AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Hard Drive Encryption Not Present On Oklahoma DHS Stolen Laptop - 500,000 Families Affected

The Oklahoma Department of Human Services (DHS) is notifying 500,000 households that they may be affected by one laptop that was stolen from an employee's car.  The DHS has also announced that the laptop in question only featured password protection.  If I were one of the 500,000 families, I would rest much easier if the laptop had used disk encryption software to secure its contents.

The number of people affected is so large because the employee who had the laptop stolen was a developer of DHS programs.  She was one of a handful of people who had access to such a large amount of data.

You know what's really stupid about the entire situation?  She "left the windows cracked in her vehicle."  Both her purse and laptop computer were stolen.  No encryption software and terrible asset protection practices.  That's just asking for trouble.

Number Affected: 500,000 Families...One Million Residents

According to scmagazineus.com, over one million people are being notified.

The Personal Information Involved In The Breach

According to the OK DHS page, it looks like you may be affected if you provided personal information to receive aid related to the following:

  • Medicaid
  • Child Care assistance
  • Temporary Assistance to Needy Families (TANF)
  • Aid to the Aged, Blind and Disabled (AABD)
  • Supplemental Nutrition Assistance Program (SNAP or Food Stamps)

The actual information affected includes:

  • Names
  • Social Security numbers
  • Dates of birth
  • Home addresses

The data did not contain driver’s license numbers, credit card, or banking information.

Low Risk? I Don't Think So.  Lower Risk

The DHS has announced that the "risk of the data being accessed is low because the computer uses a password-protected system," according to newsok.com.  I take exception to that statement.

What the DHS really means is that the risk of data being accessed is lower because the computer uses password-protection.  It may sound like semantics but it isn't, really.  Consider the risks of falling from a 50-story building: would you say that the risks of dying are low?  They certainly would be if you compare them to the damage your body would take jumping from a plane without a parachute.

But, a more accurate statement would be that the risks of dying are lower than jumping from a plane on its way to Africa, but higher than slipping on a banana peel.  In other words, you need to gain some perspective.

One way of gaining this perspective is considering how long it would take, theoretically, to gain access to a computer.  The assumption is that all systems can be broken into, given enough time.

  • No protection: 2 minutes
    All you have to do is turn on the computer, and you're there.
  • Password-protection only (Windows startup prompt): 5 minutes to 30 minutes
    The delay depends on which track you take, and how quick you are with your fingers.  I won't go into details, but one way of getting around the Windows password prompt is to hook up the hard drive to another computer.  A child can do it, and all you need is a screwdriver.
  • Using encryption: A couple of decades, maybe millennia
    Estimating how long it would take to break encryption is hard, but it's agreed that AES-128 encryption would require quite a long time.

Now, considering the above numbers, would you say that the presence of password-protection means the risks of a data breach are low?

Related Articles and Sites:
http://www.tulsaworld.com/news/article.aspx?subjectid=11&articleid=20090424_11_A11_TheOkl984763
http://www.newsok.com/oklahoma-dhs-data-loss-puts-1m-at-risk/article/3364058
http://www.upi.com/Top_News/2009/04/24/Stolen-govt-laptop-has-info-on-1-million/UPI-31911240578090/

 
Comments

Hard Drive Encryption Not Present On Oklahoma DHS Stolen Laptop - 500,000 Families Affected - AlertBoot Endpoint Security said:

Pingback from  Hard Drive Encryption Not Present On Oklahoma DHS Stolen Laptop - 500,000 Families Affected - AlertBoot Endpoint Security

April 24, 2009 8:48 PM
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.