
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

August 2017 - Posts

  • Delaware Updates Data Breach Notification Rules

    Delaware, the second-smallest state but the leader in business incorporations, at least within the USA, has updated its legal framework regarding data breach notifications. Beginning on August 14, 2018, companies that experience a data breach must notify any affected individuals in Delaware within 60 days. In addition, credit monitoring – free of charge, of course – is now a legal requirement, not a "favor" or "show of goodwill" on the part of the companies.

    And there's more, much more.  

    Changes, Long Time Coming

    Delaware is famous for being a pro-business state; there's a reason why over 60% of Fortune 500 businesses are legally incorporated there. Indeed, it's so pro-business that sometimes it seems that Delaware residents take a back seat to their "legally-people" brethren. Case in point: the original data breach law Delaware passed in 2005, and all the problems it had.

    Well, in less than one year, real people will see their rights elevated:

    • Reasonable protection of personal information.
      • Includes an update on the definition of "encryption."
      • A change in the language so that, if encryption is compromised in the data breach, encryption as safe harbor doesn't kick in.
    • Updated definition of "personal information."
      • Under the new law, medical information; biometric data; user names and passwords; health insurance policy numbers; passport numbers; financial account routing numbers; and individual taxpayer identification numbers, among others, have been added as personal information.
    • Notification to residents within 60 days of a data breach.
    • Notification to the Attorney General if more than 500 people are affected.
    • Free credit monitoring for one year.
    Obviously, the above doesn't cover everything. The legislature included a handy synopsis in the bill, copied verbatim below. As you read over the list, you'll notice that an effort was made to remove certain things, which is interesting as well.
    This Act revises HB 180 to reflect input from a wide group of stakeholders. This Substitute Act differs from HB 180 as follows:
    • Terminology has been revised to be more accurate and consistent.
    • A definition of "person" is added and includes government, consistent with current law.
    • A definition of "determination of breach of security" is added.
    • Marriage certificates, full birth dates and birth certificates, shared secrets and security tokens, and digital or electronic signatures are removed from the definition of "personal information."
    • An application for health insurance is removed from the definition of personal information because all of the information in an application that is of concern is separately listed in the definition of personal information.
    • Removes the requirement that the Department of Justice develop regulations and a model form of notice.
    • Clarifies how to provide notice if a breach involves login credentials of an email account that is the basis of the breach.
    • Clarifies that notice of a breach can be provided after 60 days from discovery when it is determined at a later time that the breach includes additional residents.
    • Provides examples of federal laws that can be complied with to constitute compliance with this chapter.
    • Removes the private right of action for the failure of a person to provide notice under this chapter. The Common Law cause of action for actual damages as a result of a breach is unaffected by this change.

    Some Controversy

    On providing credit monitoring for free, some have pointed out the potential outsized effect on small and medium-sized businesses.

    In this day and age when it's easier than ever to compile extremely large databases, even for the smallest mom-and-pop store, the concerns are more than valid. Indeed, when you think about it, many things work against small businesses, especially when it comes to data security. For example, they ostensibly have less money than a megacorporation, meaning they cannot afford the best digital security on offer. Nor can they afford to upgrade their existing security as often. Nor can they guarantee access to dedicated IT professionals who could potentially lower the risk of a data breach in their day-to-day jobs.

    On the other hand, hackers don't give breaks just because you happen to be an SMB. And, at the end of the day, if 100,000 people (or more!) are affected by a data breach, the damage is the same whether the breached entity is a business operated by two people or twenty thousand people.


    Related Articles and Sites:
    https://www.bna.com/delaware-adds-stringent-n73014463341/
    https://www.lexology.com/library/detail.aspx?g=4a54016c-c241-4327-8127-e35a36bcb6a1
    http://legis.delaware.gov/BillDetail/26009

  • NIST Guy Who Came Up With Hair-Tearing Password Requirements Says He's Sorry

    The "NIST midlevel manager" who came up with the crazy password requirements (well, technically, recommendations: you know, must include special characters, uppercase and lowercase letters, alphanumeric) says that he's sorry and that "much of what [he] did [he] now regret[s]."
    As the Wall Street Journal explains, Bill Burr was a manager at the NIST – not a security researcher – who was under a deadline to produce a document on password security. In addition to not being a security researcher, he was also hampered in his efforts by the lack of data, and of access to it. In the end, he based his guide on an outdated white paper.
    And ever since, people all over the world have been struggling with passwords.  

    It Doesn't Work (But For the Lack of Trying… and Not)

    Burr should give himself a break. The reason why his requirements don't work is because people are quite tenacious when it comes to abusing loopholes in the digital realm. That, and the inexorable progress when it comes to the speed of computing hardware.
    The NIST document made its debut in 2003. We're living in 2017. When you consider that Moore's Law – the one regarding computer processing power, that it doubles every two years or so – is still valid as of right now, it means that today's processors are 128 times faster than those of 2003; password lengths, though, have barely budged from between 8 and 12 characters long.
    In addition, in the realm of brute-forcing passwords, pure CPU processing power has been surpassed by other approaches. GPUs have left CPUs in the dust, as have distributed and parallel processing. In the face of tremendous brute-force processing power, there are only a handful of ways to ensure that a password can retain its integrity in the face of attacks:
    1. Make the password longer,
    2. Increase the number of values for each character (e.g., lowercase alphabet is 26 values; upper and lowercase is 52 values; the addition of numbers to that is 62 values; etc.),
    3. Change your password frequently, or
    4. Slow down how quickly a password is processed (e.g., even if hardware can run through a gazillion passwords per second, the system is designed so that it can check one password per second).
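    Lever #4 in practice, as an added example that is not from the post or from AlertBoot: a password verifier that stretches every check through PBKDF2-HMAC-SHA256, so that the cost of one verification, rather than the speed of the attacker's hardware, bounds how many guesses per second can be tried against a stolen record. The iteration count, the salt size, the record layout and the guess-rate arithmetic are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this illustration (not from the post): a work factor
# chosen so that one verification costs a noticeable fraction of a second on
# commodity hardware, and a 16-byte random salt per record.
ITERATIONS = 200_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> bytes:
    """Return a self-describing record: 4-byte iteration count || salt || derived key.

    Storing the iteration count with the record lets the work factor be raised
    later (lever #4) without invalidating older records.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return iterations.to_bytes(4, "big") + salt + derived


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the derived key with the stored parameters and compare in constant time."""
    iterations = int.from_bytes(record[:4], "big")
    salt = record[4:4 + SALT_BYTES]
    stored = record[4 + SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def seconds_per_verification(record: bytes, password: str, samples: int = 3) -> float:
    """Measure the wall-clock cost of one verification on this machine (varies by host)."""
    start = time.perf_counter()
    for _ in range(samples):
        verify_password(password, record)
    return (time.perf_counter() - start) / samples


def guesses_per_second_bound(seconds_per_guess: float, parallelism: int) -> float:
    """Upper bound on an attacker's guess rate: how many verifications they can run
    side by side (an assumption supplied by the caller) divided by the cost of each."""
    return parallelism / seconds_per_guess


if __name__ == "__main__":
    record = hash_password("correcthorsebatterystaple")
    print("correct password accepted:", verify_password("correcthorsebatterystaple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    cost = seconds_per_verification(record, "correcthorsebatterystaple")
    print(f"one verification: {cost:.4f} s; with {ITERATIONS} iterations a single core "
          f"is capped at about {guesses_per_second_bound(cost, 1):.0f} guesses/s")
```

    Doubling the iteration count doubles the attacker's cost per guess along with the server's; a memory-hard function such as scrypt (also in hashlib) or Argon2 imposes the same kind of cost on the GPU and parallel attacks the post mentions, where plain PBKDF2 is cheaper to speed up.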
    Data breaches the world over have shown that certain passwords are used over and over. Regardless of how long or crazily complicated a password is, if a sizable sample of the population uses the same passwords, #1 through #3 become meaningless.
    And, #4 becomes meaningless when you have data breaches the world over.
    People may complain that frequent password changes, complex passwords, etc. "don't work" but what's the option? Never change passwords? Make passwords as simple as possible?  

    Regarding That XKCD Comic…

    And, of course, the WSJ made a reference to the classic XKCD strip regarding "correcthorsebatterystaple" as a password.
    The problem with creating passwords using this approach is that, when enough people in the population start using it, it will become the weak link of passwords.
    As noted in the comic strip (which is a bit dated, from 2011), correcthorsebatterystaple has 44 bits of entropy, which is based on 4 words randomly chosen from a list of 2048 common words. It notes that it would take hundreds of years to break.
    A comparable way of looking at this is that it offers the same level of protection as a password that is 8 characters long, each character chosen from a list made up of lower and uppercase alphabet letters; all numbers from 0 to 9; and four special characters.
    Here's the thing: researchers have shown that they can brute-force passwords with 10 characters or less within a couple of weeks. Indeed, passwords have to be about 22 characters long or so to pass muster.
    So, hitting on correcthorsebatterystaple wouldn't take hundreds of years; I doubt it would take a week – using an iPhone, no less. Could people use words from a bigger, thicker dictionary? Sure. But they won't. Mesothelioma will show up – and its spelling be correctly recollected from memory – as often as Tr0ub4dor&3 (there is the advantage, though, that mesothelioma can be looked up in a dictionary).
    Of course, you could also use the same 2048 words but make the password longer (more than 4 random words), but the equivalent to the 22 characters I mentioned above would be 12 randomly picked words. All of a sudden, it's not so easy to remember anymore.
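    The entropy arithmetic behind the comparisons above (4 words from a 2048-word list, the 8-character mixed password, and 12 words versus 22 mixed characters), worked through as an added example rather than the post's own figures. It also turns the bit counts into expected guessing times at two attacker rates, both assumptions: 1,000 guesses/s, the online-attack rate the XKCD strip used for its "hundreds of years" estimate, and a nominal 10^9 guesses/s for an offline attack on a fast, unstretched hash.

```python
import math

# Constructed assumptions, not figures from the post: an online attacker held to
# 1,000 guesses/s (the rate the XKCD strip assumed) and a nominal 10**9 guesses/s
# for an offline attacker working against a fast, unstretched hash.
ONLINE_RATE = 1_000.0
OFFLINE_RATE = 1_000_000_000.0

XKCD_DICTIONARY = 2048               # word-list size behind the comic's 44-bit figure
MIXED_ALPHABET = 26 + 26 + 10 + 4    # lower + upper + digits + four specials = 66 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_for_charset(symbols: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `symbols` possibilities."""
    return length * math.log2(symbols)


def bits_for_words(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly and independently from one dictionary."""
    return words * math.log2(dictionary_size)


def words_to_match(dictionary_size: int, target_bits: float) -> int:
    """Fewest dictionary words that reach at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def report() -> dict:
    """The comparisons the post draws, keyed by description."""
    passphrase = bits_for_words(XKCD_DICTIONARY, 4)
    twenty_two_mixed = bits_for_charset(MIXED_ALPHABET, 22)
    return {
        "4 words from 2048 (bits)": passphrase,
        "8 mixed chars (bits)": bits_for_charset(MIXED_ALPHABET, 8),
        "22 mixed chars (bits)": twenty_two_mixed,
        "12 words from 2048 (bits)": bits_for_words(XKCD_DICTIONARY, 12),
        "words needed to match 22 mixed chars": words_to_match(XKCD_DICTIONARY, twenty_two_mixed),
        "4 words at online rate (years)": expected_years(passphrase, ONLINE_RATE),
        "4 words at offline rate (years)": expected_years(passphrase, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for label, value in report().items():
        print(f"{label:40s} {value:,.3f}")
```

    Two things the numbers make visible: 12 words come out at 132 bits against about 133 for the 22 mixed characters, so the post's rounded equivalence holds (a strict match needs 13 words), and the same 44-bit passphrase goes from centuries at the online rate to hours at the offline rate, which is the whole case for stretching verification rather than relying on length alone. The figures assume every word or character is chosen uniformly at random; a passphrase built from favourite words has less entropy than the list size suggests.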
    Take a bow, Mr. Burr. It's not that your guidelines don't work; it's just that technology razes everything in its path, and most humans are terrible at remembering anything that is unfamiliar and beyond a certain length.


    Related Articles and Sites:
    https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
    http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987