AlertBoot Endpoint Security

AlertBoot offers a cloud-based data and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
June 2010 - Posts

  • Data Security Issues Force Pizza Delivery Guys To Ask For ID?

    Sometimes, information security is not about the latest technology in disk encryption software like AlertBoot or antivirus software.  It's about being aware:

    So I'm seeing a number of sites covering a story about how a Domino's Pizza delivery guy asked a customer for his SSN or driver's license number before handing over the pie (the delivery guy had to write it on the copy of the receipt).  The customer declined.

    The original story is found at consumerist.com, where it elicited quite a reaction.

    Domino's Has Card Fraud Issues

    The customer called up the store to make sure this wasn't some kind of scam on the delivery guy's part.  It wasn't.  Store management told him that asking for such information was now "company policy" because there was an increase in fraudulent pizza charges.

    A Domino's rep by the name of Phil dropped by the consumerist site to declare that this deviates from company policy, and that they're looking into the matter.  Perhaps what the manager meant was that it was "store policy," which decidedly sounds less authoritative than "company policy."

    As many point out in the comment section, most private enterprises have no legal reason to be collecting such information, not unless they are extending credit to you.  And, when you consider that a pizza place doesn't extend credit in any way or form (ever try setting up a running tab at Domino's?  No such thing), it's obvious why Domino's the corporation wouldn't have such a policy.

    But, corporate has a legal team, whereas franchises and regional managers might not be inclined to consult with lawyers.  If they had, the lawyers may have directed them to sites such as this one where it's quite clear that asking for identification (asking; not even jotting down the information, but asking for it) violates the merchant/retailer terms with the credit card company.

    There are caveats, of course, such as those instances where the card is not signed.  But generally, asking for identification is a no-no.  Whether anything is done about such instances, I don't know.  I have heard of people who've filed complaints and nothing has happened.  I don't think I've heard of instances where something did happen.

    Domino's is not the only company that's been involved in such problems.  Same thing happened at a Pizza Hut and countless other places.

    Why Do Merchants Collect Information?

    This anecdote does a great job of highlighting the reasons:

    My friend used to own a franchise of a national chain and a few people would repeatedly come in and buy a sandwich using their own credit card. These people would spend around $500 over the course of two to three months and then later call their credit card company and claim that they didn't make any purchases, the credit card was stolen, and it was fraud. One guy even had the nerve to walk back into the store to get more food AFTER he reported this. [commenter cheapist @ consumerist.com]

    And while in theory the credit card company "eats it" if it turns out to be fraud, that's not the practice, as I've heard it.  If a dispute comes in and the merchant can't prove that services were rendered to the actual cardholder, the merchant rarely gets paid.  That's why so many will make a copy of some kind of identifier.

    Practicing Data Security

    Whether the original person who had a less than stellar experience at Domino's is better off is hard to say.  On the one hand, he did eliminate what could eventually turn out to be a data breach.  Not that I'm accusing anyone of anything, but it wouldn't be the first time that paper records get dumped in the street, a renegade employee steals files, or a burglar breaks in and steals paperwork.

    On the other hand, the guy is out a pizza and twenty minutes of his life.  And for what?  The minuscule potential of ID theft.

    Your mileage may vary, but it is my opinion that the guy is better off.  A pizza is gone in ten minutes; the effects of identity theft last much longer, if not a lifetime.  Which is why solutions like laptop encryption have been developed to protect client information (and potentially save companies from some serious fines).


    Related Articles and Sites:
    http://consumerist.com/2010/06/dominos-delivery-guy-demanded-my-social-security-number.html

     
  • Encryption for Backup Tapes: St. Francis Federal Credit Union Has Potential Data Breach

    Saint Francis Federal Credit Union announced that nearly 8,400 clients could possibly be involved in a data breach when a backup tape went missing.  It hasn't been revealed whether any type of data encryption solution was used to protect the information.

    Dearth of Information

    In fact, not much has been made public about the breach, except for the number of people affected.  Customer information was present in the backup tape, but what type of information hasn't been revealed.  No doubt, more information will filter through once the affected receive their breach notification letters.

    (Or possibly not.  I've read plenty of breach notifications where the lawyers artfully write without giving out any particular details at all.)

    The bank added that the tape might have been "destroyed during a 'trash removal process.'"  I guess the implication is that the backup tape was earmarked to be thrown away?  Or perhaps it was thrown away by accident, and the trash was compacted and burned?

    Regardless, it means that the bank, as of yet, has no idea what happened to that tape.

    Backup Tape Encryption - An Easy Way to Prevent Breaches

    When it comes to data security, one of the problems companies face is finding a robust way of keeping track of information.  After all, if you can't keep track of sensitive information--where it is, who has it, etc.--there's no way to protect it.

    Actually, that last part is not entirely accurate, is it?  If the information on the backup tape had been encrypted, the information remains protected (there's a caveat to this, which is: only as long as the password that unlocks the encryption key is not compromised).

    While a responsible firm would still try to find a way to keep track of the tape, in the event that something goes wrong, the presence of encryption would effectively nullify any threats posed by the loss of the tape.

    This breach could potentially end up being a costly one for St. Francis.  As people become more aware of the personal ramifications of company data breaches, they've become even more lawsuit-happy than usual.

    And while the courts have ruled time and time again that the "mere threat" of being harmed is not grounds for a lawsuit--you have to be able to prove there was real harm, financial or otherwise--it doesn't stop people from filing them all the time.

    Of course, some of these same people will not stop even if encryption software like AlertBoot is used.  On the other hand, the use of such software means exemption from sending breach notification letters in many states, and it gives clients the protection they need.

    It's win-win, really.


    Related Articles and Sites:
    http://www.tulsaworld.com/business/article.aspx?subjectid=51&articleid=20100618_51_0_SitFac67697

     
  • Data Encryption And Securing Personal Information: Hacker Blackmails Women Into Making Porn

    It's not every day you come across a story so bizarre that you just have to mention it.  According to stories making the rounds, a hacker blackmailed women into making porn for him after he got his hands on their personal information.  I've often mentioned "black swan situations" and the "you never know what's going to happen" factor as a reason for using data encryption programs like AlertBoot to safeguard information.  This story is truly out there, though.

    Hacker Used P2P to Spread Keystroke Loggers and Other Malware

    The hacker in question--already arrested by the FBI, by the way--used P2P networks to spread his wares that were used to compromise people.  He disguised his malware as popular songs, and went to work once a victim's computer was infected.

    Taking over the computers remotely, the hacker looked for "intimate images" and used them to blackmail the same women into creating porn for him.  Otherwise, he would release the images.  It hasn't been revealed, as far as I can tell, whether he succeeded, although he did manage to get some women to create such videos by posing as their boyfriend (he found usernames and passwords for e-mail, instant messengers, etc.).

    Data Security and "Black Swans"

    The black swan I'm referring to is the one popularized by Taleb, where a remote event, unimagined by anyone, materializes to render previous arguments moot.

    (The term goes back to when black swans were found in Australia.  Before that, it was believed that all swans were white because...well, they could only find white ones.  But, just because you can only find white ones doesn't necessarily mean black ones don't exist.)

    Some data security products, such as antivirus software, will always have their work cut out for them: AV can only protect against malware that has already been found in the wilderness that is the internet.  AV can't protect you against "black swan" viruses, i.e., the ones that are out in the wild but haven't been identified yet.

    Other data security products, like full disk encryption software (FDE), are meant as a defense against such black swan events.  For example, think of all the ways that you wouldn't expect your computer to be stolen, because you assume your computer will be safe.  And then, pow!, black swan event: That nun?  She's a he, he's a con, and the nun's on the run...with your laptop under his habit.

    FDE will protect the contents of the laptop in such an event, since its protection is in force whenever the computer is powered off.  However, FDE cannot protect against all scenarios.  If a laptop computer is stolen while it's on, FDE is useless as a protective tool because the disk is already unlocked; protection only resumes if the thief shuts down the computer (meaning FDE will kick in at that point).  Also, it can't protect you against viruses.  Which is why you need to have data security in layers.

    In the above case with our bizarro hacker, there were potentially two solutions: the first, making sure you don't create intimate videos and save them on your computer.  The best way not to have a breach is to not have the data in the first place.

    Second, use file encryption.  Unlike FDE, file encryption is specific to the file, and requires you to decrypt the file each time you want to access it and re-encrypt it afterwards (which is why FDE is so much more popular).

    Neither solution, however, would ultimately have been successful, if given time, since the hacker would have been able to gain passwords that would have allowed him to override any type of protection.

    Actually, now that I think about it, there is one absolute solution in this case: don't engage in activities that increase the threat of becoming a victim.


    Related Articles and Sites:
    http://www.theregister.co.uk/2010/06/22/malware_extortion_charges/
    http://www.ocregister.com/news/mijangos-254531-victims-affidavit.html

     
  • Full Disk Encryption: Oregon National Guard Loses Laptop

    The Oregon National Guard is sending out an alert: guard members should be on the lookout for ID theft attempts.  A laptop computer with members' personal information was stolen, and although the device was password-protected, it did not make use of more advanced forms of data security like laptop encryption software from AlertBoot.

    How Many Breaches Could be Prevented By Banning Cars?

    It's a stupid question, but it's prompted by the many breaches I've read about where a laptop or other data device was temporarily stored in a car.  Like in this particular case.

    A National Guard member, who was using the laptop to work from home, had left the laptop in his car.  It got stolen on Monday, triggering an investigation and breach notifications.  So far, there is no information on how many members were affected or what type of personal information was lost in the process. (SSNs?  Addresses?  Military ID numbers?)

    Now, the presence of password protection provides some comfort; however, I've already noted before that bypassing the so-called password protection is anything but hard (and you've got a number of different, yet equally easy, approaches, too).

    Military Encryption for Laptops

    I'm surprised that encryption software was not present in the laptop that was stolen.  After a number of embarrassing breaches, the US military effectively created a policy where any portable devices (and sometimes the less-portable ones, such as desktop computers) that carried sensitive data required the use of encryption.

    It could be that such protection was not deemed as necessary in this case because the information, while "sensitive," was not as sensitive as, say, classified information.  Or, it could be an oversight: the device was meant to be encrypted, but because the software the National Guard was using didn't have the correct encryption tracking reports, the device fell through the cracks.

    No doubt we'll hear more about this incident.

    People are More Aware About Data Security

    I've read some of the public commentary that accompanies the stories, and I've seen that most people are wondering if encryption was in place, noting how password protection is not enough, asking why the laptop was left in the car, etc.

    This is a far cry from a couple of years ago, when people were going ballistic over the fact that there was sensitive information stored on a laptop.  This certainly is a welcome development, since it means that people are more aware of the realities of protecting information.

    (For example, I'd choose to have my information on an encrypted laptop rather than an unencrypted server locked in a secured closet any day.  Servers are where they are because someone lifted them and put them there.  This means someone can also steal them and their data.)

    One can only hope that, as people in general become more aware, the need for protecting data the right way will trickle up to the actual decision-makers, and the correct investments will be made.


    Related Articles and Sites:
    http://www.katu.com/news/local/96935514.html
    http://www.statesmanjournal.com/article/20100622/UPDATE/100622042/-1/update
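    The "fell through the cracks" scenario above is exactly what an encryption status report is supposed to catch: a device that carries sensitive data but has no confirmed encryption status.  The following audit script is an added example, not AlertBoot code and not any real product's report format; the CSV layout, field names (`sensitive_data`, `encrypted`, `last_report`), the sample inventory and the 30-day staleness threshold are all constructed for the illustration.  It separates three findings a reviewer would want to see: devices reporting encryption off, devices that never reported a status at all, and devices whose last report is too old to trust.

```python
"""Added example: an encryption-coverage audit over a constructed device inventory.

Not AlertBoot code or any real product's report format; the CSV layout,
field names and sample rows are assumptions made for this illustration.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample inventory (not real data). One row per managed device.
# encrypted: "yes" / "no" / blank (blank = the agent never reported a status)
SAMPLE_INVENTORY = """\
device_id,owner,type,sensitive_data,encrypted,last_report
LT-0001,member-a,laptop,yes,yes,2010-06-20
LT-0002,member-b,laptop,yes,no,2010-06-21
LT-0003,member-c,laptop,yes,,2010-04-02
DT-0100,clerk-d,desktop,no,no,2010-06-19
LT-0004,member-e,laptop,yes,yes,2010-03-01
"""

# Assumed reporting cut-off: a status older than this cannot be trusted.
STALE_AFTER_DAYS = 30
# Fixed "today" so the example is reproducible (constructed, matches the sample).
AUDIT_DATE = date(2010, 6, 22)


def parse_inventory(text):
    """Parse the CSV inventory into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device_id": row["device_id"],
            "owner": row["owner"],
            "type": row["type"],
            "sensitive": row["sensitive_data"].strip().lower() == "yes",
            # None means "unknown": the device never reported a status.
            "encrypted": {"yes": True, "no": False}.get(row["encrypted"].strip().lower()),
            "last_report": datetime.strptime(row["last_report"], "%Y-%m-%d").date(),
        })
    return rows


def audit(rows, today, stale_after_days=STALE_AFTER_DAYS):
    """Return device ids grouped into three findings.

    unencrypted: carries sensitive data and reports encryption off
    unknown:     carries sensitive data but never reported a status
                 (the device that "fell through the cracks")
    stale:       any device whose last report is older than the threshold,
                 so even a recorded "encrypted" status cannot be trusted
    """
    findings = {"unencrypted": [], "unknown": [], "stale": []}
    for r in rows:
        if r["sensitive"] and r["encrypted"] is False:
            findings["unencrypted"].append(r["device_id"])
        if r["sensitive"] and r["encrypted"] is None:
            findings["unknown"].append(r["device_id"])
        if (today - r["last_report"]).days > stale_after_days:
            findings["stale"].append(r["device_id"])
    return findings


def coverage(rows):
    """Fraction of sensitive-data devices with a confirmed 'encrypted' status."""
    sensitive = [r for r in rows if r["sensitive"]]
    if not sensitive:
        return 1.0
    return sum(1 for r in sensitive if r["encrypted"] is True) / len(sensitive)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    result = audit(inventory, today=AUDIT_DATE)
    print(f"encryption coverage (sensitive devices): {coverage(inventory):.0%}")
    for category, ids in result.items():
        print(f"{category}: {', '.join(ids) or '-'}")
```

    Note that LT-0004 reports as encrypted but shows up under "stale": a status that was last confirmed months ago is no better than an unknown one, which is the point of tracking the report date alongside the status rather than trusting the last value written.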

     
  • Drive Encryption Software: U of Nevada Health System Warns Of Patient Data Breaches

    Computers were stolen from the Reno offices of the University Health System, a clinical program run by the University of Nevada School of Medicine.  It appears that full disk encryption software like AlertBoot was not used to secure patient data, since potentially affected patients are being alerted that their information "may have been viewed without consent," something that is implausible with the correct data security software in place.

    Two Computer Servers Stolen

    According to kolotv.com, two computers (and only these two computers) were taken from the aforementioned offices on June 11.  There were no signs of forced entry.

    The computers not only contained information on patients--names, Social Security numbers, medical information, and account numbers--but also personal information for some physicians.

    It is not known at this point how many people are affected, although the university started mailing data breach notification letters last week. (It bears mentioning that the university is mailing out breach notifications to people "whose information would not have included details like social security numbers.")

    Complying with Nevada Breach Notification Laws and HIPAA?

    There are two laws that the University has to keep abreast of...but only if they had not used encryption software to safeguard patient information.  Besides protecting patients from the (real, in this case) possibility of becoming ID theft victims, the use of encryption affords certain protections from the law.

    In Nevada, for example, the use of server encryption software on the two stolen computers would have meant safe harbor from having to contact patients.

    At the federal level, my guess is that the university also has to deal with HIPAA, since their clinic is a covered entity under federal law.  As I've covered before, the latest decision by the Secretary of the HHS, via the HITECH Act, grants safe harbor from sending breach notifications to patients as long as encryption is used to protect patient data (also known as PHI, protected health information).


    Related Articles and Sites:
    http://www.ktvn.com/Global/story.asp?S=12675105
    http://nevadasagebrush.com/blog/2010/06/21/personal-info-on-health-system-servers-stolen/
    http://www.kolotv.com/home/headlines/96699144.html
    http://www.rgj.com/article/20100619/NEWS/6190319/1321/news

     
  • Data Encryption Software: Two Hong Kong Hospitals Go Public With Data Breach

    The Hospital Authority in Hong Kong announced two data breach incidents.  The breaches could have been easily avoided by following proper procedures and using information security software such as drive encryption software from AlertBoot.

    Caritas Medical Centre and Kowloon Hospital

    Caritas Medical Centre experienced a breach when a computer disk drive went missing from a locked room.  The disk was "pending destruction" and contained the information for approximately 3,000 ophthalmology patients--including names, sex, ages, and identity card numbers.

    Kowloon Hospital saw a less excusable breach when a USB drive with the information of 300 student nurses was lost.  A clerk had stored the information for "daily contact purposes."  The information included names, sex, phone numbers, and e-mail addresses.

    Preventable Breaches

    Of the two, the Kowloon incident is more glaring.  It involved a personal USB drive, a class of device that has been banned from medical establishments ever since the tiny island started realizing that HK was susceptible to medical data breaches just like any other city:  The United Christian Hospital lost a USB disk in April 2009. Yan Chai Hospital lost floppy disks in July 2008, which were about to be encrypted, ironically enough.  These two are not the only breaches Hong Kong has had in the past, obviously; there were others that I didn't cover.

    And, while the Caritas situation is understandable, I'm not sure it's excusable.  Granted, the now-missing computer hard drive was in a locked room, but it wouldn't be the first time something went missing from a locked room at a hospital.

    It would have just made sense to use a solution like full disk encryption (on both devices, now that I think about it) to ensure the information remains protected until it is destroyed.


    Related Articles and Sites:
    http://www.webnewswire.com/node/544824
    http://www.webnewswire.com/node/544795
    http://7thspace.com/headlines/348263/a_suspected_theft_case_ofa_computer_hard_disk_at_caritas_medical_centre.html
    http://www.rthk.org.hk/rthk/news/englishnews/20100619/news_20100619_56_676723.htm

     