A desktop computer containing the personal information of 7,000 City College of New York students was stolen about three weeks ago. The computer was not protected with drive encryption software like AlertBoot, which could mean the difference between a non-event and a full-blown crisis down the line.
Despite the fact that encryption software was not used, there is a glimmer of hope: password-protection was used on the now-missing computer. The unfortunate thing is, it's not going to be of much use against thieves bent on stealing data.
To the average person, password-protection appears to be a data security tool: if you don't know the password, you don't get access. But, as a quick Google search will evidence, it's pretty easy to bypass it. Indeed, there are various methods of doing so, none of them so complex that a fifth grader couldn't do it.
If the desktop computer was stolen for resale, there is a good chance that things will stop at the theft of the hardware; however, if the thief is even remotely interested in data theft (at least, interested enough to do a Google search), then all bets are off. It's that easy to get past a password prompt for the computer.
Encryption--while it may look exactly the same as password-protection to the average user--is a completely different technology. If encryption can be compared to a car, password-protection is like a car without wheels: it looks like a car and you can hear the motor rev, but it's going nowhere.
How does encryption protect data? Encryption scrambles information so that it doesn't make sense (think of those computer screens with the scrolling gibberish in The Matrix, except not readable by anyone, including Joe Pantoliano). The only way to put the data back together is to provide an encryption key. Modern encryption ties access to the key to the password. No password, no access.
(Well, kind of. You could try to figure out the encryption key. Estimates show that it'd take a guy a couple of centuries even if he had all the computing power in the world right now.)
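The difference described above, as an added illustration that is not from the original article or from any product it mentions: a password-protected disk still holds the record in readable form, while an encrypted disk holds only ciphertext plus a data key wrapped under a key derived from the password. The sample record, the passwords, the PBKDF2 iteration count and the HMAC-based keystream (a standard-library stand-in for a real disk cipher such as AES) are assumptions made for the example.

```python
import hashlib, hmac, os

# Constructed sample record standing in for the data on the stolen disk.
RECORD = b"name=Jane Doe;ssn=000-00-0000"

def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: illustrative stand-in for a real disk cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream for `key`."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def derive_key(password: str, salt: bytes) -> bytes:
    # Password -> key. The iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def password_protected_disk(password: str) -> dict:
    """The password only gates the login prompt; the sectors hold the record as-is."""
    salt = os.urandom(16)
    return {"salt": salt, "login_hash": derive_key(password, salt), "sectors": RECORD}

def encrypted_disk(password: str) -> dict:
    """A random data key encrypts the sectors and is stored wrapped under the password key."""
    salt, data_key = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_key": xor(data_key, derive_key(password, salt)),
            "key_check": hmac.new(data_key, b"check", hashlib.sha256).digest(),
            "sectors": xor(RECORD, data_key)}

def unlock(disk: dict, password: str):
    """Return the plaintext, or None when the password does not unwrap the data key."""
    data_key = xor(disk["wrapped_key"], derive_key(password, disk["salt"]))
    check = hmac.new(data_key, b"check", hashlib.sha256).digest()
    if not hmac.compare_digest(check, disk["key_check"]):
        return None
    return xor(disk["sectors"], data_key)

if __name__ == "__main__":
    print("password-protected sectors:", password_protected_disk("hunter2")["sectors"])
    enc = encrypted_disk("hunter2")
    print("encrypted sectors:", enc["sectors"].hex())
    print("unlock with wrong password:", unlock(enc, "letmein"))
```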
One CUNY student supposedly asked, "Why was that all on one computer? It's a good question right?" according to WABC in NY. Yes, but it's also the wrong question.
Generally, people collect data because they need it, or at least think they need it. Once collected, people work with it, meaning a computer is necessary. While some may criticize the practice of not using a secured central database, this is just a case of a guy with a hammer seeing everything as nails: there are plenty of reasons why such a setup is not used, technical and financial.
The question is not why all that information was on that one computer. Physically secured computers--including ones in data centers--are known to get stolen. The question is, why was that computer not secured with full disk encryption software, seeing how it contained sensitive data?
Related Articles and Sites:
http://www.nydailynews.com/ny_local/2010/09/07/2010-09-07_data_theft_hits_cuny_students.html
http://abclocal.go.com/wabc/story?section=news/local&id=7653406