Slashdot Mirror


Ohio Plans To Encrypt After Data Breach

Lucas123 writes "After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software — McAfee's SafeBoot — for state offices to use to protect data. It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected."

19 of 237 comments

  1. Backups Won't Be Encrypted by nuxx · · Score: 4, Insightful

    Er, while this software encrypts data on the disk, it doesn't encrypt the backups. These will still be cleanly read from the disks and written out to tape.

    1. Re:Backups Won't Be Encrypted by palegray.net · · Score: 3, Insightful

      You make the assertion that this software won't encrypt the backups. Please answer the following questions:

      1. What are your sources for that assertion?

      2. Have you personally used the software?

      3. Have you seen this page?

      Next time, please think before posting. If you're 100% sure your original statement is valid, I'll gladly stand corrected and eat a healthy slice of humble pie.

  2. 60,000 licenses? by Knara · · Score: 3, Interesting

    Couldn't they have found an OSS solution that would have, y'know, saved the state an assload of money? I'm not an "OSS can do everything commercial software can, but better!" zealot, but that's a big bit of pocket change to be throwin' out for a solution, there.

    1. Re:60,000 licenses? by H310iSe · · Score: 4, Informative

      truecrypt.

      sigh

      --
      closed minded is as closed minded does

  3. Calling all Buckeyes! by pegr · · Score: 4, Funny

    Help me close this barn door, would ya?

  4. Gotta love government jobs... by Stanislav_J · · Score: 5, Funny

    The state loses $3 million bucks, and the guy responsible gets the punishment of a whole week of lost vacation time? Wow....I want to find me a job where I can screw up so badly and get off so lightly. I mean....other than the Presidency.

    --
    "Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer

  5. What ya want to bet... by lax-goalie · · Score: 3, Funny

    ...that the next time they get a backup tape stolen, it'll have a post-it note stuck to the tape with the password on it?

  6. A week's vacation? by Jester998 · · Score: 4, Interesting

    the state docked a government official about a week of future vacation time for not ensuring that the data would be protected

    I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.

    This guy got dinged a whopping 1 week of vacation time. That's not even '1 week suspended without pay'. It's the equivalent of having to stay in detention after school.

    I need to move over to the public sector or something.

    1. Re:A week's vacation? by syousef · · Score: 4, Insightful

      I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.

      What you need to ask is what was the procedure and was the guy following it?

      If it's standard procedure for this guy to carry unencrypted data around in his car, it's the guy setting policy/procedure that should be made responsible.

      If it is standard procedure for you to encrypt your data, and you fail to follow that procedure you should be disciplined. Better still would be to find a way to make that little check box for encryption on by default. Even better would be to find a way to restrict export without encryption unless it's authorized by a second person. It shouldn't be easy for you to make a mistake that could cause you or your company massive damage.

      --
      These posts express my own personal views, not those of my employer
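An added example (not code from the thread or from any product named in it) of the two safeguards syousef suggests: encryption is on unless someone explicitly turns it off, and a plaintext export is refused unless a second, distinct person has signed off. Names such as ExportGate and the sample requester/approver identities are hypothetical.

```python
# Added example: a backup-export gate that keeps encryption on by default and
# requires a second person's approval before any plaintext export is allowed.
from dataclasses import dataclass, field
from typing import FrozenSet, List


class ExportDenied(Exception):
    """Raised when a backup export violates the policy."""


@dataclass(frozen=True)
class ExportRequest:
    requester: str
    dataset: str
    encrypt: bool = True                      # secure default: encryption on
    approvers: FrozenSet[str] = frozenset()   # who signed off on a plaintext export


@dataclass
class ExportGate:
    audit: List[str] = field(default_factory=list)   # one line per decision

    def authorize(self, req: ExportRequest) -> str:
        if req.encrypt:
            self.audit.append(f"ENCRYPTED export of {req.dataset} by {req.requester}")
            return "encrypted"
        # Plaintext needs a second person; the requester cannot approve themselves.
        second = req.approvers - {req.requester}
        if not second:
            self.audit.append(f"DENIED plaintext export of {req.dataset} by {req.requester}")
            raise ExportDenied("plaintext export needs approval by a second person")
        self.audit.append(
            f"PLAINTEXT export of {req.dataset} by {req.requester}, "
            f"approved by {sorted(second)}"
        )
        return "plaintext-approved"


if __name__ == "__main__":
    gate = ExportGate()
    print(gate.authorize(ExportRequest("intern", "payroll")))          # encrypted
    try:
        gate.authorize(ExportRequest("intern", "payroll", encrypt=False))
    except ExportDenied as e:
        print("denied:", e)
    print(gate.authorize(ExportRequest("intern", "payroll", encrypt=False,
                                       approvers=frozenset({"intern", "cio"}))))
    print("\n".join(gate.audit))
```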

  7. Brings me back to the question.... by ducomputergeek · · Score: 4, Insightful

    WTF is this stuff doing on laptops in the first place?

    It seems logical to me that this kind of information should be on a centralized servers at a state office with managed firewalls and all the rest with only hardwired terminals allowed access with maybe a VPN set up for remote access if absolutely needed out in the field. I know wireless isn't 100% secure and no system is but that just makes logical sense to me.

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.

  8. Re:$3 million? by asills · · Score: 5, Informative

    Last I checked $3,000,000 divided by 60,000 equals $50, not $500.

    Math issues aside, if you RTFA (and follow TF link to the original article) you'll see the breakdown:

    "The incident is expected to cost the state almost $3 million. Of that total, $2.3 million covers projected and existing enrollment in Debix Inc. credit protection services. Debix enrollment paid for by the state for affected individuals will remain open until Oct. 31. Debix protection will not be extended toward any businesses with information on the lost backup tape."

    I highly doubt those licenses are figured into the $3 million estimate.

    --
    -- What did Spock find in Kirk's toilet? The captain's log.

  9. They led the horse to water... by Darth+Muffin · · Score: 4, Interesting

    ... but can't make it drink. Encryption is only a partial solution. You still need to keep your backup tapes secure (they won't be encrypted by this software, but most higher end backup software will), and you need to keep people from copying files to USB sticks or burning to CD.

    --
    Real programmers use "copy con program.exe"

  10. SafeBoot? The poor bastards. by jrronimo · · Score: 5, Informative

    Part of my job involves working on laptops owned by an agency that uses SafeBoot to encrypt data on laptops. Gather children, let me tell you of SafeBoot...

    1. SafeBoot is whole-disk encryption, but Windows-partitions-only. If you dual-boot or use Linux, there is no solution for you except "Please don't lose your laptop".
    2. SafeBoot requires a login before you can boot Windows. If you get your password wrong, you must wait a certain amount of time before you can re-enter your passwords. At first, it's not that bad -- a few seconds. But each successive failure increases the time... eventually, you're waiting minutes.
    3. SafeBoot encrypts the drive so that you can't access the drive from another machine -- which is what it's designed for, of course. Try being an IT guy in this scenario: You can't perform ANY troubleshooting that doesn't involve booting Windows. If Windows fails to boot, you have to have your hard-drive decrypted (which, for us happens off-site and is a MAJOR pain in the ass). I cannot boot off a Windows CD to use the recovery console to replace damaged registry files. I cannot do a 'repair' install. I could wipe the drive and re-install Windows...
    4. The password policy in place requires users to change their password periodically and be of a certain complexity level. Most users have their SafeBoot password written on a piece of paper and taped to their machine, now...

    There's a line between security and usability. When SafeBoot works, it appears great -- it doesn't impact system performance *that* much and it encrypts the contents of the entire drive, woo. But when something goes wrong, it becomes a big pain.

    To be honest, though, I think the bigger problems for the work *I* run into with SafeBoot is the policies in place, rather than SafeBoot itself.

  11. Re:WTF by fireboy1919 · · Score: 4, Funny

    I absolutely know that I don't want to hear the story of how those four words got used in the same sentence until happy hour is nearly over.

    Yeah? Well, I wouldn't mind. Not the sentence they added.

    Perhaps this one:

    "After I checked the backup tapes to ensure that 512-bit AES encryption was working, and that the tapes were still readable, I closed and deadbolted the tape room, and then went out to my car to go to lunch with the new (darn good looking) intern from the art department."

    --
    Mod me down and I will become more powerful than you can possibly imagine!

  12. Isn't going to help by belthize · · Score: 3, Insightful

    If they have 60,000 computers with 'sensitive' data on it then they're borked already.

    If they want to encrypt people's laptops/desktops then fine ... if they want to prevent personal civilian data from leaking out they're off by a few orders of magnitude on the extent of their distributed storage.

    Belthize

  13. Horse gone - Elephant still in room by toby · · Score: 3, Insightful

    Hmm... I wonder if they give a damn that their state-wide reliance on Windows is another accident waiting to happen.

    Care about trojans, keyloggers, viruses, and all the other uncountable ways to lose confidential data, not to mention productivity?

    Get rid of Windows as well. You'll never regret it.

    --
    you had me at #!

  14. Re:Wonder if McAfee paid them by a_nonamiss · · Score: 3, Interesting

    As an IT professional in Ohio who works in a field very close in both location and function to what this company did, I just want to say that this whole thing has been blown so far out of proportion it's not even funny. Yes, there was some sloppiness going on. Yes, someone, maybe a few people, deserved to lose their jobs over this. However, the amount of time and money that has been spent on this is so far overboard it's ridiculous.

    No actual loss has ever been reported as a result of this breach. The tape that was stolen was in a relatively obscure tape format. (I don't believe it's ever been reported, but I work with similar systems, and I would guess it's probably 5 1/4 inch format, likely not even in ASCII. Most of the data backups we get are EBCDIC.) It was unencrypted, but in order for someone to get anything off this, they would need the correct hardware, the correct software and they'd really need to know that they were looking for something. Add to that it wasn't reported until weeks after the loss, by which time the thug who broke into the car had long since ditched the useless cassette tape that he stole.

    Meanwhile, Ohio taxpayers are spending millions of dollars doing credit checks on every person whose information was potentially on that tape.

    I'm not advocating that we forgo due diligence. I take great care in making sure that all backups from my company are encrypted. I hound everyone in the office to make sure their passwords are secure. However, the fact that we're still spending money on this makes me irate. If there was any indication whatsoever that this data was compromised, I'd be OK, but there's a 99% chance that this tape is in a landfill in southern Columbus right now.

    --
    -Arthur
    Cave ne ante ullas catapultas ambules

  15. Re:Wonder if McAfee paid them by WhatAmIDoingHere · · Score: 4, Insightful

    Doesn't matter if it's carved into a brick of lead weighing 4 tons and can only be read by a half blind midget who is kept locked in a dungeon under the guard of five dragons.

    The brick being stolen is a security breach, and the information that was carved into it is now to be considered 'out in the open.'

    Security through obscurity? Get real.

    --
    Not a Twitter sockpuppet... but I wish I was.

  16. Some clarifications by RJurden · · Score: 4, Informative

    First 2 factual clarifications on this story: The stolen "tape" was actually a "device" that has not been officially disclosed as to what type. Some speculate a laptop while others say it was a USB Flash Drive. Second, nearly 1 million people are estimated to be affected by the theft, not 130,000 as the story states.

    Well....okay. I live in Ohio and therefore could be in the group of State of Ohio employees, state taxpayers, Ohio lottery winners, and others and since it regarded social security numbers bank account information and such, along with the fact that the theft happened in my hometown of Hilliard, I paid close attention to the story.

    What ACTUALLY happened was an INTERN took the device home for whatever reason. Some speculate to have an off-site backup of the data. The intern left it in their car and their car was broken into and the device was stolen.

    To clarify the cost: Ohio is providing, free of charge, 1 year of credit monitoring service to each Ohioan that was affected by the theft. That cost estimate is very high. Even at a bargain basement price of $2 per year per taxpayer, that would be about $2 million. The lowest price you can find online is $4.95 per MONTH and about $60 per year.

    Further: The official that lost vacation time was not the intern that took the drive home. That official lost the time because they were responsible for ensuring the safety of the data to begin with. Although the intern is the person in possession of the data and should have verified its safety, they were following the procedure that official set up. The intern is not the only one responsible for the theft.