According to the site perens.com, a laptop thief was nabbed thanks to an on-line backup program. And, while this is preferable to not recovering a lost laptop, it's not something people should rely on for protecting their data. I would advocate the use of drive encryption software like AlertBoot, but such data protection would have impeded the laptop's recovery in this case.
A laptop was stolen from the backseat of a car. The twist is that the owner of the laptop used automatic on-line backups to save the contents of his laptop. However, the thief didn't know this.
The thief took pictures of himself using the built-in camera. And, he also must have accessed the internet, because those pictures ended up on the on-line backup site.
The pictures were turned over to the police who recognized the thief. He was promptly arrested.
Stories where thieves are identified and arrested because they don't know much about technology have surfaced a couple of times over the year. I remember that a Mac thief was caught late last year because of the remote camera installed on a computer.
And while memorable, let's face it, this is not data security. Yes, you could (not will, could) possibly get your computer back...but there's no guarantee that the information on that laptop wasn't already sold or used illegally prior to catching the thief.
If you recover your $1,000 laptop, but damages from a data breach cost you $30,000...well, I'd prefer to lose my laptop and keep my personal information safe, thank you very much.
Related Articles and Sites: http://perens.com/works/articles/Burglar/
According to InformationWeek, the Department of the Interior is unable to locate 20% of their computers. Technically, it's 20% of a sample of computers, but assuming that sample's big enough, it should be representative of the entire number of computers (2500). Even more worrisome is the fact that the department does not have any requirements for the use of data encryption software like AlertBoot, so they could be the victim of a data breach.
Missing 20% of your computers is...not a good thing. With 2500 computers in total, that would imply that 500 computers are lost. But, even more egregious is the fact that nobody knew they were missing.
According to the InformationWeek article, the government agency is unable to "tell where or to whom agency computers are assigned." The Fish and Wildlife Service has been singled out as being especially egregious when it comes to keeping track of the computers.
With such scintillating record-keeping and asset-tracking, it's no wonder that things are getting lost. I mean, you know why things get stolen from the office supply closet? Because no one's keeping track of that stuff. Just imagine what would happen if you were to apply the same policy to computers. Wait, no; no need to do so. The Department of the Interior has already shown us what happens: computers go missing.
One of the key reasons why asset-tracking is not in place for computers is that the Department of the Interior doesn't require any hardware costing less than $5,000 to be tracked.
And, you know, that may be a valid requirement if you're constantly dealing with equipment that costs $10,000 and up. On the other hand, if the missing 500 computers cost $1,000 each, they add up to half a million dollars, which is nothing to sneeze at.
Plus, the information on those computers could be worth much, much more.
What the Department of the Interior should do is obvious: make an exception for computers, and track them in their asset-management software regardless of what the computers cost.
On the other hand, keeping track of computers is not really security. If they are concerned with data security what they could do is sign up with a managed encryption program like AlertBoot. Not only is it easy to encrypt computers, it's possible to keep track of which computers are encrypted and assigned to whom.
Related Articles and Sites: http://74.125.155.132/search?q=cache:498hLKDPXYsJ:www.informationweek.com/news/government/technology/showArticle.jhtml%3FarticleID%3D217700161+http://www.informationweek.com/news/government/technology/showArticle.jhtml%3FarticleID%3D217700161&cd=1&hl=en&ct=clnk&client=firefox-a (google cache)
NorthgateArinso, a software provider to The Pensions Trust, lost a laptop computer that contained the personal information for 109,000 people. Laptop encryption software such as AlertBoot endpoint security systems was not used to secure the device, although password-protection was used.
The data breached in this latest set of UK-based data fiascos includes names, addresses, dates of birth, national insurance numbers, employer name, and salary details. If currently receiving a pension, it also includes bank account details.
The laptop contained all this data because it was being used for development, training, and performance testing.
The Pensions Trust cannot be blamed for this latest data breach. While it is their data, they cannot monitor what a third party is doing with it all the time. Sure, they can check up on things, but 24/7 monitoring? Impossible.
No doubt there will be those asking why the data was not encrypted. Newsflash: we don't know that. It could very well be that the information was protected with the use of encryption software. However, The Pensions Trust encrypting data and NorthgateArinso keeping it encrypted, once they receive that data, are two separate issues. In other words, what we do know is that the contractor did not employ adequate data protection measures.
On the other hand, I guess The Pensions Trust could have done something to control the possibility of a data breach taking place.
No, I don't mean having the third party sign a contract stating they'd use encryption and other data security processes--things are too easy to sign and then ignore.
Rather, The Pensions Trust could have sent NorthgateArinso modified data. If the developer needed the data in order to customize software for the trust, then the actual information is not necessary. For example, "real" data such as the following:
Name: John Smith
DOB: 05/05/2005
National Insurance Number: AB 12 32 45 C
Could be modified to:
Name: Xcms Smith
DOB: 12/31/02
National Insurance Number: BZ 32 12 43 D
After all, developers don't need the actual data; what they need is the format of the actual data. Take for example the date of birth.
5/5/05
05/05/05
05/05/2005
05 May 2005
All the above are the same DOBs, but depending on how The Pensions Trust saves the information internally, software developers will need to customize their software accordingly. It's the format that's important for these people.
So, had The Pensions Trust sent modified customer information to NorthgateArinso, there would be no data security breach under any circumstances--even if someone managed to steal a laptop computer--and the contractor would still be able to do its job.
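One way to produce the kind of modified data described above, as an added example that is not part of the original post: a small Python masker that keeps each field's layout but replaces its content. The function names and the month/day/year reading of slash dates are assumptions made for illustration.

```python
import re
import secrets
import string
from datetime import date, datetime, timedelta

_RNG = secrets.SystemRandom()  # OS randomness: masked values are not reproducible

def mask_chars(value, rng=_RNG):
    """Swap every letter/digit for a random one of the same class; keep layout."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(ch)  # spaces and punctuation carry the format
    return "".join(out)

def mask_dob(value, rng=_RNG):
    """Return a random but valid date rendered in the same layout as `value`."""
    fake = date(1940, 1, 1) + timedelta(days=rng.randrange(365 * 60))
    m = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{2}|\d{4})", value)
    if m:  # assumed month/day/year, matching the post's 12/31/02 example
        mm, dd, yy = m.groups()
        month = f"{fake.month:02d}" if len(mm) == 2 else str(fake.month)
        day = f"{fake.day:02d}" if len(dd) == 2 else str(fake.day)
        year = f"{fake.year:04d}" if len(yy) == 4 else f"{fake.year % 100:02d}"
        return f"{month}/{day}/{year}"
    try:
        datetime.strptime(value, "%d %B %Y")  # e.g. "05 May 2005"
    except ValueError:
        # Fail closed: an unrecognised layout must not pass through unmasked.
        raise ValueError("unsupported DOB layout") from None
    return fake.strftime("%d %B %Y")

def mask_record(record, rng=_RNG):
    """Mask the three fields from the post; any other field is dropped."""
    return {
        "Name": mask_chars(record["Name"], rng),
        "DOB": mask_dob(record["DOB"], rng),
        "National Insurance Number": mask_chars(
            record["National Insurance Number"], rng),
    }

if __name__ == "__main__":
    sample = {"Name": "John Smith", "DOB": "05/05/2005",
              "National Insurance Number": "AB 12 32 45 C"}  # the post's record
    print(mask_record(sample))
```

Unrecognised date layouts raise an error instead of being copied through, and fields outside the allow-list never reach the output, so a schema change cannot silently leak real values to the contractor.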
However, this does not absolve NorthgateArinso from their failure to protect the data. After all, if the ball's in your court, it's up to you to take action.
Related Articles and Sites:
http://news.bbc.co.uk/2/hi/business/8072524.stm
http://www.thisislocallondon.co.uk/news/4404416.Laptop_with_109_000_people_s_pension_details_stolen/
You carry, on a daily basis, a device that can create a data breach. This device is known as a smartphone, for the lack of a better term. And, according to my reading of a research report, the presence of data encryption could be indicative of the device's overall security.
As most people know, not all smartphones are created equally. The iPhone by Apple is considered by many as the best thing since Jesus consecrated toast. Others will pooh-pooh this device, claiming that nothing beats a BlackBerry. Then there are others that will swear by a Windows-powered device (although most of them will not...they're just stuck with it).
The reasons why one is better than the other are myriad: bigger screen, better web-surfing, the presence of keys (and physical feedback), etc. But what about security?
When it comes to security, the report claims that BlackBerrys are best, followed by Windows devices. Coming in last is the iPhone. This is not really news. BlackBerrys have always been known to have a high degree of data security built-in; otherwise, they would never have been accepted so enthusiastically by the business community.
Windows machines have a somewhat high degree of security just because they've been around so long. It's one of those cases where a company is forced to think about security issues because it's had so many security issues.
Then there's the iPhone, which hasn't been around as long. And, plenty of businesses are loath to support it because they see security issues.
So, nothing new in the report. However, I thought it was pretty interesting to note that Windows devices and BlackBerrys didn't show much difference when it came to security. The former got a 3 out of 4 when it came to security, while the BlackBerry got 4/4. The difference mainly seems to lie in how effectively encryption has been implemented into the devices and data transmissions.
Which just goes to show that data security is better achieved if you plan it ahead and then implement it, as opposed to adding it on an ad hoc basis. Encryption software like AlertBoot will do a better job of protecting your company's digital assets if some thought is put into it; plus, it will help you figure out which areas cannot be protected by encryption--and give you a chance to shore up those areas as well.
Related Articles and Sites:
http://web.mac.com/mardelibre/Lopez_Research/Research/Entries/2009/5/25_Mobile_security_files/Final%20Mobile%20Deployments%20Require%20Robust%20Security%20May%2009.pdf
http://www.eweek.com/c/a/Mobile-and-Wireless/Research-In-Motion-Tops-Security-Assessment-783185/?kc=rss
Approximately a week ago, I had blogged on the loss of a laptop by the United Food and Commercial Workers Union. I had noted then that use of hard drive encryption software like AlertBoot was not mentioned, and assumed that, since it was not mentioned, it was not used to secure the contents of the now-missing laptop.
Well, it turns out that I was wrong. According to a report by The Calgary Sun, a stolen laptop computer belonging to the UFCW contained sensitive information of Canadians. Comparing dates, one can only conclude that this laptop is the same UFCW laptop from last week.
The total number of Canadians affected is unknown, although 28,000 Alberta UFCW members are affected; I assume that the total would be higher. More significant may be the statement, by UFCW Local 401 President Doug O'Halloran, that encryption was used.
It's not known what kind of protection, though, which could have pretty important ramifications. For example, if the laptop was secured with full disk encryption [whole disk encryption], then all the contents of the lost laptop were protected. It stands to reason, then, that the UFCW members in last week's blog, out in Oregon and Washington, need not worry about identity theft any more than their Canadian brethren.
On the other hand, if it was file encryption that was used to protect the Canadians' personal information...well, then there is still the question whether U.S. west coast members had their files encrypted as well.
One would assume that it would have been (why treat one sensitive file differently from another?), but seeing how one group was informed about the use of encryption while the other wasn't... well, let's just say that consistency is a huge aspect of security.
Related Articles and Sites: http://cnews.canoe.ca/CNEWS/Crime/2009/05/26/9571661-sun.html
The Guardian has found out, via a Freedom of Information Act request, that a military data breach from last year involved more than meets the eye (or its press release). In September 2008, the Royal Air Force had announced that three hard disk drives that weren't protected with full disk encryption were stolen from a high-security area.
At that time, it was announced that the private information of 50,000 RAF personnel could be compromised. However, it turns out that there was just a wee bit more involved.
According to new details, there was information on 500 people that was more private than others. Private enough that they could be used to blackmail servicemen (and women?), such as "details of criminal convictions, investigations, precise details of debt, medical conditions, drug abuse, use of prostitutes, extra-marital affairs including the names of third parties."
Wow. (On the whole, though, it's not surprising that military personnel are involved in such activities; after all, uniform or not, these are still people).
Keeping track of such information is required, if the military ends up knowing about it, since it could compromise the integrity of the military. For example, if you knew someone with a high rank had cheated on one's spouse, would you give that person a security clearance to the most secret of military secrets? After all, if you know about it, chances are there's someone else out there that knows about it as well...and plenty of caught-spouses will turn over information to keep their marital bliss (which is weird, because, if there was bliss to begin with, why the philandering?).
Now, this is the thing: it could be that you know about it, but nobody else does. But if you want to keep it that way, you've got to keep that information secret. For example, by not having the hard disk with such information stolen. Otherwise, you may just have done your enemy a great favor. Now, they've got a list of targets.
As I pointed out the last time, important information needs to be protected with the use of encryption like AlertBoot endpoint security. The more important the information is, the more layers of security should be involved in protecting it. Physical protection is all well and good, but what's one going to do once enemies make it past all physical barriers?
Related Articles and Sites: http://www.guardian.co.uk/uk/2009/may/24/raf-military-files-stolen-blackmail