AlertBoot Endpoint Security
The UND Alumni Association is sending out word to approximately 85,000 people that they should be monitoring their credit.  Their information was stored on a laptop computer that was lost by a software vendor contracted by the alumni association.  It also sounds like affected members will be signed up for credit monitoring services, free of charge, of course.  This is despite the fact the computer in question was using laptop encryption to secure its contents.  I’ve often alluded that data encryption software like AlertBoot is the best method of protecting data, if not proclaiming it outright.

 

So why the credit monitoring, which can’t be cheap, considering we’re talking about 80,000 people?  Even with a discount so that it costs $10 per person, we’re talking close to one million dollars in expenses.

 

Well, there are a couple of reasons.  It could be that the encryption system that the UND Alumni Association is using is not strong enough.  Generally, encryption strength is measured by its key length.  The longer the key, the stronger the encryption.  In fact, strength grows exponentially with key length, so that a 256-bit key is not twice as strong as a 128-bit key, but much, much stronger.  Of course, that means that, in comparison, a 64-bit key is much, much weaker – not twice as weak.

Or, it could be that the encryption algorithm that is used hasn’t been vetted.  Hundreds of new encryption algorithms have been developed over the years that have been cracked due to an underlying weakness in the algorithm itself.  Weak algorithms are a serious matter, since regardless of what the key length happens to be, the contents of the encrypted data can be accessed in such cases via other methods.

However, neither of the above appears to be the motivation behind alerting alumni members.  According to Tim O’Keefe, the executive vice president of the association, the technology protecting the information was “absolutely the best you can buy.”  More money doesn’t necessarily mean more protection (or better protection, for that matter).  However, generally those who charge through the nose tend to stick to encryption algorithms that work on a theoretical level and have been impervious to attempts by the cryptographic community to crack them.  So, I think we can assume that they used something based on AES or RSA.

Perhaps the credit monitoring is a public relations ploy.  Alumni who have donated in the past tend to donate again.  And donations per person tend to be more than $20, a price that gets bandied about for an annual subscription to credit monitoring services.  So, the UND Alumni Association would come out ahead even with a one-time payment of hundreds of thousands of dollars, assuming the offer of a credit monitoring program allays any fears that are lingering despite the use of encryption software to protect the names, Social Security numbers, and credit card numbers of donors.

 

Personally, if I had been an alumnus, I would have preferred knowing what type of encryption was being used, and what the key length happened to be.  Once that has been established, I would feel secure enough to tell the alumni association to keep me off the credit monitoring.  I get enough junk mail as it is.

  

Related Articles:

http://www.kfyrtv.com/News_Stories.asp?news=23038

http://www.grandforksherald.com/articles/index.cfm?id=88793

Staff at a McCain campaign office in Missouri have announced that a laptop computer with strategic information related to McCain’s presidential campaign was stolen on Tuesday night.  There was minimal protection all around.  For example, the campaign hadn’t thought of using full disk encryption software, like those offered by AlertBoot, to safeguard the contents in their computers’ hard disks.  Instead, they’re relying, and hoping, on password-protection to prevent any data leaks.

 

Surprising?  Perhaps.  But, they didn’t have any physical security in place either, so it’s not hard to believe that the campaign office didn’t have adequate data security practices in place: the thief or thieves broke a window to gain access to the building, and nobody knew about it until people arrived for work the next day.  What’s odd is that out of twenty or so computers, only one was stolen.  Even weirder is the fact that the stolen laptop, which was the only machine with the valuable information, was in a bag, and hence out of sight, whereas the other computers were out in the open.

This is, of course, fanning the flames of conspiracy theories.  Those in the McCain camp find it odd that the one computer was stolen: Tina Harvey, spokeswoman for the Missouri Republican Party, told SC Magazine “If you were stealing money, you would take 23 computers…If you were stealing for underhanded reasons, you take one computer.”

Well, yes and no.  I don’t know about Ms. Harvey, but I’ve seen twenty-three laptops stacked on top of each other.  It’s kind of a drag to steal them all at the same time.  For a thief, mobility is something of an issue: having to juggle twenty-three separate items that weigh a total of forty-six pounds or more, and running with them, is not exactly what thieves gun for.  Heck, one laptop in each hand is probably the maximum one would potentially plan on swiping, especially if the point of entry happens to be a broken window.

On the other hand, someone rifling through an office and taking the one laptop that was hidden from view?  That certainly is suspicious.  Or, perhaps the burglar really didn’t like Eee PCs: all of the untouched laptops were of this make, while the stolen computer was a Dell.  (Dude’s getting a Dell.  Literally.)

But, I have read the opinions of others, mostly people commenting on-line, who are claiming this is an inside job, meant to elicit sympathy for the McCain camp.  Ah, conspiracy theories.  They’re so much more entertaining than other theories.  It certainly would have made my college engineering classes bearable.

This is not the first time that political volunteers have been victims of computer thefts and data breaches.  Nor is it the first time it has been pointed out, by many sources, that password-protection is not worth two dimes when it comes to data security.  Getting around it is, unfortunately, easier than ever since the method lies two clicks away in Google.

As has been pointed out by pretty much everyone, if the laptop theft was truly politically-motivated, then the strategic information the Missouri office has alluded to is as good as revealed to its opponents.  Only some form of encryption software, be it hard drive encryption or file encryption, could prevent a data leak at this point, and, again, none was used.

Related Articles:

http://www.scmagazineus.com/Stolen-McCain-party-laptop-had-minimal-data-safeguards/article/119080/

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116239&intsrc=hm_list

http://www.theregister.co.uk/2008/10/06/mccain_laptop_theft/

http://www.internetnews.com/security/article.php/3776266/GOP+Laptop+Stolen+After+Missouri+Breakin.htm

A laptop computer belonging to Ireland’s Health Service Executive (HSE) has been stolen.  This is the second laptop reported missing in as many weeks.  Just like in the previously reported case, the HSE did not avail itself of laptop encryption software like AlertBoot to protect its contents.

 

The laptop computer, stolen from the HSE administration headquarters, holds thousands of records of HSE staff in Dublin, and had gone missing on September 17.  This was not reported, though, until 13 days later.  It has not been announced whether it took nearly two weeks for staff to notice the missing laptop, or whether this was just a delay in notifying affected personnel.  Either way, not a good thing.

The HSE has already started a review of their computer equipment and is planning on encrypting all of their computers as a result of previous data breaches.  I hope this is being extended to external hard drives and other digital media storage devices.  After all, such equipment is fodder for thieves as well, and is just as easy to steal as a laptop computer.

As this most recent case shows, acting fast is usually the best policy when it comes to data security.  After all, there is no guarantee that another theft that ends in a potential data breach won’t follow soon after the first one.  I mean, it’s not as if all thieves, muggers, hackers, and other criminally-inclined people are synchronizing their crimes.  Since we don’t know when the next criminal will strike, it only makes sense to employ data protection measures as soon as possible – even before a data breach strikes (hey, now, there’s a concept!).

Related Articles:

http://www.scmagazineuk.com/Irish-HSE-hit-by-laptop-theft/article/118714/

http://www.herald.ie/national-news/stolen-hse-laptop-leaves-staff-open-to-identity-theft-1488894.html

Germany’s T-Mobile has admitted to a data breach that could affect up to 17 million people.  While the breach had happened in the spring of 2006, T-Mobile hadn’t alerted its customers at that time.  This week’s announcement was prompted by the findings of Der Spiegel magazine, which was able to access the information from unnamed third-party sources.  The use of data encryption like AlertBoot would have prevented this from happening, since the information leak was the result of a lost “storage device.”

 

T-Mobile wasn’t attempting to cover up the data leak.  It had reported the fact to the authorities, and based on what I’ve read so far, they actively continued to monitor whether the potentially compromised data would show up for sale – it didn’t.  At least one site, darkreading.com, is reporting that the storage device was recovered but there was no evidence that the data had been compromised.  Based on these encouraging signs, T-Mobile probably didn’t feel that there was a need to scare its customers.

 

Of course, absence of evidence is not evidence of absence.  The former could mean the latter or it could mean that someone did a shoddy job.  Or that the skills of criminals far outpaced the skills of investigators.  Or that the technology to effectively conduct the necessary forensic analysis does not exist.  Regardless, what is important is that Der Spiegel was able to see the compromised data, consisting of names, addresses, and cell phone numbers, as well as dates of birth or e-mail addresses in certain cases.  Nothing like evidence to dispel any illusions to the contrary.

 

Let’s face it: things go missing all the time, even the really important stuff that shouldn’t.  I recall that the US Air Force had “lost” a couple of nuclear warheads earlier this year, when they thought they were transporting some other kind of missile.  If the plane in question had decided to disappear, those nukes would have been lost for sure.  And this is despite the fact that the Air Force has checks and balances to ensure that such things don’t happen.  And before anyone decides to make a crack about military intelligence being an oxymoron, let me point out that the system has worked successfully for fifty years.  Of course, no data security procedure is going to be as intense as one designed for keeping secure and tracking nuclear arms (nor should it be expected to), so one expects things to go missing much more frequently.

 

On the other hand, it would be a moot point to apply checks and balances designed for weapons of mass destruction to something like a computer disk.  Information storage devices have a great solution for keeping their secrets safe.  It’s called disk encryption, and it’s designed specifically to prevent unauthorized access to the disk’s contents, unlike supposed data security solutions like password-protection, which may or may not deter even amateur data thieves.

I’m not sure if Deutsche Telekom, parent company to T-Mobile, is aware of this, though.  The New York Times notes that security enhancements after the 2006 incident included “stronger passwords and access controls, and the logging of accesses to customer databases.”  That’s great and all, but the above won’t help when a disk goes missing.  It seems like mentioning the implementation of encryption software to ensure content security would have indicated T-Mobile’s stronger commitment to customers’ data security.

Related Articles:

http://www.darkreading.com/document.asp?doc_id=165280&WT.svl=news2_1

http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210700232

http://www.theregister.co.uk/2008/10/06/t_mobile_records_lost/

http://www.deutschetelekom.com/dtag/cms/content/dt/en/51612;?archivArticleID=572378

http://www.nytimes.com/idg/IDG_852573C400693880002574DA0034AE43.html?ref=technology

It was only two days ago that the world found out about the sale of a camera with confidential information from MI-6.  The media is now reporting that MI-5 is looking for a palmtop computer that went missing after a thief burglarized a house rented by the intelligence service.  The good news is that the device, which did have sensitive and confidential intelligence stored on it, had used data encryption to protect its contents, data protection that works at its core like hard drive encryption from AlertBoot.  The bad news is that the story made the news.  The odd thing, also, is that it made the news.

Odd because…why would any self-respecting secret agency go around reporting this to the police?  You read that right.  A spokesman for the Greater Manchester Police had the details of what happened, and asked for any citizens approached with the device to contact them.  You’d imagine that a department like the MI-5 would go around trying to figure out who stole their stuff, and not file a burglary report with the coppers.  Is it just me?

 

Perhaps, the MI-5 feels comfortable with local cops dealing with it because of the use of device encryption.  As stated by the spokesman, the information is encrypted, so the chances of that data being accessed are virtually nil.  This means that the PDA is now nothing but a normal PDA, or possibly the equivalent of a brick, since the sensitive information cannot be retrieved.  After all, what’s the difference between the stolen PDA and the same model someone else has?  The data, which, once more, is encrypted.  As long as the agent who—may I add, has been slightly irresponsible with the device—didn’t have the credentials for decrypting the data stuck to the device, there is no data security breach.

 

Of course, this hasn’t stopped the media, or on-line comment makers, from portraying this as an information security bungle.  Is it really?  Sure, it’s funny that a burglar was able to get into what may have been a safe house for the MI-5, through an open window, no less.  And I can understand the concern—what secrets were in that PDA that could affect the security of Britannia?

On the other hand, I can also understand the seeming nonchalance of how the case is being dealt with.  With encryption in place, the chances of that information being made public are very low.  So low that you may have a better chance of winning the national lottery five times in a row.  In one single day.

  

Related Articles:

http://www.timesonline.co.uk/tol/news/uk/crime/article4868535.ece

http://news.bbc.co.uk/2/hi/uk_news/england/manchester/7648207.stm

http://www.manchestereveningnews.co.uk/news/s/1070173_mi5_terror_computer_stolen_

The Breach Blog is carrying a story about how a chiropractor practiced good data security.  I’d say the chiropractor saved himself some face and his patients a lot of grief by using what looks to be file encryption, a feature that’s also available in AlertBoot managed encryption service solutions.  The Breach Blog, however, seems to find fault with the fact that the practice ended up with a burglary and bad prose.  Talk about blaming the victim.

According to the letter sent out by Drs. Gangwish and Morgan at the Summer Avenue Chiropractic clinic, thieves broke into the clinic and stole computers that contained the information of patients, including names, addresses, dates of birth, and Social Security numbers.  But, there’s no need to worry since the information was encrypted.  But, as a precaution, patients ought to keep an eye out for any unusual activity on their credit reports.  This was the gist of the letter.

 

The actual letter, however, is a bit cringe-worthy.  To begin with, it reads like the good messieurs didn’t spend too much time learning how to spell or write prose worthy of doctors.  Unfortunately, perception always matters, and in this case, the letter (not the content of the letter, but the style and choice of words) makes one wonder whether they actually know what they’re talking about.  The words lack that ambience of professionalism that one expects from PR folk.  On the other hand, it’s very refreshing since it’s so to-the-point.  I can’t find any instance of double-speak, for example.  Maybe it’s the ultimate PR campaign: PR that doesn’t sound like PR.

 

I can’t say I share The Breach Blog’s observations in this particular instance.  For example, it looks like the thieves were not initially targeting the chiropractor’s office, but the RadioShack next to it.  The thieves decided that going through the chiropractor’s office was the easiest route into the RadioShack.  When it turned out that was not the case, they stole what they could.  Nobody likes to leave empty-handed.  They returned later to successfully break into their primary objective.  This is what The Breach Blog had to say:

Good secure construction.  If I owned a business that created, collected or stored sensitive information, I would establish an office where I was the only business in the building or in a building that was adequately segregated from other businesses.  One of the segregation criteria would be walls that do not allow adjacent access.  Check this when evaluating an office space for adequate physical security.  Too often it is over-looked.

 

Maybe it’s just me, but I’d imagine that encryption was used by these guys because they figured they couldn’t control stuff like this.  While I can’t and won’t argue that secure premises are a bad thing for security—how would that even make sense?—businesses have other considerations besides data security as a priority.  It doesn’t make sense to match businesses to what one perceives to be the correct security needs.  You match the security needs to the business.  So, if the walls are not strong enough for the perfect business venue, you find some other way to protect the data.  These guys found it in encryption.

To me, the telling sentence in this notification is "I was very much HIPPA compliant and the good thing is that everything was encrypted and had strong pass codes."  I would want more information.  I notice the word "was" which is past tense.  I notice "HIPPA" which is really meant to be "HIPAA".  I notice "everything was encrypted", which has been questioned.

Affected patients should certainly ask for more detail.

 

At this point, this is just nit-picking.  Between the above and the sarcastic words of “Now how about HIPAA compliant?” to the chiropractor’s typo, I wonder if the blogger was having a bad day.  I keep being reminded of Nick Burns, your company’s computer guy, aka Jimmy Fallon with a bad mustache.

 

They had encrypted the patients’ information (see what I did there?  Had?).  What more is needed?  They certainly could have done a lot worse, like not having any true data security measures, and stating that they “don’t have any evidence that the computers were stolen for their content” as an excuse.  Is not using spell check such a big deal in light of the circumstances?  Should I think less of a paramedic who’s saved someone’s life because his belt doesn’t match his shoes?

 

Besides, all the L337 |-|aXor5 know that the worse you spell, the better you are at computer security….  Ever read TJX’s announcement of their massive data breach?  It reads so well, with proper grammar and spelling.  So professional.  Too bad they couldn’t do anything about people committing fraud with the stolen credit card info.

 

I’ll always choose a guy with half a brain and bad writing who takes the time to implement adequate data security over a bunch of guys sharing half a brain who don’t.  Anytime.

 

Related Articles:

http://breachblog.com/2008/09/16/summerave.aspx

© copyright feeds2read.net 2005-2008