AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

November 2011 - Posts

  • ICO Issues Penalties To North Somerset And Worcestershire Councils

    The UK's Information Commissioner has assessed penalties of £80,000 and £60,000 to Worcestershire County Council and North Somerset Council, respectively.  These fines were assessed for sending emails to the wrong recipients.  Of course, there is nothing that a laptop encryption software solution like AlertBoot could have done to prevent this.  Perhaps email encryption could have made an impact.  Well, at least in one of the cases.

    Worcestershire County Council

    Worcestershire County Council was fined £80,000 for a March 2011 incident.  An employee emailed sensitive information to 23 people who shouldn't have been recipients of the electronic missive.  The situation arose because an additional email list (containing the addresses of the 23) was added to the email by accident.

    The employee realized the mistake immediately and tried to contain the situation; this succeeded, probably only because the unintended recipients also worked in similar organizations.

    It was not revealed how many people were affected by the breach, only that it involved "a large number of vulnerable people."  I hope it involved a lot of people because...well, otherwise, this is the reason for the penalty (my emphasis):

    Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it.

    80,000 quid for not officially separating internal and external email lists?  There are companies who've been fined less for more.

    North Somerset Council

    North Somerset Council was fined £60,000 and, of the two cases, is the more entertaining one.  In November and December 2010, a North Somerset employee sent an email to an NHS employee.  The NHS employee alerted this person of the error.  After this, the NHS employee was further emailed an extra three times.

    At this point, the NHS employee must have done something because two North Somerset Assistant Directors talked to their employee about the continued data breaches.  A fifth email was sent to the NHS employee that very same day.

    Of the five emails, two of them contained sensitive and confidential information.

    The incident occurred because the NHS employee was added to a mailing list by mistake.

    Mitigating Circumstances

    The Information Commissioner had this to say about the two incidents (my emphasis, ico.gov.uk):

    "Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

    Apparently, it wasn't much of a mitigating factor if the penalties are that big.  It should be noted that the amount is one of the lowest to date, but larger than the only penalty so far assessed on a private company.


    Related Articles and Sites:
    http://www.csoonline.com/article/695362/ico-fines-councils-after-serious-email-data-breaches
    http://www.guardian.co.uk/government-computing-network/2011/nov/28/ico-fines-worcestershire-north-somerset-data-breaches?newsfeed=true
    http://www.ico.gov.uk/news/latest_news/2011/monetary-penalties-served-to-councils-for-serious-email-errors-28112011.aspx
    http://www.publicservice.co.uk/feature_story.asp?id=18195

     
  • Full Disk Encryption: Study Proves It Works (And Law Enforcement Has Problems With It)

    Full disk encryption (FDE) solutions, like AlertBoot, work.  If someone tries to force their way into a laptop protected with FDE, chances are he won't get in.

    But, once in a blue moon, I hear (or read) comments from supposed IT professionals who say that encryption in and of itself is a joke, or that they can bypass it easily (in 5 minutes or less!), and that, generally, it doesn't work.  I'm not sure where they get this information.

    Is it personal experience?  (If so, I feel for them.  One wonders where they obtained their encryption software that soured them on the entire technological gamut).  Is it something they read or saw? (I'm looking in your direction, Hollywood).  Are they just trolling?

    Research Calls for Technology to Break FDE

    A new paper -- The Growing Impact of Full Disk Encryption on Digital Forensics (unfortunately, behind a paywall) -- has pointed out that, from a law enforcement point of view, full disk encryption used on laptops creates insurmountable or costly problems.

    In fact, the authors of the paper go on to propose that methods to bypass and break FDE ought to be developed.  The proposal is quite amusing: those who develop encryption are always on the lookout to ensure that such methods won't work on encrypted data.  The revelation of a valid bypass would, naturally, be shared with other forensic experts, from whom it would make it onto the radar of encryption specialists, who would develop a countermeasure.

    Things would be back to square one, and encryption would be stronger for it.  This is why the encryption community tends to welcome news of weaknesses.

    This is not to say that there aren't methods, today, for gleaning data from computers already protected with the likes of laptop encryption.  However, to call these methods "breaking encryption" or "bypassing encryption" is misleading since they only work when encryption is technically not active.

    For example, one method of gaining access to encrypted data is to acquire an "image of live data": that is, making a full copy of a computer's entire disk content while the computer is up and running.  When it comes to FDE, the only time it's protecting your data is when the computer's off.  Encryption is momentarily switched off when you turn on the computer and provide the correct password (if you're going to work on your computer, you've got to be able to see what you're doing, and this requires that encryption be turned off).

    So, if a computer is up and running, by definition it means that whatever disk encryption was in place was temporarily deactivated.  Obviously, you can't claim to have bypassed encryption if it's not being used.

    Technicalities, Schmenicalities

    On the other hand, what do these little technicalities matter if your data is available to the "wrong" people due to such methods?  After all, the point of encryption is to protect data.

    Well, unfortunately, nobody said that FDE was a silver bullet against all data attacks (and if someone did, he was trying to sell you something).  This admission, despite being an admission of weakness, goes a long way towards better protecting you.

    For example, knowing that full disk encryption only protects your laptop's contents when the device is in the "off" state, now you know that you should never leave it up and running 24/7 (also a good thing for the environment, supposedly) while you're away from your desk.  I can think of at least one situation where a medical organization had to send out HIPAA breach notices because a doctor had left her computer in that state when someone burglarized her home while she was away.

    Also, if you're in an emergency, you know you can pull the plug out from your computer the moment you hear someone breaking in.  That'll instantly shut down your computer, allowing the full power of FDE to kick in (don't forget about the batteries).

    Long story short: encryption really works, and it works well.  Just be aware that there are certain limitations.


    Related Articles and Sites:
    http://it.slashdot.org/story/11/11/19/2011228/full-disk-encryption-hard-for-law-enforcement-to-crack
    http://www.extremetech.com/computing/105931-full-disk-encryption-is-too-good-says-us-intelligence-agency

     
  • Data Encryption Software: In The UK, Computer Encryption Is Half Empty Glass

    Or a half full glass, depending on how you view it.  According to a study, about half of UK businesses have installed data encryption, something similar to AlertBoot, on their computers.

    52% Use Encryption

    According to the survey, 52% confirmed the use of data encryption software on their laptops, 43% said they did not have encryption deployed, and 5% said that they don't know.

    The 52% figure represents an increase from 40% when a similar survey was carried out last year.

    The survey also found that only half of those polled used encryption on removable media, such as USB sticks.

    Only 13% reported a data breach due to a missing laptop.

    12% Growth Rate?  Nope.  Much Higher

    Many are noting that a 12% growth rate (going from 40% to 52%) sounds great but is still low when you consider that nearly half the laptops out there are not adequately protected.

    I'm not sure these people are doing their math correctly.  We're dealing with percentages, where you can't just add or subtract two percentages and get a valid result in terms of growth.  You can talk about differences ("there's a 12% difference") but that certainly doesn't imply growth.  A growth rate is the difference between A and B relative to the initial point (let's designate it A).  For computational purposes, let's assume that the percentages correspond to numbers of computers.

    That would mean that there were 40 computers encrypted last year, and there are 52 computers encrypted this year.  So, (52 - 40) / 40.

    That's a 30% increase.  That's huge.  That's enormous.  If you change the numbers to 5,200 and 4,000, or some other fixed ratio, you'll still get that same 30% figure.

    I can understand looking at the data security landscape out there and regarding it as full of holes and weaknesses.  But, if you're dealing with real world aspects, you have to compare the (correct) results with how the real world works.  A 30% increase is something to be congratulated -- and looked upon as a glass half-full.

    Of course, that rate is bound to drop off.  A continued 30% growth rate would imply that all laptops in the UK would be encrypted three years from now.

    (All of this assumes, of course, that the number of laptops being used in the UK remains about the same throughout the years.)
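    The following Python is an example added here to spell out the arithmetic above; it is not code from the original post.  It separates the percentage-point difference the commentators quoted from the relative growth rate the post computes, and projects how many years of compounding at that rate it would take to pass 100%, under the post's own assumption that the laptop population stays constant.  The function names are my own.

```python
def percentage_point_difference(before_pct, after_pct):
    """The plain subtraction behind the "12% growth" claim: 52 - 40 = 12 points."""
    return after_pct - before_pct


def growth_rate(before, after):
    """Relative growth from the initial value, as the post computes it:
    (52 - 40) / 40 = 0.30.  Any fixed ratio (5,200 vs 4,000) gives the same answer."""
    if before <= 0:
        raise ValueError("growth rate needs a positive starting value")
    return (after - before) / before


def years_until_saturated(current_pct, rate, cap_pct=100.0):
    """Whole years of compounding at `rate` until the share reaches cap_pct.
    Assumes the number of laptops stays constant, as the post does."""
    if rate <= 0:
        raise ValueError("a non-positive rate never reaches the cap")
    years = 0
    share = current_pct
    while share < cap_pct:
        share *= 1 + rate
        years += 1
    return years


if __name__ == "__main__":
    # Survey figures from the post: 40% last year, 52% this year.
    print("percentage points:", percentage_point_difference(40, 52))
    print("growth rate:", round(growth_rate(40, 52), 2))
    print("years until every laptop is encrypted at that rate:",
          years_until_saturated(52, growth_rate(40, 52)))
```

    Run as a script, it reports 12 points, a 0.3 (30%) growth rate, and three years to exceed 100%, which is the projection the post makes.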

    Related Articles and Sites:
    http://www.theregister.co.uk/2011/11/17/encryption_deployment_survey/
    http://www.channelemea.com/spip.php?article4769
    http://www.eweekeurope.co.uk/news/uk-companies-dont-encrypt-enough-says-survey-46254

     
  • Password Strength: Entropy (How Those Password Strength Checkers Work)

    I've written about the need for computer users to employ better passwords over the years.  Since I try to keep the content light, I've tried to stay away from math.  On the other hand, the math in this case is not very hard.  In fact, it's much easier to digest than the math behind data encryption software like AlertBoot.

    How Do Password Strength Checks Work?

    If you're a user of Gmail, you've probably run across this at some point:

    I only use the above to give you an example.  I'm not saying that Gmail's password checker is optimal or anything (in fact, here's one critic of the Gmail password strength bar).

    Anyhow, how does Google know whether the password you've entered is poor, fair, or good, criticisms notwithstanding?  Well, it harks back to a concept known as password entropy.

    Entropy, of course, is a physical property that's associated with disorder.  The classic example is of a salad being tossed: as you toss it, the ingredients -- which were dumped in a bowl, sliced but in their respective forms -- take on the form of a tossed salad, and chances are they won't magically reconstitute themselves back into their original, albeit sliced, forms.

    When referring to password entropy, we're talking about the disorder of a password, i.e., how random the password can be.  The more random it is, the more secure it is.  How random, though?  Over the years, different ways of calculating a password's entropy have been developed.

    However, it all appears to link back to Claude Shannon, the father of information theory.

    His formula for the entropy of a password is based on the password's length and the entropy (essentially, the number of possibilities) of each character in that password:

    Password entropy = L * log2(n)

    Where "n" is the pool size of characters and "L" is the length of the password.

    The log function represents the "entropy per character."  For example, if your password can only contain lowercase letters, your n is 26 (a through z).  Using log2(n), you'll find that the entropy per character is 4.7 (with a unit of bits).

    • Upper and lower case gives you n = 52  (5.7 bits)
    • Upper and lower case, and numbers: n = 62  (5.95 bits)
    • Using all keyboard characters: n = 94  (6.55 bits)

    Your password entropy is dependent on how many of these you use together.  Obviously, the longer the password, the more entropy, and, hence, the more secure your password.  In theory.

    Just set some kind of limit to delineate what's poor, fair, good, etc. and you've got yourself a password strength checker.

    Limitations

    I say in theory because there are clear instances where this is not true.  Consider, for example, the RockYou hack from 2010.  In that hacking incident, a list of passwords stored by RockYou was published online.  The big controversy at the time was that these passwords were stored in plaintext.  But, every cloud has its silver lining: it was a chance to see what types of passwords were used by real people.

    The top ten passwords were:

    1. 123456
    2. 12345
    3. 123456789
    4. Password
    5. iloveyou
    6. princess
    7. rockyou
    8. 1234567
    9. 12345678
    10. abc123

    Based on our handy formula, #4 would be considered more secure than #10.  The truth, though, is that #10 is probably more secure than #4 (the latter being a plain dictionary word).  Of course, neither of them is actually secure.

    Or, take this example: let's say that you're comparing password A vs. password B:

    A. 111111111111111111111111111111111111111111111111111111111111111111111
    B. axC398zzz

    Under the formula, A is the stronger password due to its length.  In reality, B would be considered the stronger password.  (Actually, there is some room for debate here, since the point of contention would be whether a hacker would bother brute-forcing scenario A).

    What is Brute-Forcing?

    Brute forcing is when a given set of passwords is tried in sequence.  If "a" doesn't work, then try "b".  If that doesn't work, try "c".  Then "d".  Once you finish that round, you try "aa", "ab", "ac", and so on.  By doing it this way, you'll eventually try nonsensical passwords like "ddddddddddcacac" as well as perfectly good words like "invincible".  This is but one way of trying to guess a password.

    Hackers know that many people use passwords based on a word.  Oftentimes, it is a word.  Based on this, some brute-force using a dictionary (a list of words), where nonsensical words are stricken.

    "Dictionaries" can also include word-number combinations and other passwords that hackers come across, such as in the RockYou scenario.  Hence the warning that users change their passwords immediately in such events.

    Overcoming Limitations

    As I noted, any formula for determining the strength of a password starts with Shannon's insight into entropy.  But this formula is not used as-is.

    For example, if you go to sign up for a new Gmail account and type in my passwords A and B from above, you'll find that axC398zzz is "strong" while the repeating 1 (one) is labeled as "fair."  Other sites might think of it differently.
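    To make the post's formula, its limitations, and the kind of adjustment a checker has to make concrete, here is a Python example written for this page; it is not code from the original post and it is not Google's checker.  It computes L * log2(n) with the four character pools quoted above, then applies two constructed adjustments: a password on a breached list (here, the RockYou top ten from the post) scores zero, and a run of repeated characters counts as one character plus log2(run length) bits.  The strength bands are my own cut-offs, standing in for whatever thresholds a site picks.

```python
import math
import string
from itertools import groupby

# Character pools from the post: 26 lowercase, 26 uppercase, 10 digits and
# 32 other printable keyboard symbols, which together make the 94 it quotes.
POOLS = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)

# Constructed breach list: the RockYou top ten quoted in the post, compared
# case-insensitively so that "Password" and "password" both match.
LEAKED = {p.lower() for p in (
    "123456", "12345", "123456789", "Password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
)}


def pool_size(password):
    """n: the combined size of every pool that contributes at least one character."""
    chars = set(password)
    return sum(size for pool, size in POOLS if chars & pool)


def bits_per_character(n):
    """log2(n): 4.70 bits for n=26, 5.70 for 52, 5.95 for 62, 6.55 for 94."""
    return math.log2(n) if n > 0 else 0.0


def shannon_bits(password):
    """The post's formula taken literally: L * log2(n)."""
    return len(password) * bits_per_character(pool_size(password))


def effective_bits(password):
    """Constructed adjustment (not any vendor's algorithm): a leaked password
    scores zero, and a run of k identical characters is worth one character
    plus log2(k) bits, so a long string of ones no longer outscores a short
    mixed password purely on length."""
    if not password or password.lower() in LEAKED:
        return 0.0
    per_char = bits_per_character(pool_size(password))
    bits = 0.0
    for _, run in groupby(password):
        bits += per_char + math.log2(len(list(run)))
    return bits


def strength_label(bits):
    """Constructed bands; a real checker picks its own cut-offs."""
    if bits < 28:
        return "poor"
    if bits < 36:
        return "fair"
    if bits < 60:
        return "good"
    return "strong"


if __name__ == "__main__":
    password_a = "1" * 69        # a long run of ones, like the post's password A
    password_b = "axC398zzz"     # the post's password B
    for pw in ("Password", "abc123", password_a, password_b):
        raw, adj = shannon_bits(pw), effective_bits(pw)
        print(f"{pw[:12]:<12} L*log2(n)={raw:6.1f} ({strength_label(raw)})"
              f"  adjusted={adj:6.1f} ({strength_label(adj)})")
```

    Run as a script, the raw formula rates "Password" above "abc123" and the run of ones as strong, exactly the two anomalies the post describes; the adjusted score zeroes both leaked passwords and drops the run of ones to poor while B stays in the good band.  The breach-list check is the part worth keeping in practice: no amount of per-character entropy helps a password that is already on a list.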


    Related Articles and Sites:
    http://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength
    http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

     
  • Laptop Encryption Software: UK MoD Lost Over 150 Laptops In 18 Months

    The United Kingdom's Ministry of Defence has admitted to losing over 150 laptops in the past year and a half.  It has noted that "it is almost inevitable".  How pessimistic.  On the other hand, it's undoubtedly the reason why the ministry makes use of disk encryption software like AlertBoot.

    188 Devices Lost or Stolen

    The MoD has lost 188 laptops, with 20 of them recovered eventually.  The admission comes, according to the guardian.co.uk, as a response to stories in the media.  The MoD has noted that the loss of devices is "almost inevitable."

    While the MoD hasn't specified whether all of the lost devices were protected with encryption software, it has noted that,

    "Where encryption is not possible we ensure that additional security measures are in place," it said. "Processes, instructions and technological aids are being continually reviewed, revised and implemented to mitigate human errors and further raise the awareness of every individual in the department of their vital role in protecting MoD information and assets. The level of detail with which we record these incidents of loss and theft is indicative of the importance we place on this matter."

    It's a rare laptop that cannot be protected with cryptographic solutions.  I'm not saying such machines don't exist, but, knowing how government departments make their hardware purchases, it would be unlikely the MoD would chance upon such a machine (I would imagine one of their requirements would be that the equipment being purchased support or have the ability to be encrypted).

    Besides the laptops, the MoD has admitted to losing 18 phones, 10 BlackBerrys, and 194 disks (CDs and DVDs).

    Human Element the Weakest Link

    In computer security circles, it's said that people are ultimately the weakest link when it comes to data security.  True, there are bugs in any software or hardware; however, they can be fixed.  Over time, fixes here and there would end up producing a very strong, secure program.  Some think that creating a perfectly secure system -- from a software and hardware point of view -- is possible (I doubt this can be proven in theory; see Gödel's theorem).

    With people, though, plenty of psychological, neurological, and behavioral research shows that you can't have a person who isn't prone to making mistakes.

    In light of such evidence, it only makes sense to use technology in those areas where people come up short.  An already highlighted example: if you can't prevent people from losing laptops, at least ensure that any computer with sensitive data is being safeguarded with encryption software.

    (At least, because it's the least you can do in terms of actually protecting data.  Stuff like not doing anything or using password protection doesn't count, because it doesn't protect anything).


    Related Articles and Sites:
    http://www.guardian.co.uk/government-computing-network/2011/nov/25/mod-150-laptop-losses

     
  • Data Security: Korea's MapleStory (Nexon) Gets Hacked, Second Largest SK Breach

    South Korea has seen another massive data breach less than three months after its largest breach ever (Cyworld).  A backup server for MapleStory, an MMORPG particularly popular among teens and people in their 20s, was hacked.  Hackers made off with information for 13.2 million South Koreans.  Although MapleStory is a popular game around the world, this latest breach affected Koreans only.

    Nexon, the company that runs the game, has gone public with the breach, apologized, and recommended that people change passwords.

    Breach Timeline, Details

    After compiling the information from numerous sources, it looks like the hack and its aftermath progressed in the following way:

    • NOV 18 - Backup server for MapleStory is hacked
    • NOV 21 - Nexon suspects hack
    • NOV 24 -  Forensics completed, hack confirmed
    • NOV 25 - Korea Communications Commission notified of the breach; Nexon goes public with the story

    The breach affects 13.2 million game subscribers out of a total 18 million.  Again, only South Koreans' information was breached.  This breach is ranked the second largest in Korea, the largest being the Cyworld breach from three months ago.

    Stolen information includes account IDs, names, and encrypted resident registration numbers and passwords (I assume that the passwords were, technically, hashed, and not actually protected with encryption).

    Nexon also collects bank account numbers and other related information (for buying in-game items), but the company clarified that such data couldn't be breached because a third-party company takes care of such details.

    The government is investigating the incident, of course.  According to an unnamed government source, there are similarities to the Cyworld hack from three months ago.  Unlike that case, however, the hackers' IP addresses were domestic.  The Cyworld incident was tied to Chinese IP addresses.  At least one media outlet has claimed that this hack was an instance of an advanced persistent threat, where a company is targeted and attacked until the attack is successful.

    Criticism

    As breaches go, a 7-day turnaround from initial breach to public notification is not a particularly slow one.  In fact, it's pretty fast.  Yet, the Korean social media-sphere (or whatever terminology is being used nowadays) is slamming Nexon for being slow.

    It sort of reminds me of the Sony PS3 network breach: in that case, Sony had gone public in 8 days or so, and the on-line community's reaction had been about the same.

    Plenty of people are showing signs of "breach fatigue". There are more than a handful of instances where the reaction is a "meh, what's new?"

    A more germane criticism is that Nexon continued, throughout the week, to advertise limited-edition virtual items (to go on sale between Nov 24 and Dec 15) for the MapleStory game even as the company was conducting its forensic investigation.  The company chalked the incident up as an oversight due to personnel being focused on the breach, at the expense of everyday operations.

    Personally, I can understand that buying/selling such "items" didn't really pose a problem.  After all, it was a backup server that was hacked, and, again, money matters are handled by a separate company that hasn't been hacked.  From a public relations point of view, though, I've got to admit that it's a bit unusual.  I can only imagine that people in marketing weren't made aware of the hack until the company decided to go public with the information, in an attempt to control the message.


    Related Articles and Sites:
    http://www.koreatimes.co.kr/www/news/biz/2011/11/123_99573.html
    http://news.sbs.co.kr/section_news/news_read.jsp?news_id=N1001032800 (Korean)
    http://news.sbs.co.kr/section_news/news_read.jsp?news_id=N1001032873 (Korean)
    http://news.inews24.com/php/news_view.php?g_serial=620850&g_menu=020200 (Korean)
    http://news.jkn.co.kr/article/news/20111126/3591918.htm (Korean)

     