The stick was found by a civilian on a sidewalk outside a police station.

Colin Woodland, VP EMEA at IronKey, said: “The issue of employees’ losing data or being victims of theft will likely never change, which is why we’re working with a number of constabularies and police forces across UK and EMEA who are actively using IronKey to protects officers on the streets.

“Obviously this sort of data really should have been encrypted, however, we advise our customers, whose mobile workers regularly handle sensitive or valuable data that they go beyond just simple encryption and implement an auditable data protection record. This way if the police wanted to know if someone had attempted to access the device there questions can be easily answered.

“In this case the ideal solution is a managed service, which would allow the IT department to manage the encrypted devices so they can track and ultimately destroy any data that is lost, even if it ended up in the hands of a terrorist group.”

“If a company is providing telecom services in Indian, then all communications must be available to Indian security services,” a government representative told AFP. “If Google or Skype have a component that is not accessible, that will not be possible. The message is the same for everybody.”

The Indian government is also said to be wanting access to corporate VPN traffic. How they will do this without compromising the security of corporations is really up for debate.

I wonder if they will be trying to ban IronKeys next?

If true, it could be one of the first incidents in which computer malware resulted in the death of innocent people.

One benefit to using a hardware PKI token is that the signing keys are stored on the device, and cannot be exported or stolen. This means that stealing a certificate from a browser is not effective, as you also need the private RSA key to be able to use the client-side certificate to log into a website.

Apparently the systems management firmware has been compromised in the manufacturing supply chain, and has been infected with malicious software. Dell is calling customers to warn them of the malware infections, and giving them instructions on how to scan the flash memory to detect and remove the spyware.

It’s another example in the growing set of supply chain vulnerabilities that are starting to emerge in the IT industry. Vendors of IT infrastructure must realize that attackers are eager to infect their products, and are even doing so inside the supply chain itself.

The UK Ministry of Defense has admitted to losing 340 laptops over the last two years, and less than half of them were encrypted. A further 215 USB memory sticks were lost, and many were not encrypted either. When you add up lost mobile phones, CDs, PDAs as well, it turns out that only 20% of these were encrypted.

I spent much of the day being interviewed by security and business press. There is considerable interest in how the Information Commissioner’s Office (ICO) will deal with government agencies that have lax security and data protection practices. For corporations, the ICO can now fine up to 500,00 pounds, but it’s unclear how government bureaus will be disciplined.

I will talk about the evolving cyber-crime threat landscape that is targeting users of online banking systems. I’ll also review various ways that banks can deploy solutions to help protect their users. I’ll look at various protection types for consumer banking versus corporate banking systems and online trading systems.

If you would like to attend the Infragard meeting, you can find more information here: Atlanta Infragard A-List Conference.

Infragard is a partnership of businesses, the FBI, educational entities and the National Infrastructure Protection Center. This alliance is designed to protect IT systems from hacker attacks and other intrusions by providing a network for sharing information, anonymously, about attacks and how to protect against them.

The FBI says that these spies not only used encryption to protect data on their laptops and USB flash drives, but that they also are suspected of using proprietary Russian-build steganography software to hide data inside images and other files on their computers.

Steganography is the technique of hiding information inside other documents or data, so that it cannot be detected. Combining steganography with cryptography can create systems of communications and data protection that are incredibly difficult to detect and to crack.

For example, imagine encrypting a data file using strong encryption, and then inserting that file as noise in the soundtrack or video stream of a large .wmv video file. Then posting that file to a website or sharing it on a bittorrent network for its intended recipients to download. If you communicate out-of-band (through an email or a phone call or SMS) to your recipients the name of the video file, and if there is a key sharing protocol (ie. they know the password to decrypt the data), then its highly likely that only that person will be able to know that the encrypted data is there, and be able to decrypt it.

If anyone else downloads the file, even using steganographic detection tools they are unlikely to detect the encrypted data. And even if they were able to extract it, they would still have to crack the encryption.

In fact, one wishing to communicate covertly would want other people to download the file, so that nobody monitoring networks can tell who the file is intended for.

In the case we are discussing today, the alleged Russian spies were detected sending data to known addresses of Russian government computers (we assume IP addresses). Using the technique I discuss, they would have been able to avoid such detection.

One other thing I found interesting about this article is that a 27 character password was required to access the steganographic data. Sounds like a great security measure to have such a long password. However, the agent wrote the password down on a piece of paper! In such a case, it would have been much more secure to use a shorter password that was more easily remembered.

I do think that a national federated identity scheme requires strong authentication, at least for any site that can do transactions or reveal personal information (which is pretty much any site of value). I also think that the Federal government is one of the only hopes we have of achieving such a system, as it will require a big infusion of cash.

However, I am skeptical that this plan can be achieved, given the diverse interests of the private sector and the federal government agencies, and the myriad of agendas and technological approaches. Look, Microsoft has failed at this many times, and they control 90%+ of the computer desktops out there.