in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

February 2012 - Posts

  • Data Encryption Software: Avnet Servers Stolen, ICO Looking Into Breach

    The UK's Information Commissioner's Office is looking into a data breach that occurred in December 2011.  According to channelregister.co.uk, Avnet Technology Solutions suffered a data breach on December 21 when "unknown parties broke into" their offices.  Could the use of data encryption software mollified the ICO?  Probably.  Was it an option?  Well...maybe.

    Server Hard Disks Stolen

    The Haslingden, Lancashire offices of Avnet were broken into on December 21, 2011.  Server hard disks -- and not the servers themselves -- were stolen.  These contained data on staff and customers related to the acquisition of Bell Micro.  While channelregister.co.uk originally reported that addresses, bank account numbers, sort codes, passport numbers, and national insurance numbers were stolen, it was later contacted by Avnet, and a correction was issued: passport and national insurance numbers were not part of the stolen data.

    Avnet would not confirm how many people were affected by the breach, or how many hard disk drives were stolen.

    The thing about servers is that, generally, people don't want to use disk encryption software on them because of its negative impact on system resources.  It depends from server to server, of course: if a server is accessed every five seconds, then encryption software would probably not impact it negatively.  However, if the server is running at 100% all the time, then that computer needs all the resources that can be spared and then some.

    What kinds of servers were involved in the Avnet case?  We don't know.  We do know, however, that the breached data was probably not needed on a 24/7 basis.  Of course, what else was on these servers is unknown, so it's hard to decide whether encryption would have been a viable data security measure in this particular case.

    Servers Stolen All the Time

    Servers getting stolen -- in whole or otherwise -- is not a new phenomenon.  I've read of servers getting stolen; of their hard disks getting stolen; of data centers being broken into -- in one case, by putting an electric saw to the wall -- and everything inside getting stolen.  It's as if *gasp* thieves will steal just about anything.

    Obviously, the occurrence of server thefts is rather low -- physical security may have its shortcomings, but let's face it, it generally works -- but this is not a reason for being lax about using encryption on servers.  Even if disk encryption is not an option due to performance issues, care should be taken to at least use file or folder encryption to protect any sensitive data.  Relying solely on physical security (locks, cages, guards, etc.) is not an option in this day and age.


    Related Articles and Sites:
    http://www.channelregister.co.uk/2012/01/20/avnet_tech_solutions_break_in/
    http://www.channelregister.co.uk/2012/02/28/avnet_ico_data_breach/

     
  • Hard Disk Encryption: Victoria House Children's Centre Data Breach

    A staff member at Victoria House Children's Centre in Barnstaple, UK breached protocol (and data security laws) when a USB flashdrive was stolen from her.  Obviously, the use of drive encryption like AlertBoot would have prevented the breach from ever taking place.

    Such technological solutions are always preferable over what Action for Children (AFC) -- which runs the center -- was using: guidelines.

    "No Legitimate Reason"

    According to an AFC spokesperson, the employee had "no legitimate reason for [having] that information."  Furthermore, it was revealed that the employee

    ...would have known she was in breach of strict company policy, and the Data Protection Act 2008, which states staff are banned from copying people’s sensitive personal data and taking it off the premises.

    "We have very clear guidelines in place. She will have been under no illusion, given the nature of our work."  [thisisnorthdevno.co.uk]

    Approximately 45 families were affected by the breach -- about two percent of the center's users.

    Statistics are not Things That Happen to Other People

    Action for Children has been very good at pointing fingers at the employee, and for good reason, too.  But, in defense of the staff member, she wasn't exactly planning on having her handbag stolen (the same handbag that contained the USB drive).

    It can try to blame the employee all it wants, but it appears as if it has engaged in very weak security practices.  I mean, where is the encryption software?  Where is the computer port control?  Do they have data leakage prevention software in place, in case employees email themselves sensitive data?

    Guidelines and policies are important; however, the past five years (and then some) have shown that these are not enough from a data security standpoint.  Employees are an integral part of a company, and they've got to do their part, but so does the rest of the company by instituting technological safeguards.

    Just pointing to usage policies and guidelines when things go awry is the last bastion of those unprepared for a data breach.


    Related Articles and Sites:
    http://www.thisisnorthdevon.co.uk/Children-8217-s-centre-loses-sensitive-family/story-15177841-detail/story.html

     
  • Disk Encryption Software: UC Berkeley Says Secure Desktop Computers

    It's not very often that I run across an article where the author asks readers to encrypt desktop computers.  But, the Chief Privacy and Information Risk Officer at UC Berkeley is doing exactly that in a post.

    Short but Straight to the Point

    Ms. Ann Geyer, CPO and CIO at University of California, Berkeley, has this blog post up and running at berkeley.edu.

    In summary:

    • Computer theft is one of the top three causes of data breaches
    • Desktop computers need to be secured physically (cable locks, office doors locked, etc)
    • Desktops need to be encrypted as well
    • These are cheap compared to lawsuits

    There was a time when desktop computers were about three feet high, three-quarters of a foot wide, and weigh no less than twenty pounds.  The chassis of the computer came with a built-in hole through which one could run a metal cable wire, to prevent the removal of the chassis (and hence securing the computer's inner hardware) and to prevent the removal of the entire desktop.

    Spring forward to 2012: desktops are quite rare.  They are in use but they're about as big as laptops.  Heck, sometimes they're even smaller and lighter than laptops because a desktop doesn't have a built-in monitor to weight it down.

    And yet, there are people who'd install encryption software on their laptops "because they're portable" but don't think of doing so for their desktop computers that happen to be just as portable.  Why?

    After all, data security focuses on, as the name indicates, the security of data.  Desktop computers traditionally hold more data than laptop computers due to higher capacity hard drives.  They are also traditionally used longer (implying your average desktop model will be much older than your laptop), again leading to more data being stored.

    And yet, when most people hear "encryption," they think of mobile devices such as laptops, netbook computers, external hard drives, and other devices designed to be portable.  But data security is not about whether something is portable or not.  As Geyer notes:

    The more data that is stored on the computer, the greater the importance of physical security measures.

    The part on "...the more data that is stored...the greater the importance" also applies to encryption.  One could say this especially applies to encryption.  Encryption is, for the lack of a better word, useless if there isn't any data to be encrypted.  At least with physical encryption, even if there's no data to protect, you're preventing the theft of equipment.

    But, if there is data to protect...well, then, my friend, data encryption is what you want because any guy with a $25 cable cutter or hammer can get rid of physical security.  Breaking strong encryption?  It can't be any guy, and $2500 will not quite cut it.


    Related Articles and Sites:
    http://inews.berkeley.edu/articles/Apr-May2012/secure-desktop-computers

     
  • Fifth Amendment Rights: Forcing Defendants To Decrypt Drives IS Against The Fifth

    The Eleventh Circuit Court of Appeals has ruled that being forced to decrypt hard drives violates the Fifth Amendment, the right not to incriminate oneself.  I've covered two previous cases that deal with data encryption where it was ruled that being forced to decrypt hard drives did was not a violation of the same law.

    Despite the outcome, all three cases are consistent in their rulings.

    It IS a Violation and It ISN'T?  Isn't That Contradictory?

    Not really.  As I learned quite recently, the Fifth Amendment is very specific on the subject of self-incrimination.  Most people think of it as a right not to incriminate oneself under any circumstances, period.  But, that's not true.

    Otherwise, it would imply that you have the right not to let anyone to search your house, even with a warrant.  That should strike most people as obviously false: if the government has a warrant, then you have to let them search the house, even if there's evidence in the house implicating you of a crime.  The fact that you opened the door for the government can't be used as a violation of the Fifth later on.

    As I noted in one of my Fricosu Fifth Amendment coverage posts,

    The 5th amendment is a protection against compelled testimony incriminating oneself. However, you don't have a right to refuse to turn over incriminating evidence — such as documents, video or records of any type.

    I should note before I go on that I'm not a lawyer.  I'm just reporting here on what I've found out.

    The point is, the Fifth Amendment doesn't cover all evidence that could possibly implicate oneself; in specific instances where the government knows or can prove that evidence exists, the accused must produce that evidence.

    The two cases I covered before are Boucher and Fricosu.  In both cases, encryption software prevented access to evidence that the government knew was there.  In other words, the government wasn't just speculating that something might be there because, gosh darn hey, that thing is encrypted!  Something must be hidden there, right?

    The Eleventh Court's decision, on the other hand, involved a case where the government was only speculating.

    The Case: Relevant Details

    An unnamed man (John Doe) was subpoenaed to decrypt a laptop computer and five external drives suspected of containing child pornography.  The government was planning on using any information gleaned from the decrypted disks' contents against John Doe.

    John Doe refused, saying he would invoke his Fifth Amendment rights.  He was held in contempt and jailed.

    Some key observations:

    • It's not in dispute that the disks belong to John Doe.
    • There was no evidence that only John Doe had access to these drives.
    • There was no evidence that John Doe was able to decrypt the drives.
    • The government's forensic examiners could not recover any data because all of the disks were protected with encryption.
    • The forensic examiners could tell that there was "an 'enormous amount of data'", over 5 TB in total.

    All interesting stuff, but the following is the most telling (my emphases):

    Although they were unable to find any files, [forensic examiner] McCrohan testified that they believed that data existed on the still-encrypted parts of the hard drive....

    When pressed by Doe to explain why investigators believed something may be hidden, McCrohan replied, "The scope of my examination didn't go that far."  In response to further prodding, "What makes you think that there are still portions that have data[?]," McCrohan responded, "We couldn't get into them, so we can't make that call."  Finally, when asked whether "random data is just random data," McCrohan concluded that "anything is possible."  At the conclusion of the hearing, the district court held Doe in contempt and committed him to the custody of the United States Marshal. 

    The government's case appears to be, in essence, "you've got 5 TB of data.  You've downloaded child porn online.  There must be something there."

    Eleventh Court Answers: More of the Same

    John Doe appealed, and the Eleventh judged on the proceedings.  According to the Appellate Court's findings:

    ...We hold that Doe's decryption and production of the hard drives' contents would trigger Fifth Amendment protection because it would be testimonial, and that such protection would extend to the Government's use of the drives' contents.  The district court...erred in concluding that Doe's act of decryption and production would not constitute testimony

    The court obviously offers a detailed explanation (begins on the second half of page 10) .  But the gist of it is this: there is no foregone conclusion that the encrypted disks contain the material the government is seeking.  The government has no way of showing "that it had knowledge of the contents of the documents from a source independent of the documents themselves," assuming those documents do exist in the encrypted disks (emphases are from the original text):

    ...the question becomes whether the purported testimony was a "foregone conclusion."  We think not.  Nothing in the record before us reveals that the Government knew whether any files exist or the location of those files on the hard drives; what's more, nothing in the record illustrates that the Government knew with reasonable particularity that Doe was even capable of accessing the encrypted portions of the drives....

    To be fair, the Government has shown that the combined storage space of the drives could contain files that number well into the millions.  And the Government has also shown that the drives are encrypted.  The Government has not shown, however, that the drives actually contain any files, nor has it shown which of the estimated twenty million files the drives are capable of holding may prove useful.  The Government has emphasized at every stage of the proceedings in this case that the forensic analysis showed random characters.  But random 24characters are not files; because the TrueCrypt program displays random characters if there are files and if there is empty space, we simply do not know what, if anything, was hidden based on the facts before us....

    Case law from the Supreme Court does not demand that the Government identify exactly the documents it seeks, but it does require some specificity in its requests—categorical requests for documents the Government anticipates are likely to exist simply will not suffice....

    This is a critical difference from Boucher (where a government official saw the kiddie porn on the accussed's laptop before encryption kicked in) and Fricosu (where government officials have a recorded conversation where the accused notes there are files she doesn't want the government to see on her laptop).

    So, again, all three cases regarding the Fifth Amendment are consistent, even if the rulings are different.  So far, c'est la meme chose.

    Something New

    There is one notable result coming out of this latest case, however.

    The Eleventh Court of Appeals has ruled that "the act of producing decrypted documents is testimonial, not merely a physical act."  This has been something of a contentious point that hasn't been ruled on before, as far as I know (reminder: I'm not a lawyer).

    In the Boucher and Fricosu cases, the foregone conclusion doctrine was used, so the courts didn't really have to make a judgment on whether providing decrypted documents is testimonial or not.  Some argued that it was not testimonial, since the documents were already there, just encrypted.  This latest finding (which could be contested all the way to the Supreme Court) appears to settle the matter on what's what


    Related Articles and Sites:
    http://volokh.com/2012/02/23/eleventh-circuit-finds-fifth-amendment-right-against-self-incrimination-not-to-decrypt-encyrpted-computer/
    http://it.slashdot.org/story/12/02/24/1315230/us-appeals-court-upholds-suspects-right-to-refuse-decryption
    http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf

     
  • Disk Encryption Software: Preferred Skin Solutions Data Breach

    Reviewing a list of old stories I've missed over the past month, I see that a small skin care clinic, Preferred Skin Solutions, based out of Tulsa, Oklahoma has reported a data breach.  A computer was stolen, prompting the clinic to reach out to clients.  It's a situation that a simple remedy would have prevented: using drive encryption software like AlertBoot.

    However, the story is notable for how the clinic did things right.  Which one could say puts larger outfits with better resources to shame.

    We Always Shred Financial Information

    Thieves broke into the clinic on the night of January 24, 2012 and stole a laptop computer and a CD player.  The personal information for more than 400 clients were lost as a result.  Thankfully, no financial information was stored on the stolen laptop.

    The clinic's manager had this to say regarding financial information: "We've always made a point that we don't store anything like that on our laptop, and what we do is take their information one time and then we shred their information,"

    This is a smart move.  The best way to protect data against data breaches is to not store them.  Plus, such a procedure makes compliance with PCI-DSS immaterial, as far as data storage is concerned.  It's win-win for everyone, even for clients who face the annoyance of having to provide their information each time they visit the clinic, as subsequent events have revealed.

    However, this is a realistic option for businesses where volume is "low."  A company like, say, Walmart could never get away with this without adversely impacting their bottom line.

    What About Personal Data?

    There is the problem, however, of securing client data.  It wasn't revealed what kind of information was stored on the stolen laptop, but I would assume that at least first and last names were stored, as well as email addresses (clients were alerted of the breach via email).

    On the whole, such personal data is not deemed "sensitive" by most, and rarely is such data protected with encryption software.  However, seeing how identity theft is rampant across the world, and phishing attempts are made to gain such data on a global basis, it's always a good policy to keep this information secure. (Actually, for companies with hundreds of thousands of registrants, encrypting email addresses might be more than a good idea.)

    Had Preferred Skin Solutions used disk encryption software on their stolen laptop, I would have given them an "A+" as far as data security is concerned.


    Related Articles and Sites:
    http://www.phiprivacy.net/?p=8861
    http://www.fox23.com/news/local/story/Medical-records-stolen-from-skincare-company/GK1CwuUCB0qVJ1rpPn2CDA.cspx

     
  • Disk Encryption: UK East Lothian USB Stick Lost, Over 1000 Students Affected

    I'm late to the party as this story is concerned, but I thought it bore the marks of something that needed commenting.  Earlier this month, the East Lothian Council in the UK alerted the parents of 1,075 students that their children's information was lost.  A USB disk was lost by a council employee.  Data encryption like AlertBoot was not used on the device.

    The employee was in possession of the data in violation of council policies.

    Affects Schools in Dunbar, East Linton, Innerwick, Stenton and West Barns

    The council issued an unconditional apology.  According to them,

    A council statement said that "in breach of council policy, an employee downloaded the records on to a private memory stick for the purpose of working from home and later told the council that the stick had been lost. It is still missing despite every effort to find it." [eastlothiannews.co.uk]

    The information on the memory stick included children's names, school and class, emergency contacts, afterschool clubs, and possibly medical information, and affects 1,075 students in Dunbar, East Linton, Innerwick, Stenton and West Barns.  It was pointed out that the information was password-protected, although that makes a very poor substitute for encryption software.

    The person who lost the USB stick was not a teacher, but a staff member.  The employee has been suspended.

    Superglue for "Super" Security

    The introduction of USB ports on computers was a chicken-and-egg problem.  There were very few people using USB devices, so computer manufacturers didn't provide USB ports as a standard offering.  Since few computers had the ports, consumers didn't see a need to buy USB devices.

    This all changed when companies built USB ports on each model they sold.  There was an influx of USB device uptake by consumers...and companies all over the world started having data loss problems.  USB storage devices were tiny, drew power from the computer (no separate cord required), and had a relatively large capacity.

    Companies were facing a problem to which there was no answer.  Well, they update their data and computer usage policies, but people don't always follow these (as in the East Lothian story above).

    So, IT departments hacked up a solution: they superglued the USB ports shut using pieces of wood, plastic, pennies, etc.  It's unthinkable today due to the sheer variety of USB-based device offerings (and not just in the storage sector).  But back then, USB product offerings only included storage devices, mice, and keyboards.  And computers still had PS/2 ports.

    Today, we have lots of other gadgets.  But, that's about the only thing has changed in the equation.  People are still people doing people-ish things.  Data is still collected and worked on.  I'm not surprised that IT departments aren't supergluing USB ports anymore, but I am surprised that there are still organizations out there that are essentially using their computer usage policies to safeguard data, instead of using the appropriate tools like automatic USB encryption.


    Related Articles and Sites:
    http://datalossdb.org/incidents/5578-lost-memory-stick-contained-personal-details-of-1-075-young-children-attending-schools-in-the-dunbar-area
    http://www.eastlothiannews.co.uk/news/local-headlines/memory_stick_with_personal_information_about_children_goes_missing_1_2092754
    http://www.eastlothiancourier.com/news/roundup/articles/2012/02/09/423493-school-data-loss-apology/

     
More Posts Next page »