The Irish police, the gardai, are investigating the break-in and burglary of a Labour member. The office of Jack Wall TD, a member of the lower Parliament of Ireland, was found ransacked on Monday. The thieves made off with two laptop computers, one of them with sensitive information; a scanner; and some money that was raised during a fundraiser. Thankfully, hard drive encryption was used on the laptop computer with the sensitive information.
Off the top of my head, I can think of at least four information security instances in Ireland this year. There was the case of the blood bank that suffered a breach in New York; two instances involving the Bank of Ireland; and this latest one. No doubt there are others that are escaping my mind at this moment. Call it selective memory, but it seems that Ireland understands what it means to protect data.
This latest case is a good example. The main door to the building had three locks. I personally don’t believe this represents adequate security, but when you consider that most business, across the world, believe one lock is sufficient security, well, these guys have gone the extra mile. Plus, the doors were wrecked, leading gardai to believe that the perpetrators used a sledge hammer or iron bar to break in. When violence is used to gain entry, it generally means that existing security wasn’t just for show. Compare this to instances where burglars entered the premises via unlocked windows or fiddled with the door.
However, what’s really commendable is that full disk encryption is being used on top of these physical security measures. Unlike organizations that believe a locked door is all that’s required to protect the contents of a computer, many Irish organizations have opted to have their data encrypted, no buts or ifs. Why?
Obviously because the law requires it. But if we’re to be a bit more philosophical, I suppose it’s an admission that there are no guarantees in life. There is no guarantee that a trusted employee will not rob your offices during the night. There is no guarantee that a security guard won’t do the same. Or that someone won’t drive a car through the doors. Or that someone will use a sledgehammer. I mean, there are just so many ways of committing theft…how to you guarantee the security of a computer with so many variables out in the world? You can’t. You do the next best thing, which is to somehow guarantee the safety of the data.
Encryption products like file encryption and usb disk data security software to protect external hard drives cannot protect data at all times. For example, encryption can’t protect you from employees who have a beef to grind with you and happen to know the encryption passwords. But, it can guarantee safety when a computer is missing due to theft or misplacement, which comprise over half of all data breaches.
Related Articles:http://www.herald.ie/national-news/oireachtas-laptop-stolen-after-breakin-at-tds-office-1552065.htmlhttp://www.leinsterleader.ie/news/Constituency-info-on-laptop-robbed.4706515.jp
Several blogs have reported that Starbucks employees are receiving letters asking them to watch out for funny business. According to the letter, a laptop computer with personal information (including name, address and SSN) on 97,000 employees was stolen. The coffee company last had a major breach approximately two years ago. It seems likely that laptop computer encryption was not used in this case, if my interpretation of Washington data breach notification laws is correct. Thankfully, the law is written mostly in civilian-speak, which is good, since I’m not a lawyer,
According to RCW 19.255.010, the breach notification law in Washington,
Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The above emphasis is mine, of course. It seems to me that had Starbucks used data encryption software (the letter, a copy of which is available here, does not mention whether data protection measures were in place), it wouldn’t be required to notify the theft of the laptop computer to 97,000 employees. But the company did, and also offered Equifax credit monitoring for one year to all affected, which will cost plenty of ducat; even with a discount, it probably means plunking down close to $1 million, if not more. What public company would offer such a package when the use of encryption would have protected personal data? All signs point to “no encryption.”
On the other hand, it could be that Starbucks did encrypt the data and is just being cautious. After all, Starbucks does try to be a socially conscious company. Plus, one would imagine that the inventors of the Frapuccino would have the sense to employ information security after the first major breach. But then why not mention the presence of data protection measures? My experience is that usually the lack of information is quite revealing as well.
A claim is made in the gossip site that the laptop computer was stolen from an employee’s home:
I called the PCC [Partner Contact Center] after I got my letter and they informed me that the laptop was stolen out of someone's home. Apparently the partner who had the laptop stolen worked at the enterprise help desk, but worked out of the home. They were running something related to the databases, and that night i guess his laptop was stolen out of the home. [Posted by: tomokun]
It seems to me that if this guy was officially working out of home, he definitely should have had his laptop contents encrypted. Many say that the information shouldn’t have been on the laptop to begin with. I’d agree, on principle, that information on 97,000 current and ex-employees shouldn’t be stored on a laptop in an unsecured environment.
But, let’s be realistic. Stuff like this happens all the time. Even logging in remotely doesn’t prevent someone from downloading information to their laptop: Ever feel the frustration of having to wait for your mouse’s pointer to move from one side of the screen to the other, two seconds after you actually moved your mouse? As long as minor technological hurdles remain, people will attempt to download work a local machine. The pragmatic thing to do is to ensure the safety of that data by using encryption.
Other things to point out, based on what I’ve read at the Starbucks Gossip site so far:
That last one really irks me. I’ve had people proclaim to me that encryption doesn’t work, and have used the cold-air case as their “proof.” How is it possible to be so misinformed? Let me put it this way: would you say that a condom is not an effective means of contraception because a pregnancy will result in 2% of the cases when it’s used properly? Is Lysol not an effective disinfectant because it only kills 99.9% of germs?
Related Articles:http://starbucksgossip.typepad.com/_/2008/11/somebody-please.htmlhttp://network.nationalpost.com/np/blogs/theampersand/archive/2008/11/24/starbucks-baristas-might-want-to-double-check-their-bank-statements.aspxhttp://www.csoonline.com/article/221322/CSO_Disclosure_Series_Data_Breach_Notification_Laws_State_By_Statehttp://seattletimes.nwsource.com/html/retailreport/2008430880_retailreportdige25lap.html
Approximately 2000 teachers, assistants, and support staff in Manchester, England are irate over the theft of two laptop computers from a secure area. The computer had names, dates of birth, and national insurance numbers. While the theft was discovered three weeks ago, the affected education workers have been notified only recently. As the warning letter pointed out, full disk encryption software was not used, although password protection was present.
Of course, password protection doesn’t really mean protection. And, it seems that a lot of UK residents are now aware of the fact. As one of the support staff has exclaimed, “It stinks - I cannot believe that these computers were not encrypted.” [mancheserterveningnews.co.uk]
It’s a sad, sad day when support staff are more knowledgeable about data security procedures than the administration. I guess the administration was busy playing golf or something while the UK suffered breach after information breach this past year. Otherwise, how could they not be aware of the need to secure data in laptops? Or, maybe, the administration thought that the data was secure, despite the lack of information security software, since so many breaches happened when data was being moved about: in a car, sent over the mail, etc. The laptops in question, though, were stored in a room that offered an “automatic door-lock system” that opened with a swipe-card. High-tech and all that jazz. They say that the thieves tampered with the door to get in.
Pfft. Since when is a door considered to be “security?” Unless we’re talking about doors to a bank vault with steel plates thirteen inches thick, I think most people will admit that doors offer little security, if at all. The high-tech aspect -- a magnetic card as opposed to a tried-and-true metal key -- doesn’t contribute to security at all. Chalk this up to another case of “security theater,” where things look secure but in retrospect are not.
What the administration should have invested in is in some old school-style technology, like disk encryption software. Such data protection solutions can’t prevent someone from stealing computers, but the thieves wouldn’t have access to the computer’s data. And this way, the administration would have to deal only with the loss of two computers, not the loss of two computers; 2000 irate people; and a government investigation (which I’m assuming is pending).
Related Articles:http://www.manchestereveningnews.co.uk/news/s/1081179_stolen_laptops_contained_teachers_detailshttp://www.pogowasright.org/article.php?story=20081121090600475
So you’re selling your computer. Or it’s so old that you have to toss it away. But you’ve also read how discarded computers can lead to identity theft. How’s that work, anyway? And what can you do to prevent it from happening? The answer lies in how much time you have. I’d personally use encryption software like hard drive encryption software, since it makes things a little easier and convenient, but you may not find it applies to you at this stage.
The secret about data deletion is this: data cannot be deleted, only replaced. You’ve read how computers store data in patterns of 1’s and 0’s, which are also known as bits. When you click on “empty recycle bin” on your computer’s desktop, all those bits remain in place. What you’ve “deleted” by emptying the recycle bin is the instruction set the computer uses to find those bits: the 1’s and 0’s are still there, it’s just that the computer doesn’t know where to look for them. If you will, it’s like a bank losing its accounting books. The money is still in the bank, but the bankers don’t know how much belongs to whom. Pandemonium ensues.
The implication is that, if given the right software, “deleted” data can be uncovered. Actually, it’s more than an implication. I know I bought Norton Disk Doctor back in the 90’s specifically because it allowed me recover files I deleted accidentally, so the technology to recover deleted data has been around for decades.
As you can conclude from the above explanation, when experts say that data should be deleted prior to computers being sold or recycled, what they really mean is that data should be overwritten. Turn those sequences of 1’s and 0’s entirely to 1’s, for example. What most overwriting software will do is randomly generate bits and write that to your hard drive. Since those bits are random, they don’t represent any information. More importantly, two bits can’t share the same space, so the randomly generated data (new) replaces the original data (old).
The problem with data overwrites is that it takes time and, because every single bit has to be replaced, the bigger your computer’s hard drive, the longer it takes. It’s not unusual to see a computer chugging away at this task for 10 or more hours when it comes to 100 Gb hard drives.
Plus, it’s understood that one pass is not enough. The Department of Defense, for example, requires that three passes be done per disk. Some advocate 35 passes! This is because a study found anything less increased the chances of someone being able to glean data in your drives. Thirty-five passes is, however, not necessary. Even the original author of the study has called it overkill for most people.
Yep, you read it right. I’ve just told you that it takes time to overwrite data, and yet here’s a Japanese company that claims otherwise. It’s because their new hard drives will be using AES-256 encryption. They can make their claim because all they have to do is destroy the encryption key, which does take only seconds to destroy. And since encryption protects data by randomizing bits and bytes (the same type of randomizing that goes on when overwriting data), Fujitsu’s in the clear with such a claim.
The only problem? These hard drives are not available until sometime next year. So, until then, you’ll have to do data overwrites when disposing of your old computer.
However, Fujitsu does bring up an interesting point: what would you prefer, having to spend hours of extra time prepping a computer just so you can dispose of it, or spending seconds only? Remember, there is the added benefit that drive encryption software will protect your data while you’re using the computer.
If you’re concerned about data security the choice is obvious. Again, the bad news is that these falutin’ drives won’t be available until next year. However, if you’re really looking to protect your sensitive data, then you have the option to encrypt your data today. Encryption as a service is available from companies like AlertBoot, and make encryption a snap. And, such encryption software is not just for computers. If you’ve got external hard drives, you’ll probably want something that will do usb disk data security as well.
Of course, encryption doesn’t make sense if you are looking to dispose of your old computer today, like, right now. But, it’s something you should keep in mind for when you get your new computer.
Related Articles:http://www.ehow.com/how_2138332_delete-all-data-computer.htmlhttp://www.google.com/search?q=how+to+delete+all+data+from+laptop+&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-ahttp://gizmodo.com/5083722/new-fujitsu-hdd-can-erase-500-gb-in-under-a-second
The importance of data security is not relegated to the office alone. Plenty of people feel more comfortable knowing that the information on their home computers, be they a laptop computer or a desktop, is protected with data encryption software. However, there are hazards in the use of encryption if you’re not careful. If you don’t know what you’re doing, you may be interested in encryption as a service as opposed to a solution you have to manage yourself.
Using encryption is admitting there is a chance that your computer might get stolen one day, just like insurance is admitting you could end up in an accident. No guarantees, but if it happens, you’re glad you decided protect yourself beforehand. If you work out of your home or happen to scan all of your documents to your computer -- including bank statements and other information you may deem sensitive, but don’t want to deal with clutter -- you’ll benefit greatly from the use of disk encryption or content encryption (they both work to protect your data in similar, yet different, ways).
There are many encryption products out in the world, including free ones (free like in free beer). However, there is something important you should keep in mind when using such products.
Despite the brevity of that last entry, it’s probably the most important of the three. The encryption key is what allows one to decrypt the data. That is, it allows you to restore the protected information, since encryption protects data by scrambling it (if you’re not looking to restore the information, it’s always advisable to destroy it, not encrypt it. Remember, what’s not there cannot be stolen).
Normally, the computer in which you’ve got encrypted information will have a copy of the encryption key, since it’s required to both encrypt and decrypt the information. However, there are cases when the encryption key is not available anymore.
For example, if your computer is stolen. Mind you, the stolen computer’s data is encrypted, so the information cannot be accessed by the thief. Everything is good with the world. But, chances are you need that data. As a conscientious person (you’ve got to be…you’ve decided to use encryption), you pull out your backup disk to restore the data. However, the encryption key lies…on the stolen laptop. Uh-oh.
If you don’t have a copy of the key, there is no way for you to access the data on the backup disk, since the same technology that keeps your data safe from the thief also prevents you from accessing it. Plus, not only do you have to make a copy of the key, you must make sure you can find it. If you’re anything like me, you’ll forget where you decided to store that key in the first place.
This is probably the number one reason why, despite free products out there, people decide to use encryption as a service. Many think that encryption as a service is for companies only, since it allows easy and fast parallel deployments -- in other words, you can encrypt a lot of computers at the same time. But, even though most people have one or two computers in the home, the management and safeguarding of encryption keys is a real issue that can’t be overlooked; so, in the interest of keeping one’s sanity after a distressing experience, people choose to sign up for managed encryption.
The upside to such a service is not only that someone else is ensuring your key remains safe and available when needed, though. Companies like AlertBoot that offer managed encryption software suites also add value by helping you if you forget your password (you need two things to decrypt data: the encryption key and, usually, a username and password…although some will allow the use of tokens). For example, you can reset your password after it can be verified that you are, indeed, you. The process is similar to resetting your password for a Yahoo! or Google mail account. You can even choose what the questions are by typing them in directly. Or, if you don’t have access to the internet, call support for help resetting your password.
And I really mean short. I’ve met a lot of people who didn’t quite understand the difference between hard drive encryption software and file encryption software, or that were assuming one is the other. It seems to me that such confusion can only lead disappointment with encryption products, so here’s a really, really basic primer on what’s what. I've kicked up "password protection" in the list below since it's of notable interest.
A lot of companies and agencies announce, when their laptop computer is lost or stolen, that it had password protection. It’s the worst kind of “security” you could possibly have for your data. In fact, I call the term “password protection” a misnomer because it doesn’t really afford you any protection. The real-world counterpart for password protection is hiding stuff beneath your mattress. Now you understand why data security professionals tear their hair out whenever they read that something was password protected. The game’s over if someone decides to look under the mattress. And, surprisingly enough, bypassing password protection is about as easy as lifting up a mattress. All you have to do is pull out the computer’s hard disk and plug it into another computer. That’s it.
The real-world counterpart for password protection is hiding stuff beneath your mattress. Now you understand why data security professionals tear their hair out whenever they read that something was password protected. The game’s over if someone decides to look under the mattress.
And, surprisingly enough, bypassing password protection is about as easy as lifting up a mattress. All you have to do is pull out the computer’s hard disk and plug it into another computer. That’s it.
A process for keeping data secret. The only way it to unearth the secret is to provide the correct key. I won’t go into the details of how it works, but essentially it will take an entry like “keep this a secret, OK?” and turn it into “wKsn a@kn q si1n,z$ !nZ.” Provide the key, and that crazy jumble of words, numbers, and symbols will turn back into the original text. Modern strong encryption is so advanced that, if someone were to try every combination possible to crack the crazy jumble, they’d have to take all the computers in the world (including supercomputers) we have now and run them for centuries to take a guess at what the jumble means.
Ambiguous terminology. It could mean either disk encryption or file encryption since both deal with data. I personally don’t think it’s anymore descriptive than the term “encryption.” If anyone is trying to sell you a product that does “data encryption” you may want to ask whether it’s disk encryption or file encryption. As you’ll see below, they protect your data in different ways.
Disk encryption is the encryption of an entire disk -- not just specific files. In other words, if you open up your computer and pop out the hard drive, all the contents of that physical hard drive are encrypted. Disk encryption is also known as hard drive encryption, full disk encryption, whole disk encryption, and partial combinations of these three (hard disk encryption, full hard disk encryption, etc.). If anyone or anything alludes to an entire disk being encrypted, chances are this is what they’re talking about. The real-world counterpart to disk encryption is the use of a safe (strongbox, if you prefer) with a built-in lock. That is, if you place any documents and close the door of the safe, the documents are protected. The only way to get back those documents is by knowing the combination or having the key to the lock, or busting the safe’s door open. Likewise, any files that you save on a computer or digital device with full disk encryption will be encrypted (read: protected) automatically due to the fact that disk encryption is being used. However, if you decide to e-mail that same file to someone else, it will not be protected anymore, just like taking a document out of a safe means that document is now not secure.
Disk encryption is also known as hard drive encryption, full disk encryption, whole disk encryption, and partial combinations of these three (hard disk encryption, full hard disk encryption, etc.). If anyone or anything alludes to an entire disk being encrypted, chances are this is what they’re talking about.
The real-world counterpart to disk encryption is the use of a safe (strongbox, if you prefer) with a built-in lock. That is, if you place any documents and close the door of the safe, the documents are protected. The only way to get back those documents is by knowing the combination or having the key to the lock, or busting the safe’s door open.
Likewise, any files that you save on a computer or digital device with full disk encryption will be encrypted (read: protected) automatically due to the fact that disk encryption is being used. However, if you decide to e-mail that same file to someone else, it will not be protected anymore, just like taking a document out of a safe means that document is now not secure.
File encryption is the encryption of specific files only. So, if you have only two documents on your computer, you can choose to encrypt one but not the other. Unlike disk encryption, which I mentioned above, you actually have to make a decision on what you’re going to have encrypted. (This does not necessarily mean that you have to remember which files to encrypt every time. There are managed data encryption service providers like AlertBoot that allow the use of “policies” to automate the process. For example, your Excel files will be encrypted automatically but not any jpegs saved to your computer). Unlike disk encryption, since the actual file is encrypted, passing around the files (via e-mail or otherwise) will still ensure the security of those files. File encryption is also known as content encryption. There is no real-world counterpart to file encryption except encryption itself. It might be useful, though, to think of file encryption as translating a document into a language only you know. So, if you leave the translated document on a table and someone picks it up, that person can’t make heads or tails out of it.
Unlike disk encryption, since the actual file is encrypted, passing around the files (via e-mail or otherwise) will still ensure the security of those files.
File encryption is also known as content encryption.
There is no real-world counterpart to file encryption except encryption itself. It might be useful, though, to think of file encryption as translating a document into a language only you know. So, if you leave the translated document on a table and someone picks it up, that person can’t make heads or tails out of it.
Is the same concept as disk encryption, in that anything that’s saved to a particular folder (or, directory, if you prefer) is encrypted. Take the file out of the folder, and it’s not encrypted anymore.
When it comes to encryption products, there are pros and cons. For example, disk encryption is great in the event your laptop gets stolen. On the other hand, if you send a sensitive file to the wrong person via e-mail, you can’t rely on disk encryption to protect you; file encryption is what you want. If you’re looking into USB disk data security to protect external hard drives, your options are the same as those for a laptop or desktop computer, since the data to be protected resides in the same component: the hard disk. Sometimes it will be hard to know what your specific data security needs are, and you’ll need to consult with a professional. You may need different encryption products to be used at the same time; it certainly is not unheard of to use both disk and file encryption on the same machine, although at first glance it sounds like overkill. Regardless of what you decide to use, the one thing to take from this one article is that you should never, ever under any circumstances come to the conclusion that password protection is protection.
Sometimes it will be hard to know what your specific data security needs are, and you’ll need to consult with a professional. You may need different encryption products to be used at the same time; it certainly is not unheard of to use both disk and file encryption on the same machine, although at first glance it sounds like overkill.
Regardless of what you decide to use, the one thing to take from this one article is that you should never, ever under any circumstances come to the conclusion that password protection is protection.