| Quarrel.Net | Online Flash Games | Browser Games | MySpace Layouts | Daily PSP Movie | |
 |
|
| Weblogs [Personal] (1861) | Weblogs [Tech] (699) | Business (2080) | Technology (1544) |
| News (601) | Miscellaneous (379) | LifeStyle (930) | Shopping (329) |
| Regionals (709) | Companies (1830) | Recreation (1568) | Political (49) |
| Other Languages (133) | Pets & Animals (52) | Romance & Relationships (60) | Celebrities (98) |
| Total feeds: 12922 |
| Add Your Feed |
| AlertBoot Endpoint Security | |
[ Put this feed on your website - Click Here ] |
|
| Description: | |
| Format: | RSS 2.0 |
| Feed URL: | http://feeds.feedburner.com/AlertbootEndpointSecurity |
| Latest Headlines | |
AlertBoot Endpoint Security |
|
|
UK Military Using Full Disk Encryption On 20,000 Laptops
Tue, 13 May 2008 05:25:00 GMT The security‑breach whipping‑boy for the past 6 months has decided that it has had enough. The UK government, more specifically the military, is installing encryption software on 20,000 laptops. The military already had a program in progress where 300,000 users would be able to access information via their web-browsers. Called the Defence Information Infrastructure (DII), it was designed for accessing all types of information, from “classified” to “top secret.” Of course, there is always the risk of data being leaked; so, supposedly, the system was also designed so that information displayed on the web-browser won’t save locally, which is in some respects a better way of protecting data than using, for example, encryption. However, I’m left wondering whether such a tactic will be enough. What if the laptop gets stolen and some outsider is able to access the central database where the information resides? After all, the laptop becomes the portal to this data nirvana. For example, isn’t it possible for the owner of a laptop to save the access codes for getting into the DII on the laptop itself, as a text file? Sure, it would be stupid to do so, but not out of the ordinary. I myself keep a spreadsheet of usernames and passwords, strictly for fake e‑mail accounts which are used when a particular news site requires registration to read articles (the e-mails I receive in those accounts are so insignificant—not in terms of volume, but content—that I can’t be bothered to remember the random passwords I create for them. And no way I’m using the same or similar password I would use for legitimate e‑mail accounts.) Plus, a web‑browser is used as the access point. Last time I checked, a lot of web‑browsers allow passwords to be saved. Where’s the guarantee that the enduser won’t do anything stupid like click on “yes” to the question “would you like the web‑browser to save your login information?” Lose your laptop, and that’s not an information breach anymore (possibly) if you can’t save anything locally …but, the laptop could become the stepping‑stone towards one. There are also other issues as well. For example, there’s the print screen option built into every single computer. While the DII may have been designed so that data displayed on the screen cannot be saved locally, is there something in place that prevents an enduser from taking screenshots and saving those? Granted, at that point in the game, the enduser is looking to cause trouble, but it would be nice for administrators of the DII to ensure that data leaks can actually be prevented, not made slightly inconvenient. The technology to prevent such things do exist. For example, in AlertBoot, not only do you get a powerful hard drive encryption solution for enhancing laptop security, you also get the ability to control applications. That is, you can actually prevent certain software applications from running, depending on who accesses the laptop. |
|
|
Hard Drive Encryption Still Not Deployed Company-Wide At Pfizer?
Tue, 13 May 2008 05:19:00 GMT There are reports that Pfizer may be in another data breach maelstrom. According to theday.com, an employee lost a laptop, as well as a flash drive, with information on 13,000 employees at the pharmaceutical company. The breach itself occurred about a month ago. There were no details on how the breach itself occurred, nor what type of data protection system was installed. Pfizer has been in the news over information security breaches quite a few times over the past year. According to theday.com, this breach is the second this year, and the sixth since May of last year. Pfizer e-mailed affected employees to let them know that Social Security numbers were not part of the lost data, but that names, home addresses, phone numbers, positions, and salaries may possibly be compromised. Of course, while this may not be enough to carry out identity theft, it is enough information to possibly carry out some kind of phishing scam—if a criminal gets lucky. A scam that is going popular around the world right now seems to be the kidnapper’s call. While no one has actually been kidnapped, a parent gets a call from some stranger claiming they’ve captured their child—pay up now or else. The panicked parents wire the money; finds the child is safe at school later on; and the criminal is not to be found. The criminals’ lives become easier if they know how much a person is making before making the call. Based on the fact that protection measures like passwords and encryption are not mentioned, one would assume that they weren’t in place for the stolen laptop. Which leads to the question, what has Pfizer been doing for the past year? Granted, solutions have to match up to the problems, and Pfizer has had a number of different security problems. Full disk encryption is not going to work when P2P software is the cause for releasing thousands of SSNs, for example. (Although, AlertBoot could help in this instance, since the hard drive encryption solution also allows application control—disallowing the installation of the P2P client, and preventing such a breach in the first place.) However, a company that has done its homework—especially after being a victim of a data breach—tends to find that there are certain security solutions they need to ensure information security. For example, the issuance of company laptops to employees tends to point towards the need for laptop encryption. Data redaction is usually the best solution (in theory); but it is also a nightmare to control and enforce, since you can’t place people to look over other people’s shoulders and monitor their actions 24/7. Plus, there’s always the question of what should be “redacted.” In this case, for example, Pfizer may be under the impression that the lack of financial information means this particular information breach is not an occasion for alarm—but, the exclusion of financial information does not mean that Pfizer’s employees will be able to rest at night without any worries. |
|
|
Hard Drive Encryption Will Be Defeated By Post-Its
Sat, 10 May 2008 05:09:00 GMT Or any other form of note that will stick to the computer. UK government workers may want to keep that in mind: An internal memo has been passed around, acknowledging that the Department for Work and Pensions (DPW) has been effectively providing a way to breach their own security procedures: From politics.co.uk: “I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07.“However, once the data and the separate password are received, staff are then forwarding the data and password on together. This defeats the purpose of the security measure entirely.” And how. Perhaps it’s just a matter of educating how protection measures work in the digital age. Data security solutions like full disk encryption from AlertBoot are very secure. They work by scrambling the original data so that no one can make sense of it. The effect is very hard to reverse because there are too many ways that could have been used to scramble the data in the first place. Imagine, if you will, that Moby Dick was written on glass by etching the words with a needle, aided by a powerful microscope. Then, you take a hammer and pulverize the glass, so that all the letters (not words) are in a pile a jumble. Cracking modern encryption methods would be like piecing the glass‑novel back so you can read it. It could be done. It’d also take forever. Plus, in your quest to piece things together, you would encounter those instances where you’ve used up every single letter except one—say a “z”—but every single sentence makes sense. That one “z,” though, is an implication that you probably haven’t gotten it right. Of course, the point of data encryption is not only to protect the data; one also wants to be able piece it back together—assuming that it’s the person who should have access to the data. This is easily done in digital encryption. The data is pieced back by supplying the correct password (or in the case of AlertBoot, two passwords: the username and the password). And this is why you don’t keep your passwords near your computer. Not on a Post‑it. Not taped to the bottom of the keyboard. Not on your monitor. Not…you get the idea. If your organization is going to (or have to) secure its digital assets and are planning on using full disk encryption, make sure people understand the consequences of their actions. |
|
|
Full Disk Encryption Not Present On Saks Fifth Avenue Stolen Laptops
Fri, 09 May 2008 03:25:00 GMT Saks Fifth Avenue, one of the premier names when it comes to shopping, has filed a letter with the Attorney General of New Hampshire, notifying them of an information security incident. In April, four company laptops were stolen, two of them with sensitive information. The sensitive information included names, addresses, and credit card numbers. Expiration dates, pin numbers, passwords, codes and other sensitive data were not included (as they shouldn’t have, since it would run counter to PCI-DSS rules, which states such information should not be stored, including credit card numbers). The letter mentions the laptops had password‑protection, but there is no mention of any kind of encryption, be it hard drive encryption or file encryption. Because the lost information is limited in its sensitivity, Saks believes that there is a very low risk of identity theft or credit card fraud. Regardless, they have alerted their customers about the incident and asked them to be on the lookout for irregular credit card activity. There was no offer of the standard one‑year (increasing, two‑year) credit monitoring program that other companies in similar situations tend to provide. In many ways, this is logical but unusual: if you don’t think there’s going to be credit card fraud, why offer such services? It sends mixed messages to customers. If I was a customer of Saks, though, I’d feel cheated under the guise of “well, everyone else is offering it….” But is the risk of credit card fraud or identity theft really low? Well, yes. (And, chances are the layperson would interpret that to mean “there is no risk of any type of crime.”) The truth is, though, that risk really depends on how astute these thieves happen to be, not on the (extremely) limited data safety precautions Saks had on those laptops. For example, most on‑line stores, when processing payment for a purchase, now require not only the credit card number and expiration date, but the CSC code as well, which is generally not recorded (and wasn’t, in the Saks incident). However, not all stores require it. So, what the criminals have to do is start looking for on‑line stores not requiring CSC codes. Also, the use of CSC codes are not as actively encouraged overseas, so another method of getting around this obstacle is to sell the information to foreign buyers of such stolen data. The lack of expiration dates arguably poses a bigger problem, albeit not a complicated one: just try different combinations of dates and months. The maximum “valid thru” date is usually capped at five years from the date of issuance, so there’s at most a total of sixty combinations one has to run through for each card. And last not but least, names and addresses may appear as bits of innocuous information; they’re easily available in the white pages, for example. Hence, the argument goes, this is not data that can be used for perpetrating crime. However, this kind of thinking is a fallacy because one forgets to put it in context. Names in the white pages are meaningless only if nothing else is known about the person or the address itself. If I add more information on top of that, it exponentially increases the type of scams and different approaches to scamming people. In the Saks case, the thieves would know the names, addresses, and the fact that these people shop at Saks. Would it be too much of a chore to create a fake letter from Saks Fifth Avenue stationery (counterfeit as well) asking people to call a number since their credit card, as shown in the letter, has been compromised? The courteous “customer service representative” will guide them through the process of doing…whatever it is they have to do. Furthermore, the above example could be used to further glean information from the victims. “To confirm that you are Bob Smith, could you please tell me your mother’s maiden name?” Now they’ve got your mother’s maiden name, your name, and your address. And they know you shop at Saks. Plus, if they have caller ID, they’ve got your phone number. Yeah, Saks is right in saying that the stolen data represents a low probability of it being used, as is, for fraud. However, there is nothing preventing the thieves from being creative in their criminal endeavors. And the seminal incident that could potentially lead to the above scenario? If you guessed the theft of laptops, you’re halfway there. If you wanted a gold star, however, you would have answered “lack of data security solutions.” A stolen laptop is no good for committing fraud if the information on it cannot be accessed. Password‑protection could be a deterrent (or not), just like pepper spray could be a deterrent to a bank heist (probably not). There is a reason why the Federal Reserve Banks arm their guards with automatic weapons instead of cans of pepper spray: the need for real protection. Real protection when it comes to data at rest—as well as for data in motion, now that I think about it—comes in the form of encryption. There are generally two different ways of encrypting such data: full disk encryption and file encryption, both available from AlertBoot. |
|
|
Musician Peter Gabriel Shows Us The Need For Full Disk Encryption
Fri, 09 May 2008 03:21:00 GMT Peter Gabriel shows, albeit indirectly and unwittingly, why one needs full disk encryption if data security is the ultimate objective. Gabriel’s servers that powered his website—hosted at a data center—were stolen. This affects more than a website with a litany of Gabriel’s accomplishments. I’ve never been to the site before, and it’s not operating at 100%, obviously, but a look at the temporary stand‑in makes it apparent the stolen servers were at the center for getting all things Gabriel‑related, including the sale of music and concert tickets. Break-ins into data centers are nothing new. I’ve heard the entire gamut, from people strolling in while waving at the guard (and the guard waving back, which is why I dropped the word “security” from “security guard”) to using chainsaws and going through the walls, literally. Break‑ins of any kind are not common when it comes to data centers, especially if the facility was built with security in mind—RFID key cards, locked spaces with bullet‑proof glass built for identity checks, and guys with semi‑automatic weapons. But, it does happen once in a while (and, lately, it seems, with growing frequency). And, of course, if a server is stolen, all the data in it is stolen as well, and available for the perps to use. Or is it? The digital world is an odd one, and what’s true for the physical world does not always translate to the digital world. If a file cabinet full of top secret documents gets stolen, all that information is stolen as well. The thief will have easy access to the documents. Even if the cabinet were locked, one could rip the walls of the cabinet to get to the contents. In the physical world, theft can easily result in an information breach. Likewise, the physical theft of a server with digital information can result in an information breach. Sure, one can set up password protection, but the equivalent of “ripping the walls” to get to the data exists in the digital world as well. However, the digital world offers ways to protect information when it’s stolen so that it doesn’t fall into the wrong hands. This method of protection is called encryption, and generally comes in two forms: full disk encryption and file encryption. The latter has a physical counterpart as well. File encryption, basically speaking, is just substituting one character for another via a particular set of rules. If you’ve ever come across a paper document full of gibberish, you’ve probably come across a document whose contents are encrypted (or, someone’s master’s thesis in electrical engineering). Full disk encryption, on the other hand, doesn’t have a physical counterpart. Like file encryption, it uses rules of substitution, changing each bit found on the hard drive itself; however, the actual file is not encrypted if you use full disk encryption. For example, if you e-mail a file that’s found on a hard drive with full disk encryption, the file can be read by the recipient without any problems. If you send him a file that was protected with file encryption, he’ll require a key to unscramble the contents of the file. The closest thing that full disk encryption comes to resembling in the physical world is really thick walls on a file cabinet, since the contents in the file cabinet don’t change. Really thick walls. I mean, we’re talking a thickness that’s incomprehensible. Like a safe whose walls have the thickness of Indiana. (You think driving across Indiana took forever, eh? Try blowing up or drilling through a wall the thickness of Indiana. Yep, that’d be a pretty secure cabinet.) Both forms of securing your digital assets are available from AlertBoot. The idea is to use them together as complementary solutions and enhance security. After all, you don’t necessarily have to choose between an armed guard and a safe. You do have the option of using both for security purposes. Or, just use one or the other—just make sure you understand what you’re data security requirements are prior to making a decision. |
|
|
Full Disk Encryption Sometimes Better Than Full Disk Destruction
Thu, 08 May 2008 05:39:00 GMT Can a hard disk survive a fall of over 100,000 feet? No, but the data can be extracted from its remains. That’s how scientists were able to find that xenon gas changes to a liquid when stirred under very low gravity. It’s under no ordinary circumstances that a hard disk can fall 100,000 feet. The disk in question was on board the ill-fated Columbia space shuttle, which disintegrated on re‑entry into earth in 2003. And, as one would expect for anything that re‑enters into earth without the usual protection of wings, parachutes, and heat‑proof coatings, the hard drive was found cracked and burnt. Specialists were able to extract 90% of the data, though. Kind of surprising? After all, most people’s experience with falling hard disks tends to generally involve waist-high or lower, and it’s kind of hard to get any data from it at all; one imagines involving a drop from space would make it slightly harder. The above data retrieval is testament that you can do anything if you have the money. From an engineering perspective, however, the above is not unusual or amazing. Usually, when you and I drop a laptop or an external hard drive, it’s broken because the intricate machinery that composes the whole of the disk drive is out of synch. However, the data recorded on the hard drive’s platters is still there. (If you weren’t aware, there’s a bunch of disks inside the a hard drive. That’s why they’re often called a hard disk.) Unless the drive with the xenon data had fallen near a refrigerator magnet, the information is still in place. Only the total annihilation of these platters would have prevented specialists from reading the data, like melting them into an amorphous mass. This is something one should keep in mind when getting rid of old equipment like computers. A lot of people think that “deleting” the data or formatting the disk will get rid of the existing data. This is not so; such actions merely remove the method for computers to locate data without disturbing the data itself. It’s like poking a librarian’s eyes out during your first time to a foreign library: she can’t find the books you want, but the books are still there. Now you’re stuck trying to find the books. Some effort, time, and a couple of clues will help you in finding those books. Savvy computer users will know this and physically attempt to destroy their drives. One of the time‑honored ways of doing so is using a refrigerator magnet; however, this, too, is not as reliable as the amorphous mass technique. Some use a drill to poke holes through the platters. This is pretty effective, but there is no guarantee that information on the unaffected parts of the platter will remain unread by someone hell‑bent on extracting data. These disks are pretty resilient. Unless you’re willing to spend $100 or more to pulverize a disk, your best option may be full disk encryption, like AlertBoot. Plus, the beauty of full disk encryption is that it’s a form of data protection that is perfectly good while the disk is in use as well as when you decide to ditch it. |
|
Webmasters - Another button for your collection
FeedBoy.com © 2005-2007
Hosted By NeonHQ
Partners
Quarrel.Network |
Browser Games |
Online War Games |
Mafia Game |
Online Flash Games
Singapore Outsource |
Backpacking Travel |
Legal Glossary |
Mobile Ringtones |
Internet Marketing
PT Cruiser |
Car Videos |
Honda Car Forum
Turnkey Scripts |
Photoshop Tutorials |
RSS Protocol |
Linux Web Hosting
Zoekmachine Optimalisatie |
DirArchive Web Directory |
Sidney Cosby |
Free Teen Webcam Chat |
Free Video Chat
Orlistat |
International City |
Alli |
Groovy Java Games