Lifehacker.com has listed some ways one might bypass Windows password prompts. They describe each method, how it works, and how to keep from falling victim to it. For the latter, the answer is pretty much the same: use encryption, such as AlertBoot's disk encryption.
And, in the one case where it's not the answer (brute force cracking), they recommend that you use a strong password.
Personally, this is not news. I've covered the lifehacker.com methods in this blog already, many times (and will probably do so in the future as well).
However, one could claim that I'm not a disinterested party, given who I work for. Not that I claim encryption software cures all ills and then some (I regularly point out why and how computer encryption can't protect you, depending on the situation), but it does begin to sound suspicious when I list all the ways that simple password protection does not protect you from data thieves but disk encryption does.
Hey, if you're not gonna believe me because of who I work for, at least listen to the guys who don't work for a security company.
Related Articles and Sites:
http://lifehacker.com/5674972/how-to-break-into-a-windows-pc-and-prevent-it-from-happening-to-you
The San Diego Regional Center has alerted their clients that a backup tape with sensitive data was lost while being shipped. It looks like encryption software was not used to protect the contents of the tape.
The tape was created for "disaster recovery testing." If only this were part of that test.
The backup contained names, addresses, telephone numbers, Social Security numbers, program benefits numbers, and health and medical diagnostic information. Parents' SSNs were also included if the client was a minor. (SDRC works with disabled individuals.)
The tape was lost when it was sent via courier service, from SDRC to the Department of Developmental Services, which is the California department that supports "individuals with developmental disabilities."
An explanation as to why a backup tape created for disaster recovery testing was sent to the DDS was not included. (Hmm... maybe the tape was sent in case of disaster; you know, after the testing was done, they figured having the DDS hold the data was good policy.)
Since we only know of this incident because one of those notified in turn alerted phiprivacy.net, there is no way to know how many have been affected.
In order to find out whether SDRC was covered under HIPAA, I venture over to their homepage. Lo and behold, I see that they have a "Quick Facts" section with a link that reads "SECURING CONFIDENTIAL INFORMATION."

The link turns out to be a PDF by the DDS on "Securing Confidential Information and Data," published in November 2009. Under the recommended best practices it clearly states:

Encrypt information sent via email or provide as a password protected attachment and send the password in a separate communication;
When possible, use registered mail to send information to confirm it wasn't intercepted or delivered to the wrong party;
Do not store confidential, sensitive, or personal data on non-encrypted laptops or mobile devices.
Do not backup data to non-encrypted media such as diskettes, memory sticks, or CDs.

[from http://www.sdrc.org/publications/secureinfo.pdf, my emphasis]

Oh. Oops.

At least it's good to know that they had given some thought to the issue of data protection. While encryption software like AlertBoot disk encryption is not the be-all, end-all of data security, it can hardly be disputed that it would have made a world of difference in this particular case.

The SDRC claims that the chances of data theft are tiny because of the need for the appropriate tape drive and software ("highly specialized tape drive" is what they called it). That is a debatable matter: the rarity of a tape format is not a security control, only a speed bump for anyone willing to source the drive (as I've pointed out in this other post regarding NASA's FR-900 Ampex tape drives).
Related Articles and Sites:
http://www.phiprivacy.net/?p=4794
http://www.phiprivacy.net/wp-content/uploads/sdrc_2010.pdf
The Treasury Solicitor's Department (TSol) has issued guidance for selecting data encryption software and data deletion products. This is meant to aid Bar Council members, who must now apply disk encryption to "removable devices or removable storage media and laptop computers."
In fact, the guidance states that "level of encryption must [my emphasis] meet the minimum standards sets out below." It's only a three-page document; you can find it here.
TSol offers a list of seven products when it comes to choosing the correct whole disk encryption software. However, the list is not exhaustive, as TSol points out. What do these seven products have in common? The fact that they are FIPS 140-2 validated. (They also mention CCTM, the CESG Claims Tested Mark, but the focus is on FIPS.)
Sidebar: What is disk encryption?
Disk encryption goes by many names: full disk encryption, whole disk encryption, drive encryption, and myriad other combinations of the words "disk" and "drive." Essentially, it is encryption designed to protect the entire storage device in your computer, as opposed to individual files.
The choice of FIPS 140-2 might seem a little odd, since it's actually a joint American-Canadian standard, administered by the US National Institute of Standards and Technology (NIST) together with Canada's Communications Security Establishment. On the other hand, it does dovetail with the belief in the encryption community that once you have a good process in place, you shouldn't reinvent the wheel for fear of introducing unforeseen errors.
There are many other things to consider besides FIPS 140-2, and TSol has pointed out the importance of the following:

Ensure the vendor is committed to the ongoing development of the product. For all intents and purposes, this is hardly a consideration for FIPS 140-2 validated encryption software. The process of receiving validation takes a long time and tens of thousands of US dollars, so the developer of a product that's been validated will usually continue to develop it.

Ensure the vendor is committed to issuing patches for vulnerabilities and other issues. Likewise, companies with validated products have a lot of interest in ensuring that any vulnerabilities that come to light are addressed. One wrinkle worth knowing, though: a FIPS 140-2 certificate is tied to a specific version of the cryptographic module, so a patched build is not automatically the validated one. Ask the vendor how they keep the shipping version and the certificate in step.
Not mentioned is this small, and sometimes confusing, fact: disk encryption is not file encryption. As I noted in the sidebar above, disk encryption is about encrypting the storage device in the computer. This is great if one's computer or external, portable media is stolen, because the data at rest is unreadable without the key. The caveat is that it protects a machine that is powered off (or sitting at the pre-boot prompt), not one taken while logged in or asleep with the disk already unlocked, and it is only as strong as the passphrase or key protection in front of it.
However, if you decide to copy a file from an encrypted disk to another non-encrypted disk, or to e-mail a file from an encrypted disk, then that particular file is not encrypted anymore on the recipient's end. This is why some organizations opt to disable USB ports on an encrypted computer, or also sign up for e-mail encryption and other forms of data loss prevention software in addition to using full disk encryption.
In fact, it's for this reason that AlertBoot endpoint security software--for laptops, netbooks, and any device that uses a computer hard drive for storage--offers not only FIPS 140-2 validated encryption (using Sophos's SafeGuard, which is on TSol's list) but USB port blocking, automatic encryption of external portable drives, and other security features.
It's all about making it convenient to plug those other holes that can chip away at your data's confidentiality.
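As an added illustration of the point above (this is example code written for this page, not AlertBoot's or Sophos's, and the cipher, the two-function "filesystem" and the sample record in it are constructed stand-ins): a toy block device with a transparent encryption layer, and what happens to a file copied off it onto an unencrypted stick.

```python
"""Toy model of the disk-encryption vs. file-encryption boundary.

The FDE layer encrypts each sector on the way to the device and decrypts on
the way back, keyed by sector number (the job the "tweak" does in real sector
modes such as XTS). Being transparent, it hands plaintext to anything above
it, so a copy to a USB stick or an e-mail attachment leaves unprotected.
Illustration only: the HMAC-SHA256 counter keystream is not a production cipher.
"""
import hashlib
import hmac
import struct

SECTOR = 512

# Constructed sample record; any bytes would do.
SAMPLE_RECORD = b"Client: J. Doe  SSN: 000-00-0000  Dx: (constructed sample)"

# Constructed, fixed disk key so the demo is reproducible. A real FDE product
# derives this from a passphrase via a KDF or unseals it from a TPM.
DISK_KEY = hashlib.sha256(b"constructed demo disk key").digest()


class RawDisk:
    """Unencrypted, sector-addressed device (an unencrypted USB stick, say)."""

    def __init__(self, sectors):
        self.data = bytearray(sectors * SECTOR)

    def read_sector(self, n):
        return bytes(self.data[n * SECTOR:(n + 1) * SECTOR])

    def write_sector(self, n, buf):
        assert len(buf) == SECTOR
        self.data[n * SECTOR:(n + 1) * SECTOR] = buf


class EncryptedDisk:
    """FDE layer over a RawDisk: callers see plaintext, the device sees ciphertext."""

    def __init__(self, raw, key):
        self.raw = raw
        self.key = key

    def _keystream(self, n):
        # Keystream block i for sector n = HMAC(key, n || i); the sector number
        # is what keeps two sectors holding the same data from looking alike.
        out = bytearray()
        for i in range((SECTOR + 31) // 32):
            out += hmac.new(self.key, struct.pack(">QQ", n, i), hashlib.sha256).digest()
        return bytes(out[:SECTOR])

    @staticmethod
    def _xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))

    def read_sector(self, n):
        return self._xor(self.raw.read_sector(n), self._keystream(n))

    def write_sector(self, n, buf):
        self.raw.write_sector(n, self._xor(buf, self._keystream(n)))


def write_file(disk, start, data):
    """Minimal stand-in for a filesystem: zero-pad and store at a fixed sector."""
    padded = data + b"\x00" * (-len(data) % SECTOR)
    count = len(padded) // SECTOR
    for i in range(count):
        disk.write_sector(start + i, padded[i * SECTOR:(i + 1) * SECTOR])
    return count


def read_file(disk, start, count, length):
    return b"".join(disk.read_sector(start + i) for i in range(count))[:length]


def copy_file(src, src_start, count, length, dst, dst_start):
    """What dragging a file to a USB stick does: read through the FDE layer,
    write to the destination device as-is."""
    data = read_file(src, src_start, count, length)
    write_file(dst, dst_start, data)
    return data


def demo():
    laptop_raw = RawDisk(8)
    laptop = EncryptedDisk(laptop_raw, DISK_KEY)
    usb = RawDisk(8)

    count = write_file(laptop, 2, SAMPLE_RECORD)   # file on the encrypted laptop
    write_file(laptop, 5, SAMPLE_RECORD)           # same bytes at another sector
    copied = copy_file(laptop, 2, count, len(SAMPLE_RECORD), usb, 0)

    return {
        # Stolen, powered-off laptop: the raw media holds only ciphertext.
        "plaintext_on_laptop_media": SAMPLE_RECORD in bytes(laptop_raw.data),
        # Same plaintext, different sectors, different ciphertext.
        "sector_tweak_works": laptop_raw.read_sector(2) != laptop_raw.read_sector(5),
        # A logged-in user (or any program) reads plaintext transparently...
        "read_through_fde": read_file(laptop, 2, count, len(SAMPLE_RECORD)),
        # ...so the copy on the unencrypted stick is plaintext.
        "plaintext_on_usb_media": SAMPLE_RECORD in bytes(usb.data),
        "copied_bytes": copied,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v if isinstance(v, bool) else v[:24] + b"...")
```

The design point is in `copy_file`: it never touches a key, yet it produces a plaintext copy, because the encryption lives below the filesystem and above it everything is already decrypted. That is why port blocking, removable-media encryption, or file-level encryption has to sit alongside full disk encryption rather than being replaced by it.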
Related Articles and Sites:
http://www.tsol.gov.uk/PanelCounsel/pdf/Encryption_and_Erasure_Guidance_for_Panel_Counsel_October_2010.pdf
Kroll has announced that this is the year companies are losing more to electronic theft than to physical theft. It remains to be seen whether this is a watershed moment or just a random blip in history. Regardless, the fact that the two are neck and neck means that data security tools like full disk encryption from AlertBoot are as important as ever, just like the physical security most spring for without a second thought.
Some of the shocking figures:

98% of businesses in China suffer fraud, 94% in Colombia, and 90% in Brazil.
50% of companies have deferred investing in foreign countries due to fears of electronic theft.
1.7 million is lost to fraud for every 1 billion in sales. That's only 0.17%, a surprisingly low number; however, it's also a 20% increase from the year before.

Despite all of this, the most surprising is this quote from businessday.co.za:

Danny Myburgh, MD of computer forensic analysis company Cyanre, said yesterday: "The sad reality is that 80%-90% of the fraud is likely to be committed by someone within your company." Yet only 48% of the companies surveyed planned to improve their security in the next 12 months, down on last year's 51%.
Perhaps the above quote shouldn't hit me as surprising. After all, I keep seeing the same type of thinking when it comes to the use of encryption software.
I haven't seen many people complain about the use of encryption on laptops, if one travels around with it. In certain cases where a laptop is substituted for a desktop (that is, that laptop is not moving from the desk), I've seen people wonder why encryption is necessary. The explanation of how the laptop could be stolen seems to convince them of the need.
However, the case is different with desktop computer encryption. Despite the fact that these can be stolen as well, for some reason most people think that desktops are immune from theft (if "boxiness" is all that it takes to stop theft, Volvos from the 1980s are the pinnacle of anti-theft design). Encryption on desktops? Nobody really gives it a second thought; the answer to most is "no need."
It's obvious that there is a lot of fuzzy thinking when it comes to "what does protecting data mean?"
Related Articles and Sites:
http://www.businessday.co.za/articles/Content.aspx?id=124848
http://www.allgov.com/Controversies/ViewNews/Commercial_Digital_Theft_Tops_Physical_Theft_for_First_Time_101026
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=227900228
Phiprivacy.net has found that Mt. Sinai Medical Center suffered a data breach when a hard drive with "some patient information" was found missing from their WTC monitoring program offices. It appears that drive encryption software like AlertBoot was not used to protect the contents.
The missing hard drive contained "potentially identifying information" such as names, phone numbers, addresses, and limited mental health information, partially or wholly, for 1,500 patients. The breach notification letter from Mt. Sinai pointed out that SSNs were not included.
Phiprivacy.net noted the incident does not show up on the HHS's medical data breach site (but I figure it will in a couple of weeks or so...patients were sent notification letters on or before September 16, and breached entities have 60 calendar days to notify the HHS).
What I'm most interested in, however, is the following line in the notification letter: "Mount Sinai recently discovered that the hard drive is missing from a computer in the offices of the [WTC] Medical Monitoring and Treatment Program" (my emphasis).
Does this mean what I think it means? That a hard drive was literally taken out of a computer, and nobody knows what happened to it? If so, the word "stolen" seems more apt than "missing," even if the latter is technically correct ("stolen" is a subset of "missing").
Phiprivacy.net has taken Mt. Sinai to task for encrypting their hard drives after the above breach incident. Not because it was the wrong thing to do, but because Mt. Sinai had a breach in 2005 when a laptop was stolen. Obviously, that incident should have been used to ensure that encryption software is used to protect all computers that store sensitive data.
In my experience, though, there are many people that don't really understand data protection. It's the same type of people who ensure their doors are locked when they leave home, but also leave their windows unlocked. They'll encrypt laptops, because they're portable and "at risk of theft," but not do the same for desktop computers, because "they're not portable."
Trust me, desktops are "portable," not in the "designed to be carried around" sense but in the "possible for a guy to steal in whole by picking it up" sense. Plus, as we see in the above case, there is nothing stopping a guy from stealing the one component in a computer that leads to data breaches, no matter how heavy a computer it happens to be.
So, going back to why Mt. Sinai didn't encrypt all of their computers back in 2005: my guess is a guy in management ran some risk analysis and decided that the breach risk posed by laptops vs other types of computers was higher for the former, and decided to protect laptops only (although, whether they even protected all laptops is speculation on my part).
The thing is, that's the wrong type of risk analysis. It might work for certain assets, such as gold bullion--making the bullion big enough that you need a crane to lift it is security in and of itself, so all you need to do is concentrate on protecting the gold coins or whatever--but this is not what you do with data on computers. Encryption of data ought to be based on what type of information a computer is holding, not on whether it weighs less than five pounds.
Related Articles and Sites:
http://www.phiprivacy.net/?p=4725
Ryan Leslie is offering a big reward for the return of his laptop. His MacBook was stolen while he was in Germany. The device had a lot of information that would have merited the use of disk encryption software like AlertBoot.
(Update: The offer has now been upped to $1 million. Plus, Leslie has admitted that he should've remembered to back up his data)
Leslie's laptop was stolen from a car outside of a nightclub. He claims that it had "so many amazing music & visual projects" that the $20,000 reward is nothing in comparison.
Besides his music, he also had "rare concert footage as well as [his] personal information." You could say that his entire life was on it. The reward amount is unheard of--I've never seen such a big figure for the return of a laptop--so I'm wondering whether he even had backups of his material.
If not, it would have meant certain disaster: this guy is a globetrotter if I've ever seen one, and logic dictates that globetrotters have more problems than most with lost or stolen equipment. The more you're on the move, the greater the chances of losing stuff. It's like a universal law of some sort.
On the other hand, it's quite clear that Leslie couldn't possibly have backups of everything that he does, as he seems to work while on the move.
Hindsight is 20/20, so I'll keep it short and just mention that Leslie ought to have backed up his laptop and used encryption. The backups make sense. But why encryption?
Most artists, at least the ones I know of, hate to have their projects released prematurely to the public, for financial, artistic, and other reasons. I mean, the general round of condemnation by the artists when soon-to-released music gets leaked to P2P networks ought to clue one in.
The use of laptop encryption ensures that there is no such leak if a laptop computer is stolen.
Related Articles and Sites:
http://www.theboombox.com/2010/10/26/ryan-leslie-offers-20k-reward-for-stolen-laptop/
http://hiphopwired.com/2010/10/26/ryan-leslie-offers-20000-reward-for-return-of-stolen-laptop-2222/