in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

June 2009 - Posts

  • New Jersey Personal Information Data Encryption Provision And Security Law

    New Jersey's personal information data breach laws contain a safe harbor for entities that use encryption (specifically, the New Jersey Statute 56:8-161 and 56:8-163).  I'm not a lawyer, but thankfully the law is written clearly and is easy to follow.

    Some Definitions

    As defined under 56:8-161, when it comes to data, a "breach of security" is

    ...unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.  [my emphasis]

    Of course, the law being the law, a definition of "personal information" is also required.  It's actually a combination of factors.  First, personal information must include a last name and either a first name or the first initial, and it must be combined with any of the following:

    • Social Security number;
    • Driver's license number or State identification card number; or
    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

    So, What If There Is A Breach?

    If your company loses, say, a laptop computer or a USB stick, and it was not protected via encryption software, it will have to disclose said breach to customers.

    The law does give the company some leeway.  According to 56:8-163, disclosure is not necessary if the company "establishes that misuse of the information is not reasonably possible."

    One can see how such a provision could be abused.  For example, even if hard disk encryption was not used on a stolen laptop with sensitive info, one could (in a state of denial or drug-induced misjudgment) come to the conclusion that there's no risk to the customers.  Which is why the law also requires that "any determination shall be documented in writing and retained for five years."

    In other words, you may have to justify your conclusions if the law comes knocking around.

    Notification Requirements

    OK, so you make the determination that you've got announce a data breach and contact those who were affected.  How do you do it?

    According to 56:8-163, if the cost of providing notice is $250,000 or less, it must be a "written notice" or an electronic notice that is consistent with "section 101 of the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. s.7001)."

    A substitute notice to the above can be made if:

    • Notification cost exceeds $250,000; or,
    • People to be notified exceeds 500,000; or,
    • There isn't sufficient contact information to notify all directly

    Substitute notices must include

    • Notification to major statewide media; and,
    • E-mail notice; and,
    • Posting on the company's website

    And that's just for getting in touch with people whose information was exposed.  There are other requirements dealing with law enforcement, consumer reporting agencies, and other issues.

    I guess the gist of the law is, use encryption programs to secure any sensitive information at your company.  Oh, and it goes withouth saying, get yourself a good lawyer...

     
  • Data Encryption Software: Sacramento Sutter Health Contacted About Laptop

    6,000 current and former employees at Sutter Health in Sacramento are being notified that they should keep an eye on their credit reports.  The warning stems from a surprise laptop data breach which looks to be contained.  Had a data security measure like laptop encryption software been used, the entire incident could have been avoided.  Nevertheless, Sutter should be counting its blessings.

    Repair Shop Contacts Sutter Health

    Sutter Health officials only learned of the data breach when a computer repair service called them last month regarding a laptop computer.  While there aren't enough details in the media as of yet, it looks like the computer was brought in for repairs, and in that process, the technicians found a file with sensitive information--SSNs and names, at least--and contacted Sutter.

    Sutter officials did not realize that the laptop was out and about.  According to an article at cbs13.com, it was believed that the laptop in question was still in possession of the employee who had been issued this computer back in 2007.

    It is not known who brought in the laptop for repairs, or what prompted the technicians to call up Sutter...which is pretty weird.  I mean, if a Sutter employee brings in a Sutter computer for repairs, what's so unusual about that?  So, the actions on the part of the technicians seems to imply that something was fishy about the entire affair.

    Data Security

    Sutter Health's computer technicians (not the repair guys) checked out the hard drive, and found that it was not accessed by anyone since 2007 (except for the guys who called in), according to cbs13.com.

    Wha-?

    The thing was issued back in 2007, it was unaccessed since 2007, and it only surfaced about a month ago?  Plus, Sutter didn't realize the laptop was missing, so the employee who had been issued the computer either a) only used the computer for a very short time since it was issued and lost it quite recently or b) lost it over one year ago and never reported it (nor was he required to produce it as part of a regular inventory checkup).

    There is also the possibility that the employee is being the fall guy: he could have returned the laptop in question, but the company lost track of it and ended up somewhere--like eBay.

    Regardless, it makes management look quite unfit (at least, as far as data security is concerned).  But, that doesn't mean that management is incompetent.  Since the breach, Sutter is quite belatedly starting to use encryption software on all laptop computers.  Employees are also being told not to save files locally, on hard drives, but on network drives that can be monitored and secured by the company.

    Furthermore, old computers will be kept track of when disposed, so that data breaches can't happen at the end of a computer's life.

    Using Encryption Software to Secure Data

    The use of encryption is very important when it comes to digital data, since these can be easily copied, transferred, and made publicly available (a fact that anyone in the media industry can readily attest to).

    So, how does encryption protect said data?  Basically, encryption software like AlertBoot will take your original data--composed of 1's and 0's--and scramble them up, in a logical fashion.  Of course, it's a little more complicated than that, but that's the gist of the matter.

    And don't let the simplicity fool you: encrypted data using strong encryption is so powerful that the ability to hack it is measured in geologic terms (eons, really).

    Related Articles and Sites:
    http://cbs13.com/local/sutter.health.laptop.2.1066081.html
    http://www.news10.net/news/local/story.aspx?storyid=62294&catid=2

     
  • Full Disk Encryption: Ghana Market Yields Northrop Grumman Hard Drive

    Journalists have found a computer hard drive that contained sensitive documents belonging to US defense contractor Northrop Grumman.  They found this disk drive--of all places--in a market in Ghana.  The disk didn't feature hard drive encryption software like AlertBoot, so the contents were readily accessible.  The cost?  $40.

    What Type of Information?

    It may be a fluke or it might be a worrisome sign; however, one thing's for sure: Northrop was pretty lucky that the drive was found by reporters working for Frontline, the investigative journalism show for PBS (and one of the reasons for supporting this TV channel--beats Fox News or CNN any day of the week, in my opinion).

    While the contents of those drives were not revealed, it was disclosed that the electronic documents were marked as "competitive sensitive."  That sounds like contracts were and other competitive practices were involved, and thankfully, it implies that, if crap were to hit the fan, it would have been Northrop Grumman that would have been most affected.

    On the other hand, a well-written contract gives one enough details to know what's going on.  It may not be as good as a weapon's blueprint, but it could give outsiders a good idea on what to expect in terms of future armament or shields, or what type of research and development is being carried out.

    Plus, other information was recorded as well, such as "how to recruit airport screeners" and "data security practices."

    Disposal Contractors

    Northrop Grumman has announced that they don't know how the drive could have ended up in Ghana.  The drive belonged to an employee in Fairfax, Virginia, and it's a long way from the suburbs of DC to the Dark Continent.

    I think the assumption is that an outside contractor that was supposed to dispose of the hard drive did not.  Whether this was an accident, an egregious breach of duty, or theft...who knows?

    This is the funny thing, though: it's weird for a used hard drive to end up in Africa.  For example, if I were an employee who had filched a hard drive from work, just to sell on eBay, you can bet I wouldn't be sending things to a continent that includes Nigeria (sorry, Nigeria, but your country's name is tied to scams for the time being, even if it's unwarranted).

    About the only way that I could imagine an American hard drive ending up in Africa?  If it were one of a batch of used hard drives.  The truth is, many developing countries are dumping grounds for electronic waste, which are reclaimed for the precious metals and other materials that are contained in them.

    A batch of hard drives implies...well, that perhaps Northrop should possibly be worried about other hard drives that were not uncovered by the journalists.

    Using Encryption Until The End

    There's a problem with recommending that disk drives be protected with encryption software when they're about to be discarded into the maw of a crushing and grinding machine.  It doesn't seem to make sense.  What's the use?  Who's going to glue together a mound of fine sand and metal together, and return it to its previous, uncrushed state?  Is it even possible?

    On the other hand, it doesn't make sense only because one makes the assumption that the disk will, indeed, be destroyed.  As the above case shows, there is no such guarantee.  Had Northrop been paranoid enough, it would have encrypted their computers' disks while in use, and kept them encrypted when they were sent to be destroyed.

    And, if someone had stolen one of these disks to drive his business on the side, the contents of Northrop's drives would have remained safe.

    If that's not an option, at least Northrop should have contracted out the job to a business that will drive the crushing machine to Northrop's facilities.  They'll crush the drives on-site, while an employee watches, and issue certificates with serial numbers and the works for auditing purposes.

    Related Articles and Sites:
    http://itworld.com/security/69758/reporters-find-northrop-grumman-data-ghana-market

     
  • Data Encryption Software: Alberta Hospital Loses Laptops

    The theft of two laptops on June 4th has affected 250,000 patients at the University of Alberta Hospital.  The information on the two machines includes names, birth dates, personal health numbers, and test results for STDs.  The question is, was drive encryption software like AlertBoot used on these machines?  Depending on who you quote, one gets different answers.

    The Hospital Says...

    According to ctv.ca, the hospital has announced that the laptops are protected by "a security program that requires multiple passwords" and as such "the public should not be concerned, we believe there's a very low, low risk of any information on those devices being made accessible to anybody else."

    Of course, the problem is that passwords can be bypassed.  When I say bypassed, I don't necessarily mean that data on a file can be accessed directly (to do so generally requires correctly guessing the password).

    I mean, there is software out there--hex editors, for example--that allows you to easily see the information in a file.  Also, depending on the situation, it could reveal the password as well.

    So, while having password-protection in place is better than nothing, if the thief happens to know what he's doing (or, at least, has the wits to do a couple of searches in Google), it's barely better than nothing.

    The Information and Privacy Commissioner Says...

    The Information and Privacy Commissioner, Frank Work, has claimed that he is "shocked" about the information security used in this case.  According to him, the standard for storing personal and other sensitive information--such as medical information--on portable devices is encryption.

    But, this is where the story takes a weird turn.   According to the hospital spokesman, "the latest laptops to be stolen were encrypted but not with the most up-to-date software."  I'm assuming he's referring to the two computers that were stolen, unless other laptops were stolen since then.

    So...since when is encryption not encryption?

    Well, when weak encryption is used.  Because of advances in technology, what was considered safe today may not be considered as such tomorrow.  For example, the standard right now is 128-bit AES encryption, or equivalent.  This is what you use for on-line bank transactions, for example.

    As computers get faster, though, at some point the protection offered by this encryption will not be considered powerful enough, and people will have to switch up, to 256-bit encryption (which won't be for some time...maybe, a decade or so?  It all depends).

    If you will, it's like finding that your castle walls are not effective anymore because the enemy has figured out how to build better, longer, and stronger ladders, so now you have to make your castle walls even higher--and now, the enemy has to figure out how to build even better, longer, stronger ladders....

    So, is the information on those two laptops secure or not?  It's hard to tell.  Obviously, it's better protected than originally thought (weak encryption beats password-protection any day).  But, it would be possible--with the right resources--to gain access to the contents on the laptops' hard disks.  It would, however, take considerable time as well.

    Related Articles and Sites:
    http://calgary.ctv.ca/servlet/an/local/CTVNews/20090624/edm-uofa_090624/20090624/?hub=CalgaryHome

     
  • Encrypt USB Key: Data Encryption Not Used On Missing Florida Department of Revenue USB Stick

    It's being reported that data encryption was not used on a stolen USB key that contained sensitive information.

    Florida Department of Revenue Employee Loses USB Memory Stick

    An employee working for the Florida Department of Revenue has reported the loss of a USB memory stick with the names, addresses, and Social Security numbers of 2,828 people employed by a number of "state businesses."

    The USB key was stolen from--wait for it--an unlocked car.  More specifically, the USB key was stuck into a laptop computer that was stolen from said unlocked car.  The car was, apparently, parked outside the employee's home in Georgia.

    Man, that's just asking for something to be stolen...

    USB Key Encryption Not Used (Why This Is Bad)

    The department has policies requiring encryption for laptops (I guess we can assume that whatever information that was on the laptop was protected); however, the same is not true for USB sticks.

    There is, it should be noted, a pending policy that would require encryption of USB keys and other mobile devices as well.  This latest case should push forward that policy.

    A stray light of sunshine is the fact that password-protection was used on the file with the sensitive data.  However, as the gainesville.com article points out, a sophisticated thief would be able to bypass that password, so the hope is that this particular thief is as dumb as a sack of bricks.

    But, let's face it, in this day and age, a thief can get all the "sophistication" he needs from the internet.  A simple search on Google for bypassing password-protection on files should suffice.

    If Only USB Key Encryption Had Been Used

    This is why encryption software is so necessary when it comes to protecting sensitive data.  Unlike simple password-protection, a well developed encryption software suite will not allow simple bypasses, nor will it reveal the contents of a protected file without the correct username and password.

    If you apply the encryption so that it protects the entire USB key, as opposed to individual files or folders, the thief would have difficulty (nay, it would be nearly impossible for him) to access any of the contents of USB stick.

    Related Articles and Sites:
    http://www.gainesville.com/article/20090624/ARTICLES/906249921/1002?Title=Stolen-flash-drive-held-personal-data-on-2-828-people

     
  • Drive Encryption Software Not Used On Stolen Tulsa CTP Server

    The Commission for Teacher Preparation (CTP) in Oklahoma has notified past test takers that they may be victims of a data breach, although there are indications that they should be safe.  Of course, if data protection software like drive encryption from AlertBoot had been used, there would be no need for "indicators": CTP would just know that test takers are safe.

    Recovered Server Stolen in 2007

    As far as I can tell, the commotion was started by a recovered server.  Oklahoma policy recovered two computers as part of an investigation, and one them happened to be the CTP server.  The commission hadn't noticed the server was missing because it was being stored off-site, as a backup to a new server they had received in 2007.

    The server contained the names and SSNs of candidates who had taken tests for certification and licensure between 1999 and 2007, inclusive.

    Server Not Accessed

    According to an analysis of the server, the computer was not accessed since the day it was retired (and put into storage).  This does not necessarily mean that the information on the server couldn't have been accessed: it's notoriously difficult to be certain that a drive was not accessed since dates on files and logs can be manipulated or deleted.

    However, my guess is that's highly probable that the conclusion by the commission is correct.  I mean, people don't try to hide what they did on a stolen computer.  The assumption by most thieves would be that the computer will not be returned to the victim.  Hence, no need to hide their activities.

    Luck is Not A Data Security Measure

    The CTP has been extremely lucky.  Their server was stolen; for over two years, they had no idea that it was stolen, so they couldn't contact possibly-affected victims; and it looks like the data was not compromised (again, highly improbable...but not impossible).  I mean, anything could have happened...and it did not.

    Well, at least so far it hasn't.  It could be that once the test-takers are contacted, a pattern of affected people starts to pop up.

    Using Encryption To Secure Data

    Apparently, the CTP has also woken up to the fact that they've gotten lucky this time.  According to a spokesperson, the data is being encrypted to protect it from future, potential breaches.

    Why does it matter that data security measures, like hard disk encryption or file encryption, are used?

    Encryption is not a panacea when it comes to data security, but it's one of the fundamental tools when it comes to securing information.  More often than not, it's the last security weapon available when all other forms of protection fail.  That's because encryption will still be in place even if a computer or portable disk is stolen (the fact that it was stolen means that other security measure such as guards, doors, and cable locks were defeated).

    The trick, though, is to have encryption in place before the device gets stolen.

    Related Articles and Sites:
    http://www.tulsaworld.com/news/article.aspx?subjectid=298&articleid=20090623_298_0_OKLAHO402850
    http://www.newsok.com/data-danger-not-foreseen-for-oklahoma-teachers/article/3380245
    http://www.ktul.com/news/stories/0609/634644.html

     
More Posts Next page »