Today’s podcast is about the good the bad and the ugly of passwords and encryption. Welcome to Cyber Security Today. It’s Monday November 19th. To hear the podcast click on the arrow below:
Today I’m going to talk about recent password and encryption screwups. And they are screwups, because they put personal information about people at risk.
First up is the unprotected database of millions of text messages left open on the Internet. They’d been sent through a San Diego telecommunications company called Voxox. The database included password reset links, two-factor codes, shipping notifications and other information that could have read. According to the news site TechCrunch, a German security researcher discovered the database, which had been left on an Amazon cloud storage server. Now, many companies use cloud storage services from Amazon, Microsoft, IBM and others to temporarily store and process data, But employees have to be schooled that any company data that goes into the cloud has to be encrypted. Unfortunately there are many cases where staff apparently ignore the rule or think, ‘This data isn’t important.’ Unfortunately, they’re wrong.
Next up: A reason why organizations need to encrypt every storage devices that holds sensitive data: The city of Amarillo, Texas last week said an outside company doing a security payroll audit lost a flash drive with city employees’ names, addresses, bank deposit information, dates of birth, and social security numbers. Presumably an employee of the consulting firm had taken a copy of the data for processing on its own computer. Fortunately, the drive was encrypted. If the consulting firm used strong encryption, the likelihood of it being unscrambled by criminals is low. The news story doesn’t say what kind of a drive was used, but I assume it was one of those little drives the size of a finger. They’re easily lost, fall out of pockets, briefcases or backpacks. I attach the lanyards you get at conferences or a keychain to mine so they don’t easily go missing. Consulting firms who do this kind of work should think of using more expansive portable hard drives, which are the size of a small paperback. They won’t get easily lost. As for consumers, you should think about encrypting your flash drives if walking around with sensitive personal information on them.
Of course, having a company policy of encrypting a device doesn’t mean things are fine. For example, last week the FHN Family Counseling Center in Illinois acknowledged an employee’s laptop with sensitive patient data was stolen from their car. The center has a policy that all laptops have to be encrypted. However, due to a technical issue this one wasn’t. It isn’t clear if the issue was the employee’s fault, or a problem with the software. Now, the stolen laptop was password-protected. However, that isn’t protection enough. A poor password can easily be cracked. Meanwhile, the centre has re-encrypted all of its remaining laptops just to be sure.
What about just password-protecting your computer or drives? Depending on how short the password is, that may not be enough if you have sensitive data on it. You may need to encrypt them.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Alexa Flash Briefing. Thanks for listening.
Sponsor: Micro Focus
How GDPR can be a strategic driver for your business