in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

August 2011 - Posts

  • Laptop Encryption Software Second Most Important For PHI Breaches?

    A new survey released by Veriphyr shows that over seventy percent of healthcare organizations have experienced at least one data breach over the past 12 months.  Darkreading.com notes that insiders accounted for more breaches than cybercriminals, which has always been the case.  But, it also turns out that insider attacks were more prevalent than the loss or theft of laptops and other portable storage media.  Could this mean the end of disk encryption software like AlertBoot in medical settings?

    Employees Peeking on Employees #1 Problem

    According to darkreading.com's summary of the survey's results, the most common sources of breaches were:

    • 35% - employees peeking on colleagues' medical records
    • 27% - employees peeking on acquaintances' records (friends and family)
    • 25% - loss or theft of physical records [Ed. - paper records?]
    • 20% - loss or theft of equipment that contains patient data

    Obviously, there must be other sources of breaches, but these are the top four.  You'll also notice that the above four alone add up to 107%, meaning a significant amount of overlap must exist.

    Different Results from HHS Public Data

    The above runs counter to everything that I've read so far about medical data breaches.  In analyses using the medical data breaches from the HHS's wall of shame (where breaches involving 500 or more PHI data sets are made public), the loss of laptops is the number one reason for PHI data breaches.  This is generally followed by the loss of other portable digital media devices.

    In fact, the loss of laptops, USB drives, CDs, backup tapes, and other digital media accounts for at least 66% of all data breaches reported to date.

    On the other hand, this could be easily explained by the fact that the HHS's publicized data has a requirement of 500 or more breached entities.  I mean, it would be quite the chore to snoop on 500 of your friends and relatives.  So, while there might be many independent instances of such breaches, the affected numbers per breach is lower -- and hence the disparate results when it comes to Veriphyr vs. HHS data.

    Not the End for Hospital Laptop Encryption

    If my above reasoning is true, this is not the end for laptop encryption in medical settings.  Not by a long shot, for at least two reasons.

    First, while employees' internal breaches might actually be the #1 form of data breach on a case per case basis (we'd need further surveys to establish it as a fact), it's not #1 when it comes to negative outcome.  When it comes to affecting a significant number of people, significant enough to make the news, you can bet that it will involve a portable device of some sort.

    Second, in a given population most people are not as concerned of medical employees peeking on other medical employees' records.  Many also don't care that medical employees are peeking on patients' medical records: a nurse is a nurse is a nurse, a doctor is a doctor is a doctor. (I won't argue whether it's naive to hold such an attitude.)

    No, most people's concerns are for their own records, meaning the effect of losing one laptop holding 500 patients' protected health information will have a disproportionate effect than that one of one employee looking at 500 other colleagues' records.

    As long as laptops and other storage devices are being used in hospitals, laptop and hard disk encryption will be around as well.


    Related Articles and Sites:
    http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/231600598/insiders-behind-most-breaches-of-patient-health-data.html
    http://eon.businesswire.com/news/eon/20110831005344/en/Healthcare-information/HIPAA/data-breaches

     
  • Data Encryption Banned In Pakistan

    Data encryption on-line, that is.  According to many, many (many) media outlets, the government of Pakistan has pressed forward in eliminating the use of encryption software for on-line activities.  The law does not appear to affect other types of encryption such as data at rest encryption.

    Encryption Works

    Moves such as these go to show that the security benefits that stem from the use of encryption, such as laptop encryption provided by AlertBoot, are not imaginary.  Contrary to myriad claims of "I work in IT and I can hack into any encryption in less than an hour" (I troll through the internet a lot, sometimes in the darker corners of it), properly worked out encryption is nearly impossible to break into.

    I don't doubt that there are poorly-implemented encryption packages out there, but that one can break into any encrypted material in an hour?  Hey, buddy, I know a government in Asia that wants to hire you.

    Pakistan Ban Result of Telco Law

    The decision to make on-line encryption illegal stems from a telecommunications regulation that went into effect in March 2010.  According to the regulation, licensees of telephony services must monitor information passing through their equipment (read: spying).

    ISPs and other telcos were caught between a rock and hard place: cracking encryption is virtually impossible, as other governments found out in the past, such as in this instance and in this one.  So, I guess one way to get around this particular hardship is to get rid of it completely.

    But is this a good idea?

    It's a Bad Idea

    It's encryption that creates a secure connection between your computer and your bank for on-line banking.  It's encryption that ensures your on-line activities are not monitored by some random guy at Starbucks.  It's encryption that ensures corporate secrets remain secret even as you communicate with your office, via VPN.

    To ban encryption on-line in Pakistan means that you couldn't have SSH, SSL, TLS, HTTPS, nor wifi encryption.  In other words, no on-line commerce.  Plus, a less-than-secure on-line experience (if you want it; nothing prevents you from surfing the web in an insecure manner, obviously).


    Related Articles and Sites:
    http://www.guardian.co.uk/world/2011/aug/30/pakistan-bans-encryption-software
    http://yro.slashdot.org/story/11/08/30/2228214/Pakistan-Bans-Encryption
    http://www.techdirt.com/articles/20110729/03142715310/reports-claim-that-pakistan-is-trying-to-ban-encryption-under-telco-law.shtml

     
  • Data Encryption Software Non-Use Causes WikiLeaks Leak. Supposedly

    Media organizations around the world are reporting the "fact" that diplomatic leaks under WikiLeaks's control have been leaked.  The twist?  WikiLeaks hadn't leaked them, meaning that they had a data breach.  Makes me wonder why the leaked file was not protected with data encryption; it's not as if WikiLeaks doesn't know the value of a good encryption program.  On the other hand, would it have mattered under the circumstances?

    Password-Protection No Use.  Encryption No Use, Either

    German newspaper Der Freitag broke the news and was confirmed by Der Spiegel.  The former was able to access a password-protected 1.73 GB file full of diplomatic cables.

    As readers of this blog know, password-protection is not exactly "protection," at least when it comes to protecting data on a hard disk.  When it comes to files, password-protection provides, in my opinion, a little more protection; however, it cannot take the place of encryption software.

    And yet, in this particular case, it would have been a moot point: according to Der Freitag, the "file's password was easy to find" [pcmag.com].  Other sources, like the washingtonpost.com notes that:

    WikiLeaks supporters uploaded them all [a number of files] to the Internet without knowing the hidden file [the one being pointed out in this blog post] was among the stash. Then, a third-party published the password to the files, the report said, without realizing that the password would grant full access to the unredacted files.

    According to wired.com, the file in question is a csv file that's titled "cables.csv" and contains unredacted, raw information -- meaning names of informants and intelligence agents are displayed.  Also, they must know something the other news organizations don't know because, as far as I can see, wired.com is the only one claiming the file was an encrypted one (well, aside from Der Spiegel.  I don't read German and I don't trust Google Translate):

    Information about the exposed file and password was also confirmed by the German newsweekly Der Spiegel. According to that publication, the cables were contained in an encrypted file that WikiLeaks founder Julian Assange had stored on a subdirectory of the organization’s server last year, which wasn’t searchable from the internet by anyone who didn’t already know its location.

    WikiLeaks has denied that there are any major problems:

    WikiLeaks 'insurance' files have not been decrypted. All press are currently misreporting. There is an issue, but not that issue.[twitter]

    There has been no 'leak at WikiLeaks'. The issue relates to a mainstream media partner and a malicious individual.[twitter]

    Totally false that any WikiLeaks sources have been exposed or will be exposed. NYT drooling, senile, and evil.[twitter]

    Well, the NYT is known as The Gray Lady....

    Rule #1 of Encryption is...

    Encryption is like Fight Club.

    The first rule of Fight Club is that you do not talk about Fight Club.
    The first rule of encryption is you do not talk to others about your password.

    The second rule of Fight Club is that you DO NOT talk about Fight Club.
    The second rule of encryption is you DO NOT talk to others about your password.

    Much less publish it on the web.  Why the heck would you publish a password?


    Related Articles and Sites:
    http://www.pcmag.com/article2/0,2817,2392009,00.asp
    http://www.wired.com/threatlevel/2011/08/wikileaks-leak/
    https://www.nytimes.com/external/readwriteweb/2011/08/29/29readwriteweb-wikileaks-loses-control-over-diplo-cables-e-84478.html?ref=technology

     
  • Best Laptop Encryption Software: Some Criteria

    I've covered a couple of posts in the past on the topic of what is the best disk encryption software.  In one particular post, I ranted that the best laptop disk encryption software does not exist as much as you have the "bests."  (Which, in my opinion, includes AlertBoot managed disk encryption, but, hey, that's just my opinion).

    Some people thought I ought to be more practical, however, so here are a number of criteria for finding the best encryption software.

    #1.  Find Out Your Requirements

    The truth of the matter is that you'll have to find out if there are any requirements to protect your data.  For example, if you work in the medical field, you might be subject to HIPAA.  Under HIPAA, safe harbor from sending out patient notification letters is extended if you have a data breach -- but only if you use the adequate level of protection.

    While HIPAA doesn't come and say so, the current (as of 2011) acceptable level of protection is AES-128 encryption or equivalent.  In fact, you probably want to stick to AES-128 as a minimum regardless of which industry you work in.

    That brings us to the next criterion.

    #2.  Weak Encryption: Don't Use It

    There is strong and weak encryption out there.  Weak encryption is called that because, while it's technically encryption, it's also useless as a data protection measure.  From a previous post:

    Bad/Weak encryption algorithms exist: Encryption is big business, and people are always on the look to create a better/stronger way to encrypt data.  But, it turns out that creating a strong encryption algorithm is extremely difficult (which explains why most of the encryption algorithms out there that are in use are pretty old).

    Many companies will announce a new method of encrypting information, but sooner or later, most of these algorithms are found not to work. [FDE - How Secure is It?]

    Like I stated in #1: stick toAES-128 or equivalent.  Or stronger, obviously: for example, AlertBoot uses AES-256 for its full disk encryption solution.

    #3.  Find Something Easy to Manage

    Once the number of machines you manage get big enough, encrypting machines goes to the backburner and management becomes the bigger problem.  Sure, you've encrypted your machines, but can you prove it? (It comes back to HIPAA and other similar regulations).  You're going to need something that will make it easy for you to create an audit report of some kind.

    What about calls from users professing problems?  What if someone forgets their password (or worse, their username?)  What if disk encryption fails?

    Easy management is something you should definitely be looking for.

    #4.  Extras that Increase Security

    The truth of the matter is that, once you have an appropriate encryption package selected, most of your security risks will come from your users' behavior.  Sharing passwords.  Posting passwords on a sticky note.  Never shutting down the computer.  Using weak passwords.  The list goes on and on.

    You might want to ensure that the encryption software you use offer at least the following

    • Password limits.  Just so you can make sure users are not selecting weak passwords for themselves.
    • Rate limiting.  A time delay gets introduced for typing in the username and password if the wrong password is entered more than three times.
    • Lock out.  After a certain number of wrong password entries, the encryption locks out everyone.  Entering the correct password doesn't work.
    • USB Encryption.  Laptop encryption only protects data on that laptop.  If you copy data off of it, that data won't be encrypted.  Automatic USB encryption such as found in AlertBoot will encrypt all digital storage devices connected to a computer that had its internal HDD encrypted.

    There are other things to consider, but the above four should be the least you should be looking for in an encryption solution.
     

     
  • Data Encryption Software: VA Medical Center Employee Takes Unauthorized Data Home

    VA officials have announced that a staff member at the Lexington VA Medical Center (in Kentucky) took patient files home, causing a data breach.  The employee was not authorized to do so.  Instances like these show why the use of disk encryption software like AlertBoot are not a silver bullet against data breaches.

    Undereducated Staff Leads to Insider Attacks

    When you hear the words "insider attack" combined with "data breaches," I'm pretty sure you'll think of rogue or less-than-ethical employees that dabble in selling data such as credit card numbers or SSNs.

    Depending on who you talk to, though, there are those to also include people who cause a data breach even when their purposes were far from heinous or downright noble.  The VA medical breach in Lexington is, as far as one can tell, is of this nature.  According to the lex18.com article," the information was [not] used maliciously by this employee or anyone else."

    The type of data that got stolen seems to back this up: names, last four digits of SSNs, dates of birth, and medical diagnoses for 1,900 veterans in the forms of patient files, slides, images, and other data.  The information was downloaded to the staff member's laptop.  No doubt someone didn't feel like working overtime at the office and thought it would be better to work from home.

    Encryption Software Can Only Do So Much

    Now, I'm pretty sure that the VA has had a policy in place where any and all laptops issued at the Veteran Affairs office are protected with laptop encryption.  And yet, here we have another instance of a laptop data breach.

    Or do we?

    The problem with this story is that it doesn't specify whether the staffer's laptop is a government-issued one or a personal one.  If the former, we know the VA has completed encrypting all portable computers as of 2009 (as I pointed out in this VA data breach story involving another employee's personal laptop).  Under such circumstances, it would be unusual but not surprising that there is a data breach (just because an organization has deployed laptops doesn't mean that it sometimes finds that a number of computers were overlooked).

    If the latter, then this is less of a laptop data breach and more of a "insider attack," however unintentional it might have been, since (arguably) the government doesn't have a say on whether you should encrypt your personal laptop or not.

    What might of have been useful in this case is the automatic USB encryption we have in the AlertBoot endpoint security suite.  Under AlertBoot you have the option to automatically encrypt all digital storage devices connected to a computer that had its internal HDD encrypted.

    This ensures that encrypted content on the computer cannot be copied off to some other storage device and rendering the original data protection useless.  It also works as an excellent reminder to not plug unauthorized data devices into a work computer's USB port (imagine what the encryption would do to an iPhone).


    Related Articles and Sites:
    http://www.lex18.com/news/va-medical-center-possible-privacy-violation

     
  • Full Disk Encryption: Texas Health Presbyterian Hospital Flower Mound Announces HIPAA Breach

    Texas Health Presbyterian Hospital Flower Mound has begun notifying patients of a data breach that occurred on June 21, 2011.  According to the notification letter, a laptop that does not appear to be protected with laptop encryption software like AlertBoot was stolen.

    Company-Issued Laptop

    According to the breach notice posted at the Texas Health Presbyterian Hospital Flower Mound site, the laptop was company-issued to an employee of Texas Health Partners.  The latter was a business associate and provided management oversight.

    The information on the now-missing notebook computer contained

    name and account number, plus at least one or more of the following elements: age, allergies, chief complaint, date and time of admission, date and time of laboratory order, date and time of specimen collection, date of birth, dates of service, diagnosis, discharge instructions, discharge summary, employer, gender, height, history and physical report, insurance, group number, ID number, subscriber’s name and/or subscriber’s date of birth, lab results, marital status, medical history, medical record number, Medicare Questionnaire report data, medication, name of account guarantor, name of lab test, name of physician, name and address of spouse, operative report, phone number, procedure, procedure start and stop time, radiology report results, room number, total charges, type of anesthesia, type of service, vital signs, weight, and x-ray number.  It may have also included the social security number for a very small number of patients. [phfmtexas.com]

    It has not been revealed how many patients were affected or how the laptop computer was stolen -- from an open office?  From the employee's vehicle?  By a UFO with Star Trek-like tractor beam?  It was revealed, though, that the laptop required a user ID and 12-character password to logon to the laptop.

    Is that Tied to Laptop Encryption?

    Furthermore, the use of this 12-character password has led the hospital to conclude that "there is no significant risk of identity theft or financial fraud" (at least, that's the implication).  Is this a realistic assessment?

    Well, it depends on a couple of factors.  First, is the 12-character password tied to encryption software or to a password-prompt?  The difference is like asking whether we're talking about money stored in a bank vault vs. a high school locker: for the former, figuring out the combination is the easiest way to get to the money; for the latter, you might not bother with a combo and just bash the locker's door.

    Likewise, when it comes to computer data: encryption is like the vault and password-protection is like the locker.  In other words, there are other ways of getting around password-protection other than finding out what the actual password happens to be (slaving a hard drive or using a Linux LiveCD, for starters).

    Second, how/where was the laptop stolen from?  If it was stolen from the trunk of a car, perhaps the thief will assume that there is very little of substance in the laptop and just reformat the hard drive and install the operating system over it (this does NOT guarantee data security, by the way).  If it was stolen from a medical office, then perhaps the laptop was stolen expressly because it was assumed medical and other useful data was in it, meaning that the thief has an interest in breaking into the computer (which brings us to the first point above).

    Long story short: password tied to encryption, then, yes, there is no significant risk.  If the password is not tied to encryption, well, things are not as safe as they seem.


    Related Articles and Sites:
    http://www.databreaches.net/?p=20240
    http://www.phfmtexas.com/LinkClick.aspx?fileticket=Lo%2b7DL2fEsM%3d&tabid=310

     
More Posts Next page »