in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

July 2011 - Posts

  • Strong Data Encryption Is Protecting My Hacked Data. So Says SK (The Company, Not The Country)

    Ah, nuts.  I knew the day would come when it would happen to me.  Yesterday, I ran across an npr.org story where Korean social media sites Nate and Cyworld were hacked.  I just checked, and I'm one of the 35 million affected.  Thankfully, what most people would generally deem "sensitive information" was protected with data encryption, such as that used in AlertBoot.

    I guess I'll have to keep an eye out for phishing attempts in the upcoming months.

    What was Stolen

    According to the NPR article, the hack originated from China.  The hackers made off with the following:

    The stolen data included user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use.

    I've logged into SK's (the company that operates Nate and Cyworld) website where they have an breach notification with the details.  According to it, the hacked information (or rather, my hacked information) includes:

    ID, name, date of birth, email address, sex, blood type, physical address, phone numbers (wireless and landline), encrypted citizen ID number (aka, SSN), and encrypted password.

    The hack occurred on July 26, and it was confirmed by SK on July 28.  SK maintains that the encryption used in this case is the "highest level of encryption."  I'm hoping that means something like AES-256 or equivalent, the strong encryption for computers that we use over here at AlertBoot.

    Helpful Site

    Aside from the notification, there are warnings about voice phishing and phishing (SPAM).  Plus, there are two helpful tools.

    One is a link for changing your passwords, with the explanation that if a user's hacked password was composed of one's birthdate, cell phone number, or simple number arrangements (I'm guessing something like 1234), it would be better to change them immediately, despite the encrypted nature of the password.

    The idea is that the hackers could use the non-encrypted data to figure out the password.  For example, if your password is your birth date, the fact that your password is encrypted is quite moot because the hackers have your date of birth.

    The other tool is a breach verifier.  You type in your name and SSN/Citizen ID and it lets you know whether you were hacked, and what was stolen.

    What's with the Blood Type?  Do You Need a DNA Test Before Signing Up or Something?

    You might be wondering why my blood type, sex (gender), and SSN, are part of the hacked data.  The implication is that it was collected.  For the former, it wasn't, actually.  It was provided by me.

    In Korea, there is this lore that blood types can predict your personality.  It's actually a Japanese thing.  Regardless, it's a conversation starter.  Hence, it is displayed in social media sites, including Facebook, if you're living in Asia.  (And, yeah, I don't buy it.  Some call it a pseudoscience; I take offense at it being linked to science in any way or form.)

    As for the SSN, defamation laws are very strict in Korea, so signing up for anything on-line pretty much requires an SSN, in case the authorities have to track one down for trouble one creates on the internet.  In fact, signing up for free email accounts required such information.  This trend, however, is dying out due to online hacks such as the above one.

    Am I Concerned?

    Yes, but not overly concerned.  I mean, I know what the risks are, and if I take at face value what SK tells me about my data being encrypted, it looks like I'm on the safe side.  Unlike others who voice doubt about encryption, I see what encryption can do when it comes to data security every day.  It might not be perfect, but the odds of me being safe are very good.

    I mean, it could be worse, such as what my boss faced a couple of years back.  No encryption on that one.

     

    Related Articles and Sites:
    http://www.npr.org/templates/story/story.php?storyId=138775663

     
  • Data Encryption: Tallaght Hospital In Dublin Says It Doesn't Have A Data Breach

    Ireland's busiest hospital has gone into defensive mode after it was accused of having a data security breach.  According to a statement, Tallaght Hospital has notified the Data Protection Commissioner's office because of the allegations.  I find this story very interesting.  It shows that data security is not necessarily about the proper security tools you have in place, like drive encryption software from AlertBoot.  Sometimes, you have allegations of a data breach because of politics.

    The Breach?  We've Decided to Hire...Filipinos?

    As far as I can tell, the entire controversy lies upon the fact that medical transcription work was outsourced to a firm in the Philippines.  It's not that the proper data security wasn't in place, or that no thought was given to data security.  Here's what the hospital has to say about the situation (from rte.ie):

    In a recent letter to the TD, Tallaght Hospital said it had a limited number of medical typists and has outsourced some dictation since 2004.

    The process involves a hospital clinician dialling [sic] codes on a phone and dictating.

    An audio file is created on a server in the hospital.

    This file is encrypted and sent to an outside firm, typed up and sent back to Tallaght the next day.

    Other sources, such as the irishexaminer.com, note that (my emphases):

    ...such data was encrypted and the company concerned was bound by a confidentiality agreement...[it] encrypts the content of the correspondence and no patient identifiers were used.

    And there is also this:

    It is believed that some patients' data was sent to the Philippines for medical reports on Irish patients to be typed up. The hospital said it had found it efficient and cost effective to outsource some transcription services. It said such data was encrypted and the company concerned was bound by a confidentiality agreement.

    So, to sum up, all the files were protected with encryption software -- the strong type, one assumes -- with the personal details stripped out.  These are sent to a company that listens to the audio, types up a transcription, and sends is back (also encrypted, I hope).

    Uh...besides the fact that the work is taking place overseas, where is the data breach?  I just don't see it.  Then there is this observation by a government official:

    Labour TD Robert Dowds, who raised the issue in the Dáil last month, said he found it odd that the hospital found it necessary to out-source the work to the Far East. "You’d imagine important medical letters need to be typed up accurately and close to the source of the information."

    Other hospitals in Dublin recently stated that they were not engaged in a similar arrangement with foreign companies.

    Where are the accusations that the work was not done right, or that quality suffered, or that information was leaked, or that the proper data security controls were not in place?

    As far as I can see, such criticisms or observations are not covered anywhere; the implication being that there is not such criticism.  If so, what does it matter whether the work is done in the Far East, South America, or Mars?

    And, how are "letters being typed up accurately" tied to "being close to the source of the information"? (Which is what, exactly?  The doctor, who's speaking into a tape recorder, essentially?  Under those circumstances, how would "being close" matter?)

    The more I read about the situation, the more I get the feeling that this is not about data breaches at all.  This is not the blog for it, but it seems that there is more afoot, possibly political in nature.

    Now, this is not necessarily a bad thing.  Perhaps it will bring more attention to data security issues, and will clarify what is and is not allowed under the law.  However, from a technical standpoint, I don't see a reason why this should be considered a data breach.


    Related Articles and Sites:
    http://irishexaminer.com/ireland/health/hospital-no-evidence-of-patient-data-breach-162120.html
    http://www.rte.ie/news/2011/0726/tallaght.html

     
  • Computer Encryption With Multiple Logins For Proper Access Control In A Medical Setting

    • Can AlertBoot provide individual login credentials to a shared computer resource?  Yes
    • HIPAA / HITECH violation if passwords are shared
    • Plug: Free webinar for encryption users and channel partners on HIPAA / HITECH compliance

    I was in a meeting with potential clients when they asked if AlertBoot data encryption software would allow multiple logins on a shared, encrypted computer.  Our answer is yes.

    The clients are in the medical field, and as such, have workstations that are shared resources.  Think, for example, of computers in a hospital's nurse's station (for those who haven't been inside a hospital, it's where you can find the nurses).  The station is permanent but obviously the nurses are not.  They have rotating shifts, with nurses at the station 24 hours a day.  Under the circumstances, the computers have to be shared at least between three people (8-hour shifts).

    This presents something of a conundrum under HIPAA / HITECH.  On the one hand, the computers may require the use of full disk encryption to protect the PHI stored inside them.  On the other, though, if the encryption software employed does not support multiple users, it means that passwords for accessing the computers must be shared.

    Violating One Rule for Another

    The sharing of passwords is a violation of HIPAA rules (access control), so depending on one's particular choice of encryption software, he or she has to violate one HIPAA mandate in order to fulfill another one.

    As the above shows, choosing the correct tools to be in compliance with HIPAA / HITECH is not as straightforward as "buying encryption."  And it's not just a matter of access controls, either.  For example, the biggest reason many HIPAA covered-entities are earmarking funds for encryption lies in the safe harbor clause under the Breach Notification Rule found under HITECH.

    If encryption is used, a covered-entity doesn't have go public with a data breach of PHI, protected health information.  If encryption is not used, notice has to be sent no later than 60 calendar days to disaffected patients.  But, there's a catch.

    For the safe harbor to kick in, strong encryption (such as AES-256, which is used in AlertBoot) must be used.  If a weak form of encryption is used -- weak enough that no respectable information security specialist will vouch for it -- you still have a data breach in your hands and you will have to send out those notification letters.

    Free Webinar

    If you'd like to learn more about HIPAA / HITECH and the appropriate use of encryption and other requirements in a medical setting (or as a partner or associate to a covered-entity), you're welcome to join free webinars being conducted by eGestalt and AlertBoot.

    Register today by clicking on the preferred link above.  First webinar starts tomorrow!

     
  • Data Encryption Software: UNLV Announces 2008 Data Breach In 2011

    The University of Nevada at Las Vegas (UNLV) has announced the potential data breach of 2,000 current and former students' information.  The information was compromised, if it was compromised, in 2008.  Would full disk encryption like AlertBoot have helped in this situation?  Possibly.

    2008 Breach Found in 2011

    According to several reports, UNLV has announced that it found evidence of "unauthorized user access" to computers in the Controllers' Office during routine maintenance.  While no financial information was present in these computers, Social Security numbers were present as part of a computer-purchasing loan program.

    The details are sketchy enough that I can't quite tell whether this was an on-line hack (say, by a guy in Belarus) or an insider attack.  You know, where you pull up your chair to someone else's computer and start inspecting files.

    Now, in the former case, the use of encryption software would have helped by cryptographically protecting any important files (assuming that the hacker bypassed other security controls that ought to be in place for an on-line computer).

    In the latter, the use of disk encryption would have helped, assuming that the password was not being shared.  Disk encryption would ensure that information is not accessed by "slaving" the hard disk, and the use of strong passwords (along with rate-limiting and automatic logout after too many unsuccessful attempts) would have prevented an insider attack.

    As of the time of the report, UNLV was "working on how to prevent similar data breaches, including reviewing information security policies and increasing employee training."

    If they're in need of any cryptographic computer protection for their computers, UNLV should give us a call.  We can literally see their campus from where we work, so perhaps we'll give them a "part of our breathtaking-vista" discount.  (Obviously that's an exclusive deal that can't be extended to most companies and organizations.)

    As for the fact that they're alerting students about a three-year-old breach...I've got to give them kudos.  One way of looking at the situation is that it took UNLV three years to alert affected students.  And, if one assumes that there is yearly maintenance, one also ponders why they didn't detect this in the past couple of years.  It sounds criminal.

    On the other hand, the breach of SSNs has a different order of magnitude than the breach of, say, credit cards.  With credit cards, your exposure is limited both in terms of financial hit as well as period (cards have expiration dates as well as the ability to cancel them).  The effects of stolen SSNs, as anyone who follows fraud stories on-line as well as on TV (such as CNBC's show, American Greed) knows, is much more affecting, with the potential to drag on for years with no ceiling on losses.

    In this case, better late than never is most apt, and UNLV's decision to sound the alarm instead of just brushing it under the rug is to applauded.

    (I'll admit that I'm not too crazy about the three-year delay, though.  But again, it was the right thing to do.  You can fault someone for delaying a notification, but it's a gray area when it comes to criticizing someone for not finding out sooner about an issue).

    PS - Oh, yeah.  Some people commented that it's not just the right thing to do, it's the law in Nevada.  Of course.  How could I forget?  I've blogged about it before.  For example, what does NRS 603A require and do non-profits have to follow Nevada's privacy and encryption law? (Answer: yes.)


    Related Articles and Sites:
    http://www.lasvegassun.com/news/2011/jul/26/information-security-breach-2008-reported-unlv/
    http://www.ktnv.com/news/local/126225528.html
    http://www.infosecurity-us.com/view/19700/unlv-notifies-2000-employees-about-possible-breach-of-personal-data/

     
  • Disk Encryption Software: Estee Lauder Alerts NH Attorney General Of Laptop Theft

    Databreaches.net reports that cosmetics powerhouse Estee Lauder has alerted the New Hampshire Attorney General's Office about a data breach.  The loss of a laptop compromised employee information, including SSNs.  It has not been revealed where the laptop was stolen or whether it was protected with laptop encryption software.

    Minimal Details

    Dissent at databreaches.net notes that the letter to the NH AG is very light on the details of the data breach.

    We know this much for sure: a laptop was stolen, which contained employee information (current and former).  Some of the information involved includes names and Social Security numbers.  The laptop was company-issued.  It was also noted that the company "changed all passwords assigned to the employee for access to the stolen laptop."

    Anything apart from the above is speculation.  Here's my two cents: I get the feeling that the laptop was encrypted.

    The Reasoning

    First, there is the fact that the laptop was company-issued.  While there are plenty of stories in the media about companies losing laptops that were not encrypted, we've got to remember that that's exactly why it's being reported.  I mean, who's going to publish news where encryption software like AlertBoot was used so "everything's alright"?  That's not news.

    So, if you will, there is a "silent majority" out there that has their encryption in place.  (If this had been a personal laptop that was stolen, I'd be betting on encryption not having been used.)

    Second, the company had enough security programs installed on the now-missing device that they could go ahead and change the password on it.  Now, your average Windows boot-up password cannot be changed in that way.  Ergo, there is something installed on the laptop that will "call home" and update itself, most probably via the internet.  It's not a stretch to presume that laptop encryption was used under such circumstances.

    Of course, there is the unsettling fact that the use of encryption was not mentioned in the letter to the Attorney General.  However, I've been burned in the past (more than a couple of times, actually) where I speculated that cryptographic solutions were not used because they were not mentioned...but it turned out that they were.


    Related Articles and Sites:
    http://www.databreaches.net/?p=19817
    http://doj.nh.gov/consumer/security-breaches/documents/estee-20110713.pdf

     
  • Errata: Wrong Dates For AlertBoot/eGestalt Webinars

    It has come to my attention that I announced the wrong dates on this blog for the following webinars, hosted by AlertBoot and eGestalt:

    "HIPAA/HITECH Compliance: Data Privacy and Security Best Practices for Medical Practitioners and Small Businesses" will take place on July 29th (not July 29th) and August 9th. (Click here to register).  If you're a small HIPAA covered-entity, you will find this webinar of interest.

    "HIPAA/HITECH Compliance Demystified - How to navigate the various requirements with implementation guidelines and best practices" will take place on July 28th (not July 29th) and August 9th.  (Click here to register).  If you're in the security channel, you'll find this webinar very informative.

    Both webinars deal with HIPAA and HITECH updates, and how different solutions, including AlertBoot endpoint encryption for computers, help maintain compliance.

     
More Posts Next page »