in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

February 2013 - Posts

  • Apple iPhone Protection: NYPD Team Dedicated To Apple Device Recovery

    According to a New York Post exclusive, the New York Police Department has a team that works with Apple to recover stolen iPhones and iPads.  AlertBoot's mobile device management and security services pale in comparison, but there's one area where we outshine New York's finest: we're faster.  Plus, our MDM can prevent data breaches whereas the cops can only act after a crime takes place.

    2012 NYC Crime Up Due to Apple Products

    Over at slashdot.org, the above news has rekindled the observation that New York City's crime stats for 2012 would have been done had it not been for the Apple effect:
    At the time, Mayor Bloomberg's press secretary Marc La Vorgna explained that 'if you just took away the jump in Apple', crime in New York City would have been down year over year. Indeed, the number of major crimes reported in 2011 in NYC came in at 104,948 compared to 108.432 in 2012.
    Of course, the argument is a bit specious, since not all "Apple crimes" have at heart Cupertino's products: a percentage of them must have been crimes of opportunity where something would have been stolen no matter what the brand.

    Write Down Those Serial Numbers!

    The New York Post describes the alliance thusly:  When an Apple device is stolen, the cops try to obtain tracking numbers (specifically pointed out as being an "International Mobile Station Equipment Identity" or IMEI) which gets passed on to Apple.  The company takes that information and updates the NYPD on the whereabouts of the device, who set up a sting to not only recover the device but to also "learn the pattern [of] who is stealing" the popular hardware.

    The article goes on to note that devices can be tracked even if it is "reregistered with a different wireless provider."  And why not?  After all, the IMEI is nothing but a serial number that is unique to a device, like the VIN on a car.

    This fact, however, brings up a number of questions.  For example, what do they do for phones where an ESN is used in place of the IMEI, a similar sort of hardware serial number for certain carriers like Verizon?  And, are the police able to recover devices that don't feature an IMEI or an ESN?  For example, iPads that are Wi-Fi only – are these unrecoverable by law enforcement?  Are they unable to track devices by UDID, which caused quite the controversy late last year?

    Lag between Theft and Recovery

    All's well that ends well, or so the saying goes.  But, even if the NYPD were to brag a 100% recovery rate for Apple products, many people could still remain a victim to a crime.  How?

    Data theft.  Even if the police can recover all stolen smartphones and tablets, they admit themselves that they'll take the time to learn who's behind it – time during which a thief could go through a device's content.  When you consider that only a minority of smart mobile device owners take the time to ensure their devices are secure, like putting in place a password, this lag between theft and recovery could give thieves a chance to a bigger score.

    So, if you're storing confidential information of any sort, prevention makes more sense than recovery.  Thankfully, preventing data breaches stemming from mobile devices is easy with management software like AlertBoot's MDM service.

    Related Articles and Sites:
    http://www.nypost.com/p/news/local/nypd_apple_corps_PmTgzglhsHAGKoRFfsrDJI
    http://apple.slashdot.org/story/13/02/22/2143245/apple-now-working-with-the-nypd-to-curb-iphone-thefts
     
  • Smartphone Encryption: Canada Law Enforcement Requires Warrants For Searching Cellphones

    A Canadian appellate court has ruled that the police need a warrant if they want to search a person's phone – but only if there's a password in place (or if the phone is physically locked up).  Otherwise, it's open season for going through your phone, which – depending on whether it's a smartphone or not – could contain a whole lot of personal data.  But, you might want something stronger in place, like smartphone encryption.

    Thus Spake Court of Appeal for Ontario

    The ruling overturns an appeal involving armed robbery.  You can read some of the details by visiting thestar.com (link below) and other fine publications but, in a nutshell, the police were able to arrest the appellant because they found on his body a phone which, "after manipulating [it], police officers found it contained photographs of a gun and cash as well as an incriminating text message."

    In other words, the alleged bank robber was arrested because he was carrying incriminating evidence on his person at the time of the arrest.  This subsequently led to a conviction.  The question is – aside from "how stupid can you be?" – whether the search was a legal one.

    Experts' opinions are divided on this one.  Take, for instance, laptop computers: according to the globeandmail.com, a Canadian judge ruled last year that accessing computers requires a warrant:
    Justice Thomas Heeney decided [that a warrant is required to search through a laptop's contents], because in the 21st century, a computer is no longer a "thing," but rather a "place" - a repository of vast amounts of personal information.

    The judge's ruling stemmed in large part from an earlier court ruling, also involving a high-profile murder.
    Whether the laptop computer was protected with encryption software, or other safeguards were in place, doesn't matter: if the police are going to search through a laptop's files, they need a warrant.

    And yet, the Court of Appeals' ruling on searching phones appears to present a significant difference.  If the phone was protected with a password – or locked in a drawer, which moots the "in plain view" aspect of the law – a warrant is required.  If not, it's open season on the phone.  This despite the fact that certain phones, such as smartphones, are in essence miniature computers with a phone chip attached to them.

    (One wonders where tablets would fall.  If I use my tablet to Skype people on a paid plan – meaning that I'm using it as a phone – is my tablet a phone or a computing device like a laptop?  The absence of a password means the cops can go through it in the former; if the latter, they'd need a warrant.)

    Going with Something a Little Stronger.  (OK, a Lot Stronger)

    We'll have to see what happens.  The discrepancy between how searches on "phones" are being approaches vs. laptops is quite glaring, and it's quite obvious that there is a case here to take it all the way to the Supreme Court.

    In the meantime, let's talk security: do you really think that a simple little password will keep someone out of your phone?  Most phones – smart or "dumb" – come with the ability to apply a 4-digit passcode, at least.  Because the numbers run from 0000 to 9999, it actually represents 10,000 different combinations.  I'm not bragging, but I can go through all 10,000 combos in an afternoon.  It will only take me 3 hours at one second per passcode.

    If you have it, what you really want is a password that is coupled to phone disk encryption.  This gives you some flexibility in terms of security:

    • If possible, choose an extended password as opposed to a 4-digit passcode.  The longer the password and the more complex it can be (aka, lower-case letters, upper-case, letters, and number), the more secure it is.
    • Enable automatic wiping of data after 10 erroneous tries.  This setting will delete the encryption key if the wrong passcode or password is entered more ten times.  If you're using a 4-digit passcode, this is definitely a "want."

    Related Articles and Sites:
    http://www.thestar.com/news/crime/2013/02/20/privacy_rights_police_can_search_unprotected_cellphone_without_warrant_appeal_court_rules.html
    http://www.theglobeandmail.com/news/national/can-police-look-through-your-cellphone-depends-on-whether-theres-a-password/article8908107/
    http://yro.slashdot.org/story/13/02/21/1343231/cellphone-privacy-in-canada-encryption-triggers-need-for-warrant
     
  • Deleting Solid State Drives: Cleaning SSDs Almost Impossible, So Use Encryption

    According to the National Association of Information Destruction (NAID), solid state drives (SSD) used in ultrabooks, tablets, smartphones, and other devices are proving to be a headache when it comes to end-of-life operations.  Namely, the usual methods of deleting digital data – so that hardware may be discarded safely – are proving to be ineffective when it comes to flash-based storage media.  This shouldn't be news, however, at least not to NAID.

    The solution to the above difficulty is at least 2 years old: place laptop disk encryption at the heart of your data destruction strategy.

    SSDs an Unknown Quantity

    According to a NAID conference that was held in Sydney, Australia, NAID chief Bob Johnson noted that:
    SSDs are an unknown quantity when it comes to being sterilised for disposal at the end of their working lives.

    "There is currently work being done at the University of California, San Diego, about the best ways to make sure these solid state drives are clean before they're disposed of," he said. "Unfortunately the information out there at the moment is very squirrelly."
    I'm not sure what information Johnson's referring to, but I've known for at least two years that the best way to ensure that information is properly wiped is to encrypt it and lose the encryption key:
    The researchers propose an approach called SAFE (Scramble and Finally Erase) that sanitizes the stored key:

    The technique, called Scramble and Finally Erase (SAFE), stores encrypted data in the drive and uses a two step process for sanitization. First, it destroys the key. Then, SAFE erases every physical page in the SSD. After this step, verification is a simple matter of dismantling the drive and verifying that the flash chips are actually erased.

    Encryption is at the heart of this technique, you'll notice, with attention given to the key's destruction.
    The above is from a post I wrote in 2011 on why media sanitation requires encryption, and is based on research done by a team at the University of California, San Diego.

    If that looks like déjà vu to you, it's because it's the same San Diego team that Johnson is referring to.

    Encryption Sometimes CANNOT be the Solution for SSD

    And now that I've revealed how encryption software is the only way to secure devices during their EOL, here's a kick to the head: under certain circumstances, encryption is not an option from a policy perspective.  For example, under HIPAA.

    HIPAA is a set of rules, overseen by the Department of Health and Human Services (HHS), that governs healthcare companies and their business associates.  While the use of encryption is strongly encouraged to protect patient data (indeed, the director for the Office for Civil Rights at the HHS was quoted as saying "we love encryption, and those who use encryption love it, too"), there is one area where encryption is not to be used as a tool when it comes to medical data: when a device is being disposed of.

    When a computer, external drive, flashdrive, or other data storage device that used to store health data is to be discarded – be it in a landfill or via a donation – the information on it has to be scrubbed.  The usual methods include overwriting every sector of the storage device; degaussing it by placing the medium in a magnetic field; or physical destroying it, all of them procedures approved by NIST.  Encryption, on the other hand, is not considered to be a reliable method of destroying data because it is designed to "recover" data when the correct key is applied.

    This is problematic as organizations start to embrace BYOD, bring your own device.  One wonders how the HHS will react as more and more devices that use SSDs – like smartphones and tablets – make their way into hospitals and other businesses that handle protected health information.  Degaussing will not work, since SSDs don't store data in a magnetic medium.  Overwriting does not work due to SSDs' internal workings.  Destroying devices would work but is wasteful when they might still be useful to some.

    Plus, I've got to assume that the owners of these devices would be quite against destroying their phones and tablets.

    It seems that an exception will have to be made for flash-based devices, or that the use of encryption to "destroy" data will be accepted as a norm.


    Related Articles and Sites:
    http://www.itnews.com.au/News/333677,solid-state-drives-pose-data-security-risk.aspx

     

     
  • BYOD Onboarding: One Of Top Five IT Gripes For Corporate Bring Your Own Device Policies

    According to appstechnews.com, a survey by wireless specialist iPass shows that nearly half the companies that become BYOD-friendly by green-lighting a corporate "Bring Your Own Device" policy see increased IT department activity.  They ponder whether BYOD is IT's worst nightmare.  The answer: it doesn't have to be, at least not with AlertBoot Mobile Security, a turnkey MDM solution that is completely web-driven.

    Top 5 Gripes of Company BYOD

    The survey notes that the top five gripes by IT departments that recently implemented BYOD policies are the following:
    • Personal device onboarding;
    • Support for specialized members' non-provisioned devices; 
    • Data encryption, backup and recovery; 
    • Help desk ticketing; and,
    • Corporate device onboarding.
    I'm not sure whether they're listed in order of annoyance; however, based on the fact that onboarding is positioned at #1 and #5, and based on personal experience, I'm assuming that the list does show a hierarchical bent.

    The fact that device onboarding is listed is not surprising.  If there's one thing that eats up a lot of time, it's the addition of new employees to an organization's identity and access management system.  Generally, it's the first step towards other time-consuming tasks, like prepping a machine for use, ensuring that it works correctly, etc.

    The tasks also begets other tasks as employees changes roles in the organization or decide to leave for greener pastures (offboarding), or as new privileges are granted regardless of the position.

    Like being allowed to bring one's own smartphone or tablet to the workplace, I guess.

    Clearing at Least 4 of the Complaints in One Fell Swoop

    There's no reason why the right technological service cannot knock out at least four of the complaints listed above.  Consider AlertBoot Mobile Security, the MDM solution that handles Apple devices, Android devices, and that can also take care of encrypting Windows OS laptops with disk encryption...from within the same unified console.

    The product is designed to lessen the impact on a company's IT department by transferring the time consuming deployment process to the end users themselves.  The first procedure is to upload a list of users and their email addresses into an AlertBoot account.

    The next is sending out emails to end users: they will get a pre-configured link.  Click, click, click, and their device is now installed with MDM software.  Clicking on the end users' part is literally all it takes.

    Within an hour, the IT department has knocked out gripes #1, #5, and part of #3 – and #4, helping users with installation issues, is taken over by AlertBoot's own 24/7 support.

    Related Articles and Sites:
    http://www.appstechnews.com/news/2013/feb/11/ipass-report-examines-how-byod-makes-its-job-tougher/
     
  • Laptop Data Encryption And Mobile Security: Cbr Systems Settles With FTC, Nearly 300,000 Affected

    Cbr Systems, a cord-blood bank, has agreed to settle with the US Federal Trade Commission over a number of charges.  Among them lies the accusation that Cbr didn't provide adequate data security, a situation that could have been partially addressed via the use of AlertBoot endpoint encryption for laptops and external hard drives.

    Over 300,000 Affected in 2011

    In 2011, I had lightly covered the Cbr situation, noting that "customer names, SSNs, driver's license numbers, and credit card numbers" were lost due to the theft of a laptop computer and backup tapes from an employee's car.  However, my biggest question at the time was, is this or is this not a HIPAA breach?

    To HIPAA or Not to HIPAA?

    Cbr had expressly stated that HIPAA does not apply to them, despite the fact that they worked in a sector that many would consider as "medical": handling blood and tissue from umbilical cords of newly-born infants.  Today, we know that the statement must have been true because the company came to a settlement with the FTC and not with the Office of Civil Rights at the Department of Health and Human Services (HHS), which is in charge of enforcing HIPAA regulations.

    You might be wondering what's going.  In a nutshell, it comes down to this:  Not all medical organizations are subject to HIPAA/HITECH.  That's because organizations need to meet certain conditions before they are subject to HIPAA.  For example, an organization is subject to HIPAA if it receives payments electronically.  Consequently, those who only deal with cash wouldn't need to follow HIPAA (not that this is the only condition).

    However, this does not mean that medical organizations not subject to HIPAA do not need to follow the rules found under HIPAA: Those who are not accountable to the HHS, which enforces HIPAA, are accountable to the FTC, which, according to some experts, has even stricter rules.  For one thing, not only do they require that an organization protect personal data at the same level that HIPAA requires (well, they don't actually state that...but it's a given, really), the FTC can add other charges that are unrelated to medical issues.

    Like charges of fraud and deception.

    FTC Works to Prevent Fraudulent, Deceptive, and Unfair Business Practices

    The mission of the FTC reads as follows:
    To prevent business practices that are anticompetitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity. [ftc.gov]
    What is "deceptive," though, exactly?  Well, if we are to take a cue from the FTC's past actions, it turns out that promises made but not kept are deceptive business practices.  For example, take the Cbr case:
    In its privacy policy, Cbr claimed that "[w]henever CBR handles personal information, regardless of where this occurs, CBR takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy..."
    However, the FTC found that the US's leading cord blood bank wasn't quite living up to its promises in its privacy policy (my emphasis):
    ...Cbr failed to use reasonable and appropriate procedures for handling customers' personal information, making its privacy policy claim deceptive under the FTC Act.  According to the complaint, Cbr did not have reasonable policies and procedures to protect the security of information it collected and maintained.  In addition, Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.  According to the FTC, Cbr also failed to take sufficient measures to prevent, detect, and investigate unauthorized access to computer networks.
    The non-use of proven and established security technologies like full disk encryption for laptops, which are de rigueur in any company that handles sensitive personal data – and, dare I say, pretty well established as a breach prevention policy – can only add fuel to the charges in this case.

    Related Articles and Sites:
    http://www.ftc.gov/opa/2013/01/cbr.shtm
    http://www.ftc.gov/os/caselist/1123120/130128cbragree.pdf
    http://business.ftc.gov/blog/2013/01/bank-data-security-not-kind-bank