Full Disk Encryption: Halton District School Board Data Breach Shows Value Of Whole Encryption.

According to insidehalton.com, the Halton District School Board has notified all students that there is “a potential breach of student privacy.”  The situation shows how the use of laptop encryption software like AlertBoot is preferable to the use of file encryption.

Was It Encrypted or Not?  Questions Remain After Using File Encryption

A data breach took place in early February when a Halton District School Board employee lost a laptop computer.  The computer made use of password-protection (nine digits long) and files were encrypted.  However,

“When the laptop was stolen, the employee couldn’t be 100 per cent sure that all the databases they were working on had all been encrypted,” said Marnie Denton, spokesperson for the school board.

The weakness associated with individual file encryption is the same weakness found in “data security via employee behavior policies”: for it to work, the employee must follow and stick to the rules all the time.  Regardless of an employee’s intentions or motivations, this is not feasible.  Mistakes will happen, at least.  Rules will be flaunted, at most.  (Worst case scenario: employee not only flaunts the rules, he’s actually stealing the data).

Disk encryption is a valuable and better option for data protection because it excises many of the problems associated with getting employees to keep track of files.  Since all files are encrypted by default — including those that are not generated by employees, such as temporary files and memory swap spaces — there is never a question of whether a particular set of files were protected in the event of a data breach.

A Password Cannot Guarantee Protection

One of the more puzzling aspects to the story is the following:

“(The Computer manufacturer) assured us that no one would be able to see information on that computer without the password. The employee did have a nine-digit password,” Denton added.

Based on the assurances that were made, it appears that what we’re dealing with here is a BIOS password.  The BIOS password stops the computer from booting at all.  Without knowing the 9-digit password, the laptop never boots up, which means that information cannot be read using the laptop.

But this is only true if whoever took the laptop doesn’t (a) access a jumper switch, (b) use a disk utility CD to boot the computer, or (c) take the disk out and attach it to another computer.

It might appear that the above require “advanced computer knowledge.”  That’s like claiming you have “advanced painting skills” because from 200 feet away your color-by-number rendition of Rembrandt’sMan in a Gold Hat” looks like the real thing.

None of the three require advanced computer knowledge.  Just the ability to type “bypass computer password” in Google and then follow instructions.  I’m surprised that the computer manufacturer made the claim that the information on the stolen laptop cannot be seen.

I mean, it’s not true.  Not true at all.  Even with the use of encryption you cannot make that guarantee: you can only note that the chances of the information being read is highly, extremely improbable.  From “Dumb and Dumber“:

Lloyd: What do you think the chances are of a guy like you and a girl like me… ending up together?
Mary: Well, Lloyd, that’s difficult to say. I mean, we don’t really…
Lloyd: Hit me with it! Just give it to me straight! I came a long way just to see you, Mary. The least you can do is level with me. What are my chances?
Mary: Not good.
Lloyd: You mean, not good like one out of a hundred?
Mary: I’d say more like one out of a million.
Lloyd: So you’re telling me there’s a chance… *YEAH!*

Like in the above exchange, there is “a chance” that encrypted information can be read (try one in a gazillion-quintillion-billion centuries).  That “chance” requires the resources of the NSA and the like, which have annual budgets of hundreds of millions of dollars.  Or, the full force and power of the US Attorney General.

BIOS passwords and Windows passwords?  Chances are I can do it 15 minutes or so.  Unless it’s related to encryption software, I think that one should not be going around making assurances on information security, nine-digit password or not.

(Also, I should note that a nine-digit password wouldn’t take much time to break, as opposed to a nine-character password.

Related Articles and Sites:

Comments (0)

Let us know what you think