in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

November 2014 - Posts

  • Data Security: Home Depot's Execs Switch To Macs, iPhones After Data Breach

    The Wall Street Journal reports on the Home Depot data breach.  Among some of the revelations is that (a) they had actually upgraded to the latest security measures when the data breach was discovered and (b) executives were handed Apple devices to counteract the immediate damage.  Seeing how these were "secure," it sounds like disk encryption had been enabled, among with the installation of other security solutions.  Plus, it made sense because the problem the facing company originated from Windows.

    A Timeline and Revelations

    The site wsj.com has a very good summary of how and when Home Depot was alerted of the data breach, and what happened in the following days.  It appears that they were notified of the data breach via multiple avenues, including the Secret Service as well as a financial institution's analyst.

    After that, well… the story has been covered via multiple channels, thanks to it being one of the largest data breaches in US history.  What might be news to people, however, is that when all of this was going down, Home Depot had already upgraded their security.  Unfortunately, the hackers were already inside their system by then (the application of a patch by Microsoft, meant to deal with the security vulnerability, was also powerless for this same exact reason), so Home Depot's efforts were for naught in this particular case.

    The other revelation is the switch to Macs once the company found out that they had a problem in their computer network:
    The company was able to confirm a breach, but it couldn’t be sure its critical business information was out of danger. An IT employee bought two dozen new, secure iPhones and MacBooks for senior executives, who referred to their new devices as "Bat phones."
    Seeing how a Windows vulnerability was at the heart of the problem, it makes sense that Macs were employed.  On the other hand, there's nothing magical about Macs, is there?  Switching to Macs is a temporary band-aid.

    Growing Problem

    One of the purported reasons why Macs are more secure than Windows is that there is less malware for it.  And the reason for that lies in Macs not being as "popular" – that is, it's footprint in the world is much, much smaller than Windows machines.  Since hackers are looking to infect as many machines as possible, it only makes sense to expend their time going after Windows machines.

    The problem with this is that it is an old argument.  Macs are becoming every more popular.  And, thanks to the growing popularity of Apple's smartphones, more and more people are learning to code in a Mac environment. (In fact, one of the reasons why viruses and other malware were not as prevalent in the past for Macs could very well have been due to the smaller number of people who programmed for Macs.  Hackers who were looking to make the switch form Windows or other OSes may ultimately have decided it was not worth it because they'd have to re-learn a substantial amount).

    But, again, it's an old, irrelevant argument.  We can readily see that Apple's malware-free environment is being encroached upon every day, with iPhone and Mac-specific malicious software being identified in the wild more and more often.  The users of Macs today must be as aware of the potential pitfalls as their Windows counterparts.

    Related Articles and Sites:
    http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
    http://www.macobserver.com/tmo/article/countermeasure-in-home-depot-data-breach-macbooks-iphones-for-execs
     
  • HIPAA Data Breach: You're Still More Likely To Lose Data Than Get Hacked

    The site hitconsultant.net relays that HIPAA covered entities are still more likely to experience a data breach by losing data than by being hacked online – which is why a managed HIPAA encryption solution like AlertBoot is very important in a medical environment.  The site's conclusions are supported not only by an analysis of the HHS's "Wall of Shame," where data breaches involving more than 500 people's personal information are listed, but by a report released from the California Attorney General's Office.

    Some Stats

    Based on the analysis, the Wall of Shame shows that 68% of all HIPAA data breaches since 2010 are due to the theft or loss of a device (be it a laptop, external hard drive, USB thumbdrive, backup tapes, etc).  Data from the AG's office shows similar figures despite the time period being shorter (70% of data breaches attributed to missing devices since 2012).  So, despite the recent prominence of online hacks being reported in the media, it appears that more attention should be given to what's happening at the local, un-virtual level.

    If there's criticism to be levied above, it's that the "number of data breaches" does not necessarily mean that the "most people were affected" by it.  But that's covered as well.  The article notes that,

    4% of breaches accounted for 80% of total records compromised. Of these 100k record and above mega-breaches, an above-average 78% of compromised records were the result of loss or theft.
     
    A couple of things are notable about the above.  The 80/20 rule (aka, Pareto law or Power law, although specifics can differ when you get to the nitty-gritty) is broken, possibly pointing towards something quite unusual going on here.  For example, maybe it means that because online hacks generally involve millions of data points, these tend to bias the overall figures.  In turn, this could mean that online hacks should not be bunched together with other types of data breaches, possibly because online data breaches involve figures in the hundreds of thousands, at least, whereas everything else tends to include much lower numbers (e.g., 500, in the case of HIPAA).

    What I find more surprising is that the loss and theft of devices account for well nearly 80% of breaches involving 100,000 records or more.  Why would anyone be carrying such large amounts of data on a computer that is not protected with encryption software?   Many would say that the risk is not there, or that they cannot justify it financially.

    A Simple Risk Analysis

    From a simple risk analysis point of view, assuming that each person's data point is worth a measly 10 cents, the loss of a database with 100,000 personal records would be like losing $10,000.

    Of course, the 10-cent figure is from the perspective of the attacker (since that's how much it fetches in online black markets; the world is saturated in such data).  To the defender, the covered entity that has to deal with cleaning up a data breach, the per capita cost is actually in the hundreds of dollars.  That means an unencrypted computer is a silicon satchel potentially worth $10,000,000 or more if something untoward were to occur: disruption to its business operations; costs involving the notification of clients; setting up call centers for answering any follow up questions; hiring forensic experts; dealing with regulators; loss of brand reputation and goodwill; defending against lawsuits; etc.  There are a lot of intangible costs, as you can see.

    A Little More Complicated Risk Analysis

    Of course, the individual probability of a computer being lost or stolen is relatively low.  But the point is that it just takes one laptop loss or theft to trigger a data breach.  So, it's not about the individual risk as it is about the company's risk.

    If the individual odds of something happening to a laptop in a given year is 1%, and you have 100 people in a company who have laptops with sensitive data, then the odds of a data breach in any give year is:

    1 – (the odds of no one losing their laptops)

    In order to trigger a data breach in a give year, you could have two laptop losses in a year, or three losses, or four losses, etc. all the way up to a theoretical 100 losses.  The only way you can avoid a data breach is if none of the 100 employees have their laptops nicked.

    So, the calculation becomes easier if the "1% probability of losing a laptop" becomes a "99% probability of not losing a laptop."  Since the loss of laptops can be thought of as independent events:

    1 – (.99)^100 = your odds of having a data breach in a give year = 0.634 (or 63%)

    Now, it could be that the initial assumption of 1% is too high.  But even if the initial assumption is 0.1%, the resulting probability is 9%, still pretty high (you'll see what I mean in the next calculation).  Make it 0.01% and it finally sinks to 1%.

    Now, a 1% probability of a data breach in a given year across 100 employees doesn't sound too bad (again, assuming the probability of losing any individual laptop is 0.01% or 1 in 10,000) but you have to incorporate the cost of data breach.  In my earlier calculation, I had given that amount as $10 million.

    $10,000,000 x 1% = $100,000

    So, a company would still be facing the possibility of losing $100,000 any given year because of a data breach.  It's definitely cheaper to encrypt 100 laptops, especially when you consider that the actual losses, when it hits, will not be the statistical $100,000 but a very large $10,000,000 – enough to sink most commercial concerns.

    Related Articles and Sites:
    http://www.phiprivacy.net/68-of-healthcare-data-breaches-due-to-device-loss-or-theft-not-hacking/
    http://hitconsultant.net/2014/11/04/healthcare-data-breaches-device-theft-loss/
     
  • Disk Encryption: Laptops Stolen From DC Polling Locations

    According to wusa9.com, a break-in in Southeast D.C. has resulted in the theft of laptops and other items.  While the use of laptop encryption software was not disclosed, a Board of Elections official noted that voter information was not compromised.

    Elementary School = Low Physical Security

    Three laptop computers were stolen when the voting site – really an elementary school – was broken into.  In addition, refreshments for volunteers were stolen as well.  Conspiracy theories not withstanding, it looks like it was just your average break-in: you have high-value items, low security, and, apparently, zero monitoring: it seems that nobody knew anything was amiss until volunteers arrived around in the wee hours of the morning.

    As mentioned above, an election official was quoted as saying that voter information was not compromised.  How does he know?  Because "the laptops have to be connected to the BOE network for anyone to gain access to that information."

    If I may put on my tin-foil hat, however, it should be noted that the wording here was very specific to voter information.  It sounds like things were set up so that voter info resided on secure servers, and the laptop was merely acting as a "thin-client."  That is, a device for remotely accessing the data.  Assuming the correct app was available, the same could have been accomplished with an iPad.  However, laptops being what they are, one has to wonder if there was any sensitive information stored on any of the stolen devices.

    Not voter information per se, but other information.  Had disk encryption been used, these refreshment and computer stealing thieves would be stopped from digitally poking around in the laptops.  So, was encryption used?  Was it necessary?  If yes, one only hopes that encryption was used.

    Related Articles and Sites:
    http://www.databreaches.net/voter-info-stolen-in-southeast-dc/
    http://www.wusa9.com/story/news/politics/elections/2014/11/04/voter-information-laptop-stolen-se-dc/18455153/
     
  • The 5th Amendment: Fingerprints Not Protected Like Passwords Are

    When it comes to smartphone encryption, it seems that Apple's fingerprint-based TouchID unlocking feature is not so great (although most people seem to readily agree that the same, when it comes to mobile payments, is nothing short of miraculous).  A Circuit Court judge has ruled that a defendant can be compelled to give up his fingerprint when it comes to unlocking his cellphone, something that would be illegal (or at least questionable) when it comes to entering a 4-character PIN or a longer password.

    This is in keeping with decisions over the years that required a judgment whether a person can be compelled to reveal encrypted data.

    Video Stored on Cellphone

    The question on fingerprints and passwords was prompted by a case where prosecutors believed that evidence, in the form of digital video, may be stored on the defendant's cellphone.  They went to a judge to have the defendant to unlock his cell phone, but the judge nixed that idea:
    Judge Steven C. Frucci ruled this week that giving police a fingerprint is akin to providing a DNA or handwriting sample or an actual key, which the law permits. A pass code, though, requires the defendant to divulge knowledge, which the law protects against, according to Frucci's written opinion. [macrumors.com]
    As mentioned before, the latter is in keeping with previous rulings; the former, on the question of fingerprints – which I assume extends to any and all biometric data – is new, although not surprising.

    What will be surprising, though, will be the unintended consequences of this ruling.  For example, will it stop journalists from buying an iPhone, or not turning on TouchID if they do get an Apple device?  Will Android or some other mobile OS (or – gasp – 2g flip phones) be the beneficiaries of this ruling?  What will criminals do?  Will the lack of fingerprint-based entry systems act as a proxy for "someone who has something to hide"?  Because that's the way encryption is described in certain circles.  Will companies that use disk encryption on their laptops do away with any physical tokens, electing to only use passwords?

    Related Articles and Sites:
    http://www.macrumors.com/2014/10/31/fingerprints-not-protected-by-fifth-amendment/
    http://www.wired.com/2013/09/the-unexpected-result-of-fingerprint-authentication-that-you-cant-take-the-fifth/
     
More Posts « Previous page