
AlertBoot Endpoint Security

  • Hard Drive Encryption Will Be Defeated By Post-Its

    Or any other form of note that will stick to the computer.  UK government workers may want to keep that in mind: An internal memo has been passed around, acknowledging that the Department for Work and Pensions (DWP) has been effectively providing a way to breach their own security procedures:

     

    From politics.co.uk:

     

    “I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07.

    “However, once the data and the separate password are received, staff are then forwarding the data and password on together. This defeats the purpose of the security measure entirely.”

     

    And how.  Perhaps it’s just a matter of educating people about how protection measures work in the digital age.  Data security solutions like full disk encryption from AlertBoot are very secure.  They work by scrambling the original data so that no one can make sense of it.  The effect is very hard to reverse because there are too many ways that could have been used to scramble the data in the first place.

     

    Imagine, if you will, that Moby Dick was written on glass by etching the words with a needle, aided by a powerful microscope.  Then, you take a hammer and pulverize the glass, so that all the letters (not words) are in a jumbled pile.  Cracking modern encryption methods would be like piecing the glass‑novel back so you can read it.  It could be done.  It’d also take forever.  Plus, in your quest to piece things together, you would encounter those instances where you’ve used up every single letter except one—say a “z”—but every single sentence makes sense.  That one “z,” though, is an implication that you probably haven’t gotten it right.

     

    Of course, the point of data encryption is not only to protect the data; one also wants to be able to piece it back together—assuming that it’s the person who should have access to the data.  This is easily done in digital encryption.  The data is pieced back by supplying the correct password (or in the case of AlertBoot, two passwords: the username and the password).

     

    And this is why you don’t keep your passwords near your computer.  Not on a Post‑it.  Not taped to the bottom of the keyboard.  Not on your monitor.  Not…you get the idea.  If your organization is going to (or has to) secure its digital assets and is planning on using full disk encryption, make sure people understand the consequences of their actions.

  • Full Disk Encryption Not Present On Saks Fifth Avenue Stolen Laptops

    Saks Fifth Avenue, one of the premier names when it comes to shopping, has filed a letter with the Attorney General of New Hampshire, notifying them of an information security incident.  In April, four company laptops were stolen, two of them with sensitive information.

     

    The sensitive information included names, addresses, and credit card numbers.  Expiration dates, PIN numbers, passwords, codes and other sensitive data were not included (as they shouldn’t have been, since it would run counter to PCI-DSS rules, which state such information should not be stored, including credit card numbers).  The letter mentions the laptops had password‑protection, but there is no mention of any kind of encryption, be it hard drive encryption or file encryption.

     

    Because the lost information is limited in its sensitivity, Saks believes that there is a very low risk of identity theft or credit card fraud.  Regardless, they have alerted their customers about the incident and asked them to be on the lookout for irregular credit card activity.  There was no offer of the standard one‑year (increasingly, two‑year) credit monitoring program that other companies in similar situations tend to provide.  In many ways, this is logical but unusual: if you don’t think there’s going to be credit card fraud, why offer such services?  It sends mixed messages to customers.  If I were a customer of Saks, though, I’d feel cheated under the guise of “well, everyone else is offering it….”

     

    But is the risk of credit card fraud or identity theft really low?  Well, yes. (And, chances are the layperson would interpret that to mean “there is no risk of any type of crime.”)  The truth is, though, that risk really depends on how astute these thieves happen to be, not on the (extremely) limited data safety precautions Saks had on those laptops.

     

    For example, most on‑line stores, when processing payment for a purchase, now require not only the credit card number and expiration date, but the CSC code as well, which is generally not recorded (and wasn’t, in the Saks incident).  However, not all stores require it.  So, what the criminals have to do is start looking for on‑line stores not requiring CSC codes.  Also, the use of CSC codes is not as actively encouraged overseas, so another method of getting around this obstacle is to sell the information to foreign buyers of such stolen data.

     

    The lack of expiration dates arguably poses a bigger problem, albeit not a complicated one: just try different combinations of dates and months.  The maximum “valid thru” date is usually capped at five years from the date of issuance, so there’s at most a total of sixty combinations one has to run through for each card.

     

    And last but not least, names and addresses may appear as bits of innocuous information; they’re easily available in the white pages, for example.  Hence, the argument goes, this is not data that can be used for perpetrating crime.  However, this kind of thinking is a fallacy because one forgets to put it in context.  Names in the white pages are meaningless only if nothing else is known about the person or the address itself.  If I add more information on top of that, it exponentially increases the type of scams and different approaches to scamming people.  In the Saks case, the thieves would know the names, addresses, and the fact that these people shop at Saks.  Would it be too much of a chore to create a fake letter from Saks Fifth Avenue stationery (counterfeit as well) asking people to call a number since their credit card, as shown in the letter, has been compromised?  The courteous “customer service representative” will guide them through the process of doing…whatever it is they have to do.

     

    Furthermore, the above example could be used to further glean information from the victims.  “To confirm that you are Bob Smith, could you please tell me your mother’s maiden name?”  Now they’ve got your mother’s maiden name, your name, and your address.  And they know you shop at Saks.  Plus, if they have caller ID, they’ve got your phone number.

     

    Yeah, Saks is right in saying that the stolen data represents a low probability of it being used, as is, for fraud.  However, there is nothing preventing the thieves from being creative in their criminal endeavors.  And the seminal incident that could potentially lead to the above scenario?  If you guessed the theft of laptops, you’re halfway there.  If you wanted a gold star, however, you would have answered “lack of data security solutions.”

     

    A stolen laptop is no good for committing fraud if the information on it cannot be accessed.  Password‑protection could be a deterrent (or not), just like pepper spray could be a deterrent to a bank heist (probably not).  There is a reason why the Federal Reserve Banks arm their guards with automatic weapons instead of cans of pepper spray: the need for real protection.

     

    Real protection when it comes to data at rest—as well as for data in motion, now that I think about it—comes in the form of encryption.  There are generally two different ways of encrypting such data: full disk encryption and file encryption, both available from AlertBoot.

  • Musician Peter Gabriel Shows Us The Need For Full Disk Encryption

    Peter Gabriel shows, albeit indirectly and unwittingly, why one needs full disk encryption if data security is the ultimate objective.  Gabriel’s servers that powered his website—hosted at a data center—were stolen.  This affects more than a website with a litany of Gabriel’s accomplishments.  I’ve never been to the site before, and it’s not operating at 100%, obviously, but a look at the temporary stand‑in makes it apparent the stolen servers were at the center for getting all things Gabriel‑related, including the sale of music and concert tickets.

     

    Break-ins into data centers are nothing new.  I’ve heard the entire gamut, from people strolling in while waving at the guard (and the guard waving back, which is why I dropped the word “security” from “security guard”) to using chainsaws and going through the walls, literally.  Break‑ins of any kind are not common when it comes to data centers, especially if the facility was built with security in mind—RFID key cards, locked spaces with bullet‑proof glass built for identity checks, and guys with semi‑automatic weapons.  But, it does happen once in a while (and, lately, it seems, with growing frequency).  And, of course, if a server is stolen, all the data in it is stolen as well, and available for the perps to use.

     

    Or is it?  The digital world is an odd one, and what’s true for the physical world does not always translate to the digital world.  If a file cabinet full of top secret documents gets stolen, all that information is stolen as well.  The thief will have easy access to the documents.  Even if the cabinet were locked, one could rip the walls of the cabinet to get to the contents.  In the physical world, theft can easily result in an information breach.

     

    Likewise, the physical theft of a server with digital information can result in an information breach.  Sure, one can set up password protection, but the equivalent of “ripping the walls” to get to the data exists in the digital world as well.  However, the digital world offers ways to protect information when it’s stolen so that it doesn’t fall into the wrong hands.  This method of protection is called encryption, and generally comes in two forms: full disk encryption and file encryption.

     

    The latter has a physical counterpart as well.  File encryption, basically speaking, is just substituting one character for another via a particular set of rules.  If you’ve ever come across a paper document full of gibberish, you’ve probably come across a document whose contents are encrypted (or, someone’s master’s thesis in electrical engineering).

     

    Full disk encryption, on the other hand, doesn’t have a physical counterpart.  Like file encryption, it uses rules of substitution, changing each bit found on the hard drive itself; however, the actual file is not encrypted if you use full disk encryption.  For example, if you e-mail a file that’s found on a hard drive with full disk encryption, the file can be read by the recipient without any problems.  If you send him a file that was protected with file encryption, he’ll require a key to unscramble the contents of the file.

     

    The closest thing that full disk encryption comes to resembling in the physical world is really thick walls on a file cabinet, since the contents in the file cabinet don’t change.  Really thick walls.  I mean, we’re talking a thickness that’s incomprehensible.  Like a safe whose walls have the thickness of Indiana. (You think driving across Indiana took forever, eh?  Try blowing up or drilling through a wall the thickness of Indiana.  Yep, that’d be a pretty secure cabinet.)

     

    Both forms of securing your digital assets are available from AlertBoot.  The idea is to use them together as complementary solutions and enhance security.  After all, you don’t necessarily have to choose between an armed guard and a safe.  You do have the option of using both for security purposes.  Or, just use one or the other—just make sure you understand what your data security requirements are prior to making a decision.

  • Full Disk Encryption Sometimes Better Than Full Disk Destruction

    Can a hard disk survive a fall of over 100,000 feet?  No, but the data can be extracted from its remains.  That’s how scientists were able to find that xenon gas changes to a liquid when stirred under very low gravity.

     

    It’s under no ordinary circumstances that a hard disk can fall 100,000 feet.  The disk in question was on board the ill-fated Columbia space shuttle, which disintegrated on re‑entry into earth in 2003.  And, as one would expect for anything that re‑enters into earth without the usual protection of wings, parachutes, and heat‑proof coatings, the hard drive was found cracked and burnt.  Specialists were able to extract 90% of the data, though.

     

    Kind of surprising?  After all, most people’s experience with falling hard disks generally involves a drop from waist height or lower, and it’s kind of hard to get any data from them at all; one imagines a drop from space would make it slightly harder.  The above data retrieval is testament that you can do anything if you have the money.

     

    From an engineering perspective, however, the above is not unusual or amazing.  Usually, when you and I drop a laptop or an external hard drive, it’s broken because the intricate machinery that composes the whole of the disk drive is out of synch.  However, the data recorded on the hard drive’s platters is still there. (If you weren’t aware, there’s a bunch of disks inside a hard drive.  That’s why they’re often called a hard disk.)  Unless the drive with the xenon data had fallen near a refrigerator magnet, the information is still in place.  Only the total annihilation of these platters would have prevented specialists from reading the data, like melting them into an amorphous mass.

     

    This is something one should keep in mind when getting rid of old equipment like computers.  A lot of people think that “deleting” the data or formatting the disk will get rid of the existing data.  This is not so; such actions merely remove the method for computers to locate data without disturbing the data itself.  It’s like poking a librarian’s eyes out during your first time to a foreign library: she can’t find the books you want, but the books are still there.  Now you’re stuck trying to find the books.  Some effort, time, and a couple of clues will help you in finding those books.

     

    Savvy computer users will know this and physically attempt to destroy their drives.  One of the time‑honored ways of doing so is using a refrigerator magnet; however, this, too, is not as reliable as the amorphous mass technique.  Some use a drill to poke holes through the platters.  This is pretty effective, but there is no guarantee that information on the unaffected parts of the platter will remain unread by someone hell‑bent on extracting data.  These disks are pretty resilient.  Unless you’re willing to spend $100 or more to pulverize a disk, your best option may be full disk encryption, like AlertBoot.

     

    Plus, the beauty of full disk encryption is that it’s a form of data protection that is perfectly good while the disk is in use as well as when you decide to ditch it.
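An added example, not from the original post or from AlertBoot: a toy disk in Python showing why the "delete" described above leaves a record recoverable by a raw scan, while overwriting it or storing it encrypted does not. The `ToyDisk` class, the `carve` function, the sample record and the SHA-256 keystream (a stand-in for a real disk cipher) are all constructed for illustration.

```python
import hashlib

BLOCK = 32  # bytes per block; equals the SHA-256 digest size used below
SAMPLE = b"CUSTOMER:constructed-record-0001"  # constructed sample record

class ToyDisk:
    """Flat byte array plus a directory mapping names to (offset, length)."""

    def __init__(self, blocks=16, key=None):
        self.raw = bytearray(blocks * BLOCK)
        self.directory = {}
        self.next_free = 0
        self.key = key  # None: bytes are stored in the clear

    def _xor(self, offset, data):
        # Keystream = SHA-256(key || block number), a stand-in for a real disk cipher.
        if self.key is None:
            return bytes(data)
        out = bytearray()
        for i, byte in enumerate(data):
            pos = offset + i
            pad = hashlib.sha256(self.key + (pos // BLOCK).to_bytes(8, "big")).digest()
            out.append(byte ^ pad[pos % BLOCK])
        return bytes(out)

    def write_file(self, name, data):
        offset = self.next_free
        self.raw[offset:offset + len(data)] = self._xor(offset, data)
        self.directory[name] = (offset, len(data))
        self.next_free = offset + -(-len(data) // BLOCK) * BLOCK  # round up

    def read_file(self, name):
        offset, length = self.directory[name]
        return self._xor(offset, self.raw[offset:offset + length])

    def quick_delete(self, name):
        del self.directory[name]  # only the index entry goes; bytes remain

    def wipe_delete(self, name):
        offset, length = self.directory.pop(name)
        self.raw[offset:offset + length] = bytes(length)  # overwrite with zeros

def carve(raw, marker=b"CUSTOMER:"):
    """Scan the raw bytes for a known marker, ignoring the directory."""
    hits, start = [], raw.find(marker)
    while start != -1:
        end = raw.find(b"\x00", start)
        hits.append(bytes(raw[start:end if end != -1 else len(raw)]))
        start = raw.find(marker, start + 1)
    return hits

def scenario(key=None, wipe=False):
    """Store a record, delete it, then return what a raw scan still finds."""
    disk = ToyDisk(key=key)
    disk.write_file("notes.txt", b"nothing sensitive here")
    disk.write_file("clients.txt", SAMPLE)
    assert disk.read_file("clients.txt") == SAMPLE  # owner can still read it
    (disk.wipe_delete if wipe else disk.quick_delete)("clients.txt")
    return carve(disk.raw)

if __name__ == "__main__":
    for kwargs in ({}, {"wipe": True}, {"key": b"constructed-demo-key"}):
        print(kwargs, "->", scenario(**kwargs))
```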

  • Hard Drive Encryption Not Enough To Protect HSBC’s Lost Server?

    Banking giant HSBC is in the news again.  This time, the bank has lost a computer server from the Kwun Tong branch, located in Hong Kong.  Sometimes, having a huge international footprint just means having more problems.  If you’ll recall, HSBC had announced last month that they had a data breach in the UK, when a disk with details of 370,000 customers went missing.

     

    The lost server contained the data of 159,000 customers, and unlike the incident with the disk, customers should be worried about this particular incident.  According to The Standard, a Hong Kong publication, the data in the lost server contains names, account numbers, and transaction records.  The last could be used to zero-in on high value customers and attempt some kind of spear‑phishing type of scam, I reckon.

     

    The bank has stated that the chances of a data breach are minimal, since the “server is protected by multiple layers of security which are regularly reviewed.”  No further details on security were given.  The government is encouraging HSBC to release more details in order to further reassure the public.

     

    One thing that caught my attention in the article was the following quote:

     

    Internet Society chairman Charles Mok Nai-kwong said even though the server has been encrypted, there may still be ways to access the data.

    "I do not know how advanced the system is or the skill of those who want to access the data. But if the server goes to the police, they will have ways to get the data," Mok said. [all emphases are mine]

    Huh.  Really?  How did this guy know the server was encrypted?  And, apparently, the NSA should outsource some of their work to the HK police.  These guys are like, super cops.  No wonder Jackie Chan took on the role of a HK police officer when he starred in the movie…SuperCop.  Three times.

     

    Maybe there were translation issues when the article was written.  I’ll tell you this much, though.  If the above quote is true and the HK police can easily break the encryption on HSBC’s servers, the bank must have teamed up with the worst data security company this side of the Mississippi.

     

    The point of having full disk encryption is to prevent anyone not holding the passwords from getting to the data.  If the police can get into it, chances are others can, too, and this defeats the purpose of having encryption.  One could argue, well, perhaps the HK government requires a backdoor be installed on any encryption products used in Hong Kong, and only the police know about it.  Again, that becomes a security risk.  The best encryption software does not have backdoors—and people tend to migrate away from such products if a backdoor is found.

     

    Consider AlertBoot, for example.  It offers a number of different encryption algorithms at different strengths (RSA, AES; 128-bit vs. 256-bit or higher; etc.) that are considered by experts to be the encryption standards of this day.  Plus, try as they may have, the experts haven’t been able to find a *** on these encryption methods, including backdoors.  I don’t know what Mr. Mok knows, but if HSBC had gone with AlertBoot, he wouldn’t have offered that statement.

  • Full Disk Encryption Not Present In Northern Trust Bank Computer Theft

    An employee for Northern Trust Bank was caught selling electronic office equipment on eBay, as well as putting them up at pawnshops and selling them to his own colleagues at the bank.  The thefts occurred between May 2005 and Nov 2006, when he was arrested.  Most of the equipment that was stolen consisted of computers and peripherals, such as laptops, desktops, LCD monitors, and printers.

     

    Bank management became aware of the thefts when 12 laptop computers went missing.  An investigation following the theft of the laptops revealed the true extent of the misdeeds.  The above story highlights two things to keep in mind when practicing data security.

     

    First, size does not matter when theft is the purpose; anything is fair game.  A lot of people seem to forget this when an actual crime occurs.  Too many people raise hell over sensitive information being stored on a laptop computer, for example.  They’ll point out that laptop computers are designed for mobility.  I’d like to point out, so are desktop computers.  I mean, have you seen what IBM used to sell prior to the invention of the desktop computer?  Desktops were not designed with convenience of mobility in mind, but they certainly don’t require a tow truck.  Those machines were designed so an average joe could pick it up and move it about.  If your information security manager is relying on a computer’s form factor as a security measure, I’ve got news for you: you’ve got a terrible security manager.  Unless you happen to reside in a community of skinny‑armed Buddhist monks who live on a supercharged grain of rice a day, that is.

     

    Plus, plenty of people are using laptop computers as desktop replacements nowadays, meaning “laptop” does not always equal mobility.  I can point towards my own ThinkPad as proof.  And for those who would continue to argue that they’re easier to steal, give me a break: if a thief is already within the security perimeters of a building, he can steal whatever he wants.  Reiterating my point, size does not matter.  It’s this obsession with size that prevents people from seeing the big picture: in the digital age, you’ve got new methods of protecting what’s really important, like hard drive encryption to ensure that a physical act (theft) can’t affect your metaphysical assets (your client data.  You’ll want backups, obviously).

     

    The second thing to keep in mind is, you need to perform audits regularly and ensure that they’re performed by a neutral party.  For a bank, filled with management types inculcated in viewing the world in terms of profit and loss as well as risk management, it’s hard to understand that they have gone an entire year without realizing that stuff was missing—a sure sign that audits are not being performed by the bank.  If they only spent as much time on their inventory as they would on ensuring the accuracy of balance sheets...  I’m sure that it didn’t help that the person committing the crime was also the bank’s computer information technician.

     

    There are products that were built with the above two points in mind.  AlertBoot, for example, not only allows one to encrypt and manage thousands of computers from a central console.  It also features powerful reporting so that audits can be performed on the encryption status of each computer and control user access to each machine.  This way, if problems do arise, those in charge of security can act ASAP and lower the risks of an information breach.
