AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

December 2013 - Posts

  • Encryption ROI: You Can Sometimes Calculate A True Return On Investment For Encryption...

    ...but I really wouldn't recommend it.  For one, it's highly illegal.  But, as far as I can see, it's the only way you can really calculate a return on investment (ROI) when it comes to deploying and installing encryption on laptop computers.  Other reasons for not engaging in it: it's illegal; you have to deal with malware; you're scum if you do this; and it's illegal.  Did I mention it's illegal?

    First, Define ROI

    ROI.  These three simple letters have an unusual impact in business decision-making.  There's no shortage of efficiency experts in the business world, and everyone seems to be in agreement: you can only maximize profitability if you maximize efficiency.  Since a business concern's objective is to make money, everyone is looking to maximize their return on investment on every aspect of their business.  "What's the ROI on that particular proposal?" they ask.

    The thing is, ROI only applies to assets, which is why ROI is closely related to (and sometimes conflated with) ROA, return on assets.  One really shouldn't ask for an ROI for something that's not an asset; it just doesn't make sense.  For example, your janitors are not assets, no matter how well they maintain your offices, because they don't make you money.  That is, they're not an asset in the accounting sense and thus ROI/ROA cannot be calculated for them.

    This is also true for office furniture, the kitchen utilities in the break room, the shredder in the corner, and the toner cartridge in your printer, among other things.

    Likewise, encryption software is also not an asset, at least not in the accounting sense.  And yet when IT departments try to justify their need for the use of laptop encryption and other types of data security solutions, one of the things they are tasked with is to figure out the ROI.  If the "ROI" is not up to snuff, the proposals for certain types of information solutions are quashed.

    I repeat, encryption cannot give you an ROI because it's not a money maker.  There are always exceptions, of course.

    Ransomware

    It sounds like a non-sequitur, but bear with me: according to ibtimes.co.uk, a band of hackers made millions of dollars in 100 days using encryption (a note on the math follows below).  Talk about ROI, eh?

    How did they do this?  The hackers distribute a particular brand of malware known as Cryptolocker.  Once it gets onto a person's computer, it encrypts the victim's data files (documents, pictures and the like; it is the files that get encrypted, not the whole hard drive, which is why the machine keeps booting and can display the ransom note).  The files will only be decrypted if the owner of the computer pays a ransom.  The cost?  $300.  If the ransom is not paid within 72 hours, the private key needed to decrypt them is deleted, making it impossible to recover the data.  Ever.

    Well, not ever; that's a little dramatic.  But without the attackers' copy of the key you are left guessing it, and for a properly generated key that's going to take a while, ranging anywhere from centuries to millennia, if the hackers did it right.

    Of course, not all pay the ransom.  According to estimates, a minimum of 0.4% of people hit by the malware do pony up the cash.  Another estimate puts the number of affected machines between 200,000 and 250,000.  Based on these figures, the folk over at ibtimes.co.uk conservatively estimated that the hacker crew has made $3,000,000 since the malware's release in September of this year.

    (Well, they initially calculated $3 million based on their estimate parameters.  I see that it's been changed to $300,000, which is the correct figure: 250,000 infected machines × 0.4% paying × $300 per ransom = $300,000, and the lower estimate of 200,000 machines gives $240,000.)

    Anyhow, let's return to the subject at hand, shall we?  Can we calculate an ROI in this case?  Yes.  The encryption is an instrumental part of convincing people to send in money; you could say it's the enforcing element.  The ROI is the money the hackers made ($300k) divided by what it cost them to run the operation.

    But, aside from pulling off a scam like the above, you're going to have problems calculating an ROI for encryption.  Honest businesses can only put a number on the return if a laptop is actually stolen: the notification costs, fines and cleanup that the encryption spared them.  Even then, it's a theoretical exercise, since the use of encryption tends to provide safe harbor from the federal and state laws that govern sensitive private data, so the costs that were avoided are never incurred and never measured.

    Of course, when a laptop is not stolen, the ROI of encryption is zero (as it should be, seeing how encryption is not an asset in the accounting sense).

    Related Articles and Sites:
    http://www.ibtimes.co.uk/cryptolocker-criminals-earn-30-million-100-days-1429607

  • BYOD Full Encryption: Because Sensitive Data Will Drift To Where You Least Expect It

    If your workplace offers BYOD (bring your own device) or similar programs where an employee is authorized to bring and take portable computing devices for work-related purposes, it really pays to take a second look at full disk encryption like AlertBoot.  Why?  Because sensitive information, no matter how much or how hard you try, will end up where it shouldn't, as Washington University in St. Louis's recent case shows us.

    Unencrypted Laptop with PII Stolen

    Washington University in St. Louis (WUSL) has alerted the Maryland Attorney General's Office that they suffered a data breach when a laptop computer was stolen from one of their employees.  As it turns out, the information was limited to business partners and one Maryland resident.  As data breaches go, it's a very small one.

    There is no doubt that WUSL did a great job of managing their data.  Here you have a data breach that involves personal sensitive data, and instead of affecting hundreds of thousands of people, it affected one.  Sure, you have a number of business partners (probably not innumerable), but the letter to the AG implies that only one SSN was breached in this fiasco.  In a sense, there was no need for encryption; the breach was not dire enough or big enough.

    On the other hand, here you have an organization that is forced to alert the authorities that they suffered a data breach because they missed one guy's data.  What kind of damages, intangible or otherwise, are associated with this breach report?  What if the AG decides to investigate the incident, regardless of what the reason might be (political, legal, what have you)?  You know, the proverbial camel's back?

    Users Decide?

    One thing in the breach notification letter that caught my attention was the following passage:
    To help prevent something like this from happening in the future, Washington University has re-educated its staff in the importance of handling personal information securely and continues to enhance its information security safeguards.
    Education works.  It makes people more aware, it changes behavior, and definitely increases overall security levels.  But this statement is not true for everyone.  You will have people who will sit through the seminars and whatnot because they have to.  You will have people who initially respond and engage but start to slowly (but surely) ignore security issues as days turn into months.  You will have people in denial ("it happens to others but not me").

    If data security is an issue at the workplace, one must do a little more than educate people, especially when research shows that many people are either unwilling or unable to change.
    Behavioral science, for example, shows us that results can change drastically depending on whether one follows an opt-in or opt-out model since people tend to stick with the default settings.  For example, if it's up to the user to encrypt a laptop, then most laptops will go unencrypted, even if people know that encrypting is better.

    When such realizations are factored into computer data security, it only makes sense for organizations like WUSL to require encryption (possibly use a centrally managed encryption solution to keep track of encryption rates), and not stop just at educating employees.
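
    What "keep track of encryption rates" looks like in practice, as an added example that is not part of the original post or of any AlertBoot tooling: both major desktop platforms ship a command that reports the state of their built-in FDE (fdesetup status for FileVault 2 on OS X 10.8 and later, manage-bde -status C: for BitLocker on Windows), and an inventory job can collect that text and compute the rate centrally.  The Python below parses constructed samples of both outputs; the hostnames and the sample output are invented, and one of the Windows samples shows the gotcha a practitioner needs to handle: a volume that is fully encrypted but has protection suspended, which leaves the key on disk in the clear.

```python
import re

# Constructed sample output.  Not captured from any real fleet; these mirror the
# line formats of `fdesetup status` (OS X 10.8+) and `manage-bde -status C:` (Windows 7/8).
FDESETUP_ON = "FileVault is On.\n"
FDESETUP_OFF = "FileVault is Off.\n"

BDE_PROTECTED = """Volume C: [OS]
[OS Volume]

    Size:                 232.29 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
"""
# Suspended BitLocker: still "Fully Encrypted", but the volume key sits on disk
# in the clear so anyone who boots the machine gets the data.
BDE_SUSPENDED = BDE_PROTECTED.replace("Protection On", "Protection Off")

BDE_OFF = """Volume C: [OS]
[OS Volume]

    Size:                 232.29 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found
"""


def filevault_protected(output: str) -> bool:
    """fdesetup prints a single sentence; anything but 'FileVault is On.' is a miss."""
    return re.search(r"^FileVault is On\.", output, re.M) is not None


def bitlocker_protected(output: str) -> bool:
    """A volume counts only if it is encrypted *and* protection is on.
    'Fully Encrypted' with 'Protection Off' (suspended) protects nothing."""
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+):[ \t]+(.+?)[ \t]*$", output, re.M))
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")


def encryption_rate(inventory: dict) -> tuple:
    """inventory: hostname -> (platform, raw status output).
    Returns (fraction protected, sorted list of hosts needing follow-up)."""
    checks = {"mac": filevault_protected, "windows": bitlocker_protected}
    unprotected = [host for host, (platform, output) in sorted(inventory.items())
                   if not checks[platform](output)]
    rate = 1 - len(unprotected) / len(inventory) if inventory else 0.0
    return rate, unprotected


# Constructed inventory; the hostnames are invented.
SAMPLE_INVENTORY = {
    "mbp-alice": ("mac", FDESETUP_ON),
    "mbp-bob": ("mac", FDESETUP_OFF),
    "win-carol": ("windows", BDE_PROTECTED),
    "win-dave": ("windows", BDE_SUSPENDED),
    "win-erin": ("windows", BDE_OFF),
}

if __name__ == "__main__":
    rate, hosts = encryption_rate(SAMPLE_INVENTORY)
    print(f"encrypted and protected: {rate:.0%}; follow up: {', '.join(hosts)}")
```

    The reason for scoring "Fully Encrypted" with "Protection Off" as unprotected is that suspended BitLocker (often done around firmware updates and then forgotten) looks encrypted to a naive grep.  Counting only protected volumes is what turns "we re-educated staff" into a number you can show an Attorney General.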
    Related Articles and Sites:
    http://www.databreaches.net/washington-university-in-st-louis-notifies-business-partners-after-laptop-with-unencrypted-pii-stolen/
    http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-234645.pdf

  • Smartphone Security: California Bill Could Force Industry To Implement Device Kill Switch

    A new California bill is aiming to curb the theft of smartphones.  According to networkworld.com, Senator Mark Leno and San Francisco DA George Gascón proposed a mandate requiring kill-switch technology to be implemented as a smartphone security feature on all smartphones sold in the Golden State.

    Due to the size of the California market, the bill could indirectly force manufacturers to implement the technology as a standard feature, seeing how producing two separate models for each phone would be cost-prohibitive.

    Smartphone Theft: Leading Type of Street Crime

    The impetus for the new bill comes from the rise of crime involving smartphones.  Assault and battery linked to the theft of smartphones has been on the rise for years.

    New York City, for example, experienced over 15,000 mobile device thefts in 2012, and Apple's iPhones had a measurable impact on the Big Apple's crime stats: Mayor Bloomberg noted that "if you took out thefts of Apple products — not Galaxies, Samsungs — just Apple products, our total crime rate would be lower than it was last year."  Not that Samsung is not doing its share when it comes to keeping crime levels up (although I doubt that this is part of their objective).

    New York is not the only city struggling with such "smart" issues; most if not all major metropolitan cities are struggling with it.

    Nobody Wants a Brick

    The idea behind kill-switches is simple: give the owner of a phone the power to kill the device if it gets stolen.  The thief ends up with an expensive brick that he cannot easily unload.  Once that becomes the usual outcome, people think twice about stealing a smartphone.  This is sometimes known as the Lo-Jack effect.

    When Lo-Jack was first introduced to a region, you could see a continuous decline in car thefts because thieves couldn't tell whether a car was tagged with the tracking device or not.  As more and more people signed up for the service, the harder and harder it became to steal a car without eventually getting caught.  Thieves employed tactics like stealing the car and keeping it parked for a couple of days to see what happened, but then the cops started playing the waiting game, too.  Ultimately, many car thieves called it quits.

    An added bonus was that the effect spread to cars without Lo-Jack because, again, one couldn't tell whether a car was fitted with the tracker.

    Which is why I kind of disagree with the following quote from DA Gascón:
    A recent survey undertaken by [Gascón's] office found around four in five iPhone users were using the activation lock, but that's still a problem, he said earlier this week.
    "Until Activation Lock is fully opt-out, it appears many iPhone owners will not have the solution enabled," he said in a statement. "This leaves iPhone users at risk, as thieves cannot distinguish between those devices that have the feature enabled and those that do not."
    A voluntary utilization rate of eighty percent is tremendous.  If this is not a statistical error, the dividends from this group's actions will spill over to people who don't have Activation Lock turned on.  Thieves are not exactly stupid: if they find that 4 out of 5 stolen iPhones will ultimately turn into a shiny paperweight that cannot be sold, they'll look for something else to steal.  The demand for stolen smartphones would dry up as well.

    The problem is, of course, cities will begin to see an increase of smartphone thefts that don't involve iPhones.  And for that reason alone, I believe that the kill-switch bill is a great idea: pressure the manufacturers to give users an option.  There's no real need to make it opt-out (although the converse is true as well: there's no real reason to make it opt-in, either).

    Why Not Include Encryption?

    What really puzzles me is that there are no references to smartphone encryption.  I can think of at least one reason why thieves would steal a smartphone even if it ends up being killed remotely.  It's the same reason why HIPAA laws regarding laptops and computers exist: the theft of personal information.

    Smartphones are underpowered computers with tiny screens that go everywhere their owners go.  As such, these devices usually contain a lot of personal information about the owner, and possibly the owner's friends and family.  There's enough there to do a lot of harm: fraud, phishing (of you and your loved ones), etc.

    Here's one potential scenario: a person steals a smartphone.  He places it in a bag lined with aluminum as soon as possible. (My own experiments revealed that triple-lining effectively isolates a phone from all electronic signals).  He goes to a basement or other location where he knows there's no reception.  He accesses the smartphone's contents: without encryption, it's easier than you think.  He has hit the jackpot because he can review all communications.

    He can pick up on linguistic patterns, expressions, typography, emoticons, etc.  The stage is set for a very successful confidence game via email, text messaging, what  have you.

    Kill switches are good.  Encryption is great.
    Related Articles and Sites:
    http://www.networkworld.com/news/2013/121913-proposed-california-law-would-mandate-277107.html
  • HIPAA Encryption: UHS-Pruitt Has Two Laptop Thefts In Two Weeks

    The blog-keeper over at phiprivacy.net, Dissent, notes the difficulties she was having making heads or tails of a data breach story involving a laptop computer at UHS-Pruitt Corporation.  It turns out that she was dealing with two data breaches, both of them involving laptop thefts (disk encryption software wasn't used in either case) out of employees' vehicles.

    What are the chances?  Well, yours truly cannot really answer that question without data, but let's say that it would seem unlikely.  On the other hand, the fact that it happened once is a good sign that it's not so unlikely to happen again.

    UHS-Pruitt Data Breach #1

    On September 26, 2013, a laptop computer was stolen from a UHS-Pruitt employee's car (the car was locked).  It appears that the laptop was primarily used to access remote databases; however, documents containing PHI were also present, including SSNs.

    While the use of encryption software is not mentioned, the presence of the public notice makes it quite probable that cryptography was not used to secure the patient data.

    Approximately 1,300 people were affected.

    UHS-Pruitt Data Breach #2

    This data breach was actually caused by an affiliate (a business associate, in HIPAA parlance?).  On December 6, 2013, a different laptop was stolen from another employee's car (parked in front of her home!), causing another HIPAA breach.  The PHI exposed was more limited in this case: first and last names and potential diagnoses.

    Approximately 4,500 people were affected.

    Again, encryption software is not mentioned, but there's a very strong possibility that it was not used.

    What are the Odds?

    What are the odds of such a thing happening, that the same HIPAA covered entity would experience the same type of data breach twice within two weeks?  I don't know, as I stated before.  But it's not illogical to observe that the chances of this happening are vastly higher than the chances of someone breaking into a properly encrypted machine.

    Of course, laptop encryption doesn't prevent laptops from being stolen.  However, it does prevent a reportable data breach: under the HIPAA Breach Notification Rule, PHI that is encrypted in line with HHS guidance is not "unsecured PHI", so the loss of a device holding only such data doesn't trigger notification (provided the key wasn't lost along with it).

    If UHS-Pruitt had not been using medical laptop encryption before, I'd say that there is no time like the present.
    Related Articles and Sites:
    www.phiprivacy.net/two-laptops-with-phi-stolen-from-uhs-pruitt-employees-cars-in-a-two-week-period/

  • Laptop Encryption: Turns Out Poker Players Need Computer Security Too

    Sometimes I'm surprised by who needs the protection afforded by laptop encryption software.  According to various sources, a professional poker player from Finland had his laptop computer hacked by unknown assailants.  While it's debatable whether encryption software would have helped in this case, it certainly would have posed a formidable barrier.

    Online and Offline Poker Professional

    The Verge, which in turn got the story from f-secure.com, reported earlier in the week that pro poker player Jens Kyllönen had an unusual experience while playing the European Poker Tour in Barcelona.  Kyllönen had returned to his hotel room to find his laptop missing.  Believing that his hotel roommate, Henri Jaakkola, took his laptop, Kyllönen left the room looking for him.  When they both returned, the laptop was back where Kyllönen had originally left it.

    It was readily evident that the laptop had been tampered with.  According to pcmag.com, the laptop didn't require Kyllönen's login credentials, a change from previous settings.  Furthermore, it wasn't booting up properly.  Other sources note that the hotel room's key (the computerized kind) wasn't working correctly, either.

    Kyllönen doesn't appear to have been the only one who was targeted, however.  This September entry at pokerstrategy.com mentions that "several high profile online players had their laptops stolen" during the Barcelona leg of the tournament, and listed advice such as being aware of phishing attempts and keeping laptops encrypted.

    What good would a laptop do at a poker tournament, you might ask?  I've seen plenty of poker tournaments up close.  AlertBoot is based in Las Vegas, after all, and there are three things that I cannot help but run into every year while I'm visiting headquarters: poker tournament players, Black Hat conference participants, and random Miss USA contestants.  (That last one will be no more, though).  Anyhow, returning to poker: at the tables, there is no use for a laptop.  Even smaller devices like your phone, smart or otherwise, are not allowed anywhere near the table.

    As it turns out, people who play poker for a living will play in any venue where poker is offered, including online, assuming it's worthwhile.  Kyllönen wasn't an exception.  Seeing how he cleared over $2 million last year, you can presume that there are a lot of virtual chips trading hands on the intertubes, and for poker pros a laptop is the only device that makes sense if they move between offline and online tables.

    Evil Maid Attack

    So, why was Kyllönen's laptop taken?  Apparently, to surreptitiously install remote viewing software.  Security professionals would call it a RAT (remote access trojan), but it's really nothing more than a secret installation of software similar to remote conference software like join.me, GoToMeeting, or WebEx.  (Ironically enough, some also call it a RAT when the software is legitimate: remote access tool).

    The RAT would allow the hotel-room intruders to monitor Kyllönen's cards when playing online, giving them an upper hand when playing against him, or any of the other players whose laptops were stolen in Barcelona.

    This type of hacking – where a device is taken, tampered with, and returned – is known as an evil maid attack by some, as a janitor attack by others (it depends on the building, I guess.  It's kind of hard to imagine a maid making the rounds in an office building).  Sometimes there's an extra step, where the evil maid returns to retrieve whatever was planted in the device.  For example, instead of installing software, the laptop's hardware may have been tampered with, such as by installing a gizmo between the keyboard and everything else (a physical keylogger).

    An evil maid attack is difficult to pull off.  First, there's no guarantee that the target will not return to his or her room while a laptop is being tampered with. (Ideally, you want more than one person to be carrying out the attack).  Even if the device is taken, there's no guarantee that the owner will return to find it missing, as Kyllönen did, exposing the attack.

    Second, there's no way to know what kind of protection is in place beforehand.  For example, had Kyllönen protected his laptop with full disk encryption, the intruders could not have simply booted the machine from a USB stick (or pulled the drive) and dropped a RAT onto the operating system: the OS volume is unreadable without the passphrase.  What FDE does not cover is the unencrypted boot loader that asks for that passphrase, and the original "evil maid" attack demonstrated against TrueCrypt in 2009 worked by replacing exactly that component to capture the passphrase for a second visit.  Tying the disk key to a TPM measurement of the boot chain (BitLocker with TPM and PIN, for instance) closes that gap, because a modified boot loader changes the measurement and the key is never released.

    In professional security circles, evil maid attacks are often described as impossible to fully protect against, because an attacker with repeated physical access can always go one layer lower (firmware, hardware implants).  However, "impossible to rule out" doesn't mean easy or likely, just like it's impossible to rule out an airplane crash.  Yet, airplanes remain the safest form of transportation.  With FDE in place, the casual version of the attack (boot from USB, plant a RAT) fails outright, and the attacker needs either the passphrase or the kind of tools and patience that only a well-funded government organization brings to the table.

    Chances are they won't be going after a poker player's laptop, though, so no worries there.
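
    As an added example, not from the original post or from F-Secure, here is the detection side of the evil maid problem in Python: hash every file on the unencrypted boot partition into a manifest, keep that manifest somewhere the maid cannot reach (a USB stick on your person, or a printout of the manifest's own hash), and diff the partition against it before typing the FDE passphrase.  The boot directory, file names and "tampering" below are constructed in a temporary folder so the script runs anywhere; the scenario mirrors the attack described above, with the boot loader replaced and a payload file added.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(boot_dir: Path) -> dict:
    """SHA-256 of every file under the (unencrypted) boot partition, keyed by relative path."""
    return {p.relative_to(boot_dir).as_posix(): hash_file(p)
            for p in sorted(boot_dir.rglob("*")) if p.is_file()}


def verify_manifest(boot_dir: Path, baseline: dict) -> dict:
    """Diff the live boot partition against a baseline that was kept off the machine."""
    current = build_manifest(boot_dir)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"clean": not (modified or added or removed),
            "modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario in a temp dir: take a baseline, then an 'evil maid' swaps the
    boot loader for one that would capture the passphrase and drops a payload file."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "efi"
        loader = boot / "EFI" / "BOOT" / "BOOTX64.EFI"
        loader.parent.mkdir(parents=True)
        loader.write_bytes(b"MZ" + b"legitimate loader " * 64)      # stand-in for a real PE image
        (loader.parent / "grub.cfg").write_text("set timeout=5\n")
        baseline = build_manifest(boot)                            # taken at setup time, stored elsewhere
        assert verify_manifest(boot, baseline)["clean"]            # nothing has changed yet
        # The maid's visit: same file name, different bytes, plus an extra file.
        loader.write_bytes(b"MZ" + b"passphrase-logging loader " * 64)
        (loader.parent / "payload.bin").write_bytes(bytes(64))
        return verify_manifest(boot, baseline)


if __name__ == "__main__":
    report = demo()
    print("boot partition clean" if report["clean"] else f"TAMPERED: {report}")
```

    A TPM-based measured boot performs this comparison in hardware and refuses to release the disk key when the measurements change; that is the robust form of the check.  A script like this is the poor man's version, and it only helps if the manifest itself lives somewhere the intruder cannot edit.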
    Related Articles and Sites:
    http://www.theverge.com/2013/12/10/5196266/hackers-broke-into-poker-pros-hotel-room-to-install-sharking-malware
    http://www.f-secure.com/weblog/archives/00002647.html
    http://securitywatch.pcmag.com/malware/318835-poker-shark-s-laptop-pwned-by-evil-maid-attack
    http://www.pokerstrategy.com/news/world-of-poker/Security-reminder:-protect-your-poker-accounts_76440/
  • HIPAA Encryption: Horizon BCBS Of New Jersey Data Breach Affects 840k People

    In this day and age, it's hard to believe that any HIPAA covered entity or business associate would not be using encryption software on their laptops on purpose.  Except that they are, as the following story on Horizon Blue Cross Blue Shield, based in New Jersey, shows.  And, technically, BCBSNJ could be HIPAA compliant even if the theft of said laptops affects hundreds of thousands of patients.

    Cable-Lock Secured Laptops

    Sales of desktop computers have been declining for years now.  Laptops reigned supreme during the desktop's downward trajectory, and it wasn't (and isn't) unusual to see people using laptops as stationary machines, even though laptops are designed to move.

    One way to ensure that laptops do not make their way outside a building is to affix them in some manner.  Generally, a cable lock is used to secure laptops to desks.  Since the machines cannot be taken outside the building's perimeters, it's assumed that it – and the data stored in it – are safe from unauthorized eyes.

    Except, of course, that all it takes to trump the cable lock is a pair of $20 bolt cutters, the kind you can get at any hardware store and hide in your jacket.  Contrast that with a properly implemented full disk encryption solution like AlertBoot: without the key, the data on the drive cannot be recovered by any practical amount of computation, so a thief is left with nothing to attack but the passphrase, and you can see why encryption is a better way to protect the data (as opposed to the hardware).

    (Actually, to be completely fair, I should note that you can also "decrypt" a laptop with a pair of $20 bolt cutters.  You tie down a guy who knows the password and start whacking him with the bolt cutter.  At some point he will spit out the password.  But then, the charges against the owner of the bolt cutter will be much, much graver than snipping a 1/8" wire.)

    This is the thing, though: under HIPAA, locking down a laptop computer can be seen as an adequate alternative to the use of encryption, depending on the circumstances.  Encryption is an "addressable" (as opposed to "required") implementation specification in the Security Rule, so a covered entity that documents why encryption is not reasonable and appropriate for it and puts an equivalent measure in place is, on paper, compliant.

    BCBSNJ Data Breach

    So, Horizon Blue Cross Blue Shield was perfectly in their right and was compliant with HIPAA (as far as I can see) if they opted to lock down their laptops as opposed to locking down their data.  As nj.com reported:
    The stolen laptops were password-protected, but had unencrypted data....  At the time they were stolen, the computers were cable-locked to employee workstations...the cable-locks apparently were "tampered with and damaged" in the incident, which took place on the eighth floor of 3 Penn Plaza. The laptops were MacBook Pros, the report said.
    As a result, nearly 840,000 people were affected by the theft of two laptops.  PHI such as names, addresses, dates of birth, SSNs, and clinical information were breached.

    There are two things that are scandalous about this story, at least in my eyes.  First, this is not the first time that the company has experienced a data breach.  In 2008, approximately 300,000 people were affected when a laptop was stolen.  In that case, the data was "programmed" to be destroyed after the laptop was stolen, but the word "encryption" is missing from any stories I've unearthed regarding it, leading me to believe that encryption may not have been used.

    On the other hand, aside from encryption, there's very little that can be used to remotely destroy data. (The data is destroyed by losing the encryption key, making the data irrecoverable).  Regardless, BCBS had already experienced a data breach, so excusing the lack of encryption is difficult to justify.
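
    The point above about destroying data by losing the key (and the 72-hour key deletion in the Cryptolocker post, and the bolt-cutter interrogation a few paragraphs up) all come down to one small structure.  As an added example, not from the original post or from any AlertBoot product, here is a toy full disk encryption volume in Python: a random data-encryption key (DEK) protects the data, a key-encryption key (KEK) derived from the passphrase protects the DEK, and only the wrapped DEK lives in the unencrypted header.  HMAC-SHA256 in counter mode stands in for AES-XTS so the example needs nothing beyond the standard library; the iteration count, passphrases and sample patient record are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KDF_ITERATIONS = 100_000   # assumption for the demo; real products tune this to the platform
NONCE_LEN = 16


def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over a PRF.  HMAC-SHA256 stands in for AES-XTS so this runs
    with the standard library only; the key-management logic is what matters here."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class VolumeHeader:
    """The small unencrypted header an FDE product keeps in front of the data."""
    salt: bytes
    wrapped_dek: bytes   # DEK XORed with the passphrase-derived KEK
    check: bytes         # HMAC(DEK, "check"): detects a wrong passphrase or a destroyed key


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=32)


def create_volume(passphrase: str, plaintext: bytes):
    dek = secrets.token_bytes(32)            # random per-volume key, never derived from the passphrase
    salt = secrets.token_bytes(16)
    header = VolumeHeader(
        salt=salt,
        wrapped_dek=xor_bytes(dek, derive_kek(passphrase, salt)),
        check=hmac.new(dek, b"check", hashlib.sha256).digest(),
    )
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = nonce + xor_bytes(plaintext, prf_keystream(dek, nonce, len(plaintext)))
    return header, ciphertext


def unlock(header: VolumeHeader, passphrase: str):
    """Return the DEK, or None if the passphrase is wrong or the key material is gone."""
    dek = xor_bytes(header.wrapped_dek, derive_kek(passphrase, header.salt))
    expected = hmac.new(dek, b"check", hashlib.sha256).digest()
    return dek if hmac.compare_digest(expected, header.check) else None


def decrypt(dek: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor_bytes(body, prf_keystream(dek, nonce, len(body)))


def crypto_shred(header: VolumeHeader) -> None:
    """'Remote wipe' and the ransomware's key deletion are the same operation:
    overwrite the wrapped key and every sector of ciphertext becomes junk."""
    header.wrapped_dek = bytes(len(header.wrapped_dek))


def demo() -> dict:
    record = b"Patient: J. Doe, SSN 123-45-6789, dx: hypertension"   # constructed sample PHI
    passphrase = "correct horse battery staple"                       # constructed
    header, disk = create_volume(passphrase, record)
    results = {
        "ciphertext_leaks_ssn": b"123-45-6789" in disk,
        "wrong_passphrase_unlocks": unlock(header, "password1") is not None,
    }
    dek = unlock(header, passphrase)
    results["decrypted_ok"] = dek is not None and decrypt(dek, disk) == record
    crypto_shred(header)                                               # the remote wipe arrives
    results["unlocks_after_shred"] = unlock(header, passphrase) is not None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Two things to notice.  A remote wipe never touches the data sectors: overwriting 32 bytes of header is enough, which is why it can finish in a second over a flaky connection, and why Cryptolocker's threat to delete the key was credible.  And the only input that turns the header back into a DEK is the passphrase, which is why coercion (or a weak passphrase) is the realistic attack, not the cipher.  A centrally managed product will normally also escrow the DEK with the management server so that an authorised recovery is possible; a wipe is only final once that copy is dealt with too.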

    Second, Macs come with free encryption.  Depending on the operating system, FileVault or FileVault 2 is already on the machine: FileVault 2 (OS X 10.7 Lion and later) is the true FDE solution that encrypts the whole startup disk, while the original FileVault only encrypted the user's home folder, which would still have covered most of the files in question.  Nothing has to be downloaded.  As a company that is bound by HIPAA, it's astounding that they didn't make use of it, especially considering that, once enabled, the user's experience is no different from ordinary password protection: you type the password at boot rather than at login.

    While BCBSNJ may have followed the letter of the law, it's debatable whether they followed the spirit of it.  The Office for Civil Rights at HHS, which is charged with investigating such incidents, may not look too kindly on BCBS if it arrives at the same conclusion.
    Related Articles and Sites:
    http://www.phiprivacy.net/horizon-bcbs-notifying-840000-members-after-laptops-stolen-with-personal-data/
    http://www.nj.com/business/index.ssf/2013/12/horizon_bcbs_notifying_840000.html