in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based data and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

AlertBoot offers a cloud-based data and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

March 2012 - Posts

  • Backup Tape Encryption: California Department of Child Support Services Breaches Data On 800,000

    Numerous, numerous sources are reporting that the California Department of Child Support Services breached the personal information of approximately 800,000 California residents when four backup tapes went missing when they were sent via FedEx from Colorado to California.  Needless to say, encryption -- the same that powers AlertBoot's laptop encryption software -- should have been used.

    I mean, this is not the first time that sensitive material goes missing when FedEx'ed.  What were all involved parties thinking?

    IBM, Iron Mountain to Blame

    The story is one centered around irony.  From washingtonpost.com (my emphases):

    The cartridges had been sent to IBM’s facility in Boulder as part of a disaster simulation, so the technology company could test whether it could run the state’s child support system remotely, said Christine Lally, a spokeswoman for the state’s Office of Technology Services.

    After testing was completed successfully, the data cartridges were to be sent back to California. Typically, secure transportation for sensitive materials are provided to the state through Iron Mountain but the company doesn’t fly, so FedEx transported the cartridges.

    A disaster simulation effects a disaster.  And, apparently the tapes were not protected with encryption software.  When are they simulating that scenario, the one where tapes go missing when shipped via FedEx?

    Snark aside, people really ought to evaluate such scenarios.  After hearing how FedEx lost radioactive rods, it kinda sticks in your head that it might be a good idea.

    The blame for the situation lies less with the California Department of Child Support Services, and more with IBM and Iron Mountain: the former was testing the disaster simulation, and the latter had been contracted to transport the data.

    You know, this is not the first time that Iron Mountain has been involved in the loss of data tapes.  There is this instance, where GE's backup tape went missing from Iron Mountain's storage facilities.  And this other one where a box of tapes, being transported by Iron Mountain fell of the truck.

    However, you can't blame Iron Mountain solely for the breach.  What were they supposed to do, send a driver from Colorado to California?  That's over 1,000 miles! Cost-wise, it doesn't make sense.  Of course they're going to ship it.

    Since Iron Mountain is only transporting the tapes, it fell upon IBM to ensure that the data in those tapes were protected in the event something went wrong.  It seems to me that IBM ought to have used encryption to secure the data before backing it up to the tapes.

    The California Department of Child Support Services should get a pass on this one because it's obvious that they contracted out the data security to IBM.

    What about FedEx?  They get a pass, too, because they're constantly losing stuff.  They're good, but they're not perfect, and they're not in the business of security...and everybody knows this.  To rely on FedEx to not cause a data breach on 800,000 people is going about security the wrong way.

    Affects More than Children

    Now, just because the data belongs to Child Support Services doesn't mean that the information affects children.

    The backup storage cartridges also contained addresses, driver’s license numbers, names of health insurance providers and employers for custodial and non-custodial parents, and their children. [washingtonpost.com]

    The California Department of Child Support Services is recommending that everyone monitor their credit reports and such.


    Related Articles and Sites:
    http://www.washingtonpost.com/business/technology/lost-data-may-have-exposed-private-details-of-800000-in-calif-child-support-system/2012/03/30/gIQAlDigkS_story.html
    http://www.ktvu.com/news/ap/financial-services/lost-data-cartridges-may-have-exposed-800k-in-ca/nLgZM/
    http://www.mercurynews.com/california-budget/ci_20284770/sensitive-personal-information-missing-800-000-california-residents

     
  • Laptop Encryption Software: Howard University Hospital Notifies 34,000 Patients Of Data Breach

    Howard University Hospital has sent a breach notification letter, as required under HITECH's Breach Notification Rule, to 34,503 patients.  A contractor's laptop, protected only with password-protection, was stolen.  Technically speaking, though, wouldn't this have been a data breach even if the contractor had used disk encryption software like AlertBoot to secure his laptop's contents, or even if his laptop hadn't been stolen?

    Contractor Violated Hospital and Federal Rules

    According to wusa9.com,

    The contractor, who stopped working for the hospital in December 2011, reported the theft of the laptop to police on Jan. 25. The contractor subsequently notified hospital officials...data varied in the types of information contained, but included some or all of the following: names, addresses, Social Security numbers, identification numbers, medical record numbers, birthdates, admission dates, diagnosis-related information and discharge dates.

    Most of the patients affected received treatment between December 2010 and October 2011.  Some data goes as far back as 2007.  Patients are being offered one year of free identity theft monitoring service.

    The site nbcwashington.com notes that,

    Howard University Hospital said the contractor violated hospital and federal rules by downloading the data onto the personal computer. It said new procedures are now in place to prevent this from happening again.

    The above statement leaves me wondering, "which federal rules?"

    Which Rule Was Violated?

    It can't be HIPAA / HITECH because it applies to covered-entities, and not business associates or contractors, as far as I know.  In fact, under this arrangement, it's correct to note that Howard University is in breach of HIPAA because they didn't have the security that stopped the contractor from accessing PHI; copying the data; or an auditing mechanism that alerted them of the contractor's actions.

    The only other law that I can come up with (and this is a surefire sign that I'm not a lawyer) is the Computer Fraud and Abuse Act, which is generally applied to hackers and such.  Plus, it wouldn't really apply in this case because it covers "federal interest computers" which are defined as:

    • exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
    • which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

    I'm not saying the contractor didn't do anything wrong.  If you're a contractor who deals with sensitive data, you really ought to be using encryption software on your work computer.  That the above contractor didn't do so could have had far-reaching effects:  for example, if he was offering his services at multiple institutions, he could have triggered a PHI data breach at other HIPAA-covered institutions as well.

    But, I'm wondering which federal rule he violated.


    Related Articles and Sites:
    http://www.nbcwashington.com/news/local/Stolen-Laptop-Howard-University-Hospital-Patients-Records-at-Risk-144635745.html
    http://huhealthcare.com/healthcare/hospital/data-breach
    http://www.wusa9.com/news/article/199008/158/Hospital-Acknowledges-Possible-Disclosure-Of-Patient-Records

     
  • Canada Disk Encryption: eHealth Data Breach Launches Internal Review

    According to cjme.com, eHealth Saskatchewan started a security review after computers to be disposed were mistakenly picked up by a computer refurbishing company.  It's incidences likes these that not only highlight the importance of drive encryption software like AlertBoot but show why encryption software is a valuable foundation on which to build an organization's data security policies.

    eHealth Saskatchewan said the computers were slated for recycling or reuse but were accidently collected by a computer refurbishing company....

    So far, 32 of the hard drives have been recovered and are being analysed to determine if any personal health information was stored on the.
    According to an initial inspection of the machines, no data had been accessed after the computers were picked up, the government said.
    The story suggests not only that the hard drives were not removed, but that the data on them were not erased.

    Further compounding the issue is that a total of 44 computers were taken by the refurbishing company, meaning some hard drives have yet to be recovered.

    This is why full disk encryption is valuable.  Unlike other data security solutions (for example, data loss protection software), disk encryption can be in place, and in force, until that point when a hard drive is crushed to pieces.  (The story also shows why you might want to keep in disk encryption in place until the very end).


    Related Articles and Sites:
    http://cjme.com/story/missing-ehealth-hard-drives-may-contain-personal-data/49817

     
  • Data Encryption Software: Citi Story Shows User Behavior Trumps Security In Unexpected Ways

    In certain security circles, it's said that people are the number one weakness when it comes to strong data encryption.  For example, it doesn't matter how excellent AlertBoot is when it comes to securing laptops' hard drives, it won't be of much use if users are able to set their password as "12345."

    Such failures do not pertain only to users.  It can extend to administrators as well, as Buzzblog relays to us in what could be an apocryphal story (although the author has gotten assurances that it's perfectly true).

    Online Comic's Story Goes Viral

    According to Paul McNamara at Buzzblog (networkworld.com), a web comic author put up a story based on his experience at a Citibank call center.  The artist later pulled the post, but not before nearly one million people saw it (and no doubt, shared it).

    Long story short: despite working a completely locked down environment -- in every sense of the word: physically, communication-wise (no phones or email), etc -- he found that certain websites were available.

    See, the employees needed to access the sites for the company they worked at. CitiBank, CitiMortgage, CitiFinancial... but since the company was constantly expanding, their IT department had decided that rather than keep updating the firewall, they would simply allow any site that started with the letters CITI, assuming that they would probably own it.

    The above shows more than people being lazy or stupid or any other pejorative you can think of: it shows how people approach risk management that, to a certain degree, is quite logical: Chances are that something won't happen, so we'll set draft security procesures to ignore it.

    Such flawed reasoning extends to laptop and device security as well:

    • Chances are that we won't have a break-in and people won't steal our desktop computers, so laptop encryption yes, desktop encryption no.
    • Our DLP solution prevents underlings from having sensitive data, so bigwigs' computers are secured with disk encryption, underlings laptops not so much.
    • Employee laptops user a VPN and virtual environments for accessing company data, so laptop security (be it antivirus or encryption software) is not necessary.  (What about screenshots and malware that records the screen?)

    You can't protect yourself against all threats, obviously; you have to draw a line somewhere.  However, you have to be prudent on where you draw the line.  Making the assumption that the CITI group will own all domains that start with "citi," or that employees' laptops won't be the source of a data breach because "they're not supposed to have that data" are line-drawing zones.  As the "consumerization of IT"* gathers steam, expect such issues to pop up more often.


    *Strunk and White must be rolling in their graves.

    Related Articles and Sites:
    http://www.networkworld.com/community/blog/firewall-fail-tale-both-funny-and-sad

     
  • External Drive Encryption: Kaiser Permanente Employee Data Breached

    According to a number of sources, including datalossdb.org and databreaches.net, a hard drive with information on Kaiser Permanente employees was found at a second-hand store in California.  Obviously, the use of data encryption software like AlertBoot would have prevented this breach.

    Because the information belonged to an HMO, you might be under the impression that this is a HIPAA data breach.  It's not.  Perhaps that's why it took nearly 6 months to notify the affected.

    Original Story Doesn't Show Up Anymore

    The original story that everyone is referencing can't be found anymore, at least at the time of this post.  I tried following the link and it gives me a 404 error notice.  Thankfully, I found a Google cache of the story, reproduced here:

    Wednesday, current and former employees of Kaiser Permanente started receiving letters in the mail telling them their personal information was found in a second hand store in California.

    A former employee who called KXL to talk about the letter said it is very concerning, "It's like a little gold mine of information that's out there now."

    Maryann Schwab with Kaiser Permanente says names, phone numbers, social security numbers and other personal information was found on a non-Kaiser external hard drive in September of 2011.  The person that bought the hard drive called Kaiser and is (sic) gave the hard dive (sic) up to police.  "The information on the hard drive was downloaded to it in 2009" said Schwab, "since then KP has taken steps to bolster the fire wall for sensitive data."

    Further details such as how many people were affected were apparently not shared.

    The story brings up a number of questions.  First, what does a firewall have to do with anything?  Couldn't the data have been copied by, say, connecting an external disk drive to KPs computers, be it the drive above, or something even more portable (such as a USB key drive) and subsequently transferring the data to the hard drive?

    Or, it could be a case where sensitive data is shared between KP and third-parties, as is the case for most companies that outsource jobs to vendors.  For example, seeing how it's employee information that was breached, perhaps the drive belongs to a firm that concentrates on resolving or optimizing employee insurance matters.  A firewall would mean nothing in this case since data is being sent outside on purpose.

    Second, where did this hard drive come from?  Was it sold by the original owner of the drive?  Was it stolen from someone that was authorized to have the data?  If the latter, why didn't they use external computer disk encryption to secure the data?  It would remiss to authorize someone to have data on a portable drive and not securing it properly.

    Employee Info Not Covered Under HITECH Notification Rule: Case is Proof That Mandatory Breach Notification Laws Serve a Purpose?

    According to databreaches.net, and I know this to be true myself, the HITECH Breach Notification Rule doesn't cover data breaches that involve employee data at HIPAA covered-entities.

    That is, if a hospital's computer is stolen and it contains patients' sensitive data, a breach notification letter must be sent within 60 calendar days.  However, if the computer next to it is also stolen, and this one only contains employees' sensitive data, there's no such requirement to send them a breach notification within the same period.

    You might it's crazy.  I think many would agree with you.  That includes yours truly.  But that's how things stand in many states.  The proffered reason is that the employees would be taken care of by a different set of laws; many states don't have such laws, or fall short of what HITECH requires.

    Without more details, it's tough to judge what the 6-month delay represents.  Did law enforcement ask KP to temporarily abstain from sending notifications, as it could interfere with their investigation?  Or does this represent Kaiser taking their time to figure out how the breach took place, what was stolen, etc.?

    I can't argue that, when notifying those whose data was breached, it's best that as much information is given to them.  I certainly would appreciate it over a letter that effectively states "we don't know how, where, or by whom, but your information was found on a hard drive in some second-hand store in California."  I mean, it's not particularly helpful.

    At the same time, there is something as taking too much time.  In fact, when the Department of Health and Human Services asked for feedback regarding their interpretation and implementation of HITECH, there were complaints that 60 calendar days may not afford time to figure out the whys and hows of a data breach.

    However, HHS stuck to the 60 days, noting that the point behind breach notification letters is to let patients know of the breach and give them a chance to protect themselves.  The longer one takes to notify patients, the greater the chances that they will be notified after being victimized.  And what's the point in that?


    Related Articles and Sites:
    http://www.databreaches.net/?p=23684
    http://datalossdb.org/incidents/5894-names-phone-numbers-social-security-numbers-and-other-personal-information-was-found-on-a-non-kaiser-external-hard-drive-sold-in-a-second-hand-shop

     
  • Mobile Security: Sell Used iPhones, BlackBerrys. Crush Used Android Devices

    According to a McAfee identity theft expert, you have nothing to fear from the sale of a "wiped" BlackBerry device or an Apple iPhone.  But, you might want to think twice about selling your Android device.  The same applies to Windows XP machines (but honestly, the use of drive encryption software like AlertBoot would easily fix any concerns related to "wiped data" on laptops running XP -- or any other operating system, for that matter).

    Not the Most Thorough Sampling in the World

    Contracostatimes.com relays a little survey carried out by Robert Siciliano, identify theft expert at McAfee.  Siciliano purchased 30 electronic devices from -- where else? -- Craigslist in order to see what type of personal data he could unearth from second-hand digital electronic devices.  It's not what I would call a representative sample, especially seeing how he uses only the 30 to discuss five different "operating systems": BlackBerry OS, iOS, Android OS, Windows 7, and Windows XP.  That's six devices per OS.  (Plus, if your sample is from CL, chances are you're sampling your neighborhood -- your city at best.  No way your sample is representative of what's going on in the US).

    But, long story short: from 15 devices he couldn't get anything.  From the remaining 15, he:

    was able to get bank account information, Social Security numbers, court documents, credit card account log-ins and a host of other personal data off those devices with not much effort.

    And the worst part? Most of those devices had already been "wiped" by their previous owner -- meaning all personal files had been deleted and the user had restored the device's factory settings as per the manufacturer's instructions.

    It turns out that BlackBerrys (BB) and iPhones did an excellent job when it came to wiping data, as did Windows 7 laptops, whereas laptops running Windows XP and Android devices did not.

    Of course, BB is celebrated for the implementation of data security.  Indeed, it's one of the main reasons why it was the device of choice in corporate settings during the early 2000s.  As for iPhones and other iApple-thingamajingy's, all of their devices come with hardware encryption built-in (AES-256).  Because the encryption is running fulltime, "wiping data" is just a matter of losing the encryption key.

    My understanding is that most, if not all, Android devices also come with hardware encryption, just like the iOS devices...but, there are so many forks to the Android OS, I can see how certain manufacturers did not do their homework when it comes to securing their devices.  In fact, even as the US's National Security Agency was releasing their specification sheets for a secure Android device, they were commenting that:

    [the] NSA has some misgivings about Android at any rate because the intelligence agency discovered that the phone manufacturers of Android smartphones are themselves changing the Android OS so much, that "Android is not Android. It's whatever the maker of the phone decides to put in."

    As for laptops and desktops, many people are confused on what it means to wipe data.  Some believe that formatting a hard drive will do the trick.  Nothing could be further from the truth.  The only way to "wipe" data saved to a computer's disk is to write it over with other data, such as with a string of zeros.

    An alternate data security option?  Do what Apple or BB does with their devices but for your laptop computers: use full disk encryption to protect the hard disk.


    Related Articles and Sites:
    http://www.contracostatimes.com/business/ci_20243032/mcafee-identity-theft-expert-which-devices-are-safe

     
More Posts Next page »