Ohio Plans To Encrypt After Data Breach
Lucas123 writes "After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software — McAfee's SafeBoot — for state offices to use to protect data. It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected."
People just won't learn that security should be proactive. Society is a very slow learner.
Er, while this software encrypts data on the disk, it doesn't encrypt the backups. These will still be cleanly read from the disks and written out to tape.
Couldn't they have found an OSS solution that would have, y'know, saved the state an assload of money? I'm not an "OSS can do everything commercial software can, but better!" zealot, but that's a big bit of pocket change to be throwin' out for a solution, there.
Help me close this barn door, would ya?
The state loses $3 million bucks, and the guy responsible gets the punishment of a whole week of lost vacation time? Wow....I want to find me a job where I can screw up so badly and get off so lightly. I mean....other than the Presidency.
...that the next time they get a backup tape stolen, it'll have a post-it note stuck to the tape with the password on it?
the state docked a government official about a week of future vacation time for not ensuring that the data would be protected
I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.
This guy got dinged a whopping 1 week of vacation time. That's not even '1 week suspended without pay'. It's the equivalent of having to stay in detention after school.
I need to move over to the public sector or something.
Probably the cost of the investigation in lost hours, the price of notifying all those who were among the 130,000 and all that comes with it (lawsuits, credit checking, the cost of the corrective actions...) I went to a university of 11,000 at first that paid for 90 days of credit monitoring for all affected students after someone hacked into the student information system that stored SSNs. I'm sure the state had to deal with some more heat than a small university.
Forgive my spelling from time to time. I'm often posting during short breaks.
I saw four horrifying words...
Intern, backup tape, car
encryption is probably low on the list of security concerns here... just WOW
I absolutely know that I don't want to hear the story of how those four words got used in the same sentence until happy hour is nearly over.
Those 4 words should never be needed in the same sentence. Process is just as important as encryption. That should have been 'backup tape', security company, armored transport, iron mountain in the sentence... oh wait, then there would be no story.
...we see a story about 130,000 residents' records locked and unavailable due to lost encryption passwords?
It seems logical to me that this kind of information should be on a centralized servers at a state office with managed firewalls and all the rest with only hardwired terminals allowed access with maybe a VPN set up for remote access if absolutely needed out in the field. I know wireless isn't 100% secure and no system is but that just makes logical sense to me.
Your problem is? They have been seen to have done something.
Last I checked $3,000,000 divided by 60,000 equals $50, not $500.
Math issues aside, if you RTFA (and follow TF link to the original article) you'll see the breakdown:
"The incident is expected to cost the state almost $3 million. Of that total, $2.3 million covers projected and existing enrollment in Debix Inc. credit protection services. Debix enrollment paid for by the state for affected individuals will remain open until Oct. 31. Debix protection will not be extended toward any businesses with information on the lost backup tape."
I highly doubt those licenses are figured into the $3 million estimate.
... but can't make it drink. Encryption is only a partial solution. You still need to keep your backup tapes secure (they won't be encrypted by this software, but most higher end backup software will), and you need to keep people from copying files to USB sticks or burning to CD.
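The two comments above make the same point: full-disk encryption protects the laptop, not the tape, because the backup agent reads the files through the decrypting driver and writes plaintext out. One control a practitioner can put on the tape side is a check that the stream being written actually looks encrypted. The following is an added example written for this page, not code from SafeBoot, from any backup product, or from either commenter. It assumes a sample is taken from the head of the backup stream, and the inputs (a tar of made-up records, the same tar gzipped, and random bytes standing in for ciphertext) are constructed for the demo:

```python
import gzip
import io
import math
import os
import tarfile
from collections import Counter

# Magic bytes of containers that backup software commonly writes in the clear.
# (offset, bytes) pairs; a hit means the stream is readable without any key.
CLEARTEXT_SIGNATURES = {
    "tar (ustar)": (257, b"ustar"),
    "gzip": (0, b"\x1f\x8b"),
    "zip": (0, b"PK\x03\x04"),
    "bzip2": (0, b"BZh"),
    "xz": (0, b"\xfd7zXZ\x00"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, much lower
    for zero-padded archives of text records."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_backup(sample: bytes, entropy_threshold: float = 7.5) -> dict:
    """Decide whether the first bytes of a backup stream look encrypted.

    Both checks are needed: compressed plaintext also scores high on entropy,
    so a recognisable container header overrides the entropy score.
    """
    hits = [name for name, (off, magic) in CLEARTEXT_SIGNATURES.items()
            if sample[off:off + len(magic)] == magic]
    entropy = shannon_entropy(sample)
    return {
        "entropy": round(entropy, 2),
        "cleartext_signatures": hits,
        "looks_encrypted": not hits and entropy >= entropy_threshold,
    }


def build_constructed_samples() -> dict:
    """Constructed inputs for the demo (made-up records, not any real data)."""
    records = b"\n".join(b"%d,Example Person %d,dept-%03d" % (i, i, i % 7)
                         for i in range(200))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("payroll.csv")
        info.size = len(records)
        tar.addfile(info, io.BytesIO(records))
    plain_tar = buf.getvalue()
    return {
        "tar": plain_tar,                          # what a file-level backup writes
        "tar.gz": gzip.compress(plain_tar),        # compressed, still unencrypted
        "ciphertext": os.urandom(len(plain_tar)),  # stand-in for an encrypted stream
    }


def audit_samples() -> dict:
    """Classify each sample from the head of the stream (first 64 KiB), which
    is enough for a check run just before the data is committed to tape."""
    return {name: classify_backup(data[:65536])
            for name, data in build_constructed_samples().items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(name, verdict)
```

The gzipped case is the one that trips up entropy-only checks: it scores nearly 8 bits per byte yet carries its magic header and is trivially readable, so the verdict has to come from the signature list first and the entropy score second.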
You'll also be aware of the various rows here in England as the government displays its new networking technology: CDs and a courier. Most of us with medium-sized data farms (I herd about 50TB) are getting out of removable media as fast as we can. I've got 20TB of disk at the far end of 30 miles of GigE, which with compression (all hail ZFS!) provides me enough space to keep copies of all the critical data, plus a few weeks of daily snapshots. My RPO is "that day's work" and my RTO is essentially zero: I can serve the data up over NFS from the replicas as easily as from the live systems. Obviously, some of it's better than "that day": the Oracle archive logs go straight over, and the Cyrus mail server will replicate live as soon as I can find the time to get it working. But we're only using tape now for monthly audit copies, and those can therefore safely stay in the machine room: the data replicates offsite, and then comes back into the tape silo monthly. A machine room fire costs us the audit copies: if I feel keen I'll start cloning those and sending them offsite. If I can scare up the budget and offsite space for a MAID then I can get out of tape entirely.
Encryption is crap unless it's used by those trained to understand how it works and what it's limitations are, which I'm sure 60,000 employees will not be. What happens when an employee copies data to a USB disk or e-mails it to someone. If the software prevents this, it will be a major pain in the arse that will cost a lot more than $3 million in lost productivity. If it doesn't, then data will get stolen and everyone will say "no problem, it was encrypted", until massive identity theft cases force them to admit that not all copies were encrypted, but, because the guy in charge spent $3 Million, he'll argue that he did everything reasonable and no one will be held accountable. The real solution is to LIMIT ACCESS TO SENSITIVE DATA TO TRAINED EMPLOYEES WHO ACTUALLY NEED IT TO DO THEIR JOB. I can't imagine that there's 60,000 employees who actually need the personal information of 130,000 Ohio residents. I'm not saying it's obvious who needs what data, but $3 million would buy a lot of manpower to figure it out.
And what happened to Encrypted File System. You know, built-in to NTFS, complete with administrative recovery keys, doesn't cost $3 million? This sounds like just more government waste and McAfee marketing to me.
Part of my job involves working on laptops owned by an agency that uses SafeBoot to encrypt data on laptops. Gather children, let me tell you of SafeBoot...
1. SafeBoot is whole-disk encryption, but Windows-partitions-only. If you dual-boot or use Linux, there is no solution for you except "Please don't lose your laptop".
2. SafeBoot requires a login before you can boot Windows. If you get your password wrong, you must wait a certain amount of time before you can re-enter your passwords. At first, it's not that bad -- a few seconds. But each successive failure increases the time... eventually, you're waiting minutes.
3. SafeBoot encrypts the drive so that you can't access the drive from another machine -- which is what it's designed for, of course. Try being an IT guy in this scenario: You can't perform ANY troubleshooting that doesn't involve booting Windows. If Windows fails to boot, you have to have your hard-drive decrypted (which, for us happens off-site and is a MAJOR pain in the ass). I cannot boot off a Windows CD to use the recovery console to replace damaged registry files. I cannot do a 'repair' install. I could wipe the drive and re-install Windows...
4. The password policy in place requires users to change their password periodically and be of a certain complexity level. Most users have their SafeBoot password written on a piece of paper and taped to their machine, now...
There's a line between security and usability. When SafeBoot works, it appears great -- it doesn't impact system performance *that* much and it encrypts the contents of the entire drive, woo. But when something goes wrong, it becomes a big pain.
To be honest, though, I think the bigger problems for the work *I* run into with SafeBoot is the policies in place, rather than SafeBoot itself.
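Point 2 of the post above describes a pre-boot login whose wait grows after each wrong password. The block below is an added example of that pattern in general form, written for this page; it is not SafeBoot's code and the poster did not supply it. The concrete parameters (a 2-second first delay, doubling per consecutive failure, a 10-minute cap, reset on success) and the PBKDF2-based stored verifier are assumptions for the demo, and the injected clock exists so the sequence can be exercised without sleeping:

```python
import hashlib
import hmac
import os
import time
from typing import Callable, List, Tuple


def derive_verifier(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password. This is an assumed verifier format
    for the demo; the real product's on-disk format is not described here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PrebootAuthGate:
    """Password check whose wait doubles after each consecutive failure,
    capped at max_delay, and resets on a successful login."""

    def __init__(self, password: str, base_delay: float = 2.0,
                 max_delay: float = 600.0,
                 clock: Callable[[], float] = time.monotonic):
        self.salt = os.urandom(16)
        self.verifier = derive_verifier(password, self.salt)
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def delay_after(self, failures: int) -> float:
        """Seconds to wait after the given number of consecutive failures."""
        if failures <= 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (failures - 1))

    def attempt(self, password: str) -> Tuple[str, float]:
        """Returns ('ok' | 'wrong' | 'locked', seconds the caller must wait)."""
        now = self.clock()
        if now < self.locked_until:
            # Still inside the penalty window: refuse without even checking.
            return "locked", self.locked_until - now
        candidate = derive_verifier(password, self.salt)
        if hmac.compare_digest(candidate, self.verifier):
            self.failures = 0
            self.locked_until = 0.0
            return "ok", 0.0
        self.failures += 1
        wait = self.delay_after(self.failures)
        self.locked_until = now + wait
        return "wrong", wait


class FakeClock:
    """Controllable monotonic clock so the demo runs without real waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_sequence(correct: str = "correct horse battery staple",
                  wrong: str = "Password1") -> List[Tuple[str, float]]:
    """Three wrong guesses (one retried too early), then the right password."""
    clock = FakeClock()
    gate = PrebootAuthGate(correct, clock=clock)
    results = [gate.attempt(wrong)]        # first failure: 2 s penalty
    results.append(gate.attempt(wrong))    # retried at once: locked, 2 s left
    clock.advance(2.0)
    results.append(gate.attempt(wrong))    # second failure: 4 s penalty
    clock.advance(4.0)
    results.append(gate.attempt(wrong))    # third failure: 8 s penalty
    clock.advance(8.0)
    results.append(gate.attempt(correct))  # accepted, counters reset
    return results


if __name__ == "__main__":
    for verdict, wait in demo_sequence():
        print(f"{verdict:6s} wait={wait:.0f}s")
```

The cap matters for the usability complaint the poster raises: without it the doubling reaches hours within a dozen typos, and a user who mistypes a freshly rotated password a few times is effectively locked out of their own machine.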
If they have 60,000 computers with 'sensitive' data on it then they're borked already.
If they want to encrypt people's laptops/desktops then fine... if they want to prevent personal civilian data from leaking out they're off by a few orders of magnitude on the extent of their distributed storage.
Why not?
TrueCrypt is a very nice free solution and I've been using it for months, haven't had a single problem with it. I guess they were not aware of that software, maybe because they simply didn't look for ANY other products beside McMoney's..
The problem is that the government workers don't have the proper technical expertise. Security is only as strong as the weakest link, and even with Windows on the laptops the operating system is usually not the issue; the stupidity of people is. All OpenBSD would do is add another layer of security that the user would disable in order to save five seconds and the trouble of remembering a password. Secondly, OpenBSD's security is mostly directed at remote attacks, as the developers realize that there's no way to secure a computer in the hands of somebody else.
Hmm... I wonder if they give a damn that their state-wide reliance on Windows is another accident waiting to happen.
Care about trojans, keyloggers, viruses, and all the other uncountable ways to lose confidential data, not to mention productivity?
Get rid of Windows as well. You'll never regret it.
As an IT professional in Ohio who works in a field very close in both location and function to what this company did, I just want to say that this whole thing has been blown so far out of proportion it's not even funny. Yes, there was some sloppiness going on. Yes, someone, maybe a few people, deserved to lose their jobs over this. However, the amount of time and money that has been spent on this is so far overboard it's ridiculous.
No actual loss has ever been reported as a result of this breach. The tape that was stolen was in a relatively obscure tape format. (I don't believe it's ever been reported, but I work with similar systems, and I would guess it's probably 5 1/4 inch format, likely not even in ASCII. Most of the data backups we get are EBCDIC.) It was unencrypted, but in order for someone to get anything off this, they would need the correct hardware, the correct software and they'd really need to know that they were looking for something. Add to that it wasn't reported until weeks after the loss, by which time the thug who broke into the car had long since ditched the useless cassette tape that he stole.
Meanwhile, Ohio taxpayers are spending millions of dollars doing credit checks on every person whose information was potentially on that tape.
I'm not advocating that we forgo due diligence. I take great care in making sure that all backups from my company are encrypted. I hound everyone in the office to make sure their passwords are secure. However, the fact that we're still spending money on this makes me irate. If there was any indication whatsoever that this data was compromised, I'd be OK, but there's a 99% chance that this tape is in a landfill in southern Columbus right now.
-Arthur
It was due to general incompetence and cutting corners, and the lack of security on the entire OAKS project, which was virtually nonexistent. A shared drive was left open during project development, and it had been discovered many times that people who weren't involved in the project could log in and download personal info. My cousin-in-law interviewed various employees and wrote a good article for the Cleveland Free Times: http://www.freetimes.com/stories/15/28/system-failure .
Doesn't matter if it's carved into a brick of lead weighing 4 tons and can only be read by a half blind midget who is kept locked in a dungeon under the guard of five dragons.
The brick being stolen is a security breach, and the information that was carved into it is now to be considered 'out in the open.'
Security through obscurity? Get real.
According to your definition, there is a whole hell of a lot of data "out in the open." In Windows 2000/XP, it's reasonably difficult to encrypt your system drive and your pagefile. Even if you diligently keep 100% of your data on an encrypted volume, can you guarantee that no social security numbers were written to your pagefile? That data can be scraped, you know. Plus, if your computer is stolen, can you tell with any degree of confidence which records were in that pagefile? No? Then you have to assume that all of them were compromised.
Truthfully, the only perfect security is a computer that's disconnected from the Internet, underground, in a locked room turned off with all the hard drive cables removed. And even then, "they" can probably read the information from their satellites in space. In the real world, we need to make compromises.
All of our company backups are encrypted using 256-bit AES encryption. If one gets stolen, I can't "guarantee" that the data hasn't been compromised. After all, someone with a few billion^10 CPU cycles to spare could crack the encryption algorithm. Sure, AES is trusted by the Pentagon, but that doesn't mean it's 100% infallible. In fact, there's a calculable mathematical chance that someone could guess the encryption key on the very first try, even without a supercomputer. It's damn unlikely, but certainly not impossible.
So the question comes down to this: what level of risk are you prepared to accept? More importantly, what level of security are you willing to pay for? Security isn't free. "Perfect" security (like nuclear launch codes, where failure is absolutely not an option) is very expensive. Would you be willing to donate a couple thousand dollars of your own money (along with every other taxpayer) to replace all computers in the country with ones that have hardware-level encryption? Is that good enough? Most of our customers are small, non-profit organizations already run on a shoestring budget. Most of them can't afford to hire a proper secretary, let alone an IT specialist who knows how to use TrueCrypt and enforce security policies.
Listen, I'm not arguing against data security. If you knew me personally, you'd know I'm a very security conscious individual, but I'm saying that we need to be realistic. We need to spend a finite amount of money where it will do the most good. Those millions of dollars in Ohio put towards useless credit checks were funneled directly away from our customers' already meager budgets. My boss is a nice guy, but he needs to keep the company running, so he can't donate our services. That money could have been spent on education, or updated hardware, or proper disposal of old equipment. Put in perspective, there are breaches far more egregious than this one that happen every day, and I can say first-hand that they are usually the result of ignorance. Some people don't know it's not OK to save a SQL backup to a USB key and take it home. Some people don't know that you have to DBAN a hard drive before you throw the computer away. These are far more dangerous than a lost (and probably trashed) AS400 backup.
-Arthur
First 2 factual clarifications on this story: The stolen "tape" was actually a "device" that has not been officially disclosed as to what type. Some speculate a laptop while others say it was a USB Flash Drive. Second, nearly 1 million people are estimated to be affected by the theft, not 130,000 as the story states.
Well....okay. I live in Ohio and therefore could be in the group of State of Ohio employees, state taxpayers, Ohio lottery winners, and others and since it regarded social security numbers bank account information and such, along with the fact that the theft happened in my hometown of Hilliard, I paid close attention to the story.
What ACTUALLY happened was an INTERN took the device home for whatever reason. Some speculate to have an off-site backup of the data. The intern left it in their car and their car was broken into and the device was stolen.
To clarify the cost: Ohio is providing, free of charge, 1 year of credit monitoring service to each Ohioan that was affected by the theft. That cost estimate is very high. Even at a bargain basement price of $2 per year per taxpayer, that would be about $2 million. The lowest price you can find online is $4.95 per MONTH and about $60 per year.
Further: The official that lost vacation time was not the intern that took the drive home. That official lost the time because they were responsible for ensuring the safety of the data to begin with. Although the intern is the person in possession of the data and should have verified its safety, they were following the procedure that official set up. The intern is not the only one responsible for the theft.