AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Data Encryption Software: AMEX Site Fails Encryption, Fixes After Public Outing

You might have heard by now that American Express dropped the ball when it came to on-line encryption.  While it's not the same encryption that AlertBoot uses in its drive encryption--we use something far stronger--the case does highlight an important aspect of data encryption: following up and auditing.

AMEX's Mistake - Solved Less than 4 Hours After Going Public

It should be noted that the problem is already fixed, and it only affected people who received a particular e-mail (or had access to a particular html link, I take it).

The problem was first brought to light by Joe Damato at timetobleed.com.  He had received a signup e-mail from the American Express Network, via their "Daily Wish" program.  Damato visited the site, via a link provided in the e-mail, and found that the sign up form required a lot of personal information.

He did some sleuthing, and initially found that secure HTTP (HTTPS) was not being used, at least not at first glance.  So, he decided to do a little more sleuthing to see if the data would be sent via HTTPS.  It turns out it wasn't. (HTTPS is an encrypted internet session, if you didn't know.)

Damato went public with the results by posting it on his blog (no mention on whether he gave Amex a heads up).

Following Up and Auditing

The fix was up and running in less than four hours, which is great.  What's not so great is that American Express had the problem to begin with.  I mean, we're talking about a credit card company that has plenty of reasons and experience not to make such a mistake.

While I'd like to be as incredulous as Damato regarding the situation, I've seen such instances before, more than often enough.  The best way to combat this?  Following up and routine audits, which are supposed to be part of your data security framework anyway.

In the above case, someone should have gone through the actual site and made sure that everything worked as intended.  I'm willing to bet that someone did, but wasn't as concentrated on security as on making sure "things worked."
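One way to automate the kind of follow-up check described above, as an added example (not code from Damato's post or from AlertBoot): it parses a page's forms and reports any whose data would be submitted over plain HTTP. The sample HTML, the example.com URLs and the list of sensitive field-name hints are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings that mark a field as personal data (assumed list for this sketch).
SENSITIVE_HINTS = ("name", "email", "card", "phone", "address", "password", "ssn")

# Constructed sample page, not the real sign-up form.
SAMPLE_HTML = """
<form action="/signup" method="post">
  <input name="full_name"><input name="email"><input name="card_number">
</form>
<form action="https://secure.example.com/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
"""

class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return one finding per form whose submission target is not HTTPS."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme == "https":
            continue
        sensitive = sorted({n for n, t in form["fields"]
                            if t == "password" or any(h in n for h in SENSITIVE_HINTS)})
        findings.append({"target": target, "sensitive_fields": sensitive})
    return findings

if __name__ == "__main__":
    print(audit_forms("http://www.example.com/offer.html", SAMPLE_HTML))
```

The check only looks at where each form submits; it does not flag a form that is served over HTTP but posts to an HTTPS target.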

When it comes to AlertBoot, following up and audits are especially important.  Because AlertBoot is a centrally managed encryption service, and doesn't require IT personnel to go around securing individual machines, it was necessary to find a method for ensuring that a corporate computer was securely encrypted.  Thus, an audit report was built in from the ground up when AlertBoot was designed.

An added benefit to this is that the same encryption audit report can be generated at any given time to provide a real-time picture of the encryption landscape.  So, in the event that a machine is lost or stolen, one can prove that the data is secure.


Related Articles and Sites:
http://timetobleed.com/warning-american-express-fails-miserably-at-basic-security/#
http://digg.com/security/American_Express_Might_Not_Be_Encrypting_Your_Transaction

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.