Ports Using Superglue…Or Whitelists
It’s been reported that some companies have superglued USB ports shut in an attempt to prevent data breaches. While it makes for great conversation at a party, superglue is not necessarily the best solution. What if you have to use that port at some point in the future? You’d be better off using application control software.
Software exists to control what devices work when connected to USB ports, and it’s usually programmable via whitelists or blacklists (or both, if using AlertBoot data encryption and protection suites) to easily control the desired outcome. A whitelist would allow a device to connect to the computer, whereas the blacklist would do the opposite. Better yet, it allows you to control port availability based on the user profile.
What this means for the military is, if a four-star general decides he needs to stick his flash drive to a computer, he’s able to do so, whereas Private Jenkins cannot.
Certainly a better solution than superglue (messy) or assuming soldiers always follow orders. I mean, if they did, the term AWOL wouldn’t exist now, would it?
The Irish police, the gardai, are investigating a break-in and burglary at the office of a Labour member. The office of Jack Wall TD, a member of the lower Parliament of Ireland, was found ransacked on Monday. The thieves made off with two laptop computers, one of them with sensitive information; a scanner; and some money that was raised during a fundraiser. Thankfully, hard drive encryption was used on the laptop computer with the sensitive information.
Off the top of my head, I can think of at least four information security instances in Ireland this year. There was the case of the blood bank that suffered a breach in New York; two instances involving the Bank of Ireland; and this latest one. No doubt there are others that are escaping my mind at this moment. Call it selective memory, but it seems that Ireland understands what it means to protect data.
This latest case is a good example. The main door to the building had three locks. I personally don’t believe this represents adequate security, but when you consider that most businesses, across the world, believe one lock is sufficient security, well, these guys have gone the extra mile. Plus, the doors were wrecked, leading gardai to believe that the perpetrators used a sledgehammer or iron bar to break in. When violence is used to gain entry, it generally means that existing security wasn’t just for show. Compare this to instances where burglars entered the premises via unlocked windows or fiddled with the door.
However, what’s really commendable is that full disk encryption is being used on top of these physical security measures. Unlike organizations that believe a locked door is all that’s required to protect the contents of a computer, many Irish organizations have opted to have their data encrypted, no buts or ifs. Why?
Obviously because the law requires it. But if we’re to be a bit more philosophical, I suppose it’s an admission that there are no guarantees in life. There is no guarantee that a trusted employee will not rob your offices during the night. There is no guarantee that a security guard won’t do the same. Or that someone won’t drive a car through the doors. Or that someone won’t use a sledgehammer. I mean, there are just so many ways of committing theft…how do you guarantee the security of a computer with so many variables out in the world? You can’t. You do the next best thing, which is to somehow guarantee the safety of the data.
Encryption products like file encryption and USB disk data security software to protect external hard drives cannot protect data at all times. For example, encryption can’t protect you from employees who have a beef to grind with you and happen to know the encryption passwords. But, it can guarantee safety when a computer is missing due to theft or misplacement, which comprise over half of all data breaches.
Several blogs have reported that Starbucks employees are receiving letters asking them to watch out for funny business. According to the letter, a laptop computer with personal information (including name, address and SSN) on 97,000 employees was stolen. The coffee company last had a major breach approximately two years ago. It seems likely that laptop computer encryption was not used in this case, if my interpretation of Washington data breach notification laws is correct. Thankfully, the law is written mostly in civilian-speak, which is good, since I’m not a lawyer.
According to RCW 19.255.010, the breach notification law in Washington,
Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The above emphasis is mine, of course. It seems to me that had Starbucks used data encryption software (the letter, a copy of which is available here, does not mention whether data protection measures were in place), it wouldn’t be required to notify 97,000 employees of the theft of the laptop computer. But the company did, and also offered Equifax credit monitoring for one year to all affected, which will cost plenty of ducat; even with a discount, it probably means plunking down close to $1 million, if not more. What public company would offer such a package when the use of encryption would have protected personal data? All signs point to “no encryption.”
On the other hand, it could be that Starbucks did encrypt the data and is just being cautious. After all, Starbucks does try to be a socially conscious company. Plus, one would imagine that the inventors of the Frappuccino would have the sense to employ information security after the first major breach. But then why not mention the presence of data protection measures? My experience is that usually the lack of information is quite revealing as well.
A claim is made in the gossip site that the laptop computer was stolen from an employee’s home:
I called the PCC [Partner Contact Center] after I got my letter and they informed me that the laptop was stolen out of someone's home. Apparently the partner who had the laptop stolen worked at the enterprise help desk, but worked out of the home. They were running something related to the databases, and that night I guess his laptop was stolen out of the home. [Posted by: tomokun]
It seems to me that if this guy was officially working out of home, he definitely should have had his laptop contents encrypted. Many say that the information shouldn’t have been on the laptop to begin with. I’d agree, on principle, that information on 97,000 current and ex-employees shouldn’t be stored on a laptop in an unsecured environment.
But, let’s be realistic. Stuff like this happens all the time. Even logging in remotely doesn’t prevent someone from downloading information to their laptop: Ever feel the frustration of having to wait for your mouse’s pointer to move from one side of the screen to the other, two seconds after you actually moved your mouse? As long as minor technological hurdles remain, people will attempt to download work to a local machine. The pragmatic thing to do is to ensure the safety of that data by using encryption.
Other things to point out, based on what I’ve read at the Starbucks Gossip site so far:
That last one really irks me. I’ve had people proclaim to me that encryption doesn’t work, and have used the cold-air case as their “proof.” How is it possible to be so misinformed? Let me put it this way: would you say that a condom is not an effective means of contraception because a pregnancy will result in 2% of the cases when it’s used properly? Is Lysol not an effective disinfectant because it only kills 99.9% of germs?
Approximately 2000 teachers, assistants, and support staff in Manchester, England are irate over the theft of two laptop computers from a secure area. The computers had names, dates of birth, and national insurance numbers. While the theft was discovered three weeks ago, the affected education workers have been notified only recently. As the warning letter pointed out, full disk encryption software was not used, although password protection was present.
Of course, password protection doesn’t really mean protection. And, it seems that a lot of UK residents are now aware of the fact. As one of the support staff has exclaimed, “It stinks - I cannot believe that these computers were not encrypted.” [manchestereveningnews.co.uk]
It’s a sad, sad day when support staff are more knowledgeable about data security procedures than the administration. I guess the administration was busy playing golf or something while the UK suffered breach after information breach this past year. Otherwise, how could they not be aware of the need to secure data in laptops? Or, maybe, the administration thought that the data was secure, despite the lack of information security software, since so many breaches happened when data was being moved about: in a car, sent over the mail, etc. The laptops in question, though, were stored in a room that offered an “automatic door-lock system” that opened with a swipe-card. High-tech and all that jazz. They say that the thieves tampered with the door to get in.
Pfft. Since when is a door considered to be “security?” Unless we’re talking about doors to a bank vault with steel plates thirteen inches thick, I think most people will admit that doors offer little security, if at all. The high-tech aspect -- a magnetic card as opposed to a tried-and-true metal key -- doesn’t contribute to security at all. Chalk this up to another case of “security theater,” where things look secure but in retrospect are not.
What the administration should have invested in is some old school-style technology, like disk encryption software. Such data protection solutions can’t prevent someone from stealing computers, but the thieves wouldn’t have access to the computer’s data. And this way, the administration would have to deal only with the loss of two computers, not the loss of two computers; 2000 irate people; and a government investigation (which I’m assuming is pending).
So you’re selling your computer. Or it’s so old that you have to toss it away. But you’ve also read how discarded computers can lead to identity theft. How’s that work, anyway? And what can you do to prevent it from happening? The answer lies in how much time you have. I’d personally use encryption software like hard drive encryption software, since it makes things a little easier and more convenient, but you may not find it applies to you at this stage.
The secret about data deletion is this: data cannot be deleted, only replaced. You’ve read how computers store data in patterns of 1’s and 0’s, which are also known as bits. When you click on “empty recycle bin” on your computer’s desktop, all those bits remain in place. What you’ve “deleted” by emptying the recycle bin is the instruction set the computer uses to find those bits: the 1’s and 0’s are still there, it’s just that the computer doesn’t know where to look for them. If you will, it’s like a bank losing its accounting books. The money is still in the bank, but the bankers don’t know how much belongs to whom. Pandemonium ensues.
The implication is that, if given the right software, “deleted” data can be uncovered. Actually, it’s more than an implication. I know I bought Norton Disk Doctor back in the 90’s specifically because it allowed me to recover files I deleted accidentally, so the technology to recover deleted data has been around for decades.
As you can conclude from the above explanation, when experts say that data should be deleted prior to computers being sold or recycled, what they really mean is that data should be overwritten. Turn those sequences of 1’s and 0’s entirely to 1’s, for example. What most overwriting software will do is randomly generate bits and write that to your hard drive. Since those bits are random, they don’t represent any information. More importantly, two bits can’t share the same space, so the randomly generated data (new) replaces the original data (old).
The problem with data overwrites is that they take time and, because every single bit has to be replaced, the bigger your computer’s hard drive, the longer it takes. It’s not unusual to see a computer chugging away at this task for 10 or more hours when it comes to 100 GB hard drives.
Plus, it’s understood that one pass is not enough. The Department of Defense, for example, requires that three passes be done per disk. Some advocate 35 passes! This is because a study found anything less increased the chances of someone being able to glean data from your drives. Thirty-five passes is, however, not necessary. Even the original author of the study has called it overkill for most people.
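To make the difference between deleting and overwriting concrete, here is an added example (not from the original post) that models a drive as raw blocks plus a file index. The ToyDisk class, the carve function and the sample record are all constructed for illustration and do not correspond to any real file system or tool.

```python
import os
import re

BLOCK = 16  # bytes per block on the toy disk (constructed value)

class ToyDisk:
    """Constructed model of a drive: raw blocks plus the index that locates files."""

    def __init__(self, nblocks=64):
        self.raw = bytearray(nblocks * BLOCK)
        self.index = {}      # filename -> (offset, length): the "accounting books"
        self.next_free = 0   # byte offset of the next unused block

    def write_file(self, name, data):
        span = -(-len(data) // BLOCK) * BLOCK        # round up to whole blocks
        if self.next_free + span > len(self.raw):
            raise ValueError("toy disk is full")
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free += span

    def delete(self, name):
        """'Empty recycle bin': forget where the bits are, leave them in place."""
        del self.index[name]

    def wipe(self, name, passes=1):
        """Overwrite every block of the file with random bytes, then forget it."""
        off, length = self.index[name]
        span = -(-length // BLOCK) * BLOCK
        for _ in range(passes):
            self.raw[off:off + span] = os.urandom(span)
        del self.index[name]

def carve(disk, min_len=8):
    """What a recovery tool does: ignore the index, pull text runs from raw blocks."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, bytes(disk.raw))

RECORD = b"name=Jane Example;card=0000-0000-0000-0000"  # constructed sample

def demo():
    deleted, wiped = ToyDisk(), ToyDisk()
    for d in (deleted, wiped):
        d.write_file("customers.txt", RECORD)
    deleted.delete("customers.txt")
    wiped.wipe("customers.txt", passes=3)
    return {
        "listed_after_delete": "customers.txt" in deleted.index,
        "recovered_after_delete": RECORD in carve(deleted),
        "recovered_after_wipe": any(RECORD in s for s in carve(wiped)),
    }

if __name__ == "__main__":
    print(demo())
```

After a plain delete the file no longer appears in the index, yet scanning the raw blocks returns the whole record; after the three-pass wipe the same scan finds nothing of it.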
Yep, you read it right. I’ve just told you that it takes time to overwrite data, and yet here’s a Japanese company that claims otherwise. It’s because their new hard drives will be using AES-256 encryption. They can make their claim because all they have to do is destroy the encryption key, which does take only seconds to destroy. And since encryption protects data by randomizing bits and bytes (the same type of randomizing that goes on when overwriting data), Fujitsu’s in the clear with such a claim.
The only problem? These hard drives are not available until sometime next year. So, until then, you’ll have to do data overwrites when disposing of your old computer.
However, Fujitsu does bring up an interesting point: what would you prefer, having to spend hours of extra time prepping a computer just so you can dispose of it, or spending seconds only? Remember, there is the added benefit that drive encryption software will protect your data while you’re using the computer.
If you’re concerned about data security the choice is obvious. Again, the bad news is that these falutin’ drives won’t be available until next year. However, if you’re really looking to protect your sensitive data, then you have the option to encrypt your data today. Encryption as a service is available from companies like AlertBoot, and makes encryption a snap. And, such encryption software is not just for computers. If you’ve got external hard drives, you’ll probably want something that will do USB disk data security as well.
Of course, encryption doesn’t make sense if you are looking to dispose of your old computer today, like, right now. But, it’s something you should keep in mind for when you get your new computer.