AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

September 2009 - Posts

  • Data Encryption: Could Kindle Be At The Heart Of A Data Breach?

    I was perusing some of the smaller breach stories today, when I happened on a story that shows how a company could have a data breach with a digital device that cannot make use of hard disk encryption software.

    The actual story involved a Kindle, but any of the current generation of e-ink readers will do.

    Auditor's Kindle Stolen

    The story that I read involved a college student who bought a stolen Kindle on Craigslist.  He realized that the Kindle he had purchased was hot--as in stolen.  I'm guessing that he was able to connect to the original owner's Amazon account, and got clued in that way.

    The Kindle was stolen along with a Cadillac, a pair of necklaces, and a state laptop computer that was password protected (this latter device could definitely have made use of encryption software, assuming it had sensitive information on it).

    What If...?

    Now, it looks like a data breach didn't occur, but it left me wondering, "what if the auditor--anyone, really, when you think about it--had saved sensitive data to the Kindle?"

    It might be something of a stretch of the imagination, seeing how saving anything other than books downloaded from Amazon is a cumbersome process: depending on the model, you've got to e-mail documents to the Kindle and whatnot.  (And, it's got that screen-flickering thing which definitely doesn't rock my boat...but that's neither here nor there.)

    But, when you consider how you can read documents on the Kindle, and it's so much lighter than your traditional laptop--not even the Mac AIR compares...well, I'd say it's a matter of time before the Kindle, or any other e-reader, becomes the focus of a data breach: For example, you transfer a workplace PDF to the Kindle, and it gets stolen...along with that PDF that has an appendix full of SSNs for county constituents.  Personally, I don't find this to be implausible.

    Device Security Not Important Yet

    Unlike USB flash drives, external hard disks, and computers, one cannot use encryption to protect the contents of an e-reader.  For one, it's not supported on the current generation of e-readers.  Well, aside from the DRM on electronic books, of course.

    (Off-thread: I'll bet that if anyone does do it, it'll probably be the guys over at iRex.  Have you taken a look at their newest reader, the DR800SG? Sexy.  And, they've always been above the competition when it comes to e-reader hardware.)

    I guess, technically, if a reader makes use of built-in external storage (that's an oxymoron, right?), such as SD cards, one could encrypt a file; save it to the SD card; and stick it into the e-reader.  This way, the file is protected and the form factor has increased a bit to prevent a breach from occurring while you're pulling out a smoke.

    On the other hand, you're dealing with file encryption--where a user makes the decision to encrypt the file.  That usually results in higher information security breach rates, whereas something like device encryption doesn't require an action on the user's part: the file is encrypted the moment you save it to the device. 

    As a pessimist, I'll bet that this issue with e-books comes to the forefront sooner than later.

    Related Articles and Sites:
    http://www.upi.com/Top_News/2009/09/29/Student-finds-auditors-stolen-Kindle/UPI-39121254241695/

  • Data Protection Software: Express Scripts Back In The News (Again)

    Several sources are reporting that Express Scripts, the pharmacy benefit managing (PMB) company, has been informed by the FBI that last year's extortionist has struck again.

    If you'll recall, Express Scripts received the personal information of 75 people, all of them in the company's database, via regular mail.  The sender had threatened to release millions of names if ransom demands were not met.  I had mused back then whether a stolen computer that did not make use of hard drive encryption could have been involved.

    What Happened In 2008

    Initially, the extortionist had contacted Express Scripts, asking for ransom and threatening the release of millions of names if demands were not met.  It was a threat that could be only too real, seeing how the company managed prescriptions for (supposedly) 50 million individuals, and no one knew how the data breach had occurred.

    About one week later, when Express Scripts did not show any signs of capitulating, the extortionist went after Express Scripts's clients, again trying to shake them down.

    Express Scripts, in turn, offered a $1 million reward for information leading to the arrest of those involved.

    Only 75 names were involved at this point, which seemed odd to me at the time, because, let's face it, it's a stupid number.  A guy has millions of names, and he sends only seventy-five of them as proof?  That's, like, two letter-sized sheets.  It's like me declaring to be omnipotent and squashing an ant to prove it.

    Seventy-five names...I just can't get over it.  It's like starting an NFL franchise bid because you have 75 dollars when you know it's going to run into the hundreds of millions of dollars for the rights alone...

    What Happened In 2009

    The FBI was contacted in August 2009 by a law firm that was suing Express Scripts for the above data breach.  The law firm had received "a data file"--it's not specified how; on a CD via regular mail?--that contained Express Scripts's member's information.  In turn, the FBI contacted the PBM.

    It's being mentioned that approximately 700,000 members were notified about the breach, although I'm not sure if it was in response to this latest revelation, or something that's been happening over the course of the year.  What is known is that 1,441 residents were contacted in NH alone (the Attorney General of the state makes public all breach notification letters it receives) because of the latest incident.

    1,771 in New Hampshire alone.  If we were to assume that's a representative sample, it'd mean that approximately 330,000 across the US were notified as well, based on ratios of US and NH populations.  On the other hand, the extortionist could have made a point of just sending NH data.

    Either way, the guy(s) have now made it known that they really do mean business.

    They Know The Origin Of The Leak

    Supposedly, Express Scripts was able to identify, a year ago, the source of the leak, based on the original 75 names.  It was even mentioned, I seem to hazily recall, that they weren't ruling out an inside job because of this revelation.

    A year after, we still don't have any closure, so it looks like all those leads fizzed out.

    What Now?

    Express Scripts stays the course.  They certainly cannot backtrack now.  The extortionists have proven that they're after money (duh).  When they were unsuccessful with the company, they went after Express Scripts's clients.  It doesn't take a giant leap of thought to assume that they've been peddling the personal information in underground markets during the past year.

    Besides not capitulating to demands, the company must continue to review and implement data security--encryption software, firewalls, auditing software, restrict access, etc.--like it has been doing for the past year.

    Related Articles and Sites:
    http://stlouis.bizjournals.com/stlouis/stories/2009/09/28/daily46.html
    http://online.wsj.com/article/BT-CO-20090930-712267.html
    http://www.consumeraffairs.com/news04/2009/09/express_scripts_breach.html
    http://doj.nh.gov/consumer/pdf/express_scripts.pdf
    http://www.esisupports.com/

  • Disk Encryption Software: Canada 2009 Hi-Tech Breach Costs Double From Last Year

    According to the ottawabusinessjournal.com, a new study from TELUS and the University of Toronto's Rotman School of Management has found that the average cost of a data breach in Canada has doubled from 2008's figures, to $834,000 (Canadian dollars, I assume).  While it can't prevent all breaches, the use of drive encryption software like AlertBoot would definitely have put a dent on those figures.

    600 Polled, Gov't And Private Companies Most Affected

    According to the poll:

    • Costs related to data breaches increased, from $423,000 to $834,000, a 97.2% increase
    • Average number of breaches per company increased from 3 to 11.3, almost four times as high
    • Government organizations' costs increased over 200%; private companies' costs increased 174.5%; and publicly-traded companies saw a 6% increase (that last one is not a typo).

    As I expected while reading the article, the increases were attributed to higher detection levels, in keeping with new compliance regulations that were passed recently.

    Of course, not all the breaches were, nor could they be, attributed to the new regulations; however, when you take into consideration that regulations were updated only for private companies and government organizations, it explains why publicly-traded companies didn't see a corresponding spike in terms of reported breaches or associated costs.

    Legislation Works

    Per my research, many countries have either passed laws or are debating legislation that requires companies to report data breaches.  There are opponents, of course (there are always opponents to any kind of new legislation.  Speaking of which, did you know the tomato is classified as a vegetable in the US for tariff purposes only?  Botanically, it's still a fruit).

    Arguments against the disclosure of data breaches include the fact that it's expensive--legislation usually requires that people be contacted via mail...the paper kind.  Plus, according to a study, notifications don't decrease the incidence of future breaches (the idea behind breach announcements is to "shame" companies into better protecting sensitive data).

    The counterargument is you can't fix something if you don't know that something's wrong.  I wholly agree.

    Furnishing A Solution - Encryption Software

    Let me give you an example.  Encryption software has been around for a while (think late 1970s).  And, yes, it was hard to implement on computers initially, but things got easier as time progressed.  (Today, one could argue, the harder aspect is managing encryption as opposed to implementing it.)

    And yet, most people are not using it to protect the contents of their laptops.  At the same time, the theft of laptops and other mobile devices has gone up: it has jumped 56% in Canada, according to the news site, which most probably has led to instances of data breaches.  (Actually, one wonders whether thefts went up 56%, or reports of thefts went up 56%...I would imagine it's the latter.)

    Had organizations not been forced to reveal their data breaches...well, my guess is that it would be business as usual for them.  But now that they've got to make these announcements, they're open to criticism as well as suggestions.  If management had not known that encryption like AlertBoot was available as a solution, now they know.

    Related Articles and Sites:
    http://www.ottawabusinessjournal.com/295534920388939.php

  • Laptop Encryption Software: Jubilee House In Blackburn Loses 15 Computers

    Fifteen laptops being used at the Jubilee House in Blackburn were stolen this past June.  This breach could potentially affect up to 3,500 people, including children.  An internal review strongly hints that data-centric protection such as full disk encryption would have been ideal, although the UK's Information Commissioner is conducting an independent investigation, and may find otherwise.

    The Perfect (Data) Storm

    The "perfect storm" is used to describe a situation where rare elements come together to create an unheard of situation (usually bad).  This Jubilee House case is an example of a perfect storm, where everything that could go wrong, did.

    To begin with, disk encryption was not used to secure the contents of the laptops, which contained sensitive data (at least, one assumes so, seeing how there's so much brouhaha over this case).

    My own opinion is that the internal review strongly hints that password protection was used: it found that "anyone with 'good IT technical skills' could have accessed the data."  I take it to mean that the laptops' hard drives could have been slaved to a computer the thieves already use, giving them access to the data that way.  It's one common method of getting around that pesky Windows password prompt.

    The review also found that the building's locks were not adequate; the alarms to these, while active, did not inform the occupants of the intrusion to the Jubilee House (there were people inside?!); and the security company responded slowly to the alarm.

    With so many "tripwires" in place, the thieves still managed to steal those laptops.  I wonder, if encryption had been used, would the passwords to access these laptops have been taped to the bottom of each machine, in keeping with the "spirit" of the situation?  It almost seems likely...

    No Backups In Place

    To make matters worse, it sounds like the staff didn't have any backups in place (or, perhaps, they, too, were stolen), so they had to attempt to guess what data was stolen by going through their e-mail accounts, and recollecting their thoughts on what was downloaded to the laptops.

    And, even then, the staff managed to send 100 notification letters to children, as opposed to their parents.  One wonders what else staff got wrong.

    Encryption products like AlertBoot are not a cure-all for your data security needs.  They won't, for example, provide you with backup data in the event a computer is stolen.

    However, they can go a long way towards ensuring that sensitive information doesn't fall into the wrong hands.

    Related Articles and Sites:
    http://www.thisislancashire.co.uk/news/4651234.Personal_details_of_up_to_3_500_people_were_on_stolen_Blackburn_council_computers/

  • Hard Drive Encryption Software: NHSs in Devon Lose Patient Data 30 Times

    Three health trusts in the UK have had 30 data breaches in the past two years, according to reports.  The losses included laptop thefts and memory sticks with sensitive data.  These were not protected with encryption in all of the cases.  Irresponsible behavior, it seems, seeing how a simple solution like hard drive encryption software from AlertBoot could have easily minimized the chances of a data breach occurring.

    Lost From Secured Premises

    According to the BBC, Devon Primary Care Trust, Derriford Hospital, and Torbay Primary Care Trust have reported that they've had 30 breaches in total.  Derriford lost data five times; Devon had two incidents; Torbay had one...which is weird, because, how does that add up to 30?  None of the other health trusts in Devon reported data losses.  Something's definitely not adding up.

    The lost information seems to be a mish-mash of patient data which may have included NHS numbers, names, medical conditions, and other information, depending on the breach.  In none of the cases is it mentioned that the information was protected, although the use of password-protection was mentioned in certain cases.  (There is very little "protection" present when you use password-protection, though.)

    We've Learned Our Lesson

    According to the BBC, "all the health trusts which lost data said they had learned from the cases."

    Really?  They must be some slow learners.  I mean, having one data breach...fine, ok; you've probably learnt a lesson, and perhaps you've started using encryption software to protect your devices at the workplace.

    But five incidents over two years?  What kind of lesson learned is that?

    Decentralized Offices = Delayed Encryption Deployments

    I have absolutely no idea how these health trusts are set up.  That is, is a trust made up of many individual centers, or is it just one big building?  Because, if trusts are composed of many different locations, it's somewhat understandable why data security is hard to achieve, including the deployment of encryption (and other software, actually).

    Or rather, it used to be in the past.  While I don't think one can claim updating security on hundreds or even thousands of computers will ever be easy, the presence of the internet has allowed some relief, at least in the area of deploying centralized encryption.

    With internet-based encryption, it's possible for an IT administrator to command and control the encryption statuses of computers anywhere an internet connection is available, as well as apply port control as necessary.

    Related Articles and Sites:
    http://www.thisissouthdevon.co.uk/news/Care-trust-reveals-theft-patients-data/article-1368942-detail/article.html
    http://news.bbc.co.uk/2/hi/uk_news/england/devon/8272194.stm

  • Drive Encryption Software: MoJ Lost Data on 1,500 in March 2009

    The Ministry of Justice (MoJ) in the UK has revealed in their annual financial report that they've had two data breaches.  In neither case did they use drive encryption, like AlertBoot, to protect the contents.

    Missing Memory Stick

    In one instance, a USB memory stick was lost, in March 2009.  It contained spreadsheets with the unencrypted information of 1,500 MoJ staff members, including names and national insurance numbers.  (The other case was already covered earlier this year.)

    The memory stick was described as being "non-issue," meaning (and I'm taking a guess here) that it was a staff member's personal property.  Incidents like this one prompted some in the UK government to announce that staff will be given secure memory sticks.  And by secure, I mean USB drives that feature encryption.

    However, that doesn't prevent people from using their own USB sticks, as we can tell from the above case.

    And it makes sense.  I found the other day that a 5 GB drive, the size of my index finger (and I've got some darn small hands), was selling for the discounted price of $15.  At such prices, it's no wonder that everyone and their grandmother is carrying one of these...and what could be more natural than reaching for the USB stick in your pocket, as opposed to looking for the one that's secure and authorized at the workplace?

    Disabling USB Ports - For Certain Devices Only

    Thankfully, we have the means not only to stop this from happening, but to modify user behavior.  (If a device doesn't work on a computer, the natural behavior is to reach for the one that works, right?)

    This behavior-modifying technology exists in the form of USB port control software.  It allows an administrator to create a list of approved devices (in the case of AlertBoot, using a whitelist; a blacklist can also be used to prevent specific devices from working).

    If the USB drive in question is not on the approved list, it cannot connect to the computer even if it's plugged in.  It's a better way of blocking USB ports than using a combination of superglue and pennies, for example.
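    To make the whitelist/blacklist distinction concrete, here is an added example (not AlertBoot's code, nor any product's actual enforcement mechanism) that evaluates a port-control policy against USB plug-in events.  Devices are identified by vendor ID, product ID and serial string; a rule may match a whole vendor, one model, or a single unit by serial.  In whitelist mode, anything that matches no rule is denied (so an employee's personal stick of the same model as the issued one still fails, because the serial differs, and a device that reports no serial can never satisfy a serial-bound rule); in blacklist mode, only listed devices are denied.  The event log lines, vendor/product IDs and serials are constructed sample values.

```python
"""Allowlist / denylist evaluation for removable USB storage.

Illustrative example, not the implementation of any product; the plug-event
format, device IDs and serials below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int            # USB VID as reported by the device
    product_id: int           # USB PID
    serial: Optional[str]     # None when the device reports no serial string


# Constructed plug-event format: "... VID=xxxx PID=xxxx [SERIAL=...]"
EVENT_RE = re.compile(r"VID=([0-9a-fA-F]{4})\s+PID=([0-9a-fA-F]{4})(?:\s+SERIAL=(\S+))?")


def parse_event(line: str) -> UsbDevice:
    """Extract the device identity from one plug-event line."""
    m = EVENT_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised plug event: {line!r}")
    return UsbDevice(int(m.group(1), 16), int(m.group(2), 16), m.group(3))


@dataclass(frozen=True)
class Rule:
    vendor_id: int
    product_id: Optional[int] = None   # None: any product from this vendor
    serial: Optional[str] = None       # None: any unit of this model

    def matches(self, dev: UsbDevice) -> bool:
        if dev.vendor_id != self.vendor_id:
            return False
        if self.product_id is not None and dev.product_id != self.product_id:
            return False
        if self.serial is not None:
            # Fail closed: a device without a serial cannot satisfy a serial-bound rule.
            return dev.serial is not None and dev.serial == self.serial
        return True


class PortPolicy:
    """'whitelist' allows only matching devices; 'blacklist' denies only matching ones."""

    def __init__(self, mode: str, rules: List[Rule]):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown policy mode: {mode}")
        self.mode = mode
        self.rules = list(rules)

    def decide(self, dev: UsbDevice) -> Tuple[bool, str]:
        hit = next((r for r in self.rules if r.matches(dev)), None)
        allowed = (hit is not None) if self.mode == "whitelist" else (hit is None)
        reason = f"matched {hit}" if hit is not None else "no rule matched"
        return allowed, reason


def evaluate_events(policy: PortPolicy, lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (vid:pid, allowed) per event and print an audit line for each."""
    decisions = []
    for line in lines:
        dev = parse_event(line)
        allowed, reason = policy.decide(dev)
        label = f"{dev.vendor_id:04x}:{dev.product_id:04x}"
        print(f"[{policy.mode}] {label} serial={dev.serial} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
        decisions.append((label, allowed))
    return decisions


# Constructed sample events: the issued corporate stick, a personal stick of the
# same model, a no-serial device from another vendor, and an unrelated drive.
PLUG_EVENTS = [
    "2009-09-23 09:12:01 usb-storage attach VID=0951 PID=1666 SERIAL=CORP-0001",
    "2009-09-23 09:15:44 usb-storage attach VID=0951 PID=1666 SERIAL=PERSONAL-77",
    "2009-09-23 10:02:13 usb-storage attach VID=090c PID=1000",
    "2009-09-23 10:30:00 usb-storage attach VID=0781 PID=5567 SERIAL=4C530001",
]

# Whitelist bound to one specific issued unit; blacklist blocking one vendor outright.
CORPORATE_WHITELIST = PortPolicy("whitelist", [Rule(0x0951, 0x1666, "CORP-0001")])
VENDOR_BLACKLIST = PortPolicy("blacklist", [Rule(0x090c)])

if __name__ == "__main__":
    evaluate_events(CORPORATE_WHITELIST, PLUG_EVENTS)
    evaluate_events(VENDOR_BLACKLIST, PLUG_EVENTS)
```

    Binding the whitelist rule to a serial rather than a model is what stops the "same stick, bought at the shop" problem the post describes; the blacklist run shows why a denylist alone is weaker, since every device nobody thought to list is allowed by default.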

    Related Articles and Sites:
    http://www.cio.de/news/cio_worldnews/899249/
    http://www.networkworld.com/news/2009/092309-ministry-of-justice-loses-2000.html
    http://news.zdnet.co.uk/security/0,1000000189,39763712,00.htm