AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

September 2011 - Posts

  • More X-Rays Stolen: Good Samaritan Hospital Has Data Breach

    Around this time last year, I covered a story that had absolutely nothing to do with data encryption software: the theft of old x-rays from a medical establishment.

    Well, it looks like such shenanigans are still on-going.  The Good Samaritan Hospital in Baltimore, Maryland has alerted the authorities that a man posed as an x-ray disposal vendor.  The man made off with two barrelfuls of x-rays that were at least 5 years old.

    As I noted in the post from a year ago, there is plenty of silver to be extracted from old x-rays, although it's not as true for modern x-rays.  Our web-traffic analytics data showed, however, that there was immense interest in that one article, with people specifically looking to see "how much silver is in x-rays."

    I still stand by the observation that, pound per pound of x-ray, you're better off collecting cans for their deposit money -- especially if you take into account that stealing anything from a hospital is grounds for appearing in front of a judge.  Or, you could go hunting for sunken treasure, like this ship that was blown up by a German U-boat in 1941.  It literally was carrying hundreds of tons of silver.

    The bigger problem, as far as I can see, is that this incident must be classified as a breach of protected health information (PHI), and the hospital must send notifications to patients and the HHS.  At least with digital data, you can use encryption software to protect it, and get some relief from going public with the breach.

    What protections has one got against x-ray stealing con artists?


    Related Articles and Sites:
    http://www.wbaltv.com/news/29210900/detail.html

     
  • Why Choose Desktop Encryption Over File Encryption?

    Desktop encryption software via the cloud is what AlertBoot does (and does very well).  Apparently, so does Laplink.  A review in law.com (link at the bottom of this article) titled "Desktop Encryption Moves to the Cloud" shows how Laplink's new encryption software is cloud-based.  However, there is one criticism I'd like to make: Laplink's product is not desktop computer encryption.  It's file encryption, and possibly not as secure as whole disk encryption.

    Same Crypto Power, Different Approach

    The term desktop encryption is admittedly pretty nebulous.  It could mean the encryption of a desktop computer's content in whole, or just the application of encryption to some files in a desktop computer.  However, in my opinion, the term desktop encryption refers to the former, since the latter is generally referred to as file encryption, regardless of whether a desktop computer is involved: people know that a file is a file, whether it's on a desktop, laptop, netbook, or even their phone.

    So, what's the difference?  I've already covered the difference in What is Disk Encryption and The Difference Between Disk Encryption and File Encryption, but essentially, disk encryption encrypts the entire disk, and file encryption only encrypts selected files.  As remarked in What is Disk Encryption?, there are advantages to using file encryption, especially if you're sending files around.

    In Laplink's case, the new software actually encrypts selected file extensions: if you select Microsoft Word files to be encrypted, then all documents of that file type will be encrypted (as opposed to the one Word file you want to encrypt).

    File Encryption En Masse - It's Like Not Shredding Carbon Copies

    This is actually something of an improvement over individual file encryption.  For starters, you won't have the problem of forgetting or delaying to encrypt a sensitive file.  On the other hand, there are separate risks associated with any type of file encryption.

    A computer file's contents don't just reside in that one file you're using.  There are temp files, swap spaces, and other nooks and crannies where sensitive information can be automatically copied to...and not deleted by itself.  Attempting to use file encryption on these transitory but real (and potentially hazardous) data is next to impossible.

    And, you cannot ignore them either.  It'd be like putting a lot of effort into protecting a top secret paper document and dumping the carbon copies out into the street.

    Hence the existence of disk encryption software: you encrypt the disk in its entirety and all the problems of securing temporary files and swap spaces are dealt with.  Due to the fact that every computer on the market contains a hard disk drive of some type -- and the fact that most people don't know what's inside a computer -- disk encryption is also known as laptop encryption and desktop encryption since it encrypts the entire contents of a computer (and hence my initial criticism).

    So, what's the better solution?  The truth is, you're best off if you use both of them together.  Disk encryption plus encrypting any files that are deemed sensitive -- this offers the best of both worlds and increases your data security.

    If you have to choose between the two, however, and if you're in a situation where you're encrypting pretty much all of your files, and need to control the "carbon copies" I've mentioned above, you're probably best off with disk encryption.

    (Do you need to take into consideration those carbon copies?  Let me put it this way: you can find free software on the internet that will search for keywords or a string of numbers regardless of what the file is.  A person could do a search for SSNs based on "SSN", "Social Security Number", or a number pattern such as xxx-xx-xxxx.)
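    To make the "carbon copies" point concrete, here is an added example (it is not AlertBoot's code, nor anything from the Laplink review): a small Python scanner that walks a directory and reports every file still holding an SSN-like pattern.  The file names, the patient record and the page-file fragment are constructed for the demo, and random bytes stand in for the ciphertext of the one file the user deliberately encrypted.  It goes one step beyond the plain xxx-xx-xxxx search by discarding number ranges the Social Security Administration never issues, which keeps order and invoice numbers out of the report.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# The xxx-xx-xxxx pattern the post mentions. The \b anchors stop it from
# matching inside longer digit runs such as order or invoice numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This cuts down on false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def count_ssns(path: Path, max_bytes: int = 8 * 1024 * 1024) -> int:
    """Count plausible SSNs in one file. Bytes are decoded as latin-1 so a
    binary file (swap fragment, autosave blob) never raises on decode."""
    try:
        text = path.read_bytes()[:max_bytes].decode("latin-1")
    except OSError:
        return 0
    return sum(1 for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups()))


def scan_tree(root: Path) -> dict[str, int]:
    """Walk a directory and report every file that still holds SSN-like text."""
    hits: dict[str, int] = {}
    for p in root.rglob("*"):
        if p.is_file():
            n = count_ssns(p)
            if n:
                hits[str(p.relative_to(root))] = n
    return hits


def demo() -> dict[str, int]:
    """Constructed scenario (not real data): the user encrypted one document,
    but the editor's autosave copy and a swap fragment were never covered."""
    root = Path(tempfile.mkdtemp(prefix="carbon-copies-"))
    try:
        record = "Patient J. Doe, SSN 123-45-6789, DOB 1970-01-01\n"
        # The file the user deliberately encrypted; random bytes stand in for ciphertext.
        (root / "patients.docx").write_bytes(os.urandom(len(record)))
        # Word-style autosave/temp copy left behind in plaintext.
        (root / "~$patients.docx").write_text(record)
        # A page-file fragment: the same record sandwiched between binary junk.
        (root / "pagefile.sys").write_bytes(b"\x00" * 64 + record.encode() + b"\xff" * 64)
        # Control file: numbers that look close but are not SSNs.
        (root / "notes.txt").write_text("Order 000-12-3456, ref 123-45-6789012.\n")
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, n in sorted(demo().items()):
        print(f"{name}: {n} SSN-like value(s) still in the clear")
```

    Run it and the encrypted document drops out of the report while the autosave copy and the swap fragment remain; that remainder is exactly the gap that only encrypting the whole disk closes.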

    Related Articles and Sites:
    http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202516692374

     
  • Third Sector Encryption: Protecting Non-Profit, Non-Governmental Data

    The UK website thirdsector.co.uk has an article on "Safeguarding the data of donors and users."  It's my opinion that of all types of organizations, charities should fear data breaches the most: the loss of information has negative effects on an organization, and charities that rely on donations to fund their operations could see a breach affect their cash flow.

    For similar and other reasons, thirdsector.co.uk recommends that proper security be put in place, including the use of laptop encryption software (which is offered by AlertBoot.  Plug: we offer discounts to charities.  Just ask in the comments section).

    In fact, as a UK site, it notes that the Information Commissioner's Office (ICO) demands the use of encryption software if sensitive data is stored on portable devices (I can confirm that observation, although I should add that there is nothing in the UK's law that forces you to use encryption).

    The article, if you're new to data security, covers a wide range of issues in a clear and concise manner, and I highly recommend that one read it.

    However, I have my two cents as well.

    Thin Clients: Some Security Issues to Check

    It's noted in the "Safeguarding the data of donors and users" article that some charities, such as the Salvation Army, have decided to use thin clients, computers with no storage capacity that connect to a central server.  Such a configuration makes it easy to secure data because all you have to ensure is that the server is properly protected.  For example, you only have to deal with one device when it comes to data encryption.

    However, if you're looking to deploy a similar strategy in your charity, you must remember that it's not just a matter of getting a thin client.  Issues I can think of:

    • USB ports - If the thin client you're using comes with USB ports, it means that while nothing might be saved to the thin client itself, data can still leak via USB memory sticks and external hard drives.  In fact, it might pose more of a problem than company-issued laptops because one assumes these storage devices to be personal (which in turn means lack of oversight).

    • Internet - We live in the exciting era of the cloud.  If connecting to the internet is possible from the thin client, you have the potential for a data breach, such as information being copied to a web-based email program and being forwarded to someone, or posting the data to a personal blog.

    • Passwords - Password policies must still be well thought-out.  In fact, their importance grows since the potential for breaches from other sources decreases dramatically.  Assuming all the proper controls are in place, a data breach could only come about due to a weak or leaked password for accessing the thin client.

    I should note that for many charitable organizations, chucking current office assets to redesign the workplace for better data security is a pipe dream.  If desktops and laptops are still prevalent in your office, using encryption to secure the hard disks and controlling the USB ports amounts to the same thing as having a thin client.  Of course, my above comments on accessing the internet and strong passwords apply as well.


    Related Articles and Sites:
    http://www.thirdsector.co.uk/news/Article/1092261/Safeguarding-data-donors-users/

     
  • Data Security: SK Communications Data Breach Due To "Cheap" Foreign Antivirus Software

    I'm stepping away from disk encryption today to explore an issue surrounding antivirus software (in a totally cursory, non in-depth way) that popped up in the South Korean media.

    Norton is Cheap Software?

    According to news reports in Korean media, SK Communications (SK Comm) has been accused of using "cheap" antivirus software.  If you're not aware, SK Comm is the company behind the websites Nate and Cyworld: they had a total of 35 million members and their site was hacked in July.

    To put that into context, the official tally of the South Korean population is at 49 million.  In other words, 70% of Koreans were affected by this breach (including yours truly).  Obviously, there was going to be a government investigation.

    According to South Korean media, the Korean Committee on Culture, Sports, Tourism, Broadcasting & Communications released a report yesterday noting that, of the 50 or so antivirus products available in the Korean market, SK Comm used Norton from Symantec.

    Per the articles covering the issue, the specific malware that caused the SK Comm breach was detected by five particular antivirus solutions.  Norton was not part of that group of five.  However, it appears that Norton is less expensive than some solutions that were tested.

    This prompted the Committee to slam SK Comm for using "cheap" foreign antivirus software and accuse it of being pennywise and pound foolish.  And by slammed, I mean they brought in the CEO and told it to his face.

    The report also pointed out that of the six major Korean portals and telecommunications companies, five of them used a domestic antivirus solution (Ahn Lab) while SK Comm was the odd man out.  SK Comm was hacked, the others weren't.  The implication is, do the math.

    The CEO was also warned by a member of the Korean Assembly (and Committee member) that if SK Comm does not pay damages for the breach, there would be a class action lawsuit...led by the Assemblyman himself! (Link here if you read Korean).

    Cheap Also Means Worthless, Suspect

    It's debatable whether Ahn Lab's solution is better than Norton (some point out that Ahn Lab is totally focused on the Korean market and its electronic ills, possibly making it a better solution in the small East Asian peninsula, the nature of the internet notwithstanding).  It's also debatable whether Norton is any good along with all other antivirus software (I know plenty of people who've sworn off AV products in general because the protection/performance ratio is below their personal expectations while the annoyance ratio is off the charts).

    But to classify Norton as "cheap" antivirus software in relation to other similar solutions?  Like in many cultures, the word "cheap" in Korean doesn't necessarily mean "bargain" as much as it means "worthless" or "suspect" when it comes to goods and services, and the Korean populace has gone to the message boards to ridicule the Assemblyman and the Committee's report (and their cluelessness) for making such a statement.

    Personally, I'm beginning to understand why Korea has seen massive data breaches crop up every other week in the past four months (or, at least, it certainly feels that way).  It's quite obvious that people at the head of organizations, be it the government or companies, have absolutely no idea what is involved when it comes to data security, and are busy treating the symptoms while letting the wounds fester.

    I don't have a problem with the Committee's findings that somehow the right product would have prevented the breach from happening.  In hindsight, that's certainly true.

    However, there's also the implication that the "right" or expensive product will prevent data breaches from happening, and that's patently untrue.  SK Comm shouldn't be criticized for choosing one antivirus software over another.

    Where's the report on the real issues?  How often does the company conduct a security audit?  How often / fast do they apply patches?  Do they have the correct policies in place?  What are they doing for access control?


    Related Articles and Sites:
    http://media.daum.net/digital/others/view.html?cateid=100031&newsid=20110922185613187&p=moneytoday&t__nil_economy=downtxt&nil_id=5
    http://ntn.seoul.co.kr/?c=news&m=view&idx=117411

     
  • Disk Encryption Software: Simon Yanez DDS Notifies Breach, 10,000 Affected

    Simon Yanez DDS (formerly Dr. Kenneth Silva's dental practice) has reported a data breach to the Department of Health and Human Services (HHS) and posted a notice on their site.  Three computers were stolen during an office break-in.  As a result, patient information was stolen.  It is not mentioned directly that full disk encryption was used, but it is implied that it wasn't.

    10,190 Affected

    According to medical data breach site phiprivacy.net, the Yanez breach shows up in the HHS's breach reporting tool.  The incident is listed as having affected 10,190 people.  According to the Yanez notification letter, names, dates of birth, addresses, SSNs, phone numbers, and "etc." were breached.  As phiprivacy.net astutely observes, one has to wonder what's being hidden under the etc. mantra: Ever watch that yadda yadda yadda episode from Seinfeld?  That etc. could be something along the yadda yadda yadda lines....

    Anyhow, the same notification letter notes that the three computers that were stolen had "four levels of password protection."  The question is, is this really password-protection, or was there encryption software powering security beneath it?

    Why is this a critical question?  Well, it's been shown time and again that password-protection is not adequate protection (and in some cases, it's not protection at all.  Find out how password protection and encryption are different).

    So, the issue of whether cryptographic security was behind it is a very relevant matter.  There are signs, however, that this might not be the case.

    Why I Think Computer Encryption Software Was Not Used

    There are two reasons why I think encryption was not used.  First, there is the fact that there is a notification letter.  Under a federal law known as HIPAA, which was amended by the HITECH Act about a year ago, an organization that deals with medical data is not required to publicize a data breach if medical data encryption is used.

    This is due to the fact that encryption provides strong protection against unwanted access to data.  Now, most organizations are so averse to revealing public relations mishaps such as data breaches (especially those that involve highly sensitive data such as Social Security numbers, as in the above case) that they'll delay making such an announcement, and I suspect, even go as far as break the law by not doing it.

    The fact that Yanez has sent a notification letter to over 10,000 patients and alerted the HHS (incidents involving over 500 people must be reported immediately to the HHS) is a strong indication that encryption software was not used in those stolen computers.

    The second signal comes directly from the dental company (their emphasis):

    We still have a copy of all your dental records and have increased security measure such encryption of electronic data.  This measure renders protected information undecipherable to any unauthorized individual a breach of these files is not possible.

    That's copied verbatim.  Despite the slightly weird grammar and the lack of an article (I'm assuming it's not on purpose, but actual typos and whatnot), it's quite obvious that they're saying encryption software was used after the incident.

    It's disappointing is what it is.  Encryption is a preventative measure: if it's not there to begin with, it cannot do anything for you when disaster strikes.


    Related Articles and Sites:
    http://simonyanezdds.com/var/kk/541423/2009355-New_PDF.pdf
    http://www.phiprivacy.net/?p=7733

     
  • Laptop Encryption Software: Sony Customers Send Broken Computers To Another Sony Customer

    The Consumerist website brings us the story of one man, Joe Litwin, whose address somehow ended up as Sony's address for computer repair services.  I've often blogged that one should use drive encryption software like AlertBoot to protect the contents of laptops and other devices "just in case," but this takes the cake in the realm of "what-ifs."

    (If you're shipping a laptop or desktop computer for servicing, I'd suggest using encryption software on sensitive files and folders or wiping the data.  Heck, disk encryption might not be a bad idea since the actual practice nowadays seems to be to reformat the drive before doing anything.)

    • Waiting for a Box
    • Lots of Problems
    • Can He Keep the Stuff? On Unsolicited Packages

    Waiting for a Box

    Litwin was experiencing problems with his Sony laptop and needed to get it serviced.  The Japanese electronics company promised to send him a box and a shipping label.  Soon, computers start to arrive on his front porch.  He opens one up and sees that it's meant to be sent to the repair center, but somehow his home address ended up in the "To:" field.

    He spent long hours on the phone with Sony's call center, who were unable to understand what the problem was and wouldn't pass him on to a supervisor (according to nbc4i.com; consumerist.org writes that a supervisor was involved and yet the problem couldn't get resolved; however, the latter seems to be getting its news from the former, so I'm not sure where the contradiction is coming from).  It only took media coverage for the company to intervene.

    Sony finally tracked down the problem.  Sony, however, notched up its potential for derision by sending Litwin a box too small for his computer (he has to wait for another one) and sending him an email "advertising a new program that for $9 a month, the company will insure your computer in case it gets lost or stolen."

    On The Consumerist site, it is claimed that initially Sony told Litwin that he would have to return the computers to Sony on his own dime.

    Lots of Problems

    Even as I was laughing, I could see that there were numerous problems.  First off, it's quite obvious that someone changed Sony's address with Litwin's.  The question is, how?  For example, was Tier 1 support able to make the change?  If so, what a monumental mistake!  I mean, think of the possibilities for stealing computers with a partner on the outside.

    Second, if the person who took Litwin's call really refused to get a supervisor despite not understanding the problem, there must be some weird (not weird-good) work conditions wherever that person happens to be at.  I mean, it's not as if the guy understood the problem and then decided bothering the supervisor was not worth it.  The guy didn't understand and still didn't get his supervisor.  In my opinion, that usually reeks of fear (although I won't disallow the possibility of dealing with a buttmuncher).

    Third, on the customer's dime?  Really?  If so, this is probably worse than the other two since it involves more than aggravation.  Shipping anything over one pound costs serious dinero.  Over 10 boxes were sent to Litwin.  It's Sony's screw up.  After all, he's the recipient on the address and he doesn't control what Sony does.

    Can He Keep the Stuff? On Unsolicited Packages

    Just because Sony screwed up doesn't mean that Litwin can just keep the stuff.  From ynn.com:

    Another situation that can occur is when a customer gets an item by mistake from a company and it appears that the item was intended to be delivered to someone else. In this situation, the FTC recommends that you mail the sender a letter (using certified mail and keeping a copy) indicating the mistake, give the sender a reasonable amount of time to respond (to have it mailed back at no expense to you or to come pick it up), and inform the sender that you reserve the right to keep the merchandise if they fail to respond in that time period.

    The FTC’s recommendations are useful; failing to notify the sender or the intended customer could make you liable for criminal or civil theft. Criminal theft can cost you fines and/or jail time, depending on the value of the property. If the property is worth under $1,500, it is a misdemeanor (possible $4,000 fine and/or up to one year in jail). If the property is worth over $1,500, it constitutes a felony (possible $10,000 fine and up to a life sentence in state prison).

    In addition, either the company who sent you the goods by mistake or the intended customer can sue you for civil theft (or “conversion.”) You could be responsible to return the goods or pay damages.

    Fair warning has to be given, then you keep the stuff.  Of course, doubts abound as to whether giving fair warning to imbeciles is really "fair warning."

    Related Articles and Sites:
    http://gizmodo.com/5842511/instead-of-fixing-a-mans-laptop-sony-sends-seven-broken-computers-to-his-house-for-him-to-fix
    http://consumerist.com/2011/09/instead-of-fixing-his-computer-sony-sends-him-7-other-customers-broken-ones.html

     