AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

  • Discontinued TrueCrypt Full Disk Encryption Shows Vulnerabilities

    Usually, the end of life for a software solution tends to be its death knell. It may resurface years later in the popular media, usually on a specific anniversary: its 20th year since making its initial splash, its 30th year since it stopped selling, etc. TrueCrypt, the celebrated full disk encryption solution, appears to be an exception to the rule. It was officially discontinued last year, and yet it's been showing up in the news more than ever before.
    Earlier this month, it was revealed that TrueCrypt has a vulnerability that "allows [a] full system compromise" on Windows machines. In a sense, it's not a vulnerability with TrueCrypt itself. A top-to-bottom analysis of the encryption solution's code that finished earlier this year showed it to be remarkably robust. "Remarkably," because TrueCrypt's provenance was and remains unknown. During the time it was being supported, plenty of people wouldn't use the disk encryption solution for this reason alone: who knew what devious schemes or unintended vulnerabilities lay hidden within its code?
    The 2015 review of the code assuaged those fears. And yet, here we are, six months later.  

    Elevation of Privileges

    More specifically, the problem that was unearthed relates to the Windows drivers used by TrueCrypt. Whether this is truly a problem with TrueCrypt or not appears to be of some debate. But there's no question that it introduces vulnerabilities to TrueCrypt's effectiveness in keeping data secure. Or that any fixes would have to come from TrueCrypt (a fork of the disk encryption solution, called VeraCrypt, has already provided patches to fix the problem).
    Whether similar problems exist with the Mac version of TrueCrypt is unknown.  

    It Takes More than a Village

    Of course, the latest findings open up a can of worms. Knowing that TrueCrypt had already passed a quite comprehensive review, and that the vulnerabilities were found less than a year later, what other problems reside within the solution's code? Possibly none, although that's quite unlikely.
    As the discoverer of the flaw noted, Windows drivers are complex. Missing the flaw during the original review is understandable. Plus, let us not forget that complexity imbues any code that is worth its salt; there's no escaping it, really, whether it's TrueCrypt or some other program.
    There is, then, an argument to be made for disk encryption solutions that are sold (yes, for money), where a company with financial means can bring together people whose skills cover a wide array of expertise. TrueCrypt was, supposedly, created and maintained by a handful of developers in their spare time. TrueCrypt's power, and the fact that it is surprisingly free of problems, do credit to these developers' skills and expertise. But they, too, must have limits to what they can tackle. The counterargument, of course, is that the code was open for inspection by anyone, so the potential number of eyeballs looking over it was many factors higher than the resources a company can allocate to the same task.
    And yet, there's no escaping that a comprehensive review was only carried out ten years after the solution saw daylight, or that the latest flaw was discovered after the product was off the market. Or that a fix won't be forthcoming, at least not for the original TrueCrypt.
    For all the grumblings one hears, there is something to be said about a full disk encryption solution that undergoes FIPS 140-2 validation, is proactively supported, and is constantly tested.  
  • Courts Concrete FTC As Nation's Cyber Supercop

    That the Federal Trade Commission (FTC) has court-approved authority to bring legal action against companies embroiled in data breaches is old news by now. Of course, when you consider that the FTC has been suing companies over data breaches since 2005, and has over 40 such cases under its belt to date, this doesn't sound like groundbreaking news. Indeed, for all intents and purposes, everyone appeared to accept that the FTC should be playing cybercop.  

    It's a Bold Move

    Everyone, that is, except Wyndham Worldwide Corporation, a hotel and resorts company. After being sued by the FTC – how could they not? Wyndham had experienced three data breaches over two years; let's face it, that's up there as data breaches go – the company argued that the FTC did not have the authority to bring legal actions against companies for data breaches.

    Last month, the courts declared otherwise. The Third US Circuit Court of Appeals sided with the FTC and declared that the Commission did indeed have the right (some might even say the duty) to go after companies that were remiss in protecting customers' sensitive data. Wyndham begs to differ (my emphasis):

    "While we are disappointed by today's opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security," Michael Valentino, a spokesperson for Wyndham Worldwide, told BuzzFeed News.
    I guess Wyndham could try to get an opinion from the US Supreme Court. If anything, Wyndham cannot be accused of not having enough panache. I'll bet their hotels are excellent.  

    Where's the Beef?

    One of the arguments that Wyndham made, and will probably make once they're back in the lower courts (they still have to defend themselves against the FTC's accusations), is that the FTC didn't make clear what comprised the level of security it was looking for. It turns out that it may be a moot point: according to the FTC accusations, which the court made a point to draw attention to, Wyndham was being sued because it did not have certain security in place, never mind the level of security:
    the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, … did not restrict specific IP addresses at all, … did not use any encryption for certain customer files, … and did not require some users to change their default or factory-setting passwords at all.
    Think of it this way: if a friend asks you to pick up some beer at the store, there's a heck of a difference between saying,
    • hey, I didn't know what kind you liked, so I got this (nice. It's the thought that counts)
    • hey, I didn't know what kind you liked, so I got all of these different ones (generous, although there's a chance you missed the mark)
    • hey, I didn't know what kind you liked, so I didn't get you any (no need to comment, I imagine)

    Likewise, the complaint Wyndham is throwing around about security levels is a deflated one if the FTC is right.

    The court also pointed out that FTC action was brought against a different company in the past for essentially the same issues Wyndham was being accused of. It goes without saying that if one company was sued because of certain security shortcomings, then a different company would also be sued for the same.

    Also, consider that (a) there was a period of 6 years between Wyndham and the company given as an example, meaning the former had more than adequate time to put something in place and (b) Wyndham had been hacked three times in two years. Three times!

    Furthermore, if the accusation holds, Wyndham's three data breaches were essentially more of the same: if shortcomings were shored up after the first breach, the second and third data breaches could very well not have taken place.  

    Fair Notice of Proposed Standards for Data Security

    Among all the untenable things that Wyndham has proclaimed, there is one salient truth: the FTC has never issued guidance on what cybersecurity measures are considered reasonable. It could be argued that Wyndham failed to use and to implement specific data security and protection measures and policies because such guidance was lacking. There is no denying that the dissemination of an official to-do list would make it easier to adhere to best practices.

    The thing is, there are plenty of companies around the size of Wyndham that are doing an excellent job of protecting customer data – or at least, meeting the lowest possible acceptable standards – despite the lack of a data security guideline from the FTC.

    (Wyndham ranked #497 in the 2015 Fortune 500 list, in case you're wondering whether the company has the financial wherewithal to properly secure data.)

    True, many companies in the Fortune 500 tend to be in the technology sector, making things a little bit easier for them. But, Wyndham being in the hospitality business is not much of a defense: they can always hire consultants. Chances are, they already have, currently do, and will continue to do so. After all, someone in the tech sector has to set up and run their global POS network, customer loyalty tracking software, global CRM, etc. The argument that Wyndham didn't have the proper data security and technology in place because, simply put, they didn't know what to use, is a shallow one and an impermissible one at that.

    The argument seems even less believable when you consider that there are many laws and industry regulations and agreements geared towards preventing the types of blunders that Wyndham is accused of engaging in. It's the 2010s; one does not simply argue that they failed to properly secure their network because there were no guidelines.



  • Ashley Madison Passwords Easy To Crack After All

    Ah, Ashley Madison. Even as one tries to move away from it to other issues, new problems surface like toxic malaise at a swamp: fraudulent $19 data scrubbings, men being conned by bots, some of the weakest passwords known to mankind securing their servers, an ex-CTO who supposedly hacked the competition… Michael Corleone, I get you now.

    Remember how, at the beginning, despite everything that happened, Ashley Madison was given something of a tentative kudos for using bcrypt to secure their clients' passwords? The hashing algorithm that hinders brute-force hacking, and thus the unauthorized recovery, of passwords?  

    Congratulations Released Prematurely

    Well, according to Ars Technica, a team of crypto-cracking enthusiasts has found that the Ashley Madison passwords – released into the internet on August 18, along with internal emails and other data – were not strongly secured when you really get down to it. Yes, bcrypt was used. Yes, bcrypt is one of the better ways to secure passwords against brute-forcing. But it became a moot point (from
    CynoSure Prime…an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers.
    Digging into emails, the hobbyist hackers discovered that prior to June 14 of 2012, MD5 was used to secure passwords. It was only after this date that bcrypt was used. Furthermore, it turns out that Ashley Madison's engineers converted passwords to lowercase before creating and storing the MD5 hashes, which could indicate that Ashley Madison's customers may not have been as irresponsible when creating their passwords. For what it's worth, pasSworD is nominally more secure than password, but there's no way for us to know now if potential philanderers were cognizant of this detail. Incidentally, this is not the first time that I've run across a company transforming customers' passwords into less secure versions of themselves. Amazon, for example, supposedly was truncating and capitalizing passwords in the past. What are the ramifications when passwords are transmogrified in this manner? Again, from
    If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault
    In other words, because the MD5 hashes covered a subset of the same passwords that were also bcrypt-hashed, the MD5 hashes were attacked, since that was much easier to do, in order to recover the passwords behind the bcrypt hashes. It should be noted that this means only a subset of the passwords were easily compromised (if you can call 15 million out of 36 million a subset; it certainly is, but so is 36 million out of 36 million). As a client, if you signed up after June 2012, the assumption is that your password is still safe, assuming you didn't pick a weak one.
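    The failure described above, as an added example that is not part of the original post and not Ashley Madison's code: a fast, unsalted MD5 over a case-folded password stored next to a slow hash makes the slow hash pointless, because the fast one gives the same answer for a fraction of the work and a fraction of the keyspace. The function and field names (legacy_loginkey, hardened_record, verify) are hypothetical, the MD5-over-lowercase formula is a reconstruction of the pattern the post describes rather than the real $loginkey, and PBKDF2-HMAC-SHA256 stands in for bcrypt because Python's standard library has no bcrypt.

```python
# Added example: weak "login key" pattern beside a hardened password record.
# Not from the original post or from Ashley Madison's code; names are hypothetical.
import hashlib
import hmac
import os

LOWERCASE_ALPHABET = 26   # letters available after case-folding
MIXED_CASE_ALPHABET = 52  # letters available when case is preserved


def legacy_loginkey(password):
    """Hypothetical reconstruction of the weak pattern: unsalted MD5 over the
    lowercased password. Every case variant of a password collapses to one key."""
    return hashlib.md5(password.lower().encode("utf-8")).hexdigest()


def keyspace_reduction(length):
    """Factor by which case-folding shrinks a letters-only keyspace of this length."""
    return (MIXED_CASE_ALPHABET ** length) // (LOWERCASE_ALPHABET ** length)


def distinct_legacy_keys(passwords):
    """How many distinct legacy keys a list of passwords produces; fewer than
    len(passwords) means the storage format threw information away."""
    return len({legacy_loginkey(p) for p in passwords})


def hardened_record(password, iterations=600_000):
    """Salted slow hash (PBKDF2-HMAC-SHA256 standing in for bcrypt); the exact
    password bytes are hashed, so case is preserved and each record has its own salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record, candidate):
    """Recompute the slow hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: case variants of one password plus one genuinely different one.
    sample = ["password", "Password", "PASSWORD", "pasSworD", "passw0rd"]
    print("legacy keys:", distinct_legacy_keys(sample), "distinct out of", len(sample))
    print("8-letter keyspace shrinks by a factor of", keyspace_reduction(8))
    rec = hardened_record("pasSworD")
    print("hardened verify pasSworD:", verify(rec, "pasSworD"))
    print("hardened verify password:", verify(rec, "password"))
```

    The point of the audit is the first number: if a storage format maps several user-chosen passwords onto one stored value, the slow hash next to it protects nothing, because whoever recovers the preimage of the fast value has the password that the slow hash was guarding.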

    What Happened in 2012?

    "[Ashley Madison's] parent company Avid Life Media was at risk of a security breach," predicted the company's CTO in 2012. This was a comment, according to, on the Grindr hack of January 2012. He also wrote (from

    "With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn't focus on it either," the company's founding CTO Raja Bhatia wrote at the beginning of 2012. "I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials.

    Could this have been the impetus behind the switch to bcrypt from MD5 - a bungled one, obviously? If so, perhaps the criticism that they weren't interested in security at all should be curtailed a bit. Naturally, all other criticisms are still valid.


  • Password Security: Ashley Madison Patrons Had Terrible Passwords

    Last week, reported that 4000 cracked passwords belonging to Ashley Madison customers were "awful," security-wise. The site went on to conclude that:
    It's understandable for users to be frustrated with Ashley Madison for failing to protect their data. But when customers are choosing passwords that could probably just be guessed, they need to take some responsibility for their own security.
    How bad were these passwords? Well, the usual suspects did make an appearance: 12345, password, abc123, etc. – the type of passwords data security professionals worth their salt would cry over. You can see the list by visiting Notice anything unusual about the three passwords I've listed?

    Password Requirements Like It's 1999

    One of the things that immediately came to my attention was the password length. Over the past five years or so, security researchers have published papers showing that short passwords are worthless. The last time I checked, an adequate password (in this case, "adequate" is being used in its pejorative sense) was around 15 characters long.

    When looking at the cracked Ashley Madison passwords, there is more than a handful of passwords that are only 5 characters long. Plus, many of them were straight up numbers like 12345. No letters, no special characters, etc.

    I thought it odd, so I visited the Ashley Madison site to see what type of password requirements they had for wannabe adulterers and adultery-enablers. In essence, they had no requirements. Passwords have to have at least 5 characters. They max out at 28 characters. There appear to be no requirements for mixing numbers, letters, capitalization, and special characters. Just make sure they're 5 characters long. That's all.

    In light of this, I find it amazing that, of the list of nearly 4000 cracked passwords, only 417 passwords were 5 characters long:


    Password length     1     2     3     4     5     6     7     8     9    10    11    12
    Instances found     9     0     0     1   417  1859   804   696   157    36     6     0


    Let's face it, this doesn't mean that Ashley Madison clients were, ahem, "security conscious." The popularity for passwords longer than the bare minimum could be explained by other factors, such as most words being longer than 5 characters (I don't know if this is factual; I'm just floating it as a possibility).

    But I did notice that a subset of the passwords were non-words like 12345. So, I went through the list and fished out the ones that were numbers-only or nonsensical (like zxcvbnm).


    Password length     1     2     3     4     5     6     7     8     9    10    11    12
    Instances found     9     0     0     1   153   453    48    61    36     8     2     0


    As you can see, even when a person is making up a password from scratch, it tends to be longer than 5 characters in length. Why? Some of it is, no doubt, because of the keyboard layout. For example, zxcvbnm represents the lower row for a QWERTY keyboard layout. Likewise, qwertyuiop and 1234567890 represent the upper rows. But, this fails to explain passwords like 1111111111 (that's 10 ones).

    I can only conclude that people are using passwords that are longer than the required minimum because all the chatter about data security and passwords is finally sinking in. This is something we should be happy about.

    Still, password length is not the end all, be all of password security. When it comes to passwords, even more important than length is variety. There is a reason why most websites will require a user to pick a password that is at least 6 characters in length and uses a mix of upper and lower case letters, numbers, and special characters.

    Some will even go as far as check that the email handle is not used as part of the password. Which, unsurprisingly, wasn't part of Ashley Madison's password requirements. One of the commentators at was doing his own research on the breached passwords, and he posted 18,000 instances where the passwords were an exact match to the email address.

    When you consider all the rudimentary things Ashley Madison did not require of their clients' passwords, I'm not sure if I can agree with's assessment that "customers [who] are choosing passwords that could probably just be guessed…need to take some responsibility for their own security."

    Rightly or wrongly, people are going to opt for the least hassle when it comes to passwords. We know that this is true; this is why websites put up password requirements. The lack of such requirements is enough to make me wonder if Ashley Madison was taking security seriously.
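    The two policies discussed above, as an added example that is not part of the original post: the permissive rule the post describes for Ashley Madison (5 to 28 characters and nothing else) beside a stricter one that checks length, character-class mix, the email-handle rule the post says other sites apply, and single-character repeats like 1111111111. The password list is a constructed sample modelled on the password types the post names, the example.com addresses are made up, and the function names (permissive_policy, strict_policy, length_histogram) are hypothetical. The histogram function reproduces the shape of the two length tables in the post.

```python
# Added example: permissive vs. strict password policy over a constructed sample.
# Not from the original post; names and sample data are hypothetical.
import string
from collections import Counter

# Constructed sample: (password, email) pairs modelled on the types the post names.
SAMPLE = [
    ("12345", "alice@example.com"),
    ("password", "bob@example.com"),
    ("abc123", "carol@example.com"),
    ("zxcvbnm", "dave@example.com"),           # bottom row of a QWERTY keyboard
    ("1111111111", "erin@example.com"),        # ten ones
    ("frank", "frank@example.com"),            # password equals the email handle
    ("Correct-Horse-Battery-9", "gina@example.com"),
]


def permissive_policy(password):
    """The rule the post describes: 5 to 28 characters, no other requirement."""
    return 5 <= len(password) <= 28


def strict_policy(password, email, min_length=15):
    """Returns a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    handle = email.split("@")[0].lower()
    if handle and handle in password.lower():
        problems.append("contains the email handle")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    return problems


def length_histogram(passwords):
    """Instances found per password length, from 1 up to the longest seen."""
    counts = Counter(len(p) for p in passwords)
    longest = max(counts) if counts else 0
    return {n: counts.get(n, 0) for n in range(1, longest + 1)}


def evaluate(sample):
    """Run both policies over (password, email) pairs; keyed by password."""
    return {
        pw: {"permissive": permissive_policy(pw), "strict": strict_policy(pw, em)}
        for pw, em in sample
    }


if __name__ == "__main__":
    for pw, verdict in evaluate(SAMPLE).items():
        print("%-25s permissive=%-5s strict=%s" % (pw, verdict["permissive"], verdict["strict"] or "ok"))
    print(length_histogram([pw for pw, _ in SAMPLE]))
```

    Every entry in the sample clears the permissive rule, which is the post's point: a minimum of five characters with no other constraint accepts keyboard walks, all-digit strings, and the user's own email handle.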

    Fault's on Ashley Madison, Not the Users

    Of course, now that we know that the company set up a bunch of bots to lure men into paying for full access to the site; that pass1234 gave the hackers full access to the company's servers; that the $19 charge for completely deleting a user's data from their servers was less than effective, and possibly fraudulent; and a bunch of other accusations… well, it's obvious that security – or running a legitimate business – was probably not at the top of Ashley Madison's to-do list.

    Indeed, it makes me wonder whether their use of bcrypt to hash passwords was a fluke. Bcrypt is supposedly one of the best methods for hashing passwords because it's slower than other hashing algorithms (slow is good when it comes to password hashes: it limits how many guesses can be tested per second against the stolen hashes. With bcrypt, an attacker would recover one password in the time a fast hash would already have given up 100).

    Of course, in this light, the users can be faulted for their own security, as the use of weak passwords means that they've also potentially compromised the security at other websites…assuming they've been reusing their passwords, which is very highly probable.

    Ultimately, though, a data breach is a matter of "when" and not "if." If you value not being associated with a site like Ashley Madison, the only winning move is not to play.



  • I Can't Believe People Are Trying To Erase Themselves From The A. Madison Hack

    One of the things you quickly learn when you work for a data security company is that data security doesn't work the way normal people think it does.  For example, "normal people," apparently, think that they can somehow get off the leaked Ashley Madison list, the latest data breach story du jour:  Now that the hackers of Ashley Madison have released the full 9.7 gigabytes of information, some former patrons (and current victims/penitents) are searching for hackers that will scrub their info from the list.  Which is crazy. And laughable.  And not doable.  The sitcom Newsradio explained it very well back in the late 1990s:

    Like he said.  It's like getting pee out of the pool.  Most people can probably appreciate the folly of even searching for a "solution" to this problem.  

    "once information has been sufficiently socialised and redistributed (which the Ashley Madison data has certainly been), the exposure is irretrievable"

    But for those who don't get it, and don't understand what the above means (quote from this article), basically, it means you're screwed because the hacked data isn't found in a central depository.

    Many people have the information now: Security researchers.  Journalists.  Bloggers.  The honestly curious.  Hackers with some kind of agenda.  Your girlfriend majoring in comp sci.  Sure, a hacker for hire could delete your specific entry from one list.  But that leaves a million other lists that are on other people's computers.

    Do you really think that a guy you've paid $2000 is going to be able to (and want to) track down all these founts of dismay?

    It Extends to People in the Business

    This lunacy of unachievable expectations, however, is not relegated to "normal" people.  For example, in the course of this business, I have fielded more than a handful of inquiries where callers were looking for "NSA-proof encryption."  Such encryption exists…but also doesn't exist.

    Let me explain.  As the Snowden disclosures have shown over the past couple of years, modern encryption tools like AES are definitely NSA-proof; that is, even the NSA has problems cracking particular encryption algorithms.  Because of that, the NSA finds other weak points to exploit outside of encryption itself, such as the inherent weaknesses of passwords; man-in-the-middle attacks; the injection of customized malware; and other forms of procuring the data they need.

    So, in this context, what exactly is "NSA-proof encryption?"  This is my counter-question to the callers, and the often condescending response coming from the phone's receiver is, "we don't want the NSA to be able to get our data in any way or form."  As if it could mean anything else.

    Now, as far as I can tell, these callers weren't engaged in illegal activities.  So, chances are that the NSA weren't even looking to get their data.  But let's say that's not the case.  Do these callers really believe that a full disk encryption solution for their laptops will stop the NSA or any intelligence agency worth their salt from acquiring their data, especially when they have so many other tools at their disposal for extracting it?  Including the possible use of physical pain?

    I tell the callers that we use AES-256, that the disk encryption solution is FIPS 140-2 validated and certified, answer any questions they have, and let the chips fall where they may.  If they ask pointedly whether we're "NSA proof," I answer in the negative.  In every single instance, I was given a perfunctory but not unfriendly thanks and never heard from them again.

    The kicker: every single one of these people called in inquiring about the AlertBoot partnership program.  They were people working in the data security sector.  They supposedly knew about data security.  They were not "normal" people.  They knew better (or, at least, they should have known better).

    I personally think of these instances as dodging particularly pernicious bullets.  But, the observation remains that, if so-called professionals fail to understand the limits of the security tools that they use, does the general populace stand a chance?  Perhaps facepalming shouldn't be the immediate response to finding out that people are looking to extricate themselves from the Ashley Madison fiasco.

    But then, the last ten years have shown us that no company or organization is immune to the ravages of hacking.  If top-tier banks and security companies experience data breaches because they can only but curb attempts at stealing data, why would anyone believe that a peccadillo-peddling dot-com would succeed at stopping hackers?

  • HIPAA Encryption: Indiana Medical Firm Data Breach Affects 230 Healthcare Organizations

    Last week, an Indiana medical firm saw a massive medical data breach that extended throughout the entire U.S.  Per online reports, possibly 4 million people in more than 230 hospitals and other healthcare organizations were affected by the breach, which occurred in May of this year.

    Hackers stole protected health information that included:
    "patients’ names, mailing addresses, email addresses and dates of birth … additional information stolen included Social Security Numbers, lab results, dictated reports, and medical conditions."
    It's the type of data that sells at a premium in online black markets that, admittedly, are just flooded with such information (and that premium shows how much more in demand detailed medical info happens to be).  Needless to say, the company that got hacked – Medical Informatics Engineering (MIE), providers of the NoMoreClipBoard EHR system – went into full damage-control mode, as did its clients.

    Where's the Security?

    Despite the disastrous results that MIE is seeing, it appears that the company had been as proactive as possible when it comes to data security.  For one, they uncovered the breach internally, which contrasts with the many companies who become aware of a data breach only when a third party (like the FBI) gets in touch with them.

    Also, forensic analysis shows that the breach took place as early as May 7 and was discovered on May 26.  While two-and-a-half weeks is an eternity in internet time, it's also not a bad performance from overworked IT staff (that's not to say that it couldn't be better).

    And Encryption?

    Of course, if data encryption had been used to protect the information, retrieving useful information would have been harder for whoever hacked MIE.  But, encryption was probably not a viable option for the company.  The thing to understand about encryption is that it protects data when that data is not being used.  (If that's news to you, just give it some thought: encryption works by scrambling information.  In order for a legitimate user to work with encrypted data, it has to be unscrambled first; that is, the information is not encrypted).

    Now, seeing how medical organizations may need to access patient info in any given 24 hours, MIE would have no option but to ensure that medical information is always accessible.  Ergo, it cannot be encrypted, at least not for live databases, which is what the hacker or hackers targeted – the story is different for data going into semi-permanent storage, obviously.

    Encryption is Appropriate in Many Cases

    Despite what appears to be a terrible flaw regarding cryptographic security, the truth is that encryption is an excellent way to protect data.  After all, there's a lot of data out there that's "not being used": when you're not interacting with your smartphone, for example, the contents of your mobile device are data that's not being used.

    Same goes for when you're transporting your laptop to and fro from work – it's data that's not being used.  (Seriously, you're not one of those types that uses one of these steering wheel trays while driving, right?)

    The list of devices that hold data that's not being used (at least a good chunk of the time) is huge: smartphones, external hard disks, small USB flash drives, laptops, backup tapes, tablet computers, data discs, etc.  For such devices, encryption is not only an appropriate method for protecting the data, it's considered one of the best (and in some circles, the best).

    It's just a matter of knowing when to use it.

