AlertBoot Endpoint Security : file encryption

UK BYOD And Data Security: Nursing and Midwifery Council Fined £150,000

sang_lee — Thu, 07 Mar 2013 09:41:00 GMT

The Information Commissioner's Office (ICO) in the UK has issued a £150,000 monetary penalty to the Nursing and Midwifery Council (NMC) for a data breach involving one nurse and two children. In an age of smartphones and tablets, how the data was breached is almost anachronistic (three DVD discs were lost). The use of data security software like AlertBoot's Mobile Security and full disk encryption can help in such instances, but only if people decide to use it.

DVDs Delivered by Courier

According to techworld.com:
The three DVDs of highly sensitive witness videos of children were supposed to be delivered [for a misconduct hearing], but when it arrived the package was found to be empty.

Despite there being no obvious sign of tampering, the DVDs were never found.
It wasn't only the DVDs that couldn't be found. Because of the data breach, the ICO did a follow up on the NMC's security practices and found that there was nothing in place: not only were the DVDs in question not protected with encryption software, the council didn't have any policies in place for securing sensitive data, whether at rest or in transit.

This is a big no-no since it's the primary reason why a data breach takes place: because one wasn't preparing for it. In this day and age, a data breach is a matter of "when" and not "if". Thus, if you're dealing with information on a daily basis, you've got to assume that you'll be involved in a data breach at some point, especially if you are dealing with sensitive information. It's only logical, then, that you have policies in place to ensure that you minimize the risk of such an event from happening, policies that not only involve conduct, but the right tools.

For example, a policy that states "don't take sensitive data out of the office" doesn't work because (a) people ignore such policies and (b) someone will run across a situation where that rule has to be ignored (one may have to send DVDs full of information to a misconduct hearing, e.g.). So, a technological solution or tool must also be in place, such as easy to use encryption software. At the same time, policy must insist that these tools be used, no ifs or buts.

(In NMC's defense, they claim that they did have such policies. According to information-age.com, their policies require the use of encryption. The latest fiasco was an oversight, which happens, more often than you think).

One of the Largest Penalties to Date

The ICO's fine represents one of the largest penalties I've run across to date. Only the £250,000 penalty levied on Sony, in January 2013, for its notorious 2011 hack, is larger, if I'm not wrong. The irony is that £250,000 looks like a pittance on a "per individual" basis since it affected over 100 million people across the world (cents on the dollar. Granted, the ICO has only jurisdiction over the UK so the "per individual" figure can only rise if we limit the people count to the UK), but the NMC's represents a whopping £50,000 per person. In some ways, it feels like the ICO is stepping down on the "little guy" while a global Goliath is getting away with it.

That is, until you realize that the NMC has over 660,000 registered nurses, and there's nothing "little" about it. Once your data count starts involving more than three zeroes, it behooves you to step up to the data security challenge.

Protecting USB Ports: AMD Accuses Former Employees Of Stealing Documents

sang_lee — Thu, 17 Jan 2013 17:15:00 GMT

AMD, Advanced Micro Devices, has filed suit against a number of former employees. The claim is that they stole "thousands of confidential documents" (extremetech.com) by copying AMD secrets to external storage devices, and took these to rival NVIDIA. Stunts like these are why external disk encryption is part of AlertBoot's Mobile Security solution: don't only encrypt the contents of your computer, also encrypt USB media that's connected to it.

Forensic Revelations: Two Storage Devices Connected to Computers

Neither the story nor the legal paperwork mentions that the storage devices were USB devices. However, line 14 of "Advanced Micro Devices, INC., v. ROBERT FELDSTEIN, MANOO DESAI, NICOLAS KOCIUK, and RICHARD HAGEN" notes that:
The last day Mr. Feldstein used his AMD computer before leaving for NVIDIA, two external storage devices were connected to his computer.
You don't "connect" CDs or DVDs, and FireWire/1394 devices are kind of rare, so, it's quite obvious that a USB device was used to perpetrate this particular crime. Based on what was stolen by the accused – two licensing agreements and a document outlining AMD's licensing strategies, as well as emails, trade secrets, technological secrets, full copies of laptop and desktop computers, among others – it must have been a combination of thumb drives as well as high capacity external drives.

AMD maintains that they "took reasonable steps to preserve the secrecy of [the] information." I don't doubt it, but couldn't they have gone a step further?

Authorizing USB Sticks to be Used on Work Computers Only

The following is not necessarily the ideal solution for all companies, but AlertBoot features a solution to the problem of outside USB devices being used in the workplace: automatically encrypt any such devices that are connected to computers protected with full disk encryption.

The primary purpose for this AlertBoot feature was to allow the secure sharing of data between two computers that had their hard drives protected with encryption software. Sometimes, it's just easier and quicker to pass the information using hardware, as opposed to sending it via email, ftp'ing it, or other methods that don't involve "sneakernetting."

An unintended consequence of this feature is that employees quickly learn not to stick any USB device into their computer's ports, as the encrypted devices will not work outside the workplace. At least, they won't work without reformatting and losing all of their data in the process, which also works towards preventing data breaches.

Australia Encryption Problems: Russian Hackers Use Crypto For Data Ransom

sang_lee — Wed, 12 Dec 2012 00:12:00 GMT

Hackers of the Russian variety are holding the Miami Family Medical Centre hostage for $4,000. That's Miami, Queensland (Australia) and not Miami, Florida. That's right, there's a Miami in Australia. As surprising might be the news that encryption software like AlertBoot can be used, not to protect data, but to corrupt it.

Server Hijacked, Encrypted

The Miami Family Medical Centre has announced that hackers are demanding $4,000 (Australian. That's $4,200 American) to provide the encryption key that will unlock the center's own data. According to spokespeople for the center, they had proper security in place – firewalls, antivirus software, etc. – and believe that in this case

the hackers had "literally got in, hijacked the server and then ran their encryption software".

"It's people who know how to break in past firewalls and hack passwords to get onto the server. We're trying to work out how to pay the hackers or find someone to decrypt the information." [pulseitmagazine.com.au]

Well, I'm sure Mr. Wood doesn't mean "literally got in." But, the rest of the statement sounds par for the course: "ransomware" usually involves hackers infiltrating an organization's network, finding a server with essential data, and encrypting it. Since only the hackers know what the key is, they'll offer it in exchange for money, in this case, $4,000.

When you consider that cracking crypto is nearly impossible if strong encryption is used, such as the AES-256 used in AlertBoot's full disk encryption, the $4,000 is almost worth it. Even if the data can be regained via methods other than acquiring the hackers' encryption key, it would probably end up cheaper to pay off the aggressors.

On the other hand, if one has daily backups, it might be easier and cheaper to restore the data using these than paying off the extortionists. After all, where's the guarantee that they'll send the key after being paid?

Encryption: One Facet of Data Protection

Many people hear the word "encryption" and assume "data protection." It's not an incorrect reaction to have. After all, one of the best ways to secure data is via the use of good, strong crypto. However, it's not the only method. And, like most tools, it can be used for good or evil.

In order to maximize the protection that comes from using encryption, you must also ensure that you have proper backups of the data (which should also be encrypted). Proper backups are necessary not only as a contingency plan for instances where hackers hijack you data, but as an arrangement for all the other things that could happen: your computer gets stolen; your data gets corrupted; your office burns down; etc.

In other words, the same reasons why backups for data are a good idea in the first place, with or without encryption. Except, with encryption in place, there's even more of a reason why you should be using it.

Old Encryption Is Still Worth Its Mettle: WWII Pigeon Code Goes Unbroken

sang_lee — Sat, 24 Nov 2012 00:13:00 GMT

Old encryption usually can't hold a candle to modern, strong encryption like the AES-256 algorithm used in AlertBoot Mobile Security suite. However, sometimes they can be more than effective. For example, GCHQ has announced that the encrypted World War II message found with the remains of a dead pigeon -- found about a month ago -- will take its secret to the grave.

Cannot Be Decoded - One Time Pads

GCHQ, the UK's signals intelligence arm, has announced that the World War II era message is impossible to crack, at least not "without access to the original cryptographic material," because "much of the vital information that would indicate the context of the message is missing":

During the war, the methods used to encode messages naturally needed to be as secure as possible and various methods were used. The senders would often have specialist codebooks in which each code group of four or five letters had a meaning relevant to a specific operation, allowing much information to be sent in a short message. For added security, the code groups could then themselves be encrypted using, for example, a one-time pad. [gchq.gov.uk]

The use of one-time pads would make decryption not only hard but possibly insurmountable: of all the cryptographic methods, the one-time pads are the only ones that are theoretically unbreakable. All other methods, given enough time, will fall to deciphering techniques -- although, when that time is measured in eons like AES-256 is, it's almost as good as theoretically unbreakable.

One-time pads, of course, do have an Achilles' heel: whatever the correspondents used to decipher the messages themselves. Since the message is by a UK officer meant for UK eyes, it only follows that GCHQ would be able to retrieve the message using historical records.

But, as mentioned before, critical information that would help find these records are missing, possibly on purpose: "codebooks and the systems used to encrypt them will normally have been destroyed once no longer in use." Which makes sense.

Things in storage go missing, and certain information remains classified -- for legitimate reasons -- for a long, long time. Assuming that past enemies have intercepted certain messages, which are also filed away, having unused codebooks presents a risk.

Clues

GCHQ does have some clues as to where to look:

The abbreviation "Sjt" was exclusively used in the army.

Two identifiers at the end of in the message could identify the pigeon.

The addressee is X02.

It looks like the BBC has the best summary of what's going on, what the challenges are.

Data Encryption Breach Penalties: Greater Manchester Police Pays £120,000 For Lack Of Data Security Training

sang_lee — Thu, 18 Oct 2012 00:26:00 GMT

The Greater Manchester Police in the UK has recently been assessed a penalty of £150,000 (reduced to £120,000 for early payment). While many publications are claiming that this figure primarily ties to the theft of a USB stick, the truth is that the Greater Manchester Police (GMP) was fined for not having better sense.

What type of "sense"? Why the use of data security tools like AlertBoot, which ensure the protection of sensitive personal data using advanced encryption technology.

USB Stick Stolen is Part of a Pattern

According to the Monetary Penalty Notice filed in this case, an officer that worked with the GMP's Serious Crime Division ("mainly the Drug Squad") had his USB memory stick stolen on July 17, 2011. The device was kept in his wallet, which was stolen was stolen during a home burglary.

(This factoid gave me a boob tube flashback: George Constanza's exploding wallet / personal filing cabinet / not a purse. I guess the use of a USB drive is one way to ensure one's wallet doesn't become morbidly obese).

The officer in question was with the Serious Crime Division for over 10 years, and he used the USB stick to "create a backup of his folder and to enable the officer to access information when he was out of the office or at another site." A forensic, post-breach investigation revealed that information on 1,075 individuals was saved to the device and that it was not protected with encryption. This was against a September 2010 Chief Constable Orders (CCO) that instructed everyone to use an encrypted disk.

But the officer cannot be blamed directly, as he "was on leave at the time this CCO was issued," "never had any specific training on data protection," the use of encrypted storage media "was not effectively enforced," and "no further steps were taken to prevent the use of USB sticks other than encrypted ones."

Approximately 1,100 Unauthorized USB Sticks Used

Following the above incident, the GMP engaged in what's known in certain circles as "fixing the barn after the horses have fled CYA maneuver" (CYA being short for "Cover Your A--"). I call it prudence: the GMP declared amnesty for people not following the CCO, and rounded up all unauthorized USB sticks it could find.

The effort netted approximately 1,100 memory sticks and an admission that "some of the devices have still not been recovered."

It was further revealed in the Notice that GMP had a similar breach in 2010.

More Dormant Security License Issues

Yesterday, I had noted how the Veterans Affairs Department in the USA had wasted a cool $5 million on encryption licenses that had not been used since 2006. One has to wonder how many of the encrypted USB devices the GMP purchased have gone unused since 2010, just lying there and collecting dust.

The management of such devices and licenses can pose a significant challenge to many organizations. However, ensuring that they're properly managed and deployed is necessary and beneficial for many reasons:

Increased data security. That's what the procurement was about, right?

Adequate use of financial resources. Nothing worse than having your money tied up on software that you're not using.

Indirect assessment of your problem. You bought 1,000 -- presumably because an assessment showed you needed 1,000 -- and still have 900 waiting to be deployed one year later. You've got a problem somewhere, buddy.

Plus, the fact that you won't be publicly shamed or that you'll end up owing more £100,000 to the government has its merits as well.

Data Breach Costs: Scottish Borders Council Fined £250K

sang_lee — Thu, 13 Sep 2012 02:33:00 GMT

Scottish Borders Council has been fined a total of £250,000 for a paper-based data breach that occurred in September 2011. Per my tracking, it's the second highest monetary penalty assessed for a data breach. The ICO, Information Commissioner's Office, is sending a strong message: make sure you're securing personal data. Businesses in the UK ought to take notice, and ensure that their data is protected, be it via a mobile device security program, contractual clauses, encryption on laptops, etc.

Digitizing Data

The data breach, which was slapped yesterday with a £250,000 by the ICO, took place in September 2011. A person discovered a "recycling bank" (a quick image search indicates that British recycling banks are what Americans would call dumpsters) that was stuffed with files that contained personal data. The police were contacted.

A total of 10 boxes with 848 files were dumped in separate recycling banks by a contractor to Scottish Borders Council. The files -- involving SBC's employee pension details, including bank and salary information in nearly half of the compromised files -- were given to the contractor to be digitized, a job that's been proceeding in the same manner since 2005.

In light of the data breach, the contract was terminated.

The ICO, however, duly noted that:

The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.

But Scottish Borders Council put no contract in place with the third party processor, sought no guarantees on the technical and organisational security protecting the records and did not make sufficient attempts to monitor how the data was being handled. [ico.gov.uk]

Why So Serious?

While the specific nature of the breach is new, breaches similar to the SBC quandary are quite prominent in the annals of data breach notification to the Information Commissioner's Office. So why the £250,000 penalty?

In a section of the ICO's Monetary Penalty Notice labeled "Aggravating features...taken into account in determining the amount of a monetary penalty," the ICO notes that the following were the roots for a large fine:

Serious nature of the confidential personal data

Has been occurring since 2005

Contractor was free to dispose documents in a non-secure manner (due to the lack of specific contractual agreements)

Furthermore, it was revealed that the digitized data has been delivered to the SBC via data discs (CD, DVD) that were not protected with encryption. If you'll recall, that's the same practice that ended up affecting nearly half the UK's population and led to significant changes in how the ICO dealt with data breaches (and probably led to significant updates of the Data Protection Act as well). There's no way that revelation bought SBC any love.

The BYOD Angle

As more companies around the world start riding the crest of the BYOD wave, which promises to become a tsunami in less than 5 years, according to some experts, it follows that incidents like the above, where paper-based files are the center of the controversy, will occur less frequently.

However, the risks of not being compliant with the Data Breach Act are greater due to the mobile nature of the devices that are present in a BYOD program. The above penalty is a clarion call (quite a late one, actually) that organizations which handle personal data must pay attention to the status of the personal data they've been entrusted with at all times. This includes instances, perhaps especially those instances, where personal data is being entrusted to a third party.

Going forward, it might be required for UK companies to not only pay attention to their own mobile data security, but whether third parties they contract with are also using MDM software and other mobile data protection tools.