in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

October 2009 - Posts

  • File Security: Junior Staffer Leaks US House Ethics Doc Via P2P

    The US Ethics Committee has announced that a recent document leak was caused by junior staffer who installed file-sharing software on his personal computer.  This statement actually raises questions.  It is also testament to how data security requires a holistic approach that includes data loss prevention and data encryption software, among other information leak prevention practices.

    Numerous Files Leaked

    Prior to the announcement by the House Committee on Standards of Official Conduct (aka, the Ethics Committee), it was assumed that the leak was via hacker activity.  However, what really happened was that a junior staffer, since fired, took sensitive documents home and used his personal computer to work on them.  His personal computer had file-sharing software.

    Other documents, besides the Ethics Committee's document, were also leaked via the same manner.

    Questions Raised

    I'm not sure how this could have happened.  I understand the technical aspects of how, but there are too many questions to resolve:

    • Why's a junior staffer carrying around such documents?  According to the washingtonpost.com, the Ethics committee is one of the most secretive panels in Congress.  And a junior staffer is allowed to take documents related to investigations home?

    • Assuming a junior staffer is allowed to take said documents, where are the data protection tools?  Even if a junior staffer is allowed to home such documents (heck, he's already working on it at the office, so he knows the contents), I'm pretty sure losing such documents wouldn't be allowed.

      I take it the documents that were leaked were digital files.  Where's the encryption to protect these files from unauthorized access?

    • If the file wasn't encrypted, was he at least using an encrypted storage device?  I mean, if a sensitive file is not encrypted because it's in a secure environment--both in terms of destination and origin--at least that file must be protected while in transit from point A to point B.  Did the staffer use a USB disk or something similar?  Was it encrypted?  Did he save it directly to his personal laptop while at work?

    I could go on and on...

    People's Behavior Part Of Data Loss Prevention Policies

    The major problem and security loophole in this case is the staffer's behavior.  Granted, if the documents he had transferred to his personal laptop were protected with file encryption, the ramifications of a P2P-based data breach would have been negated.

    (Encrypted files are protected at the file level, and would require the right authorization code to gain access.  Note that this is not the same as having password-protection, which is virtually useless.)

    However, seeing how the staffer was not exercising proper data security practices, chances are he had malware installed on his computer already.  One of these could have been a keystroke logger.

    With one of these installed, the use of encryption is often nullified because a third party is able to obtain the passwords for accessing data.

    The best policy may have been not have these document taken out from the Ethics Committee's perimeter (which I'm assuming had the right data protection tools in place).

    Related Articles and Sites:
    http://www.computerworld.com/s/article/9140154/Leaked_House_Ethics_document_spreads_on_the_Net_via_P2P?source=rss_security
    http://www.washingtonpost.com/wp-dyn/content/story/2009/10/29/ST2009102904609.html?sid=ST2009102904609

     
  • Drive Encryption: Missing Tape Affects UK Farmers Tied To RPA

    If you're a farmer in the UK, and have ever taken a payment from the Rural Payments Agency (RPA), consider yourself a victim of a data breach.  The RPA has lost computer tapes with information on farmers who have ever received a EU subsidy payment.  The tapes were not protected with encryption, as required.

    39 Backup Tapes Go Missing, RPA Was Keeping Mum

    The story was brought forth by whistleblowers from within the RPA as well as a consultant that has been advising the agency.  They did this because the situation has been festering since September, when the breach was discovered, and believed that the RPA and DEFRA (Department of Environment Food and Rural Affairs) would keep silent on the issue unless their hand was forced, per computerweekly.com.

    According to sources, 39 tapes and one CD went missing (37 of the tapes were recovered) some time in May.  Currently two tapes are still missing.  The tapes included information on farmers' "bank details, addresses, passwords, and security questions."

    IBM Blamed

    The tapes were not lost while being transported, but misplaced at a data center run by IBM.  Supposedly, Accenture--an IT consultant--worked with the tapes and these were filed in the wrong section when IBM got them back.  A DEFRA spokesperson labeled it as "bad book-keeping" on IBM's part.

    Of course, that doesn't explain what happened to the missing two tapes (nor does it make the situation excusable).  It is currently assumed that they were destroyed, but, let's face it: the possibility of these tapes having been stolen is as valid as assuming they were tossed.

    Not Making The Breach Public Was DEFRA's Fault

    From the story at computerweekly.com, it's quite clear that DEFRA ought to be blamed, too.  After all, the scandal doesn't only lie with the loss of the tapes, which by all accounts should be attributed to IBM.  What's scandalous is the fact that a government agency:

    • Did not use encryption software to protect the information, when it was required to.

    • Covered up a data breach.  As far as I know, there aren't any data breach notification laws in the UK.  However, it is mandatory for government agencies to share the loss of personal information with the Information Commissioner's Office.  The fact that this is coming as news across the UK's political echelons indicates it wasn't.

    DEFRA Insists That Risk To Farmers Is Low

    Because the information on the tapes cannot "be accessed without specialized technical equipment and knowledge," DEFRA insists that the risk of accessing the information is low.

    Such an argument is not untrue.  After all, most people do not have access to a tape drive.  Assuming that the two missing tapes were stolen, the thieves won't be able to access the information easily (unlike stolen CDs or USB sticks).

    On the other hand, if someone steals data tapes, it's generally because they have a method of extracting the data.  Otherwise, why steal them in the first place?

    Instead of relying a passive form of security (hoping that the thieves won't be able to access the data), DEFRA ought to have used file encryption and actively suppressed any potential attempts to access the data.


    Related Articles and Sites:
    http://www.computerweekly.com/Articles/2009/10/29/238341/farmers-bank-account-details-lost-by-rural-payments.htm
    http://news.bbc.co.uk/2/hi/uk_news/8331759.stm
    http://www.dailymail.co.uk/news/article-1223990/Personal-details-100-000-farmers-lost-Government-officials.html
    http://www.telegraph.co.uk/earth/earthnews/6462293/Confidential-details-of-every-farmer-in-England-go-missing.html

     
  • Data Security Update: Lost CalOptima CDs Found

    We got the following notice in our e-mail from Laer Pearce & Associates:

    Regarding the item you ran recently regarding a data breach at CalOptima, this matter has been resolved successfully.

    From the healthcare blog at today's Orange County Register: Lost personal information of Medical members is found

    October 29th, 2009, 6:00 am by Courtney Perkes

    CalOptima, the county's Medi-Cal provider, has found lost electronic claims records that contain identifying information belonging to as many as 68,000 members.

    Discs of data were lost two weeks ago after being sent certified mail by CalOptima's scanning vendor.

    When only the packaging arrived, but not the box with the discs, CalOptima notified the state.

    On Wednesday, the U.S. Postal Service located the discs in Atlanta, said Margaret Tatar, director of public affairs.

    The discs were not password protected, but it appears no one accessed the confidential information, Tatar said.

    CalOptima had planned to send letters notifying members of the lost information and offering them credit monitoring services.

    Anyone with questions should call 800-509-4225 or visit http://www.caloptima.org/

    The medical record data for adults and children included names, addresses, birthdays and some Social Security numbers.

    Emphases are mine.

    Well, that's surprising. My understanding is that one usually doesn't recover contents lost in the mail.  On the other hand, I've never seen actual numbers backing up such claims, which is probably apocryphal anyway.  Regardless, kudos to the US Postal Service.

    I'm not too crazy about one aspect, though:  The disks were not password-protected.  I dislike that word, password-protection.  It's better than nothing, but as countless data security guys will tell you, password-protection is worth next to nothing.  Mentioning password-protection in notices such as this one spreads around the opposite notion: "Ah! If only the CDs had password-protection!  The data would have been safe!"

    What they really should be mentioning is the lack of use of encryption.  I'm surprised; CalOptima's spokesperson had already said that they plan to "find out why the third-party claims-scanning vendor did not encrypt the data," meaning they already knew what the correct data protection tool was.

    Overall, though, all's well that ends well.  CalOptima lucked out big time, though.  They really ought to follow up with their vendor, and make sure it doesn't happen again.

     
  • Disk Encryption Software: Ashford and St Peter's Loses USB Drives, Pledges Better Handling

    Three missing USB memory drives have prompted the Ashford and St Peter’s Hospitals NHS Trust to sign an undertaking with the Information Commissioner's Office.  The missing devices, which did not use full disk encryption, held cancer patient data.

    The Details

    The data included full treatment and diagnosis of cancer patients, and was stored in Microsoft Word format.  This last detail is sufficient to deem that the information "could have been easily accessed by anyone with use of a computer." (I've often wondered about this.  More on that later.)

    The USB sticks were used to transfer patient data at "weekly multi-disciplinary clinical team meetings." (More on this later a well).

    Information Saved In Word Format

    When sensitive data goes missing, spokesmen for the affected organizations often proclaim that the risk of accessing the data is low because they're stored in an uncommon (not easy to access) format.  I've often wondered what this means.

    I've often presupposed that it meant the missing files were stored in a relatively "obscure" format like Microsoft Access (a database program, if you're familiar with it).

    Only in a couple of cases was the missing data in proprietary format (meaning, the software was custom created for a company and cannot be found off-the-shelf).  Just because data happens to be saved in a proprietary format doesn't mean that it cannot be read, however.

    I remember how I tested out Google Desktop back in the day.  It's software that, among other things, can index your computer's files for easier and faster search.

    My recollection may be wrong, but I seem to recall that Google Desktop was able to find content within files that I forgotten about.  Files to which the corresponding applications I had deleted in order to free up some space.  With such search software (and there are many others similar to Google Desktop, but geared towards mining information, such as SSNs), the format of a file doesn't matter.

    About the only thing that can stop such software from finding sensitive information is encryption software, in the above case, file encryption.

    Using USB Sticks

    Some of the more frequent comments I read when sensitive information goes missing is "sensitive information should always be on a secure server, and accessed via some dumb terminal," or something thereabouts.

    My own stance has been, yes--but there's always exceptions, and this probably one of them.  Medical establishments are generally a mishmash of different technologies.  The truth is, whatever technology one has in place probably cannot cater to the demands of a multi-disciplinary team.

    Which is why methods that don't follow the workflow in place are invented and used--the transfer of data via USB sticks being one of them.  Instead of blowing money on a custom-built solution that promises more than it can deliver, maybe a more pragmatic approach can have more impact.  For example, using USB drives that are protected with whole disk encryption.  The devices are already being used, and it's just a little step to secure them.


    Related Articles and Sites:
    http://www.databreaches.net/?p=8001
    http://www.ico.gov.uk/upload/documents/library/data_protection/notices/ashford_hospital_undertaking.pdf

     
  • North Carolina Data Privacy, Data Breach, And Encryption Law

    North Carolina does not have a data encryption law per se; instead, it has a personal data breach notification law that gives safe harbor to people who use encryption to protect personal data.

    Warning: I'm not a lawyer--the following is strictly what I've taken from the various state laws found on-line.

    North Carolina Senate Bill 1048 - Identity Theft Protection Act

    The Identity Theft Protection Act gives places a lot of emphasis on the protection of Social Security numbers, meriting its own section, "§ 75-62: Social security number protection."  Under this section, a company is forbidden from making SSNs public; printing them on anything (exceptions do apply); transmitting them without first using encryption on them; or (obviously) selling them, plus a host of other restrictions.

    Also, under "§ 75-65: Protection from security breaches," a business is instructed to notify anyone of a data breach--regardless of its format (computerized, paper, or otherwise).

    North Carolina Data Breach Notification Letter: What To Include

    Unlike most states, N.C. does point out what to include in a data breach letter.  Under § 75-65(d):

    • A description of the data breach incident in general terms
    • The type of personal information that was breached
    • What the affected business is doing to prevent similar future incidents
    • A telephone number so that clients can call for more information, if one's available
    • Advice for people to review their account statements and monitor their credit

    North Carolina Data Breach Notification Letter: How To Contact Them

    There are several options, depending on availability.

    • Written notice
    • Electronic notice (valid e-mail addresses and permission to be contacted must be in place)
    • Via telephone, assuming phone numbers are available (and the affected person is talked to directly.  Can't leave a message with a roommate or family member, I take it to mean)
    • Substitute notice.  Only if the cost of notifying people exceeds $250,000 or there's more than 500,000 people to contact, or the business just doesn't have the contact information for all involved (notification to statewide media, e.g.)

    There is one additional condition.  If more than 1,000 North Carolina residents were affected, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies (Equivax et al.) must be notified as well.

    Penalties Under North Carolina Senate Bill 1048 - Identity Theft Protection Act

    Under "§ 1 539.2C. Damages for identity," it is stated that:

    Any person whose property or person is injured may sue for civil damages of up to $5,000 but not less than $500 for each incident OR three times the actual damages, whichever is greater. [my emphasis]

    Of course, there's more (much more) on what you have to do when you've had a breach, so make sure you consult with your legal reps.  And maybe looking into getting any identity information protected with encryption software, such as AlertBoot.


    Related Articles and Sites:
    http://www.ncga.state.nc.us/Sessions/2005/Bills/Senate/HTML/S1048v6.html

     
  • Drive Encryption Software: UK Companies Report 356 Data Breaches In Less Than One Year

    A Freedom of Information request has revealed that UK CIOs have reported 356 instances of data breaches since November 2008.  Of these, 222 instances (60%) would have been fully preventable via the use of drive encryption like AlertBoot.

    The 222 instances I mentioned include the loss or theft of hardware (memory sticks, laptops, etc.) and any instances where packages were lost in transit (such as by couriers).  The story has had enough of an impact that several sites are covering the story.

    Self Reported And Increasing Instances

    The breaches are self-reported, so it stands to reason that the figures are underreported, either because companies don't want the publicity--and think they can get away with it--or because they're not aware of a breach, or the legal requirements to report it.

    The FOI request also showed that there were 546 total incidences beginning from October 2007.  Simply put, the total incidents have increased on an annual basis.

    Tim Holyoake, lead technologist at Software AG, the company that requested the information, noted, "The chronic problem of data loss should be in decline, and not increasing, as these figures seem to indicate."

    Personally, I beg to differ.

    These Are Increases In Reporting

    As noted before, these numbers are self-reported, so there could be other factors for their increasing numbers.  For example, actual breaches (regardless of whether they are reported) could be approximately the same, year after year, but,

    • More people have decided to become honest recently (not likely)
    • More people have become aware of the legal responsibility of reporting breaches (much more likely)

    Of course, asserting that actual breaches have increased is as valid as the above (maybe even more so).  But, when you consider that it was only two years ago that laptops outsold desktops, it could just be that breach incidents are increasing because laptops and memory sticks are selling like hotcakes.

    In other words, if one million laptops were sold and there were 100 breaches one year, and the next year two million laptops were sold and there were 300 breaches...well, the rates are the same, at 0.01%, even if the actual numbers are not (remember, in this example, there's about three million laptops out there in total).  I'm not saying that it's justifiable, but one could argue it's not an increase per se.

    There's also the problem that we're only measuring breaches in the above case.  Meaning instances where stolen laptops that used encryption to protect its contents are not factored in.  With more devices being sold each year, we've biased the report to show increases in breaches: the actual rates, when including protected devices, could reveal opposite trends--that is, the loss of laptops have increased, but because a majority of them used encryption, the number of potential breaches are not as bad as it could actually be.  (Yeah, it's probably wishful thinking.)

    I won't argue, though, that I'd like to see more companies using data protection tools like encryption software in anticipation of any breaches, instead of deploying it after they've had a breach.

    Related Articles and Sites:
    http://www.theregister.co.uk/2009/10/27/data_losses_growing/
    http://www.infosecurity-magazine.com/view/4800/uk-cios-reported-356-data-loss-incidents-last-year/
    http://www.computerweekly.com/blogs/read-all-about-it/FOI-Request-Software-AG-26-Oct.pdf
    http://www.computerweekly.com/Articles/2009/10/26/238297/stolen-laptops-biggest-danger-as-extent-of-uk-data-losses.htm

     
More Posts Next page »