AlertBoot Endpoint Security : secure digital assets

Apple BYOD Protection: Pentagon Clears Apple Devices for Use In DOD Network

sang_lee — Mon, 20 May 2013 12:00:00 GMT

Many media outlets are reporting that the US Department of Defense (DOD) has finally approved the use of Apple devices on its network. I see plenty of comments like, "Great, prepare for malware to spread in our country's military networks because some government worker decided to download the wrong game" or some nonsense.

Yeah, BYOD, or Bring Your Own Device, introduces risks. That's why you need to have the appropriate infrastructure to support BYOD, including the use of MDM (mobile device management) solutions for smartphones and tablets like AlertBoot Mobile Security.

It also helps if your BYOD project is not actually a BYOD project.

Apple Devices are STIG-tastic

Defense.gov reports that:
The release of the Apple iOS 6 STIG is a major stride in building a multivendor environment, supporting a diverse selection of devices and operating systems, DISA officials said. This STIG and the recently approved STIGs for the BlackBerry and Samsung Knox operating systems demonstrate DISA's commitment to validate a range of devices that meet DOD security standards so the best technology is available to achieve mission requirements, they added.
The STIG, or Security Technical Implementation Guide, is documentation designed to standardize security in the installation and maintenance of computer hardware and software, according to Wikipedia.

It Ain't BYOD If You Don't Bring It

What this all means is that Apple can now sell their devices to the military. This does not mean that people can bring their own iPhones and connect them to the government network. Also from defense.gov (my emphasis):
government-issued iOS6 mobile devices are approved for use when connecting to Defense Department networks within current mobility pilots or the future mobile device management framework
See how it says government-issued? A further explanation by the same site (my emphasis):
Officials said the STIG does not allow personally acquired mobile devices to connect to DOD networks.
In other words, they'll give employees an iPhone. Or an Android phone (as long as it's a Samsung, I guess, or running KNOX). Or perhaps even a Blackberry. Basically, the DOD, which is already leveraging Blackberry devices for better productivity and communications, is now widening their options in terms of hardware (and possibly software).

No BYOD here. More like CYOD, Choose Your Own Device.

Fool Me Twice, Shame on Me

The capriciousness of the "here come the data breaches" comments are a little annoying. Granted, the military once had a huge problem in their hands due to USB memory sticks, and ended banning all removable media devices on DOD machines. However, I like to think that much has changed since 2008. It seems quite obvious to me that the DOD would have learned something from the experience; they're most probably not approving Apple and Samsung devices without a good idea of what they're doing.

Getting Philosophical

Now, you might say, "hey, it's a matter of when, not if. That's the nature of data breaches. You can't really escape it; you can only be lucky enough not to be there anymore when it happens." In other words, MDM, passwords, encryption, location tracking, etc. are all for naught; attempting to provide security is useless when you know it's going to eventually happen.

Well, that's also true when it comes to death. The probability of you meeting your maker is 100% (in a manner of speaking), but mass suicides are severely lacking among the logical crowd. Often times, engaging in the "impossible" is still worth doing regardless of the odds.

Data Backup Encryption: Kmart (Inadvertently) Suffers Data Breach At Gun Point

sang_lee — Mon, 29 Apr 2013 13:31:00 GMT

Do you backup your data? Excellent! Do you use encryption software to protect its contents? Not doing so means that you've joined the "Data Breach Club," where the chances of a data breach are not an "if" but "when." Take Kmart as an example, which had a data breach because a thief robbed one of its store at gunpoint.

Nobody Expects their Data Backup to be Stolen

When I first heard that Kmart had to publicize a data breach because of HIPAA regulations, it hit me like a bag of surrealistic bricks (Kmart and HIPAA/HITECH?). But, I remembered that many Kmart locations also include a pharmacy. The story, as storefrontbacktalk.com describes it, is as follows:

On March 17, an armed robbery took place at a Little Rock, Arkansas Kmart. The assault took about an hour after closing time, and the perpetrator pointed a gun to the assistant store manager and forced him to open the store safe. The thief wiped it clean, which included $6,000 in cash and a backup disk.

The backup disk contained "full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers" and, in certain cases, SSNs as well (well, more than a few. The spokesperson noted it was a "few hundred customers."

It was expressly pointed out that disk encryption was not used, nor its enfeebled cousin, password-protection.

Aside from the obvious mistakes, the spokesperson made two additional observations: (1) that accessing the customers' information "is slim to none, because you would need to know what software package" was used, and (2) that they were quick in contacting customers because they did so in about a month, as opposed to the 60 days that they're given.

Data Breach Possibility, Slim to None: Only If You Used Encryption

The observation that accessing customers' information is slim to none is debatable at best. It is slim to none because chances are the thief is not going to look. Generally, when a laptop gets stolen, it's wiped and reformatted for sale (at least, that's the reigning consensus). One assumes the same would hold for disk drives used as backups.

Then again, we must remember that this disk drive was inside a safe. That already suggests that something valuable is stored in it. Under the circumstances, what are the chances that the thief will ignore the suggestion that it's worth his while to see what's in it?

And, if he does, then the odds of a data breach are not really slim to none: freely available software from the internet can be used to scan a disks contents for particular information, like Social Security numbers (either as a pattern of 000-00-0000 or as a string of 9 numbers).

Only in the event that encryption is used can one confidently declare that particular breach is nearly riskless.

HIPAA Data Breaches and Unreasonable Delays: You (Don't Really) Have 60 Days to Report It

One of the more misinformed statements I've read is the following:
Asked why the delay [a little over one month], Sears spokesperson Shannelle Armstrong-Fowler pointed out that the chain moved much more quickly than the law requires. "Under HIPAA guidelines, 60 days are available for a health care entity to investigate and report on a potential breach. We completed our investigation and notified customers in approximately thirty days," she said.
This is entirely correct as well as partially true (what, you say? That sounds like a contradiction? Read on). As the Department of Health and Human Services (HHS) has pointed out in various publications, a breached entity must contact affected patients within 60 calendar days. However, it has noted that the HIPAA covered-entity must also contact patients as soon as possible. In a previous post (Does HIPAA / HITCH Really Give You 60 Days For Patient Notification?), I wrote the following:
It behooves administrators for a HIPAA-covered entity to take a good look at the HHS's opinions on the matter of data breaches and notifications. The 60-day limit is an "upper limit" and covered entities are expected to contact patients ASAP.
and supported the argument by noting the following passages from the Federal Register:
"...if a covered entity learns of an impermissible use or disclosure but unreasonably allows the investigation to lag for 30 days, this would constitute an unreasonable delay."

"...if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days."
If the HHS Office of Civil Rights (OCR) were to conduct an audit and were to find that Kmart had unnecessary delayed contacting patients, it could mean severe legal repercussions for the wholesaler. Under HIPAA, 60 days is not really 60 days.

I'm no PR expert, but it seems to me that the spokeswoman should have focused on stating that they had to conduct an investigation, couldn't finish it any sooner, and notified its customers as soon as possible.

Of course, when you consider that the stolen disk affected 788 Kmart customers, one wonders whether they couldn't have been notified any sooner, and whether 30 days was really necessary. I've certainly seen situations where even more people were affected and notification letters were sent in a couple of weeks.

On the other hand, I've seen the inverse as well. The trick, it seems, is to design your systems with the possibility that a data breach will occur. By doing so, processes for a quick recovery are implemented.

For example, the reporting engine in AlertBoot Mobile Security allows one to easily generate mobile security audit and incident reports. It's used by many of our clients to prove compliance with laws and regulations in the event a mobile device (like a smartphone or a tablet) or a laptop computer is lost or stolen.

US Fifth Amendment Rights: Suspect Cannot Be Compelled To Surrender Encryption Password

sang_lee — Fri, 26 Apr 2013 12:15:00 GMT

The United States' Fifth Amendment and encryption software like AlertBoot have a complicated relationship. The question is: can the government force you to reveal your encrypted data? The answer: it's complicated and depends on the situation.

However, it looks like things are beginning to converge towards certain key ideas. While nothing will be definitive until the issue is addressed at the highest courts in the nation (and not for lack of trying), a handful of cases are allowing one to converge upon when forcing a suspect to give up a password or to provide decrypted data would be a violation of a person's Fifth Amendment rights (and when it isn't).

In Re The Decryption of a Seized Data Storage System, 13-M-449 (E.D. Wis. 2013)

In re The Decryption of a Seized Data Storage System, the latest "encryption vs. the Fifth Amendment" case I've come across, a man is accused of storing child pornography in several encrypted computer hard drives. The FBI, after unsuccessfully trying to gain access to these disks for four months, attempts to coerce the suspect to decrypt the disks. The suspect refuses to do so, pointing it would be a violation of his Fifth Amendment rights.

So far, this is no different from the handful of past cases that dealt with the same issue: the John Doe case from 2012; the Fricosu case from 2011; and the Boucher case from 2009. (Incidentally, including Seized Data Storage System, three out of the four cases involve child pornography; however, this law is important for all sorts of reasons).

Seized Data Storage System a different from the others because the judge in charge ruled that coercing the suspect into decrypting the data is a violation of his rights. Of the three previous cases I've quoted above, the John Doe case resulted in a win for the suspect, whereas the Boucher and Fricosu cases resulted in the courts ordering the suspects to provide decrypted data.

Despite the different outcomes, it's now clear that the three cases were following established procedures and legal precedents. This fourth is just another data point that shows what's what.

Data Encryption Software, US Fifth Amendment, Foregone Conclusion, and Act of Production

While going over the Fricosu case a couple of years ago, I happened upon some material that explained how the government could legally coerce a defendant to produce evidence against himself without trampling on his rights.

Now, I'm not a lawyer, but basically, it's revolves around the doctrines of "foregone conclusion" and the "act of production." For example, forcing a suspect to produce evidence is not against one's rights if the government already knows about the evidence. The suspects may refuse to do so, but then they're in contempt of the court that made the order.

In the case of Seized Data Storage System, the judge concluded that the act of providing a password, either directly or indirectly, would work against the suspect. It would give them information that the government has no other way of confirming whether it exists. Hence, the Fifth Amendment rights kick in.

(More specifically, the judge called it a "close call". If you go over the Fricosu case, you might get an idea why: as far as I know, it was never admitted by the defendants that they held data in their laptop. A tape recording, however, revealed that the defendants had some kind of data that they wanted to keep away from the government's lawyers).

All of this is still in line with the courts' rulings over the past five years. Unless something dramatic happens, it looks like the courts are basically in cruise control mode.

Personal Data Breach: Consumer Churn Rate Directly Tied To Infosec Events Is Significant

sang_lee — Mon, 22 Apr 2013 08:46:00 GMT

A global study has revealed that personal data breaches lead to sizable numbers of customers to turn their back on companies. This might not be news, but perhaps the figures are: 23% of the respondents affirmatively answered that they have stopped doing business companies that failed to properly safeguard their data. All the more reason why a company should up the security ante by using some kind of data protection solution like AlertBoot (especially in this age of BYOD).

We Will vs. We Have

News of this study comes courtesy of databreaches.net. As the author at the site noted, there is a tremendous difference between what people claim they will do vs. what they actually end up doing. To account for this discrepancy, the authors of a study by the Economist Intelligence Unit asked the following (my own paraphrase):

Would you stop doing business with an organization that breached your data?

Have you actually suffered from a data breach, and if so, did you stop doing business with the company that experienced the data breach?

To the former, 32% of the respondents answered in the affirmative. To the latter, 38% answered in the affirmative.

This is a very curious outcome. Generally speaking, the latter tends to be lower than the former. That is, there are always more people that say they will do something, in contrast to those who actually do something. Hark back to New Year resolutions, for example: you'll always have more people who promise to lose weight, or to read more, or to procrastinate less; how many keep that promise, though?

What does this unexpected finding mean? Off the top of my head, it seems to indicate that it's only after they've become victims of a data breach that people realize the severity of the situation.

Spillover Effect

Not only that, it turns out that there are further ramifications:
the EIU research also found that 46% of respondents that had suffered a data breach had advised friends and family to be careful of sharing data with the organization.
Many companies look to get their products to "go viral" or make it spread via word of mouth, knowing that recommendations from friends, family, and acquaintances carry more weight than any marketing campaign some guys in an office can create.

Imagine, then, the disastrous effects the above could have on a company.

Nip It in the Bud because It's a Drop in the Bucket

An ounce of prevention is worth a pound of cure; so goes the old saying. Nowadays, I'm under the impression that the value of the cure is much, much higher.

Consider all the things that could go wrong by not employing, say, a BYOD security solution like AlertBoot Mobile Security. Assume that you can get the service for $100 per year, per device (it's actually much more cost effective, but I like easy numbers to work with).

Also, assume you've got 100 employees who opt to bring in their smartphones and tablets to use at work. This means you'd be spending $100,000 per year on what appears to be a bottomless pit. After all, it's not as if security threats are going away any time soon. One hundred large ones sound like a big number.

But what about the flipside of the coin?

There's the approximate one-third of your customers that will not be doing business with you in the foreseeable future. What does that translate to in lost revenue?

Your marketing will see a drop in ROI as you work harder to bring in new clients to replace the ones you've lost. That's money you didn't need to spend if you had proper security, on an activity whose efficiency is debatable.

Depending on which sector your business is in (finance, healthcare, e.g.), you might have to incur the costs of an audit, internal as well as external (by the government, such as an audit by HIPAA/OCR). These easily run into the five figures, at least.

Reaching out to "breachees". Most state and federal laws that oversee personal data laws require that first-class mail (or equivalent) be used. If the breach involves 200,000 people and you can mail each letter for $0.25, that's $50,000 you're spending to shoot yourself in the foot. That cost doesn't include the loss of productivity as your employees are working to help you shoot yourself in the foot.

Why do I keep writing that "you're shooting yourself in the foot"? Because around 33% of the people you're reaching out to will probably turn their backs on you, per the survey.

Lawsuits. 'Nough said.

No doubt there is more to the flipside of the coin; I've just run out of time to list them all. What would all of this cost? Depends on the size of the breach, but it could very well be in the millions of dollars.

For example, BCBS of Tennessee saw its data breach costs soar to $7 million when 220,000 patients were affected by a data breach. By the end of the whole ordeal, they had spent nearly $10 million for contacting members affected, investigating the theft, and offering free credit protection".

And this is before the fine that OCR levied on them for breaching HIPAA (technically, BCBS settled for $1.5 million, which is the maximum penalty that OCR can assess), or the reputational damage they took.

Or the security solutions they ended up adding into their risk prevention portfolio.

Financial Data BYOD: Investment Industry Regulatory Organization of Canada Loses Info On 50K

sang_lee — Wed, 17 Apr 2013 08:22:00 GMT

According to Canadian media, the Investment Industry Regulatory Organization of Canada (IIROC) has lost a "portable device" that contained information on over 50,000 people. The IIROC has not been very responsive regarding the details, including whether the device was protected with a mobile data management software like AlertBoot. However, we know this much: they're "very sorry."

52,000 Clients of 32 Brokerage Firms Affected

According to theglobeandmail.com, among other media outlets, the IIROC has blamed itself for the "unfortunate but isolated incident" and has promised to strengthen their internal controls so that the situation does not present itself in the future.

The regulator's spokeswoman noted that the IIROC does not want to make public details about the case (and make things worse):
"We are concerned that disclosing details of the incident may put clients' information at greater risk of being targeted for unauthorized use," she said. "We have communicated with all affected firms and are notifying their clients whose information was on the device."
Maybe it's just me, but this does not sound like the words of a confident organization that knows their data is secure, despite not exactly knowing its current whereabouts. Could this be indicative of a situation where this lost device has not been encrypted?

This would not be the first (or last) time that something like this has happened. The loss of USB drives and external hard drives have accounted for hundreds of public data breaches around the world. You can bet that many more go unreported.

The combination of "extremely portable" and "high capacity," compounded with people's inability to delete data – it's always easier to keep it around if you've got lots of storage space left, which is why my web-browser bookmarks point to YouTube clips that don't exist anymore – creates a potent and poisonous mix that will lead to a data breach, sooner or later.

Our Recommendation: Control and Encrypt

The best way to ensure that a portable device doesn't turn into a data breach is to not use one. Now, you might think this is easier said than done, but it isn't, in a way. There are companies out there in the world where they prevent the use of USB flash drives and such by taking a penny and gluing it to USB ports (my guess is that they're big into Bluetooth keyboards and mice).

Most companies, however, will benefit from the use of their USB ports. But, keeping them open and accessible also means that an employee could use their own USB sticks to copy data. What to do? At AlertBoot, we recommend controlling where the USB device can be used, and making sure that it's encrypted.

First, the use of encryption software will ensure that there is no unauthorized access when and if the device goes missing. Second, you can control where and how the device can be used by ensuring it doesn't work on unauthorized computers. Under the AlertBoot solution for full disk encryption, a USB storage device can only be shared with computers that are part of a trusted group.

So, for example, a USB device will work among computers lined at the front of the room, but not with those at the back of the same room (the device would show as unformatted thanks to encryption). It's just a matter of how you group the computers: by department, by team, by floor, etc.

Apple iMessage Security: Can The Government Really Not Access It Or Is It Bull?

sang_lee — Mon, 08 Apr 2013 09:43:00 GMT

Last week, cnet.com reported that the US government's surveillance was being hampered by Apple's iMessage. Today, I see techdirt.com reporting on accusations that this could be the government's attempts to engage in disinformation. Personally, I think this is a case of people seeing a conspiracy where there is none. Why? Because I wasn't under the impression that the government couldn't access iMessage chats after reading Cnet's article.

Not a Secret: iMessages Sync Across Apple iDevices

Techdirt.com thoughtfully summarized Cnet's article:

CNET had a story revealing a "leaked" Drug Enforcement Agency (DEA) memo suggesting that messages sent via Apple's own iMessage system were untappable and were "frustrating" law enforcement.
And followed it by revealing that:

In reading over this, however, a number of people quickly called bullshit. While Apple boasts of "end-to-end encryption" it's pretty clear that Apple itself holds the key -- because if you boot up a brand new iOS device, you automatically get access to your old messages.
That's right. You're able to see your old iMessages in a new device. Indeed, if you have more than one device from Apple, you'll see that the chats are synchronized: you can start an iMessage chat on your iPhone, continue it on your iPad, then check up on it on your iPad mini or iPod Touch, and return to it via your iPhone. This feature, if I'm not wrong, was highlighted in one of Apple's commercials.

Apple's iMessage: Secure from Government Poking? Maybe... But It Isn't Meant to be

Now, the ability to synchronize your iMessages across the board obviously indicates that Apple is able to get to it, and we can infer from this that the government can force the company to hand over the information via a warrant or otherwise.

And yet, it's not unfair to say that government could feel stymied by iMessage, at least for the time being. Consider the following:

iMessage has end-to-end encryption. The celebrated BlackBerry messages also feature end-to-end encryption. The difference between BB and Apple, though, is that BlackBerry (the company) does not know which encryption key is used (the "enduser administrator" sets it). Apple has made no such promises.

iMessage uses TLS. Transport Layer Security is the successor to Secure Sockets Layer (SSL). Easily put, it's the crypto that ensures your online banking sessions are secure, or that your credit card numbers aren't hijacked while you're buying stuff online. This same encryption also secures your iMessages. While researchers are constantly teasing out potential problems (like this one), TLS is powerful crypto be design. You can bet that it's harder than not to crack iMessages.

Apple is not a telco.

That last one probably contributes most to the DEA's problems. As cnet.com's original reporting noted,
telecommunications providers [are required] to build in backdoors for easier surveillance, but [this] does not apply to Internet companies, which are required to provide technical assistance instead.
Think about it: there's no substantial difference between a text message and an iMessage. The major difference is that the former is delivered by a telco and the latter by Apple (well, technically iMessages also go through telcos. After all, they own the fiber that allows intercontinental communications possible. But the encryption for iMessages is handled by Apple, making the presence of telcos in the mix a moot point).

They're Just Like Us (But with Guns)

When you consider how much information flows in, out, and within the US, you can bet the government's surveillance operations are automated as much as possible, not just in terms of data analysis but also in terms of acquisition. What do you imagine the DEA's complaint would sound like if they had to veer away from their tried and true (and, in their minds, easy) way of monitoring communications? They'd probably sound like me when I have to manually fill in my tax forms as opposed to using Turbo Tax. (Impossible! Frustrating! Will be the downfall of civilization as we know it!)

Likewise, let's say you're in "middle management" at the DEA. You find that your agents aren't doing as good a job as they could because they failed to notice the gaps in the "text messages" they acquired from telcos. What do you do? Well, you write a memo and distribute it, with helpful pointers and comments on where the challenges lie.

That's what I see when I read the DEA's leaked memo. I don't particularly think it was written for a notorious or subversive purpose – albeit, it is perhaps worth considering why it was leaked.

On the other hand, was it leaked? Look at what's written at the very top of the DEA's leaked message: Unclassified.