[SecurityRatty] tag: encrypt

Enforceable Policies

Fri, 27 Jun 2008 10:23:29 +0000

Blogger: Randall Gamby

Across the different security technology presentations given this week at Catalyst, one common theme has been the important role of policy. As people hear about new and better technologies and how they can be integrated into their existing infrastructures, they should take the time to examine their policies to make sure they keep up with the solutions being considered. Questions to ask:

When did we review our policies last?
Do we have not enough or too many?
Will they still be valid?
Are there other influencers on them?

But while changes will most likely be needed for many current policies, a question that often isn’t asked is, “Are they enforceable?” As enterprises create policies based upon what users “should do,” can the security team validate that they “did do” what was asked? For example, a common policy is, “All sensitive data at rest must be encrypted.” So this means you must encrypt your Active Directory, your e-mail storage, every production database, yes? That's probably not happening. So if the enterprise has no way to implement the policy, then it ultimately is not a valid policy and needs to either be modified or the enterprise needs money, resources and time to conform to the policy.

The social effect on the user population also needs to be considered. Essentially, the enterprise is teaching users that they don’t have to conform to this policy, so maybe they don’t have to be conformant to others on the books. Not a good lesson to teach them.

So as the Catalyst attendees go back with “dreams of technology sugar plums dancing in their heads” don’t forget that good governance with valid processes should be skipping around the edge.

Enforceable Policies

Fri, 27 Jun 2008 10:23:29 +0000

When did we review our policies last?
Do we have not enough or too many?
Will they still be valid?
Are there other influencers on them?

But while changes will most likely be needed for many current policies, a question that often isn???t asked is, ???Are they enforceable???? As enterprises create policies based upon what users ???should do,??? can the security team validate that they ???did do??? what was asked? For example, a common policy is, ???All sensitive data at rest must be encrypted.??? So this means you must encrypt your Active Directory, your e-mail storage, every production database, yes? That's probably not happening. So if the enterprise has no way to implement the policy, then it ultimately is not a valid policy and needs to either be modified or the enterprise needs money, resources and time to conform to the policy.

The social effect on the user population also needs to be considered. Essentially, the enterprise is teaching users that they don???t have to conform to this policy, so maybe they don???t have to be conformant to others on the books. Not a good lesson to teach them.

So as the Catalyst attendees go back with ???dreams of technology sugar plums dancing in their heads??? don???t forget that good governance with valid processes should be skipping around the edge.

Security Briefing: June 19th

Thu, 19 Jun 2008 07:17:24 +0000

Making lists of things to remember as I scramble to keep my focus in the face of a lack of sleep. Next thing you know I’ll be putting sticky notes on things. “Coffee cup”, “Door”, “Advil” and “C-61 / bad joke”.

You get the idea.

Click here to subscribe to Liquidmatrix Security Digest!. Welcome to the new subscribers who joined us yesterday! Thanks!

And now, the news…

Copyright Bill’s Fine Print Makes For a Disturbing Read | Michael Geist
A Week in the Life of the Canadian DMCA: Part Two | Michael Geist
DMC-eh? Why Canada’s new Copyright law is a mistake | Mang Bat
E-Mail: To Encrypt or Not to Encrypt? | NPR
Hazel Blears’s stolen laptop was not encrypted | Information Age
Encryption: DLP’s Newest Ingredient | Dark Reading
Merchant Securities’ stock broking firm fined for poor data security procedures | RTT News
State computers headed for sale had private information | The Topeka Capital-Journal
Fed slammed over internal controls | Houston Chronicle

Tags: News, Daily Links, Security Blog, Information Security, Security News

Data encryption best practices in Windows

Wed, 18 Jun 2008 20:00:00 +0000

Data encryption is an important link in the chain of Windows security. In this tip series, learn how you can encrypt data in Windows Vista, how Encrypting File System (EFS) can prevent data loss and how the SecureZip tool can improve encryption in Outlook.

Data security and the "chasm of protection"

Tue, 17 Jun 2008 09:25:00 +0000

I was thinking a bit more about the notion of data-centric or information-centric security and why this is absolutely the future of data protection...

Say you are a retailer. You have data in your POS devices, encrypted with the POS application as cards are read in. As this data is required by another application, it has to be first decrypted so this in-store application can read it. It may then encrypt it again as it stores on in-store servers. Now assume you have another application in the data centers that is used for card settlement. Another decrypt-encrypt cycle from the store to the data-center!

This scenario is not limited to a retail environment. Consider a similar cycle repeating itself in most companies as data is moved from location to location, analyzed and processed by multiple applications and on multiple devices and multiple internal and external networks - each time being decrypted, stored or transfered in the clear till it gets encrypted again. Each time this cycle repeats, there is a weakness that can be exploited - since there is a gap in the consistent protection of data.

Being data-centric however, brings in persistence and consistency in the protection of that data element, thereby removing this "chasm".

Are we going to need TSA backdoors to encryption

Sun, 15 Jun 2008 06:36:00 +0000

I was reading an article in Information Week tonight about a case going to the 9th Circuit Court of Appeals about the governments right to search, seize and copy laptops and other electronic devices at our borders. Two groups that don't often find themselves on the same side of issues, the Electronic Frontier Foundation (EFF) and the Association of Corporate Travel Executives (ACTE) have filed briefs with the court asking them to strike down a lower courts ruling that granted the government these broad powers to confiscate laptops.

As the article points out here in the US there was quite an uproar about China "slurping" laptops from people on travel there, but we seem to think it is OK for our government to do it. Well at least our government is telling people they are doing it. What they are not telling us is what they are doing with the data after they search or copy it. How do we know, no US security but nevertheless confidential data is being secured and or destroyed promptly? The government telling us "trust me" just doesn't cut it.

However, I think technology is going to pose a bigger problem for the government regardless of whether the court upholds the governments position. I think any terrorist or other bad guy would never have confidential data on their laptop that is not encrypted. In fact with full disk encryption coming to the masses from the likes of McAfee and others, what will the government do? Sure they can take the encrypted data to the NSA and let them brute force the keys, but that sounds impractical. Perhaps, the TSA will demand encryption vendors to put in a back door or secret key that will allow the TSA to decrypt the data similar to what they do with the special luggage locks now.

I know what they can do. Perhaps they can go back to Checkpoint and find out for sure about those back doors that they always suspected was in their software and see if it is there for sure. If so the government can appoint Checkpoint the official encryption vendor for laptops ;-) Just kidding of course, but really guys. What self-respecting bad guy is not going to encrypt their data knowing the government has a right to search their laptop. I think it makes this whole case much ado about nothing.

Are we going to need TSA backdoors to encryption

Sun, 15 Jun 2008 05:36:00 +0000

2.2 million billing records missing on stolen backup tape

Wed, 11 Jun 2008 08:33:06 +0000

Technorati Tag: Security Breach

Date Reported:
6/10/08

Organization:
University of Utah

Contractor/Consultant/Branch:
University of Utah Hospitals & Clinics
Perpetual Storage, Inc.

Victims:
Patients

Number Affected:
"approximately 2.2 million"

Types of Data:
"names, related demographic information and diagnostic codes" additionally, "Records for a subset of 1.3 million patients also contained Social Security numbers"

Breach Description:
"SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center"

Reference URL:
University of Utah Hospitals & Clinics
The Salt Lake Tribune
Associated Press via KUTV Channel 2 News

Report Credit:
University of Utah Hospitals & Clinics

Response:
From the online sources cited above:

SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center
[Evan] There is no mention of encryption in any of the news reports I have read regarding this breach, so I am going to go ahead and assume that it was not used. As you read through the publicly available details of this breach below, you will probably agree that the courier driver made an idiotic mistake that he almost certainly regrets, but the University of Utah Hospitals & Clinics is the custodian of this information that should have identified the risks involved with transporting confidential patient records off-site. One of those risks is the possibility that a backup tape may become lost of stolen, which is obviously the case in this breach. Where were preventative controls to account for this unacceptable (in most cases) risk, like encryption?

The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years

people would be notified by a letter at a cost of $500,000 just for stamps and envelopes
[Evan] How much would it have cost to encrypt the information on the tapes? The State of Utah has an exemption in their breach notification law for encrypted information.

The hospital also pledged free credit monitoring

The records were in a gray metal box

The courier, whose name was not released, picked them up in his Ford Explorer on June 1

instead of driving directly to a storage center, he worked a second job and then went home
[Evan] This is the idiotic mistake I was writing about earlier.

The next day, he discovered that someone had broken into his Ford Explorer outside his Kearns home and taken the box

The driver worked for Perpetual Storage Inc. for 18 years and was fired.

Authorities declined to say how easy or difficult it would be to read the records.

The sheriff believes the thief probably thought the box contained money.
[Evan] What it contains could probably be turned into a helluva lot of money!

"The investigation indicates that the theft was probably a random car burglary, and there is no evidence that the information on the tapes has been accessed or used for identity theft," said Salt Lake County Sheriff Jim Winder.
[Evan] Eight days (June 2nd - June 10th) is probably a little too soon for evidence to appear of identity theft.

There's no evidence any of the information on the tapes has been accessed; besides, anyone trying to use the tapes would need specialized equipment to view the contents, Winder said.
[Evan] Specialized equipment like a tape drive?

Eighty percent of the 2.2 million people live in Utah or Idaho, Betz said. The hospital is offering a $1,000 reward for the records. (Lorris Betz, M.D., Ph.D, Senior Vice President for Health Sciences)

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked. Those wishing to claim the reward may call the Sheriff’s Department at (801) 743-7000.
[Evan] To think of this in pure financial terms. A person could return the tape for $1,000 or could access the tape, sell the information and make maybe $5,000.000+. Maybe a good preventative control for organizations is to assume that criminals are stupid as part of your risk management program (seriously though, it's not).

"We understand this is unwelcome news to our patients," said Betz.

The university had worked with Perpetual Storage for 12 years before the theft

The University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending the review of all procedures and protocols for transporting and storing backup data.

Additionally, the health-care system is taking the following steps on behalf of its 2.2 million patients.

Mailing notification letters to all 2.2 million patients and guarantors;
Providing free credit monitoring and restoration service to patients whose records included Social Security numbers;
Providing a toll-free information line at 1-866-581-3599 to respond to questions; and
Establishing a website at healthcare.utah.edu/billingrecordstheft that provides information and resources.

Victim Reaction:
Tuesday's news was especially unsettling for people like Will Taylor, of West Valley City, whose premature daughter is a patient at University Hospital. Taylor has already been the victim of identity theft once, when thieves racked up credit card charges in his name.

"I will ask [the hospital] what precautions I can take and what they are doing about it," he said.

"If our information isn't safe, then what is?" patient Dan Christenson, of Salt Lake City, said Tuesday after learning of the theft.

Commentary:
I would be more understanding if this were the first breach ever reported where a backup was stolen that contained personal information, but it's not. Employing backup tapes without encryption is a very well documented risk, so why do large organizations still accept it?

Past Breaches:
March, 2008 - Stolen University Health Care laptop requires notification of 4800

European Backup Services Vulnerable to Attack

Wed, 11 Jun 2008 07:49:32 +0000

Online backup is seen as a good strategy for preventing data loss, in case of a disaster at a local datacenter or on a local machine. But apparently the software used by over 100 services is vulnerable to a man in the middle attack, even though it uses SSL to secure the connection:

Tests by heise Security show that four of the six services tested were vulnerable to attack.

While all of the tested systems encrypt communication with the backup server using SSL, external attackers can sniff the access code as plain text by acting as a man-in-the-middle (MITM) if the locally installed backup software does not perform sufficiently rigorous checks on the authenticity of the server’s certificates. In the vulnerable systems, we were able to hijack the connection from the client software to the backup servers.

Four of six may not be a large test sample, but it does raise concerns about trust between customers and their service providers. If you’re providing or purchasing this kind of service, you might want to look into it closely to make sure your data is secure.

Confidential Connecticut Department of Labor mailing is missing

Tue, 10 Jun 2008 08:00:32 +0000

Technorati Tag: Security Breach

Date Reported:
6/2/08

Organization:
State of Connecticut

Contractor/Consultant/Branch:
Connecticut Department of Labor

Victims:
Customers

Number Affected:
2,160

Types of Data:
"personal information, including name, address and Social Security number"

Breach Description:
"WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located."

Reference URL:
Connecticut Department of Labor
Associated Press via The Hartford Courant
Newsday

Report Credit:
Connecticut Department of Labor

Response:
From the online sources cited above:

WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located.

the agency strongly believes that the letters were mistakenly shredded along with others that were being rightfully destroyed

Following an extensive search, it appears the copies were inadvertently shredded and destroyed on or before May 21

we feel it is in the best interest of our customers to be proactive in our efforts to ensure that personal information is not compromised

The files contained copies of letters dated from May 2 to May 20 informing applicants that they were ineligible for the unemployment insurance.

Copies of the letters, which must be kept on file for three years, contained personal information, including name, address and Social Security number.
[Evan] Why does a letter informing someone that they are not eligible for unemployment insurance require a Social Security number?

we do not believe information on these letters will be used in a manner that will compromise the security of these residents

we have arranged for two years of free preventative services through the Debix Identity Protection Network
[Evan] Two years is much better that the semi-standard one year given by many organizations. Government breaches tick me off a little more than most. One reason is the fact that taxpayers get to foot the bill.

We sincerely regret any inconvenience or concern that has been caused by this situation

the agency takes the protection of personal information very seriously and since last year, we have been working on additional security features for the state’s unemployment insurance compensation system

Since federal law mandates that we use the entire Social Security number in the course of business, we are looking at ways to encrypt that data and still comply with regulations.
[Evan] I am glad to read that the agency is considering encryption of confidential information (albeit late, better than never), but this is only feasible for electronic information. Encryption would not have provided any protection against this particular breach which involved printed confidential information, namely Social Security numbers. I think it is generally a poor business practice to send mail with Social Security numbers in print unless it is absolutely necessary. I don't think that federal law requires that these mailings include Social Security numbers.

Residents who receive a letter from the agency and who may have questions regarding the free protection service can contact Debix directly at 888-332-4963. Those with questions about their Determination Letter can call the Labor Department’s Assistance Center at 860-263-6785.

Commentary:
If the missing letters only contained the information necessary to communicate the required message, then the impact of this breach would be considerably smaller.

Information security personnel don't currently review mailed information prior to release in the companies I consult for. This breach gets me thinking about a potential risk that I may have missed in my assessments.

Past Breaches:
September, 2007 - Stolen laptop contains names and allegations in state DCF cases
August, 2007 - State of Connecticut Stolen Laptop