AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


December 2010 - Posts

  • Drive Encryption Software: Armstrong Atlantic State University Loses Storage Device, Has Data Breach

    Armstrong Atlantic State University alumni have received letters alerting them of a data breach.  A portable device that stored personal information was stolen in October and the university is recommending that those contacted put security freezes on their credit reports and engage in other forms of preventing ID theft.  While not mentioned, it seems pretty apparent that hard disk encryption was not used to protect the contents of the device.

    Nursing Students Pre-2007 Affected

    The data device was stolen from the health professions building and affects only nursing students who attended Armstrong "before late 2006."  I'm guessing they're referring to any students who attended the institution before the 2005-2006 academic year.  The data breach notification letter is signed by the Dean of the College of Health Professions.

    This is not to say that information on students from later academic years was absent from the stolen portable device.  But, seeing how SSNs were phased out as student ID numbers beginning in late 2006, students enrolled since then are not thought to be potential ID victims.

    Use of Portable Device Violates Policies

    It was observed that the "use of the portable device to store confidential information was a violation of university policy."  Combined with the phasing out of SSNs as student IDs, it's quite clear that the university has put some effort into ensuring they have, if not good, at least adequate, data security.  And yet, I'm not sure they have done all they could have done to ensure a data-secure environment.

    First, there is the fact that no one was disciplined over the use of the portable data device (and hence the violation of policy).  Instead, additional training was provided, which is not a bad thing to do; however, not handing out some form of punishment for violations of policies tends to imply that the policy is to be flouted.

    Second, there is the fact that prior to the theft of the device, there were reports of other petty thefts in the health professions building which led to the conclusion that "someone had obtained a key...and gained access when [the building] was closed."  Yet, someone was able to saunter in and steal more stuff?

    Such a lax physical security environment leads to an increased risk of data breaches, since these are often tied to the theft of computer hardware, be it laptops, desktops, external storage hardware, or even computer media such as CDs and DVDs.

    If you're going to have lax physical security, at least ensure that encryption software is being used to help minimize the risk of a data breach.


    Related Articles and Sites:
    http://chronicle.augusta.com/latest-news/2010-12-31/security-breach-savannah-college

     
  • Disk Encryption Software Is Trumped By Private Couriers? Is That What I'm Supposed To Conclude?

    I ran across a weird requirement by the CDPH, the California Department of Public Health, today.  According to an article, the CDPH "requires the state to use a private courier instead of the U.S. Postal Service for" transporting sensitive material.  I don't understand.  If they want to protect sensitive material, wouldn't it be better to use drive encryption or some other form of cryptographic technology, such as those provided by AlertBoot and others?

    It's Protocol

    I was reading an entry over at the HIPAA Blog where the author linked to an article and observed:

    Sometimes the Regulators Screw Up, Too: The California Department of Public Health used the mail when they should've used a private courier, and lost some data. I wonder how much they're going to fine themselves.

    Now this didn't make sense to me because:

    1. I'm under the impression that regulators screw up all the time, not just sometimes.  Well, OK; nearly all the time.
    2. No regulator is going to fine itself - nothing to wonder there.
    3. What does a private courier have to do with anything?

    Obviously, the first two are tongue-in-cheek (although less so for #2).

    I clicked on the link, and presto, it leads me to a story I had commented on -- the loss of a medical data tape by the CDPH.

    The story by healthleadersmedia.com has some additional details that I didn't know at the time I wrote up the post, but the most shocking piece of information I obtained was the CDPH protocol I quoted at the beginning of this post.

    Why the requirement to use a private courier, such as UPS or FedEx?  I mean, the point of their service is not better rates of successful deliveries.  The point of using private couriers is to get stuff to the destination, faster (and at a hefty premium, I should add).

    Why is it Protocol?  Better Security?

    Here are some of the stories I've covered over the years where a private courier lost stuff (and was the reason for a data breach):

    I'm pretty sure there are others, but I couldn't find them with the limited time I have.  And, remember, I generally cover instances where digital data is lost.  Instances where regular mail or packages are lost are not covered at this blog.  But Google does a great job of searching them up.

    As the above evidences, "private courier" is not tantamount to "security" -- whatever that might mean under the circumstances.  How a department that is tasked with overseeing data security manages to drum up this particular protocol is beyond me.

    If you want security for your digital data, and it's being handed over to a proxy until it arrives at another secure location, there is no method of guaranteeing security other than using encryption software.  With a private courier service, you're just kidding yourself (at a premium rate, I might add).


    Related Articles and Sites:
    http://hipaablog.blogspot.com/2010/12/sometimes-regulators-screw-up-too.html
    http://www.healthleadersmedia.com/content/TEC-260264/CDPH-Reports-Big-Data-Security-Breach##

     
  • USB Drive Encryption: Korean Military Loses USB With Military Exercise Plans

    News from the Korean peninsula: An Army major lost a USB flash drive containing military secrets, lied about it, and his superiors tried to hush up the case when the true details surfaced.  I don't know that this would be less scandalous had the contents of the memory stick been protected with drive encryption software like AlertBoot.

    Lies, Damned Lies, and Fabrications

    According to the English article at yonhapnews.co.kr, the Army major was stationed at the front-lines of Gangwon Province in South Korea.  (For those who are not aware, Gangwon is the land that borders North Korea at the 38th parallel.)

    He is accused of lying about losing a "portable drive" in July and of his superiors trying to hush the case.  The Korean version of the article gives us more details.

    According to the Korean version, the major lost a USB drive which contained military training plans and other classified secrets (one level short of being top secret), such as the organizational hierarchy of his military regiment.  Unable to find the missing USB after a month of searching, the major bought an identical USB memory stick and presented it to his superiors as the one he had lost.

    The major noted that the USB stick was so damaged that it should be discarded.  (Did the major perhaps take the device and break it on purpose?)

    Another officer, who's asked for anonymity, found out that this was quite the fabrication and alerted his superiors as well as the Defense Security Command.  He never heard back from the DSC.  As for his superiors, they noted that -- and I'm trying to translate it as closely as possible from its Korean counterpart -- "it's not problematic that the missing USB stick does not reappear."

    Huh?  What?  I mean, technically, the missing USB device wouldn't reappear if a North Korean spy had it in his hands...

    Hm...Was It Perhaps Encrypted?

    I can see how one could claim that ("not a problem!") if encryption software had been used on the still missing USB.  On the other hand, I doubt this was the case.  Had an encrypted USB drive been missing, things would have been on the up-and-up.  Why try to hush up anything?  The encryption is there in case things get stolen or go missing.

    Instead, we've got this guy who went out there and bought an identical device to assuage the situation.

    That's never good.

    Related Articles and Sites:
    http://media.daum.net/politics/view.html?cateid=1068&newsid=20101230083412613&p=yonhap

     
  • Data Encryption: Bottled Civil War Message Used Vigenere Cipher (Updated)

    Today, a little detour from modern disk encryption stories to take a look at a centuries-old message.  If you're into cryptography, the American Civil War, or both, you might have heard that a US Civil War message was recently cracked.  The message was coded using a Vigenere cipher which has been around since at least the 1400's.

    The best write-up of the story is with Steve Szkotak for the Associated Press, and you can find it either here or here.

    Update (30 DEC 2010): Looks like the readers over at schneier.com happened upon this post when searching for more info on the story.  Being the crypto-buffs that they are, they have lots of useful links, including this one at Left Coast Rebel where it's shown how the message is deciphered using the secret keyword (not revealed on this page, since it would be a spoiler to anyone trying to figure it out).  They also pointed out that my transcription of the coded message below was full of errors, which I readily admit to; that's why I included a link to a big scan of the original message.  You can find the correct transcription by clicking the schneier.com link and looking in the comments section.

    The Bottle and the Bullet

    The encrypted message, which we'll cover shortly, was inside a corked glass vial along with a bullet.

    The bullet, it's theorized, served as a weight to sink the message to the bottom of the Mississippi River in case the messenger got intercepted.  Makes sense: cork floats.  It's also an effective sealant (think wine bottles) so the glass vial would float due to the trapped air as well.

    The weight of a lead bullet could easily override the sealed vial's buoyancy, ensuring the message is lost forever: while the Mississippi might be a big river, there is a limit to how far one can throw.  Thus, it wouldn't be too hard to visually follow and eventually retrieve a 2-inch floating vial, assuming the waters were calm.

    If I may digress, despite the fact that the message was protected with encryption -- a weak one by today's standards, but still pretty tough to break by hand -- the Civil War general still took pains to ensure the message is destroyed should anything untoward happen to the messenger.  The need to do so is as true today as back then.  That's why computer data security manuals recommend the destruction of a decommissioned computer's hard drive that stored sensitive data, even if it is protected with encryption software.

    The Civil War-era bottle, and its message, lay with the Museum of the Confederacy since 1896 but no one thought of looking at the message until this year.  In fact, it was left alone for so long that collections manager Catherine M. Wright used the services of an art conservator to open the bottle and extract its message, and another to unfurl it from its folded position.

    That's when she found that the message was encrypted.  Wright's attempt to figure out the contents came up empty-handed, and she contacted a retired CIA code breaker, David Gaddy, to work on it.

    The Message

    I've managed to find a big image of the original message at the washingtonexaminer.com.  It seems to read (the original was in capital letters):

    stan witviivz dtg cnp lbnxok oz bjqb feqt feqt xzbw jjoa
    tk fhr tpzwk pbw rvsq vowpzxqq oedh ek waskipw plvo
    jkz hmn nvaeuo xve dwaj boypa sk mlv fyyroelvpl
    mfysiu xy fqeo npk m obpc fvxjfhoht as etov b ocajosvqu
    m ztzv tpjy daw fqti wttj j dqgoaia flwhtxti qmtr
    sta lvlflxfo

    To be honest, I'm not sure if the above is correct (I transcribed it incorrectly; see the update above) because the letters are slightly hard to figure out in the scan of the original.  The writer of the coded message sometimes dots his i's and sometimes doesn't, and his E's and F's look remarkably similar, especially where the ink blurred.  His U's and V's are also hard to tell apart.

    Regardless, Gaddy managed to break the code.  It took several weeks to break by hand and it reads:

    "Gen'l Pemberton:
    You can expect no help from this side of the river. Let Gen'l Johnston know, if possible, when you can attack the same point on the enemy's lines. Inform me also and I will endeavor to make a diversion. I have sent some caps (explosive devices). I subjoin a despatch from General Johnston."

    You'll notice that the name Johnston shows up twice in the message.  If you look at the original, you won't find a repeating string of letters matching the length of the name.  This indicates that we don't have a simple substitution (where the alphabet is shifted a set number of places, so that A is D, B is E, C is F, and so on.)

    So what was used?  The South made use of the Vigenere Cipher during the Civil War, according to the article by Szkotak.

    Vigenere Cipher

    The Vigenere Cipher (Wikipedia explanation and the CryptoMuseum explanation) is a fortified Caesar Cipher, the latter being the simple substitution I described earlier.  Vigenere is complicated enough that it was at one point known as the "indecipherable cipher."  In fact, it's one of the first instances where a secret key is used to encrypt and decipher a message, a concept that is still used in encryption today (now known as the encryption key).

    How does the Vigenere Cipher work?  Basically, a total of 26 Caesar Ciphers can be used:

    A   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    B   B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
    C   C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
    ...
    Z   Z A B C D E F G H I J K L M N O P Q R S T U V W X Y


    The first cipher has no shift (i.e., it's a normal alphabet; technically, it's not a cipher).  The second is shifted one place (so B is now A), the third is shifted two places (so C is now A), and so on until Z.  These are all Caesar Ciphers.

    When encrypting a message under Vigenere, say, "this is a secret message" you choose a secret key, a.k.a, a secret word.  If the secret key is "cab" then using row C, the first t of "this is..." becomes a v (the 20th letter for row C).

    The next letter of "this is..." is h, the 8th letter in the alphabet, and now we use row A (A is the second letter in cab).  Since it's a normal alphabet, h remains an h.  Using the same, the i in "this" becomes j because of its position in row B.  So,

    "This  is  a  secret message" becomes
    "Vhjk si  c   sferfv   mfusbie"

    The beauty of this method is that the same letter in the original message can come up as multiple letters when encrypted (the s shows up as a j, i, and s in the encrypted version), so you can't work your way backwards to figure out the message.

    How to Crack the Cipher

    There are ways of cracking the cipher; the Vigenere is not as unbreakable as it first appears.  The second half of this page goes into the theory and process (I first encountered the method in Simon Singh's highly-readable The Code Book).

    One thing to note: if the message is short and the secret key is long, chances are it would be impossible to crack the message.  About the only way to crack it in that case would be to stumble upon the key by accident.

    Although how Gaddy broke the encryption hasn't been revealed, I'm assuming his efforts must have been considerably aided by the fact that the message in the bottle, while encrypted, showed how long each word was.

    The English language has only two variations of one-letter words -- I and A -- and also limited sets of two-letter words -- if, on, in, to, us, we, as, no, by, be, etc.  So, I would assume Gaddy would have started the attack here.

    Had specialized analytical software been used, the process would have been finished in hours, perhaps minutes, as a computer churns out the possibilities.  Hook up the results so each word is scanned against a dictionary, and when, say, 80% of the cracked words in the message are found in the dictionary, you alert the person (80%, to account for misspellings, words not found in dictionaries, etc.)

    As mentioned previously, it took Gaddy several weeks to break it manually.  Based on what we know of the message's contents, imagine the level of security that the encryption provided: by the time the message had been intercepted and decoded by Union forces, it would have been useless!

    The Aftermath

    Pemberton surrendered.  His raising of the white flag is generally considered as the beginning of the end for the Confederates.  In fact, that might explain why the bottle still had the message inside of it:

    The Confederate messenger probably arrived to the river's edge and saw a U.S. flag flying over the city [of Vicksburg, which Pemberton was defending].

    "He figured out what was going on and said, 'Well, this is pointless,' and turned back," Wright said. [macon.com]


    Related Articles and Sites:
    http://gawker.com/5718584/cia-codebreaker-decodes-civil-war-message-147-years-too-late
    http://www.allvoices.com/contributed-news/7721551-the-decoded-civil-war-message-said-no-help-is-on-the-way/content/69395363-vicksburg-unknown-graves-from-the-civil-war

     
  • Data Encryption Software: UK Calderdale and Huddersfield Foundation Trust Announces Breach (Updated)

    The theft of a computer means breach disclosures to 1,500 patients that were treated at Calderdale Royal Hospital.  It appears that disk encryption software like AlertBoot was not used to protect its contents, resulting in the breach of data (password protection was used, but this is a poor substitute for encryption software).

    Update (02 MAR 2011): It is now believed that the theft of the computer was an inside job [http://www.examiner.co.uk/news/local-west-yorkshire-news/2011/03/02/patient-personal-details-will-now-be-encrypted-after-laptop-theft-say-hospital-bosses-86081-28266278/].

    Computer Stolen From Locked Office

    The medical director overseeing the hospital had this to say:

    At the end of November it was found that part of an electromyography (EMG) machine, a computer which drives it, had been taken from a locked office in the neurophysiology department at Calderdale Royal Hospital ... We have written to some of the department's patients because limited personal data, such as names and dates of birth, was on the password protected computer. [zdnet.co.uk]

    This is not a surprising occurrence.  First, the NHS has had numerous data breaches over the years involving lost and stolen computers and other storage devices.  In fact, there's a case in there where a laptop was stolen from a locked cupboard in a locked office, if memory serves.

    Second, even if this were the first such occurrence for NHS, it certainly wouldn't be unheard of elsewhere.  People break in to steal stuff?  Who'd have thought of it?

    I still cannot believe that we're still reading about instances where NHS computers trigger a data breach because the contents of those computers were not protected with computer encryption software.  I mean, is it too much to ask?

    Sometimes, Yes

    I assume that there are computers out there that are part of medical equipment that are used in the gravest of emergencies.  In such cases every second counts, which is why such equipment is designed to be as error-free as possible.  I'm not only referring to its uptime -- whether the equipment will fail when most needed -- but also to its operability: will trained and un-trained people alike be able to use it correctly?

    Take for example the heart defibrillator: it's used when someone is having a heart attack, and the last thing you want is someone losing valuable seconds deciding, "uh, what does this knob here do again?"  These machines don't come with a computer in them (hmm...maybe this one from Philips does), but assume that they did and that they stored patient information.  Do you really want doctors having to mess around with encryption passwords?  Clearly encryption is not a good idea in such a machine even if someone boneheadedly decided to infuse the equipment with sensitive data, somehow.

    So, again, there are instances where having encryption software protecting access to a machine is not a good idea.  On the other hand, an EMG machine doesn't sound like something that would constitute an emergency piece of equipment.  And, since it does store patient data, why not do the right thing and protect the data that is stored in the computer that works with it?

    We already know that people other than Houdini can make their way into locked offices.


    Related Articles and Sites:
    http://www.zdnet.co.uk/news/security/2010/12/23/hospital-trust-reports-data-breach-to-1500-patients-40091245/?s_cid=938

     
  • Email Encryption: Geisinger Health System Has Data Breach (Updated 30 DEC 2010)

    Even if you use full disk encryption like AlertBoot security software on your computers, there are ways for information to leak out.  One common way is via e-mails, as Geisinger Health System found out.

    Update (30 DEC 2010): According to this link the doctor who caused the breach at Geisinger no longer works for the medical center.  It's not specified whether he resigned, got fired, etc.

    3,000 Affected, Doctor Wanted to Work from Home

    A gastroenterologist emailed to himself a file with medical information on nearly 3,000 patients.  Apparently, the doctor wanted to finish a medical analysis from home.  The breached information included patient names, medical record numbers, procedures, and physician impressions.  These are some of the most basic pieces of information that constitute PHI (protected health information) and require safeguarding under HIPAA.

    It did not include telephone numbers, addresses, SSNs, patient account information, or any other information that would lead to financial fraud.

    The information was not protected with encryption software before being sent, which is why Geisinger had to notify the patients under the HITECH Act which amended HIPAA: if electronic PHI is lost or stolen, and it wasn't protected with encryption, full disclosure is to be made to the patients and to the HHS, which oversees and enforces the implementations under HITECH.

    Why is Emailing a Problem?

    It should be pointed out that the doctor's file arrived at its intended destination.  So, where is the breach?  I mean, the doctor could have easily copied the information to an encrypted external hard drive and used that on his home computer, which would have amounted to the same thing.  Email is just another way of transporting the data, right?

    Right.  But, it's a data breach because of the way email works.  When an email is sent it bounces from server to server until it reaches its final destination.  Technically, any servers that bounced the message can look into the contents of that e-mail.  Plus, the ISP that the doctor uses would have a copy of the e-mail as well.

    Seeing how many unauthorized people (technicians working at ISPs and whatnot) theoretically have access to this information, sending a file without encrypting it first is a bad idea.  And this is not an unsubstantiated fear.  For example, last month the world was stunned (and alarmed) to find that 15% of all internet traffic went through China for a full 18 minutes earlier this year.  It even caught the attention of the Pentagon.

    Plus, there is also the improbable possibility that the ISP's machines have been compromised, so this medical file could be compromised as well without the power of encryption safeguarding it.


    Related Articles and Sites:
    http://www.phiprivacy.net/?p=5368
    http://www.beckershospitalreview.com/healthcare-information-technology/health-information-of-3k-geisinger-patients-disclosed-in-unencrypted-email.html
    https://webapps.geisinger.org/ghsnews/articles/Geisingerinformspatientsof8477.html

     