Slashdot Mirror
Ohio Plans To Encrypt After Data Breach
Lucas123 writes "After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software — McAfee's SafeBoot — for state offices to use to protect data. It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected."
Er, while this software encrypts data on the disk, it doesn't encrypt the backups. These will still be cleanly read from the disks and written out to tape.
Help me close this barn door, would ya?
The state loses $3 million bucks, and the guy responsible gets the punishment of a whole week of lost vacation time? Wow....I want to find me a job where I can screw up so badly and get off so lightly. I mean....other than the Presidency.
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
the state docked a government official about a week of future vacation time for not ensuring that the data would be protected
I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.
This guy got dinged a whopping 1 week of vacation time. That's not even '1 week suspended without pay'. It's the equivalent of having to stay in detention after school.
I need to move over to the public sector or something.
It seems logical to me that this kind of information should be on a centralized servers at a state office with managed firewalls and all the rest with only hardwired terminals allowed access with maybe a VPN set up for remote access if absolutely needed out in the field. I know wireless isn't 100% secure and no system is but that just makes logical sense to me.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Last I checked $3,000,000 divided by 60,000 equals $50, not $500.
Math issues aside, if you RTFA (and follow TF link to the original article) you'll see the breakdown:
"The incident is expected to cost the state almost $3 million. Of that total, $2.3 million covers projected and existing enrollment in Debix Inc. credit protection services. Debix enrollment paid for by the state for affected individuals will remain open until Oct. 31. Debix protection will not be extended toward any businesses with information on the lost backup tape."
I highly doubt those licenses are figured into the $3 million estimate.
-- What did Spock find in Kirk's toilet? The captain's log.
... but can't make it drink. Encryption is only a partial solution. You still need to keep your backup tapes secure (they won't be encrypted by this software, but most higher end backup software will), and you need to keep people from copying files to USB sticks or burning to CD.
Real programmers use "copy con program.exe"
Part of my job involves working on laptops owned by an agency that uses SafeBoot to encrypt data on laptops. Gather children, let me tell you of SafeBoot...
1. SafeBoot is whole-disk encryption, but Windows-partitions-only. If you dual-boot or use Linux, there is no solution for you except "Please don't lose your laptop".
2. SafeBoot requires a login before you can boot Windows. If you get your password wrong, you must wait a certain amount of time before you can re-enter your passwords. At first, it's not that bad -- a few seconds. But each successive failure increases the time... eventually, you're waiting minutes.
3. SafeBoot encrypts the drive so that you can't access the drive from another machine -- which is what it's designed for, of course. Try being an IT guy in this scenario: You can't perform ANY troubleshooting that doesn't involve booting Windows. If Windows fails to boot, you have to have your hard-drive decrypted (which, for us happens off-site and is a MAJOR pain in the ass). I cannot boot off a Windows CD to use the recovery console to replace damaged registry files. I cannot do a 'repair' install. I could wipe the drive and re-install Windows...
4. The password policy in place requires users to change their password periodically and be of a certain complexity level. Most users have their SafeBoot password written on a piece of paper and taped to their machine, now...
There's a line between security and usability. When SafeBoot works, it appears great -- it doesn't impact system performance *that* much and it encrypts the contents of the entire drive, woo. But when something goes wrong, it becomes a big pain.
To be honest, though, I think the bigger problems for the work *I* run into with SafeBoot is the policies in place, rather than SafeBoot itself.
I absolutely know that I don't want to hear the story of how those four words got used in the same sentence until happy hour is nearly over.
Yeah? Well, I wouldn't mind. Not the sentence they added.
Perhaps this one:
"After I checked the backup tapes to ensure that 512-bit AES encryption was working, and that the tapes were still readable, I closed and deadbolted the tape room, and then went out to my car to go to lunch with the new (darn good looking) intern from the art department."
Mod me down and I will become more powerful than you can possibly imagine!
Doesn't matter if it's carved into a brick of lead weighing 4 tons and can only be read by a half blind midget who is kept locked in a dungeon under the guard of five dragons.
The brick being stolen is a security breach, and the information that was carved into it is now to be considered 'out in the open.'
Security through obscurity? Get real.
Not a Twitter sockpuppet... but I wish I was.
truecrypt.
sigh
closed minded is as closed minded does
First 2 factual clarifications on this story: The stolen "tape" was actually a "device" that has not been officially disclosed as to what type. Some speculate a laptop while others say it was a USB Flash Drive. Second, nearly 1 million people are estimated to be affected by the theft, not 130,000 as the story states.
Well....okay. I live in Ohio and therefore could be in the group of State of Ohio employees, state taxpayers, Ohio lottery winners, and others and since it regarded social security numbers bank account information and such, along with the fact that the theft happened in my hometown of Hilliard, I paid close attention to the story.
What ACTUALLY happened was an INTERN took the device home for whatever reason. Some speculate to have an off-site backup of the data. The intern left it in their car and their car was broken into and the device was stolen.
To clarify the cost: Ohio is providing, free of charge, 1 year of credit monitoring service to each Ohioan that was affected by the theft. That cost estimate is very high. Even at a bargain basement price of $2 per year per taxpayer, that would be about $2 million. The lowest price you can find online is $4.95 per MONTH and about $60 per year.
Further: The official that lost vacation time was not the intern that took the drive home. That official lost the time because they were responsible for ensuring the safety of the data to begin with. Although the intern is the person in possession of the data and should have verified its safety, they were following the procedure that official set up. The intern is not the only one responsible for the theft.