AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

  • Laptop Encryption: Beth Israel Deaconess To Pay $100K To Settle Breach Of Personal Laptop

    Beth Israel Deaconess Medical Center will settle with the Massachusetts Attorney General's Office to the tune of $100,000 for causing a data breach when a laptop computer was stolen from its campus.  This amount is on top of the $500,000 that the hospital paid to deal with the data breach itself (as of August 2014, according to phiprivacy.net).  The use of disk encryption software goes a long way towards preventing such "fines" from being assessed, as many people know: there are legal safeguards as well as technical ones.

    However, the hospital couldn't take advantage of these for a very simple reason: the stolen laptop was the personal device belonging to a physician, and so the hospital had no direct control over its security… in theory.

    Does Not Mean "Ban Personal Devices"

    The data breach occurred in 2012 (that's right, two years ago) and affected nearly 4,000 people.  The laptop was a personal device.  Why is BIDMC being held responsible?

    According to the complaint against BIDMC [Beth Israel Deaconess Medical Center], in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.

    As the complaint makes clear, BIDMC cannot but be held accountable.  They knew of the laptop's presence and use.  The physician had obtained authorization.  The laptop was stolen from the hospital's premises.  I mean, except for the question of ownership, you may as well call it the hospital's machine for all intents and purposes as they relate to the data breach.

    It's About Securing Data

    It's hard to understand how BIDMC got it so wrong.  The need to use encryption solutions on sensitive data was well known to the medical community before 2012.  It makes even less sense seeing how the medical center is located in Boston – meaning they have to deal with HIPAA/HITECH as well as the quite arduous Massachusetts data security laws.

    Indeed, certain organizations feel that the laws are so oppressive that they actually ban the use of personal devices at work.  It's an extreme attempt at controlling the risks of a data breach.  Why BIDMC decided to go the other way is a complete mystery to me.  Perhaps they made the mistake of believing it was a matter of securing hospital devices.  Because the physician's laptop was not hospital property, it was decided that there was no need to encrypt the device.

    The problem with this approach, among other things, is that laws and regulations clearly point out that it's the data that needs to be protected.

    Related Articles and Sites:
    http://www.phiprivacy.net/beth-israel-deaconess-medical-center-to-pay-100000-to-settle-state-charges-over-data-breach/
     
  • Data Encryption: Apartment Front Office Broken Into For Personal Info

    According to click2houston.com, the front office of a Houston apartment complex was broken into in August, resulting in the theft of personal information for hundreds of people.  What's new, right?  Well, it turns out the thieves got the information from a filing cabinet.  In other words, because a computer or other electronic media was not used, capitalizing on the power of managed data encryption software like AlertBoot was not possible.  And unlike other breach reports, this incident has turned at least one person into an ID fraud victim.

    SSNs Stolen, $2000 in Charges

    The August break-in resulted in the theft of "full names, Social Security numbers, address[es]…and bank routing numbers."  Plus, according to an interviewee, someone had opened up a credit card in his name and racked up $2,000 in a shopping spree.

    (Which, based on certain reports, could actually be valued at more than $2,000.  There is some kind of scam going on where shoppers are conning Walmart into matching fake Amazon price listings, resulting in the sale of PlayStation 4 consoles at less than $100.  These gaming machines retail for $400.  Combine it with bogus credit cards, and a guy who timed it well could have $8,000 worth of PS4s in his hands.)

    One of the more frustrating things for the above person must be the fact that they "had the credit bureaus on alert within hours of" being notified about the breach but were still victimized.  It goes to show that, once you have a data breach, it's not easy to rectify things or prevent them from happening.  In these cases, an ounce of prevention really is worth a pound of cure.

    Digital Data over Paper Data

    For all the hubbub that we see in the media over how easy it is to steal digital data, the truth is that traditional data can be (and is) just as easy to steal.  Even more important, and something that nobody really discusses, ever, is that it's harder to protect.  With data stored on a laptop, a few clicks to install disk encryption is all it takes to counter even government departments authorized to hack into data; a single attempt to break through could cost millions of dollars.

    Getting at paper documents, on the other hand, takes little more than some downtime, a brick through a window, and a criminal mentality, depending on the location.  Any amateur can make a go of it.

    Related Articles and Sites:
    http://www.click2houston.com/news/personal-information-for-hundreds-of-people-exposed-after-break-in-at-apartment-office/29831970
     
  • Laptop Encryption: Thieves Stick Up Doc, Ask For Passwords To Encrypted Computer

    Brigham and Women's Hospital (BWH) has notified nearly 1,000 people that a computer that was protected with laptop encryption software has been stolen.  Normally, the use of encryption would provide safe harbor from sending such a notification letter, not only under HIPAA (the federal set of laws that govern medical organizations) but also under Massachusetts's data protection and notification laws, which are among the most rigorous in the US.

    This, however, was not to be: the thieves who stole the laptop also forced the password from the doctor by placing him under duress.

    Tied to a Tree, Held at Gunpoint

    According to the breach notification letter, as well as coverage by myfoxboston.com, the hold up occurred back in September in Jamaica Pond (a Boston neighborhood that is not necessarily known for its safety).  Two assailants stole a doctor's cellphone and laptop:
    He was tied to a tree while one man held a gun and the other brandished a knife.

    Although both the laptop and cellphone were encrypted, they were stolen during an armed robbery on Sept. 24, and the hospital said the suspects forced the victim to give the pass codes during the robbery.
    It sounds like something out of a B-movie script.  But then, they do say that art imitates life (and vice versa).  Anyhow, on to security issues.  This story reveals a number of things most people don't really think about when it comes to data security.

    First, there are caveats to HIPAA's data breach notification laws.  Many of our clients who call in looking for our managed laptop encryption services are under the impression that the use of encryption gives them complete safe harbor from the breach notification requirements.  This is not so and never has been.

    In order for safe harbor under the Breach Notification Rule to kick in, the following conditions must also be met:
    • The encryption used must follow NIST guidelines.  This means strong encryption equivalent to or stronger than AES-128, along with a number of other requirements.
    • The HIPAA covered entity must be able to prove that the lost or stolen device was encrypted.  This means there must be some kind of report and paper trail.
    • The password or encryption key must not be compromised.
    If any of these conditions is not met, you won't be able to claim safe harbor.

    Second, we've heard from clients who are looking for "NSA-proof encryption".  We don't know what that means, but we're pretty sure it doesn't really exist.  Also, why would the medical community be looking for something that's NSA-proof?  Not only does it sound a little overkill, but as the above story shows, two hoodlums can easily succeed where G-men behind a bunch of computer screens cannot (or maybe they can).

    Are Laptops Really Stolen for Their Hardware Value?

    Last but not least, the above story puts into question past stories where the breached entity proclaims that they "believe that a laptop was not stolen for the data."  Of course, from a very literal and technical standpoint, they're not wrong: the representatives of the breached entity can believe whatever they want; they can believe that the laptop will be used as a beer coaster, however unlikely it may be.

    The implication, on the other hand, is that data saved to an unencrypted laptop is probably safe.  The above puts the kibosh on such speculation: if thieves are now willing to tie up people and threaten the bejesus out of them in order to get into a stolen laptop, doesn't it make it more than possible that they've already been scraping for personal data on unencrypted laptops?

    It's beyond me how any self-respecting company that claims they've got the security of their clients' information at heart can even be writing such drivel.  Not BWH, though: they had encrypted their laptops.  What happened afterwards was literally out of their control.
    Related Articles and Sites:
    http://www.phiprivacy.net/brigham-and-womens-hospital-notifies-patients-after-data-stolen-in-armed-robbery/
    http://www.myfoxboston.com/story/27410047/brigham-womens-warning-of-privacy-breach-after-laptop-stolen
     
  • Laptop Encryption: Don't Forget To Use Strong Passwords

    According to theage.com.au, one of the most sought-after (and currently incarcerated) hackers was identified and trapped because he used his pet's name as his password to his Mac disk encryption.  At least, he thinks that's how it happened.  He's probably right, seeing how it was "Chewy123".

    The Interview

    In an interview conducted with Jeremy Hammond, who was given a 10-year sentence for hacking into government websites and other cyber-hijinks, the incarcerated hacker reveals not only his motivations, political and otherwise, but what happened on the day the feds burst through his door.

    It almost sounds like he was expecting it:
    Hammond was smoking pot and chatting with friends in the kitchen of his Chicago home when the front door was kicked in. Someone threw a flash bang.

    "There were all these dudes with assault rifles," he said.

    Everyone else hit the floor, but Hammond dashed to his bedroom to slam shut his encrypted Mac laptop.
    The above, of course, means that Hammond closed the lid of the laptop.  By doing so, an encrypted Mac goes into its "protected state": when full disk encryption is used, the data on disk is only inaccessible when the computer is off or is sitting at the password prompt.  While you're logged in and working, the disk is unlocked and its contents are readable.  By slamming shut his Mac, Hammond had ensured that his encryption kicked in, preventing third parties from browsing through and reading his computer's contents.

    Or at least, that was the idea.

    Weak Passwords

    Encryption works.  This has been proven time and time again.  Modern encryption, such as the AES encryption algorithm used in Macs, is so powerful that cracking it by brute force would take decades, maybe even centuries.

    And because of that, anyone trying to break into an encrypted system tends to target the password, since these tend to be much shorter and less complex, and thus much easier to crack.  How much easier?  According to some recent research, you can expect any password to fall within a week if the password is less than 15 characters in length.  The current guidelines in certain circles call for a 22-character password if a password is going to be useful.

    Chewy123 is not such a password.  Furthermore, there are other problems with this particular password choice:
    • Chewy is a dictionary word.  Running a list of words found in a dictionary through the password prompt (if you will) is pretty easy and standard when it comes to cracking passwords.
    • 123 is a very oft-used add-on to passwords when trying to create an alphanumeric password.
    • Chewy is also Hammond's cat's name.  People looking to break passwords will use personal information like mother's maiden names, birthdates, old addresses, names of friends, and names of pets.
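    As an added example (not from the post or from AlertBoot), here is a small Python checker that applies the three weaknesses listed above plus the length thresholds the post cites, so a defender can audit a candidate passphrase against the same criteria; the mini word list, the personal-info hints, the suffix list and the character-pool sizes are constructed stand-ins.

```python
"""Audit a candidate password against the weaknesses discussed in the post.

Added example, not AlertBoot's code.  The word list, suffix list and the
15/22-character thresholds are taken or constructed from the post; a real
deployment would load a full dictionary and its own policy values.
"""
import math
import re
from typing import List

# Constructed mini-dictionary standing in for a real word list.
DICTIONARY = {"chewy", "password", "welcome", "summer", "dragon", "monkey"}

# Common numeric/symbol suffixes people bolt on to satisfy "alphanumeric" rules.
COMMON_SUFFIX = re.compile(r"(123|1234|12345|2014|!|01|1)$")

MIN_OK_LENGTH = 15       # below this the post expects a crack within a week
RECOMMENDED_LENGTH = 22  # the "current guidelines in certain circles" figure


def naive_entropy_bits(password: str) -> float:
    """Generous upper bound: assume each character was drawn uniformly from
    the character classes actually present (assumed pool sizes)."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def audit_password(password: str, personal_info: List[str]) -> List[str]:
    """Return a list of findings; an empty list means no weakness detected."""
    findings = []
    core = COMMON_SUFFIX.sub("", password).lower()  # password minus its suffix

    if COMMON_SUFFIX.search(password):
        findings.append("ends in a common numeric/symbol suffix")
    if core in DICTIONARY:
        findings.append("core of the password is a dictionary word")
    for hint in personal_info:
        if hint and hint.lower() in password.lower():
            findings.append("contains personal information (%r)" % hint)
    if len(password) < MIN_OK_LENGTH:
        findings.append("shorter than %d characters" % MIN_OK_LENGTH)
    elif len(password) < RECOMMENDED_LENGTH:
        findings.append("shorter than the recommended %d characters" % RECOMMENDED_LENGTH)
    return findings


if __name__ == "__main__":
    for f in audit_password("Chewy123", ["Chewy"]):
        print("Chewy123:", f)
    print("naive entropy bits: %.1f" % naive_entropy_bits("Chewy123"))
```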

    What's the moral of the story?  I guess one is "don't use weak passwords."  And I guess another is "don't do stuff that will get you arrested."  But regardless of what it may be, I think we can conclude one thing for certain: nobody wants to be using long, complex, "un-memorizable" passwords, not even hackers.  But that will cost you when you least expect it.


    Related Articles and Sites:
    http://www.theage.com.au/it-pro/security-it/chewy-123-fbis-mostwanted-cybercriminal-used-cats-name-as-password-20141115-11nan3.html
     
  • Laptop Disk Encryption: Coca-Cola Sued For January 2014 Laptop Theft (and Recovery)

    I learned via databreaches.net that Coca-Cola has been sued over a data breach that occurred earlier this year: laptop computers that were not protected with disk encryption software like AlertBoot were stolen by a (former) employee.  While certain details weren't as forthcoming at the time, it was obvious that the employee's misdeed was made easy by the fact that the computers were marked for disposal… and he was in charge of disposing of them.

    Why the Lawsuit?

    Perhaps the latest lawsuit is just more evidence that the US is an overly litigious country: all the computers that were stolen by the wayward employee were recovered, as I noted in a previous entry.  Indeed, these had been recovered by the time the breach notification letter had been sent to affected employees.

    On the other hand, the fact that they contained sensitive personal data and were easily accessible (remember, the laptops don't appear to have been protected with encryption software) does mean there is room for concern, however slight it may be.  What guarantees do affected employees have that their information was not stolen and sold prior to the laptops being recovered?

    Had encryption been in place – quite unlikely, as I explained in my previous entry on the Coca-Cola breach – the company would probably see the case thrown out of court.  Among other things, Georgia is one of the many states that provides safe harbor from data breaches if sensitive information is encrypted.  But, as the company admitted, the laptops were not encrypted, apparently due to an oversight.

    Something else that may have impacted the decision to go to court: 55 laptops were involved, according to the short blurb I can read at law360.com.  Losing a couple of laptops is one thing; losing 55 is something else.  My initial surprise wore off pretty quickly, but I can see how an individual who was directly affected by the breach might still be seething.

    Related Articles and Sites:
    http://www.databreaches.net/coca-cola-sued-over-stolen-laptops-breach/
    http://www.law360.com/articles/595455/coca-cola-hit-for-privacy-breaches-from-stolen-laptops
    http://online.wsj.com/articles/SB10001424052702304632204579341022959922200
     
  • Data Security: Home Depot's Execs Switch To Macs, iPhones After Data Breach

    The Wall Street Journal reports on the Home Depot data breach.  Among some of the revelations is that (a) they had actually upgraded to the latest security measures when the data breach was discovered and (b) executives were handed Apple devices to counteract the immediate damage.  Seeing how these were "secure," it sounds like disk encryption had been enabled, along with the installation of other security solutions.  Plus, it made sense because the problem facing the company originated in Windows.

    A Timeline and Revelations

    The site wsj.com has a very good summary of how and when Home Depot was alerted of the data breach, and what happened in the following days.  It appears that they were notified of the data breach via multiple avenues, including the Secret Service as well as a financial institution's analyst.

    After that, well… the story has been covered via multiple channels, thanks to it being one of the largest data breaches in US history.  What might be news to people, however, is that when all of this was going down, Home Depot had already upgraded their security.  Unfortunately, the hackers were already inside their system by then (the application of a patch by Microsoft, meant to deal with the security vulnerability, was also powerless for this same exact reason), so Home Depot's efforts were for naught in this particular case.

    The other revelation is the switch to Macs once the company found out that they had a problem in their computer network:
    The company was able to confirm a breach, but it couldn’t be sure its critical business information was out of danger. An IT employee bought two dozen new, secure iPhones and MacBooks for senior executives, who referred to their new devices as "Bat phones."
    Seeing how a Windows vulnerability was at the heart of the problem, it makes sense that Macs were employed.  On the other hand, there's nothing magical about Macs, is there?  Switching to Macs is a temporary band-aid.

    Growing Problem

    One of the purported reasons why Macs are more secure than Windows is that there is less malware for them.  And the reason for that lies in Macs not being as "popular" – that is, their footprint in the world is much, much smaller than that of Windows machines.  Since hackers are looking to infect as many machines as possible, it only makes sense for them to expend their time going after Windows machines.

    The problem with this is that it is an old argument.  Macs are becoming ever more popular.  And, thanks to the growing popularity of Apple's smartphones, more and more people are learning to code in a Mac environment.  (In fact, one of the reasons why viruses and other malware were not as prevalent in the past for Macs could very well have been the smaller number of people who programmed for Macs.  Hackers who were looking to make the switch from Windows or other OSes may ultimately have decided it was not worth it because they'd have to re-learn a substantial amount.)

    But, again, it's an old, irrelevant argument.  We can readily see that Apple's malware-free environment is being encroached upon every day, with iPhone and Mac-specific malicious software being identified in the wild more and more often.  The users of Macs today must be as aware of the potential pitfalls as their Windows counterparts.

    Related Articles and Sites:
    http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
    http://www.macobserver.com/tmo/article/countermeasure-in-home-depot-data-breach-macbooks-iphones-for-execs
     