AlertBoot Endpoint Security
Endpoint security blog focusing on data breaches and losses at various companies and how the catastrophic consequences can be avoided with the right security software.
EMS Laptop Missing: Approximately 30,000 Potentially Affected By Lack of Tr
2007-11-09 06:44:00 A laptop used by emergency medical services (EMS) personnel went missing in North Carolina. The device was left on the bumper of an ambulance. While details are sketchy, it sounds like the computer was left on the ambulance by accident, and somebody swung by and lifted it. Or it could have been left on the vehicle and lost in transit while the ambulance was on its way to help another person in need. The laptop disappeared around 10 p.m., and, obviously, conditions were dark. The computer held records of more than 28,000 people who had been cared for by Cabarrus County EMS over the past four years, including Social Security numbers and other personal data. County officials have said that it's possible, but unlikely, that information on the laptop could be breached. There is no mention of whether the device was encrypted, so I'm guessing that the standard Windows logon username and password prompt is serving as protection. Furthermore, t...
MSU To Delete All Sensitive Personal Data To Improve Laptop Security
2007-11-08 07:05:00 Montana State University (MSU) is informing students and faculty that they might have been victims of another data security breach; MSU had a security breach earlier this year. On November 2, the university announced that a stolen laptop contained Social Security numbers of two hundred students. In a separate incident on the same day, it also found that an Excel spreadsheet with Social Security numbers was available via the university's website. As part of its effort to minimize future breaches, the university is removing all sensitive personal data from portable devices. Undoubtedly, not having personal information on portable devices prevents a data breach, even if the theft of the machine itself cannot be prevented. This is just a matter of logic. I mean, a server that is up and running but has no data on it cannot be compromised via hacking: no data means no data breach, even if Paul Bunyan were to come arou...
A Sure-Fire Way of Preventing Endpoint Security Breaches In Phishing Scams
2007-11-07 04:45:00 Salesforce.com has recently issued an alert to its customers, letting them know that a Salesforce.com employee was the victim of a phishing scam. This allowed the phishers to copy the Salesforce.com customer contact list, which was subsequently used for sending e-mails that looked like Salesforce.com invoices but were designed to collect passwords. Perhaps this was an exploratory scam, since subsequent phishing e-mails included malware as attachments and increased the scope of the attacks. Malware, if you're not aware, is malicious software, generally viruses or key loggers, among others, designed to collect information and surreptitiously send it back to the phishers. The malware gets installed on your computer and collects information as you visit legitimate websites (and enter your username and password). While Salesforce.com admitted to the security breach today, there were already signs that something was amiss back in October. A...
Laptop Security, Theft, And Public Relations: Password Protection Is Not "P
2007-11-03 02:23:00 We seem to have a new trend: I'm seeing more and more instances of people stating after a data breach that the lost or stolen computer was not encrypted but was password-protected. The Home Depot and the Kiski Area School District instances are the two that come to mind right now, but there have certainly been others. A quick search in Google also shows that CUNY released a similar statement regarding a laptop theft reported last month. It seems that they're referring to the username and password you have to enter prior to accessing your Windows machine, the Windows logon prompt. Unfortunately, that particular logon prompt is not secure. I've already mentioned in passing why this is so in other blog posts. I'm not sure what to make of it. Is this a PR effort in a lame attempt to reassure the people affected? Or perhaps people in the public relations department actually believe that because you're entering a password, this of...
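To make concrete why a logon password is not protection for the data on a lost laptop, here is an added example. It is my code, not AlertBoot's and not from any of the incidents above. It builds a made-up raw disk image, carves Social Security numbers out of it the way anyone with the drive in hand (or a boot CD) would, then encrypts the image with a stand-in volume cipher and shows that the same carving and a quick entropy check come back empty. The image contents, passphrase and salt are constructed; the SHA-256 counter-mode keystream stands in for AES-XTS and is not a cipher to deploy.

```python
"""Added example: what a stolen, unencrypted drive gives up without any logon.

The Windows logon prompt is enforced by the running OS. Pull the drive, or boot
from a CD, and the raw blocks are readable with no credential at all. Below, a
constructed disk image is carved for Social Security numbers, then encrypted and
carved again. All data is constructed; the SHA-256 counter-mode keystream is a
stand-in for a real volume cipher (AES-XTS), not something to deploy.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed raw image: filesystem noise around an ASCII CSV export and a
# UTF-16LE fragment (Windows keeps a lot of text in UTF-16LE).
_CSV = (b"patient_id,name,ssn\n"
        b"1001,J. Doe,123-45-6789\n"
        b"1002,R. Roe,987-65-4321\n")
_UTF16 = "Contact: A. Poe 555-12-3456".encode("utf-16-le")
RAW_IMAGE = (b"\x00" * 64 + b"NTFS    " + b"\x00" * 120 + _CSV
             + b"\xff" * 48 + _UTF16 + b"\x00" * 4096)

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def carve_ssns(image: bytes) -> list:
    """SSN-shaped strings found in raw bytes: an ASCII pass plus both UTF-16LE
    alignments, so a wide-char fragment at an odd offset is not missed."""
    hits = {m.group().decode() for m in SSN_RE.finditer(image)}
    for start in (0, 1):
        hits.update(m.group().decode() for m in SSN_RE.finditer(image[start::2]))
    return sorted(hits)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a plaintext filesystem sits well below 7, ciphertext near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(image: bytes, threshold: float = 7.5) -> bool:
    """Cheap triage on recovered media: does this volume look like ciphertext?"""
    return shannon_entropy(image) >= threshold


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> 256-bit key via PBKDF2. This is the pre-boot secret; the
    Windows logon password never touches the bytes on the platter."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def volume_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode XORed over the image (symmetric,
    so the same call decrypts). Real FDE uses AES-XTS with per-sector tweaks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


if __name__ == "__main__":
    print("unencrypted:", carve_ssns(RAW_IMAGE),
          "entropy %.2f" % shannon_entropy(RAW_IMAGE))
    key = derive_key("correct horse battery", b"constructed-salt")   # constructed
    enc = volume_cipher(key, RAW_IMAGE)
    print("encrypted:  ", carve_ssns(enc), "entropy %.2f" % shannon_entropy(enc))
    assert volume_cipher(key, enc) == RAW_IMAGE
```

The thing to take from it is not the cipher but where the secret lives: the logon password is checked by the OS after boot and has no relationship to the bytes on disk, while the pre-boot passphrase is what derives the key. The entropy test is the quick check a forensic examiner runs on a recovered drive to answer the lawyer's "was it encrypted?" question before anyone reads the vendor paperwork.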
Healthcare Provider Loses Mobile Data Device, Issues Letter and Credit Moni
2007-11-02 06:35:00 Clarian Health has notified over 1,200 patients that their information might have been compromised. These patients were in the Clarian transplant program, and one of the transplant coordinators misplaced "a device similar to a Palm Pilot." Before anyone goes around saying that such information should not be on such a small device to begin with, since it can be easily lost or stolen, one should realize that such devices let the transplant teams notify patients within seconds that an organ is available. When you need a new liver, or a heart, or a lung, every second does count. As for whether patient information, such as Social Security numbers, is necessary, my guess is that it must be so. Perhaps the paperwork is being filled out as the surgeon is being paged and the patient is being wheeled into the operating room. Unfortunately, even in such emergencies there is paperwork to be filled out. If a coordinator always has the information, it must be a ...
Workplace Education As Important As Data Encryption When It Comes To Endpoi
2007-11-01 03:04:00 According to a national survey conducted by ISACA, thirty-five percent of US workers have violated their company's IT policies. Sixteen percent have also used peer-to-peer filesharing programs at work. Put in this context, I guess it's not surprising that major companies such as Pfizer and Citigroup had major data breaches in the past six months. The survey was conducted via phone and geared to white-collar workers, so depending on the definition of "white collar" the problem might add a couple more points to the above stats. What's even more eye-popping is that they found that "on average, at a company of 1,000 white-collar employees, up to 70 employees are likely using peer-to-peer file sharing at work often or very often." Let's do some calculations, shall we? What are the chances that there will be a data breach due to P2P filesharing applications? First, we must make an assumption. The assumption is that most people k...
Khaki Bandit: Extreme Social Engineering (or, An Extreme Reason For Greenl
2007-10-31 06:10:00 The Khaki Bandit. That's how Eric Almly was known in Milwaukee when they didn't have a name to match up with the burglaries. He's been connected to computer thefts in Minnesota, California, Arizona, and Florida. Supposedly, Almly's modus operandi was to walk into corporate offices and lift laptops found in the office. He wouldn't walk in willy-nilly. He'd stake out the soon-to-be crime scene, studying the place. He would dress the part to better match the surroundings (I guess corporate America is really into khakis). He would enter the offices close to the end of the business day, when things were winding down and people were leaving work but before the nighttime security staff arrived, and just hang around until people left. Hey, he looked like he belonged. On the rare occasions when he was confronted, he would lie. Hey, he sounded and looked like he belonged. He'd go around the deserted office, pick up the laptops, and sa...
There's That Word Again: Hope, And The Data Security Blues
2007-10-30 04:37:00 "Saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping [emphasis added] we do not get compromised." This is a quote attributed to a member of the IT staff at TJX. (The only source seems to be eWeek. I've tried finding the original court filings but was unable to dig them up, and I cannot find anyone else making mention of it.) Supposedly, this was in response to several money-saving options that the CIO had suggested for keeping their budget in check: "I think we have an opportunity to defer some spending from FY'07's budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible." (Also from eWeek.) In this ligh...
Continuing TJX Legal Saga Further Highlights Need For Data Protection And E
2007-10-27 05:26:00 TJX is back in the news, and in a big way. The reason for the brouhaha is the new estimated number of credit card accounts compromised when TJX security was breached last year. The new number is 94 million, double the original TJX estimate of 46 million, as reported in a court filing. The new estimate was provided by the bank group that is suing TJX in order to recoup costs involving the notification and issuance of new credit cards for affected customers. In light of the above, obviously a lot of people are asking if the new estimate is real, or if it has been inflated in order to induce a bigger, and faster, settlement. I guess there is an incentive to inflate it, but at the same time people have multiple credit card numbers. Perhaps TJX is consolidating some of its findings based on the number of people affected, whereas the bank group is reporting a pure number of accounts affected? Anyway, most commentators don't seem to know what t...
The Heart Wants, And The Mind Says Yes To Mobile Encryption - But The Body Do
2007-10-26 05:55:00 There were reports last week that a laptop containing personal information on over 160,000 people was stolen from Administaff, Inc., a Houston-based company. Administaff is a company that engages in outsourced personnel management services, such as payroll administration. As such, it's not surprising that Administaff deals with a lot of personal information, or that the stolen laptop contained Social Security numbers, names, and addresses. How did the laptop get stolen? From the back seat of an employee's car. Apparently, the employee stopped at a grocery store. I cannot fault the employee in this case. People have to eat at some point, and grocery shopping right after work is a natural thing to do. And let's face it, not too many people decide to put their laptops in the trunk. To begin with, everybody knows that there is no cushioning in there: what if you drive over a rough patch and bust your laptop? I'm less unders...
Data Encryption And SMBs - The Smaller You Are, The Greater The On-Line Thr
2007-10-25 07:40:00 Many of the stories covered in the media regarding data and security breaches involve companies that are large, usually Fortune 500, maybe Fortune 1000. We must not forget, however, that any business needs to practice proper security when it comes to customer data. For example, the Boston Globe today covers the theft of customers' credit card data at Not Your Average Joe's, a restaurant chain based out of Dartmouth, Massachusetts. This chain is small by most measures, with 13 restaurants in Massachusetts and one in Virginia. Based on an ongoing investigation, about 3,500 customers were affected, most of them patrons at the Hyannis restaurant. This is despite Not Your Average Joe's having proper security measures in place. The Secret Service has gotten involved, and they think that there was an internal security breach, although restaurant management believes that none of their regular personnel were involved. They have hired a forensic ex...
Data Protection: Need, Right, And Time Should Be Extended To Mobile Devices
2007-10-24 06:43:00 In a Government Technology article, an argument is made that access to data should be granted on a need, right, and time basis. Now, this is not a new argument, and it was directed at securing databases and their contents. The argument is that not everyone needs to have access to the information in a database or databases. Obviously, depending on one's seniority and rank within an organization as well as the type of job one holds, the type of information one should have access to will differ; the higher in the hierarchy, the more information one needs to access. Along with the need, the right to access information is to be considered as well. In fact, some would argue that the need and the right to access information are intertwined and are not to be considered separately. The third criterion, time, is meant to curtail access to the data as necessary. If an employee always works from nine to five, there is no reason why he should...
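The need, right and time test above, written out as a small access check. This is an added example, not code from the Government Technology article or from AlertBoot. The role table, shift windows, cleared-for-mobile list and user names are all made-up inputs, and the device rule is my extension of the three criteria to portable devices, which is what the headline argues for. Every failing criterion is reported rather than just the first, so an auditor can see which gate stopped a request.

```python
"""Added example: access decided on need, right and time, extended to devices.

Nothing here comes from the article; the policy tables below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Principal:
    user: str
    role: str                  # "need" is derived from the job, not the person
    entitlements: frozenset    # "right": data sets explicitly granted to this user


@dataclass(frozen=True)
class Policy:
    role_needs: dict           # role -> frozenset of data sets that job requires
    shift_windows: dict        # user -> (start, end) local times; end < start = overnight
    mobile_cleared: frozenset  # data sets that may be opened on a portable device


def in_window(now: time, start: time, end: time) -> bool:
    """True if now falls inside [start, end); handles shifts that cross midnight."""
    if start < end:
        return start <= now < end
    return now >= start or now < end      # e.g. 22:00 to 06:00


def check_access(policy: Policy, who: Principal, dataset: str,
                 when: datetime, device: str = "workstation"):
    """Return (allowed, reasons); reasons lists every criterion that failed."""
    reasons = []
    if dataset not in policy.role_needs.get(who.role, frozenset()):
        reasons.append("need: role %s does not require %s" % (who.role, dataset))
    if dataset not in who.entitlements:
        reasons.append("right: %s has no entitlement to %s" % (who.user, dataset))
    window = policy.shift_windows.get(who.user)
    if window is None:
        reasons.append("time: no working hours defined for %s" % who.user)
    elif not in_window(when.time(), *window):
        reasons.append("time: %s is outside %s's hours" % (when.strftime("%H:%M"), who.user))
    # Extension to mobile devices: a data set must be cleared before it leaves
    # the building, regardless of who is asking.
    if device != "workstation" and dataset not in policy.mobile_cleared:
        reasons.append("device: %s is not cleared for %s" % (dataset, device))
    return (not reasons, reasons)


# Constructed policy and users (assumed names, not from the article).
POLICY = Policy(
    role_needs={
        "payroll_clerk": frozenset({"payroll", "employee_directory"}),
        "transplant_coordinator": frozenset({"transplant_waitlist", "pager_contacts"}),
    },
    shift_windows={
        "alice": (time(9, 0), time(17, 0)),    # nine to five
        "bob": (time(22, 0), time(6, 0)),      # overnight on-call
    },
    mobile_cleared=frozenset({"pager_contacts"}),
)
ALICE = Principal("alice", "payroll_clerk", frozenset({"payroll"}))
BOB = Principal("bob", "transplant_coordinator",
                frozenset({"transplant_waitlist", "pager_contacts"}))

if __name__ == "__main__":
    requests = [
        (ALICE, "payroll", datetime(2007, 10, 24, 10, 30)),
        (ALICE, "payroll", datetime(2007, 10, 24, 20, 0)),
        (ALICE, "employee_directory", datetime(2007, 10, 24, 10, 30)),
        (BOB, "transplant_waitlist", datetime(2007, 10, 25, 2, 0), "mobile"),
        (BOB, "pager_contacts", datetime(2007, 10, 25, 2, 0), "mobile"),
    ]
    for req in requests:
        print(req[0].user, req[1], check_access(POLICY, *req))
```

Two things in it are deliberate. The time window tolerates a shift that crosses midnight, because the people who most need after-hours access (the transplant coordinator in the Clarian story) are exactly the ones a naive nine-to-five rule would lock out. And the role table says what a job requires while the entitlement set says what this person was actually granted; keeping them separate is what makes "need" and "right" two checks rather than one.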
University Sends Internal Student List To Student - Why Data Encryption Wil
2007-10-19 19:44:00 Eight thousand students and applicants to Duquesne University narrowly avoided becoming victims of a data breach. Or, rather, they avoided becoming victims of personal information peddlers. A file containing mostly students' financial information was sent by mistake to a Duquesne student, who promptly reported the incident to university officials. The information included Social Security numbers and household incomes. This incident illuminates the constant need for file encryption. The opportunities to send e-mails, with or without attachments, to the wrong recipients are numerous. E-mail software such as Microsoft Outlook, which automatically tries to complete the address as you begin to type a name in the "To:" field, has led to numerous mistakes for many people. I myself have experienced such instances. Common names such as Dave, Tim, or John seem to require great restraint and caution ...
Laptop Security As Part of Freshman Orientation?
2007-10-18 23:50:00 A new school year has started in the United States, and already there seems to be a deluge of laptop theft stories in the media. A small number of them are covered in the national media, such as the laptop theft in Arizona that affected students in Iowa: a former teaching assistant in Iowa had stored Social Security numbers on his laptop and moved out of state. Then there is the case of the professor's office that was broken into at Carnegie Mellon University, where two of his five computers were stolen (I'd like to point out that's a lot of computers in an office). Students' Social Security numbers were present on the stolen computers and, as far as I can tell, these were not encrypted. Then there are the locally covered stories (read: school papers) where student laptops are stolen from classrooms, dorm rooms, student centers, etc. Normally, I tend to skip the local stories when looking for blogging material. After all, computer the...
TSA Requires Disk Encryption Following Several Losses
2007-10-17 19:46:00 The Transportation Security Administration (TSA) has effectively ordered contractors to encrypt all data related to TSA activities. Apparently, the tipping point was the recent loss of two laptops that carried the information of nearly four thousand Hazmat truckers. This is not the first time the TSA has had issues with lost data: earlier this year a hard drive containing the employment records of 100,000 government workers was lost as well. In that particular case, the information included Social Security numbers, dates of birth, payroll information, and bank account information. The TSA got into a lot of trouble for that particular loss, as the hard drive disappeared from a controlled area at TSA headquarters. As far as I know, the case remains unresolved and pending. Obviously, the more recent loss is not the fault of the TSA but of the contractors working for the administration, hence the order. The TSA already has policies requiring contra...
Is Disk Encryption Effective When A Trusted Employee Is Involved In The Cri
2007-10-16 18:34:00 I read an article today in which Joseph Harris, a former manager of the San Jose Medical Group, was sentenced to 21 months in prison. He also has to pay $145,154 in restitution and will be under supervision for three years after his release. His crime? Stealing computer equipment from the branch he was working at and selling it on Craigslist. The FBI got involved because one of the stolen computers had a DVD with patient information on it. The bad news is that 187,000 patients could have been affected by this. The good news is that Harris made sure that nothing was in the DVD tray before selling his ill-gotten goods: FBI agents later found the disc in Harris's car, although he initially denied knowledge of it. In retrospect, it's not hard to see why the FBI zeroed in on Harris, although I'm sure it must have taken a lot of investigative work to sort out suspects. There were six burglaries at the San Jose Medical Group ...
Written Rules Are Worthless When It Comes To Ensuring Data Security
2007-10-12 17:55:00 While scanning the latest data security breach stories, I have noticed that a lot of them involve institutions of higher learning. Most of them involve theft of digital devices, mostly laptops. It's only now that I've realized that a new school year has started just recently. Most of these cases are trivial, if you will. After all, computers were stolen when I was an undergrad, which was some time ago. I'm sure computers will be stolen as well when my grandkids are in college. A small number of these are not so trivial, since they point out errors, lack of precaution, or mismanagement of sensitive data in an academic setting. One of the more salient cases in some time is the case at Western Oregon University. To recap, a student discovered a file with personal data on a publicly accessible university server. He downloaded a copy and sent it over to the campus newspaper. The editor of the paper made another copy, apparent...
Full Disk Encryption By Itself Is Partial Protection, but AlertBoot Provide
2007-10-11 23:09:00 Almost on a daily basis we hear about large organizations losing laptops or computer media with confidential customer or employee data. The companies are then forced to determine their risk and liability by confirming whether or not the data was encrypted. The legal position is that encrypted data translates to no data loss, and the company is legally protected from the potential ramifications of losing a laptop or mobile media from which the data could otherwise be easily extracted. What's the first question the company's lawyers will ask? "Was it encrypted?" This SHOULD be an easy question to answer, but most of the disk encryption solutions out there provide little to no reporting functionality. Such information should be readily available to the right people in management positions at a company. Comprehensive reporting would also make it much easier to enforce encryption compliance within a company, so there will be little to worry about when a laptop or USB drive is lo...
Full Disk Encryption For the Really (Really) Bad Times?
2007-10-11 22:23:00 I have been following a story for the past couple of days regarding the political events in Burma (Myanmar, if you prefer). More specifically, I'm following, or have attempted to follow, an article that showed up in the Times where it was claimed that Burmese police and diplomats showed up at United Nations offices in Burma and demanded that UN workers turn over hard drives. Apparently, there might have been information on dissidents in the UN files. What I find puzzling about this is that no other mainstream media outlet has picked up on the story. Today, I'm reading that the Burmese government has officially requested information regarding the UN's satellite equipment, which I'm guessing is used for communicating with UN headquarters. There is so little information here that I'm almost tempted to wonder whether there was an attempt to cover up what could have become a significant international incident. Well, aside from the other significant incident in Burma today...