AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


November 2010 - Posts

  • Hard Disk Encryption: WikiLeaks has Bank Of America Executive's Hard Drive?

    After embarrassing the US government, it looks like WikiLeaks may be looking to turn its sights on the corporate world.  Media concerns around the world are speculating that Bank of America might be next on WikiLeaks's list, seeing how WikiLeaks founder Assange had announced that a large bank would be the next target and the fact that, last year, Assange had admitted in passing to be "sitting on 5GB from Bank of America."  Laptop encryption software anyone?

    We Have BofA Executive Hard Drive

    Apparently, the Bank of America heard the rumors as well.  Per cnbc.com:

    "More than a year ago WikiLeaks claimed to have the computer hard drive of a Bank of America executive. Aside from the claims themselves, we have no evidence that supports this assertion."

    This claim, from a year ago, was also quoted by cnbc.com:

    "At the moment, for example, we are sitting on 5GB from Bank of America, one of the executive's hard drives," [Assange] said. "Now how do we present that? It's a difficult problem. We could just dump it all into one giant Zip file, but we know for a fact that has limited impact. To have impact, it needs to be easy for people to dive in and search it and get something out of it." [my emphasis]

    Maybe I'm reading too much into it, but it sounds like WikiLeaks has in their possession an entire hard drive belonging to a BOA executive.  This raises a number of questions:

    • Was encryption software like AlertBoot endpoint security used to protect the drive?  If not, why not?
    • If encryption was used, how did WikiLeaks manage to get past it?
    • What kind of hard drive has only 5 GB of capacity?
    • Does WikiLeaks mean they have a BOA executive's hard drive, and that it contains 5GB of sensitive material?

    Full Disk Encryption - Would It Have Been Useful?

    As this and other incidents show, the use of disk data encryption is recommended if you're carrying significant amounts of sensitive data, be it on your laptop, backup tape, external hard drive, or other type of data storage medium.

    For the most part, the use of cryptography keeps organizations from experiencing a data breach, which is just a stepping stone to the real fallout of an information security incident: fines, legal action, letters of apology, consumer revolt, loss of competitive advantages, etc.

    For the most part, though.

    For example, when it comes to WikiLeaks, we have to assume that, encryption or not, the whistle-blowing site has access to the data.  I mean, it's a site dedicated to whistle blowers.  A whistle blower is generally an insider.  Insiders who blow the whistle tend to step forward with evidence in hand.  Hence, assuming it was a BOA executive that submitted the evidence, one would assume that any passcodes to the (presumably) encrypted data would also be revealed to WikiLeaks.

    Encryption cannot help you if an insider with access is involved--period.

    And yet, I'd have preferred that the hard drive mentioned above had been encrypted.  Not knowing how it made its way into WikiLeaks, there is always the possibility that someone other than an insider turned in the hard drive.  Plus, there are other ways, besides having your data published on WikiLeaks, that a data breach can negatively affect a company.

    (Ultimately, it's kind of like having a door for your house.  Even if you live in a safe area, nobody makes a point of not having a door.  I mean, you've got to keep the stray cats out, for starters.)


    Related Articles and Sites:
    http://www.cnbc.com/id/40437169/Bank_of_America_May_Be_Wikileak_s_Next_Target

     
  • Data Encryption Software: If So Good At Protecting Data, How To Account For Wikileak?

    The big news today is the release of US diplomatic cables via WikiLeaks.  I've read somewhere--sorry can't produce a link because today's been a blur of Wikileak-related stories--that the leaked embassy missives are classified as "secret," at least.  What this means is that the communiqués were protected with data encryption.

    A friend asked me, if encryption works so well, how can you explain WikiLeaks producing all this information?

    Insider Leak?  Vulnerability in the System?  Who Knows?

    It's obvious that someone leaked the information to WikiLeaks.  What's not so obvious is whether an insider to the US government did so or otherwise.  This observation is in sync with how encryption software can protect data...and how it cannot.

    Encryption cannot protect against data breaches when insiders that have access to the data are involved.  For example, an IT administrator working at the highest echelons of the CIA with the appropriate security clearance decides that he'll leak all this info before calling it quits, a decision that he came to just today.  The man has access to the data because he knows the passwords for accessing the encrypted content.

    This data breach cannot be prevented, short of someone figuring out the soon-to-quit employee's motives and stopping him from copying the data to another medium, such as a distant server, a USB stick, a DVD, etc.

    Even if insiders are not involved, however, it is possible for outsiders to gain information (possible but unlikely in this case).  A common way is to plant keystroke logging software in a computer, recording a computer-user's click-clacks from beginning to end.  This way, one can either gain access to the passwords required for accessing data, or one can just dispense with breaking in because he already has a copy of all the words typed.

    Is Encryption Useful At All?

    Yes, of course it is.  The reason why WikiLeaks's diplomatic cables are so fascinating is not because it comes from the government.  I mean, would you find DMV paperwork as enthralling?  Are you a regular viewer of C-SPAN?  Instead, everyone wants to take a peek because they couldn't do so before.  Because it was secret.

    What kept it secret all this time?  Encryption, plus other data protection technologies and policies.  Anyone who's involved in the encryption business knows there is no such thing as 100% security, in this industry or any other, for that matter.

    Remember, the only secret that is 100% is the one that you keep to yourself and share with no one.

     
  • Data Encryption Ransomware Making The Rounds, Asking for $120

    Graham Cluley at Sophos has sounded the alert on malware that partially encrypts your files and asks for ransom for your data's release.  Another demonstration that data encryption software like AlertBoot is extremely effective at protecting data, although an unpalatable one.

    Encrypts Media and (Microsoft) Office Files

    The malware apparently spreads via "malicious" PDFs, which I assume are PDFs crafted to exploit reader vulnerabilities in order to spread the ransomware.  After the malware installs itself on your computer, it will encrypt the following types of files and request $120 for decrypting them:

    .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx.

    Cluley notes that the easiest way to ID infected files is to take a look at their extension: if the file name is file_name.ENCODED, then you've got a problem on your hands.

    Files are not encrypted in their entirety; however, partial encryption of a file is enough to render it useless, since the file won't open.

    An interesting aspect of the ransomware is that it alerts you NOT to alert anyone about the fact that your files are encrypted.  Plus, it lets you, the victim, know that there is a limited amount of time to send in the $120 before files are deleted (in all likelihood, what they mean is that after X days, they won't send in that decryption key).

    It looks like this latest ransomware is not scareware--i.e., the files are actually encrypted, so there is some bite behind the bark.

    Attacks like this one are not new.  I had covered a similar wave of ransomware making the rounds over a year ago.

    Encryption Software is That Good

    At preventing people from accessing data, that is, assuming they don't have the right access codes for it.

    Time will tell whether this latest threat is a "real" one.  If I recollect correctly, the earlier ransomware actually had mistakes in its coding that allowed it to be reversed without paying anything to anyone.
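    The two indicators Cluley describes, the `.ENCODED` rename and a file that no longer opens because its contents were partially overwritten, can be checked for on a file server with a short scan. The script below is an added example, not code from the article or from Sophos; the target-extension list is the one quoted above, the magic-byte table is an assumption that partial encryption hits the start of a file, and the sample directory it builds is constructed.

```python
"""Scan a directory tree for files touched by the ransomware described above."""
import shutil
import tempfile
from pathlib import Path

# Extensions the ransomware targets, as listed in the article.
TARGET_EXTENSIONS = {
    ".jpg", ".jpeg", ".psd", ".cdr", ".dwg", ".max", ".mov", ".m2v", ".3gp",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rar", ".zip", ".mdb",
    ".mp3", ".cer", ".p12", ".pfx", ".kwm", ".pwm", ".txt", ".pdf", ".avi",
    ".flv", ".lnk", ".bmp", ".1cd", ".md", ".mdf", ".dbf", ".odt", ".vob",
    ".ifo", ".mpeg", ".mpg",
}

# Well-known leading bytes for a few of those formats (assumption: partial
# encryption overwrites the file header, so a bad header means a damaged file).
# Office Open XML files and non-empty zip archives share the zip signature.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04", ".bmp": b"BM", ".rar": b"Rar!\x1a\x07",
}


def scan(root):
    """Return {'renamed': [...], 'suspect': [...]} for the tree under root.

    'renamed' are files carrying the .ENCODED extension the malware appends;
    'suspect' are targeted types whose header no longer matches their format.
    """
    renamed, suspect = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.upper() == ".ENCODED":
            renamed.append(path.name)
            continue
        ext = path.suffix.lower()
        if ext in TARGET_EXTENSIONS and ext in MAGIC:
            with open(path, "rb") as fh:
                if fh.read(len(MAGIC[ext])) != MAGIC[ext]:
                    suspect.append(path.name)
    return {"renamed": sorted(renamed), "suspect": sorted(suspect)}


def demo():
    """Build a constructed sample tree in a temp dir, scan it, clean up."""
    tmp = Path(tempfile.mkdtemp())
    try:
        (tmp / "report.pdf").write_bytes(b"%PDF-1.4 intact body")        # healthy
        (tmp / "photo.jpg.ENCODED").write_bytes(b"\x8a\x11 ciphertext")   # renamed
        (tmp / "budget.xlsx").write_bytes(b"\xf0\x02\x9c header clobbered")  # damaged
        (tmp / "notes.txt").write_bytes(b"plain text has no magic to check")
        return scan(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it against a share before restoring from backup to get a list of which files were renamed outright and which were damaged in place.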


    Related Articles and Sites:
    http://nakedsecurity.sophos.com/2010/11/26/drive-by-ransomware-attack-demands-120
    http://infoworld.com/t/malware/ransomware-returns-if-you-ever-want-see-your-data-again-449

     
  • Cost Of A Data Breach? How About 20 Years Of FTC Supervision?

    The holidays finally gave me the chance to read the Rite Aid decision and court order.  If you'll recall, Rite Aid had settled with the FTC on charges that it had failed to protect sensitive financial, medical, and health information.

    After a public comment period, the settlement was approved.  Nothing out of the ordinary, really.  Essentially, Rite Aid promises to protect the data it previously failed to protect.  Plus, it promises to create and document security procedures, educate employees, find someone accountable for information security, send progress and updated reports to the FTC, etc.

    Again, nothing out of the ordinary.  Except for this:

    This order will terminate on November 12, 2030, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later. [my emphasis]

    This could very well be the ultimate cost of a data breach: having the FTC breathing down your neck for 20 years.

    (As always, I've got to let you know I'm not a lawyer, so I may be swinging blindly here.)


    Related Articles and Sites:
    http://www.ftc.gov/os/caselist/0723121/101122riteaiddo.pdf

     
  • Data Encryption On Tapes And Other Media When FedEx'ing Stuff: If They Can Lose Radioactive Rods...

    Nothing like a weird story for the day right after Thanksgiving Day.  According to reports, FedEx lost (and found) a customer's radioactive rods.  This loss comes as a surprise to me despite FedEx's record of losing stuff.  If this won't convince people to use data security products like disk encryption when sending sensitive data via courier services, nothing will.

    Calibrating CT Scans

    The missing radioactive rods were part of a shipment that contained three boxes, each box containing four rods of Germanium-68.  These rods were used to control the calibration of CT scanners.  While the word radioactive conjures images of Godzilla, these rods emitted low-level radiation.

    Indeed, FedEx's nuclear physicist was quoted as saying, "the exposure from this rod, you'd have to be in close contact with it for 1,000 hours to get a skin blister."  This raises two important questions.  First, FedEx has a resident nuclear physicist? (Yes, they do.  He handles regulatory issues concerning radioactive cargo shipments.)

    Second, how does it fit with the following observation:

    "I don't believe it has the degree of radiation that, if it were opened, your skin would suddenly slop off. But the concern would be, if this got opened inadvertently and someone didn't know what it was and then was repeatedly exposed to it over several days, it could cause a problem with radiation poisoning," [Fox News Medical Contributor Dr. Marc] Siegel said. "The people that use this equipment in a hospital use protective shielding with it."

    Several days is 24 x 3 = 72 hours.  That's a huge difference from 1,000 hours.

    Finding the Rods and What It Means for Data Security

    Thankfully, the rods were found at one of FedEx's facilities.  One of the three boxes had separated from the shipment: it was 10 inches long, weighed 20 pounds, and was unmarked.  The thing is so nondescript that I wonder how FedEx found it.  Geiger counter, perhaps?

    The whole point to this story, and how it relates to encryption software:  While this might be one of those one-off, freakish stories that won't be repeated anytime soon, it shows you how sending packages via a general courier service is not necessarily "safe."  This story is even more pertinent because of the cargo involved: if you think there are some onerous laws regarding data security, you ought to see the paperwork for radioactive materials.

    I'm willing to bet that there were a lot of checks and counterchecks to this particular shipment, and still it ended up lost.  And, I'm willing to also bet that when it ended up lost, FedEx spent more resources than usual in trying to locate it.

    Would they do this for the usual lost shipments?  You know, shipments that don't have the potential to blister your skin after 1,000 hours of exposure from two feet away?

    I'm not saying don't ship your backup tapes, CDs, and portable hard drives via a courier service.  I am saying, though, protect yourself from a data breach: use data encryption programs to safeguard your data in case something happens.  If the above story is possible, then anything less extreme is even more so.


    Related Articles and Sites:
    http://news.slashdot.org/story/10/11/26/1948245/FedEx-Misplaces-Radioactive-Rods
    http://www.knoxnews.com/news/2010/nov/26/fedex-looking-missing-nuclear-rods-headed-knoxvill/
    http://www.foxnews.com/us/2010/11/26/fedex-searches-missing-radioactive-equipment/?test=latestnews

     
  • Was The ICO's Fine Too Small? Or Was It Just Right?

    The UK Information Commissioner's Office's first monetary penalties have left a lot of controversy in their wake.  It's kind of expected for a watershed moment.  Personally, I'm glad no one has stepped up and argued that the companies should not have been fined for not using disk encryption software.

    Penalty is Too Low

    Two organizations were fined.  One of them was Hertfordshire County Council, which was fined £100,000 for two separate instances of erroneously sent faxes.  The other, which I covered yesterday, was A4e, which was fined £60,000 for the loss of a laptop with sensitive information.

    Some state, as in this argument at newstatesman.com, that the fines are too small when compared to the maximum fine the ICO can hand out: £500,000.

    Plus, compare it to the fine that the FSA handed out to a bank when its laptop got stolen:

    When the Nationwide [Nationwide Building Society, a bank based in the UK] admitted to the loss of an unencrypted laptop in November 2006, the Financial Services Authority (FSA) punished it with a fine of £980,000. That despite the Nationwide insisting that the data could not have been used for identity fraud because there were no PIN numbers, passwords or account balances on it.

    In that particular breach, over 11 million customer names were stored on the stolen computer.  There may have been addresses and account numbers as well.  Nationwide had not known that the information was stored on that particular laptop.

    The A4e penalty pales in comparison.

    Penalty is Just About Right

    Others note that the ICO handed out the appropriate penalty.  Stewart at stewartroom.com notes that the nature of the penalty is meant to be symbolic.

    Plus, the ICO is working with a capped amount: Since the ICO knows that it's going to see worse offenders than A4e and the Hertfordshire County Council, it doesn't make sense for the Information Commissioner to reach for the maximum fines.  Stewart also delves into how larger fines could have created grounds for a legal challenge to the fines.

    My Take

    I'm in the "penalty is just about right" camp.  Because the ICO has to work with a capped limit, in this instance, they can't be handing out fines that are close to the potential maximum without creating weird situations in the future.

    For example, let's assume that the ICO had fined A4e £250,000 instead of the £60,000.  If the UK sees a repeat of the 2007 HMRC CD fiasco -- where 25 million people were affected by the loss of two CDs -- how will the ICO explain the fact that it'll be handing out a fine of £500,000, the maximum permitted?  The A4e breach involved 24,000 people which is only 1/1000th of the HMRC figures, but the fine is only doubled?  That sends the wrong message.

    On that same note, comparing a £60,000 fine with the £980,000 is not quite fair.  You also have to take into account the number of people affected.  In the A4e case, the fine amounts to £2.5 per person affected.  In the Nationwide case, the fine is £0.089 per person (that's not a typo -- that's essentially 9 pence).  Put in this frame, which of the two looks fair?

    What I especially love about this entire brouhaha (I'm being sarcastic) is that people are focusing on the appropriate penalty figure, when they really ought to be discussing whether companies will improve their data security based on this latest salvo by the ICO.

    I mean, isn't that what this is all about?

     