in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

August 2009 - Posts

  • Drive Encryption Software Applied To Lost (And Recovered) Normandeau Laptop Computer

    New Hampshire is one of the few states that require a data breach notification even if sensitive information was protected via data protection programs like AlertBoot disk encryption software.  This means that companies like Normandeau Associates must file a letter with the Attorney General when a laptop gets stolen....even if they were practicing caution and used file encryption.

    Normandeau Associates Reports Stolen Laptop

    According to the letter filed with the AG, a computer with personal information of 277 NH residents (who knows how many more were affected) was stolen from an employee's home in November 2008.  It was recovered in February 2009.

    However, the fact that the laptop was stolen did not come to light until June 2009.

    According to a copy of the letter sent to affected residents, the laptop contained a database of past and current Normandeau employees, including SSNs, names, and bank account numbers.

    Computer Policy Not Followed (Unintentionally, Of Course)

    So, why was this database on the laptop computer?  Normandeau explained that while they do not normally allow the storage of such information on laptops, the file in this case was temporarily stored on the laptop while the company's network was being restored.

    The information was supposed to be deleted, but wasn't, which is being chalked up to an oversight.

    Thankfully enough, the file was encrypted, and required specific software to access the data.  So, why all the fuss?  Normandeau is recommending that all who were contacted place a fraud alert on their credit files.

    There Are Different Levels Of Encryption

    I can only suppose at this point, but I assume the hubbub is over the encryption itself.  There are different levels of encryption, and depending on how strong (or weak) the database's encryption happens to be, there could have been a data breach.

    For example, text documents written under the "Microsoft Word" word processing program can be encrypted.  However, the encryption used is the weak kind (at least, it was during the early 2000's, if I recall correctly), so if one has the wherewithal, one could gain access to a protected Word file.  I have found on-line sites advertising such services for $50 or less, with a turnaround time of a week or less.

    (What such services engage in is probably brute-force hacking, where all possible encryption key combinations are tried to see what works, not unlike going through all combinations on a three-wheeled lock.)

    Don't forget, the computer was outside the company's hands for at least 2 months (assuming it was lost on November 30 and recovered on February 1).  Again, depending on the type of encryption used, there could have been a serious breach.

    The use of whole disk encryption could have helped, but only because companies that make it their business of offering encryption software tend to concentrate to the strong stuff, and don't even allow outdated, weak encryption to be an option.

    Related Articles and Sites:
    http://doj.nh.gov/consumer/pdf/normandeau.pdf
    http://www.databreaches.net/?p=6945

     
  • Laptop Encryption Software: NHS Birmingham Issuing Security Alert

    The theft of three laptops has prompted Birmingham NHS to issue notification letters to more than 7,000 patients.  It has been confirmed that none of the computers were making use of hard drive encryption software.

    One of the computers was stolen from a car.  Another was stolen during a mugging (second such instance I have read of).  There is no mention of how the third one was lost.

    All three computers were owned by Trulife, a surgical firm whose services were used by various hospitals, including Birmingham Children's and City, Sandwell and Rowly Regis. The former saw approximately 3,500 patients affected, while the latter had over 3,600 patients affected.

    Letters of apology are being sent out from Trulife explaining the situation.  I can't help but notice that the UK seems to approach the issue of data breaches differently from the US.

    In the US, it's generally the original holder of the data that is deemed responsible.  That is, if the above data breach had occurred on this side of the Atlantic, it would have been the hospitals sending out the letter, possibly mentioning that an outside firm had experienced the data breach.

    The use of data security products, such as encryption software would have meant that such a fiasco could have been avoided.  Indeed, that's the reason why anyone would use data encryption at all.

    Actually, let me rephrase that.  The fiasco I'm referring to is the possibility of sensitive data falling into the wrong hands.  Obviously, the use of encryption couldn't have prevented the burglary itself, nor the mugging (otherwise, I bet the industry wouldn't have any problems selling this stuff--not that they're doing badly).

    Likewise, if I'm not wrong, under UK regulations, the affected hospitals would still have to announce the breaches, since sensitive data has been stolen.  But, they would get to mention that the data is unlikely to fall into the hands of criminals.

    The Information Commissioner's Office would get involved only minimally, and affected patients (and their parents) probably would let the issue slide....ever since the UK government lost those two CDs, with sensitive information on nearly half the country's population, the UK public seems to understand the benefits of encryption.


    Related Articles and Sites:
    http://www.sundaymercury.net/news/midlands-news/2009/08/30/birmingham-news-nhs-security-alert-over-stolen-laptop-66331-24563380/

     
  • Skype Encrypts Your Calls, Trojan Gets Around It

    I'm a Skype user.  While I'm not too crazy about the call quality, it's the cheapest way to make calls to the US while I'm drinking a cup of coffee at an overseas coffee shop that offers free wi-fi (the call itself is also free if the other guy uses Skype on his computer as well).  One of the things that I don't really think about it, but I'm sure I should appreciate, is the fact that all calls made via Skype make use of encryption.

    Why do I know this?  I covered a story nearly two years ago how the German government could not crack Skype's encryption and had to find a way around it if they wanted to do some wiretapping.

    Now, there's news that a new Trojan is making the rounds that gets around this "problem."  The new malware, Trojan.Peskyspy, gets around the issue of encryption by recording Skype calls.

    You see, any method of secure communication features a weak link.  In the case of Skype, it's the fact that you cannot listen to your friend on Skype unless the encrypted call is decrypted at some point.  The Trojan essentially records this decrypted audio and saves it as an MP3 file on your computer and is later sent to whoever controls the infected machine.

    Since encryption has proven to be too hard to break, the smart ones have decided to find some other way to eavesdrop.

    The only problem, as pointed out by Symantec, is the fact that any criminals wanting to use information gleaned via this method have to spend time listening to thousands of MP3 files.

    Or is it a problem?  I know of speech recognition software, like Dragon Naturally Speaking, that does a great job of transcribing audio (I use DNS myself).  I can already see a scenario where MP3s are sent to the malware creators; the audio is transcribed via speech recognition software; and a script is run to concentrate on number patterns that seem to match credit cards and SSNs.  The entire thing could be automated.

    Sure, the signal-to-noise ratio may be pretty high (this method may not be as efficient as hacking into a bank's database), but seeing how a lot of people put their guard down while on the phone, it may be worth the effort.  You know, like panning for gold is not exactly a better way to become rich than a 9-to5 job, but when you strike it big...


    Related Articles and Sites:
    http://www.pcauthority.com.au/News/154401,skype-trojan-can-log-voip-conversations.aspx

     
  • Data Encryption Software: Tapes With Sensitive Data Falls Off Truck, Rammed Into Oblivion

    Officials in Cuyahoga County, Ohio are looking for a box that contains data tapes with the personal information of 300 people.  Fortunately, drive encryption software was used to secure the  contents of the tapes, so the chances of a full-blown data breach are minimal, if not impossible.

    According to reports, a driver for Iron Mountain--a company that stores documents, and has been involved in data breaches in the past (which, is bound to happen on a statistical basis.  These guys do a lot of business)--dropped a container from his truck as he was speeding away.

    The entire incident was caught on a security camera.  Then, another car came around and knocked the box (don't people believe in swerving anymore?) out of the camera's line of sight.  By the time the Iron Mountain employee came back to search for the box, it had disappeared.

    The county--in a brilliant move--had already encrypted the contents of the tapes prior to packing them and handing them over for storage.  I say brilliant because:

    • The act has prevented a data breach, a real one, from occurring (depending on a person's point of view, the loss of the tapes may be considered a data breach regardless of the fact that encryption prevents access to the information).

    • Iron Mountain had an incident about two years ago where GE's tapes went missing while under storage (actually, I'm assuming this Iron Mountain is also that Iron Mountain).  While it's impossible to tell who was responsible for that past breach, I think everyone involved can agree that not having the tapes encrypted was a colossal mistake because it's that much easier to glean information from the tapes.

    When it comes to data security, encryption could very well be the last line of defense when everything else fails.  Unlike locked storage facilities, encryption software is a data-centric security tool.  In other words, it protects data by being part of the data--without the right password, it's impossible to separate the protection from the information.

    This differs with data protection solutions like physical locks, where a sledgehammer could easily separate the protection from the information.

    I wonder how much the county was prompted to encrypt their data because of that one data breach that plagued Ohio.  There was the case of the intern that left tapes in his car overnight, and resulted in all OH state workers having their names and SSNs breached.  The same incident then added another 225,000 names and SSNs, proving that when it comes to data, you should be rather safe than sorry....


    Related Articles and Sites:
    http://blog.cleveland.com/metro/2009/08/cuyahoga_county_officials_sear.html
    http://datalossdb.org/incidents/2308-cuyahoga-county-officials-are-searching-for-a-box-that-fell-off-a-truck-and-contained-personal-information

     
  • Drive Encryption Software Better Than Fake Newspaper Laptop Case

    I've come across a very fun product that purportedly keeps your laptop safe from theft.  I don't know that it would do a better job of protecting your sensitive data than disk encryption software like AlertBoot...but I guess, when you're supposed to have layered security, such a product would contribute towards security (even if it's admittedly only a little bit.  Tiny.  Infinitesimally small).

    The product in question is a laptop case that looks like a newspaper.  Available for 60 euros, it features luminary publications such as "Le Pais," "La Vanguarda," La Gretezza dello Sport," "The Herold Tribune," and the "Frankfurten Allgemeine."

    If you're familiar with these periodicals, you might notice that the names all feature typos.  I figure it must be so the manufacturer of the case doesn't get sued--you know, trademarks and what not.  I must say the typo kind of makes the thing more noticeable, and may invite more attention than not.  But then, I’m the type of person that goes around noticing typos on signs (even if I'm complicit in spreading typos into the digital realm).

    I'm not sure how they look like in real life, but pictures of the product certainly seem to do it some justice.  I could have sworn that the photograph featured on the product page shows an actual newspaper partially covering a Mac Book.

    (Oh, something to note.  The case was designed for Mac Book Pros.  But, there's no reason why it couldn’t be used on a regular laptop, right?)

    The only problem?  I've noticed that newspapers have become thinner over the years, so if someone were to see a newspaper that's about an inch thick or more...well, that, too might trigger some unwanted attention.

    There's also the fact that thick newspapers tend to sag in the middle, kind of taking a curved shape.  This laptop case, I'm assuming, features no such sag.

    Hm.  Why, contrary to my opening remarks, this case might just be a beacon call to laptop thieves.  I'd seriously suggest the use of encryption software if you decide to use this case to protect your laptop.

    Related Articles and Sites:
    http://dvice.com/archives/2009/08/fake-newspaper.php
    http://www.mitemite.es/st/laptop.html

     
  • Bank Data Security: Trojans Being Spread Via Mail (Postal Mail, That Is)

    It looks like some criminals are resorting to real-world exploits to further their virtual-world crimes.  It makes sense since the past couple of years or so has seen an unprecedented amount of interest in data security, like AlertBoot drive encryption software for laptops and storage devices, firewalls for on-line protection, etc.

    And, they're getting much more imaginative.

    According to the National Credit Union Administration, a scam is being perpetrated via the postal mail against financial institutions.  Fraudulent letters, accompanied by two CDs, are being sent to banks and the like, claiming these are training materials.  They, however, are actually disks carrying malicious programs.

    Since most computers are set to automatically run programs when CDs are inserted, if said malicious programs made use of the autorun feature, computers would be infected before the computer user knew what was going on.

    More likely, there's some made-up content that resembles training materials, and in the process of going through them, you click a button and you're infected.  The victim is never aware of the incident.

    There are certain ways of preventing this from happening.  One would be to disable the autorun feature.

    Another would be making use of application control whitelists--or blacklists...although, a blacklist would probably not work in this case.  I mean, how do you tell a computer not to run a program you didn't know existed until you popped the CD in?--so that only authorized programs are allowed to run on the computer.

    A third one, and the one that I prefer, is to have a separate computer just for checking stuff.  When I was in college, we had an old, beat-up computer that sat on the corner of the computer lab.  It was used to scan for known viruses on storage such as floppy drives, zip drives, and CDs.  It wasn't even that powerful...the year was 1998, and the computer was a 386, I think.  Like I said, beat up.  And, obviously, it was a standalone computer, disconnected from any networks.

    It's not the sexiest solution, but it's one of the most foolproof methods I know for preventing outside elements into your network.

    Update (28 AUG 2009): There are reports that the above may not be an actual attack, but part of a penetration test.  A penetration test is a paid attack, where professionals try to penetrate an organization's (data) defenses to see where its weaknesses may lie.  However, generally, higher-ups are aware of such penetration tests, and wouldn't have allowed its effects to spill over to other organizations--namely, the NCUA that is alerting all credit unions it knows of.  If this is a penetration test, they've (whoever "they" might be) certainly forgotten to cross their T's and dot their I's...

    Update II (28 AUG 2009): It's official: the CDs were sent as part of a penetration test.  And, the reaction by the banks receiving the CDs and by the NCUA was real.  The system works! (http://www.computerworld.com/s/article/9137215/Security_test_prompts_federal_fraud_alert?taxonomyId=17)

    Related Articles and Sites:
    http://www.securityfocus.com/brief/1002?ref=rss

     
More Posts Next page »