AlertBoot Endpoint Security

Laptop Encryption Software And Rickrolling Having Something In Common

sang_lee — Tue, 10 Nov 2009 04:14:00 GMT

What does laptop encryption software have in common with the cultural zenith that was, and is, Rick Astley? Passwords.

Rickrolling iPhone Worm

Australians with jailbroken iPhones got the treat of a lifetime when their wallpaper got changed to that of a young Astley looking impishly serious (check out the darkreading.com site for an image), a result of a worm by an unemployed programmer from Australia. He meant no harm, he was just playing around. The worm's design seems to confirm his playful intentions.

Besides Rickrolling, the worm doesn't seem to be engaged in other nefarious activities. It's not asking you for a five-euro ransom, for example. However, it is annoying the heck of a lot of people.

The worm affects jailbroken phones that installed SSH and left their password set to the default, "alpine." Once an iPhone is infected, it will go through the contact list and find other iPhone users with an identical vulnerability and infects those as well.

If an iPhone doesn't have SSH or if the default password is not being used, the vulnerability does not exist. SSH stands for "secure shell," btw. Ironic, yes?

Forcing A Change On Default Passcodes

Many would take the above and point out that jailbreaking iPhones is what caused the problem in the first place. And, while such arguments wouldn't be wrong, it certainly wouldn't be entirely right either. People who've jailbroken(?) their iPhones to install SSH and forgotten to change the password would probably have forgotten to do so for "legitimate" iPhone apps as well. One of the central data security tenets of anything that requires a password is "don't use the default password."

This is especially true of encryption software, for those cases where a common, default password is used. If a person continues to use the default password, the encryption is for naught: what's going to prevent a person from trying that as the first password in an attempt to gain access? Their conscience?

Which is why many software designers will force users to change their password. For example, in AlertBoot encryption, a central administrator is able to set up policies on what types of passwords are or are not allowed, including, the size of passwords (a minimum length), how often passwords can be reused, whether palindromes can be used, etc.

Furthermore, the initial password that allows a user to bypass the pre-boot authorization window has to be changed to one of the user's choosing (and satisfy the admin's initial demands of what a password should be). Otherwise, the user cannot proceed forward, and the volume with hard disk encryption won't be decrypted.

Data Breach Costs: Canadian Government Pays $751,750 For Data Breach

sang_lee — Mon, 09 Nov 2009 23:30:00 GMT

The Canadian federal government paid out $751,750 to approximately 120,000 people who were affected by a data breach on September 2003, when six computers were stolen. The computers contained personal information but were not protected via drive encryption software.

Six years for resolution. That must be some kind of record.

Computers Stolen from Tax Services Office at Laval, Quebec

The breach occurred at a Laval Tax Services Office. Four laptops and two desktops were stolen. As already mentioned, data protection tools like encryption software were not used to protect the information found on these devices. One of the laptops was used as a server, which is not really unusual, but certainly raises eyebrows when considering the presence of desktops (on the other hand, if the laptops were much recent purchases and more powerful, it would make sense to use one of them as a server, as opposed to an aging desktop...)

The thieves broke into the office by smashing a rock through a window. Regarding the theft, a spokesperson had this to say:

... the theft was indeed the result of human error as the main laptop, which held the majority of the stolen information, should have been locked away in a safe room - which it was not

I don't know about that. I mean, when thieves are willing to throw rocks around, they're willing to kick down doors as well. Regardless, separating the main laptop/server may have helped the tax authority if the situation was literally a smash and grab.

It took about a month for data to be reconstructed and the affected to be notified about the incident. Most of the people affected worked in the construction industry and could have included names, addresses, payments, and business numbers.

Breach Victims' Time Compensated

The government has decided to settle a class action suit filed by the affected. Of the $750 thousand dollars, 1,401 people will receive $150 and 2,708 people will receive $200.

This is meant as compensation for their time spent with credit reporting agencies Equifax or Trans Union. That's only 4,109 people out of 120,000 affected that are being compensated, or roughly 3% of the affected. Most people decided not to join the lawsuit, it looks like.

Encryption Would Have Been Cheaper

$750,000 dollars for the theft of 6 computers, or $125,000 per computer. When you consider that managed endpoint encryption like AlertBoot costs less than $14 per month, signing up for data protection would have been cheaper.

For example, the settlement money could have provided for 744 years' worth of disk encryption for the 6 computers. Or, put another way, it could have protected 4,400 computers for an entire year.

Can I Still Work While My Computer's Being Encrypted?

sang_lee — Sun, 08 Nov 2009 15:23:00 GMT

You've installed disk encryption software on your computer. You were promised the process would be short and painless, and, wonder of wonders, it was true! Well, kind of.

You didn't have to spend much time in front of the computer. However, now you're noticing that your computer's hard disk light is blinking like crazy. What's going on?

Well, your computer's hard drive is in the process of encrypting itself.

Hard Disk Encryption Is Full Disk Encryption

When you use disk encryption software, you're literally encrypting (protecting) your entire hard disk drive. That's why some companies call it full disk encryption (FDE) or whole disk encryption.

Because each sector of the hard disk is being encrypted, it's going to take a while with today's disk capacities: the bigger the storage capacity, the longer it takes (think of it this way: how long do you think it would take to fill up your hard drive? Then tack on an hour or so on top of that, and that's how long it takes).

The good news is that the use of encryption software on your hard drives doesn't prevent you from using it while it's doing its thing. At least, it doesn't for AlertBoot endpoint encryption software (and most--heck, all--of the other ones that I know of).

In other words, while the software is going through the process of ensuring your hard drive is protected, you can use the computer as you normally would: surf the internet, type up an e-mail, tweeter to your heart's delight, etc.

What Can You Not Do?

About the only thing you shouldn't do is turn off the computer. Or rather, you shouldn't cut the power off suddenly, such as letting the batteries die or doing a hard boot.

Usually, it is possible to turn off the computer if you can't quite afford to have your computer up and running while it's encrypting (you have to go home, for example). Just remember to follow the normal procedures for shutting off a computer. In such cases, the encryption process will continue from where it dropped off.

Disk Encryption Software: Mossad Hacks Syrian Government Laptop

sang_lee — Sat, 07 Nov 2009 17:37:00 GMT

According to Der Spiegel, Israel's intelligence service planted a Trojan horse on the laptop computer of a Syrian government official. This act ultimately led to the 2007 bombing of the Al Kibar complex (supposedly a nuclear reactor). One way to have prevented this would have been the use of full disk encryption. However, there are dissenting groups as well.

Laptop Left Unsecure At Hotel

The Syrian official had left his laptop computer behind at his hotel. This allowed the Mossad, the Israeli intelligence agency, to gain access to the computer and plant a Trojan that stole data. The information gleaned from this move proved to be invaluable, with photographs of Al Kibar at various stages of construction and other works in progress.

They were even able to identify a North Korean scientist, in charge of the Hermit Kingdom's nuclear program, on site.

Of course, if disk encryption had been used, the Mossad would have had a heck of a time trying to get into the computer, and planting Trojan wouldn't have been easy.

Evil Maid

As security guru Bruce Schneier pointed out though, the use of whole disk encryption may not have been enough. "Remember the evil maid attack," is his rallying cry.

What is this evil maid attack? Well, the idea is that an evil maid at the hotel (or a janitor, bellboy, the hotel security guy, whatever) can come in; plant a password reader into the MBR of an encrypted computer; and retrieve the password later. The MBR is the master book record of a fully encrypted hard disk drive, and is the only place that's not encrypted on an encrypted disk.

Since figuring out the encryption key is extremely hard, an evil maid attack can be used to find the passwords. It goes on to show that whole disk encryption cannot protect one against instances where laptops are left alone. (Disk encryption is meant to protect the contents of a computer if it gets stolen. If the computer is eventually recovered...well, you can't just use it as if nothing ever happened. You'll have to have it wiped if it needs to be secure.)

The problem with evil maid attacks, though, is that they require multiple access to the targeted computer, once to install the password reader and again to retrieve said password.

If the Syrian official screwed up just once and left the laptop unattended that one time, the evil maid attack wouldn't have worked (this being the Mossad that's involved, maybe it would be more accurate to say retrieval would have presented some challenges).

Heck, I bet they could have done something else to bypass the encryption software, like maybe use hacked hardware like compromised DRAM.

Hard Disk Encryption Not On Laptop: Follow Up On Connecticut Data Breach

sang_lee — Fri, 06 Nov 2009 23:40:00 GMT

A little over two years ago, a laptop computer belonging to the Connecticut Department of Revenue Services (DRS) was stolen. It did not use hard drive encryption software like AlertBoot to protect its contents and led to the breach of personal information for 106,000 people.

An investigation was started since making the breach public, and little known details were revealed, such as,

The laptop was stolen from a parked vehicle

The person who took the laptop had gotten authorization to do so

That same person was on vacation (why take a work laptop, then?)

When stuff like the above are taken into consideration, it makes one wonder whether the lack of security (keeping a laptop in a car and not using disk encryption) was systemic and endemic. On the other hand, an employee--about to leave on vacation--asking whether a work laptop can be taken seems to counter the assumption that security was not a factor to consider at the DRS. Most people would probably just take them without a second thought.

The Follow Up

What prompted me to revisit this case was an opinion piece at the New Haven Register. It looks like the lack of security was systemic and endemic.

As part of their review of lapses in the security of tax records, [Attorney General] Blumenthal and the auditors found that any Department of Revenue Services employee with computer network access could not only read taxpayer records, but make alterations in them. There was no reliable way of tracing who accessed the records. This breakdown in taxpayer confidentially was potentially far more serious than the theft of the laptop

The guy who asked for permission to take his laptop sounds like the most security-minded person in the world when contrasted to the above.

Cost Of A Breach

The costs related to the breach actually went over $1 million. It was already assumed at the beginning that providing identity theft protection would reach the $1 million figure, but it looks like the additional need for security implementation pushed the figure over.

The implementation of new security is something that most people don't factor into the cost of a data breach. Although, it makes sense to do so. After all, an organization cannot afford to experience the same breaches over and over; furthermore, it wouldn’t have thought to implement them prior to the breach.

On the other hand, if the same organization had implemented the same, it wouldn't have experienced a breach to begin with, saving them seven figures.

The case could be pictured as one where a million buckaroos were spent unnecessarily because a guy decided to take his work laptop to a hockey game. It would be, perhaps, more accurate to picture it as a situation where a million bucks were spent because an organization wouldn't spent a fraction of that on the correct information security tools like encryption software for computers and data monitoring.

Data Encryption Not Necessary If Using Laptops As Dumb Terminals?

sang_lee — Fri, 06 Nov 2009 02:43:00 GMT

Encryption software is very useful when laptops get stolen; but, do they have a place if a computer is being used as a thin client? That's the question that got prompted when I read about the Chorley Council in the UK.

According to the Chorley Guardian, "Officials at Chorley Council have been left red-faced after forking out £14,000 on new laptops to improve security--only for the whole lot to get stolen." The computers were brand new, so there was no information on them. However, the words "to improve security" caught my attention. How were the new computers supposed to improve security? Did they come with built-in disk encryption or what?

The product that's supposed to provide the security is not actually mentioned, but I did get a hint:

...the laptops only work if they are logged on to the council's own Citrix mainframe computer system and [Council Chief executive Donna Hall] added: "Anyone who gets one under their Christmas tree will be disappointed."

I've done some research on-line, and as far as I can tell, it seems that the security was supplied by using the laptops as dumb terminals: they connect to a council server that doles out the information as necessary via a window to a working environment on the server itself (in other words, virtualization, something Citrix excels at).

This is an excellent way of providing data security. The idea is, if nothing is saved on the laptop itself, then losing it doesn't compromise any sensitive data. However, it does revolve around the observation "if nothing is saved."

Those Unpredictable Creatures Called "People"

A person may or may not have legitimate reasons for downloading information locally. The Citrix software probably has controls in place to disallow such actions, but there are ways to get around it.

For example, if I take a screenshot of my screen and save that file locally, and the computer gets stolen, that's a breach. Since there's nothing preventing access to the computer--such as a password-prompt for accessing a device with endpoint encryption--any thieves would be able to get into the computer and open that file (and in this day and age, they will do that). We're assuming, of course, that worthwhile data such as personal information was the reason behind taking the screenshot.

Now, why would anyone in their right mind take a screenshot of sensitive data? Well, since this laptop acts as dumb terminal (if you prefer, a thin client), it requires some kind of connection to the servers for information to be available. What if the person is going to a place where there isn't any such connectivity, and knows it? He can ditch the laptop and grab a notepad, or he can take the laptop and have the necessary information locally, on his laptop.

There are ways to turn off built-in functions like screen grabbing. But free software that does the same is available as well, and the user could install it. One could prevent the installation of such software, but then it could be run off a USB memory stick. One could prevent the use of memory sticks...and so on and so forth.

Me, being pragmatic, I would just use encryption to protect the disk and call it a day. Of course, that doesn't mean I'm going to retire my antivirus software or not pay attention to what I'm doing, such as leaving my laptop unprotected. All I'm saying is, there are several ways of skinning a cat, and I tend to opt for what's the simplest yet effective.