AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

June 2014 - Posts

  • Disk Encryption Legalities: Massachusetts Court Orders Lawyer To Decrypt Laptop

    The Massachusetts Supreme Judicial Court (MSJC) has ordered a lawyer to decrypt his laptop computers.  The lawyer, one Leon Gelfgatt, is a criminal suspect in an ongoing case involving Russians and mortgage fraud, and as far as I can tell (as a non-lawyer), his biggest mistake was in not following the age-old maxim: "don't speak unless you have a lawyer present."

    MSJC Rules: Foregone Conclusion

    A long story short: Gelfgatt faked "mortgage documents to sham companies," making over $13 million in the process.  When arrested, he told state troopers that "[e]verything is encrypted and no one is going to get to it."  In fact, you've got to read it for yourself, because it almost sounds like Gelfgatt was gloating about it (although I could just be reading too much into it). From arstechnica.com:
    During his postarrest interview with State police Trooper Patrick M. Johnson, the defendant stated that he had performed real estate work for Baylor Holdings, which he understood to be a financial services company. He explained that his communications with this company, which purportedly was owned by Russian individuals, were highly encrypted because, according to the defendant, "[that] is how Russians do business." The defendant informed Trooper Johnson that he had more than one computer at his home, that the program for communicating with Baylor Holdings was installed on a laptop, and that "[e]verything is encrypted and no one is going to get to it." The defendant acknowledged that he was able to perform decryption. Further, and most significantly, the defendant said that because of encryption, the police were "not going to get to any of [his] computers," thereby implying that all of them were encrypted.
    The above summary by the MSJC is followed by its conclusion that the information held within these laptops is a "foregone conclusion" and not testimony.  That means that forcing Gelfgatt to decrypt the data does not impinge upon his Fifth Amendment right against self-incrimination.

    How can that be?  Because of the magic words, foregone conclusion.

    Foregone Conclusion

    This is what I wrote in a previous post regarding encryption and the Fifth Amendment:
    I had never before looked into what the Fifth Amendment really protects.  I had a general idea, and I'd read the unwashed masses' opinions, comments, and whatnot, but never have I gone straight to the source (and supporting legal opinions) and read it.  What I've read today shows me that a lot of people out there, including myself, have a good, general idea of what it's about, but it's the technical exceptions that can trip us up.

    For example, everyone knows the government compelling one to produce incriminating evidence is illegal.  Sounds about right, right?  But, it turns out that the government compelling you to produce incriminating evidence can be legal (not is but can be).

    It's a question of what the government knows, and to what degree.  Under the "foregone conclusion doctrine," if the government already knows (not thinks it knows, or assumes, or believes it to be highly likely) about a particular piece of evidence and knows that you have it (and can prove that you have it), they can force you to present it.
    Now, take the above and re-read the MSJC's summary.  Note how our suspect:
    • Had admitted to working for the Russians.
    • Noted that his laptop computers were encrypted.  In fact, all of his laptop computers were protected.
    • Stated that he could decrypt the laptops.

    If Gelfgatt had kept his mouth shut, he wouldn't be in this situation.  Granted, not speaking or admitting to anything wouldn't have made it a slam-dunk case against forcing him to decrypt the data; however, by admitting to these three things, he made it easy for the prosecutors to make their case.

    Especially the second and third points, in my opinion.  A lot of the controversy over "the government forcing you to decrypt your laptop or putting you in jail" (as under the UK's RIPA) stems from whether someone is unfairly put under duress.  For example, what if a person forgot his password?  It's not that he doesn't want to comply with the court's orders – it's just that he literally can't.

    Also, some have pointed out that admitting to knowing the password to encrypted data supports the conclusion that you also knew what that data contained (since you encrypted it); hence, providing a password would be self-incriminating testimony.  But this only holds if you haven't already admitted to knowing the password.  Or admitted that the laptops are yours, for that matter.

    Why Gelfgatt did what he did is a mystery.


    Related Articles and Sites:
    http://arstechnica.com/tech-policy/2014/06/massachusetts-high-court-orders-suspect-to-decrypt-his-computers/
     
  • Data Security: US Supreme Court Says Warrants Needed For Cellphone Search

    According to the US Supreme Court, US authorities require warrants in order to search the cellphones of people who are arrested (http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf).  The decision is not solely for cellphones, though: rummaging through information found on smartphones, tablet computers, laptops, etc. should also be affected, with personal privacy being the winner.

    Also, I imagine it will affect the debate surrounding data encryption (managed disk encryption: http://www.alertboot.com/).  For example, there are a number of cases in the US where people under arrest were coerced into either giving up passwords to their encrypted data or providing the encrypted data (without giving up the password).  The argument went back and forth over whether the Fourth Amendment applied.  The latest legal decision emphatically declares that, yes, indeed it does.

    Cellphone is a Misnomer

    In a 9-0 decision, the judges of the highest court in the United States of America have agreed that routinely searching through a person's cellphone is unreasonable unless one has a warrant to do so.  Otherwise, it would be like allowing "British officers to rummage through homes in an unrestrained search for evidence of criminal activity" – one of the reasons why the American Independence movement took place.  (It's not lost on this blogger that the Fourth of July is next week).

    Cellphones, Chief Justice Roberts noted, "could just as easily be called cameras, video players, Rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps or newspapers."  Indeed, calling it a phone could very easily be a misnomer – something that hasn't been lost on tech evangelists.  It's been noted again and again that the modern cellphone – including feature phones like flip-phones – is not a portable phone: it's a computer with a phone element attached to it; God knows that was true when it came to the first generation iPhone.

    Law Enforcement Becomes More Difficult

    The Court's decision, the justices agreed, would make law enforcement more difficult.  However, it was noted that privacy has a price – and it's my personal interpretation that the increased difficulty for "the law" to do its thing is what you pay for not repeating the actions that caused a revolt almost 250 years ago.

    Plus, the same technology that aids criminals also aids law enforcement: warrants can be had in hand in 15 minutes using email.  It's not a complete loss for the good guys.

    Regarding the argument that evidence could be destroyed remotely (a real danger: the encryption software under AlertBoot management, for example, allows remote deletion), the court noted that "[t]he police may turn off a phone, remove its battery or place it in a bag made of aluminum foil."

    What Does this Mean for Encryption?

    Although there has been a lot of controversy over the government going after suspects' encrypted data, the truth is that the Justice Department never really pushed on the issue, probably knowing that it would be the beginning of the end.  In instances where a suspect landed in jail for not handing over a password or encrypted data, it was because they were defying a court order to do so (the court order, I assume, would have a similar effect to a warrant).

    In other instances, the Justice Department resorted to legal jiu-jitsu, such as asking for the encrypted data without the suspect revealing their password (because, apparently, demanding the password encroached upon the idea of a password being like the combination to a safe, as opposed to a physical key to a safe: the former is protected, the latter is not).  Practices like these would have to be eliminated now.

    All in all, I would say that this decision legitimizes the use of encryption by the public at large.  Any insinuations that "only those who have something to hide use encryption" are rejected as government flimflam, with the government having to prove that they're not on a fishing expedition.

    Related Articles and Sites:
    http://www.nytimes.com/2014/06/26/us/supreme-court-cellphones-search-privacy.html?_r=1
    http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf
     
  • HIPAA Encryption: How Can You Tell Password-Protection Was Used Instead of Encryption?

    While I don't mean to pick on Colorado Neurodiagnostics, a Colorado company that recently experienced a patient data breach, the short article announcing the loss of their computer with medical data illustrates how one can conclude that HIPAA laptop encryption was not used.

    Colorado Neurodiagnostics PHI Breach

    According to denverpost.com, a Colorado Neurodiagnostics laptop containing "patient names, dates of birth and clinical information" was stolen (the article doesn't give details on when, where, or how).  Other information, such as SSNs, financial information (usually credit card numbers), addresses, or phone numbers were not stored on the machine.

    The article notes that password protection was used to secure the data.  The problem with this statement, though, is that it doesn't say whether the password protection was backed by medical encryption software, such as AlertBoot full disk encryption.  The difference in security is the difference between night and day.

    Password protection, if you will, is like hiding a house key under the welcome mat: check the usual places, and there's a very realistic chance that you'll find a way in.  Bypassing the usual password protection login prompt can be as simple as removing the hard disk from a computer and wiring it up to another one (it takes maybe 15 minutes and $5 worth of tools and cables).

    In contrast, using encryption software is like putting a moat with sharks around the house: if you know the password, the drawbridge is lowered for you.  Otherwise, there's no realistic way in.

    Why would one be used instead of the other?  Well, for one, they look the same.  Like a brand new car that's missing its engine, you can't tell just by looking that encryption is not linked to the password protection prompt (unless you crack open the hood).
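    "Cracking open the hood" is something an auditor or incident responder can do directly on a raw image of the volume, without waiting for a breach notice: a full disk encryption product leaves a recognisable container header at the start of the volume, and the data past the header is ciphertext rather than readable filesystem content.  The following is an added example written for this post, not AlertBoot's code or any tool the post mentions.  It checks for the standard LUKS magic (offset 0) and the BitLocker and plain NTFS OEM IDs (offset 3), and falls back to a byte-entropy measurement for headerless containers.  The four volume images it inspects are constructed in the script (not real disk dumps), and the boot-sector jump bytes and the 7.5 bits-per-byte threshold are assumptions made for the demonstration.

```python
import math
import random
from collections import Counter

# On-disk signatures to look for at the start of a raw volume image.
LUKS_MAGIC = b"LUKS\xba\xbe"    # LUKS1/LUKS2 magic at offset 0; version in bytes 6-7 (big-endian)
BITLOCKER_OEM = b"-FVE-FS-"     # BitLocker volume boot record OEM ID at offset 3
NTFS_OEM = b"NTFS    "          # plain (unencrypted) NTFS OEM ID at offset 3

HEADER_SKIP = 4096              # skip past the header region before sampling the data area
ENTROPY_THRESHOLD = 7.5         # assumed cut-off (bits/byte): ciphertext sits near 8, text far below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0) of a byte sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_volume(image: bytes, sample_size: int = 65536) -> dict:
    """Report what protects the data on a raw volume image.

    scheme:  recognised on-disk header, or 'none'
    entropy: bits/byte of a sample taken past the header region
    verdict: 'encrypted', 'probably encrypted' or 'plaintext'
    """
    if image[:6] == LUKS_MAGIC:
        scheme = "luks%d" % int.from_bytes(image[6:8], "big")
    elif image[3:11] == BITLOCKER_OEM:
        scheme = "bitlocker"
    elif image[3:11] == NTFS_OEM:
        scheme = "ntfs-plain"
    else:
        scheme = "none"

    entropy = round(shannon_entropy(image[HEADER_SKIP:HEADER_SKIP + sample_size]), 2)

    if scheme == "bitlocker" or scheme.startswith("luks"):
        verdict = "encrypted"
    elif scheme == "none" and entropy > ENTROPY_THRESHOLD:
        # No recognised header but ciphertext-like data (e.g. plain dm-crypt).
        # Compressed or random data looks the same, so this is only 'probably'.
        verdict = "probably encrypted"
    else:
        # A login password alone leaves the filesystem readable once the disk is moved.
        verdict = "plaintext"

    return {"scheme": scheme, "entropy": entropy, "verdict": verdict}


def build_sample_images(size: int = 1 << 17) -> dict:
    """Constructed 128 KiB volume images for the demonstration (not real disk dumps)."""
    rng = random.Random(2014)  # deterministic stand-in for ciphertext
    noise = bytes(rng.getrandbits(8) for _ in range(size))
    # Constructed PHI-like records: the kind of data the post is about.
    record = b"Patient: Jane Doe (constructed); DOB 1970-01-01; Dx: migraine; visit 2014-06-12\n"
    text = (record * (size // len(record) + 1))[:size]

    def with_header(header: bytes, body: bytes) -> bytes:
        return (header + body)[:size]

    return {
        # Windows login password but no encryption: NTFS boot sector, readable data.
        "password_only": with_header(b"\xeb\x52\x90" + NTFS_OEM, text),
        # Same laptop, but the volume is a LUKS2 container.
        "luks": with_header(LUKS_MAGIC + (2).to_bytes(2, "big"), noise),
        # BitLocker volume: the OEM ID announces it, the data area is ciphertext.
        "bitlocker": with_header(b"\xeb\x58\x90" + BITLOCKER_OEM, noise),
        # Headerless ciphertext (plain dm-crypt style): only entropy gives it away.
        "headerless": noise,
    }


if __name__ == "__main__":
    for name, image in build_sample_images().items():
        print(name, classify_volume(image))
```

    Against a real laptop the input would be the first few hundred kilobytes of the partition image (for example from a forensic copy); the point of the entropy fallback is that a missing header proves nothing, while a plain NTFS header with readable records is exactly the "password protection only" case the post describes.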

    So how can one tell?  Well, when it comes to covered entities, you can tell because they make an announcement and otherwise contact affected patients.

    HIPAA Data Security: Encryption Gives You a Free Pass

    Under the federal statute known as HIPAA, a medical organization is required to do the following if patient data is lost, stolen, or otherwise unaccounted for:
    • Notify the Department of Health and Human Services, which oversees HIPAA.
    • Notify the people affected by the data breach.
    • Make a public announcement if over 500 people are affected or if it's impossible to notify them individually.
    The one caveat is that all of the above become optional if encryption is used to secure the data.  In other words, HIPAA covered entities that used encryption can choose whether to go public with the news of the data breach or not (and you can bet they do not.  Among other things, admission to such a breach invites a federal investigation, possibly resulting in a fine up to $1.5 million, not to mention lawsuits from those who were affected).

    The fact that Colorado Neurodiagnostics made the announcement indicates that encryption was not used to protect patient data.  Based on the information that was stored on the stolen laptop, perhaps Colorado Neurodiagnostics didn't think it was necessary to use encryption, although others may present a different opinion.

    And that's how you can tell.

    Related Articles and Sites:
    http://www.phiprivacy.net/laptop-stolen-from-colorado-neurodiagnostics-contained-phi/
    http://www.denverpost.com/news/ci_26008800/laptop-containing-medical-information-stole-from-littleton-medical
     
  • Is BYOD Leaving Your Company Wide Open to Security Breaches?

    The BYOD culture is saving companies about $1,300 per mobile user. Employees who bring their own devices also tend to be happier and more productive. How could a BYOD policy possibly have any downside?
     
    Unfortunately, BYOD also brings new security concerns. Recent data breaches have brought the need for data security to the news on a daily basis. Many people assume that Apple products are inherently safe. While there have been fewer incidents of viruses or malware disabling Apple systems, that’s simply due to its market share — no device is automatically safe.
     
    In this article, Tim Maliyil examines the rise of the BYOD culture and what the price of true security might be.

    The full article can be found here:

    http://nibletz.com/2014/06/20/bring-your-own-device/

     
  • UK Data Breaches: ICO Reviewing Impact Of Monetary Penalties, Threatens "Contempt Of Court" Charges

    The UK's Information Commissioner's Office (ICO) is investigating the effects of monetary penalties on organizations that breach the Data Protection Act (DPA).  With the ability to fine up to £500,000, the monetary penalty is a formidable DPA enforcement tool: not only does the fear of a large fine prompt action, it spreads the news to people in charge who may be unfamiliar with, unaware of, or inclined to downplay data security.

    Opening Up Lines of Communication

    According to governmentcomputing.com,
    the commissioner's office had been speaking with councils and other bodies that have faced enforcement notices and financial penalties as a result of data breaches during this period to understand the impacts of its work.
    It's nice to know that the ICO cares.  On the other hand, perhaps this is not necessarily a concerned inquiry into the well-being of public agencies after being hit with a fine.
    Details of the review coincided with the ICO's decision to give Wolverhampton City Council 50 days to ensure all its staff are adequately trained in data protection.
    The warning was issued after the ICO found that about two thirds of council staff had not received mandatory training by an agreed deadline of February this year.
    Something about Wolverhampton must have set the ICO off, because (my emphasis),
    Rather than directly imposing a fine, the ICO has said that the council would be charged with contempt of court should it fail to meet the 50 day deadline to ensure all staff are provided with sufficient data protection training.
    Why a contempt of court versus a fine?

    Contempt of Court – How It Could Trump Monetary Penalties

    According to the site findlaw.co.uk,
    If you are guilty of contempt of court you may be sent to prison...  Contempt of court is essentially where somebody is deemed to have interfered with the administration of justice....  By committing contempt of court you are betraying the entire justice system
    Seeing how all of the Wolverhampton City Council cannot be put in jail, it stands to reason that a representative would be – assuming the charges of contempt are valid.

    And assuming that it is valid, it would give the heads of organizations a personal stake in swiftly and completely effecting the necessary changes to their approach to data security.  The problem with monetary penalties is that – at least for public sector organizations – the fine doesn't have a personal impact.  You could say that it becomes a Tragedy of the Commons, since the money ultimately comes from taxpayers.

    In fact, the ICO has been asking to be legally empowered to hand out prison sentences, something that hasn't happened yet (although it is technically possible, apparently).

    Could this latest action by the ICO be the public servant looking to flex its muscles, as opposed to a legitimate move?  Perhaps not.

    Wolverhampton City Council Dragging Its Feet

    An ICO representative had this to say about finding Wolverhampton in contempt.
    Stephen Eckersley, head of enforcement at ICO said Wolverhampton City Council had shown a "lack of urgency" in dealing with data protection concerns.

    "Over two years ago, we reviewed the council's practices and highlighted the need for guidance and mandatory training to help its staff keep residents' information secure," he said.

    "Despite numerous warnings the council has failed to act, with over two thirds of its staff still remaining untrained. We have taken positive steps and acted before this situation is allowed to continue any longer and more people's personal information is lost."
    Wow.  Two years.  For training.  No wonder the ICO feels rubbed the wrong way.  Even technically complex remedial actions like installing laptop encryption software across an entire organization take less time than that, from researching a list of candidates to protecting the last machine.

    Related Articles and Sites:
    http://central-government.governmentcomputing.com/news/ico-examines-data-breach-penalty-impacts-4280970
    http://www.findlaw.co.uk/law/criminal/criminal_courts/500317.html
     
  • HIPAA Encryption Report: HHS/OCR Releases 2011/2012 Annual Report on PHI Breaches

    The US Department of Health and Human Services, Office for Civil Rights has released its annual report on data breaches involving protected health information.  The report covers the dates of January 1, 2011 through December 31, 2012, according to phiprivacy.net.  While it may reflect the near past, it shows why HIPAA encryption is so important: theft accounted for more than 50% of all data breaches involving the PHI of 500 or more individuals.

    Adding instances of loss, the figures rise to around 66% (accounting for nearly two-thirds of all reported data breaches).

    Individuals Affected

    Of course, just because two-thirds of all data breaches are tied to theft and loss does not mean that this will correspond to the number of people affected: for example, if you have one online hacking incident that affects the whole of the US (300 million people and then some), chances are that it will dominate the numbers.  So, how many people were affected by theft and loss?
    • 2009: 60% (theft), 0% (loss) – total of 60%
    • 2010: 58%, 22% – total of 80%
    • 2011: 24%, 54% – total of 80%
    • 2012: 36%, 13% – total of 49%

    There is a dramatic 30% drop in affected people in 2012, but the share of data breaches attributed to theft and loss has remained consistent over the years (approx. 66%).  This can mean either that (a) people have started limiting how much information is stored on mobile devices like laptops and smartphones (e.g., if one laptop is stolen each year but the PHI count goes from 2 to 1, there's an instant 50% reduction in affected people) or (b), seeing how we're dealing with percentages, that more people were involved in a different type of data breach (which the HHS/OCR report classifies as "other").

    Business Associates

    In 2011, Business Associates (BAs) accounted for 27% of all data breaches reported to the HHS that involved 500 or more people.  However, they accounted for 64% of all people affected.

    In 2012, BAs accounted for 25% of data breaches and 42% of all people affected.

    Desktop Computers Come In Third

    In 2011, paper-based breaches accounted for 27% of all data breaches, followed by laptop computers (20%) and desktop computers (14%).  Other portable devices followed very closely, at 13%.

    I've argued often that desktop computers require the same level of attention and dedication to security as laptop computers, and the above numbers bear me out.  Especially when you consider the number of people affected: the "Other" category accounts for a whopping 70% of people affected, followed by desktop computers (18%) and laptop computers (4%).

    What's with the "Other" category?  Well, that's where storage media like backup tapes end up, seeing how they're rarely involved in a data breach.  If you'll recall, we've had a number of big breaches centered around data tapes, such as SAIC/Tricare.

    In 2012, paper accounted for 23% of breaches, followed by laptop computers (27%) and network servers (13%).  Desktop computers came in fourth place with 12%.

    Resolution Agreements (i.e., Fines)

    In addition to the above data, the HHS/OCR report lists a number of enforcement actions that were pursued.  You can get more details from the report itself but I thought I'd list what people are really interested in.  The fines:
    • Blue Cross Blue Shield of Tennessee: $1.5 Million resolution amount
    • Alaska Dept. of Health and Social Services: $1.7 Million 
    • Mass. Eye and Ear Infirmary and Mass. Eye and Ear Associates: $1.5 Million
    • Hospice of North Idaho: $50,000
    • Idaho State University: $400,000
    • WellPoint: $1.7 Million
    • Affinity Health Plan: $1,215,780

    The types of breaches vary (paper, computers, photocopiers), as do the numbers of people affected, whether in the millions or in the hundreds.  The only thing that is consistent is that there appear to have been multiple failures to comply with the HIPAA Security and Privacy Rules.


    Related Articles and Sites:
    http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf
    http://www.phiprivacy.net/hhs-issues-report-to-congress-under-hitech/
     