
A spear phishing attack on IMF

June 15th, 2011
IMF Headquarters, Washington, DC.


Hackers are not only getting into gaming sites; they are eyeing the financial world as well. This time it is the International Monetary Fund (IMF). The news came just a day after Citibank disclosed a cyber attack in which the names, account numbers and email addresses of more than 200,000 North American Citibank account holders were compromised.

Before we move ahead and discuss the story in detail, let us try to understand the difference between phishing and spear phishing. Phishing floods millions of inboxes and relies on volume; spear phishing selectively targets individuals who have been identified in advance. That means a spear phishing campaign can be aimed at a small group of people working in the same organization, with messages tailored to them.

It appears that a foreign government may have been behind the breach. According to IMF spokesman David Hawley the incident was under investigation and the fund was fully functional. Fox News reported that the IMF’s computers had been compromised via malicious software, similar to an earlier incident in November 2008.

The World Bank cut a network link it had with the IMF after one of the IMF’s desktops was compromised and a large quantity of data was taken. The attackers had deliberately infected a computer at the IMF with malware designed to steal information. It was reported to be a new kind of malware, one that gave the attackers broad access to the IMF’s systems and so to ‘hot market’ information. Email warnings about “increased phishing activity” went out on June 1, and employees were told not to open emails from unknown senders, follow suspicious video links or click on attachments. On June 8 the IMF sent an internal memo about the actual attack to its board members and employees.

Political rivals, China in particular, have been suggested as the source, because data on monetary policy is of great value. The IMF monitors the economic stability of its 187 members and analyzes each nation’s financial risk. It supervises the global financial system and recently played a major role in the bailouts of Greece, Ireland and Portugal. The breach came as a rude shock while the fund was still grappling with IMF chief Dominique Strauss-Kahn’s sexual assault scandal.

Unless the IMF reveals more about what data was compromised and how, it is difficult to know who was behind the attack or the extent of the loss. The Federal Bureau of Investigation is in charge of the investigation.

Contact Alertsec for your data security needs

It is clear that the security of even the world’s largest organizations is at risk. Full disk encryption keeps the data on a lost or stolen machine unreadable, and data loss prevention systems can limit what leaves the organization. Note, though, that disk encryption protects data at rest: it does not stop malware running on a booted, unlocked machine, which is how the IMF intrusion was reported to have started, so it complements rather than replaces anti-phishing controls and user awareness. Investing $13/month per machine gives an organization peace of mind, a very small price compared with losing sensitive data. Alertsec Xpress offers an easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for a personal 30-day free trial.


Full Disk Encryption – An Executive’s Introduction To How It Works And Other Issues

May 2nd, 2011

File encryption or full disk encryption? That is now the most important question for many organizations. Some encrypted their important files and still suffered data loss, because file encryption covers only the files someone chose to encrypt, not the copies, temporary files and swap data that move in and out of them. Those organizations see little benefit in file-level encryption; full disk encryption is what addresses their concern.

Organizations are also unsure whether to apply full disk encryption to every system or only to those that hold sensitive data. Guidance from PCI and the ICO points to encrypting every system: only a few staff are supposed to handle sensitive data, but in an emergency an ordinary staff member may end up with access to it too. So be ready before the mistake is made.

Full disk encryption not only protects the sensitive files but covers every byte on the drive, including temporary files, swap and system data that file-level encryption leaves in the clear. Some organizations still hesitate because of drawbacks that, if mishandled, can themselves cause data loss or an unusable machine:

  1. A forgotten password with no recovery mechanism locks the owner out as firmly as it locks out a thief.
  2. A hardware fault on an encrypted drive is harder to recover from, because partial data cannot be read without the key.
  3. An interruption during the initial encryption pass, or a bug in the product, can corrupt data.
  4. People choose short, common passwords because they can remember them; a key derived from such a password is only as strong as the password, and an attacker holding the drive can guess offline at leisure.
  5. People also write passwords down when they doubt they will remember them.
  6. Weaknesses in an algorithm or its implementation are occasionally found, so the choice of product and algorithm matters.
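
Items 4 and 6 above are the ones a thief actually exploits. The following is an added example, not code from the original post or from any Alertsec product: it assumes the pre-boot component derives its key-encryption key from the passphrase with PBKDF2-HMAC-SHA256 and stores only a salt, an iteration count and a verifier hash on the drive, so whoever holds the stolen drive can rerun the derivation against a wordlist offline. The wordlist, iteration count, verifier construction and passphrases are constructed for the demo.

```python
"""Offline guessing against a passphrase-derived disk key (added example).

Assumptions, not taken from the original post or any product: the disk's
key-encryption key is PBKDF2-HMAC-SHA256(passphrase, salt); the drive header
holds only the salt, the iteration count and a verifier hash of the key.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a cracker's dictionary; real lists hold tens of millions of entries.
WORDLIST = ["password", "letmein", "welcome1", "Summer2011", "qwerty123", "Passw0rd"]
# Kept low so the demo runs instantly. Products use a far higher count, which raises
# the cost of every guess in the same proportion but cannot rescue a dictionary word.
ITERATIONS = 10_000


def derive_disk_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """256-bit key-encryption key from the passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def enroll(passphrase: str, iterations: int = ITERATIONS) -> dict:
    """What the pre-boot component keeps on the drive: salt, iteration count and a verifier.

    Neither the passphrase nor the derived key is stored; the verifier only lets
    pre-boot authentication check a candidate passphrase.
    """
    salt = os.urandom(16)
    key = derive_disk_key(passphrase, salt, iterations)
    verifier = hashlib.sha256(b"verifier" + key).digest()   # constructed scheme for the demo
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def dictionary_attack(header: dict, wordlist) -> tuple:
    """Offline guess loop using only the on-disk header.

    Returns (passphrase, guesses) on success or (None, guesses) when the list is exhausted.
    """
    for guesses, candidate in enumerate(wordlist, start=1):
        key = derive_disk_key(candidate, header["salt"], header["iterations"])
        if hmac.compare_digest(hashlib.sha256(b"verifier" + key).digest(), header["verifier"]):
            return candidate, guesses
    return None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure the attacker's per-guess cost for an iteration count (hardware dependent)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_disk_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = enroll("Summer2011")
    strong = enroll("correct horse battery staple 7#")
    print("weak passphrase:  ", dictionary_attack(weak, WORDLIST))
    print("strong passphrase:", dictionary_attack(strong, WORDLIST))
    for n in (ITERATIONS, ITERATIONS * 10):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1e3:.2f} ms per guess")
```

The weak passphrase falls on the fourth guess regardless of the algorithm; the long one survives because it is not in the list, not because the cipher is stronger. Raising the iteration count multiplies the attacker's cost per guess, which is why products pick a high count, but only passphrase length and unpredictability take a drive out of reach of a dictionary.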

Before deploying it, remember that encryption does not change which threats exist; it changes what a lost or stolen device gives away. How much it helps depends on how it is implemented and operated, so check the following:

  1. Whether the product uses a validated implementation of an approved algorithm such as AES (FIPS 140-2 validation is the usual benchmark), rather than a proprietary one.
  2. That the key has to sit in memory while the machine is unlocked: a running or merely suspended laptop, and anything the system swaps or hibernates to disk outside the encrypted volume, remains exposed. The drive is only protected when the machine is powered off or sitting at the pre-boot prompt.

Data loss is another concern, but full disk encryption works below the file system, at the disk-sector level, rather than inside individual applications. Applications never interact with it directly, so the chance of a conflict between the encryption and other software is small and the probability of data loss is correspondingly lower than with file-level tools.

So, if your system holds sensitive data that you cannot afford to lose, apply full disk encryption: the performance cost on modern hardware is small, and the whole drive is protected rather than a hand-picked subset of files.

About ALERTSEC:-

Alertsec Xpress is the No.1 encryption service provider for hundreds of banks and financial institutions worldwide, with a 24x7 customer service desk. By offering computer protection software and encryption built on Check Point Pointsec at the lowest total cost of ownership (TCO), they keep data secure. For more details about Alertsec see: http://www.alertsec.com


Advice on security for small/medium sized organisations

November 16th, 2009

We’ve talked about the Information Commissioners Office (ICO) several times here, most recently in Encrypt Before the Law Smacks It On.  We talk about the ICO because it is one of the few governmental agencies, anywhere in the world, with real legal powers to ensure that organizations keep private data secure.  Knowing the quality of the ICO’s work, it is intriguing to see their latest project.  The ICO is soliciting bids for a project to research and produce a report on the availability of advice on information security for small and medium sized businesses (SMBs).

The ICO says that “The aim of the project is to establish whether there is appropriate advice available on keeping personal information secure for small to medium sized organisations.”  They want to understand what authoritative advice is available and how this information can best be made accessible to these small organizations.

Government Report on Security for SMB Organisations

On the one hand you have to wonder if the world needs another government report.  But on the other hand I think back to the number of small and medium sized businesses that have been featured within the electronic walls of this blog alone. When you read through the ICO enforcement page you will spot some large businesses like UPS – but there are many small businesses, like a sole medical practitioner or a small government agency, that have fallen prey to unsecured and unencrypted data.

A great deal of the ICO’s enforcement effort concerns the loss of personal data – most often on media that was not appropriately encrypted. In theory, large organisations, whether in the public or private sector, should have the resources to either maintain an ‘in-house’ security capacity or to obtain support from those with specialist security expertise.

What is much less clear is whether there is sufficient advice and resources available for smaller organisations.  While the organizations themselves might be smaller, some of them will hold vast repositories of personal information – on par or greater than a large organization.  But it is the rare small organization that has the resources to afford to either retain ‘in-house’ specialists or to pay for the support of security consultants.

Just because you are small, it does not mean your database is small!

While we are months away from this report, indeed we are at least a month away just from the selection of the organization to handle this study, we can only hope that this study will highlight the value that security via software-as-a-service (SaaS) brings to the table.

Many large organizations select SaaS tools like Alertsec to ensure the security of their hard drives; a selection that is highly cost-efficient.  However, if services like Alertsec did not exist, these large businesses would find other ways (albeit more expensive ways) to address their security issues.  SMBs often have a different challenge in that they have little to no budget for critical security projects.  They might, and often do, think that they have no options.  Only when they see the cost of ownership data do they realize that security and encryption are indeed possible in their small and underfunded world.

Software as a Service fits SMB

Hopefully, when the report with “advice on security for small/medium sized organisations” comes out in 2010 it will recognize the considerable options and benefits that SaaS provides for small and medium sized organizations.

Your data is your data, no matter where it is

October 26th, 2009

With some of the most stringent reporting requirements regarding data breaches, the tiny state of New Hampshire (population 1.3 million) in the northeastern United States is turning into the place to go to learn about data breaches.   The latest news on how a “laptop left on plane put pension fund participants at risk” is an interesting tale about how security does not stop at your firewall – indeed security is a piece of most every business puzzle.

Party A does not encrypt and loses data owned by Party B

This story is a bit hard to follow, but essentially on June 14 an employee of the Verso Paper Corp. left a company laptop behind on an airplane.  On the laptop were two documents that contained the names and Social Security Numbers of some former and current participants in the PACE Industry Union-Management Pension Fund (PIUMPF). According to a letter (pdf) sent to the New Hampshire Attorney General’s Office, PIUMPF had provided Verso with the data as part of a discussion relating to the possible merger of Verso’s pension plan into PIUMPF.

So say you are the IT manager at PIUMPF and perhaps if you have secured and encrypted all your data – you are sitting safe and pretty.  But your company’s data is shared with Verso and they don’t have nearly as good security – their laptops are not encrypted and as this case highlights – a third party can bring you down from a security perspective.

You can’t just encrypt, You have to educate

Alertsec has written and talked about this many times.  What your partners do matters: from Software-As-A-Service vendors who host your data, to the company that carries your backup tapes to a vault, to business partners that gain access to some or all of your data. When it comes to security, the actions of your partners matter.

Any other vendor that will come in contact with your confidential data has to be asked to follow the same stringent security protocols that you use.  However, the decision to share data may occur outside the confines of the IT world.  This is a key reason why it is not just enough to secure and encrypt your organization’s PCs – you have to ensure that your senior leaders understand the security issues of data sharing.

Encryption is the only secure way to protect your information

It might seem pushy to ask questions about a business partner’s security procedures – but the case with Verso Paper highlights why you have to be proactive and specifically tell business partners what you mean by security. If the unthinkable actually happens and your business partner loses a computer holding your data, a tool like Alertsec Xpress keeps that information encrypted at all times, so it cannot be read without the credentials, and that is what gives you peace of mind.

Encrypt Before the Law Smacks It On!

October 22nd, 2009

The Information Commissioners Office (ICO) is the UK’s independent authority set up to promote access to official information and to protect personal information.  The ICO has legal powers to ensure that organizations comply with the requirements of the Data Protection Act.  The ICO is an outgrowth of the Data Protection Act 1998, which has helped to encourage businesses to step up and take action to ensure appropriate protection of data. The ICO, which is responsible for enforcing the Act, has shown great success in getting organizations to cooperate after DPA violations.

Information Commissioners Office Enforcements

Reading through the ICO enforcement page is like reading an advertisement for encryption software.

  • 14 September 2009 – Billing Pharmacy Ltd, theft of an unencrypted computer containing sensitive personal data for around 1,000 customers.
  • 4 September 2009 – Sandwell Metropolitan Borough Council, an unencrypted memory stick was lost by an employee.
  • 21 August 2009 – London Borough of Sutton, theft of two unencrypted laptops.
  • 20 August 2009 – Repair Management Services Ltd (formally MVRA), theft of an unencrypted laptop containing the personal information of approximately 36,800 individuals.
  • 12 August 2009 – UPS Limited, an unencrypted password-protected laptop was stolen containing the payroll data of approximately 9,150 UK based UPS employees.
  • 28 July 2009 – Imperial College Healthcare NHS Trust at St Mary’s Hospital, South Wharf Road, London, theft of six unencrypted laptop computers (two incidents)
  • 28 July 2009 – NHS Lothian, theft of an unencrypted memory stick
  • 28 July 2009 – London Clubs International Limited, theft of an unencrypted laptop containing the data of approximately 26,000 customers.
  • 14 July 2009 – Chelsea & Westminster Hospital NHS Foundation Trust – theft of an unencrypted USB memory stick containing personal data relating to 143 of the Trust’s patients.
  • 14 July 2009 – The Hampshire Partnership NHS Trust, theft of an unencrypted laptop computer, containing the personal data of 349 patients and 258 members of staff.
  • 14 July 2009 – The Royal Free Hampstead NHS Trust, loss of an unencrypted computer disk containing personal data relating to some of the Trust’s patients.
  • 14 July 2009 – Surrey and Sussex Healthcare NHS Trust, theft of two unencrypted laptop computers containing personal data relating to 23 and up to 80 of the Trust’s patients respectively.

Password protected laptops are not secure

Referring to the UPS case noted above, Mick Gorrill, Assistant Information Commissioner with the ICO, said “Password protected laptops are not secure. I urge all organisations to restrict the amount of personal information that is taken off secure sites. I am pleased that UPS has encrypted its laptops and smartphones, and I urge other organisations to follow suit.”

Encryption is the most Affordable Security Approach

In all these cases, the breaches are clear examples of incidents that could have been avoided entirely had a data security measure like laptop encryption software been in place.  There are so many benefits to encryption; it is so affordable; it is so obvious – yet as the ICO enforcements show, we are a long way from universal laptop encryption.

In each of the cases noted here, the organization implemented encryption policies as part of the ICO enforcement – and I bet each of them wishes it had implemented the same policies on its own, ahead of the law!

Employees – The Weak Link in Encryption

October 18th, 2009

With the continued growth of mobile computing and of data security laws, companies are investing more and more time and money into security systems every day.  Unfortunately, a common failing of these laptop security measures is that they rely heavily on the diligent action of laptop-using employees to remain effective.  Thus, even after this investment of time and money, a security breach occurs because of the weakest link: the person behind the keyboard.

Employees Can’t Be Relied on to Enforce Security

Most organizations promote policies for the safe use of mobile computing devices and for accessing sensitive files.  However, just think about yourself:

  • Have you ever shared a password with another employee?
  • Have you ever heard about another employee sharing passwords and not reported it?
  • Have you ever turned off an anti-virus, anti-spyware or encryption program?
  • Have you ever copied confidential data from its home (mainframe, shared network drive) to your PC for convenience?

Regardless of policies, the reality is that busy salespeople, unknowing marketers and harried administrative staff will ignore or avoid policy and load sensitive information onto portable computers. With more than 600,000 laptops lost or stolen each year from U.S. airports alone, companies relying on organizational policy to protect sensitive data will continue to fuel data breach media headlines.

Value of Remote Administration for Encryption

Traditionally, organizations have used corporate firewalls and other intrusion detection systems to protect corporate networks from potentially compromised endpoints.  However, in today’s laptop-dominated environment, endpoint security strategies place the responsibility for security on the device itself and not on the employee.  This next generation of security strategy is already common in the form of anti-spam filters, desktop-level firewalls and anti-virus software.

For the best protection from encryption, there should be no local administration available to the end user.  This is one of the benefits of Alertsec Xpress: it is designed to support an enforced security implementation in which the user cannot disable the security without proper authority.  Recognizing that organizations cannot rely on end users to consistently follow IT policy or diligently apply security software, Alertsec Xpress removes the need for end-user involvement for the protection to be effective.

US Federal Agencies Still Fail at Security

September 29th, 2009

The U.S. Government Accountability Office (GAO) has released another information security report which indicates that while federal agencies continue to make progress with information security policies and practices, there is still a need to “mitigate persistent weaknesses.”  The report says that for fiscal year 2008, almost all of the 24 major federal agencies had weaknesses in information security controls.

The GAO’s auditors said a recent audit that examined how well agencies were protecting information and complying with the Federal Information Security Management Act (FISMA) found significant problems. “These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies,” GAO said. “Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk.”

While these security issues spanned the spectrum, many concerned the securing of confidential data.  An analysis of the reports reveals that 48 percent of information security control weaknesses pertained to access controls. For example, agencies did not consistently establish sufficient boundary protection mechanisms; identify and authenticate users to prevent unauthorized access; enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; or apply encryption to protect sensitive data on networks and portable devices.

  • The Securities and Exchange Commission had 23 new weaknesses in controls intended to restrict access to data and systems.  “For example, it had not always (1) consistently enforced strong controls for identifying and authenticating users, (2) sufficiently restricted user access to systems, (3) encrypted network services, (4) audited and monitored security-relevant events for its databases, and (5) physically protected its computer resources.”
  • While the Los Alamos National Laboratory—a weapons laboratory—implemented measures to enhance the information security of its unclassified network, vulnerabilities continued to exist in several critical areas, including encrypting sensitive information.

In response to this report, Vivek Kundra, President Obama’s newly appointed federal chief information officer, said that OMB was working to clarify FISMA reporting guidance and improve performance metrics. He also said OMB was planning to move FISMA reporting to an Internet-enabled database for fiscal 2009 reporting.  The hope here is that the transparent and public reporting of issues will, as has occurred in the private sector, encourage an increased focus on security.

The report highlighted several opportunities including the SmartBUY program. This program, led by the General Services Administration, is to support enterprise-level software management through the aggregate buying of commercial software governmentwide. The SmartBUY initiative was expanded to include commercial off-the-shelf encryption software and to permit all federal agencies to participate in the program.

The tools are all there – maybe someday all the confidential data will actually be encrypted.

All encryption is not created equal

September 25th, 2009

One of the benefits of software like Alertsec is that many breach notification laws do not require notification when the data in question was encrypted.  However, in the United States one of the exceptions is the tiny state of New Hampshire. In New Hampshire a company is required to report a data breach even if the sensitive information was encrypted.

Normandeau Associates Reports Stolen Laptop

So just recently, Normandeau Associates filed a letter with the Attorney General after a laptop was stolen. According to the letter filed with the AG, a computer holding personal information on 277 NH residents (how many people living in other states were affected is unknown) was stolen from an employee’s home in November 2008.  The laptop was recovered in February 2009.  However, the theft somehow did not come to light until June 2009.

According to a copy of the letter sent to affected residents, the laptop contained a database of past and current Normandeau employees, including SSNs, names, and bank account numbers.

Confidential Data on the Laptop

So, why was this database on the laptop computer?  The official letter explained:

Normandeau has policies that prohibit personal information from being downloaded onto its laptop computers. In this instance, the database was temporarily stored on the laptop during restorative maintenance to the company’s network, and contrary to company policy, not thereafter removed. The company took action against the responsible person for unintentionally failing to remove the database containing the personal information as required by company policy. No further precautionary actions were required to prevent similar breaches.

But the letter also noted:

The perpetrator required specific computer software to access the encrypted database in its existing format on the laptop, and it is unknown if access was actually made.

Levels Of Encryption

That last note explains why states like New Hampshire require reporting even when data is encrypted.  There are different levels of encryption, and depending on how strong (or weak) the database’s encryption happens to be, there could have been a data breach.

The most common example of encryption is the password protection used in Microsoft Office products like Word and Excel. The encryption behind it, at least in the older Office file formats, is weak: a simple search on the Internet yields inexpensive and often free software that breaks it.

While the letter from Normandeau does not identify the encryption that was used, its phrasing “required specific computer software to access the encrypted database” indicates that the encryption was not on the entire laptop – only on this database.

Hard drive encryption encrypts all data stored on a hard drive. With a program like Alertsec, all installed programs, files and system settings are encrypted, so an unauthorized person who picks up the powered-off laptop cannot read any of it without the credentials.

All encryption is not equal – but Alertsec will provide a high level of encryption for minimal cost and expenditure of time.

Prescriptions without Encryptions!

September 22nd, 2009

This month the United States Naval Hospital in Pensacola, Florida began notifying thousands of people who use its pharmacy services. Last month, on August 18, a laptop computer containing personally identifiable information disappeared.

The last date that the computer can be accounted for is Aug. 18. In an internal review and investigation, the command made contact with 100 percent of its Pharmacy staff members in an attempt to discover the whereabouts of the computer.  The computer has a damaged screen and is thought to have been disposed of.

The computer’s database contains a registry of 38,000 pharmacy service customers’ names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. “While there is no evidence to suggest personal data has been compromised, it is the Department of the Navy’s policy to apprise individuals whose Personally Identifiable Information (PII) may be at risk,” says Captain Maryalice Morro, commanding officer.

As is the case with every security breach, additional security measures are implemented after the fact.  The hospital is now reviewing all protocols to ensure that Personally Identifiable Information is protected.  The hospital spokesperson notes that “We regret any inconvenience or undue concern this may cause and we take this potential data compromise very seriously and continue to strive to protect and secure your PII.”

So once again we have an organization that “strives to protect and secure your Personally Identifiable Information.”  So how did they strive?

  • Putting confidential medical records on a laptop
  • Not encrypting the laptop
  • Not training staff on the proper procedures for disposing of the laptop

Today, information is often an organization’s most important asset. As laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. That is why protection of mobile devices is so important.

As our recent article Data Loss is the Other Guy’s Problem pointed out, hospitals are at high risk of data loss.  Yet they remain slow to adapt and slow to realize that services like Alertsec, with hard disk encryption as a fully managed service, are affordable and easy to manage.

It seems like the medical community is better at providing advice than it is at listening to advice!

eBay – Allowing Unencrypted Drives to Live on!

September 18th, 2009

A Spring 2009 study of used hard drives by the University of Glamorgan showed that computers sold on eBay and at computer fairs still contain sensitive corporate data from companies such as Laura Ashley, Lockheed Martin, Ford and Nokia. The school frequently undertakes research on behalf of the police and high-tech crime units, with state-of-the-art facilities and researchers who have an established record in network security and data crime analysis.   This study, funded by BT and Sims Lifecycle Services, found that a number of hard drives contained a substantial mixture of corporate and personal data.

Of the 300 drives that were purchased, the most notable one was a disk containing the test launch procedures for the Terminal High Altitude Area Defence missile system.  The same disk also contained “security policies, facility blueprints and employee social security numbers belonging to the system’s designer, aerospace manufacturer Lockheed Martin.”  The researchers turned the drive over to the FBI when they found some employee data still readable on the drive.

That story lives on because personal data was eventually found on the Lockheed Martin drive that affected at least one resident of New Hampshire in the United States.  Lockheed Martin notified some former or current employees that a hard drive that formerly belonged to the company had been found for sale on eBay by academic researchers participating in a global research project.

Law Required Reporting of Theft of Unencrypted Data

According to state law, Lockheed had to file a letter with the New Hampshire state’s Attorney General.  The report states that:

“We are informing you of this incident because your first and last name and Social Security Number (SSN) were contained on the hard drive in question. This was the only personal information found related to you on the drive. We’ve determined that this information was collected between the years of 1999 and 2001 as part of a process to provide access to employees and guests visiting Cape Canaveral and possibly other Lockheed Martin facilities.”

This leads to any number of questions.  Why is a government contractor collecting SSNs?  Why didn’t the contractor encrypt the files for security reasons?  Why didn’t they wipe the data before selling the drive?

From a timeline perspective, the data should have been encrypted the moment it was collected.  If it was not, it should at least have been kept under access control.  Then it should have been deleted when it was no longer needed.  Then, before the drive was sold, the drive should have been wiped: deleting a file only removes its directory entry, and the sectors keep their contents until something overwrites them.

The list of security and plain common-sense mistakes is long.  But the key point is that had the first step been encryption, every later error would have been harmless: the SSNs on the resold drive would have been ciphertext, and destroying the key would have wiped them as effectively as an overwrite.  When your first step is encryption, you are covered for the rest of the drive’s life.
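
The remanence point above, and the Glamorgan finding that readable data survives on resold drives, can be shown on a toy model. This is an added example, not code from the original post, the Glamorgan study or any Alertsec product: it simulates a drive as a byte array with a tiny allocation table in which deleting a file only clears the table entry, as a real unlink does, and then carves the raw image for SSN patterns the way a buyer of a second-hand drive could. The cipher is a per-sector keystream from HMAC-SHA256 standing in for the AES a real product uses; the key, the payroll records and the SSNs are all constructed for the demo.

```python
"""Data remanence on a resold drive versus encrypt-first (added example).

Not from the original post or the Glamorgan study. The disk, its allocation
table, the toy keystream cipher, the key and the payroll records are all
constructed for this demonstration.
"""
import hashlib
import hmac
import re

SECTOR = 32        # one SHA-256 digest keys exactly one sector of the toy disk
SECTORS = 16
DEMO_KEY = hashlib.sha256(b"constructed demo disk key").digest()   # constructed, not a real key
PAYROLL = b"Jane Doe,123-45-6789\nJohn Roe,987-65-4321\n"          # constructed sample records


class ToyDisk:
    """A disk image plus an allocation table of name -> (first sector, byte length)."""

    def __init__(self, key=None):
        self.image = bytearray(SECTOR * SECTORS)
        self.table = {}
        self.next_free = 0
        self.key = key          # None models an unencrypted drive

    def _mask(self, sector_no, data):
        """XOR a sector with a keystream tied to its sector number (no-op when unencrypted).

        Toy stand-in for a real product's AES; tying the keystream to the sector
        number is what stops two sectors with equal plaintext looking alike.
        """
        if self.key is None:
            return bytes(data)
        ks = hmac.new(self.key, sector_no.to_bytes(8, "big"), hashlib.sha256).digest()
        return bytes(b ^ k for b, k in zip(data, ks))

    def write_file(self, name, data):
        if len(data) > SECTOR * (SECTORS - self.next_free):
            raise ValueError("disk full")
        start = self.next_free
        for off in range(0, len(data), SECTOR):
            chunk = data[off:off + SECTOR]
            base = self.next_free * SECTOR
            self.image[base:base + len(chunk)] = self._mask(self.next_free, chunk)
            self.next_free += 1
        self.table[name] = (start, len(data))

    def read_file(self, name):
        """The owner's view: a normal read through the file system with the key loaded."""
        start, length = self.table[name]
        out = bytearray()
        sector = start
        while len(out) < length:
            out += self._mask(sector, self.image[sector * SECTOR:(sector + 1) * SECTOR])
            sector += 1
        return bytes(out[:length])

    def delete_file(self, name):
        del self.table[name]    # sectors are left untouched, exactly as a real unlink leaves them

    def wipe(self):
        self.image[:] = bytes(len(self.image))   # the overwrite step the page says was skipped


def carve_ssns(image):
    """What a buyer does with a second-hand drive: scan raw sectors, ignoring the file system."""
    return re.findall(rb"\b\d{3}-\d{2}-\d{4}\b", bytes(image))


def ssns_exposed_after_delete(key=None):
    """Write the payroll file, delete it as the seller would, then carve the raw image."""
    disk = ToyDisk(key)
    disk.write_file("payroll.csv", PAYROLL)
    disk.delete_file("payroll.csv")
    return len(carve_ssns(disk.image))


if __name__ == "__main__":
    print("unencrypted drive, file deleted:", ssns_exposed_after_delete(), "SSNs carved")
    print("encrypted drive, file deleted:  ", ssns_exposed_after_delete(DEMO_KEY), "SSNs carved")
```

On the unencrypted disk both SSNs are carved straight out of the sectors after the delete; on the encrypted disk the same raw scan finds nothing, and once the key is gone the ciphertext is all a buyer will ever hold. Wiping still matters for the unencrypted case, which is why the page lists it as the last step the seller skipped.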