AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

September 2010 - Posts

  • Data Encryption: Heartland Payment Systems Offers End To End Encryption

    Could encryption turn out to be Heartland Payment Systems' competitive advantage?  It would be a nice twist to all the negative press the payment processor received early last year, when HPS became the focus of the largest data breach in US history.

    I've previously blogged about it here, here, and here, in the latter arguing for a distinction between transaction records and accounts/people.

    (Nearly two years later, I still cannot find how many people were actually affected.  All numbers seem to point to 130 million, which I'll use, but that was initially revealed as the number of transaction records over three months.)

    130,000,000 Records Compromised

    When you think of it, the breach was not as devastating as it could have been.  Approximately 130 million records were compromised, the largest in US history so far, but it was only credit card information.  Imagine if that had been a database full of Social Security numbers: it would have amounted to one third of the US population; at least, per the 2009 US Census.

    One in three Americans' SSN in the hands of an organized mob; can you imagine how much worse it could have gotten?

    Lots of Controversy, Finger-pointing

    As can be expected from the largest-anything-negative situation, there was a lot of finger-pointing on who was to blame.  Since HPS's database had been breached, many blamed HPS.  The company, in turn, blamed their PCI auditor, which opened another can of worms (i.e., can PCI be relied upon?  Is it effective?  Is PCI meant to afford full protection from all breaches?  The answer to that last one is "no," by the way.)

    HPS stuck to its story, and soon began espousing the need for end-to-end encryption.  Based on the many data breach stories I've been reading lately, where credit card information is routinely being stolen from point-of-sale terminals and computers, HPS might be on to something.

    Offering End-to-End Encryption

    Actually, Heartland Payment Systems did more than stick to its story: it started offering end-to-end encryption for their point-of-sale terminals in May (5,000 merchants are currently using it), and will also offer a device called the "E3 magnetic stripe reader wedge."

    The use of encryption to protect data is a no-brainer.  For example, banks deploy disk data encryption software to secure sensitive information in their employees' laptop computers.  And, cloud-based encryption like AlertBoot makes it easy to deploy encryption across thousands of computers in one go.  Governments the world over use encryption to secure their communication channels.  On-line banking needs encryption; it wouldn't work otherwise, since the internet is an open medium, and technically anyone can read information passing through their networks.

    As far as I know, HPS is the only major player when it comes to end-to-end encryption for point of sale systems.  In the great tradition of innovators and cunning industrialists, the company may have turned risk into opportunity.


    Related Articles and Sites:
    http://www.networkworld.com/news/2010/092810-heartland-bolsters-encryption.html?hpg1=bn

     
  • Full Disk Encryption: Sandiegofit.com Break-In Results In Data Breach

    Databreaches.net noted that sandiegofit.com has alerted the NH Attorney General's Office about a data breach that took place on August 30, 2010.  A computer was stolen from a protected area, and sensitive information was breached as a result.  The letter to the AG noted that disk encryption had not been used.

    Computer Stolen from Secure Area

    The sensitive information included names, addresses, phone numbers, and credit cards (in some instances).  The information was stored in a computer file, and password-protection on the computer was enabled.  But, as I've already noted, encryption software had not been used.

    The letter to the AG further goes on to note that the computer was kept in a "locked, alarm-protected" office.  Sandiegofit.com probably thought that was enough.  After all, they had alarms--which, I'm betting, were being monitored by a security company (something a la ADT), and would have alerted the cops.

    If those services are anything like what home security firms offer you, though, they might not be as effective at deterring thieves as one thinks.  It's the reason why smartmoney.com created a top-ten list of things home security firms won't tell you.  Sometimes, a particular security service is there to give you peace of mind.

    Which, in some ways, is what password-protection is all about.

    Encryption and Password-Protection: What's Different

    Password-protection doesn't quite live up to its name.  There are a number of ways of bypassing it, such as using a LiveCD (freely available from the internet), or connecting the computer's hard drive to another computer you have control over (a 10-minute task, max).

    This is why most states and professional organizations don't establish safe harbor exceptions to sending notifications when password-protection is used.  It's different with encryption, though.

    With encryption, data is protected.  In fact, the sole purpose of encryption is the protection of data (encryption has a long history: Julius Caesar used a rudimentary version of it to communicate with his field generals).  I suspect that password-protection is a by-product from yonder years when computers didn't really need security because you literally needed a Ph.D. to operate one.  We've come a long way from those days.


    Related Articles and Sites:
    http://www.databreaches.net/?p=13919
    http://doj.nh.gov/consumer/pdf/sandiegofit.pdf

     
  • Disk Encryption: UK's ICO Will Start Fining Companies To Set Examples

    Nearly six months ago, the Information Commissioner's Office in the UK gained the power to fine companies that are in breach of the Data Protection Act, up to £500,000 in penalties.  As I've pointed out before, the use of drive encryption software for protecting entire laptops and other portable devices, and file encryption for protecting individual files and folders, would help in radically reducing or even eliminating such fines.

    I thought that this message would get lost, since in the six months since, the ICO hasn't fined a single organization that was involved in a data breach, no matter how egregious the loss of data.  This could be changing though: the ICO has "confirmed that it is in the process of imposing fines against organisations that have breached the Data Protection Act," according to v3.co.uk.

    "We Will Be Actively Using This Power"

    Deputy information commissioner David Smith was quoted as saying the following:

    "This will be a landmark moment in ensuring that firms take [data protection] seriously," he said.

    "There have been a lot of questions asked of us about whether we are actually going to fine firms, and I can assure people that we will be actively using this power."

    Smith declined to reveal any details of the companies involved, but said that information will be posted online "in the near future".[v3.co.uk]

    There are a number of other points Smith goes into, including how companies should not be collecting data just because they can; if they don't have a use for it, don't collect it.  This is actually one of the keystone principles of data security: you don't need to secure what you don't have.

    And, seeing how data breaches are revealing themselves to be a "when, not if" situation, not collecting unnecessary information is something to think about.  Not collecting information other companies are collecting might be a competitive disadvantage, but so is getting involved in a data breach.

    The Importance of Encryption Software

    In the past, the ICO has made a point of ensuring companies promise to use encryption on their portable devices as part of an Undertaking.  In fact, I have a post--UK Information Commissioner Can Fine Company £500,000--quoting an Undertaking straight from the ICO's website.

    If you follow the link, you'll see that there are other issues to consider aside from the use of encryption, such as ensuring adequate physical security and education of staff, but the very first item is the use of encryption.  Not that I believe that these things are ranked in order of importance, but still, wouldn't you say it's symbolic?


    Related Articles and Sites:
    http://www.v3.co.uk/v3/news/2270673/ico-confirms-breach-fines
    http://www.alertboot.com/blog/blogs/endpoint_security/archive/2010/01/15/data-encryption-uk-information-commissioner-can-fine-up-to-500-000-pounds.aspx

     
  • Data Security: How Kern Medical Center Responded To A Data Breach

    I was reading a Forbes article on how Kern Medical Center's IT systems stopped working due to a malware infestation this past July when I burst out laughing.  The story has absolutely nothing to do with data encryption software, but I thought I'd share it, both for the humorous incident and the insight.

    MSFT's .lnk File Security Threat

    Not too long ago, Microsoft had announced that malware was spreading by exploiting the lnk files (shortcut files) in MSFT's operating systems.  Kern Medical Center found out that it had been affected, finding 13 types of malware infecting their computers.  Prior to the IT department finding this out:

    The first thing that happened was people called us saying their printers were printing long jobs gibberish until it would run out of paper. When we asked what they were doing about it, they told us they were adding more paper to the printers. That was the first indication we had a problem [forbes.com, my emphasis]

    Problems is more like it, and I'm not referring just to the malware infestation.  Sadly enough, I'm reminded of an incident from my college years, in the engineering computer lab, where some of my fellow students were doing the same thing, not in response to malware, but because some guy had printed his computer code in 72-point size font and then split when he couldn't figure out how to add paper to the tray.  In turn, they added the paper because they couldn't proceed with their own print jobs until this guy's was finished.  (I think of this incident whenever I'm feeling particularly stupid and want to feel better.)

    Jokes aside, the Forbes article has several insights that any company--medical or otherwise--could use:

    • Have a diverse computing environment: MSFT, Linux, Mac, whatever.  This way, malware written for one environment won't bring down everything.
    • Engage in "protection through depth" or, as I usually refer to it, layered protection.

    For example, if your only data protection at your company is antivirus software--and we'll say for now that it protects 100% against all viruses and other malware--you're still risking a data security incident due to theft or loss (where encryption software would be much more appropriate), or because the wrong file was e-mailed to the wrong person (where DLP, data loss prevention, programs are necessary), or because a file was saved to the wrong server and made public to the world via Google's indexing program, i.e., the internet.

    Some Guy Slips A Ransom Note to CEO

    It was also mentioned that at some hospital, not Kern,

    someone broke into the system, then walked down the hallway and slipped a note under the CEO's door. He said, "Here's my Cayman Island bank account and put money in or I'll release your records." At another hospital, the FBI had a video the hacker had made of himself and in 4 minutes and 26 seconds he broke into the hospital. He put it on YouTube afterward. The potential lawsuits that come from the release of patient information are huge.[forbes.com]

    Damn.  It sounds like someone literally broke into a company's data center/room in the first incident (definitely in the second).  Under the circumstances, there would have been nothing to prevent these people from stealing servers with data outright.  If that happens, a solution like AlertBoot disk encryption software would ensure data security.  Crashing through doors and windows is easy; guessing a properly conceived password not so much.  And guessing the encryption key, even less.


    Related Articles and Sites:
    http://www.forbes.com/2010/09/24/hack-pornography-microsoft-technology-cio-network-security.html

     
  • Data Encryption Software: TX Dept Of Health Sells Data, Recipient Uses It For Non-Research Purposes

    I've mentioned in the past that data encryption ought to be considered for seemingly trivial--yet personal--data, in certain cases.  For example, if a massive database of e-mail addresses is breached...so what, right?

    On the other hand, that's what happened to monster.com a few years back, and that seemingly trivial information was used to infect people's computers with a Trojan: an e-mail from monster.com was spoofed, encouraging members to download a new "toolbar" that would enhance their monster.com experience.

    It's just one example of the things that can be done with seemingly trivial information.  I've also mentioned a number of other scams that exploit data that most don't consider sensitive.

    Today, I'd like to add another one to my list, although I'm not sure the perpetrators will admit to it being a scam (it sounds like one, though).  And, man is it a doozy.

    Texas Department of State Health Services Sells Data

    The Texas Department of State Health Services (DSHS) is mandated with enforcing the protection of patients' health records.  However, it is also allowed to sell patient information for research purposes.  It's also allowed to sell data for non-research purposes, as long as the information is de-identified, i.e., personal details are substituted with other unique identifiers.  For example, a person's name might be substituted with an internally created identifier such as "A99S2ISNN."

    The idea is to give people a chance to use massive databases to identify trends: for example, residents of a particular zip code have higher incidences of a particular type of cancer (why?), or people in a particular age range have lower incidences of heart disease compared to people from 10 years ago in the same age range (again, why?).  The data can become a powerful tool for figuring out better health practices and policies, among other things.

    It can also be used for other stuff.  Here's how America's Health Insurance Plans got embroiled in a scam after obtaining the same data (they got the "research" version, which does not de-identify data):

    The group gained notoriety in 2009 when a New England newspaper discovered AHIP's political-marketing consultant was in fact the author of numerous letters to the editor railing against health care reform. The letters were signed with the names of local citizens who, the newspaper learned, had not written the letters and objected to the use of their names without permission. [theaustinbulldog.org]

    Of course, you'll notice that technically this was not AHIP's doing: a consultant did it.  And, there's the issue of whether this constitutes a scam, or merely just deceit.  (Sounds like a scam to me...and, why use real names?  Why not make them up?  Sheesh, some people...)

    Anyhow, the above is just another way that seemingly trivial information can be used for less-than-innocent purposes.  It's also a situation where the use of encryption wouldn't have an impact at all.

    Encryption software like AlertBoot would have been less than useful in this case because the information was legally obtained (but illegally used...I'm pretty sure it must have run afoul of any contractual agreements between AHIP and Texas DSHS).  I mean, you could deliver the information in encrypted form--always a good policy--but the appropriate passwords would also be provided, rendering the point moot.

    On the other hand, it just confirms the fact that there are situations where encryption cannot be counted on for data security: when people who've been authorized to access data turn out to be the same people who you're trying to keep out.  This, among other reasons, is why any good data security policy combines different layers of security (such as keeping tabs on who accesses data by keeping logs and running periodic audits).

    Related Articles and Sites:
    http://www.theaustinbulldog.org/index.php/Main-Articles/Main-Articles/department-of-state-health-services.html

     
  • Laptop Encryption Software: St. Vincent Hospital Loses 1,200 Patient Data

    St. Vincent Hospital in Indianapolis has announced the data breach of 1,200 people.  An employee's laptop was stolen when the employee's home was burglarized.  It is not mentioned whether disk encryption software like AlertBoot was used to protect the data.

    Dearth of Details

    Frankly, there's not much to report on.  A laptop computer was stolen from an employee's home, resulting in the breach of names, SSNs, dates of birth, addresses, and "personal health information." (Personally, I suspect that the last one is actually protected health information; I, too, sometimes get confused on what PHI stands for; at least, I used to, until I read a handful of HIPAA-compliance publications).

    The burglary took place on July 25th.  It wasn't revealed whether the employee had been authorized to take the information home, although it wasn't announced that the employee in question had been reprimanded in any way (which could be because he had been authorized to have that data).

    Assuming that the employee was authorized to carry this information, one also assumes that St. Vincent had also used encryption software to protect the information.  Indeed, under HIPAA, encryption is pretty much required for any portable media that is not secured physically; furthermore, the (relatively) recently passed HITECH Act further strengthens the use of encryption to protect PHI (it might be an interim requirement, but I think pretty much all expect it to be enforced in the end).

    Not the First Data Breach

    St. Vincent had another, unrelated breach in 2007.  In that case, a third party was responsible for the breach (but not for the consequences, seeing how the hospital was the owner of the breached data): they exposed personal information on the internet.

    That should have been a wakeup call for the hospital.  Usually, the first breach tends to create a domino effect, where other data security weaknesses are investigated and shored up.  Between this, HIPAA, and HITECH, I'd have imagined the use of laptop encryption would have been required for all laptops.  The question is, was it?

    Why Encryption?

    Why do I keep emphasizing the use of encryption?  Well, to begin with, it's the only known, and proven, method for keeping sensitive data secure in the event of a data breach.  Even if a laptop, desktop, external portable, etc. is stolen, the information on it cannot be accessed if data encryption was used to secure the information.

    Also, under HITECH, the use of encryption means that a data breach is given safe harbor from having to notify patients and the HHS about the "data breach": since encryption is used, the loss of data does not pose a risk, and hence, no need to report it as a data breach.  You know, for the same reason that you wouldn't report that an empty folder labeled "patient data" has gone missing (what's the point?).

    Furthermore, Indiana is a state that gives the same safe harbor for the same reason: in fact, per state law, it doesn't even consider the loss of encrypted information a data breach.

    The use of encryption, in this particular case, means real protection from potential ID theft for the 1,200 people, as well as compliance with the law, both at the federal and state level.  Why wouldn't one keep emphasizing the use of encryption?


    Related Articles and Sites:
    http://www.theindychannel.com/news/25153883/detail.html
    http://www.wishtv.com/dpp/news/local/patients-personal-information-stolen
    http://www.wthr.com/story/13215674/st-vincent-patient-information-compromised
    http://www.in.gov/legislative/bills/2009/HE/HE1121.1.html

     