AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

October 2012 - Posts

  • Maine Personal Information Data Privacy Notification And Encryption Laws: Title 10 §1346 - §1350

    Maine, like many states in the US, has a personal data breach notification law on its books.  The law is also similar to other states' legislation in that the use of encryption software like AlertBoot provides an exception from the onerous business of having to send such notifications.

    If encryption is not used (or the wrong kind of encryption is used), then a breached entity will have to go public with the data breach, as TD Bank found out recently, or face the consequences.  The consequences are not so dire, though, relatively speaking.

    Penalties For Violating South Carolina's Data Privacy Law

    According to Title 10 §1349 of the Notice of Risk to Personal Data Act, not complying with the law is a civil violation that will lead to one or more of the following:

    1. A maximum fine of $500 per violation that will not exceed $2,500 for each day of violation.
    2. Equitable relief.
    3. Enjoinment from further violations.

    As a non-lawyer, I had to look up equitable relief.  An enjoinment is, as I noted way, way back, just a fancy way of saying "stopping someone from doing something."  What's interesting is the monetary fine.

    If I understand it correctly, the daily cap for a data breach in Maine is five people (2500 / 500 = 5).  Well, not really.  I guess if the fine per violation is valued at $1, technically the cap is 2,500 people.  But then, $1 is a ridiculously low amount.  The question is, is $500 too large an amount to fine?  And if so, what is an "acceptable" amount? $100 per violation?

    However you slice it, the fine appears small.  TD Bank's data breach, for example, affected 267,000 people -- 35,000 of them Maine residents.

    The one redeeming feature is that the cap is on daily figures.  As the law states under the same penalties section, "the right and remedies available under this section are cumulative," and there doesn't appear to be a limit to how long the violation can keep accumulating.

    What Is Personal Identifying Information Under Maine Law?

    Personal information is defined under the Risk to Personal Data Act as a person's first name (or initial) and last name combined with any of the following:

    • Social Security number
    • Driver's license number or state identification number
    • Financial account numbers
    • Passwords and other access codes

    This is in keeping with many state laws.  As I pointed out in posts regarding data breach laws in other states, this technically means the loss of SSNs alone would not be considered a data breach.

    Maine, however, is a bit different.  The statute also includes the following:

    Any of the data elements....when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.

    In other words, losing a database full of SSNs only would also be considered a data breach in Maine, as it should be.

    Another novelty in Maine law?  It makes it illegal for an unauthorized person to take advantage of information that was breached.

    Notification Clauses for Maine Data Breaches

    In Maine, pretty much anyone who's had a data breach must notify those residents who are affected by it.  For some reason, though, the law goes to great lengths to divide them into "information brokers" and everyone else.

    One disappointing aspect of the breach notification requirement is the following (my emphasis):

    ....determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.

    I may be reading more into it than there is, but the underlined parts appear to put into play what is called a "harm threshold," where the entity that was breached gets to judge whether residents are affected, and to what degree.

    If that sounds to you like putting the fox in charge of the chicken coop, you're not too far off the mark.  Plenty of privacy experts have pointed out time and again that harm threshold clauses are a bad idea.

    Another disappointment lies in the fact that the Maine legislature has not defined an acceptable period by which residents have to be notified.  Currently, the law states that:

    The notices required...must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement...or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system.

    Let's go back to TD Bank as an example.  They took 8 months to notify Maine clients affected by the breach (and it sounds like residents of other states along the east coast weren't notified any sooner).  Compare this to HIPAA/HITECH rules, where a person whose protected health information is breached must be contacted within 60 calendar days by the covered entity.  It's quite the difference.

    Laws that only direct entities to notify residents "as soon as possible" will get exactly that: whatever the entity decides is possible.  Maine is not alone in this, though.  Even Massachusetts -- which by some accounts has one of the strictest data breach prevention / data protection and notification laws in the country -- doesn't have fixed deadlines for notifications.

    Other particulars to Maine's breach notification law:

    • Consumer reporting agencies must also be notified for breaches involving more than 1,000 people.
    • In addition to residents, either the Department of Professional and Financial Regulation or the Attorney General must be notified as well.

    Encryption Means Safe Harbor

    Hey, here's an idea: use our super-easy-to-set-up encryption software to protect your data (for example, on your laptops) and forget about the intricacies of the law.  Our solution uses AES-256, which is in accordance with the definition of encryption under Maine's statutes:

    Encryption.  "Encryption" means the disguising of data using generally accepted practices.

    AES most certainly is that and more.


    Related Articles and Sites:
    http://www.mainelegislature.org/legis/statutes/10/title10ch210-Bsec0.html

     
  • More On TD Bank Data Breach Involving Backup Tapes

    Encryption software is not a magical cure-all for digital data woes, but it certainly can cut down on the risks of them coming to fruition.  Take, for example, the TD Bank data breach that I had blogged about earlier this month.

    In that particular case, computer tapes that contained Social Security numbers and other sensitive personal data were lost, and those affected by the breach remained ignorant of the fact for eight months.

    I found an update on that situation.  Nothing new, but more details.

    Explanation of How Tapes Were Lost Still Not Forthcoming

    The new details that I've found, according to onlinesentinel.com:

    • TD Bank has 54 branches in Maine alone.
    • The bank has more than 7.4 million clients and over 1,275 retail locations.
    • The tapes were lost in Massachusetts.
    • The number of people affected was not revealed (but I found earlier reports that 267,000 people were affected).

    Maine Law Does Not Have Deadline for Notifying Residents Affected by Breaches

    Maine has a data breach notification law in place.  I also know that there isn't a deadline by which people must be notified.  Instead, the law requires people to be notified as soon as possible, a condition that is not exclusive to Maine.

    And -- surprise, surprise -- that means that you'll see instances where a company that has been victim to a data breach will wait for a long time before notifying those who are most at risk: clients whose information has been breached.  I'm not sure why the law was drafted the way it was.  It's only logical that companies would end up using soft deadlines to their advantage.

    Can we expect the state of Maine to update legislation to change what is an obvious shortcoming?


    Related Articles and Sites:
    http://www.onlinesentinel.com/news/td-bank-says-it-worked-diligently-to-find-lost-tapes_2012-10-10.html

     
  • Weak Encryption: Researchers Crack Encryption On Australian Public Transportation

    Researchers revealed at an Australian security conference that they cracked the encryption used by a state public transport system for issuing tickets (read: free rides).  Unlike the encryption algorithm used by AlertBoot laptop encryption -- AES-256, which is open to public poking -- the transportation system was using a custom-designed one.  Usually, that's a bad sign.  The other bad sign?  It's decades old.  This particular public service had them both.

    Older Than I Am - A Bad Sign for Crypto

    The researchers did not reveal which transportation system it was (although, that hasn't stopped people from speculating), but noted that the encryption system being used was very old:

    "The custom cryptography was made before I was born." [scmagazine.com.au]

    Given that, it's no wonder that one week's worth of work and $300 was all it took to gain access to what could possibly be free rides for life (or at least, the foreseeable future).

    Encryption is susceptible to "inflation" of sorts.  "Techflation," if you will: the relentless march of technology means that many things that were brand new just a number of years ago are considered average or even below average today, and will be positively ancient in ten years.  Encryption, while taking a different form from shiny new things, is no different.

    Properly vetted encryption algorithms start out strong (why would anyone use weak security, right?) but become weaker over time as technology progresses.  The algorithm itself doesn't change, but the tools that can crack it do.  I have no sources for the speculation I'm about to make, but I'm guessing that today's digital watch would probably crack whatever encryption was being used back in the 1970s.  This makes sense when you consider all the reports pointing out how today's digital watches have more computing power than computers from that era.

    Right now, the encryption standard is AES, and chances are a digital watch created 30 years from now won't be able to crack it.  Per some calculations, an attempt to crack it would require more energy than what is available in the universe.  Other calculations make it less dramatic, but still guarantee at least 30 years worth of protection before having to slowly find a replacement.  If something does crack AES -- and turns into weak encryption -- it will probably be a supercomputer, not some flashing device on someone's wrist.

    The Other Bad Sign: Custom, Not Open to the Public

    Generally speaking, encryption algorithms that are open to public inspection are almost always more secure than custom-made ones.  The reason for this can be likened to Darwinian survival: there are more people trying to break the algorithm, using their own approaches.  This is like an animal having to survive against all the different dangers nature is throwing its way (weather, predators, lack of prey, terrain, etc.); the animals that survive are bound to be strong.  Likewise, an encryption algorithm that survives a public assault is generally strong.

    Custom encryption jobs, on the other hand, are like animals that are raised in captivity.  They're bred and raised in a safe environment, and they're big and strong, but the creatures will never make it on the outside.

    Of course, not all custom jobs are bad.  If you hire the guy who designed a successful, open-to-the-public encryption algorithm to create a custom one for you, chances are it will work as intended without any surprises.  But even then, you can't beat the sense of security coming from a bank of professional researchers looking to break it and failing.


    Related Articles and Sites:
    http://www.scmagazine.com.au/News/320026,researchers-crack-aussie-state-transport-system-get-free-rides.aspx
    http://it.slashdot.org/story/12/10/22/0755244/aussie-researchers-crack-transport-crypto-get-free-rides

     
  • BYOD Encryption: Android App Shows Encryption Faults

    It's been noted time and time again that Android tends to be less secure than its competitor because of its "open ecosystem."  It's the perfect reason to use something like AlertBoot's mobile device encryption solution if a company is hopping on to the BYOD wagon (and plenty are).

    However, not all mobile data security threats stem from the fact that the Android platform is so open.  Sometimes, the apps that are designed to incorporate security were not designed as carefully as they should be.

    As Many as 185 Million Exposed

    According to researchers, Android apps downloaded by as many as 185 million people could "expose end users' online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections." [arstechnica.com]

    Forty-one applications available on Google Play -- Google's answer to criticisms that every scammer who can code under the sun was offering something fishy in the Android app store -- were identified.  The one silver lining in the cloud: researchers had tested them under Android's Ice Cream Sandwich.  There's a good chance that the latest iteration of the Android OS -- Jelly Bean -- is not affected, since it has added safeguards that were missing from previous versions of Android.

    More than Android

    But, then again, maybe not (my emphasis):

    The findings underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and end users. While the technology itself is generally considered secure, its protection can be undermined when certificate authorities fail to secure their infrastructure or websites don't take proper precautions. The paper, presented at this week's Computer and Communications Security conference, exposes yet another point of failure, which is poor implementation by app developers. [arstechnica.com]

    The listed methods that undermine SSL and TLS are the same whether it's Android's newest (or oldest), Apple's iOS for iPhones and iPads, or even Microsoft's new Windows Phone 8.  (The impact on each platform will be different, though.  For example, iOS sandboxes all applications, so the risk level is lower.)

    What does this mean for organizations that are invested in BYOD programs, either fully or partially?  After all, choosing the "right device" is not the answer in this particular case.  Choosing the right app could be, but there's no real way to ensure that an app is truly secure.

    One way to manage the threat might be via the use of an integrated MDM solution (see AlertBoot's Android and iPhone MDM solution: http://www.alertboot.com/disk_encryption/disk_encryption_product_tour.aspx) that, in addition to providing a way to manage devices and their policies, also controls which apps can and cannot be installed.  Such control would require the use of whitelists, blacklists, or both.


    Related Articles and Sites:
    http://arstechnica.com/security/2012/10/android-apps-expose-passwords-e-mail-and-more/
    http://gizmodo.com/5953686/researchers-reveal-massive-encryption-faults-in-android-apps-used-by-millions

     
  • Mobile BYOD: Feds Find BlackBerries Dowdy, Go With iPhone

    Poor BlackBerry: not only is the once-celebrated device getting some very public licks, the one pillar that seemed unshakable is beginning to see signs of strain: even the government is giving it the cold shoulder.  Of course, the signs were already there but, seeing how the device is the yardstick by which other mobile device security levels are measured, it's still odd to see the fact in print.

    Immigration and Customs Enforcement Dumping BB, Other US Govt Agencies, Too

    According to numerous sources, Immigration and Customs Enforcement (ICE) -- which belongs to the Department of Homeland Security -- has officially declared that it will no longer be using BlackBerries.  According to informationweek.com, this means ICE is "joining a growing list of agencies that are increasing their use of Android and iOS devices and, in some cases, switching away from the BlackBerry entirely."

    Instead of BBs, ICE has opted to use the iPhone.  That's 17,676 fewer users of BlackBerries, and 17,000 more for Apple's iconic smartphone (also, $2 million in La Pomme's pockets).  RIM, the maker of the BlackBerry, has further bad news.

    The Department of Defense might not be far behind. Procurement documents released Monday by the Pentagon for mobile device management software included BlackBerry management only as a nice-to-have. The change is also happening at government contractors. Booz Allen Hamilton will move 25,000 employees from BlackBerrys to iPhones and Android devices, the company said last week. [informationweek.com]

    That the government was looking into using the iPhone and iPad in their work environment is not quite "news."  I've already mentioned how there's a pilot program at the VA, and how it held up to scrutiny despite its "lack" of approved AES-256 encryption.

    But, to find that entire departments are looking to completely rid themselves of BlackBerries?

    This truly is news.

    It speaks volumes not only about BlackBerries (what I'm hearing is "good riddance, we couldn't wait to wash our hands of the device," which surprises me a lot) but also about Apple's iOS.  Essentially, it gives iOS the government stamp of approval, meaning that businesses out there cannot dismiss Apple's iDevices out of hand as "shiny toys," as "looking too pretty to honestly be for business," or as "overpriced" (an argument that I can foresee being made: those extra $$$ are the price of security).

    More Security than Mobile Security

    Of course, when it comes to government agencies, or any organization with a big enough body of employees, security of the device is not the only issue.  There are also concerns about ensuring that administrative processes related to security -- such as audits, device tracking, proper deployments, updates, etc. -- can be carried out reliably and in a timely fashion.

    In other words, some kind of mobile device management (MDM) solution is necessary to make it work.  Otherwise, you'd be stuck with thousands (or maybe tens of thousands, if you're ICE) of employee devices out in the field with no centralized control.

    Central control.  Among Tibetan monks, probably not such a big issue.  Among people who have access to Angry Birds?  Definitely an issue.


    Related Articles and Sites:
    http://money.msn.com/top-stocks/post.aspx?post=c3eabd17-f1c6-4cb5-a6b7-5cf3f12c6370
    http://www.informationweek.com/government/mobile/blackberry-loses-its-grip-on-federal-gov/240009689
    http://www.pcmag.com/article2/0,2817,2411269,00.asp

     
  • University Data Security: Northwest Florida State College Data Breach Bigger Than Expected

    One of the areas where you can always expect to find data breaches is academia.  For as long as I have been following data security news stories for this blog, data breaches involving a university setting have cropped up at least every six months.  It makes sense, in a way: university settings generally tend to be more technologically advanced, with laptops being almost de rigueur, and a host of other electronic devices making it into the hands of young adults.

    (An excellent surrounding where services like AlertBoot's mobile security services would ensure a better "data safe" environment.  Check us out).

    But, as the recent escalation of Northwest Florida State College's data breach shows, data breaches generally tend to be associated with the institution itself, not the preponderance of students' devices.

    About 275,000 Students Affected

    A data breach that lasted from May 2012 through September 2012 has affected nearly 300,000 students across Florida.  Initially, it was thought to be contained to Northwest Florida State College's employees (3,000 employee records were stolen); however, the investigation into the hack grew and now encompasses:

    • 3,000 employee records that include information like direct deposit account numbers
    • 76,000 records of current and former students at Northwest Florida State College that contain personal information
    • 200,000 records that included names, SSNs, birthdates, etc., for any student eligible for the Bright Futures scholarships for 2005 - 2006 and 2006 - 2007

    Crime in Progress

    Unlike past instances where a disk full of sensitive data goes missing and nothing happens, this latest university data breach has shown some teeth: at least 50 people have already been victims of identity theft, with the most notable of them being the president of Northwest Florida State College.

    "I recognize that this is a significant hassle for those whose information is used to commit identity theft," stated [Northwest Florida State College President Ty] Handy. "I was one of the first seven or eight to be hit personally and I have spent several hours on the phone working with my bank and others to protect myself. It is not an enjoyable experience and for that I apologize." [heraldtribune.com]

    As a victim of identity theft myself -- although, granted, I had it better than most -- I know how it feels...except that for me, it was an enjoyable experience.  Well, not enjoyable per se, but it wasn't as bad as it could have been.


    Related Articles and Sites:
    http://www.heraldtribune.com/article/20121010/ARTICLE/121019953

     