AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

January 2011 - Posts

  • Laptop Encryption Software: Computers Stolen From Bend Ophthalmology In Oregon

    An eye clinic in Bend, Oregon was burglarized, leading to the theft of five computers.  It is not yet known if there was any sensitive information lost, and if so, whether hard drive encryption like AlertBoot was used to protect the information.

    Three Laptops, Two Desktops Stolen

    This is one of those stories that exemplifies not only the need for data protection applications like encryption software, but also that they be used on both portables and "non-portables" alike.  The facts of the story are as follows.

    Three laptops and two desktop computers were stolen between last Wednesday and Thursday.  The burglars threw a "lava rock through a sliding glass door" and unscrewed an "exterior light fixture," to make it less apparent that the glass was broken.  (In fact, my guess is that the bulb was removed first, the door smashed after.)

    That's pretty much it.  It's pretty surprising that we know what kind of rock was thrown against the door, but not whether sensitive data was stolen nor whether there was adequate protection on those computers.  Lord knows there wasn't adequate protection for the establishment: a glass door?

    Are Glass Doors HIPAA-Compliant?

    If the physical barrier to a building with plenty of valuables is a glass door... well, you'd better be a police department or the headquarters of the NRA or some place that screams you just *try* stealing from us (meaning, of course, don't try).  Otherwise, what's the point of having a door?  Well, besides the time-honored objective of keeping out the natural elements like snow and rain.

    On the other hand, who am I to judge what type of design you favor in terms of architecture?  If you want sliding glass doors because it makes your business venue look that much more inviting, accommodating, professional, or even luxurious, well, that's your prerogative.

    A medical facility, however, must also keep in mind that they've got a number of laws and regulations that they have to comply with.  The big one, for example, is HIPAA.  This particular federal regulation forces medical entities to protect confidential, sensitive private information, which can range from medical treatment to medical billing info.

    While I'm not sure whether a glass door would be considered adequate physical security under HIPAA, I do know that the use of computer encryption is definitely an allowed (and encouraged) form of protecting patient health information.


    Related Articles and Sites:
    http://www.ktvz.com/news/26656618/detail.html

  • Wallet Protection: Dunhill's Biometric Wallet

    Have you seen the $825 wallet yet?  From Dunhill, it's a carbon-fiber covered bill keeper with a biometric fingerprint reader.  Apparently, there's no other way to open it, unless you use a blunt or sharp instrument, destroying whatever might be inside of it (a hacksaw can probably cut through it, also cutting the cards and dollar bills along with it).

    Terrible Solution?

    The wallet looks nice enough, but it feels like a half-arsed solution.  If you go over to the Gizmodo post on the wallet, you can read plenty of commentary on why this is a bad idea, starting with the price tag.  But, let's assume you get this for free; would you still use it?  I wouldn't.

    • My wallets traditionally look like George Costanza's from Seinfeld fame.  The biometric security can't help if you can't close your wallet.
    • Biometric security and Bluetooth connectivity?  This thing uses batteries.  I forget to recharge my phone once in a while.  Don't you?

    Plus, what about it exactly makes your money secure?  Like many have noted, all you need is something like a hacksaw to get into it.  Sure, your credit cards will also be sawed in half, along with any C-notes you've got in there.

    But, you can just tape your bills and use them (or have them exchanged for fresh, intact ones at any bank).  As for the credit cards, it's not a problem if you decide to use it on-line.  All the numbers will be there on the front, and the CVV will be on the back.

    Actually, now that I think about it, why not just saw the extremities?  The cards will not be touched at all, although I don't know if I can say the same for greenbacks.

    I Rag on Biometrics

    I rag a bit on biometrics, perhaps unfairly so.  After all, it's not that there is no use to biometric solutions or that they're inherently bad.  It's just that biometric solutions in and of themselves are not security solutions.  Generally, a biometric solution is nothing but a high tech key.  Do you feel that your house is better protected because your door key is made of a nearly indestructible graphite-titanium combo?

    Of course not.  You'd probably feel safe if the lock were a double dead-bolt, the keyhole un-pickable, the door made of 12-inch steel, etc. even if the key were made of frozen gummi bear tears, not the world's most secure material.

    And that's my source of frustration.  If you have a laptop with biometric access, is the data on it as secure, less secure, or more secure than a computer secured with laptop encryption that can only be accessed by typing in the correct password?

    The correct answer is "less secure," because biometric access is to password as what is to encryption?  Nothing.  There's nothing protecting the data.  And yet, everyone's like, "biometric?  Ooooohhhhh, it must be really secure...."


    Related Articles and Sites:
    http://gizmodo.com/5746126/paranoid-about-theft-try-this-biometrically-secured-carbon-fiber-wallet

  • Disk Encryption Software Protected 10 Stolen Irish Revenue Laptops

    Today is Data Protection Day in Europe.  As such, it's the day to show an example of how to do things right when it comes to data protection.  Three men have done us the honors by stealing 10 laptops from an Office of the Revenue Commissioners in Dublin, Ireland.  Why is this a great example of how to secure data?  The computers were protected with laptop encryption software, as well as chained and padlocked to their desks, and everything was recorded.

    Yeah, it didn't prevent the laptops from getting stolen.  At least, there won't be much to this particular "data breach."

    Emergency Entrance Forced

    Three hooded men forced open a side entrance to offices of the Revenue Commissioner at Ashtown Gate on Navan Road around 7:15 PM.  They stole ten laptops, all of them chained and padlocked to their desks.  Thankfully, encryption software is used on all laptops as a matter of policy.

    While it hasn't been revealed yet what the laptops contained, in all likelihood they contained tax-related information, such as names, addresses, whatever Ireland uses for tax IDs, annual earnings, etc.

    I'm not sure where techeye.net got their information, but they had this to say:

    Revenue officials are not yet clear on what was on the laptops, but it is likely that the robbery was designed to hide information relating to taxes paid or owed by an individual or company as part of a larger fraud cover up.

    That's a little too much conspiracy theory for me (Apparently, I was rash in assuming this was being spread around by people wearing tin-foil hats.  Officers at the revenue agency feel the same way).

    Encryption Saves the Day

    There's a saying that a chain is as strong as its weakest link.  In this case, there were a couple of "weak links."  First and foremost is the emergency entrance.  Why'd the thieves force their way in via this particular door?  Because it's generally easier to force.  An emergency door, by definition, has to be easy to open.  This means that you can't make it as secure as you want it to be.  No deadbolts on those, for example.

    (Of course, it sounds funny calling an emergency door a weak link or a security risk; you can't not have emergency doors.  History shows us that's not a good idea.  On the other hand, strictly from a security perspective, it cannot be anything but a security risk.  Imagine putting an emergency door inside a bank vault, in case someone gets locked in.  Sounds like a bad idea, right?)

    Then there are the padlocked chains.  Certainly sounds secure, but I'm assuming it's one of those lockable computer cables which aren't that hard to get rid of, given the right tools and enough time.  That caveat also works for actual chains and actual padlocks, actually.

    Physically securing objects is an important part of data security: if you can't remove a laptop, there is no data breach.  Unfortunately, physical security has its limits in everyday settings.  That's why if you're looking to secure data, more specifically digital data, then you need to use encryption (the physical security becomes less of a data security tool and more of an asset security tool).

    Certainly, given enough time, encryption can be broken as well.  However, the time we're referring to runs into the hundreds of years, if not more.


    Related Articles and Sites:
    http://www.rte.ie/news/2011/0128/revenue.html
    http://www.thejournal.ie/revenue-laptops-stolen-2011-01/
    http://www.techeye.net/security/10-laptops-stolen-from-irish-tax-office
    http://www.businessandleadership.com/business/item/28092-laptops-stolen-from-revenue/

  • Laptop Encryption Software: UIT Phoenix And Warner Pacific College Notify NH AG About Data Breach

    Databreaches.net has posted a couple of links to information security breaches tied to a couple of institutions of higher learning.  Both notified the New Hampshire Attorney General's office of the breach, and in both cases laptop computers with Social Security numbers were stolen.  While specific details differ, both are instances where the use of full disk encryption like AlertBoot would have prevented a breach.

    UIT Phoenix

    Universal Technical Institute of Phoenix has announced that a password-protected computer was stolen from UIT offices on November 18, 2010.  The computer contained a file with personal data -- names and SSNs of 98 student applicants -- which was not protected with encryption software.

    Warner Pacific College

    Warner Pacific College announced that an employee's laptop computer, issued by the college, was stolen during a residential break-in on January 3, 2011.  Not much detail is offered besides noting that 1,536 individuals are affected and that personal information was present in the laptop (student names, addresses, dates of birth, phone numbers, and SSNs).

    It was pointed out that the burglary seemed to be an "ordinary" one, with various high-priced items stolen.  Data was not the objective behind the theft; on the other hand, there doesn't appear to be anything preventing the thief from checking out the laptop's contents (there is no mention of whether data encryption programs were used or not).

    Comparisons

    If we were playing the comparison game, I'd have to congratulate WP over UIT for acting fast: they notified affected individuals within a month, whereas UIT Phoenix appears to have done so almost three months after the fact, despite the latter having to contact fewer people.

    On the other hand, UIT's breach was smaller, 98 vs. 1,536.  Plus, their unencrypted laptop was stolen from their offices, whereas WP's (I assume unencrypted) laptop was stolen from a staff member's residence.

    In fact, if that laptop did not feature encryption protection, I have to wonder what administrators at WP were thinking.  After all, stories of data breaches are legion, and it includes countless academic institutions, ranging from elementary schools to the most prestigious halls of academia like Georgetown. 

    The more things change, the more they remain the same.


    Related Articles and Sites:
    http://www.databreaches.net/?p=16548
    http://www.databreaches.net/?p=16552

  • Portable Hard Disk Encryption: NC Dept Of Health And Human Services Loses External Computer Disks

    The North Carolina Department of Health and Human Services (DHHS) has announced a data breach.  While they're playing it as probably being inconsequential, it is a data breach, and under NC Senate Bill 1048, DHHS has to alert people of the data breach unless the information was secured, such as with drive encryption software from AlertBoot.

    Division for the Deaf and the Hard of Hearing

    DHHS has announced that computer disks belonging to the Division of Services for the Deaf and the Hard of Hearing (DSDHH) are missing.  It is their belief that the missing disks ended up at a local landfill, the result of a recent office renovation.

    The disks contained information that is "accessible only using special software."  It was not revealed what type of information could be found on the disks.  The DHHS has only divulged that those who applied for DSDHH services between January 2005 and December 2008 are affected.

    The disclosure -- at least, the public one; who knows about the notification letters sent to those who were affected? -- is not very helpful.  The missing disks could be at the landfill, but who's to say they weren't stolen while offices were being renovated?  And if so, should one be concerned about the data in those disks?  We don't know.  Were the devices encrypted?  We don't know.

    North Carolina Has a Data Breach Law

    It wouldn't be illogical to suppose that encryption software (centralized disk management software: http://www.alertboot.com/disk_encryption/central_encryption_software_management.aspx) was not used, since the DHHS is going public with the breach: NC has a personal information breach disclosure law, and the only way an organization can legally avoid going public with a breach is if it used encryption.  (On the other hand, the law doesn't prevent them from going public even if encryption had been used.)

    One thing that bothers me is the "special software" language.  Normally, I would have taken it at face value, that some obscure software package would be necessary to access the data.  However, I recently ran into this story, where a company claimed that sensitive files were saved in a format that was not easily accessible.  The format?  TIFFs, which are image files that can be opened with the most rudimentary image viewing software, including web-browsers.

    And, unfortunately, it makes me kinda wonder...


    Related Articles and Sites:
    http://www2.wnct.com/news/2011/jan/26/2/dhhs-alerts-clients-missing-records-ar-727598/

  • Information Security: FaceBook Using HTTPS And Social Authentication Captcha

    Various sites have covered FaceBook's new data security measures.  First, there is the use of https (with an "s" at the end) connections.  The "s" stands for "secure," and in this case security is provided in the form of data encryption, which is what powers AlertBoot endpoint security software.

    Second, there is an update to the use of captchas.  Instead of identifying squiggly, hard-to-read words, you identify your friends to prove that you're human.

    HTTPS

    What's the difference between "http" and "https"?  That little "s" stands for "secure", and is a combination of the regular http with SSL/TLS.  In short, all your communications between your computer and FaceBook's servers are protected with cryptographic security.

    This means, for example, that your internet service provider cannot read your communications (under regular http, it would be possible).  While the risk of your ISP surreptitiously creating copies of your status updates is hardly something you generally need to worry about, there have been instances where security was a concern.

    Over the weekend, for example, FaceBook was able to confirm that the entire country of Tunisia was recording FaceBook users' login credentials.  This was easily rectified by redirecting all Tunisian users (based on their IP address) to a secured login page.

    Why isn't https used by default?  Well, the connections could be a bit slower due to the extra time required to encrypt and decrypt the protected information.  This can be resolved with extra hardware, but when you've got over 500 million users, "extra" means lots of additional capital.

    Social Authentication

    Many sites have already covered FB's new Social Authentication: it shows you pictures of your friends and asks you to identify them.  It uses the fact that pictures can be tagged with people's names, which are linked to their actual FB profile.

    If you can identify your friends correctly, you're in.  If not, maybe "you" are some hacker in Australia that managed to gain someone else's username and password.  Of course, there are critics: what if your friends make it a habit to tag gummi bears with their names, or if one of your friends tries to break into your account?  Your friends are his friends.

    Not much can be done about the latter.  For the former, it looks like up to three pictures will be shown, so unless one of your friends makes it a habit to tag all pictures of gummi bears as "him," there should be very little confusion.

    What I really like though, and I'm inferring based on some screenshots, is that it seems FB's Social Authentication will ask you to identify a sequence of 5 friends.  Furthermore, it offers you 6 names per friend to be ID'ed.  If you do the math, and assuming you have to get all of your friends ID'ed correctly, there is a 0.0129% chance of someone guessing it correctly by pure chance.  Those are odds I can live with.  Of course, it also means that around 60,000 accounts out of 500 million will also be accessible due to chance alone, but it would require that person to have 500 million valid user login credentials.

    As security goes, it's not a bad idea.


    Related Articles and Sites:
    http://www.pcmag.com/article2/0,2817,2376670,00.asp
    http://www.webpronews.com/topnews/2011/01/26/facebook-introduces-secured-connection-social-authentication-security-features
