Post from: TrendLabs | Malware Blog - by Trend Micro
Malware Gets Smart with Vodafone Smartphone
So I'm continuing to read the new report released by Absolute and the Ponemon Institute, and their survey seems to back up what I've felt for a long time: people don't really understand what disk encryption software does, even when they sign up for it.
Consider the following result:
Assuming their laptops are encrypted, 57 percent of business managers believe there is no chance or less than a 10 percent chance of having their sensitive information accessed if they should access an insecure wireless network. In contrast, only 27 percent of IT security practitioners are confident that there would be zero or less than a 10 percent chance of losing data when accessing an insecure wireless network. [my emphasis]

What's jaw-dropping to me is that figure of 27% for IT security practitioners. Granted, this may be because of how the survey question is interpreted:

Q11b. If you were accessing the Internet from an insecure wireless network, what do you think is the probability that someone else would be able to access your sensitive or confidential information assuming the laptop computer had an encryption solution? [my emphasis]

I should point out that "laptops are encrypted" and "laptop computer had an encryption solution" can be interpreted differently. The former implies, at least to me, the use of a full disk encryption solution, whereas the latter could include disk encryption as well as file or folder encryption solutions.
If all of your files or folders are encrypted, I can understand why some security professionals would think using an insecure wireless network wouldn't lead to a data breach: the information is encrypted no matter what. If someone intercepts an encrypted attachment because it's traveling through an unsecured network, the contents of that attachment are still secure.
However, when it comes to an encryption solution like FDE, one can't assume the data will be protected when using insecure wireless networks.
Consider this example using a more familiar product: the owner of a strongbox puts the key into the strongbox and opens it to work with the contents of the strongbox. In such a state, the strongbox cannot protect its contents until it's closed and locked again.
Likewise with FDE: the disk with encryption is the strongbox, the data is the content of the strongbox, and the password is the key to the strongbox. As long as a user is working on an encrypted computer, the contents/data are vulnerable.
Also, just like with the strongbox, if you copy data off a computer that employs full disk encryption--say, to an unprotected USB flash drive, or e-mailed to a co-worker--that data will not be encrypted any longer because it's not on your encrypted drive anymore. This is a crucial point to understand.
FDE doesn't encrypt your data; it encrypts your hard drive. Since your data is saved to the protected hard drive, your data is protected as well...but only as long as it's on that drive. Again, e-mail it, and it won't be protected anymore. And, like I noted, FDE cannot protect your data while you're using the computer.
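To make the strongbox model concrete, here is an added example in Python; it is not AlertBoot's code and not any real FDE product. The cipher is a stand-in (an HMAC-SHA256 keystream from the standard library rather than a disk cipher such as AES-XTS), and the password, sector size and the "SSN" record are constructed. What it shows is the three situations the post describes: the raw image a thief gets from a stolen, powered-off drive; the same disk while the user is logged in; and a copy of the data taken off the drive.

```python
"""Toy full-disk-encryption model: a strongbox that is open while in use.

Added example, not AlertBoot's code or any real FDE product. The cipher is a
stand-in: an HMAC-SHA256 keystream in counter mode from the standard library
instead of a real disk cipher such as AES-XTS. Sector size and sample data
are constructed.
"""
import hashlib
import hmac
import os

SECTOR = 16  # toy sector size in bytes (constructed; real disks use 512 or 4096)


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Per-sector keystream: HMAC(key, sector_no || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDisk:
    """The strongbox. `image` is what sits on the platters; `_key` is the key
    in the lock, present only while the disk is unlocked."""

    def __init__(self, password: str, n_sectors: int = 8):
        self.salt = os.urandom(16)
        key = self._derive(password)
        # Key-check value so a wrong password is rejected at unlock time.
        self._check = hmac.new(key, b"volume-key-check", hashlib.sha256).digest()
        self._key = None  # starts locked
        # A fresh disk holds ciphertext of all-zero sectors, never plaintext.
        self.image = bytearray()
        for s in range(n_sectors):
            self.image += _keystream(key, s, SECTOR)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def unlock(self, password: str) -> None:
        key = self._derive(password)
        tag = hmac.new(key, b"volume-key-check", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._check):
            raise PermissionError("wrong password")
        self._key = key

    def lock(self) -> None:
        self._key = None

    @property
    def unlocked(self) -> bool:
        return self._key is not None

    def write(self, sector_no: int, data: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("disk is locked")
        padded = data.ljust(SECTOR, b"\0")[:SECTOR]
        start = sector_no * SECTOR
        self.image[start:start + SECTOR] = _xor(padded, _keystream(self._key, sector_no, SECTOR))

    def read(self, sector_no: int) -> bytes:
        if not self.unlocked:
            raise PermissionError("disk is locked")
        start = sector_no * SECTOR
        ct = bytes(self.image[start:start + SECTOR])
        return _xor(ct, _keystream(self._key, sector_no, SECTOR)).rstrip(b"\0")


def thief_sees_secret(disk: EncryptedDisk, secret: bytes) -> bool:
    """Stolen, powered-off laptop: the thief has the raw image and no password."""
    return secret in bytes(disk.image)


def copy_to_usb(disk: EncryptedDisk, sector_no: int) -> bytes:
    """Copying a file off the unlocked drive to a USB stick or an e-mail:
    the bytes that leave the strongbox are plaintext."""
    return disk.read(sector_no)


def demo() -> dict:
    password = "correct horse battery staple"   # constructed
    secret = b"SSN 000-00-0000"                  # constructed sample record
    disk = EncryptedDisk(password)

    disk.unlock(password)            # user logs in: key goes into the lock
    disk.write(0, secret)
    in_use = disk.read(0) == secret  # anyone at the keyboard reads plaintext
    usb = copy_to_usb(disk, 0)       # leaves the drive unencrypted
    disk.lock()                      # shut down / stolen while off
    try:
        disk.read(0)
        locked_readable = True
    except PermissionError:
        locked_readable = False

    return {
        "secret_in_raw_image": thief_sees_secret(disk, secret),  # False
        "readable_while_unlocked": in_use,                        # True
        "usb_copy_is_plaintext": usb == secret,                   # True
        "readable_when_locked": locked_readable,                  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the four results line up with the post: the secret never appears in the raw image, but it is readable the whole time the disk is unlocked, and the copy handed to the USB stick is plaintext because the encryption belonged to the drive, not to the data.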
In many instances, I use the strongbox as a metaphor, and people quickly understand what FDE solutions like AlertBoot can and cannot do when it comes to data protection.
Related Articles and Sites:
http://www.absolute.com/resource_center/whitepapers/ponemon-human-factor
44% report they were able to prove the use of encryption
Proving encryption was used is important: regulators
Third parties for resolving conflict of interest

Absolute Software and the Ponemon Institute have come out with a number of reports on the "human factor" when it comes to data security. It turns out that a huge factor when it comes to data security is people (just like Soylent Green); nothing surprising there. For example, business managers think that their laptop computer is secure once hard disk encryption is in place.
IT managers, on the other hand, realize that they still need to employ other forms of security, such as using cable locks on their laptops. However, what really caught my eye is the following:
Ninety-five percent of IT practitioners report that someone in their organization has had a laptop lost or stolen and 72 percent report that it resulted in a data breach. Only 44 percent report that the organization was able to prove the contents were encrypted.

In other words, slightly more than half of those surveyed were unable to provide evidence that sensitive information was encrypted--even if they had it in place!
Not being able to provide positive proof of encryption is problematic for at least a couple of reasons.
First, it makes one wonder how the IT department knows which machines were protected and which ones weren't. Sure, one could send a command for "all computers" to be protected over a network. However, the IT department still needs to follow up and ensure that those machines are indeed protected. I mean, what if the process failed, possibly because a number of machines were missing the latest updates? There are so many things that could go wrong.
Remember, the point is not to go through motions--pushing buttons on a software package--but to safeguard sensitive, confidential data.
Second, how else are you going to convince regulators, state attorneys general, and the like that you did have adequate protection on a machine? You need some kind of proof other than, "Bob from the IT department KNOWS that machine was encrypted." You have to be able to put forward something other than a guy's word.
Many companies opt for in-house deployment of encryption software (which I encourage, if that's what your company needs; and that's saying something, since what we at AlertBoot offer is a managed encryption service--disk security as a service, if you will) because of security concerns.
I've found out that in a significant number of instances, clients will opt for outsourced encryption like AlertBoot despite their misgivings.
Initially, I figured it was due to the cost savings involved with managed encryption services: no need to invest in more hardware; no need to update and upgrade, both hardware and software; no need for ongoing maintenance; etc.
Turns out that a chief consideration among these clients was the conflict of interest when it comes to proving that their machines are encrypted: When people are accused of lying and doctoring documents, how can a company prove--without a trace of doubt--that a computer is indeed protected?
The answer: get an outside organization to take care of it. Essentially, the idea is that "Chinese Walls" don't work, and the guys in the IT department can feel as much pressure to do questionable things as, say, accountants. After all, they have the same boss.
Of course, the clients wanted to make sure that the ability to audit the encryption status of their machines was accurate (one might say this borders on cynicism and paranoia, but I'd disagree: do you know how many reports I read where hard drives bought from on-line auction sites still contain confidential data, in certain cases confidential corporate data? In many such instances, outside contractors hired to pulverize a disk just sold it).
The true cynic, naturally, would point out that third parties are as likely to succumb to corporate pressure: Arthur Andersen's financial audit of Enron, for example, is now considered a classic case.
However, remember that at the time there were five large accounting firms (the so-called Big Five): the other four firms didn't succumb to the same pressure, which is the rule, not the exception.
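Two of the points above can be illustrated in code: that a policy having been pushed to a machine is not the same as that machine being verified as encrypted, and that the record used as proof should not be editable by the people who might later be under pressure to edit it. The following is an added example, not AlertBoot's product or code. The agent reports, hostnames, date and auditor key are constructed, and the report fields are an assumption about what an endpoint agent or encryption console would expose; the record is tagged with a key held by an outside party, so the IT department can read it but cannot alter it without detection.

```python
"""Added example: turning "Bob says it was encrypted" into checkable evidence.

Not AlertBoot's code. The agent reports below are constructed; in a real
deployment they would come from an endpoint agent or the FDE product's
console, which is assumed here. The auditor key stands in for a key held
by an outside party, not by the IT department being audited.
"""
import hashlib
import hmac
import json

# Constructed sample of what an endpoint agent might report per volume.
# Note the gap between a policy having been pushed and encryption being
# verified: a volume can be 100% encrypted yet unprotected (for example,
# BitLocker with its protectors suspended keeps a clear key on disk).
AGENT_REPORTS = [
    {"host": "LT-0417", "volume": "C:", "policy_pushed": True,  "percent_encrypted": 100, "protection_on": True},
    {"host": "LT-0418", "volume": "C:", "policy_pushed": True,  "percent_encrypted": 100, "protection_on": False},
    {"host": "LT-0419", "volume": "C:", "policy_pushed": True,  "percent_encrypted": 37,  "protection_on": True},
    {"host": "LT-0420", "volume": "C:", "policy_pushed": False, "percent_encrypted": 0,   "protection_on": False},
]

STATUSES = ("verified", "pushed-not-verified", "unprotected")


def classify(report: dict) -> str:
    """'verified' means the agent saw the finished state, not that a command was sent."""
    if report["percent_encrypted"] == 100 and report["protection_on"]:
        return "verified"
    if report["policy_pushed"]:
        return "pushed-not-verified"
    return "unprotected"


def _canonical(obj) -> bytes:
    # Deterministic serialisation so the tag covers exactly one byte string.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def attest(reports: list, auditor_key: bytes, generated_at: str) -> dict:
    """Snapshot the findings and tag them with the outside auditor's key."""
    findings = [dict(r, status=classify(r)) for r in reports]
    body = {
        "generated_at": generated_at,
        "findings": findings,
        "summary": {s: sum(1 for f in findings if f["status"] == s) for s in STATUSES},
    }
    tag = hmac.new(auditor_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(attestation: dict, auditor_key: bytes) -> bool:
    """Anyone holding the auditor key can check the record was not edited afterwards."""
    expected = hmac.new(auditor_key, _canonical(attestation["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["tag"])


def prove_host_encrypted(attestation: dict, host: str, auditor_key: bytes):
    """The question a regulator asks: was this host verified encrypted at that time?
    Returns True/False from the record, or None if the record cannot be trusted."""
    if not verify(attestation, auditor_key):
        return None
    for f in attestation["body"]["findings"]:
        if f["host"] == host:
            return f["status"] == "verified"
    return False


def edited_copy(attestation: dict, host: str, field: str, value) -> dict:
    """Simulate after-the-fact editing of a finding (say, after a breach)."""
    copy = json.loads(json.dumps(attestation))
    for f in copy["body"]["findings"]:
        if f["host"] == host:
            f[field] = value
            f["status"] = classify(f)
    return copy


if __name__ == "__main__":
    key = b"held-by-outside-auditor"   # constructed
    record = attest(AGENT_REPORTS, key, "2010-03-15T09:00:00Z")  # constructed date
    print(record["body"]["summary"])
    print("LT-0418 provably encrypted?", prove_host_encrypted(record, "LT-0418", key))
    doctored = edited_copy(record, "LT-0418", "protection_on", True)
    print("doctored record verifies?", verify(doctored, key))
```

The summary separates "verified" from "pushed, not verified", which is the follow-up the first point asks for, and `prove_host_encrypted` refuses to answer at all from a record whose tag no longer matches, which is what the second point needs: the answer comes from a record the IT department could not have rewritten on its own.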
Related Articles and Sites:
http://www.absolute.com/resource_center/whitepapers/ponemon-human-factor
McNair Eye Center on Industrial Park Road, Arkansas, has had a data breach that could affect 9,000 patients. A server, which I'll assume was not protected with data encryption software like AlertBoot, was stolen.
The server was stolen from McNair Eye Center itself (as opposed to a break-in at a data center). The burglars entered the building by pulling out a window air conditioning unit. They also had the sense to turn the security cameras towards the walls. Methinks these people knew the lay of the land beforehand. I wouldn't be surprised if this was an inside job.
According to the article by thesuntimes.com, only the server was taken, which was "very heavy." No details on the actual weight.
I've often found that many people don't really think of encryption software as a necessary precaution for their servers, whereas they might ponder it a bit if we were talking about laptops. Generally, there are two reasons for the lack of enthusiasm for encrypting servers.
First reason: it slows down the server. This is true but must be put into context: most people won't really notice the difference.
If you process as much data as Google, yes, you'll definitely feel the lag. But if you happen to be a smaller business, like our clinic above, chances are "slowing down the server" doesn't quite mean "slow performance," just like a car going down the highway at 120 mph is slower than one going at 150 mph but by no means slow.
Second reason: servers are heavy. Yes, they are. They're heavy...er than a laptop, but not so heavy that a guy would have a problem stealing it. I mean, let's face it, a guy put the server there so chances are another guy can take it away. What kind of security is that?
(Pointing out that there are other forms of security, such as locked doors and whatnot, does not count. The same security would be present if the server in question were a laptop. But people would cry foul for not having the information encrypted if it actually were a laptop.)
Besides, even if a server is super heavy (say, the size of a mainframe) so that it cannot be stolen, where is the guarantee that the data on that server cannot be stolen? A guy could connect an external disk and copy data off that server with a few commands.
Related Articles and Sites:
http://www.thesuntimes.com/news/x324651657/Server-theft-could-affect-9-000-people
I found an interesting article over at meeb.com, a law firm that seems to specialize in real estate and properties. I was looking up 201 CMR 17.00 compliance information--the compliance date was March 1, 2010--and happened upon how condominium managers are affected by Massachusetts's data breach notification and encryption laws.
As already discussed a couple of times previously, MA 201 CMR 17 penalties have some teeth to them (a maximum of $5,000 per violation, although it's not yet quite clear what "violation" means exactly: per file? Per name of resident affected? Per computer lost?)
Obviously, many businesses are affected by this law. However, I kind of forgot that it's a data protection law, not a "consumer" data protection law, which is why the fact that condo managers need to follow this law came as something of a surprise, although it shouldn't have.
Why do condo managers need to see if they're in compliance with 201 CMR 17? For two reasons, at least:
They have employees. If a company has any employees--even just one--it is required to keep W-4 and I-9 forms (for tax withholding and employment eligibility verification). These forms require first and last names; SSNs and/or other forms of identifying information; and are to be retained by a company for at least three years. Obviously, this data has to be protected per 201 CMR 17.
Direct payment / Automatic withdrawal. As noted in the article, many property management companies make available a direct payment program, where a biller automatically withdraws money from a person's bank account. Financial information--such as bank account numbers--is also required to be protected from breaches if it happens to be combined with first and last names.

Guess who's making a trip down to the lobby, where the management office is, to see if his information is protected?
One thing to constantly keep in mind is that this is an information breach law. The fines and penalties apply even if a file full of paper documents is lost. For example, a folder full of direct payment authorization documents is lost? Chances are you'll be fined for that, assuming the folder was not secured in a locking file cabinet.
What's important is not what form the information takes. Ensure that you're not just concentrating your efforts on laptop encryption like AlertBoot, internet firewalls, anti-virus software, and the like.
Related Articles and Sites:
http://www.meeb.com/articles/ID%20theft.pdf