AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

February 2009 - Posts

  • Encryption As A Service: Centrally Managed Encryption For Faster Deployments And Easier Maintenance

    • Fast and convenient encryption deployments mean better security
    • Maintenance - Government audits

    When it comes to data encryption, companies need more than adequate encryption software.  I mean, you can't just check to make sure the encryption software you've signed up for uses RSA or AES and pat yourself on the back for a job well done.  Two vendors may offer the same encryption algorithms, but one may successfully protect your computers, while the other becomes a white elephant.

    Making Deployments Easy Also Means More Security

    There are free encryption software packages out there.  Free, as in beer and money.  And, because there are only a handful of encryption algorithms that work, they offer the same protection that you would get from a mid-level or highly expensive encryption suite.

    If they afford the same protection, why the different prices?  And why so many of them?  There are many reasons and factors, but I'd say that a key element is convenience.  And when it comes to encryption, convenience is no laughing matter.

    Let me put it this way: what's more convenient, encrypting the hard disks of one thousand computers one by one, or doing it all at the same time?

    The latter obviously.  What's not so apparent at first glance, though, is that the latter also means that your company is better protected.

    How come, you might ask?  After all, convenience and security are inversely proportional.  If something is convenient, chances are some type of security aspect was handicapped.

    And that's generally true, I tend to find.  However, when it comes to encryption--or rather, to the deployment of encryption software--more convenience means faster and easier deployments which in turn mean more security.

    If you encrypt computers one by one, then it's going to take a long time (if you ever finish, that is).

    Where is the guarantee that computers will not be stolen while you're deploying the necessary data security software?  While you're encrypting the fifth computer, the 995th is getting stolen.  The longer it takes your IT department to protect information, the higher the chances that your company will experience a data breach.

    However, if you can rapidly deploy data security software across your organization...well, there's no guarantee that a laptop will not go missing, but it will prevent a disastrous data breach since the contents are encrypted.  I repeat, the faster you've got encryption in place, the more secure your information will be.

    The ability to encrypt computers en masse is a security benefit.

    Plus, there are plenty of reasons why people shouldn't thumb their noses at convenience.  If you ask around, you'll hear of many instances where a company signed up for encryption and never deployed it completely because the logistics were too overwhelming.  They start all gung-ho and eventually peter out...at which point your company's not protected and you've spent a good amount of resources, in both time and money.

    Generating Audit Reports

    Of course, deploying encryption is not the end of it.  There is, if you will, the on-going maintenance, which includes:

    That last one, in particular, will grow in importance.  More and more governments are becoming aware that digital devices are vectors for ID theft and other forms of digital crime (which tends to spill over into the non-digital world) that cost individuals, companies, and governments billions of dollars every year.

    Hence, they're beginning to require companies that have contracts with the government to prove that sensitive data is encrypted.  However, this is not an easy task.

    For example, the Ministry of Defence in the UK claims that 8% of government contractors have admitted not complying with encryption requirements, and 18% have not responded at all.

    My guess: that 18% is not responding, not because they're ignoring government requirements, but because they don't know.

    If they had used centrally managed encryption software like AlertBoot, it wouldn't be a problem, though.  With its powerful and flexible data report engine, figuring out which computers are encrypted would be a piece of cake.  That, on top of conveniently deploying multiple computers at the same time.

     
  • Hard Drive Encryption Software: Steamboat Springs School District Victim Of Laptop Theft

    Why is hard drive encryption software like AlertBoot a better way to protect data than your average door?  Follow this link and you'll know why.

    That is a great picture.  Notice how the door-handle has been snapped off as well.  Apparently, a crowbar was used.  The leverage gained from long door-handles works wonders for destroying the door...until it snaps, that is.  (Yes, I know from personal experience, although it wasn't part of a criminal venture.)

    All this violence has led to the disappearance of a laptop computer from the Steamboat Springs School District office in Colorado.  It sounds like the laptop did not make use of full disk encryption to protect its contents; password-protection, which is possibly the worst type of computer security one can have, is the only thing standing between the thief and the contents of that laptop.

    And what contents!  According to the article in the link above, the laptop had a spreadsheet file with the names and Social Security numbers of 1,300 current and past employees of the school district.  A digital treasure trove to criminals with half a brain and plenty of gumption.

    File Encryption Software Would Have Sufficed

    It sounds like the only data that was blatantly sensitive was the spreadsheet with the 1,300 names and SSNs.  In such cases, one doesn't even have to use whole disk encryption, where the entire disk on a laptop is protected.  File encryption could have been used to protect the one file.

    From Bad To Worse

    Furthermore, the laptop was used by the owner, the District Finance Director, to access the district's financial database and direct-deposit system.  Thankfully, the latter has security systems in place for monitoring and preventing unauthorized access.

    Another headache is the fact that about two-thirds of the 1,300 are no longer in the district (the list includes employees from as far back as ten years ago), so there is no easy way to contact them and alert them to the need to keep an eye out for their financial wellbeing.

    Will the lack of encryption result in ID thefts of these 1,300?  You be the judge.

    According to the article, only the financial office was broken into, and there was no sign outside the door that it was the financial office.  Plus, a blank deposit book was stolen, although it was from the Northwest Colorado Board of Cooperative Education Services, a separate organization housed in the same building.  Otherwise, everything else seems to be in place.

    In other words, this was targeted.

    Too bad AlertBoot wasn't used.  It would have rendered moot the theft of the laptop.  When it comes to ID thefts, that is.  The school district would still be out a laptop computer, which, when you consider the ramifications of this theft, doesn't appear to be a big deal in and of itself.

     
  • Data Encryption Software Not As Good As A Screeching Laptop?

    Well, the laptop doesn't really screech, unless you want it to.  But I'm wondering whether this is a serious alternative to full disk encryption software like AlertBoot when it comes to data security.

    According to coverage by the washingtonpost.com, there is a company out in Colorado that's offering software that will display your contact information when a computer is turned on.  You can also post messages, like offering a reward for the safe return of the equipment, and track the location of your laptop if it connects to the internet after it's stolen.  The software has existed for years now.

    So why the sudden coverage?  Why now?

    Because of a new feature where the laptop will scream that it was stolen.  The default message seems to be, "help, this laptop is reported lost or stolen. If you are not my owner, please report me now."  You can also record your own.

    Retrieving Your Laptop

    There is the option to add a second password prompt--an additional one to the Windows prompt, I guess--but that seems to be it in terms of blocking access to your data.  Everything else seems to be geared towards the retrieval of the laptop.

    (I guess I could download it and test it out, but this is not a product review article.  All I want to do is point out the obvious, from a data security standpoint.)

    First off, I'd like to say that I don't think this software is useless.  Recovering stolen property is always a good thing, and if the software leads to recuperating stolen laptops 90% of the time, well, it's a very well-spent $30.

    Depending on the kindness of strangers is not a bad strategy--although, I'd have to say that solely depending on the kindness of strangers is a terrible strategy.

    Does It Really Protect Your Data?

    How good is the software when it comes to preventing the theft of data?  Password prompts can be bypassed quite easily.  In fact, methods of doing so are not difficult to find with Google.

    Or what if the hard drive is connected to a different computer?  My gut feeling is that it won't work anymore.  (That might not be the case; without actually testing out the software, it's impossible to tell.  I can say, though, that when I slave one computer drive to another, security software installed on the slaved drive, like antivirus applications, doesn't start up automatically since the drive is slaved.)

    And, of course, if the computer is screaming, all you have to do is kill the sound.  If the volume control is disabled, then just pop a pair of headphones in.  Now the scream is a mosquito buzz.  Don't like the buzz?  Cut off the headphones but keep the jack plugged in.

    If I had to choose between the above software and whole disk encryption for my own computer, I'd go for the latter.  The main reason for that choice is because I actually have sensitive data on my computer; I can't afford to increase my chances of having a data breach if my computer gets stolen.

    On the other hand, if my computer didn't carry any sensitive data on it, I'd probably opt for the screaming software.  Without any sensitive data, the priority becomes rescuing my laptop from the greasy hands of some thief.  What do I care that he can see I'm over thirty and still a big fan of Looney Tunes?


    Related Articles:
    http://www.washingtonpost.com/wp-dyn/content/article/2009/02/25/AR2009022503170.html
    http://www.sciam.com/blog/60-second-science/post.cfm?id=security-software-that-gives-laptop-2009-02-26

     
  • Data Encryption Software Not Used In Missing UK Hospital Floppy Disks

    The North Wales NHS Trust has recently found that the Glan Clwyd hospital in the UK has lost one hundred computer disks. Disk encryption software like AlertBoot was not used to secure the contents of these disks, nor was there (the misleadingly-named) password protection in place.

    There shouldn't be any fears of some type of ID theft, however, since the missing computer disks are believed to be effectively destroyed.  Plus, they only contained patient discharge summaries, which don't sound like they could be used for anything at all (assuming patient ID numbers and such were not included).

    How do they know the disks have been destroyed?  It is believed that the disks were tossed out with the trash, which summarily ended up at a waste disposal company.  The latter claims everything was crushed and buried in a landfill.

    Of course, the assumption is that the disks with patient data ultimately ended up with the waste disposal company.  With so many dumpster-diving enthusiasts around the world, and landfills not inventorying what they bury (it doesn't make sense...although, it probably would make the jobs of future archeologists much easier), you never know....

    Protecting Data On Small (Tiny) Digital Media

    While it's not specifically mentioned by the BBC that the lost disks are floppies (of the 3.5-inch variety), they included a picture of a green, translucent floppy disk in the article.

    As I recall, these things hold approximately 1 MB of information, after formatting.  With one hundred of these, we're talking about 100 MB.  The other day I saw a micro SD flash drive--also known as a TransFlash--that held 4 GB, which is equal to forty times the information on the lost 100 floppies.  The TransFlash was smaller than the size of the fingernail on my pinky.

    Wonder if that'll get lost, ever?

    Obviously, the use of encryption software to protect the contents of such devices is imperative, assuming private information is stored on them.  An entire USB memory stick can be encrypted, for example, to safeguard the contents that are being copied from one computer to another.

    However, you can't go around using full disk encryption on all of them.  Chances are the software required to encrypt and decrypt the information is not included or can't be run in the device that's using the memory device.

    For example, the TransFlash I was commenting on was the main storage for a camera.  I don't know of any camera manufacturers that include the ability to encrypt images as they're being taken.

    For such storage media, the only thing to do, if you're security-conscious, is to not save any private or sensitive information to them, since there is no realistic way to protect the data.

    Related Articles:
    http://news.bbc.co.uk/2/hi/uk_news/wales/north_east/7908856.stm

     
  • Data Security: Google Talk Phishing Scam. It's New But The Tactic Is Old

    There is a new phishing scam making the rounds.  All it involves is people on your Google Talk IM'ing you with "check this out!"  It just goes to show that there is nothing new under the sun, and why the use of drive encryption software like AlertBoot is sometimes necessary on seemingly public and innocuous data such as your address book.

    Don't see the connection?  Read on.

    A New Old Scam (Much Older Than You Imagine)

    Adam Ostrow at mashable.com is pointing out that if you follow the link to the "check this out" message, a page asks you to log in with your Google credentials to watch a video.  I don't know if there actually is a video at the end of the phishing rainbow, but I'm pretty certain that your creds are now compromised.

    Of course, the words "check this out" have long been a phishing tactic.  Did you know, though, that phishing is as old as the hills?  That's because phishing is a classic numbers game: the more people you reach out to, the higher the chances that you'll bait someone.

    Variations exist.  I've already described before the stock market scam, where a letter is sent to random investors with predictions of the market's movements over a relatively long period of time (weeks, perhaps months).  Due to the way it's set up, the predictions are right 100% of the time for a select minority.

    But there are others.  For example, another scam making the rounds is when a person from court calls you up, demanding to know why you haven't shown up for jury duty.  He offers you a fine and incarceration, or for jury duty to be deferred.  You're gonna defer?  Oh.  He'll need your full name and SSN to make sure he's talking to the right person and to complete the paperwork.

    How do you know he's not working for the court of looking-out-for-number-one, though?  You don't, and if you don't fall for this, there are plenty of others who will.  The criminal will continue to make those phone calls until he baits someone.  It's a matter of numbers.

    Targeting A Few Phish

    Of course, the above only works because people are willing to believe.  If you're the suspicious type, you may need other inducements to verify that the other party is who they claim to be.

    Which is why a person's stolen diary or schedule book comes in handy.  The names, addresses, and phone numbers found in such notes hold more significance than the same information from the phonebook, since there's an unwritten extra: a relationship between all names in that diary.  And a criminal can use this information in unexpected ways.

    For example, Jack's your friend, and you know Andy, via Jack.  You get a call from Frank, who's a good friend of Jack and Andy.  Frank is in a bind, and Andy thinks you can help.  Frank's facing a temporary liquidity crisis of $10,000, which you can easily loan, since you're the vice president of a good-sized bank.

    As collateral, he'll put up his top-of-the-line Ferrari, which is easily worth ten times the loan.  He'll pay back the loan with interest next Friday, when you, Andy, and Jack are scheduled to have lunch--a meeting that you never mentioned.  Frank brought it up.  You can drive up in the Ferrari on Friday, and everything will be settled, a good time will be had by all.

    Frank drives up in the car, you check it out--it all looks good.  Frank thanks you and leaves.  Come Friday, you drive up in the Ferrari, at which Andy remarks, "How did you find my stolen car!"

    Uh-oh.

    Turns out, "Frank" stole the Ferrari which contained Andy's business diary in the glove compartment.  Your bank is out $10,000 because Frank connected the dots between seemingly non-sensitive data, and applied some chutzpa and imagination.

    Should make you think twice about the implications of a stolen anything with supposedly non-sensitive data.

    Combine Both

    If a scammer combines the numbers game with just a little more data, he's got a formidable tool.

    If a broker loses a laptop with the name of 10,000 investors, and the information is not protected using file encryption software or hard disk encryption software, a criminally-minded person could use that data to perpetrate the classic stock market scam with better results.

    The unwritten extra in this case is that he already knows these 10,000 people have the means and the interest to seek a killing in the stock market (why else have a broker?), and hence there is a higher chance of baiting people for some real money.

    Or, the criminal could write a letter, pretending to be the broker, and say that he's moving to a new firm.  He's including new forms for authorizing debits and credits of monies from the client to the new brokerage and vice-versa.  Some will be taken by the letter, and the criminal will have the required information--and authorization--to clean out a person's accounts.

    If you think the loss of publicly available information is the same thing as getting it from public sources...well, that's what scammers are hoping.

     
  • Laptop Encryption Software News: Starbucks Getting Sued For Stolen Laptop In November

    Well, it took some time, but it looks like the lack of laptop encryption software is translating into a headache for Starbucks.

    If you'll recall, the coffee company announced the theft of a laptop computer back in November.  There was talk at the time of a class-action suit, but I didn't think that anything would come of it.

    I noted at the time that

    "...a stolen laptop with sensitive information is not grounds for a class-action suit.  Supposedly, it’s because you can’t sue for what may happen; you can only sue after something has happened -- and what has to happen is ID theft, which has to be directly tied to the laptop theft.  The theft of the laptop itself is considered to be no different from the theft of an ordinary object, like a car. (And, again, I'm not a lawyer)"

    I'm still not a lawyer...and, it looks like laws haven't changed in the meantime, either.  According to spamnotes.com, the site that broke the news, there have been other cases--outside of Washington state--where companies were sued for similar scenarios.  Plaintiffs lost in both cases.  Spamnotes.com notes, though, that it may be a different story this time due to differences in regional laws.

    Plus, there are rumors that there are ID theft cases that can be tied directly to the stolen laptop.  If this is true, it certainly fulfills the conditions I've mentioned in the above quote.  The trick is to show that it ties directly and is the only source, though.

    With so many companies suffering from data breaches, who's to say that the ID theft experienced by SBUX employees didn't come from some other source?

    The Class Action Suit Is Asking For...

    • Extension of 1-year credit monitoring to 5 years.
    • Periodic audits of Starbucks's computer systems to ensure security

    I've already noted that the 1-year monitoring must be costing Starbucks nearly a million dollars, even with a discount.

    What Starbucks Has Already Done (Supposedly)

    According to commentators at the Starbucks gossip site, the company has been testing the use of whole disk encryption since the beginning of the year.

    Chances are, this will do more to protect the company--and its employees--from future breaches.  In fact, this probably should have been rolled out about a couple of years back, when they had a substantial data breach.

    Why the delay?  My guess is that the MBA-types at the company finally figured out that using data encryption programs to protect information on computers is much cheaper--in raw numbers as well as when trying to account for fuzzy externalities--than shelling out over half-a-million every couple of years for credit monitoring services.

    In Unrelated News...

    A 19-year-old snatched a laptop computer from a Starbucks patron after he was told that the customer's computer could not be used to "check his Facebook account."

    He was arrested and charged with "robbery by sudden snatching."  I thought the term was made-up by a harried journalist.  Not so.

    Maybe it's just me, but aren't all snatchings sudden?  I mean, you can't have a languid snatching....

    Related Articles:
    http://www.networkworld.com/news/2009/022309-starbucks-sued-after-laptop-data.html
    http://www.sun-sentinel.com/news/nationworld/world/wire/sns-ap-odd-laptop-snatched,0,4456889.story

     