AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web-based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, and USB drive and hard disk encryption managed services.
September 2012 - Posts

  • A Case For Mobile Data Security Software: Employee Actions Still #1 When It Comes To Data Breaches

    According to a new survey of 7,000 IT executives and employees, most data breaches are caused by "mundane events" (news.idg.no), such as devices being lost or stolen.  It's the reason why solutions like AlertBoot Mobile Security, which protects companies from experiencing breaches due to the loss or theft of smartphones and tablets, are so in demand.

    Loss and Theft Account for 31% of Breaches

    The survey by Forrester Research, as reported by idg.no, shows that:

    • 31% of breaches are due to employees losing devices, or being victims of theft
    • 27% mentioned "inadvertent misuse by an employee"
    • 25% quoted external attacks
    • 12% noted malicious attacks by insiders

    These results are quite unsurprising.  Over the past five years or so that I've been tracking such surveys, the loss of laptops and other portable data storage devices ranked as the top reason for a data breach, survey after survey (with one or two exceptions).

    With the BYOD trend gaining momentum, we can expect the numbers to rise higher.  Or can we?  Something I've been musing about lately is the fact that, unlike most laptop computers, today's smartphones and tablets come with great protection built-in from the start.

    iOS and Android smartphones and tablets, for example, ship with device encryption that -- while not yet vetted and approved by formal agencies -- uses the same kind of technology that stymies law enforcement agencies trying to gather evidence.  The caveat is that it only helps when it is actually turned on and tied to a passcode: on iOS the hardware encryption is always on, but the per-file Data Protection keys depend on a passcode being set, and on Android (3.0 and later) full-device encryption is an option that the user or an MDM policy has to enable.  On the other hand:

    The commonest form of mobile device security is password entry plus remote lock and wipe with almost a quarter admitting they haven't started using any form of data protection at all. [idg.no]

    No amount of protective tooling will safeguard your data if you don't use it.  And not using it is a great way of increasing the odds of a data breach.

    MDM to the Rescue

    Thankfully, one doesn't have to leave it up to employees to use their devices' built-in security.  With an MDM (mobile device management) solution, many aspects of a device's security and operation can be controlled centrally.  For example, with AlertBoot Mobile Security, an administrator can require that a password or passcode be set on each device, block certain apps from being installed, and detect whether a particular device has been rooted or jailbroken.

    To learn more about AlertBoot Mobile Security, visit us at alertboot.com.

    Related Articles and Sites:
    http://news.idg.no/cw/art.cfm?id=BF6999BD-B339-F3D2-006128291C1BEC20

     
  • Mobile Security: 73 Percent Of SMBs In US Looking To Buy Tablets

    Nearly three-quarters of small and medium businesses in the US are looking to purchase tablets in the next 12 months.  And it's understandable why: the extremely portable, always-on devices make it easy to get tasks done from anywhere.  And yet there is cause for concern, since each device is a vector for data breaches and information leaks.  The same level of enthusiasm, one hopes, will also be focused on mobile data security like AlertBoot's.

    The Bigger They are, the Bigger the Investment

    According to techweekeurope.co.uk, a survey by The NPD Group of companies with fewer than 1,000 employees found the following:

    • 73% of companies will purchase tablets for employees in the next 12 months.
    • This is up from last year's figure of 68%.  Of the companies that purchased tablets in the past 12 months, 90% will spend the same amount or more on tablets in the next 12 months.
    • The average purchase will be more than $21,000.
    • Firms with 501 to 999 employees will spend approximately $39,000 in the next 12 months.
    • Firms with fewer than 50 employees will spend less than $2,000 on new tablets.

    The conclusion, based on the report, appears to be that most SMBs that have jumped on the tablet bandwagon have not experienced any reasons to discontinue their enthusiasm in snapping up the devices.

    Mobile Device Security: Like That Extended Warranty

    Extended warranties, the saying usually goes, are a scam because most people don't need them.  Except, of course, if you are the proud owner of a high-end electronic device that's been designed to accompany you wherever you go, like a smartphone or a tablet such as the iPad.

    Why?  Unlike the CRT TV I bought during my college years -- which was ponderous and stayed in one place -- tablets and other mobile devices travel.  That means a higher risk of the device being lost, stolen, sat upon, stepped upon, dropped, or otherwise crushed or broken.  Most people (defined as more than half of any given statistical population) may not need extended warranties for such devices, but you won't find as many making the "scam" observation.

    Mobile device security software -- AlertBoot's includes an MDM platform with antivirus software, remote wiping and locking capabilities, secure Wi-Fi provisioning, and a multitude of other features meant to secure smartphones and tablets -- is kind of like an extended warranty, except it makes even more sense to sign up for it, especially if devices are being purchased as part of a BYOD-like initiative.


    Related Articles and Sites:
    http://www.techweekeurope.co.uk/news/smbs-favouring-tablets-with-ipad-topping-wish-list-51766

     
  • Data Security: IEEE 100K Username And Password Breach Analyzed By Whistleblower

    Radu Dragusin, who on September 24 alerted the IEEE (Institute of Electrical and Electronics Engineers) that they were inadvertently exposing members' usernames and plaintext passwords, has released an analysis of the breached data.  Conclusions based on what I've read:  (1) IEEE members are human, (2) a site's logs should be guarded carefully (and set up correctly), and (3) something's up in Ecuador.

    Of course, I'm not listing the biggest, most obvious conclusion: data security tools, such as AlertBoot's Mobile Security, can only do so much.

    How the Breach Came To Be

    According to Dragusin, he happened upon web server logs that the IEEE had left on a publicly accessible FTP server:

    Due to several undoubtedly grave mistakes, the ieee.org account username and plaintext password of around 100,000 IEEE members were publicly available on the IEEE FTP server for at least one month. Furthermore, all the actions these users performed on the ieee.org website were also available. [ieeelog.com]

    In the logs, he found 422,308 entries that showed both the username and password.  Of these, 99,979 were unique.  The directory holding the log files contained 100 GB of data.

    As discussed previously, stored passwords need to be hashed (with a per-user salt), although that alone doesn't mean they cannot be figured out (more on this later).  Hashing the credential database also does nothing for a password that is written in the clear to a web server log on its way in.

    In essence, the breach came down to a misconfiguration plus chance: someone at IEEE forgot to apply the correct access restrictions to a directory, and a security researcher happened upon it.

    I would imagine that the IEEE properly protected their actual list or lists of usernames and passwords (usually, it's only the password that gets hashed).  But they still had a plaintext password breach because they weren't fully aware of where their data was ending up: the logs recorded the credentials as members submitted them.

    IEEE: Smart People but Still Human

    One would imagine that members of the IEEE, whom Dragusin points out "are highly [specialized] individuals, many of them working in critical industry, governmental and military projects" would be more security-conscious about, well, everything.  And yet, an analysis of the top passwords shows that this is not necessarily the case.

    According to Dragusin, the top 18 most used passwords are, in descending order:

    1. 123456
    2. ieee2012
    3. 12345678
    4. 123456789
    5. password
    6. library
    7. 1234567890
    8. 123
    9. 12345
    10. 1234
    11. ADMIN123
    12. IEEE2012
    13. student
    14. ieee2011
    15. SUNIV358
    16. Password
    17. abcd1234
    18. admin

    With the exception of library, student, and SUNIV358 (the last one being an interesting choice; does it represent a university and course number?), the list should look familiar to anyone who's taken the time to analyze a password dump.  (As an aside: some of these passwords are shorter than 6 characters, which suggests the site wasn't enforcing even a minimum length, at least when those accounts were created.)

    In fact, it's the usual heavy-tailed (power-law) distribution at work: the top password, 123456, represents 0.3% of the exposed passwords.  If you look at past breaches, like Gawker's, you'll notice that the top password also represents about 0.3% of all compromised passwords: around 3,000 out of 1,000,000 were "123456" (the same top password at IEEE's site).

    As I noted earlier (and elsewhere), hashing passwords does not buy total security -- not that I'm advocating against hashes.  But there are limits to what a hash provides.  Gawker's breach tells us that 123456 is a common password, and it sits in the top 20 at IEEE too.  So, had IEEE's logs contained hashes instead of plaintext, an attacker could still have exploited that, provided the hashes were unsalted (or used a single site-wide salt): count how often each hash string repeats, take the top 20, and work out which one is 123456 by trial and error (the usernames are right there to try the guesses against).  A random per-user salt defeats this frequency shortcut, because two members who both chose 123456 no longer share a hash.  What salting does not do is protect a password that weak from a plain dictionary attack: hashing each candidate with a given user's salt still recovers it in moments, and a slow hash like bcrypt only makes that somewhat slower.
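    The frequency-analysis shortcut above, and the reason a per-user salt defeats it, as an added example written for this page (not Dragusin's tooling, nor anything IEEE ran).  The records and the candidate list are constructed; SHA-256 is used only so the output is reproducible, not as a recommendation for a password store, which should use a slow KDF such as bcrypt or PBKDF2.

```python
"""Frequency analysis of a leaked password table, with and without a per-user salt.

Added example; the records below are constructed, not IEEE or Gawker data.
"""
import hashlib
import hmac
import os
from collections import Counter

# Constructed leak of (username, plaintext password), loosely modelled on the
# top-password list above. A real dump from a properly built site would expose
# (username, salt, hash) instead; the plaintext is here only to build both cases.
SAMPLE_RECORDS = [
    ("u01", "123456"), ("u02", "123456"), ("u03", "123456"), ("u04", "123456"),
    ("u05", "ieee2012"), ("u06", "ieee2012"), ("u07", "ieee2012"),
    ("u08", "password"), ("u09", "password"),
    ("u10", "library"),
    ("u11", "Tr0ub4dor&3"), ("u12", "correct horse battery staple"),
]

# Candidate list an attacker brings from earlier public breaches (assumption:
# the attacker knows the usual top entries, which is the point of the post).
CANDIDATES = ["123456", "password", "12345678", "ieee2012", "qwerty", "library"]


def hash_unsalted(password: str) -> str:
    """Unsalted SHA-256: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """SHA-256 over a random per-user salt followed by the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def leak_unsalted(records):
    """What the attacker sees if the site stored unsalted hashes."""
    return [(user, hash_unsalted(pw)) for user, pw in records]


def leak_salted(records):
    """What the attacker sees if the site stored (salt, hash) per user."""
    rows = []
    for user, pw in records:
        salt = os.urandom(16)
        rows.append((user, salt.hex(), hash_salted(pw, salt)))
    return rows


def top_hashes(hashes, n=3):
    """Count repeated hash strings; returns the n most common (hash, count) pairs."""
    return Counter(hashes).most_common(n)


def crack_by_frequency(leak, n=3):
    """The shortcut described in the post: rank hashes by how often they repeat,
    then match the most common ones against the candidate list. Works only when
    identical passwords collide into identical hashes, i.e. no per-user salt."""
    lookup = {hash_unsalted(c): c for c in CANDIDATES}
    return [(lookup.get(h), count) for h, count in top_hashes([h for _, h in leak], n)]


def crack_by_dictionary(salted_leak):
    """Per-user salts kill the frequency shortcut, but a weak password is still
    recovered by hashing each candidate with that user's salt. Returns
    {username: password} for every account the candidate list breaks."""
    cracked = {}
    for user, salt_hex, stored in salted_leak:
        salt = bytes.fromhex(salt_hex)
        for candidate in CANDIDATES:
            if hmac.compare_digest(hash_salted(candidate, salt), stored):
                cracked[user] = candidate
                break
    return cracked


if __name__ == "__main__":
    print("unsalted, by frequency:", crack_by_frequency(leak_unsalted(SAMPLE_RECORDS)))
    salted = leak_salted(SAMPLE_RECORDS)
    print("salted, largest repeat count:", top_hashes([h for _, _, h in salted], 1)[0][1])
    print("salted, by dictionary:", len(crack_by_dictionary(salted)), "of", len(salted))
```

    Run it and the unsalted table gives up 123456, ieee2012 and password from the repeat counts alone, the salted table shows every hash exactly once, and the per-user dictionary pass still breaks ten of the twelve accounts.  The two it misses are the only ones whose passwords aren't on the candidate list.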

    What's Going on in Ecuador?

    This has nothing to do with data security, but I noticed that Ecuador appears to be a hotbed of IEEE member activity: in a map showing the geographic location from where people were logging in to the IEEE site, based on the breached log data, of course, the relatively small South American nation shows up as a hotbed of pink-hot activity in a sea of yellows and blues.

    (Why do I mention it?  No reason; just thought it was interesting, that's all.  Personally, I would have expected to see Brazil as another outlier to what I'm calling "the crimson band," but perhaps it's because its numbers are spread out.)


    Related Articles and Sites:
    http://ieeelog.com/
    http://it.slashdot.org/story/12/09/25/1356211/data-breach-reveals-100k-ieeeorg-members-plaintext-passwords

     
  • BYOD Security: Most Samsung Phones Currently Vulnerable To Remote Wipe Hack

    While doing a presentation at a security conference in Argentina, a German researcher showed how certain Samsung smartphones running Google Android could be forced to perform a factory reset, wiping the handset's contents, just by visiting a malicious site.  This is more than a smartphone security issue, though: it's a story that shows how BYOD security can be brought to a screeching halt by slow-moving parties.

    Samsung Touchwiz at Heart of Problem

    It should be noted that the hack affects only Samsung smartphones, and not all of them.  At the core of the problem is Samsung's TouchWiz user interface.  Apparently, its dialer has been set up so that a USSD code handed to it, including the one for a factory reset, runs automatically.  As far as I can tell, pcmag.com has the best description of what's going on:

    On Tuesday, researcher Ravi Borgaonkar demonstrated how he wiped out a Samsung Galaxy SIII simply by opening a website containing an HTML tag for a call function, and replacing the telephone number with the USSD [Unstructured Supplementary Service Data] code for a factory reset. USSD codes are commands that are executed by entering them in your keypad—for instance if you dial #*#INFO"*" you can access certain menu settings. For every Samsung phone running Touchwiz, there's a unique set of USSD codes that performs various commands.

    The problem appears to lie within both the Samsung dialer and Touchwiz's stock Android browser. Unlike most dialers, Samsung's automatically makes the call while others still require the user to hit "send."
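    To see what a page like the one described above looks like to a scanner, here is an added example (not the researcher's demo, and not Samsung or pcmag code) that walks an HTML document, pulls out every tel: URI, decides whether the "number" is actually a USSD/MMI code, and notes whether the element would fire without a tap.  The HTML is constructed; it uses *#06#, the standard GSM code that merely displays the IMEI, rather than any reset code.  Treating iframe src and meta refresh as no-interaction triggers is my assumption about how such a page would be built, not something the articles above spell out.

```python
"""Find tel: URIs in HTML and flag the ones that carry USSD/MMI codes.

Added example; the HTML below is constructed and uses *#06# (IMEI display).
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A USSD/MMI string starts with * or # and ends with #; a phone number does not.
USSD_RE = re.compile(r"^[*#][0-9*#]*#$")

# Attributes that can carry a URI, and tags that load their URI without a tap
# (assumption about typical drive-by construction, not taken from the articles).
URI_ATTRS = {"href", "src", "data"}
AUTO_LOAD_TAGS = {"iframe", "frame", "embed", "object", "meta"}


def classify_tel_uri(uri: str) -> str:
    """Return 'ussd', 'number' or 'not-tel' for one URI (percent-encoding undone)."""
    uri = uri.strip()
    if not uri.lower().startswith("tel:"):
        return "not-tel"
    target = unquote(uri[4:]).strip()
    return "ussd" if USSD_RE.match(target) else "number"


class TelLinkScanner(HTMLParser):
    """Collect (tag, attribute, uri, kind, auto_load) for every tel: URI."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            candidates = []
            if name in URI_ATTRS:
                candidates.append(value)
            elif tag == "meta" and name == "content":
                # <meta http-equiv="refresh" content="0;url=tel:...">
                match = re.search(r"url\s*=\s*(.+)$", value, re.IGNORECASE)
                if match:
                    candidates.append(match.group(1))
            for uri in candidates:
                kind = classify_tel_uri(uri)
                if kind != "not-tel":
                    self.findings.append((tag, name, uri, kind, tag in AUTO_LOAD_TAGS))


def scan_html(html: str):
    """All tel: URIs found in the document, in source order."""
    scanner = TelLinkScanner()
    scanner.feed(html)
    return scanner.findings


def ussd_findings(html: str):
    """Only the tel: URIs whose target is a USSD/MMI code."""
    return [f for f in scan_html(html) if f[3] == "ussd"]


# Constructed page: one legitimate call link, one USSD link that needs a tap,
# and two elements that would hand the code to the dialer on page load.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0;url=tel:*%2306%23">
</head><body>
<a href="tel:+14155550100">Call support</a>
<a href="tel:*%2306%23">Show IMEI</a>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, uri, kind, auto in scan_html(SAMPLE_HTML):
        print(f"{tag:<6} {attr:<7} {kind:<6} auto_load={auto}  {uri}")
```

    On the constructed page the scanner reports four tel: URIs, three of them USSD codes, and two of those (the meta refresh and the hidden iframe) as firing on load.  On a handset whose dialer still executes codes without a confirmation step, those two are the ones that matter; the plain link at least needs a tap.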

    The Fix: Already Here

    A quick "fix," according to a comment I've read, is to have two dialers on the phone.  This way, Android will always prompt which one to use, interfering with the autodial aspect.  However, a hack to the hack should not be necessary because the vulnerability was disclosed "to manufacturers and carriers in June, and a patch for the firmware was quickly released," according to pcmag.com.

    So, technically, the screw-up is not with Samsung.  In fact, TeamAndIRC confirmed via Twitter that "the USSD code issue in the SGS3 is patched, and has been for some time. Current i747 and i9300 firmware are not vulnerable."  This means that the Galaxy S III on AT&T (i747) and the European Galaxy S III (i9300) are not vulnerable as the news makes its way around the internet, and it confirms that a fix exists.

    What's keeping the other carriers?  It might be Samsung's vulnerability, but it feels like the carriers' screw-up.

    I don't get it.  BYOD promises to be the next big trend in business, which means it will push more people towards adopting smartphones.  Hardware manufacturers are obviously salivating over the possibilities, and so, too, must be the carriers.  Why are they working so hard to hamstring themselves by letting easily fixable things like this fester?


    Related Articles and Sites:
    http://securitywatch.pcmag.com/none/303097-dirty-ussd-hack-wipes-samsung-phones-is-yours-vulnerable
    http://www.cnet.com/8301-17918_1-57519690-85/multiple-samsung-handsets-vulnerable-to-remote-wipe-hack/
    http://androidcommunity.com/some-samsung-handsets-vulnerable-to-factory-wipe-hack-20120925/

     
  • UK BYOD Protection: Information Commissioner's Office Seeking Custodial Sentences, Clarifies Monetary Penalty Not About Data Breaches

    The Deputy Information Commissioner David Smith, from the UK's Information Commissioner's Office (ICO), made an appearance at the 13th Gartner Security and Risk Management Summit in London.  Among other things, he noted that the ICO is still actively seeking custodial sentences -- another way of saying jail time -- for data breaches, and clarified that the large monetary penalties are not actually about the breaches themselves but about the security failings behind them.

    Long story short: if you're dealing with personal data, as defined under the Data Protection Act, it's wise to use mobile security software like AlertBoot so that the loss or theft of a device doesn't escalate into a reportable breach and an enforcement action.

    Custodial Sentences: Even Worse than Fines is a Little Cell

    During the summit, Smith admitted that the ICO was "'pressing for' custodial sentences for malicious data loss," according to scmagazineuk.com.  The technology-geared site noted that Smith also said,

    ...it [the ICO] had powers of criminal prosecution, but they were not its 'primary way of enforcing the law' as its only power was to fine.

    I've actually covered this before.  In a previous blog post I noted that, regarding penalties for DPA violations,

    The Information Commissioner's Office has been seeking custodial sentences for people who endanger personal data since 2006, and the recent and past trends seem to further strengthen the ICO's position.

    And in a separate post more focused on the lack of prison sentences for those who breach the UK's DPA,

    In October 2011, British politicos openly supported giving the ICO the ability to hand out prison terms to those who break the DPA.  This Information Commissioner had been very publicly asking for such powers since at least early 2010.

    However, a little-known fact is that Parliament has already voted on this issue and approved it: the Secretary of State was given the power to introduce custodial sentences in the Criminal Justice and Immigration Act 2008.  That power has yet to be brought into force, however.

    When can the ICO expect to see a power that has been sitting on the shelf for whatever reason actually implemented?  According to Smith, "the government will have to introduce legislation, but I don't think it will be less than 18 months" (my emphasis).

    Smith added the observation that it would be hard to hand out such a sanction:

    "You can't jail an organisation," said Smith. "And when these are organisational failures, it's very hard to say that one person in the organisation was so responsible for this failure that they're criminally liable. [A custodial sentence requires] proof beyond all reasonable doubt, whereas here we're talking about balance of probabilities." [computing.co.uk]

    Data Breach Fines are not About Data Breaches

    Regarding some of the more aggressive monetary punishments that were handed out by the ICO over the past 18 months, Smith noted that

    It is not the breach itself that is attracting monetary penalties, but the lack of security behind it, what training staff have had and the way systems have been set up. [scmagazineuk.com]

    This might explain why the figures for the ICO's fines are all over the place: Brighton and Sussex University Hospitals was fined £325,000 after 232 hard drives went missing, but other public sector bodies were also fined hundreds of thousands of pounds for breaches involving fewer than a handful of people.

    If the focus lies on what an organization is (or is not) doing regarding the security of their data, however, it makes sense: the more egregious the lack of security, the higher the penalties, regardless of how many were affected by the latest incident.

    Regarding criticism that the fines may be too much and could affect patient health care, Smith noted that "It's up to organisations how they find the money – Brighton and Sussex did pay the fine, despite all these protestations, and it's a tiny fraction of a percentage of their total money, and they have all sorts of ways to pay," according to computing.co.uk, and that one "could [counter] argue that paying the chief executive a bonus every year detracts from patient care, because they could have spent that on patients. It's for them to balance their business."

    Data protection is not, as Americans say, "small potatoes."  A company doing business in the UK might feel that data protection is not as important as their core business operations, the "meat" in a main dish.  The ICO appears to be bent on proving that that's not necessarily the case.


    Related Articles and Sites:
    http://www.computing.co.uk/ctg/news/2207131/deputy-ico-says-big-rise-in-reported-breaches-is-no-cause-for-alarm
    http://www.scmagazineuk.com/ico-we-are-pressing-for-custodial-sentences/article/260084/

     
  • BYOD Security: Microsoft Hotmail Passwords Must Be 16 Characters Or Less

    It's being reported that Hotmail, Microsoft's free online email service, is telling users that account passwords can "contain up to 16 characters."  Common sense says a hard cap like that is not the most secure practice in the world.  When it comes to portable device security, such as protecting a smartphone that's part of a BYOD initiative, artificial limits of this kind are a bad idea.

    But that's not necessarily the case for everything, according to the blue-chip company.  Microsoft is justifying its position by noting that password uniqueness is more important than length.

    It's Always Been that Way

    Folks over at thenextweb.com commented on the story:

    This is ridiculous. It might not seem like a big deal to you as you probably don’t have such a long password, but the issue goes deeper. If Microsoft is suddenly only accepting the first 16 characters of long passwords, this can only mean one of two things, according to Kaspersky:

    • Store full plaintext passwords in their database and then compare the first 16 chars only.
    • Calculate the hash only on the first 16 and ignore the rest.

    But then again, maybe not.  It was later pointed out that Microsoft had always limited passwords to 16 characters.  A further update from Microsoft noted that:

    Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords. Sixteen characters has been the limit for years now. [thenextweb.com]
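    The second of the two possibilities Kaspersky lists above (hash only the first N characters) is something you can test from the outside with nothing but an account of your own.  Below is an added example, not Microsoft's code and not from any of the articles: a toy password store that can be built either correctly or with a silent truncation, and a probe that registers a long password and then finds the shortest prefix the verifier accepts.  It goes slightly beyond the Hotmail case by searching for the cutoff rather than assuming 16; the same probe finds, for instance, the 72-byte limit that bcrypt imposes.  The PasswordStore class, its max_len flag and the "probe" account are all my constructions.

```python
"""Probe a password verifier for silent truncation.

Added example. PasswordStore is a stand-in for a site's login backend; the
max_len flag recreates the "hash only the first N characters" behaviour.
"""
import hashlib
import hmac
import os

ITERATIONS = 1_000  # kept small so the probe below runs quickly


class PasswordStore:
    """Toy salted PBKDF2 store. max_len=None hashes the whole password;
    max_len=16 silently drops everything after the 16th character."""

    def __init__(self, max_len=None):
        self.max_len = max_len
        self._users = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        material = password if self.max_len is None else password[: self.max_len]
        return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._digest(password, salt))


def find_truncation_length(store: PasswordStore, max_len: int = 128):
    """Register a max_len-character password, then look for the shortest prefix
    that still logs in. A prefix that works AND a tampered tail that also works
    mean the verifier ignores everything past that point. Returns None if the
    full password is required."""
    base = "".join(chr(ord("a") + i % 26) for i in range(max_len))  # abc...z repeated
    store.register("probe", base)
    for n in range(1, max_len):
        if store.verify("probe", base[:n]):
            tampered = base[:n] + "X" * (max_len - n)
            if store.verify("probe", tampered):
                return n
    return None


if __name__ == "__main__":
    print("truncating store :", find_truncation_length(PasswordStore(max_len=16)))
    print("bcrypt-like store:", find_truncation_length(PasswordStore(max_len=72)))
    print("correct store    :", find_truncation_length(PasswordStore()))
```

    Against a real service the register and verify calls become HTTP requests, so keep the probe to a throwaway account and expect rate limiting.  The second check (a wrong tail still logging in) is what separates genuine truncation from a verifier that merely happens to accept a prefix for some other reason.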

    The Problem in My View

    Microsoft is correct in pointing out that password uniqueness is more important than length.  However, they're wrong to limit passwords to 16 characters, because the cap curbs uniqueness (the very thing they recommend) and hurts usability and memorization.

    Whaaaa? you may ask.  How is a longer, more complex password more usable?  The answer lies in how you decide to structure your password.

    For example, let's say I have a Hotmail email account.  Perhaps my password will take this form, since it's for Hotmail:  caliente1234arara$36c2736.  That's 25 characters.  Broken down:

    • "Caliente" is Spanish for "hot"
    • 1234 because numbers are necessary
    • "Arara" is a macaw in Portuguese
    • $ to fulfill any special character needs
    • 36c-27-36 is supposedly Angelina Jolie's measurements (I caught The Tourist on TV the other day)

    All I have to do to recall my password is to imagine Angelina Jolie feeding a dollar sign to four Brazilian macaws on a hot Spanish day.  (I can't "unsee" this image now.  Can you?)

    Weird mental imagery makes things easier to remember.  The more unique (or weird) it is, the easier it is to remember.  In my experience, to make it unique enough you need at least four elements.  String them together and there's your password.  The online comic xkcd made the same point.  A 16-character limit means I've got to be careful about which elements I bring into play: namely, short ones.  I guess I could go around trying to memorize something like @#WFe9wj#29w!!@!.  That's 16 characters.

    But I can assure you it's pretty @#WFe9wj#29w!!@! unlikely that I will.  If anything, I'll memorize it and forget it. 


    Related Articles and Sites:
    http://thenextweb.com/microsoft/2012/09/21/this-ridiculous-microsoft-longer-accepts-long-passwords-shortens/
    http://it.slashdot.org/story/12/09/21/2311239/hotmail-no-longer-accepts-long-passwords-shortens-them-for-you
    http://howto.cnet.com/8301-11310_39-57510064-285/how-to-prevent-phone-and-tablet-theft/

     