
More laptop thefts

  • 22-04-2008 8:54am
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    Why do companies allow employees to carry around personal information on laptops and other portable media? A far more sensible solution is to hold all data centrally in a secure controlled environment, allowing mobile employees access to these data on a need to know basis over encrypted data connections in a controlled manner. (i.e. it should not be possible to download bulk personal data into spreadsheet, database or any similar format into a notebook PC).

    While many mobile phone networks operating in Ireland are almost certainly intelligence gathering platforms for certain foreign governments, these bast**** would have severe difficulty decrypting large volumes of mobile data traffic if every company using the mobile networks was using properly set-up VPNs using AES-256 with frequently changing keys…. FIPS 140-4!

    Why didn’t the Gardaí ask the bank in question (when the theft was reported months ago) to confirm that they had notified the Data Protection Commissioner immediately? And why was Hawkes so slow in announcing the breach to the public? All losses/thefts of corporate / government PCs should be required to go through this procedure in a timely manner – time is surely of the essence?!

    The Data Protection laws of 1988 and 2003 are badly written and need to be updated to take into account the new reality of notebook computers and other portable media capable of carrying large datasets – to put stricter, clearer obligations on companies and government agencies to enforce data security measures – and to give adequate redress to the victims of data loss to cover their costs of taking preventative measures.

    Hit companies hard in the pocket if they allow personal data to get into the wild, and give this money to the victims to take measures to protect their identity and credit rating.

    Several years after the introduction of the EMV payment card, many retail chains in Ireland are still swiping the magnetic stripe of peoples’ cards and presumably storing their card numbers etc on their IT systems. How many of these data sets end up in notebook computers or are accessible over poorly secured WiFi networks?

    In France, all bank card details are encrypted and have to go through the bank provided POS terminals – retailers don’t get their hands on the magnetic stripe to steal data – data which they don’t need to process the transaction and therefore have no legal basis to collect.

    Britain has 94 reported data thefts/losses last year (which is probably only a fraction of the real number). That would imply on the balance of probabilities at least 8 took place in Ireland – given the similar culture of sloppy administration and management (and pub culture).

    It is likely that most large companies and government agencies have lost data at some stage, and the matter was probably swept under the carpet!

    Is it not time that the Data Protection Commissioner considered his position?

    .probe


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Why didn’t the Gardaí ask the bank in question..

    you can't expect them to do everything! :rolleyes:
    It is likely that most large companies and government agencies have lost data at some stage, and the matter was probably swept under the carpet!

    absolutely, it's the best choice.
    How many of these data sets end up in notebook computers or are accessible over poorly secured WiFi networks?

    imo it's got a lot to do with the people responsible for maintaining the networks, policies on security..etc

    friend told me about a company involved with many credit card transactions every day, had a wireless router with no key, setup to facilitate a conference where internet access was required.

    it was on same network as company computers..

    The company was using unpatched pirate copies of XP/Win2k and everything..from routers to switches were all left with default settings, the whole network was wide open, including whatever credit transaction information was stored on them.

    From what I learned, the guy in charge was given the network administrative position, because he knew the company accountant, and the contract was awarded based on this, to run several sites around the country.

    In order to make more money for himself, he simply downloaded pirate copies of XP/Win2k and other applications, but charged the company full cost price of the O/S and applications.

    It's unfortunate that company customers will be affected at some point in the future, but what can you really do about it?

    If the company are told of the problem, they just take the router offline - problem solved as far as they're concerned.

    Without going too far off topic, a lot of government jobs (at least where I live) are kept exclusively for family members, regardless of how skilled or qualified for the job they are..

    People wonder why the country is so badly mis-managed? It's not a big mystery to me.


  • Registered Users, Registered Users 2 Posts: 1,306 ✭✭✭carveone



    friend told me about a company involved with many credit card transactions every day, had a wireless router with no key, setup to facilitate a conference where internet access was required.

    <horror snipped>

    Good grief! And here was I waiting for someone to mention encryption as the magic bullet to solve all problems when encrypted laptops (in the On/Suspend/Hibernate states) are easily compromised...
    In order to make more money for himself, he simply downloaded pirate copies of XP/Win2k and other applications, but charged the company full cost price of the O/S and applications.

    Its unfortunate that company customers will be affected at some point in the future, but what can you really do about it?

    Of course he was committing fraud and possibly industrial espionage but, when sod all happens to TK Maxx, he's probably grand :mad:

    Conor.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    you can't expect them to do everything!

    absolutely, it's the best choice.

    According to GB-data protection agency half of the data losses last year from the private sector came from financial services companies. In the public sector one third of data losses came from central government and a fifth from the "health" service.

    imo it's got a lot to do with the people responsible for maintaining the networks, policies on security..etc
    As I said above, you have to hit people in the pocket. TJX had to pay MasterCard $24 million and Visa $41 million for their card fraud in the US alone - and I have no doubt that they incurred zillions of additional legal, compensation and PR costs all over the world. This type of money would buy a lot of computer security.
    friend told me about a company involved with many credit card transactions every day, had a wireless router with no key, setup to facilitate a conference where internet access was required.

    it was on same network as company computers..

    The company was using unpatched pirate copies of XP/Win2k and everything..from routers to switches were all left with default settings, the whole network was wide open, including whatever credit transaction information was stored on them.

    From what I learned, the guy in charge was given the network administrative position, because he knew the company accountant, and the contract was awarded based on this, to run several sites around the country.

    In order to make more money for himself, he simply downloaded pirate copies of XP/Win2k and other applications, but charged the company full cost price of the O/S and applications.

    It's unfortunate that company customers will be affected at some point in the future, but what can you really do about it?

    If the company are told of the problem, they just take the router offline - problem solved as far as they're concerned.

    Without going too far off topic, a lot of government jobs (at least where I live) are kept exclusively for family members, regardless of how skilled or qualified for the job they are..

    People wonder why the country is so badly mis-managed? It's not a big mystery to me.
    Microsoft is part of the problem too. The latest legitimate Vista and Windows Server 2008 on the Irish market has weaker encryption than the same products sold in the USA (AES-128 in IRL -v- AES-256 in USA). Free open source Linux supports AES-256.

    It says to me that if they have to, they can throw enough computer power at the 128 bit version of AES to break it. We are back to the dark ages of the 40 and 64 bit browsers "for export" (from the USA) and 128 bit for "domestic use"! And the ECHELON lot are spying on data traffic from the Irish corporate sector - and Microsoft is in bed with them - otherwise Microsoft products would offer similar security levels in Ireland as they do in the USA.

    .probe


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    carveone wrote: »
    Good grief! And here was I waiting for someone to mention encryption as the magic bullet to solve all problems when encrypted laptops (in the On/Suspend/Hibernate states) are easily compromised...

    This is a very theoretical risk - the thief has to grab the computer while it is being powered down, get at the internals within a few seconds and spray refrigerant gas on the chips to hold on to the encryption keys in memory for perhaps an hour or so.

    Which is no different to having your PC in a cafe or airport lounge and someone grabbing it and running away while it is powered on. Listen to episode 137 of Steve Gibson's Security Now "Ram Hijacks" http://www.grc.com/securitynow.htm if you have any concerns.

    .probe


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    probe wrote:
    you have to hit people in the pocket.

    i agree 100%!
    probe wrote:
    Microsoft is part of the problem too. The latest legitimate Vista and Windows Server 2008 on the Irish market has weaker encryption than the same products sold in the USA..

    my point was that the operating systems are too old and would be easily compromised by someone using point-click tools such as Metasploit.

    at least if the computers had valid copies, updated with latest service packs/patches, additional switches, routers configured properly - there would be a little less risk involved.

    and it's not even that difficult, is that not what they're paid to do? ffs

    it's no surprise 1/5th of data goes missing from HSE, it's run by clowns.


  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭macrubicon


    probe wrote: »
    We are back to the dark ages of the 40 and 64 bit browsers "for export" (from the USA) and 128 bit for "domestic use"!

    <snip>

    Microsoft is in bed with them - otherwise Microsoft products would offer similar security levels in Ireland as they do in the USA.

    To be fair to Microsoft and the rest of the US companies regarding encryption...

    Encryption technology is classed as a "munition" and as such its export is regulated. They can't ship anything larger than 128 without an individual export licence. Granted it's easy enough, but not for a "box" product that's going to ship millions of units and be OEM'd

    It's the same with Cisco, 3Com, Nortel etc. in relation to 3Des / AES 256 licences for firewalls etc. You have to apply for the higher levels of encryption after you get the devices.

    Blame the US export rules not the Manufacturers who have to follow them. If you want AES 256 for wireless... use the tools and get an add-in.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    macrubicon wrote: »
    To be fair to Microsoft and the rest of the US companies regarding encryption...

    Encryption technology is classed as a "munition" and as such its export is regulated. They can't ship anything larger than 128 without an individual export licence. Granted it's easy enough, but not for a "box" product that's going to ship millions of units and be OEM'd

    It's the same with Cisco, 3Com, Nortel etc. in relation to 3Des / AES 256 licences for firewalls etc. You have to apply for the higher levels of encryption after you get the devices.

    Blame the US export rules not the Manufacturers who have to follow them. If you want AES 256 for wireless... use the tools and get an add-in.

    I can think of several (non-Microsoft) software/hardware products of US origin that incorporate AES-256 bit encryption, freely available in Europe and elsewhere without any special "licenses".

    Example: The Firefox browser. Visit https://www.ecb.europa.eu/stats/monetary/rates/html/index.en.html or virtually any website running with Apache server and you'll get an AES-256 bit secure connection in https mode. Download Firefox free here: http://www.firefox.com

    Moving back to the subject of business/government laptop theft risk management, you can buy US made PGP Whole Disk Encryption in Europe which uses AES-256 encryption out of the box.

    http://www.pgp.com/products/wholediskencryption/index.html

    Specification: http://www.pgp.com/products/wholediskencryption/tech_specs.html (supports multi-factor encryption too).

    .probe

    P.S.: In any event AES encryption is European - Rijndael - Made in Belgium - the US has no right to even purport to control its distribution.


  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭macrubicon


    probe wrote: »
    I can think of several (non-Microsoft) software/hardware products of US origin that incorporate AES-256 bit encryption, freely available in Europe and elsewhere without any special "licenses".

    Example: The Firefox browser. / Apache
    <snip>

    Moving back to the subject of business/government laptop theft risk management, you can buy US made PGP Whole Disk Encryption in Europe which uses AES-256 encryption out of the box.

    <Snip>

    P.S.: In any event AES encryption is European - Rijndael - Made in Belgium - the US has no right to even purport to control its distribution.

    OK... you are right - I was not saying that you cannot get things with keys 256+ but that export controls are in place for certain things!

    Regarding Firefox, Apache and PGP - all good points, but I will nearly guarantee you that they download from a non US site. That is an easy way around the restrictions. PGP I know as I use it for work purposes is mainly shipped out of Europe.

    Another way to get around the Export Regs is to publicly and openly document how you do it. - Firefox, Apache etc. all have publicly available source code so probably avail of this exemption.

    In relation to the Encryption standard - it does not matter if it's AES, RSA, Diffie-Hellman or whoever, it's encryption and the US controls its export.

    http://www.bis.doc.gov/encryption/ will give you some insight to what is allowed where - including the exemption which allows the EU countries to immediately download the greater key sizes.

    We are probably straying off topic, but there is no doubt they were damn fools to have that info unsecured on a laptop and they should pay a harsh penalty for it.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    macrubicon wrote: »
    OK... you are right - I was not saying that you cannot get things with keys 256+ but that export controls are in place for certain things!

    Regarding Firefox, Apache and PGP - all good points, but I will nearly guarantee you that they download from a non US site. That is an easy way around the restrictions. PGP I know as I use it for work purposes is mainly shipped out of Europe.

    Another way to get around the Export Regs is to publicly and openly document how you do it. - Firefox, Apache etc. all have publicly available source code so probably avail of this exemption.

    In relation to the Encryption standard - it does not matter if it's AES, RSA, Diffie-Hellman or whoever, it's encryption and the US controls its export.

    http://www.bis.doc.gov/encryption/ will give you some insight to what is allowed where - including the exemption which allows the EU countries to immediately download the greater key sizes.

    We are probably straying off topic, but there is no doubt they were damn fools to have that info unsecured on a laptop and they should pay a harsh penalty for it.

    The majority of Microsoft products sold in Europe and elsewhere in the free world originate in Ireland. So where is the "export" problem?

    .probe


  • Registered Users, Registered Users 2 Posts: 20,299 ✭✭✭✭MadsL


    What is even more shocking is the wait time...10 months AFTER the event they go public! :eek:

    Serious need for mandatory security breach reporting legislation to be brought in.

    ISO 27001:2005 ftw!


  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭macrubicon


    probe wrote: »
    The majority of Microsoft products sold in Europe and elsewhere in the free world originate in Ireland. So where is the "export" problem?

    .probe

    The intellectual property of the originating company - in this case Microsoft - rests in the US. The OEM products etc. are mostly through corporate agreements based in US law.

    The box product on the shelf had to be "exported" from somewhere. It may originate here from a production standpoint but production in this case is burning the Disks and producing the packaging, not creating the product.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    macrubicon wrote: »
    The intellectual property of the originating company - in this case Microsoft - rests in the US. The OEM products etc. are mostly through corporate agreements based in US law.

    The box product on the shelf had to be "exported" from somewhere. It may originate here from a production standpoint but production in this case is burning the Disks and producing the packaging, not creating the product.

    If I bought a boxed copy of “Genuine*” Vista from an Irish supplier, under Irish law, (non-OEM), it would still be spayed (with 128 bit AES). Despite costing far more than in the US (tax excluded from the price at both ends). Furthermore Microsoft's Vista price reductions in the US haven't been replicated in Ireland. A higher price for an inferior product.

    Microsoft has no problem dealing with the situs of intellectual property rights when it suits the company. European companies who take their customers’ data privacy seriously really have no alternative but to move to open source products.

    RSA Security said that 1024 bit keys are likely to become crackable some time before 2010. Virtually every bank and other “secure” website one visits in Ireland running on MS software uses 1024 bit keys. All potentially crackable now or in the near future.

    PGP’s corporate headquarters is in Palo Alto, so the intellectual property of the originating company of the PGP whole disk encryption product must rest there. Notwithstanding this, PGP Corporation manages to export an unadulterated product to Ireland.

    .probe

    *”Genuine Windows” – a dumb term found all over Dell’s website (as if Dell would sell pirated Windows versions as an option) – one of many reasons why I didn’t buy a Dell machine this time
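    Probe's point about 1024-bit RSA keys on bank websites is the kind of thing an operator can audit rather than guess at. The following is an added example, not code from this thread or from any product it mentions: a small Go audit that parses an X.509 certificate and flags an RSA modulus shorter than an assumed 2048-bit policy floor. The certificates and hostnames are constructed in the code so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the assumed policy floor for this example: anything shorter
// (such as the 1024-bit keys the thread mentions) is flagged as weak.
const MinRSABits = 2048

// KeyFinding is the result of auditing one certificate's public key.
type KeyFinding struct {
	Subject string
	Algo    string
	Bits    int // modulus length for RSA keys; 0 for other key types
	Weak    bool
}

// AuditCertDER parses a DER-encoded X.509 certificate and reports whether
// its RSA public key falls below MinRSABits. Only RSA is judged here, since
// the thread's concern is RSA modulus size; other key types are reported
// but not flagged.
func AuditCertDER(der []byte) (KeyFinding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return KeyFinding{}, fmt.Errorf("parse certificate: %w", err)
	}
	f := KeyFinding{
		Subject: cert.Subject.CommonName,
		Algo:    cert.PublicKeyAlgorithm.String(),
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		f.Bits = pub.N.BitLen()
		f.Weak = f.Bits < MinRSABits
	}
	return f, nil
}

// selfSignedDER builds a constructed self-signed certificate with an RSA key
// of the requested size. It stands in for a certificate captured from a real
// server so the audit can run offline; the hostnames are placeholders.
func selfSignedDER(cn string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		DNSNames:     []string{cn},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Two constructed certificates: one with the 1024-bit key size the thread
	// complains about, one meeting the assumed 2048-bit floor.
	samples := []struct {
		cn   string
		bits int
	}{
		{"weak-bank.example", 1024},
		{"ok-bank.example", 2048},
	}
	for _, s := range samples {
		der, err := selfSignedDER(s.cn, s.bits)
		if err != nil {
			fmt.Println("generate:", err)
			continue
		}
		f, err := AuditCertDER(der)
		if err != nil {
			fmt.Println("audit:", err)
			continue
		}
		verdict := "OK"
		if f.Weak {
			verdict = "WEAK (below policy floor)"
		}
		fmt.Printf("%-20s %-4s %4d bits  %s\n", f.Subject, f.Algo, f.Bits, verdict)
	}
}
```

    To audit a live site instead of the constructed samples, feed AuditCertDER the DER bytes of the leaf certificate from a TLS connection's peer certificate chain.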


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    'While IBM is not itself a banking or healthcare provider, its customers that are have encouraged IBM to adopt encryption for purposes of sharing information. "We work with banking, healthcare and government agencies," Mitchell says. "We serve these markets and they are driven by compliance requirements." He adds, "And we've had an increased loss in laptops as well."'

    What amazes me is that IBM is only doing this in 2008! Better late than never perhaps.

    http://www.networkworld.com/news/2008/012908-ibm-encryption-deployment.html

    .probe


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    My question would be not why. We know why. We know how to use truecrypt too.

    My question, as someone who contracted to government once or twice and overheard more than I wish to have,

    Is how many more laptops went missing but were never made public?

    I know the number for just one government body's office and I'll just say it's a common occurrence. :eek:


  • Registered Users, Registered Users 2 Posts: 20,299 ✭✭✭✭MadsL


    re: I know the number for just one government body's office and ill just say its a common occurrence

    Questions recently asked in the Dail answered (officially)...

    Taoiseach

    The Taoiseach: A small amount of computer equipment has been reported lost or stolen in the period specified (as outlined in the table below).
    A number of measures are in place in my Department to protect private and sensitive data. Users supplied with Departmental equipment are issued with guidance to ensure devices are secured appropriately. All laptops issued by the Department have encrypted hard drives and store no data locally. Strong authentication methods, in addition to simple username and password, are in place to prevent unauthorised access to these devices. Mobile devices can be, and are, disabled immediately by my staff, on notification that they are lost or stolen.
    My Department continually reviews and updates procedures and products to secure portable machines and devices to the highest levels.
    Table
    Year   Devices reported lost/stolen   Devices recovered
    2002   1                              0
    2003   3                              0
    2004   1                              1
    2005   1                              1
    2006   2                              0
    2007   1                              1

    167. Deputy Damien English asked the Taoiseach the number of and the records kept by his Department of attempted hacking or suspected cyber attacks or other malicious computer security breaches committed against his Department’s computer systems. [1731/08]
    The Taoiseach: My Department’s computer systems are protected against security breaches through the use of industry standard security procedures and products. These products produce reports on attempted and actual security breaches. There have been no reported or attempted attacks on my Department’s computer systems.
    We continually monitor and update our security procedures and products to ensure that a high level of protection is always in place.
    172. Deputy Simon Coveney asked the Taoiseach the details of all instances since 1 June 2002 where personal data held by his Department or any agency under its auspices were compromised in any way; if the review by his Department of data security procedures announced on 22 November 2007 is completed; and the findings of that review in terms both of prior shortcomings and of future actions. [2168/08]
    The Taoiseach: No personal data held by my Department has been compromised in any way since June 2002.


    Finance
    221. Deputy Ruairí Quinn asked the Tánaiste and Minister for Finance the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1515/08]
    Tánaiste and Minister for Finance (Deputy Brian Cowen): One Department owned memory key was reported missing in 2007 but no sensitive or private data was compromised. No computer desktops, laptops or other data devices owned by my Department have been reported lost, missing or stolen. As regards the measures to secure at risk data devices, my Department has a facility in place to immediately wipe all corporate emails and data from mobile email devices should such a device be reported lost or stolen and has begun a process to enforce encryption of data stored on laptops. Moreover, all staff are regularly reminded to be vigilant with any information stored electronically on removable media devices and to ensure that these devices are not left unattended.
    228. Deputy Damien English asked the Tánaiste and Minister for Finance the number of and the records kept by his Department of attempted hacking or suspected cyber attacks or other malicious computer security breaches committed against his Department’s computer systems. [1726/08]
    Tánaiste and Minister for Finance (Deputy Brian Cowen): Unauthorised traffic to all the Department’s public-facing systems is logged and monitored. A page of one of the Department’s websites was overwritten in November 2007. The company that manages the site fixed the underlying vulnerability in their software, and access to this page was completely restored after less than 24 hours.
    239. Deputy Simon Coveney asked the Tánaiste and Minister for Finance the details of all instances since 1 June 2002 where personal data held by his Department or any agency under its auspices were compromised in any way; if the review by his Department of data security procedures announced on 22 November 2007 is complete; and the findings of that review in terms both of prior shortcomings and of future actions. [2163/08]
    Tánaiste and Minister for Finance (Deputy Brian Cowen): There have been no instances of personal data held by my Department being compromised.
    In relation to the agencies under the remit of my Department, I have been advised by the Revenue Commissioners that there have been a number of investigations into instances of inappropriate accessing of information by Revenue staff since 1 June 2002. Appropriate sanctions have been, and are, taken against staff under the Civil Service Disciplinary Code.
    Revenue’s Security and Confidentiality Policy informs all staff of the continuing need to maintain the highest level of confidentiality and security regarding access to and control of information used for Revenue business purposes. Revenue staff are regularly reminded of the need to protect the confidentiality of information concerning members of the public. Staff are also regularly reminded that access to Revenue information is authorised only in circumstances where there is a clear official business reason requiring such access and that any unauthorised access constitutes a serious breach of discipline and will be dealt with accordingly. Data, security systems and procedures are regularly reviewed as part of Revenue’s business and strategic planning processes.
    In relation to the Office of Public Works, when setting up the Freedom of Information Website in June 2004, the names of all those making requests were published. In addition, the addresses of private individuals were mistakenly displayed along with the addresses of businesses/journalists etc. This error has been rectified.
    Following consultation with the Office of the Data Protection Commissioner regarding the use of individual’s names, OPW is currently in the process of removing the names of all requesters from its website and has amended its FOI acknowledgement letters to reflect this change.
    In 2004 and 2005 a series of articles about OPW related issues appeared in the Irish media containing some personal information about OPW staff. However, it was not possible to establish how this information came into the possession of the media.
    The Government made a decision (which I announced in November 2007) to review the systems and procedures operated by Departments and Agencies which are in place to protect the confidentiality of personal data and to prevent its improper release. In that context, my Department is required to furnish the Government with a report. Consequently, my Department has written to all Departments and Offices requesting details of the systems and procedures in place. These details are scheduled to be returned to the Department of Finance by 1st February 2008.


    Health and Children
    351. Deputy Ruairí Quinn asked the Minister for Health and Children the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from her Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within her Department to secure such portable or at risk data devices; and if she will make a statement on the matter. [1517/08]
    Minister for Health and Children (Deputy Mary Harney):
    Year   No.   Type of equipment
    2007   2     1 Memory key, 1 Laptop
    2006   1     1 Laptop
    2005   0     N/A
    2004   0     N/A
    2003   0     N/A
    2002   2     2 Laptops
    Since 2002, there have been five (5) items of ICT equipment lost/mislaid/stolen, none of which has been recovered. I understand that no sensitive or private data was compromised with the loss of this equipment. My Department has an acceptable usage policy in relation to the use of ICT facilities that defines the rules of use and advises staff on the best practice for security controls and the management of confidential material.
    My Department is currently examining the deployment of encryption and security products to ameliorate the risks involved with the loss/theft of portable media. The guidelines issued to staff and all ICT security arrangements are also under review as part of a wider computer security initiative in the context of the 2008 business plan.

    Transport
    543. Deputy Ruairí Quinn asked the Minister for Transport the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1521/08]
    Minister for Transport (Deputy Noel Dempsey): I understand that three laptops and two Blackberries were reported lost, missing or stolen from my Department between the years 2002 to 2007. Of these, one Blackberry and one Laptop was subsequently recovered. Two Laptops and one Blackberry are still missing. I have been assured by my officials that, to the best of their knowledge, there was no private or sensitive data compromised as a result of these events.
    My Department ensures that data security measures are regularly reviewed in the light of changing circumstances and that any appropriate measures identified are implemented in order to prevent risk to data. All Departmental laptops are issued to staff with password protection enabled. Since October 2007, all data replicated from my Department’s network to laptops is automatically encrypted. Mechanisms are in place to remotely immobilise and wipe any information on any portable data devices lost, missing or stolen from my Department.
    Since 1 June 2002, there was one instance of Personal Data being displayed on my Department’s website, which was subsequently removed from the public domain. In this regard, I refer the Deputy to my reply in Dail Question number 90 of 1 November 2007 in the House in which I explained that, following correspondence with the Office of the Data Protection Commissioner, the display on my Department’s website of two registers, one of road haulage operator and another of licensed passenger transport operators, was not in accordance with the Road Transport Act, 2006 or with data protection rules generally. Both registers were removed from my website immediately.
    All data replicated from the Department’s network to laptops is automatically encrypted. Mechanisms are in place to remotely delete data from any laptop or Personal Digital Assistant stolen from the Department, which connects to the Internet.
    Where, for business reasons, personal data needs to be transferred to third parties (for example, transferring salary details to staff bank accounts), this is carried out in a fully secured electronic manner. In the case of the National Vehicle and Driver File (NVDF) large data volumes are transferred to third parties through secure encrypted channels.
    My Department regularly reviews its data security in the light of changing circumstances and needs. The most recent such review dealt with an emerging requirement for more mobile access to Departmental data and involved external specialists. The report was delivered on 22 August 2007 and appropriate measures have been implemented.
    Personal data on physical files is secured by restricted access to buildings and is locked away in filing cabinets to which only appropriate staff members have access.
    The review announced by the Tánaiste on 22 November 2007 is being conducted by the Department of Finance and is I understand ongoing.
    Protection of Personal data is a day to day operational matter for agencies under my Department’s remit in which I have no function.

    Foreign Affairs
    589. Deputy Ruairí Quinn asked the Minister for Foreign Affairs the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1516/08]
    Minister for Foreign Affairs (Deputy Dermot Ahern): The Department of Foreign Affairs has had two incidents of lost, missing or stolen computer equipment in the period 2002 to 2007.
    In July 2003, 25 new computers were stolen from temporary offices in Brussels. In June 2004, an individual, who had been working on contract in the Department of Foreign Affairs, received a four year suspended sentence for the theft of eight laptop computers. None of these computers or laptops has been recovered by the Department. In both incidents, the equipment was new and unused and no sensitive or private data was compromised.
    The Department has issued guidelines to all officers on the appropriate use of IT equipment, highlighting important issues relating to the Data Protection Act. The Department encrypts data on PCs and laptops not located within its premises and has a project under way to encrypt all data on memory sticks and other portable data devices.
    There have been no instances of personal data held by my Department being compromised during the period in question.
    The review of procedures is underway and will be delivered to the Department of Finance by the 1st February 2008.

    Enterprise, Trade and Employment

    638. Deputy Ruairí Quinn asked the Minister for Enterprise, Trade and Employment the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1513/08]
    Minister for Enterprise, Trade and Employment (Deputy Micheál Martin): My Department’s records indicate the following:
    2002 - One laptop reported stolen.
    2003 - One laptop reported stolen.
    2004 - No IT assets reported lost, missing or stolen.
    2005 - One Laptop reported stolen and one Blackberry reported lost.
    2006 - One Blackberry reported lost.
    2007 - One Blackberry reported stolen.
    Of the three laptops reported stolen one was subsequently recovered and none were reported as containing sensitive data at the time. While none of the Blackberry devices have been recovered, my Department invoked the facility to automatically wipe all data from the devices as soon as they were reported missing and immediately cancelled the subscription with the service provider.
    Last year my Department, with the assistance of an external ICT security expert, conducted a comprehensive review of ICT security across my Department and its Offices. The findings of the report now form a significant part of my Department’s new ICT Strategy (2008-2010), which will focus on ensuring continuity of ICT availability including increased security awareness of users, additional process and technological controls and ongoing inclusion of security considerations as part of a project’s planning process. The Review took into consideration the balance that is required between ensuring integrity and confidentiality of information and systems on one hand, and availability and usability of information on the other.
    The recent growth of electronic storage devices such as those mentioned in the question is a concern for my Department in terms of how it can ensure that sensitive information remains secure. Indeed, the fact of the matter is that many people including staff of my Department would personally own a number of such devices including memory keys, mobile phones, MP3 players and handheld game consoles. Therefore, my Department is adopting a dual approach by concentrating on both awareness and prevention of any security lapses. An ICT security awareness programme is underway, involving newsletters, workshops and presentations to staff along with reminders of ICT usage policies and regulations. Furthermore, and in light of recent events internationally involving loss of media containing sensitive data, my Department has reviewed the manner in which data is transported within the Department and between the Department and other Public Bodies. A number of changes were made to the processes involved and my Department will continue to implement new procedures and technologies to ensure ongoing improvements in securing sensitive data.
    The Internet is an increasingly aggressive environment and the advice of my Department’s ICT security advisors is that all websites and on-line systems run the risk of hacking or some other cyber attack. Many of these attacks are automated and are not targeted at particular individuals or organisations. Consequently my Department takes the security of its computer systems and the data they contain very seriously. My Department’s computer systems are protected by a range of security technologies designed to minimise the potential for hacking or cyber attack. These systems have the ability to generate alerts and records of unusual or suspicious activity which could indicate that a cyber attack was being attempted.
    Over the last few years my Department and its Offices have developed a comprehensive on-line presence comprising 14 separate websites, including three on-line processing systems. Apart from a small number of minor incidents where individual computers have been found to have been infected with a virus, my Department’s records indicate that noteworthy hacking or cyber attacks have been carried out against the Department’s public websites on four separate occasions.
    Three of these attacks were against websites hosted internally within my Department, while the fourth was against a website hosted and maintained by a 3rd party.
    The attacks against the websites hosted within my Department were forensically investigated by an independent firm of ICT security consultants who concluded that there was no evidence to suggest that other servers, networks or data within the Department had been compromised. A full record of these incidents has been created, including a comprehensive report from the consultants. The incidents were reported to An Garda Síochána and I am informed that their investigation is ongoing.
    These attacks underline the growing importance of ICT security. Maintaining a secure ICT infrastructure is a continuous process, involving a combination of appropriately skilled people and the implementation of best-practice processes and technologies. Last year my Department, with the assistance of external ICT security experts, conducted a comprehensive review of ICT security across the Department and its Offices. The findings of the report now form a significant part of my Department’s new ICT Strategy (2008-2010) and in conjunction with the external security consultants a programme of work is currently being undertaken which is designed to deliver ongoing improvements in the security of the Departments’ ICT systems. In addition a dedicated Information Security Officer is being appointed to maintain an ongoing focus on Information Security across the Department.
    There have been no reported instances in my Department where personal data has been compromised since the date in question.
    My Department is registered with the Office of the Data Protection Commissioner for the purpose of the Data Protection Acts. My Department is very conscious of its obligations under the Data Protection Acts, and of the need to promote awareness among staff of these obligations. In this regard all induction courses for new staff members include a segment on data protection. In September 2007 all staff in my Department were issued with a Human Resources Management Handbook in hard copy format, which includes a dedicated Section concerning the provisions of data protection legislation, and highlighting the obligations and responsibilities for staff in this area. These obligations were reiterated to all staff in my Department by way of an Office Notice in November 2007. Physical and technical safeguards are in place throughout my Department. A secure ICT infrastructure and staff awareness programmes play a key role in supporting data protection.
    Regarding ICT this is a continuous process, involving a combination of appropriately skilled people and the implementation of best-practice processes and technologies. Last year, my Department with the assistance of external ICT security experts, conducted a comprehensive review of ICT security across the Department and its Offices. The findings of the report now form a significant part of my Department’s new ICT Strategy (2008-2010) and a programme of work is currently being undertaken which is designed to deliver ongoing improvements in the security of the Departments’ ICT systems thereby minimizing the risk of compromising data and/or security breaches. This includes a programme of data protection and security awareness workshops, one of which has already taken place. The workshops are facilitated by experts in the field who prior to the workshop examine the business units involved in terms of information security and data protection.
    The position in relation to the review by my Department of data security procedures to protect the confidentiality of personal data is that the review is almost complete and a report on the matter is expected to be forwarded to the Department of Finance shortly.
    The registration of the agencies of my Department with the Data Protection Commissioner for the purpose of the Data Protection Acts is a day-to-day operational matter for the agencies concerned and one in which I have no function.

    Arts, Sport and Tourism
    705. Deputy Ruairí Quinn asked the Minister for Arts, Sport and Tourism the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1508/08]
    Minister for Arts, Sport and Tourism (Deputy Séamus Brennan): In four of the six years referred to by the Deputy, no data devices were either lost or stolen from my Department. In 2006, in separate instances, one blackberry was lost, one desktop computer stolen and one laptop stolen; in 2007 one blackberry was lost. None of these were recovered. None of the devices in question held sensitive or personal information.
    Neither sensitive nor personal information is stored by default on desktop or portable data devices in the Department and officials are requested not to save any such information onto the devices. This information is stored only on the Department’s IT network, to which access is controlled by password protection and by firewall security systems.
    The National Archives, an institution which is also part of my Department, has not had any laptops, mobile devices or memory keys lost or stolen during the period in question. Correspondingly, no sensitive data has been lost. In terms of security, these laptops and mobile devices would not hold particularly sensitive data and would be password protected for access.
    Data Protection.
    706. Deputy Damien English asked the Minister for Arts, Sport and Tourism the number of and the records kept by his Department of attempted hacking or suspected cyber attacks or other malicious computer security breaches committed against his Department’s computer systems. [1719/08]
    Minister for Arts, Sport and Tourism (Deputy Séamus Brennan): My Department’s IT Network is part of the Government Virtual Private Network (VPN) and, as such, is initially protected against intrusion by the VPN firewall. Beyond this level the network is also protected by the Department’s own firewall system. This extensive firewall security blocks in the regions of 70,000 items of data traffic daily.
    A log is kept by this system of intrusion attempts and alerts are configured to warn if any such attacks breach the network. The traffic which is allowed through the firewall is further filtered for so-called ’spam’ and the traffic which is subsequently allowed through that process is filtered for viruses and for content. No breaches of the firewall security systems in place by my Department have been made to date.
    The National Archives, an institution which is also part of my Department, has had no recorded attempts of hacking, suspected cyber attacks or other malicious computer security breaches against its computer systems.

    Social and Family Affairs
    741. Deputy Ruairí Quinn asked the Minister for Social and Family Affairs the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1519/08]
    Minister for Social and Family Affairs (Deputy Martin Cullen): Departmental mobile phones do not store customer data and while departmentally supplied laptops can be used to access critical customer information such data is not retained on the device following access. Industry standard security protocols such as password protection and security software are deployed to protect all departmentally supplied devices and preserve the confidentiality and integrity of sensitive data.
    The following data devices, officially supplied by the Department, were reported stolen in the years in question:
    2002 – One Laptop computer - while staff member was on public transport
    2002 – Three mobile phones - while being returned to Headquarters
    2004 – One Laptop - house break-in
    2006 – Two laptops - one house break-in and one car break-in
    2007 – One laptop - house break-in
    None of these devices have been recovered since.

    Community, Rural and Gaeltacht Affairs
    781. Deputy Ruairí Quinn asked the Minister for Community, Rural and Gaeltacht Affairs the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1510/08]
    Minister for Community, Rural and Gaeltacht Affairs (Deputy Éamon Ó Cuív): In 2006 one laptop and a memory stick was stolen from a Departmental official and not recovered.
    In the same year another official lost a memory stick and this was not recovered either. I am informed that no sensitive or private data was compromised in any of these cases.
    782. Deputy Damien English asked the Minister for Community, Rural and Gaeltacht Affairs the number of and the records kept by his Department of attempted hacking or suspected cyber attacks or other malicious computer security breaches committed against his Department’s computer systems. [1721/08]
    Minister for Community, Rural and Gaeltacht Affairs (Deputy Éamon Ó Cuív): My Department is satisfied that its computer systems are well protected against hacking, cyber attacks or other malicious computer breaches.

    Agriculture, Fisheries and Food

    840. Deputy Ruairí Quinn asked the Minister for Agriculture, Fisheries and Food the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from her Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within her Department to secure such portable or at risk data devices; and if she will make a statement on the matter. [1507/08]
    Minister for Agriculture, Fisheries and Food (Deputy Mary Coughlan): The number of Department-owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from my Department are set out in the following table:
    Year   Lost/Stolen                                          Recovered/Found
    2002   3 Laptops were reported stolen                       None
    2003   None                                                 N/A
    2004   None                                                 N/A
    2005   None                                                 N/A
    2006   1 Laptop reported stolen                             None
    2007   1 Laptop reported stolen; 2 Blackberry devices lost  None
    No computer desktops, or other data devices e.g. memory keys were reported lost, missing or stolen. When a device, such as a laptop or Blackberry, is reported lost or stolen, access by that device to the Department’s computer network is immediately suspended and use of the device is blocked. In all cases where devices were reported stolen, the theft was reported to the Garda. To date, no sensitive or private data has been compromised. All computer desktops and laptops are protected by use of a user-ID and password. The Department is currently examining the procurement of encryption software to enhance the security of laptops and other data devices such as memory keys.

    Minister for Education and Science
    980. Deputy Ruairí Quinn asked the Minister for Education and Science the number of Department owned computer desktops or laptops or other data devices, such as BlackBerries and memory keys, reported lost, missing or stolen from her Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within her Department to secure such portable or at risk data devices; and if she will make a statement on the matter. [1512/08]
    Minister for Education and Science (Deputy Mary Hanafin): The information requested by the Deputy is set out as follows:
    2002-2004: no items were reported lost, stolen or missing.
    2005: 2 USB memory cards were reported stolen. Both cards are still missing.
    2006: 2 USB memory cards were reported lost and 1 memory card was reported stolen. The stolen memory card was recovered and 1 of the lost memory cards was subsequently found later that year. The other lost memory card is still missing.
    2007: 2 laptops were stolen and 1 USB memory card was reported lost. The laptops and the memory card are still missing.
    No sensitive or private data was reported as having been compromised. The laptops had a dual level of password protection and the USB memory cards were password protected.
    All desktop and laptop computers owned by my Department are password protected. Blackberry devices are both PIN and password protected. Encryption of USB memory keys is currently being investigated.

    Defence
    1110. Deputy Ruairí Quinn asked the Minister for Defence the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1511/08]
    Minister for Defence (Deputy Willie O’Dea): In relation to my Department no officially issued computer desktops, laptops or other data devices, such as blackberries and memory keys, have been reported lost, missing or stolen since 2002. All portable devices are issued on foot of a business requirement authorised at senior level and are recorded, tracked and maintained in accordance with the Department’s ICT Security Policy and procedures certified to ISO27001 standard.
    In relation to the Defence Forces, two desktop computers were stolen in 2007 from a Defence Forces installation during the UNMIL mission to Liberia and were not recovered. The PCs were on a restricted network and all data was on network drives rather than the PCs’ hard disks, so no compromise of data arose. A non-networked laptop computer, containing no sensitive or personal data, went missing in transit during a reconnaissance visit associated with humanitarian relief after the Tsunami in 2005 and was not recovered. A non-networked laptop computer with no personal or sensitive data was stolen from a member of the Defence Forces in 2004 while on an OSCE mission in Georgia and was not recovered.

    Justice, Equality and Law Reform

    1188. Deputy Ruairí Quinn asked the Minister for Justice, Equality and Law Reform the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1518/08]
    Minister for Justice, Equality and Law Reform (Deputy Brian Lenihan): No data has been compromised because of lost data devices. In 2005, arising from burglary, four laptops containing no sensitive or private data were stolen from a Departmental building.
    No desktops have been lost or stolen.
    The Department has no record of stolen Blackberries, although a small number have been lost and not recovered to date. They were quickly missed, the accounts frozen and the data removed by the server. There was no loss of data.
    The Department’s IT system is designed to allow staff who need access to official information off-site to access the Department’s information via a secure portal. This means that they are working on the Department’s IT network and no Departmental data rests on the device they are using to access the portal. The capability to download information on to devices such as USB keys is heavily restricted. There have been no reports of data being lost or compromised.

    Minister for the Environment, Heritage and Local Government
    1348. Deputy Ruairí Quinn asked the Minister for the Environment, Heritage and Local Government the number of Department owned computer desktops or laptops or other data devices, such as blackberries and memory keys, reported lost, missing or stolen from his Department in each year from 2002 to 2007; the number of these that were later recovered or found; the number still missing; if any sensitive or private data was compromised; the measures in place within his Department to secure such portable or at risk data devices; and if he will make a statement on the matter. [1514/08]
    Minister for the Environment, Heritage and Local Government (Deputy John Gormley): No Department owned computer desktops or memory keys have been reported lost, missing or stolen, during the period 2002 to 2007. During 2007, twelve Department owned laptops were stolen from the Custom House and one was stolen while in transit between Department offices. Ten of these were recovered almost immediately. Nine of these laptops were obsolete and had already been prepared for recycling. Of the three laptops not recovered, one was new and unused. One also contained a 3G card. One Blackberry device was reported lost in 2005 and two were reported lost in 2007. All unrecovered devices were password protected and no sensitive or private data was compromised.
    Security systems in the Custom House have since been upgraded and my Department, in conjunction with the Office of Public Works, is installing a new CCTV system. My Department already has a range of data protection initiatives in place. A review of the operation of systems and procedures to protect the confidentiality of personal data and to prevent its improper release is being finalised at present. Any issues emerging from the review which need to be addressed will be followed up.

    Communications, Energy and Natural Resources
    Minister for Communications, Energy and Natural Resources (Deputy Eamon Ryan): There have been no reported losses of desktop PCs or memory keys in my Department over this period. The number of laptop PCs and Blackberry devices lost in the same period is shown in the table below.
    Year   Laptop   Blackberry
    2002   0        0
    2003   4        0
    2004   0        0
    2005   4        0
    2006   1        0
    2007   1        1
    Total  10       1
    Laptop devices are accessed via a strong password (a combination of any three from uppercase, lower case, numbers and wildcard characters such as “^” or “&”), which is tied to the user’s network login and changed every 30 days*. The password is required on start-up and after fifteen minutes of inactivity. Blackberry devices lock and require a password to reactivate after ten minutes of inactivity. They can also be wiped clean from within the management software.
    There have been no reports that any sensitive data has been compromised by these losses. The level of personal information relating to members of the public processed within my Department is very small. The level of safeguards set for these devices has historically been considered appropriate for the type of user and the sensitivity of the information that might be contained on them. The desirability of additional safeguards will be considered as part of the annual ICT security review.
    [* Thanks for the info Eamon – only three characters to brute force eh?!!]
    Data Protection.
    1446. Deputy Damien English asked the Minister for Communications, Energy and Natural Resources the number of and the records kept by his Department of attempted hacking or suspected cyber attacks or other malicious computer security breaches committed against his Department’s computer systems. [1720/08]
    Minister for Communications, Energy and Natural Resources (Deputy Eamon Ryan): Virtually every computer or network connected to the internet is being probed for vulnerabilities by third parties. My Department’s network is no exception, and it receives a high volume of spurious traffic. There is no record kept of these probes. The traffic is stopped by firewalls on the Department’s IT system.
    All traffic that is permitted through the external firewall is inspected by a network Intrusion Detection System, which monitors the perimeter of the network for suspicious activity. This device inspects the millions of packets of data that enter and leave the network daily. Most of this traffic is legitimate, including email, Internet access by staff, et cetera, but if there are suspicious packets of data addressed to the Department’s network on a daily basis, these are identified, inspected, catalogued and logged by the system.
    Over the last nine months the analysis of incoming traffic by the system has not identified any attempt to hack or infiltrate the network, however, there have been over 65,000 occurrences of spyware, viruses, malware, et cetera, recognised by the system. The objective of all these is, of course, to compromise computers on the network.
    In addition to the intrusion detection system there are additional safeguards in the form of secondary firewalls, web content filtering, multiple anti-virus, anti-spyware and anti spam devices installed to block dangerous traffic and protect the network. The portfolio of measures that operates to protect the network of the Department would be considered best practice in the State or private sectors.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    While it is encouraging to see that the portable devices in the Dept of An Taoiseach don’t appear to store any data on the device, the password issue remains a weakness. No government department above specifically reports using multi-factor authentication – either for encrypted device storage or VPN/network access control. There is no such thing as a strong password in 2008 – i.e. one that a human being can remember.

    Even with a cheapo non-professional software cracker (of the “forgot your password?” variety) on a fast PC (nothing fancy) you can do about 15 million password attempts per second in a brute force attack.

    A password like
    7*-aArq#G77\7~_.RM"sgYpS^C1.%E#CLj7?Hm$xO!T'K0y8TBkre;]E[jJ4x

    would have to be written down and would be very tedious to enter after every timeout.

    A multi-factor device (such as a smart card) stores the complex “password”, and supplies it to the security software during the login process. The user password can be much shorter because the smart card will shut down after a pre-determined number (typically 3 to 5) of wrong entries.

    Multi-factor smart card/USB type devices include:
    • OMNIKEY CardMan 3121 USB for desktop systems
    • OMNIKEY CardMan 6121 USB for mobile systems
    • ActivIdentity USB 2.0 reader
    • Reiner SCT CyberJack pinpad
    • Athena ASEDrive IIIe USB reader
    • ActiveIdentity ActivClientCAC cards
    • Aladdin eToken 64K, 2048-bit RSA-capable
    • Aladdin eToken PRO USB Key 32K, 2048-bit RSA-capable
    • Aladdin eToken PRO without 2048-bit capability (older smart cards)
    • Athena ASEKey Crypto USB Token for Microsoft ILM
    • Athena ASECard Crypto Smart Card for Microsoft ILM
    • EMC RSA SecurID SID800 Token
    • Charismathics CryptoIdentity plug 'n' crypt Smart Card only stick
    • S-Trust StarCOS smart card
    • Rainbow iKey 3000

    Passwords on their own offer little protection with today’s cheap computing power, particularly where high value information is concerned. This is especially relevant in the case of online access to banking and financial systems which permit money to be moved to third parties.

    .probe


  • Registered Users, Registered Users 2 Posts: 20,299 ✭✭✭✭MadsL


    No government department above specifically reports using multi-factor authentication

    Department of Defence aren't (as you would expect) forthcoming about what method they use. However as they have 27001 they would comply with the guidance of 27002:
    11.2.3 User password management
    Control
    The allocation of passwords should be controlled through a formal management process.
    Implementation guidance
    The process should include the following requirements:
    a) users should be required to sign a statement to keep personal passwords confidential and to keep group passwords solely within the members of the group; this signed statement could be included in the terms and conditions of employment;
    b) when users are required to maintain their own passwords they should be provided initially with a secure temporary password (see 11.3.1), which they are forced to change immediately;
    c) establish procedures to verify the identity of a user prior to providing a new, replacement or temporary password;
    d) temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided;
    e) temporary passwords should be unique to an individual and should not be guessable;
    f) users should acknowledge receipt of passwords;
    g) passwords should never be stored on computer systems in an unprotected form;
    h) default vendor passwords should be altered following installation of systems or software.
    Other information
    Passwords are a common means of verifying a user’s identity before access is given to an information system or service according to the user’s authorization. Other technologies for user identification and authentication, such as biometrics, e.g. finger-print verification, signature verification, and use of hardware tokens, e.g. smart cards, are available, and should be considered if appropriate.

    The level of technology used for authentication would be determined by the Risk Assessment according to the sensitivity of the asset.

    I would read nothing into Willie O'Dea not mentioning multifactor authentication - he would not be stating the method used in a Dail session.


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    • Enterprise Ireland?
    • Local councils/Local Government?
    • Shannon Development?
    • Motor Taxation?
    • Bord Failte?
    • Local Fire brigades?
    • Dept of Agriculture?
    Seem to not be missing here. :confused:


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    probe wrote:
    ..either for encrypted device storage or VPN/network access control

    how do you know what way gov employees log on to VPN?

    please explain? :D


  • Registered Users, Registered Users 2 Posts: 20,299 ✭✭✭✭MadsL


    Enterprise Ireland?
    Local councils/Local Government?
    Shannon Development?
    Motor Taxation?
    Bord Failte?
    Local Fire brigades?

    Are not Govt departments but state bodies.

    Dept of Agriculture see Agriculture Fisheries and Food

    Who ever briefed Eamon Ryan to state the password format as a response is 'challenged' in the common sense area :rolleyes:


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    how do you know what way gov employees log on to VPN?

    please explain? :D

    I've no idea. There is nothing in the above disclosures about government computer security which would indicate to me that they use multi-factor authentication. If they were using it, one would assume that it would have been stated in a reply of this nature.

    There should be a government security standard, with perhaps various levels of security depending on the nature of the data being protected, (like FIPS 140-1, 2, 3 and 4) which sets out the minimum requirements to be followed by government departments and agencies (and their contractors) - and others who collect large volumes of personal information - (eg banks, insurance companies, telcos, cable TV and other utilities and similar). A simple set of rules requiring minimum encryption standards, password strengths, MFA, VPN standards, and a ban on carrying around personal datasets of any material size on mobile devices (encrypted or not). These rules should be reviewed from time to time to keep them up to date.

    Just think, even a cable TV company's subscriber database with name and address information, Visa/MC card details, bank account details, phone number, geolocation of the subscribers' premises etc - for every household in the country would fit on the hard drive of a laptop. There must be a rulebook backed up with severe penalties (as in big fines, imprisonment terms and license withdrawal) for companies who allow games to be played with peoples' personal data.

    A chronology of data losses: http://attrition.org/dataloss/

    .probe


  • Closed Accounts Posts: 885 ✭✭✭Spyral


    not going to pretend to have read the whole thing BUT

    ENCRYPTION

    if stuff is encrypted properly then it can minimize damage


  • Registered Users, Registered Users 2 Posts: 20,299 ✭✭✭✭MadsL


    It's not just the laptops that worry me sometimes, it's the casual approach to data...

    ever search site:gov.ie filetype:xls ??

    amazing what they leave up on the web.


  • Closed Accounts Posts: 13 sed


    What type of encryption package would you guys recommend for a company like BOI? Would truecrypt suffice or would they be better off with some other packages out there like Safeboot or pointsec?

    Personally, I don't think sensitive material like that should physically leave the premises at all.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    sed wrote: »
    What type of encryption package would you guys recommend for a company like BOI? Would truecrypt suffice or would they be better off with some other packages out there like Safeboot or pointsec?

    Personally, I don't think sensitive material like that should physically leave the premises at all.

    People (employees or contractors) should not be walking around with large datasets of personal information from banks, government agencies or anyone else. If someone needs access to data, connect over the internet via a VPN using AES-256 and MFA and look at the individual record(s) in question. It is a far safer strategy. Employees should not be able to download large datasets – because who knows who is going to leave the company and join a competitor, or be fired and want to get revenge etc.

    People hacking at a government or bank data repository can be easily locked out after a few failed login attempts. However, if they get their hands on an entire data set on a stolen laptop etc, they have all the time in the world to run password cracking software on the sitting target – which can do brute force attacks using every possible combination of passwords at 15 million attempts per second and more.

    The use of a good quality encryption package is irrelevant in these circumstances – because the weak link in the chain is the password.

    So if you have to put some data on a portable device, use multi-factor authentication (MFA) with a smart card or similar device. Something that gives the attacker about five attempts to enter the correct password and then closes down. This has to involve a hardware component in the solution such as a smart card. Software only solutions can have their wrong password counters re-set as part of the cracking process. You need a complex password of at least 60 characters to take full advantage of AES256, and it takes something like a smart card to remember this type of long password in a secure way.

    The worst case scenario of all is where one just depends on the windows password to block access to a laptop (without any encryption of data). All the thief has to do is re-install windows on the machine using his own password and s/he has full access to everything on the hard drive.

    .probe

    Steve Gibson was at the RSA security conference 2008 and has just put up a netcast on the event. I haven’t listened to it yet, but suspect it will have a few interesting perspectives on computer security issues in general:

    http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/SN-141.mp3

    His archive of netcasts is here:

    http://www.grc.com/securitynow.htm
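    The offline-versus-lockout argument made in this post, and in probe's earlier post on multi-factor devices, can be put into numbers. The following is an added example written for this page (not code from the thread or from any of the products listed); it assumes the 15 million guesses per second quoted in the thread as the offline attacker's rate, models a smart card as a toy class with an internal retry counter, and uses PBKDF2 purely as a stand-in for whatever key derivation a real disk encryption product performs.

```python
import hashlib
import hmac
import itertools
import math
from typing import Optional, Tuple

# Attacker model assumed for this example: the offline guess rate quoted in the
# thread (about 15 million attempts per second on an ordinary fast PC).
OFFLINE_GUESSES_PER_SECOND = 15_000_000
PRINTABLE_ASCII = 94          # distinct characters typeable on a standard keyboard
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy, in bits, of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def offline_crack_years(length: int, alphabet_size: int = PRINTABLE_ASCII,
                        rate: int = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Expected years to recover a random password when the attacker holds the
    encrypted data and can guess without limit (half the keyspace on average)."""
    expected_guesses = (alphabet_size ** length) / 2
    return expected_guesses / rate / SECONDS_PER_YEAR


def lockout_success_probability(length: int, alphabet_size: int, max_attempts: int) -> float:
    """Probability that an attacker hits a random PIN before a hardware retry
    counter stops them after `max_attempts` wrong guesses."""
    return min(1.0, max_attempts / (alphabet_size ** length))


class SmartCardModel:
    """Toy model of a PIN-protected token (constructed for this example, not a
    real card's API): it holds a long secret, releases it only for the correct
    PIN, and wipes the secret after `max_attempts` consecutive wrong PINs. The
    retry counter lives inside the token, so an attacker holding the laptop
    cannot reset it the way a software-only counter can be reset."""

    def __init__(self, pin: str, secret: bytes, max_attempts: int = 5) -> None:
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self._secret: Optional[bytes] = secret
        self.max_attempts = max_attempts
        self.remaining = max_attempts

    @property
    def locked(self) -> bool:
        return self._secret is None

    def unlock(self, pin: str) -> Optional[bytes]:
        """Return the stored secret for a correct PIN, or None (and count the
        failure) otherwise. A correct PIN resets the retry counter."""
        if self.locked:
            return None
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            self.remaining = self.max_attempts
            return self._secret
        self.remaining -= 1
        if self.remaining == 0:
            self._secret = None          # permanently wiped: the long key is gone
        return None


def brute_force_pin(card: SmartCardModel, alphabet: str, length: int) -> Tuple[Optional[bytes], int]:
    """Try every PIN in order until the card yields its secret or locks.
    Returns (secret_or_None, attempts_made)."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        secret = card.unlock("".join(combo))
        if secret is not None or card.locked:
            return secret, attempts
    return None, attempts


def disk_key_from_token_secret(secret: bytes, salt: bytes) -> bytes:
    """Derive a 256-bit AES key from the token's long secret (PBKDF2 used here
    as a stand-in for whatever the encryption product actually does)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)


if __name__ == "__main__":
    for n in (6, 8, 12, 60):
        print(f"{n:2d} printable chars: {password_bits(n):6.1f} bits, "
              f"offline expected crack time {offline_crack_years(n):.3g} years")
    print("4-digit PIN, 5 tries allowed: "
          f"{lockout_success_probability(4, 10, 5):.2%} chance of success")

    card = SmartCardModel(pin="4821", secret=bytes(range(60)))   # constructed sample values
    secret, tries = brute_force_pin(card, "0123456789", 4)
    print(f"brute force got secret: {secret is not None}; tries: {tries}; card locked: {card.locked}")
```

    The two halves of the calculation are the point: a short password that falls to an offline search in hours holds up fine behind a hardware counter, because the attacker gets five guesses rather than fifteen million per second, and the key that actually encrypts the disk is the token's long secret, not the PIN. The same counter kept in a file next to the encrypted data gives no such guarantee, since the attacker can copy the data and restore the file between runs.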


  • Registered Users, Registered Users 2 Posts: 358 ✭✭Philbert


    probe wrote: »
    The worst case scenario of all is where one just depends on the windows password to block access to a laptop (without any encryption of data). All the thief has to do is re-install windows on the machine using his own password and s/he has full access to everything on the hard drive.

    .probe

    There are other easier options!

    What do you think is the best way to secure actual documents? Let's say a company has a large number of Word documents floating around containing very valuable Intellectual Property. How would a company secure these documents from being printed or emailed and sold to competitors?

    With Encryption, it only secures the documents on the local disk. Once the document is opened it can be easily printed, emailed or uploaded to a website. Is there such a thing as MFA at the document level?


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Philbert wrote: »
    There are other easier options!

    What do you think is the best way to secure actual documents? Let's say a company has a large number of Word documents floating around containing very valuable Intellectual Property. How would a company secure these documents from being printed or emailed and sold to competitors?

    With Encryption, it only secures the documents on the local disk. Once the document is opened it can be easily printed, emailed or uploaded to a website. Is there such a thing as MFA at the document level?

    What about DRM? Microsoft have an IRM offering - http://office.microsoft.com/en-us/help/HA101029181033.aspx

    I have no idea how secure it is in the real world. In any event you are stuck with the same problem once the encrypted, DRM locked file leaves your premises - the other guy has theoretically an infinite amount of time and probably lots of computing resources to crack the encryption system and do what he likes with the contents. They have cracked the DRM in DVDs and BluRay. Why not a Microsoft IRMized document?

    .probe


  • Registered Users, Registered Users 2 Posts: 358 ✭✭Philbert


    Thanks for the reply probe.

    Yes, I am considering DRM and Microsoft’s IRM with Sharepoint. I also found and trialled a couple of off the shelf packages. One in particular was the most buggy piece of sh*t software I have ever tested and it is horrific how much they are charging for it. It's supposedly one of the better ones too. :confused:

