AlertBoot Endpoint Security : encryption software provider

Apple BYOD Protection: Pentagon Clears Apple Devices for Use In DOD Network

sang_lee — Mon, 20 May 2013 12:00:00 GMT

Many media outlets are reporting that the US Department of Defense (DOD) has finally approved the use of Apple devices on its network. I see plenty of comments like, "Great, prepare for malware to spread in our country's military networks because some government worker decided to download the wrong game" or some nonsense.

Yeah, BYOD, or Bring Your Own Device, introduces risks. That's why you need to have the appropriate infrastructure to support BYOD, including the use of MDM (mobile device management) solutions for smartphones and tablets like AlertBoot Mobile Security.

It also helps if your BYOD project is not actually a BYOD project.

Apple Devices are STIG-tastic

Defense.gov reports that:
The release of the Apple iOS 6 STIG is a major stride in building a multivendor environment, supporting a diverse selection of devices and operating systems, DISA officials said. This STIG and the recently approved STIGs for the BlackBerry and Samsung Knox operating systems demonstrate DISA's commitment to validate a range of devices that meet DOD security standards so the best technology is available to achieve mission requirements, they added.
The STIG, or Security Technical Implementation Guide, is documentation designed to standardize security in the installation and maintenance of computer hardware and software, according to Wikipedia.

It Ain't BYOD If You Don't Bring It

What this all means is that Apple can now sell their devices to the military. This does not mean that people can bring their own iPhones and connect them to the government network. Also from defense.gov (my emphasis):
government-issued iOS6 mobile devices are approved for use when connecting to Defense Department networks within current mobility pilots or the future mobile device management framework
See how it says government-issued? A further explanation by the same site (my emphasis):
Officials said the STIG does not allow personally acquired mobile devices to connect to DOD networks.
In other words, they'll give employees an iPhone. Or an Android phone (as long as it's a Samsung, I guess, or running KNOX). Or perhaps even a Blackberry. Basically, the DOD, which is already leveraging Blackberry devices for better productivity and communications, is now widening their options in terms of hardware (and possibly software).

No BYOD here. More like CYOD, Choose Your Own Device.

Fool Me Twice, Shame on Me

The capriciousness of the "here come the data breaches" comments are a little annoying. Granted, the military once had a huge problem in their hands due to USB memory sticks, and ended banning all removable media devices on DOD machines. However, I like to think that much has changed since 2008. It seems quite obvious to me that the DOD would have learned something from the experience; they're most probably not approving Apple and Samsung devices without a good idea of what they're doing.

Getting Philosophical

Now, you might say, "hey, it's a matter of when, not if. That's the nature of data breaches. You can't really escape it; you can only be lucky enough not to be there anymore when it happens." In other words, MDM, passwords, encryption, location tracking, etc. are all for naught; attempting to provide security is useless when you know it's going to eventually happen.

Well, that's also true when it comes to death. The probability of you meeting your maker is 100% (in a manner of speaking), but mass suicides are severely lacking among the logical crowd. Often times, engaging in the "impossible" is still worth doing regardless of the odds.

UK BYOD Security: 82% Of Biz Unaware Of Existing Data Protection Expenditures

sang_lee — Wed, 15 May 2013 12:24:00 GMT

The UK Information Commissioner's Office (ICO) ordered a report to find the extent of English businesses' knowledge on the European Commission's data protection reforms. Among other things, the updates to the privacy laws further encourage (indirectly) the use of data protection software, like AlertBoot's Mobile Security for smartphones and tablets, as well as introducing novel ideas such as the "right to be forgotten."

Bad News

The survey's results are not very encouraging. For example, it turns out that 82% of businesses did not know how much they spend on data protection. Observed information-age.com,
it is not surprising, then, that 87% could not estimate what the impact of the reforms would be.

Respondents were asked to describe the reforms as they understand them. Four out of ten had an inaccurate understanding of all ten reforms, and not one fully understands every one.

An Easier Way? A Totally Transparent Cost Structure

I don't know about "the inaccurate understanding of all ten reforms," but I can understand why most businesses don't have a good idea on their data protection budget. The answer is that it's not easy figuring out what it actually costs.

Consider just one example of data security: laptop computer encryption and mobile device security for smartphones and tablets. Under the traditional model you have:

License purchases. Depending on the approach, a company may have to purchase the licenses in pre-arranged blocks, say at least 100 licenses, and 50 additional license blocks after that. If you need 105 licenses, you have to purchase 150. The remaining 45 are sometimes called "shelfware" because that's where they end up; maybe you'll them all, maybe you won't.

Because computers are tracked (e.g., to install updates or new software), you have a good idea of how many machines are on your network. But the cost of the data security is actually greater than that because of shelfware as well as computers than are not plugged to the network. Unless you have meticulous records, chances are your estimates will be lower than reality.

Bring Your Own Management Server. In other words, you have to provide the infrastructure for managing, deploying, and installing the licenses you just purchased. Of course, you could do it without central management. But if you have more than, say, 50 computers to manage (again, to install updates or new software or whatever), a management server saves time and money. But only if you plunk down money. The problem is that you may add, retire, or repurpose servers as necessary or as opportunity permits.

And, by doing so, you also change the equations for what you're spending in terms of electricity, peripherals (like LAN cables and whatnot), etc. In the end, these add up to a substantial figure. But, with things moving in and out, you're never quite sure what the figure is. For example, a management server for full disk encryption is repurposed as a printer server...did you update your accounting spreadsheets as well?

Data Center. Many companies make use of data centers to ensure reliability and uptime of core operations. The data security portion probably holds a fraction of the space allocated in a data center. So what are its costs, exactly? You know you're paying saying, $5,000 per month, but how much of that is assigned to the data protection portion? Good luck finding out.

Employees. Maybe the company has an IT department. And maybe the IT department's personnel are doing double (or triple) duty as coders, troubleshooters, software installers, hardware installers, and who knows what else. How much of their time is spent on data security stuff? Or maybe they've got people dedicated to doing password resets for people who forgot their passwords and are locked out of their computers.

As you can see, trying to figure out how much data security costs is fraught with blind spots.

Of course, it doesn't necessarily have to be this way. AlertBoot's security suite for endpoints – AlertBoot Mobile Security for BYOD and AlertBoot Full Disk Encryption for laptop hard drives – are a model of cost transparency: a flat annual price without any predefined license purchases: you can obtain as many (or as little) licenses as you need.

This is possible because the solution is cloud-based, hosted on AlertBoot's data centers. This means any hardware and software issues are left up to AlertBoot. Furthermore, the company provides support and password recovery services 24/7, ensuring that the IT department is focused on more important matters.

Because all of this is included in AlertBoot's offerings, calculating data security costs are also very easy.

Smartphone Security: Facebook App - Yes, They Can Use Your Smartphone Camera (But They Won't)

sang_lee — Mon, 13 May 2013 09:43:00 GMT

Whenever I mention that AlertBoot Mobile Security, an MDM for protecting smartphones, allows one to disable their camera (and keep it that way), some people say something along the lines of "hey, that's great for companies infringing on my darn tootin' rights to do whatever the heck I want with my own smartphone that I'm allowed to use at work, but why would I personally want that?"

I never could answer this question. What is the value of this feature for the smartphone owner? Thankfully, Facebook is making the case for me on this one.

Facebook Spokesperson Essentially Says: "Trust Us"

In what I can only describe as one of the most horrific (but also naively refreshing?) statements I have read in a while, businessinsider.com had this to report (my emphasis):
While it is technically possible for the Facebook app to record video and audio without your knowing, the spokesperson said Facebook won't do that.
I realize that I haven't even covered the details of the story, but doesn't the above kind of make the hairs on your neck stand up, and tells you all that you need to know, regardless of the story?

I know it does to me.

It's Google's Fault

Eli Langer over at storify.com has a story on how people are "complaining about Android applications" for Facebook and Google Search. Namely, that these apps can use a smartphone's "microphones and camera at any point without any confirmation."

I wouldn't have believed it if it weren't for a screenshot that shows the legal language. You can find it by visiting the story, but it reads:
Record Audio: Allows the app to record audio with the microphone. This permission allows the app to record audio at any time without your confirmation.

Take Pictures and Videos: Allows the app to take pictures with the camera. This permission allows the app to use the camera at any time without your confirmation.
Now, a screenshot in the age of Photoshop means nothing. But, consider this: (1) multiple people are tweeting about it, (2) neither Mr. Langer nor businessinsider.com are not known for pulling April Fool's day pranks in mid-May (as far as I know, that is), and (3) there is the admission by a Facebook spokesperson, which we already saw above. In fact, the full quote in the businessinsider.com article is the following:
A spokesperson for Facebook explains this [the legal language above] as follows: the language in this disclaimer comes from Google and wasn't written up by Facebook, it's simply how Android handles camera access. While it is technically possible for the Facebook app to record video and audio without your knowing, the spokesperson said Facebook won't do that.
I'm on the fence whether the full passage makes the spokesperson's statement more or less creepy. One the one hand, the "openness" and "transparency" are appreciated (even if most people wouldn't read the legalese). On the other hand, a living, breathing person telling me that I should ignore the implications.... well, let's just say that I'm pulling out of storage my X-Files t-shirt just for this occasion.

The Solution?

AlertBoot is one of the many companies that have a BYOD solution. It's an MDM (mobile device management) service that allows one to control and manage smartphones and tablets from the cloud, and it includes features like remote data wipe, password policies, and Wi-Fi provisioning (and more, of course).

It also includes the ability to disable cameras on mobile devices. Many companies do not allow cameras in the workplace for myriad reasons, and this is how it works in AlertBoot:
A policy is created in the online management console. For simplicity's sake, it'll be for disabling the camera.
Apply it.
The policy is updated for devices, and that's that. This works as long as the device is not jailbroken (of which the administrator will be notified).

If a regular/official/authorized version of the device's OS is in place, the Facebook app will not be able to access the camera, period (in the event of a conflict between the app settings, "use camera," and the AlertBoot MDM settings "camera disabled," the latter comes out on top, as should be the case).

Of course, the "real" solution is for Google and/or Facebook to change their policies and not allow this to happen. I mean, the app can technically access your mic and camera but "it won't happen?" Why build it, then? And why ask for permission to use it without your being aware of it?

BYOD Security: Complying With Australian Privacy Principle 11

sang_lee — Thu, 09 May 2013 08:07:00 GMT

Last week (28 April to 4 May 2013) was "Privacy Awareness Week" in the Asia Pacific region. Australia is one of the entities that participates in PAW (the others are, in alphabetical order, Canada, Hong Kong, Korea, Macau, Mexico, New Zealand, and the USA).

As part of the awareness campaign, the Office of the Australian Information Commissioner (OAIC) released their "Guide to Information Security: 'reasonable steps' to protect personal information." There is much information, and an entire subsection is dedicated to the use of encryption. That doesn't come as a surprise, seeing how cryptography is a key aspect of effective IT security; it could very well end up being the only information security measure that is (indirectly) listed as a requirement in complying with the Australian Privacy Principles.

BYOD and Australian Privacy Principle 11

According to the Parliament of Australia:

Australian Privacy Principle 11 (APP 11) protects personal information by imposing specific obligations on both agencies and organisations which hold that information. The principle also provides that entities take reasonable steps to destroy or de-identify the personal information once it is no longer needed... these obligations are in line with international best practice on privacy protection.
What are these "specific obligations" that are "in line with international best practice on privacy protection"? The answer to this question is quite complex, but when it comes to BYOD, mobile devices like smartphones and tablets, and laptop computers and their storage accessories, using encryption software to protect the data is probably up there on the do-list.

Consider the following:

Best practices vary from country to country, but most include a provision for data encryption, and provide safe harbor from legal and other penalties if used.

Encryption is used extensively for destroying or de-identifying information. For example, remote wiping of smartphones is based on deleting the encryption key (Note: Best practices still require physical destruction of information – including shredding, grinding, melting, etc., but only when it is possible to do so. If a device is lost or missing, encryption is the last, and best, resort).

Encryption is at the heart of all e-commerce, including on-line banking and credit card processing.

Where such data is made available – such as the USA's HIPAA (Health Insurance Portability and Accountability) "Wall of Shame" – the loss of devices accounts for more than 50% of data breaches (in the case of HIPAA, those affecting 500 or more people).

Encryption is a time-tested, bona fide solution for the many risks that accompany the use of devices that store sensitive data. Australian law, however, will probably follow in the footsteps of established legislation around the globe and not make its use a requirement.

Instead, indirect incentives for its use, such as the extension of safe harbor for encrypted data, which was already mentioned before, or monetary fines and penalties for data breaches where encryption is not used, are much more likely (and the accepted model in other countries).

Indeed, it was revealed only one week ago that financial penalties will be assess under the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013:
Repeat and serious offenders face financial penalties of up to $340,000 for individuals or $1.7 million for organisations - a maximum penalty which was last month increased from $220,000 and $1.1 million respectively.

Small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.

Making It Easy to Install, Deploy, and Manage BYOD Encryption

Of course, there will be other ways to comply with APP 11, depending on the circumstances. However, it wouldn't be a reach to say that none of these other solutions offer the dynamism, robustness, facility, or peace of mind that encryption offers.

Just because encryption is a proven technology and easy to use, however, it doesn't mean that it's easy to set up or maintain. An individual user must, among other things:

Ensure that the machine is ready for successful installation,

Ensure that the encryption key or keys are backed up (just in case. Otherwise, it will prove impossible to recover the protected data if something were to go awry, like a disk becoming corrupted),

Ensure that there is a way to regain access to the information if one forgets one's password,

Etc.

Try doing the above for more than one computer, and soon you're running into logistical problems. Indeed, effective encryption key management is seen as the top challenge for organizations that use encryption to secure their data.

The use of an encryption management server, if one's available for the particular cryptographic software you're using, resolves these issues but introduces another problem. Namely, that you've got to maintain the server, which requires its own resources: employee time; additional costs for said time, underlying software, hardware, server space, etc.; and concerns about scalability and reliability. (On a personal note, I've seen encryption management servers slow down once they start reaching around 2,000 users, a stark contrast to its zippy past when there were only a couple of hundred endpoints listed.)

Avoiding such problems is what makes AlertBoot Mobile Security such an effective service. The cloud-based solution makes keeping track of encryption keys very simple, and installation can be started in minutes, not days (or weeks, or months!) from anywhere with an internet connection. And, the 24/7 password recovery (via phone or web-based self-service) ensures that users will have a verified method for regaining access to their machines.

Of course, encryption is not the be-all, end-all: seeing how APP 11 is the eleventh privacy principle, logic dictates that there must be at least ten more of these (there are thirteen in all), and their compliance bring their own unique challenges.

However, encryption is bound to be one of the core solutions for compliance, and AlertBoot is one of the easiest and cost-effective methods to do so. If you'd like more information, you can start by visiting us here or here, if you're looking to become a partner.

Encryption And Security: WWII Encryption Cracked, Shows Strength Of Crypto Algorithms

sang_lee — Mon, 06 May 2013 09:32:00 GMT

World War II and encryption is back in the news. According to the Daily Mail, mathematicians, historians, and geography experts at Plymouth University combined their efforts to crack the messages that were hidden in personal letters, letters sent home by a UK prisoner-of-war held in Germany. While the algorithm that was cracked is not as dependable as modern mobile encryption and security, it shows us why cryptography is a powerful information security tool.

As I alluded, this is not the first time that old-time cryptography is making waves in modern times. The world was treated to a bizarre surprise when cleaning out a chimney resulted in the discovery of a 70-year mystery. The big difference in this case is that we know that happened, unlike the dead-pigeon saga.

Smalltalk about a Garden Turns into Coded Casualty Report

The folks over at dailymail.co.uk put it best when they noted:
Many seeds are left, being saved from several plants which did very well some time ago.
'Our last year's harvest was extremely good. Well worth repeating again for this year.'

But it meant: 'HMS Undine attack failure. Trawler depth-charged, scuttled in 70 feet, three burnt.'
The encryption (and decryption) algorithm is quite a pretty convoluted process. Among other things, there were:

Predetermined indicators that a letter contained a coded message: (1) writing the letter's date in "Continental format" (day/month/year) as opposed to the typical English method (month/day/year), and (2) underlining one's own signature at the end of the letter.

Using the first two words of the first line (after the greetings) to indicate what kind of grid/matrix to use.

Counting only the fourth or fifth letters to create the message.

Using certain keywords as signifiers for the end of a message, the start of a message, and secret requests for items that could be used during an escape.

When you consider how simple the code is, relatively speaking, it's amazing how much information the POWs were able to pack in their letters. I'm especially impressed by the use of the matrix at the beginning, since it would make it harder to crack the code.

Mobile Devices and BYOD: Modern Encryption Much More Secure

Of course, modern encryption – for example, those used to protect smartphones and tablets like iPhones and Android phones – is much more secure than what was used in WWII. But, the principles remain the same.

Well, to a degree. With modern encryption such as AES-256, which is used by AlertBoot to protect hard drives on laptop computers, most estimates show that all the processing power in the world would still take a few centuries before a significant dent can be made in forcefully cracking data.

This is why if your workplace has a "bring your own device" policy, you're probably required to use encryption on your smartphone, tablet, or PC/laptop: even if you lose your device, the chances of the data falling into the wrong hands are infinitesimally small.

Android Security: Pattern Lock Is Stronger Than You Think

sang_lee — Fri, 03 May 2013 08:15:00 GMT

How secure is the pattern lock found on Google Android devices? Apparently, quite a bit. Of course, it can be made very easy to crack. For example, if the so-called pattern is a straight line, that's not much security, is it? That's the equivalent of using "password" as a password, and defeats BYOD smartphone security, even if something like AlertBoot's Mobile Security is used to enhance their protection.

But, if you're not into hamstringing yourself, it turns out that the pattern lock can be very secure. So secure, in fact, that the FBI had to issue a warrant to Google to get the device unlocked.

Or so the headlines would lead you to believe....

FBI Wants Access to Pimp's Phone

"FBI, stumped by pimp's Android pattern lock, serves warrant on Google" is the headline at arstechnica.com (14 March 2013). A similar observation is made by wired.com.

The story: a pimp with a criminal history is found to be using an Android phone to coordinate his business activities in the sex trade. The FBI gets a warrant to search his house and belongings, which includes the phone. Pimp won't cooperate. So, the FBI sends the phone to its technicians, who eventually end up triggering a device lock-out after too many erroneous attempts. Once that happens, the FBI applies for a second warrant so that Google will unlock the phone.

So, what happened? As the arstechnica.com article notes, studies have shown that smudges on the phones can defeat the pattern lock. It's a guessing game, and under "ideal conditions" researchers were able to gain access to a phone 90% of the time.

But then, those are under ideal conditions. Make the pattern long enough and complex enough, and the odds of successfully breaking into a smartphone plummet. Especially if you attempt it more than 20 times. After the twentieth entry, the phone will lock you out, as noted earlier, and the only way to regain access is to provide the Google email address and password.

Mobile Security: MDM Controls Maximum Number of Failed Attempts

One of the features in AlertBoot Mobile Security is setting a policy for the number of failed passcode attempts before data on a device is wiped. This is a powerful way of ensuring data security for two reasons:

Chances are that, if the passcode is entered incorrectly too many times, it's not the device owner who's trying to gain access. (Of course, you need to find a balance. One wrong attempt is too little, but more than 15 wrong attempts is too much, never mind 20!)

Remote wiping sometimes doesn't work because the device is not connected to a network. Why not establish a self-destruction mechanism independent of internet or cellular network connectivity?

The real star of the FBI story is not really the pattern lock – which can work wonders, obviously – but the fact that you (or, rather, someone other than you) will get locked out after too many incorrect attempts.

If there was no limit, who's to say what would have happened?