

Written Rules Are Worthless When It Comes To Ensuring Data Security
2007-10-12 10:55:00
While scanning the latest data security breach stories, I have noticed that a lot of them involve institutions of higher learning.  Most of them involve theft of digital devices, mostly laptops.  It’s only now that I’ve realized that a new school year has started just recently.  Most of these cases are trivial, if you will.  After all, computers were stolen when I was an undergrad, which was some time ago.  I’m sure computers will be stolen as well when my grandkids are in college.  A small number of these are not so trivial, since they point out errors, lack of precaution, or mismanagement of sensitive data in an academic setting.  One of the more salient cases in some time is the case at Western Oregon University.  To recap, a student discovered a file with personal data in a publicly-accessible university server. He downloaded a copy and handed it over to the campus newspaper.  The editor of the paper made another copy—app
Read more: Rules

Full Disk Encryption By Itself Is Partial Protection, but AlertBoot Provides COMPLETE PROTECTION
2007-10-11 16:09:00
Almost on a daily basis we hear about large organizations losing laptops or computer media with confidential customer or employee data.  The companies are then forced to determine their risk and liability by confirming whether or not the data was encrypted. The legal position is that encrypted data translates to no data loss, and the company is legally protected from the potential ramifications of losing a laptop or mobile media where the data could be easily extracted.  What’s the first question the company’s lawyers will ask?  Was it encrypted???? This SHOULD be an easy question to answer, but most of the disk encryption solutions out there provide little to no reporting functionality.  Such information should be readily available to the right people in management positions at a company.  Comprehensive reporting would also make it much easier to enforce encryption compliance within a company so there will be little to worry about when a laptop or USB drive is
Read more: Encryption , Itself , Partial

Full Disk Encryption For the Really (Really) Bad Times?
2007-10-11 15:23:00
I have been following a story for the past couple of days regarding the political events in Burma (Myanmar, if you prefer).  More specifically, I’m following, or have attempted to follow, an article that showed up in the Times where it was claimed that Burmese police and diplomats showed up at United Nations offices in Burma and demanded that UN workers turn over hard drives.  Apparently, there might have been information on dissidents in the UN files.  What I find puzzling about this is that no other mainstream media has picked up on the story.  Today, I’m reading that the Burmese government has officially requested information regarding the UN’s satellite equipment, I’m guessing used for communicating with UN headquarters.  There is so little information here, I’m almost tempted to wonder whether there was an attempt to cover up what could have become a significant international incident.  Well, aside from the other significant incident in Burm
Read more: Encryption

Laptop Security As Part of Freshman Orientation?
2007-10-18 16:50:00
A new school year has started in the United States, and already there seems to be a deluge of laptop theft stories in the media.  A small number of them are covered in the national media, such as the laptop theft in Arizona that affected students in Iowa:  a former teaching assistant in Iowa had stored Social Security numbers on his laptop, and moved out-of-state.  Then there is the case of the professor’s office that was broken into at Carnegie Mellon University, and two of his five computers were stolen (I’d like to point out that’s a lot of computers in an office).  Students’ Social Security numbers were present in the stolen computers and, as far as I can tell, these were not encrypted.    Then there are the locally covered stories (read: school papers) where student laptops are stolen from classrooms, dorm rooms, student centers, etc.  Normally, I tend to skip the local stories when looking for blogging material.  After all, compute
Read more: Freshman , Laptop

TSA Requires Disk Encryption Following Several Losses
2007-10-17 12:46:00
The Transportation Security Administration (TSA) has effectively ordered contractors to encrypt all data related to TSA activities.  Apparently, the tipping point was the recent loss of two laptops that carried the information of nearly four thousand Hazmat truckers.  This is not the first time the TSA has had issues with lost data: earlier this year a hard drive containing the employment records of 100,000 government workers was lost as well.  In that particular case, the information included Social Security numbers, dates of birth, payroll information, and bank account information.  The TSA got into a lot of trouble for that particular loss, as the hard drive disappeared from a controlled area at TSA headquarters.  As far as I know, the case remains unresolved and pending.  Obviously, the more recent loss is not the fault of TSA, but of the contractors working for the administration—hence the order.  The TSA already has policies requiring contrac
Read more: Encryption , Following , Losses

Data Protection: Need, Right, And Time Should Be Extended To Mobile Devices Such As Laptops For Better Security
2007-10-23 23:43:00
In a Government Technology article, an argument is made that access to data should be granted on a need, right, and time basis.  Now, this is not a new argument, and it was directed to securing databases and their contents.   The argument is that not everyone needs to have access to information on a database or databases.  Obviously, depending on one’s seniority and ranking within an organization as well as type of job one holds, the type of information that one should have access to will differ; the higher in the hierarchy, the more information one needs to access.  Along with the need, the right to access information is to be considered as well.  In fact, some would argue that the need and the right to access information are intertwined, and are not to be considered on a separate basis.  The third criterion, time, is meant to curtail access to the data as necessary.  If an employee always works from nine to five, there is no reason why he should
Read more: Devices , Extended , Mobile , Mobile Devices , Protection , Right

Alumni Data And University Administrative Functions: Data Encryption Is Vital, For Now
2007-10-22 21:49:00
There is news today that over seven thousand former students of the University of Cincinnati were affected in a data breach.  A flash drive with sensitive information on 7366 students and graduates was stolen from an employee’s desk. One of the people interviewed for the article, Cybil Pearson, stated that she had not been at the University of Cincinnati since 1997, so this is a surprising and annoying development for her.  Like many people entering their thirties, she’s probably in a state where she monitors her credit carefully as her career takes off and she begins to have several opportunities for investing assets, be it a new home or otherwise.  If somebody were to take over her identity, it would be a huge setback for her.  Trying to get things straightened out would not be easy, as detailed numerous times in the media. One might wonder, why is a university hanging on to this information years after graduation?  In many ways, purging information o
Read more: Administrative , Alumni , Encryption , Functions , Vital

Continuing TJX Legal Saga Further Highlights Need For Data Protection And Encryption
2007-10-26 22:26:00
TJX is back in the news, and in a big way.  The reason for the brouhaha is the new estimated number of credit card accounts compromised when TJX security was breached last year.  The new number is 94 million, double the original TJX estimates of 46 million, as reported in a court filing.  The new estimate was provided by the bank group that is suing TJX in order to recoup costs involving the notification and issuance of new credit cards for affected customers.  In light of the above, obviously a lot of people are asking if the new estimate is real, or if it has been inflated in order to induce a bigger, and faster, settlement.  I guess there is an incentive to inflate it, but at the same time people have multiple credit card numbers.  Perhaps TJX is consolidating some of their findings based on the number of people affected, whereas the bank group is reporting a pure number of accounts affected?  Anyway, most commentators don’t seem to know what to
Read more: Encryption , Further , Highlights , Protection

The Heart Wants, And The Mind Says Yes To Mobile Encryption…But The Body Doesn’t Follow?
2007-10-25 22:55:00
There were reports last week that a laptop containing personal information on over 160,000 people was stolen from Administaff, Inc., a Houston-based company.  Administaff is a company that engages in outsourcing personnel management services, such as payroll administration.  As such, it’s not surprising that Administaff deals with a lot of personal information, or that the stolen laptop contained Social Security numbers, names, and addresses.  How did the laptop get stolen?  From the backseat of an employee’s car.  Apparently, the employee stopped at a grocery store.  I cannot fault the employee in this case.  People have to eat at some point, and grocery shopping right after work is a natural thing to do.  And let’s face it, not too many people decide to put their laptops in the trunk.  To begin with, everybody knows that there is no cushioning in there—what if you drive over a rough patch and you bust your laptop?  I’m less
Read more: Encryption , Heart , Mobile

Data Encryption And SMBs - The Smaller You Are, The Greater The On-Line Threat
2007-10-25 00:40:00
Many of the stories covered in the media regarding data and security breaches involve companies that are large, usually Fortune 500, maybe Fortune 1000.  We must not forget, however, that any business needs to practice proper security when it comes to customer data.  For example, the Boston Globe covers today the theft of customers’ credit card data at Not Your Average Joe’s, a restaurant chain based out of Dartmouth, Massachusetts.  This chain is small by most measures, with 13 restaurants in Massachusetts and one in Virginia.  Based on an ongoing investigation, about 3500 customers were affected, most of them patrons at their Hyannis restaurant.  This is despite Not Your Average Joe’s having proper security measures in place.  The Secret Service has gotten involved, and they think that there was an internal security breach, although restaurant management believes that none of their regular personnel were involved.  They have hired a forensic
Read more: Encryption

Workplace Education As Important As Data Encryption When It Comes To Endpoint Security: A Calculation
2007-10-31 21:04:00
According to a national survey conducted by ISACA, thirty-five percent of US workers have violated their company’s IT policies.  Sixteen percent have also used peer-to-peer filesharing programs at work.  When put in this context, I guess, it’s not surprising that major companies such as Pfizer and Citigroup had major data breaches in the past six months.  The survey was conducted via phone and geared to white-collar workers, so depending on the definition of “white collar” the problem might add a couple more points to the above stats.  What’s even more eye-popping is that they found that “on average, at a company of 1,000 white-collar employees, up to 70 employees are likely using peer-to-peer file sharing at work often or very often.”  Let’s do some calculations, shall we?  What are the chances that there will be a data breach due to P2P filesharing applications?  First, we must make an assumption.  The assumption is that
Read more: Calculation , Education , Encryption , Workplace

Khaki Bandit: Extreme Social Engineering (or, An Extreme Reason For Greenlighting Laptop Encryption)
2007-10-31 00:10:00
The Khaki Bandit.  That’s how Eric Almly was known in Milwaukee when they didn’t have a name to match up with the burglaries.  He’s been connected to computer thefts in Minnesota, California, Arizona, and Florida.  Supposedly, Almly’s modus operandi was to walk into corporate offices and lift laptops found in the office.  He wouldn’t walk in willy-nilly.  He’d stake out the soon-to-be crime scene, studying the place.  He would dress the part to better match the surroundings (I guess corporate America is really into khakis).  He would enter the offices close to the end of business day—when things were winding down, people were leaving work, but prior to the nighttime security staff arriving—and just hang around until people left.  Hey, he looked like he belonged.  On the rare times when he was confronted, he would lie.  Hey, he sounded and looked like he belonged.  He’d go around the deserted office, pick up the
Read more: Encryption , Extreme , Laptop , Laptop Encryption , Reason , Social

There’s That Word Again: Hope, And The Data Security Blues
2007-10-29 22:37:00
  "Saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping [emphasis added] we do not get compromised."  This is a quote attributed to a member of the IT staff at TJX.  (The only source seems to be eWeek.  I’ve tried finding the original court filings but was unable to dig them up, and I cannot find anyone else making mention of it.)  Supposedly, this was in response to several money-saving options that the CIO had suggested for keeping their budget in check:  “I think we have an opportunity to defer some spending from FY'07's budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible.” (Also from eWeek)  In this l
Read more: Again , Blues

Laptop Security, Theft, And Public Relations: Password Protection Is Not “Protection” If There Is No Device Encryption
2007-11-02 20:23:00
We seem to have a new trend: I’m seeing more and more instances of people stating after a data breach that the lost or stolen computer was not encrypted but was password‑protected: The Home Depot and the Kiski Area School District instances are the two that come to mind as of right now, but there certainly have been more since then.  A quick search in Google also shows that CUNY released a similar statement regarding a laptop theft reported last month.  It seems that they’re referring to the password and username you have to enter prior to accessing your Windows machine, the Windows logon prompt.  Unfortunately, that particular logon prompt is not secure.  I’ve already mentioned in passing why this is so in other blog posts.  I’m not sure what to make of it.  Is this a PR effort in a lame attempt to assure the people affected?  Or perhaps people in the public relations department actually believe that because you’re entering a passwor
Read more: Device , Encryption , Laptop , Password , Protection , Public , Relations

Healthcare Provider Loses Mobile Data Device, Issues Letter and Credit Monitoring. I Presume The Device Was Not Encrypted (Not that I Blame Them In This Case)
2007-11-02 00:35:00
Clarian Health has notified over 1200 patients that their information might have been compromised.  These patients were in the Clarian transplant program, and one of the transplant coordinators misplaced “a device similar to a Palm Pilot.”  Before anyone goes around saying that such information should not be on such a small device to begin with, since it can be easily lost or stolen, one should realize that such devices let the transplant teams notify patients within seconds that an organ is available.  When you need a new liver, or a heart, or a lung, every second does count.  As for whether patient information, such as Social Security numbers, is necessary, my guess is that it must be so.  Perhaps the paperwork is being filled as the surgeon is being paged and the patient is being wheeled into the operating room.  Unfortunately, even in such emergencies there is paperwork to be filled.  If a coordinator always has the information, it must be a
Read more: Blame , Device , Healthcare , Issues , Letter , Mobile , Provider

Data Center In Chicago Is Broken Into (Twice!): Why Hard Disk Encryption Should Be Considered Even When You’ve Got Cages and Security Guards
2007-11-09 22:28:00
An article in theregister.co.uk mentions how a Chicago-based data hosting center, C I Host, was broken into twice.  The more recent case was about a month ago, on October 2nd, when armed robbers (!) broke into the facility by “cutting into the reinforced walls with a power saw.”  The night manager present was tasered and struck with a blunt instrument.  Then, the robbers made off with equipment belonging to C I Host and their customers, including servers.  In the ensuing days, C I Host turned the robbery into a major PR fiasco, taking several days to admit that there was a breach at the location.  In the meantime, they told affected customers that servers were down, routers were not working, etc.—anything but the truth.  What was management thinking?  Were they planning on surreptitiously replacing the customers’ machines?  What about the data on those machines?  Copy them over from backups?  What about the serial numbers o
Read more: Broken , Center , Data Center , Encryption , Twice

EMS Laptop Missing: Approximately 30,000 Potentially Affected By Lack of True Endpoint Security
2007-11-08 23:44:00
A laptop used by emergency medical services (EMS) personnel went missing in North Carolina.  The device was left on the bumper of an ambulance.  While details are sketchy, it sounds like the computer was left by accident on the ambulance, and somebody swung by and lifted it.  Or, it could have been left on the vehicle and lost in transit, while the ambulance was on its way to help another person in need.  The laptop disappeared around 10 p.m., and, obviously, conditions were dark.  The computer had records of more than 28,000 people who had been cared for by Cabarrus County EMS over the past four years, including Social Security numbers and other personal data.  County officials have said that it’s possible, but unlikely, that information in the laptop could be breached.  There is no mention of whether the device was encrypted, so I’m guessing that your standard Windows logon username and password prompt is serving as protection.  Furthermore,
Read more: Laptop , Missing

UK Doctors To Be Prosecuted If Laptop Encryption Not Present In Stolen Devices?
2007-11-16 00:51:00
Richard Thomas, the Information Commissioner in the UK, has told the Lords’ Constitution Committee that doctors who have their laptops stolen due to carelessness should end up in court.  Of course, the matter is not as simple as it sounds.  Mr. Thomas’s words were as follows:   “If a doctor, or hospital [employee] leaves a laptop containing patients’ records in his car and it is stolen, it is hard to see that is anything but gross negligence.”   Mr. Thomas also clarified his position saying that his intention was not to prosecute every incidence of a laptop theft, but those instances where such negligence is recurrent.  Encrypting the contents of the device, of course, would absolve the doctors and other hospital employees from any wrongdoing.  After all, encrypted data is virtually inaccessible by undesirables, so there’s no detriment to any patients who could have been affected by theft.   Naturally, such a suggestion has brought lots o
Read more: Devices , Doctors , Encryption , Laptop , Laptop Encryption , Present

Sloppy Laptop Security Can Cost Over $500,000
2007-11-14 20:15:00
The value of the data on those who do carry valuable information on their laptops is $525,000 on average.  This was the result of a survey commissioned by a company that specializes in offering secured wireless and wired broadband services to hotels and conference centers.   The survey included 491 participants, all of them users of mobile devices such as PDAs and laptops, who stay in a hotel at least once a month.  The survey also found that the value of the information on laptops is negligible most of the time.  If everyone were to be included, the above figure would lower to $330,000.   I took a look at the above numbers, and frankly I’m slightly puzzled, since I would conclude that most people do carry valuable information.  If the average is $330,000 with 491 people, that means the total value is $161.7 million.  (Note: That’s a pretty scary thought.  $100 million crisscrossing the nation on flimsy, easily filch-able devices?  And
Read more: Laptop

Laptop Security For University Students
2007-11-13 22:21:00
The Daily Bruin, a UCLA publication, is carrying an article about laptop thefts on their campus.  Eleven computer-related thefts were already reported in the month of October, despite the fact that this is not the beginning of the year anymore, and hence, one would assume, that students are not as trusting as they were at the beginning of the year.   However, the incidents highlighted in the article are not what I would call stupid, like leaving your laptop unattended and unsecured at a coffee table while you go get another latte and flirt with the barista.  No, the cases described include a burglarized car; laptops secured with laptop locks; laptops placed inside a room (no word on whether the door was locked, but I’ll assume it was).  These are your run-of-the-mill methods for protecting valuables—lock the door or physically secure your device.  And like in the real world, assuming that life in a college campus is not real enough, these run-of-the-mill m
Read more: Laptop , University

UK Up In Arms Over Loss Of Two CDs. 25 Million Britons Affected By Lack of Data Encryption
2007-11-21 00:54:00
HM Revenue & Customs (HMRC) has lost two CDs containing the details of 25 million people in the United Kingdom.  With the official population of the UK at 60.5 million, this represents slightly less than half of all the people in that country.  The matter was grave enough, combined with other data breaches at the same department, for the chairman, Paul Gray, to resign.  The data that could potentially be compromised are the names, addresses, and the birthdates of every child in the UK, plus the bank account details and England’s equivalent of Social Security numbers of 10 million parents and other caretakers.  The two CDs were lost en route to the National Audit Office.  Because of the nature of the media lost—compact discs—there has been plenty of fist-pounding on why the government is using such “ancient museum pieces” and that these must be replaced.  I would like to comment, as I usually do, that the method of delivery is not at fault.
Read more: Britons , Encryption

Laptop Encryption Is The Most Commonsense Way To Protect Portable Computers
2007-11-20 00:33:00
InformationWeek has an in-depth article on preventing data loss, and has fingered encryption as a must-have in one’s arsenal.  They correctly point out that it’s the most “commonsense” way to protect data, and that it also helps avoid penalties in certain states if the computer were to be stolen.   How powerful is encryption?  It depends on what you’re using, but it is so powerful that the UK has included as part of their terror laws the ability for police to ask for encryption keys.  Last week, an animal rights activist was ordered to surrender her encryption keys to the authorities as part of RIPA, the Regulation of Investigatory Powers Act.   The measure is contentious, but English Parliament passed it in order to better fight organized crime and terrorism (criminals tend to be at the forefront of technology in order to escape the authorities.  This begs the question, how come the authorities are not using what’s at the forefront of tec
Read more: Encryption , Laptop , Laptop Encryption , Portable , Protect

Eleven Laptops Stolen Out Of Japanese Embassy. No Word On Laptop Security. One Conspiracy Nut Created: Me
2007-11-16 21:58:00
The Yomiuri Shimbun is reporting that eleven laptops were stolen from a Japanese Embassy in Brussels, Belgium.  Japanese expatriates—about 12,700 of them—might be affected.  The information on the laptops included residence certification, overseas voting registrations, and passport information.  The information on residence certification also includes personal details such as date of birth, name, permanent address in Japan, occupation, and family information.  Because of the fears expressed regarding personal identity theft, my guess is that there was nothing such as AlertBoot ensuring the safety of the information on the laptops via encryption.  Is it normal for an embassy to have this information?  Actually, it is, and it’s not because they’re playing Big Brother.  Generally speaking, embassies welcome their country’s citizens to register their arrival whenever they step onto foreign soil, although this is rarely followed anymore.  I
Read more: Conspiracy , Eleven , Laptop

Indian Military Research Facility Suffers Computer Theft - Electrified Fences Not Enough For Computer Security
2007-11-23 21:46:00
The Times of India and several other news sites are carrying articles about a break‑in to the Defence Material Store Research Development and Establishment (DMSRDE) in India.  As far as I can tell, this is a research laboratory under the aegis of the Ministry of Defence (or Defense, if you prefer), a branch of an Indian DARPA that deals with materials research.  As such, one would expect a more than adequate level of security.  The details in the Times article bear this out: “the entire boundary wall is fenced and the wires are electrified.”  I’d assume armed guards, most probably military, were also securing the entrances as well. Three computers were stolen, and due to the circumstances, there is a not-unsurprising belief that this was an inside job.  Thankfully, nothing of strategic importance has been stolen, according to official statements released by the government; however, I would imagine there are some reasons for concern.  One of the c
Read more: Computer , Enough , Facility , Military

Ten Seconds Is All It Takes To Steal A Laptop. Make Laptop Encryption Part Of Your Endpoint Security Arsenal
2007-11-22 20:21:00
If one does a search for the words “laptop theft” in Google, the third result is the security footage of what looks to be a passing elderly man stealing a laptop.  More specifically, this elderly man scouts the place out and steals the laptop that was displayed at a storefront window in broad daylight, with at least two workers in the store.   I wanted to call him a vagrant, but it doesn’t look like his appearance is causing sirens to go off in the minds of the storekeepers, despite what looks like an unkempt appearance in the extremely grainy footage from the camera.  Plus, one can clearly see him pretending to be talking on a cell phone as he walks out with the hot goods (good?) literally stuffed down his pants.  You don’t have too many hobos with cell phones out there.  Well, with the exception of South Korea, it seems.  I’ve been a direct witness to someone begging for money in the streets and answering a call at the same time.  Th
Read more: Arsenal , Encryption , Laptop , Seconds , Steal

Why Laptop Encryption Beats File Encryption When It Comes To Data Security
2007-11-30 20:54:00
Of course, it doesn’t mean that you can’t use both (or that using both is not recommended).  But encrypting an entire laptop’s hard drive holds an ace over individual file encryption: convenient, one-stop security.   Once a computer’s entire disk is encrypted, the only thing the end user has to do is remember the username and password required to access the laptop.   This process is identical to typing the username and password in order to gain access into Windows, if the login prompt is set up.  But unlike the Windows prompt, encryption provides security, whereas the Windows prompt just provides the sense of security.  You can think of encryption as a Jumble word puzzle with a shot of testosterone (strong enough that even the US Government uses it to safeguard their own documents if they decide to use encryption, which is not as often as you’d think, based on the news), whereas the ordinary Windows username and password is the gray, silver laye
Read more: Beats , Encryption , Laptop
