in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
  • Laptop Encryption: Thieves Stick Up Doc, Ask For Passwords To Encrypted Computer

    Brigham and Women's Hospital (BWH) has notified nearly 1,000 people that a computer that was protected with laptop encryption software has been stolen.  Normally, the use of encryption would provide safe harbor from sending such a notification letter, not only under HIPAA (the federal set of laws that govern medical organizations) but also under Massachusetts's data protection and notification laws, one of the most rigorous in the US.

    This, however, was not to be: the thieves who stole the laptop also forced the password from the doctor by placing him under duress.

    Tied to a Tree, Held at Gunpoint

    According to the breach notification letter, as well as coverage by myfoxboston.com, the hold up occurred back in September in Jamaica Pond (a Boston neighborhood that is not necessarily known for its safety).  Two assailants stole a doctor's cellphone and laptop:
    He was tied to a tree while one man held a gun and the other brandished a knife.

    Although both the laptop and cellphone were encrypted, they were stolen during an armed robbery on Sept. 24, and the hospital said the suspects forced the victim to give the pass codes during the robbery.
    It sounds like something that came out of a script for a B-film or something.  But then, they do say that art imitates life (and vice versa).  Anyhow, on to security issues.  This story reveals a number of things most people don't really think about when it comes to data security.

    First, there are caveats to HIPAA's data breach notification laws.  Many of our clients who call in looking for our managed laptop encryption services are under the impression that the use of encryption gives them complete safe harbor from the breach notification requirements.  This is not so and never has been.

    In order for safe harbor under the Breach Notification Rule to kick in, the following conditions also must be met: (1) the encryption used must be something that follows NIST guidelines.  This means strong encryption that is equivalent or stronger to AES-128, along with a number of other requirements.  (2) The HIPAA covered entity must be able to prove that the lost or stolen device was encrypted.  This means there must be some kind of report and paper trail.  (3) The password or encryption key must not be compromised.  If any of these conditions are not met, you won't be able to claim safe harbor.

    Second, we've heard from clients who're looking for "NSA-proof encryption".  We don't know what means, but we're pretty sure it doesn't really exist.  Also, why would the medical community be looking for something that's NSA-proof?  Not only does it sound a little overkill, but as the above story shows, two hoodlums can easily succeed where G-men behind a bunch of computer screens cannot (or maybe they can).

    Are Laptops Really Stolen for Their Hardware Value?

    Last but not least, the above story puts into question past stories where the breached entity proclaims that they "believe that a laptop was not stolen for the data."  Of course, from a very literal and technical standpoint, they're not wrong: the representatives of the breached entity can believe whatever they want; they can believe that the laptop will be used as a beer coaster, however unlikely it may be.

    The implication, on the other hand, is that data saved to an unencrypted laptop is probably safe.  The above puts the kibosh on such speculation: if thieves are now willing to tie up people and threaten the beejezus out of them in order to get into a stolen laptop, doesn't it make it more than possible that they've already been scraping for personal data on unencrypted laptops?

    It's beyond me how any self-respecting company that claims they've got the security of their clients' information at heart can even be writing such drivel.  Not BWH, though: they had encrypted their laptops.  What happened afterwards was literally out of their control.
    Related Articles and Sites:
    http://www.phiprivacy.net/brigham-and-womens-hospital-notifies-patients-after-data-stolen-in-armed-robbery/
    http://www.myfoxboston.com/story/27410047/brigham-womens-warning-of-privacy-breach-after-laptop-stolen
     
  • Laptop Encryption: Don't Forget To Use Strong Passwords

    According to theage.com.au, one of the most sought-after (and currently incarcerated) hackers was identified and trapped because he used his pet's name as his password to his Mac disk encryption.  At least, he thinks that's how it happened.  He's probably right, seeing how it was "Chewy123".

    The Interview

    In an interview conducted with Jeremy Hammond, who was given a 10-year sentence for hacking into government websites and other cyber-hijinks, the incarcerated hacker reveals not only his motivations, political and otherwise, but what happened on the day the feds bust through his door.

    It almost sounds like he was expecting it:
    Hammond was smoking pot and chatting with friends in the kitchen of his Chicago home when the front door was kicked in. Someone threw a flash bang.

    "There were all these dudes with assault rifles," he said.

    Everyone else hit the floor, but Hammond dashed to his bedroom to slam shut his encrypted Mac laptop.
    The above, of course, means that Hammond closed the lid of the laptop.  By doing so, an encrypted Mac goes into its "protected state": when full disk encryption] is used, the encryption is "on" when the computer is off or when the password has to be entered.  Encryption is turned "off" when you're working on the computer.  By slamming shut his Mac, Hammond had ensured that his encryption kicked in, preventing third parties from browsing through and reading his computer's contents.

    Or at least, that was the idea.

    Weak Passwords

    Encryption works.  This has been proven time and time again.  Modern encryption, such as the AES encryption algorithm used in Macs are so powerful that cracking it by brute force would take decades, maybe even centuries.

    And because of that, anyone trying to break into an encrypted system tends to target the password, since these tend to be much shorter and less complex, and thus much easier to crack.  How much easier?  According to some recent research, you can expect any password to fall within a week if the password is less than 15 characters in length.  The current guidelines in certain circles call for a 22-character password if a password is going to be useful.

    Chewy123 is not such a password.  Furthermore, there are other problems to this particular password choice: 
    • Chewy is a dictionary word.  Running a list of words found in a dictionary through the password prompt (if you will) is pretty easy and standard when it comes to cracking passwords.
    • 123 is a very oft-used add-on to passwords when trying to create an alphanumeric password.
    • Chew is also Hammond's cat's name.  People looking to break passwords will use personal information like mother's maiden names, birthdates, old addresses, names of friends, and names of pets.

    What's the moral of the story?  I guess one is "don't use weak passwords."  And I guess another is " don't do stuff that will get you arrested."  But regardless of what it may be, I think we can conclude one thing for certain: nobody wants to be using long, complex, "un-memorizable" passwords, not even hackers.  But, that will cost you when you least expect it.


    Related Articles and Sites:
    http://www.theage.com.au/it-pro/security-it/chewy-123-fbis-mostwanted-cybercriminal-used-cats-name-as-password-20141115-11nan3.html
     
  • Laptop Disk Encryption: Coca-Cola Sued For January 2014 Laptop Theft (and Recovery)

    I learned via databreaches.net that Coca-Cola has been sued over a data breach that occurred earlier this year: laptop computers, that were not protected with disk encryption software like AlertBoot, were stolen by a (former) employee.  While certain details weren't as forthcoming at the time, it was obvious that the employee's misdeed was made easy by the fact that the computers were marked for disposal… and he was in charge of disposing of them.

    Why the Lawsuit?

    Perhaps the latest lawsuit is just more evidence that the US is an overly litigious country: all the computers that were stolen by the wayward employee were recovered, as I noted in a previous entry.  Indeed, these had been recovered by the time the breach notification letter had been sent to affected employees.

    On the other hand, the fact that they contained sensitive personal data and were easily accessible (remember, the laptops don't appear to have been protected with encryption software) does mean there is room for concern, however slight it may be.  What guarantees do affected employees have that their information was not stolen and sold prior to the laptops being recovered?

    Had encryption been in place – quite unlikely, as I explained in my previous entry on the Coca-Cola breach – the company would probably see the case thrown out of court.  Among other things, Georgia is one of the many states that provides safe harbor from data breaches if sensitive information is encrypted.  But, as the company admitted, the laptops were not encrypted, apparently due to an oversight.

    Something else that may have impacted the decision to go to court: 55 laptops were involved, according to the short blurb I can read at law360.com.  Losing a couple of laptops is one thing; losing 55 is something else.  My initial surprise wore off pretty quickly, but I can see how an individual who was directly affected by the breach might still be seething.

    Related Articles and Sites:
    http://www.databreaches.net/coca-cola-sued-over-stolen-laptops-breach/
    http://www.law360.com/articles/595455/coca-cola-hit-for-privacy-breaches-from-stolen-laptops
    http://online.wsj.com/articles/SB10001424052702304632204579341022959922200
     
  • Data Security: Home Depot's Execs Switch To Macs, iPhones After Data Breach

    The Wall Street Journal reports on the Home Depot data breach.  Among some of the revelations is that (a) they had actually upgraded to the latest security measures when the data breach was discovered and (b) executives were handed Apple devices to counteract the immediate damage.  Seeing how these were "secure," it sounds like disk encryption had been enabled, among with the installation of other security solutions.  Plus, it made sense because the problem the facing company originated from Windows.

    A Timeline and Revelations

    The site wsj.com has a very good summary of how and when Home Depot was alerted of the data breach, and what happened in the following days.  It appears that they were notified of the data breach via multiple avenues, including the Secret Service as well as a financial institution's analyst.

    After that, well… the story has been covered via multiple channels, thanks to it being one of the largest data breaches in US history.  What might be news to people, however, is that when all of this was going down, Home Depot had already upgraded their security.  Unfortunately, the hackers were already inside their system by then (the application of a patch by Microsoft, meant to deal with the security vulnerability, was also powerless for this same exact reason), so Home Depot's efforts were for naught in this particular case.

    The other revelation is the switch to Macs once the company found out that they had a problem in their computer network:
    The company was able to confirm a breach, but it couldn’t be sure its critical business information was out of danger. An IT employee bought two dozen new, secure iPhones and MacBooks for senior executives, who referred to their new devices as "Bat phones."
    Seeing how a Windows vulnerability was at the heart of the problem, it makes sense that Macs were employed.  On the other hand, there's nothing magical about Macs, is there?  Switching to Macs is a temporary band-aid.

    Growing Problem

    One of the purported reasons why Macs are more secure than Windows is that there is less malware for it.  And the reason for that lies in Macs not being as "popular" – that is, it's footprint in the world is much, much smaller than Windows machines.  Since hackers are looking to infect as many machines as possible, it only makes sense to expend their time going after Windows machines.

    The problem with this is that it is an old argument.  Macs are becoming every more popular.  And, thanks to the growing popularity of Apple's smartphones, more and more people are learning to code in a Mac environment. (In fact, one of the reasons why viruses and other malware were not as prevalent in the past for Macs could very well have been due to the smaller number of people who programmed for Macs.  Hackers who were looking to make the switch form Windows or other OSes may ultimately have decided it was not worth it because they'd have to re-learn a substantial amount).

    But, again, it's an old, irrelevant argument.  We can readily see that Apple's malware-free environment is being encroached upon every day, with iPhone and Mac-specific malicious software being identified in the wild more and more often.  The users of Macs today must be as aware of the potential pitfalls as their Windows counterparts.

    Related Articles and Sites:
    http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
    http://www.macobserver.com/tmo/article/countermeasure-in-home-depot-data-breach-macbooks-iphones-for-execs
     
  • HIPAA Data Breach: You're Still More Likely To Lose Data Than Get Hacked

    The site hitconsultant.net relays that HIPAA covered entities are still more likely to experience a data breach by losing data than by being hacked online – which is why a managed HIPAA encryption solution like AlertBoot is very important in a medical environment.  The site's conclusions are supported not only by an analysis of the HHS's "Wall of Shame," where data breaches involving more than 500 people's personal information are listed, but by a report released from the California Attorney General's Office.

    Some Stats

    Based on the analysis, the Wall of Shame shows that 68% of all HIPAA data breaches since 2010 are due to the theft or loss of a device (be it a laptop, external hard drive, USB thumbdrive, backup tapes, etc).  Data from the AG's office shows similar figures despite the time period being shorter (70% of data breaches attributed to missing devices since 2012).  So, despite the recent prominence of online hacks being reported in the media, it appears that more attention should be given to what's happening at the local, un-virtual level.

    If there's criticism to be levied above, it's that the "number of data breaches" does not necessarily mean that the "most people were affected" by it.  But that's covered as well.  The article notes that,

    4% of breaches accounted for 80% of total records compromised. Of these 100k record and above mega-breaches, an above-average 78% of compromised records were the result of loss or theft.
     
    A couple of things are notable about the above.  The 80/20 rule (aka, Pareto law or Power law, although specifics can differ when you get to the nitty-gritty) is broken, possibly pointing towards something quite unusual going on here.  For example, maybe it means that because online hacks generally involve millions of data points, these tend to bias the overall figures.  In turn, this could mean that online hacks should not be bunched together with other types of data breaches, possibly because online data breaches involve figures in the hundreds of thousands, at least, whereas everything else tends to include much lower numbers (e.g., 500, in the case of HIPAA).

    What I find more surprising is that the loss and theft of devices account for well nearly 80% of breaches involving 100,000 records or more.  Why would anyone be carrying such large amounts of data on a computer that is not protected with encryption software?   Many would say that the risk is not there, or that they cannot justify it financially.

    A Simple Risk Analysis

    From a simple risk analysis point of view, assuming that each person's data point is worth a measly 10 cents, the loss of a database with 100,000 personal records would be like losing $10,000.

    Of course, the 10-cent figure is from the perspective of the attacker (since that's how much it fetches in online black markets; the world is saturated in such data).  To the defender, the covered entity that has to deal with cleaning up a data breach, the per capita cost is actually in the hundreds of dollars.  That means an unencrypted computer is a silicon satchel potentially worth $10,000,000 or more if something untoward were to occur: disruption to its business operations; costs involving the notification of clients; setting up call centers for answering any follow up questions; hiring forensic experts; dealing with regulators; loss of brand reputation and goodwill; defending against lawsuits; etc.  There are a lot of intangible costs, as you can see.

    A Little More Complicated Risk Analysis

    Of course, the individual probability of a computer being lost or stolen is relatively low.  But the point is that it just takes one laptop loss or theft to trigger a data breach.  So, it's not about the individual risk as it is about the company's risk.

    If the individual odds of something happening to a laptop in a given year is 1%, and you have 100 people in a company who have laptops with sensitive data, then the odds of a data breach in any give year is:

    1 – (the odds of no one losing their laptops)

    In order to trigger a data breach in a give year, you could have two laptop losses in a year, or three losses, or four losses, etc. all the way up to a theoretical 100 losses.  The only way you can avoid a data breach is if none of the 100 employees have their laptops nicked.

    So, the calculation becomes easier if the "1% probability of losing a laptop" becomes a "99% probability of not losing a laptop."  Since the loss of laptops can be thought of as independent events:

    1 – (.99)^100 = your odds of having a data breach in a give year = 0.634 (or 63%)

    Now, it could be that the initial assumption of 1% is too high.  But even if the initial assumption is 0.1%, the resulting probability is 9%, still pretty high (you'll see what I mean in the next calculation).  Make it 0.01% and it finally sinks to 1%.

    Now, a 1% probability of a data breach in a given year across 100 employees doesn't sound too bad (again, assuming the probability of losing any individual laptop is 0.01% or 1 in 10,000) but you have to incorporate the cost of data breach.  In my earlier calculation, I had given that amount as $10 million.

    $10,000,000 x 1% = $100,000

    So, a company would still be facing the possibility of losing $100,000 any given year because of a data breach.  It's definitely cheaper to encrypt 100 laptops, especially when you consider that the actual losses, when it hits, will not be the statistical $100,000 but a very large $10,000,000 – enough to sink most commercial concerns.

    Related Articles and Sites:
    http://www.phiprivacy.net/68-of-healthcare-data-breaches-due-to-device-loss-or-theft-not-hacking/
    http://hitconsultant.net/2014/11/04/healthcare-data-breaches-device-theft-loss/
     
  • Disk Encryption: Laptops Stolen From DC Polling Locations

    According to wusa9.com, a break-in in Southeast D.C. has resulted in the theft of laptops and other items.  While the use of laptop encryption software was not disclosed, a Board of Elections official noted that voter information was not compromised.

    Elementary School = Low Physical Security

    Three laptop computers were stolen when the voting site – really an elementary school – was broken into.  In addition, refreshments for volunteers were stolen as well.  Conspiracy theories not withstanding, it looks like it was just your average break-in: you have high-value items, low security, and, apparently, zero monitoring: it seems that nobody knew anything was amiss until volunteers arrived around in the wee hours of the morning.

    As mentioned above, an election official was quoted as saying that voter information was not compromised.  How does he know?  Because "the laptops have to be connected to the BOE network for anyone to gain access to that information."

    If I may put on my tin-foil hat, however, it should be noted that the wording here was very specific to voter information.  It sounds like things were set up so that voter info resided on secure servers, and the laptop was merely acting as a "thin-client."  That is, a device for remotely accessing the data.  Assuming the correct app was available, the same could have been accomplished with an iPad.  However, laptops being what they are, one has to wonder if there was any sensitive information stored on any of the stolen devices.

    Not voter information per se, but other information.  Had disk encryption been used, these refreshment and computer stealing thieves would be stopped from digitally poking around in the laptops.  So, was encryption used?  Was it necessary?  If yes, one only hopes that encryption was used.

    Related Articles and Sites:
    http://www.databreaches.net/voter-info-stolen-in-southeast-dc/
    http://www.wusa9.com/story/news/politics/elections/2014/11/04/voter-information-laptop-stolen-se-dc/18455153/
     
More Posts Next page »