What are you guys using for data encryption?

For users or potential users.
Post Reply
User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

What are you guys using for data encryption?

Post by doctordoom » Tue Dec 04, 2012 7:36 am

I was using truecrypt, but the one problem I had was if i ever rebooted the computer remotely, I wouldn't be able to get back into windows because for truecrypt you need to type in the passcode before it will even load into windows 7.

Just curious what you guys are using?

Any ideas on how I would be able to overcome that? Perhaps buy a 2nd hard drive where open dental and it's data would be stored and I would only encrypt the 2nd drive?


Or is simply right clicking the folder and encrypting the single OpenDentImages and mysqld folders sufficient as discussed in this post by hersheydmd?
viewtopic.php?f=2&t=3582


thanks in advanced.

teethdood
Posts: 267
Joined: Sun Jul 29, 2007 12:39 am
Location: Visalia, CA
Contact:

Re: What are you guys using for data encryption?

Post by teethdood » Wed Dec 05, 2012 6:30 pm

My server is not encrypted. I leave the server in a physically secure location where only I have access to it. Of course one can utilize the full-disk encryption available in windows or truecrypt itself, it's more of a hassle as you already know. On the other hand for backup purposes where I save the database/images/etc to an external hard drive, then Truecrypt does a fantastic job. (actually since I'm running a virtual server, I backup the entire thing versus just the database/images/etc.)
Philip H. Doan, DDS
http://www.kaweahdental.com/

User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

Re: What are you guys using for data encryption?

Post by doctordoom » Sun Aug 04, 2013 9:39 pm

Ok, since I have been using open dental for a little bit now, thinking about doing this as a solution.

I purchased a SSD which I installed windows on. I plan to leave this unencrypted. Install open dental on this drive,
plan to get a 2nd bitlocker encrypted hard drive (will probably try to run a longer SATA cable and power cable) and store this drive inside a safe. This drive will be where i store database information and opendental images folder on.

Should resolve the remote login rebooting issue. Will it cause performance problems?

Your opinions appreciated.

teethdood
Posts: 267
Joined: Sun Jul 29, 2007 12:39 am
Location: Visalia, CA
Contact:

Re: What are you guys using for data encryption?

Post by teethdood » Mon Aug 05, 2013 7:51 am

Some fire-proof safes have built-in usb cable support. It is usb 2 so might not be fast enough, though still plenty fast. I'm waiting for usb 3.0. You can run SATA and power but your safe will not be fire-proof, if you care about that
Philip H. Doan, DDS
http://www.kaweahdental.com/

jimgaas
Posts: 31
Joined: Fri Aug 12, 2011 5:30 am

Re: What are you guys using for data encryption?

Post by jimgaas » Thu Aug 08, 2013 8:58 am

If you use encryption, you need a password to access your encrypted files. The files are only as secure as your password. Picking a decent password is a science. Few people care to learn about passwords but if you have ever used certain versions of Linux and you use a weak password, Linux cracks your password and tells you how much time it took which is usually fractions of a second. This impresses upon you the easy nature of cracking a password and how important it is to pick a good one. A great place to search for free software is http://sourceforge.net. If you check password managers one called key pass comes up with > 175,000 downloads. This is usually how I pick software to try. I use this software and find it very nice to use. One thing we have done in our office is to use different passwords on our insurance company websites. If you are in the habit of using the same login ID and the same password on every insurance company website, the insurance company can find interesting information about your reimbursement from other insurance companies by using those logins. I am not saying they do this, but why leave yourself open. Another important point is that you should obfuscate your identity on certain files as much as possible. For example, if you use Quickbooks and you fill in the company information with your name and address, someone who comes into this information without authorization knows who the information belongs to. Put in only the information you need to in order to make the software run. For company name I put in something like "a." I try to leave as much blank as I can, like address and phone information. Too much information is given away in the check register already, but being mindful of this can lessen the damage. Google "top passwords" and see what you find. Some people estimate that 90% of users use a password from these lists that show up if you google passwords. Needless to say, these passwords are trivial to crack. One way to turn trivial passwords into almost uncrackable passwords is to string them together. For example,
the password "bill:joe:molly" takes three passwords that would be cracked instantly and now the cracker has to guess these three passwords in the correct order with the correct separator, ie ":". So now you have (number of trivial passwords) raised to the third power multiplied by the number of possible separators = a very big number. By the way, no "cracker" guesses passwords. There are huge dictionaries of passwords that computers search to find a match. Every single word from any language is in these dictionaries. If you use the above password manager, a random password is created that is not able to be remembered or cracked but it is tied to a file on your computer so you can manage these different passwords. The ironic thing is that it is probably the front desk making up these passwords and the dentist may know not to use weak passwords but doesn't know they are being used in the office.

User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

Re: What are you guys using for data encryption?

Post by doctordoom » Sat Aug 10, 2013 8:35 am

Finally figured out how to resolve this.

Made 2 partitions on hard drive. I made my first one about 250 GB for windows. Made that one the C: Made the 2nd partition the D:
Encrypted the D: with bitlocker (must have windows 7 ultimate or enterprise).

Made a .bat file that runs at startup. Here is a copy of mine.

@echo off
%systemdrive%\Windows\System32\manage-bde -unlock d: -password

net share mysql=d:\mysql /GRANT:Everyone,FULL
net share opendentimages=d:\opendentimages /GRANT:Everyone,FULL
net share xdr=d:\xdr /GRANT:Everyone,FULL
net start mysql
pause


So what this does is asks for the password to decrypt the D: right when you log in. then it shares the data folders, then lastly starts the mysql service.
Anyways that is the gist of it. Hope that helps.

User avatar
Hersheydmd
Posts: 703
Joined: Sun May 03, 2009 9:12 pm

Re: What are you guys using for data encryption?

Post by Hersheydmd » Sun Aug 11, 2013 11:20 am

My Win7 server is in a VirtualBox on a Win7 workstation.
The server is also partitioned into a C:\ drive for Windows and a D:\ drive for all my data.
Would you treat it any differently because it is in a VirtualBox? Would you still encrypt the Data Drive (D:\)?
What happens when you back up an encrypted drive? Is the backup encrypted?
What happens when you move the VB to another host? Will you be locked out of your encrypted guest because the hardware is different?

Also, googling BitLocker I found this article that seems to make the entire discussion moot.
This $299 tool is reportedly capable of decrypting BitLocker, PGP, and TrueCrypt disks in real-time
By Emil Protalinski, Thursday, 20 Dec '12, 06:48pm

Russian firm ElcomSoft on Thursday announced the release of Elcomsoft Forensic Disk Decryptor (EFDD), a new forensic tool that can reportedly access information stored in disks and volumes encrypted with desktop and portable versions of BitLocker, PGP, and TrueCrypt. EFDD runs on all 32-bit and 64-bit editions of Windows XP, Windows Vista, and Windows 7, as well as Windows 2003 and Windows Server 2008. The price tag isn’t outrageous, but EFDD will still set you back a solid $299....
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M ... 1471599429

User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

Re: What are you guys using for data encryption?

Post by doctordoom » Sun Aug 11, 2013 3:24 pm

I backup onto a encrypted USB 3.0 flash drive, and archive it weekly and restore it on a computer at home that is encrypted.

I use bitlocker because it is recommended by open dental.
http://www.opendental.com/manual/encryption.html

"The Health Insurance Portability and Accountability Act of 1996 (HIPAA) encourages encryption of data during storage and transmission. You do not technically have to encrypt during storage, but if your data is compromised (hacked, computer stolen or media lost) and you did not encrypt it, you will need to notify every patient and, in some circumstances, the media.

The only exception to the notification requirement is that if your data is encrypted, you do not have to notify. So you probably want to encrypt. The American Medical Association released this document in 2010 which explains encryption for Protected Health Information (PHI) in layman's terms. Documenting your data security policy is very important, as the burden of proof may rest upon you if there is a data breach (see http://www.hhs.gov/ocr/privacy/hipaa/ad ... index.html). "

I am not sure what security provisions are in virtual box. But I would imagine if it is not encrypted they can possibly get the data off the hard drive or even just out of the virtualbox image file.


I am not saying one way is better than another. I just sharing what method I use to encrypt my data that still allows remote rebooting of the server.

And as far as that $299 tool. They can go ahead and use it on my computer. I did my job following hipaa guidelines and I better not get penalized by them if my computer gets stolen.

Nate
Posts: 164
Joined: Wed Jun 27, 2007 1:36 pm
Location: Kansas City, MO

Re: What are you guys using for data encryption?

Post by Nate » Sat Oct 05, 2013 11:22 pm

So you could still use TrueCrypt now that you partitioned the hard drives. Do you find that Bitlocker is easier to use or better in any way?

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: What are you guys using for data encryption?

Post by Jay » Sun Oct 06, 2013 5:24 pm

Can someone explain how Bitlocker protects against a hacker who has gained access to the network and your shares? He could simply copy the files over which are accessible in an unencrypted state over your network. Even if your server is unhackable someone who hacks the workstations can use them to access the server over the network.

I think this only helps if someone runs off with the physical drive and mounts it on his own pc. Incidentally this probably makes data recovery impossible so backup well.

Note: I understand the notification benefit which is huge but want to understand the added security benefit.

bpcomp
Posts: 304
Joined: Mon Feb 27, 2012 7:30 am
Location: Tucson, AZ
Contact:

Re: What are you guys using for data encryption?

Post by bpcomp » Mon Oct 07, 2013 10:36 am

There is no encryption that helps when a workstation has been hacked on a live environment. As long as your database is network accessible then there is a vulnerability that files could be copied. This is why security should be approached from a site wide viewpoint instead of concentrating only on the server. Encryption of hard disks is not a protection from hacking so much as protection when something is stolen or lost. If you lose a drive that contains a backup of all the patient data and it isn't encrypted, then following HIPAA regulations you are required to notify every patient that their information may be compromised. If however that drive was encrypted then you are not obligated to do so. Security is a chain and it's only as strong as the weakest link. Hard drive encryption is not the whole of security but it is an important part and is best not ignored.

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: What are you guys using for data encryption?

Post by Jay » Mon Oct 07, 2013 11:30 am

@bpcomp. I agree with everything you say here. Encrypted drives do not protect if the network is ON and someone accesses it but they are important for example is someone steals the server. Such a person may not be able to log in but can mount an unencrypted drive and copy the data folders over. That would be impossible if the volume is encrypted.

fishdrzig
Posts: 433
Joined: Tue Oct 07, 2008 12:46 pm

Re: What are you guys using for data encryption?

Post by fishdrzig » Sat Nov 02, 2013 2:21 pm

So, basically, we have to have Windows 7 Ultimate or Windows 8 Ultimate on each of our computers to use BitLocker for the encryption that OD recommends?

User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

Re: What are you guys using for data encryption?

Post by doctordoom » Mon Nov 04, 2013 9:14 pm

I think you only need windows 7 ultimate or windows 8 ultimate on the server. All my workstations/client computers aren't encrypted.


You could actually use truecrypt as well if you don't want to use windows 7 ultimate... i found the way to make a .bat file to run when you log into windows with truecrypt
if you make your hard drive 2 partitions. the First partition is the operating system and the 2nd partition is where the data is stored
first partition would be C: and 2nd partition would be d:

If the 2nd partition = Partition3
would look something like this:

cd c:\program files\truecrypt\
truecrypt /v \Device\Harddisk0\Partition3 /m sm /a /q

net share mysql=d:\mysql /GRANT:Everyone,FULL
net share opendentimages=d:\opendentimages /GRANT:Everyone,FULL
net start mysql

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Tue Nov 05, 2013 4:25 am

If you use a batch file to decrypt and mount the drive... And the server was stolen.. All they would have to do is get at your batch file? On the subject of encrypting your internal partition that stores your PMS\HIPAA data.

Would it be encrypted? Yes.
Would it be easy to decrypt? Yes.

If this server was stolen, I would not tell myself that it cant be decrypted, and I would worry.. like hell. :D

Get a Dell Remote Access Card or a remove KVM switch. Then you can type the password in remotely without being in windows. Anyway of automating the mounting of the encrypted partition needs to looked at from a hacker point of view.

User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

Re: What are you guys using for data encryption?

Post by doctordoom » Tue Nov 05, 2013 9:52 am

When you run the batch file, you still have to type the password to decrypt and mount the partition.

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Sat Nov 09, 2013 3:50 pm

Good deal.. should have read your batch file.. hehe.

Nate
Posts: 164
Joined: Wed Jun 27, 2007 1:36 pm
Location: Kansas City, MO

Re: What are you guys using for data encryption?

Post by Nate » Fri Nov 29, 2013 8:11 pm

I have been researching different disk encryption options but still unsure of how best to utilize them. Any advice would be appreciated. It seems that Bitlocker and TruCrypt are stable software based options. Unfortunately it seems that for Bitlocker it is only available with certain versions of Windows and Dell doesn’t sell many new systems with the Windows 7 Ultimate. It also seems that it is recommended that the computer be newer and have TPM (Trusted Platform Module). I would be worried that any software encryption may be slower or require more processing resources and will have vulnerabilities (which I am not worried about, because I only want to cover myself if a computer with patient data is stolen). I have since learned about a SED (Self Encrypting Drive). Any opinions on them? It seems that the SED will be much more expensive. I am uncertain how backing up data (entire hard drive and open dental data) would work with either option. I currently back up the entire hard drive on my main computer (that acts as the server) every 6 months. So if the hard drive goes out I can simply plug in the back up copy and everything is running great in a matter of minutes. I also back up Open Dental using its designed back up feature nightly and restore to the home computer to test it weekly. I frequently use logmein to view the schedule and evaluate occasional emergency calls. I am not using any hard drive encryption but I wonder how it would affect my routine?
1)Can you still back up the entire encrypted hard drive?
2)Can open dental back up feature still work on an encrypted drive. If so is the data it backs up still encrypted? If it is then can you not restore it to a different computer?
3)Can encrypted data ever be saved decrypted? For example if you use Bitlocker for hard drive encryption but later decide you want to use TruCrypt or a Self Encrypting Hard drive can you save it first in an un-encrypted state and then encrypt again later if you choose?
4)If you use logmein to access your office computer will you have problems if the hard drive is encrypted?
5)Will encryption cause problems with the network computers trying to access data on the encrypted computer?
6)Can Open Dental simply create an encryption of the Open Dental Data folders? Or even use a third party software to encrypt only the folders with patient data rather than the entire hard drive?

I’m really looking for the simplest solution, just to do my part in encrypting the data and reduce my liability if some kids brake in the office and steal the server computer.

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Sat Nov 30, 2013 9:09 am

I think I would get a Dell Server with a DRAC Enterprise card and use BitLocker on the C and D arrays, with a pin. Or tie it to the TPM and a pin.

What if someone runs off with your server connected to a UPS though??? :D It would still be TURNED ON and serving out MYSQL! :D Might want to set a password for root?

TarheelDentist
Posts: 7
Joined: Sat Oct 06, 2007 5:43 pm

Re: What are you guys using for data encryption?

Post by TarheelDentist » Sat Nov 30, 2013 10:42 am

This has been an interesting thread; and reflecting Nate's comments, I am also looking for a simpler solution.

My setup:
1. I have a Optiplex 990 Server - Intel i5; and a RAID 1 set up; Currently with no partition. Running windows 7 Pro 64 bit. (No Bitlocker)
2. I log on remotely using Logmein to check my schedules sometime
3. I have multiple backups including a taking a backup to an external encrypted USB drive

What is the best mechanism to encrypt the entire hard drive so that I am not impacting my RAID 1 configuration in any way?

I see interesting discussions. I wonder if any one has actually done this and happy with with encryption ? I am interesting in trying truecrypt however not sure how it works with RAID 1? I dont mind investing on a hardware card / or a software solution.

Thank you!

Nate
Posts: 164
Joined: Wed Jun 27, 2007 1:36 pm
Location: Kansas City, MO

Re: What are you guys using for data encryption?

Post by Nate » Mon Dec 02, 2013 10:19 am

Maybe all my other questions should be posted to Dental Town to get more insight on the encryption process for the computer or encrypted hard drives.

But I hope someone from OpenDental can answer at least this question:

Can OpenDental simply create an encryption of the Open Dental Data folders? Is it possible? or already a planned feature?

Thanks

KevinRossen
Posts: 293
Joined: Mon Apr 22, 2013 8:49 am
Location: Dallas, TX
Contact:

Re: What are you guys using for data encryption?

Post by KevinRossen » Mon Dec 02, 2013 12:35 pm

Nate wrote:Maybe all my other questions should be posted to Dental Town to get more insight on the encryption process for the computer or encrypted hard drives.

But I hope someone from OpenDental can answer at least this question:

Can OpenDental simply create an encryption of the Open Dental Data folders? Is it possible? or already a planned feature?

Thanks
Hi Nate. I'm in the process of updating how I have my data encrypted across three different computers. For the server, what I'm planning on doing is having a separate partition for Open Dental data (mysql, images) that I'll encrypt with either Bitlocker or TrueCrypt. I'm leaning toward TrueCrypt because it seems more robust and easier to use, but haven't fully decided yet.

As far as Open Dental encrypting the data, I'm sure you could request that as a feature, but I think you'd be much better off using either BitLocker or TrueCrypt. While it *might* be easier to use something that's integrated with the software, it will be better to separate that out. I'm running a laptop on a drive that's encrypted with TrueCrypt. The only thing that I have to do is enter a password at bootup, but that's it. Runs smoothly with no noticable performance impact.
Kevin Rossen
Office Manager, Rossen Dental
Founder, DivergentDental.com
Image

KevinRossen
Posts: 293
Joined: Mon Apr 22, 2013 8:49 am
Location: Dallas, TX
Contact:

Re: What are you guys using for data encryption?

Post by KevinRossen » Mon Dec 02, 2013 12:53 pm

I'll do my best to answer each of your questions based on my experiences:
Nate wrote:1)Can you still back up the entire encrypted hard drive?
Yes. An encrypted drive functions in Windows exactly the same as a normal drive in regards to features. The only difference might be how you handle "mounting" the drive. But you honestly can automate almost everything, so it would feel just like a normal drive in everyday use.
Nate wrote:2)Can open dental back up feature still work on an encrypted drive. If so is the data it backs up still encrypted? If it is then can you not restore it to a different computer?
Yes, the feature would work. Once the encrypted drive is actively mounted (think of it like plugging in a USB key), it can be used just like any drive. The data is actively encrypted on the fly with bitlocker and TrueCrypt, so it will be encrypted.
Nate wrote:3)Can encrypted data ever be saved decrypted? For example if you use Bitlocker for hard drive encryption but later decide you want to use TruCrypt or a Self Encrypting Hard drive can you save it first in an un-encrypted state and then encrypt again later if you choose?
I'm not certain about bitlocker, but TrueCrypt has a decrypting option at least when you're encrypting a whole drive that has Windows on it. You would have to use a bootable CD that is made when you're setting up the encryption (TrueCrypt walks you through it, really easy).
Nate wrote:4)If you use logmein to access your office computer will you have problems if the hard drive is encrypted?
This is an issue I'm thinking through. My plan is to setup the server's Windows partition as unencrypted (there's really no need to protect that) and encrypt the partition that has the MySql/Open Dental data. LogMeIn doesn't care whether or not the drive is encrypted and functions the same either way.
Nate wrote:5)Will encryption cause problems with the network computers trying to access data on the encrypted computer?
I'm pretty sure if you've setup your shared folders correctly it won't matter.
Nate wrote:6)Can Open Dental simply create an encryption of the Open Dental Data folders? Or even use a third party software to encrypt only the folders with patient data rather than the entire hard drive?
You can do this, but it would be kind of complicated. It'd be simpler to encrypt a partition.

If you haven't yet, you should check out the FAQ on TrueCrypt's website. Pretty helpful info there. http://www.truecrypt.org/faq
Kevin Rossen
Office Manager, Rossen Dental
Founder, DivergentDental.com
Image

shadlewis
Posts: 25
Joined: Tue Oct 04, 2011 3:35 am

Re: What are you guys using for data encryption?

Post by shadlewis » Wed Dec 04, 2013 7:06 am

My server runs linux.

I created a partition which contains the db and images folder.


User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

Re: What are you guys using for data encryption?

Post by doctordoom » Thu Dec 26, 2013 7:32 pm

"......Shafer says he found a copy of a Dentrix program on an internet file sharing site. Shafer says he was curious, so he downloaded the program registered to the Lanap and Implant Dental Center in Williamsport. And to his surprise, Shafer says it had the names, addresses and in most cases, the social security numbers of 11,000 people in the Williamsport area. “You can just download and install it, and just use this database and surf it like you would the internet,” added Shafer."


Justin nice to see you in the news LOL. How did this office's database end up on a internet sharing site? Well obviously that practice didn't encrypt their data. But say someone finds a flash drive or whatever media it was backed up on. A normal person who found it would just format the media and use it for themselves. Not upload the data to the internet sharing site. Something sounds rather suspicious here.

User avatar
Hersheydmd
Posts: 703
Joined: Sun May 03, 2009 9:12 pm

Re: What are you guys using for data encryption?

Post by Hersheydmd » Fri Dec 27, 2013 3:51 pm

mark
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M ... 1471599429

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Fri Dec 27, 2013 7:05 pm

doctordoom wrote:"......Shafer says he found a copy of a Dentrix program on an internet file sharing site. Shafer says he was curious, so he downloaded the program registered to the Lanap and Implant Dental Center in Williamsport. And to his surprise, Shafer says it had the names, addresses and in most cases, the social security numbers of 11,000 people in the Williamsport area. “You can just download and install it, and just use this database and surf it like you would the internet,” added Shafer."


Justin nice to see you in the news LOL. How did this office's database end up on a internet sharing site? Well obviously that practice didn't encrypt their data. But say someone finds a flash drive or whatever media it was backed up on. A normal person who found it would just format the media and use it for themselves. Not upload the data to the internet sharing site. Something sounds rather suspicious here.
LOVE being in the news.... Always said to self.. Need to be on the news... One Day. :D Cross that off. :)

No idea how it wound up on the piratebay.. Your guess is as good as anyone else. Could be someone really didn't know there was a database on that flash drive, or they did and just uploaded it anyways.. Not exactly... I find a flash drive in the middle of the road, I check it out...

Reminds me of the time I borrowed a floppy drive from a friend in highschool. Long story short, I undeleted his crossword puzzle and turned it in for an A. Or the time someone gave me a stolen laptop with a password... I didn't turn the person in, but I did manage to burn everything important to some DVD's and mailed them back to the owner. I assume they were happy. :)

Your guess is really as good as anyone elses.... Though... One does wonder... Did he ever take the backups offsite??? Who knows.........

That is all I should probably say at this moment. It aint over.

User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

Re: What are you guys using for data encryption?

Post by doctordoom » Sat Dec 28, 2013 8:12 am

I think that office's biggest mistake was not encrypting their back ups or server?

Only other thing i could think of, was a inside job (angry employee), or someone hacked into their computer or exploited vulnerabilities of dentrix which would have had to been done while the computer was on.


Justin, what things can we do to prevent us from being that office in the news? Thanks in advance.

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Sat Dec 28, 2013 11:10 am

Yes, the mistake it seems is that the backup was not encrypted. As the server does not appear that it was stolen, if it was you, you would want that flash drive encrypted as well with something like BitLocker or True Crypt.
-------------------------------------

Your guess is as good as mine... This is Dentrix 11.0 so... There are not really any vulnerabilities in Dentrix 11.0 other then you must protect access to FileSharing where the Dentrix 11.0 Database resides. G5 uses cTreeACE Database Engine and so with G5 you must hope Dentrix has secured access to the Database and the database itself, because that is how the product seems to be marketed.

This could be done with Dentrix G5, via the exploit. With Open Dental, if someone had access to your LAN and wanted your database then it is much harder with a root password set. That would prevent someone from finding the IP running port 3306 (mysql) and then login to mysql, and then dump the database.

With G5, I try to find the username and password to authenticate to the database server without physical access to the server. And I seem to be good at it at the moment. If mysql does not have a password for root..... then it is also very easy for me to authenticate to a mysql server holding an opendental database. Thing is, Open Dental is open source, and it's a different beast. We cannot hide strings in the source code like other companies. :o As such, we have the power to set a root password, while Dentrix administrators do not. Well, I can, but most people cannot. :lol: Anyways.. I bring this up so nobody can call me a hypocrite. :D It goes back to marketing.
==========================================================================

What can you do to make it hard for hackers? (These people will want your patient info and they will not tell anyone after they have acquired it, unless the info is being sold, etc.) Also prevents a virus from reading the database.. easily.

(This should also be used to prevent employees from dumping a database)
1. Create a password for root under open dental will help. Even better have Open Dental prompt for the root password at runtime so the password won't be saved in the XML file. This would prevent hacking of a workstation just to get access to the mysql running on the server.
2. Make sure all your updates have been installed for Windows. Double check that the Shares setup for Windows File Sharing do NOT include access to the Open Dental database.
3. Use a commercial router that has automatic firmware updates to prevent hackers from exploiting the Wifi. Or just use WPA2 with a long passphrase that is not a dictionary word, include numbers, characters etc. Disable WPS. Some routers actually have WPS enabled and you don't even know it, nor can it be disabled. Update the firmware, or try to hack it yourself. Or just use a commercial grade router. Or physically seperate your guest wifi from the rest of your network by getting 2 IP addresses from your ISP, etc. Prevent access to your lan through wifi is the theme here. :D You can use mac address white listing, though it could be possible to see client mac addresses while clients are turned on, and then spoof the mac address.
http://www.pcworld.com/article/249954/h ... iness.html
4. Don't run mysql on port 3306, everyone knows that port? Well, we do. :D
5. IPSec http://en.wikipedia.org/wiki/IPsec


I like DD-WRT myself, as they have WPS disabled in the firmware.

What can you do to make it hard for employees? (much harder to do from an administration standpoint)
1. I would use a domain\active directory.
2. I would use group policies to lock down the workstations, and prevent users from doing all sorts of things. You basically only want to give users access to performing their job, and NOTHING else. They would not be Administrators. This can be more difficult with other programs that want you to be part of the Administrator group in Windows.
3. Server should be physically secured.
4. Servers and Backup drives should be encrypted.
5. Watch out for keystroke loggers as they could be used to steal passwords very easily. Dongles you can attach to a keyboard. :D

The list goes on and on to keep an employee from doing this. Basically you want to be sure they are not administrators on the computer, and you would want to go over rights and permissions VERY thoroughly. You want to be sure you cannot hack it yourself, logged in as an employee. Nobody was ever interested in having me do this, as... most people trust their employees... 1 time I met an office manager who watched my every move when I setup a backup to an Iomega Rev Drive. I thought it was strange, but I thought maybe she was just wanting to learn. Naaa.. she was seeing how she could destroy a backup in case the doc ever found out she was stealing from the practice... Was like $300,000... And of course, she deleted the audit trail, but I was able to recover it. I think she got away with it... Doc wanted same day service some time later which I could not provide, so I never heard back that office.. I think a printer couldn't print or.. something.

I am sure there is more.. anything comes to mind I will ammend. :D

I wonder if we could encrypt an entire database based off a certificate or something.

PS. Feels good to get to TALK about it. 14 months..... the breach.. perfect example\talking point\topic.
Last edited by Justin Shafer on Sat Dec 28, 2013 4:34 pm, edited 9 times in total.

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Sat Dec 28, 2013 2:42 pm

Good read:
http://vxlabs.com/2012/12/22/ssds-with- ... ncryption/
What we really need are Raid Controllers that have their own passwords and can take advantage or Self Encrypting Drives. I told a dell rep that this would be beneficial, having a password or dongle or something to allow decryption of the Array. This goes beyond having a password set on the individual drives using the ATA spec. It could be tied to the bios password, could be tied to a raid controller prompt, some sort device that allows a certificate or key. That would be GREAT. Though... we would always most likely have this device always inserted into the server. Because people are lazy. :D Same goes with BitLocker being tied to a USB Flash Drive.

http://www.dell.com/downloads/global/pr ... debook.pdf
"This feature provides protection to the data at rest in the event of theft or loss of drives." Page 19.

That is true, this does prevent reading a SED drive, if your just trying to read the drive without being in the server it was from. But if your server is stolen, then it is a different ballgame, and your better off using True Crypt or Bit Locker. I dislike the idea of having some of the server decrypted and some of it encrypted because, as a design, because people like to copy data around when they know they should not. In other words, we HOPE that nobody copies PHI to the unencrypted part of the server for whatever reason. What if the server is stolen, the covered entity claims all was good, never reports it, and then suddenly, SHTF.

I think at a minimum one should really watch the Wifi, and use BitLocker on the backups. Encrypting the server with a USB Key and BitLocker at Bootup should be next (server theft prevention) along with setting a root password (prevent someone getting access to the database on your LAN)

There is also the problem of what if someone steals a server that is still turned on... Some sort of Network Location Awareness and self destruct should fix that.. Thought it could suck if you replaced your router and forgot about that. :D
To reiterate:
1. Prevent being able to gain access to Windows\Mysql over the LAN without physical access to the server.
2. Prevent someone using your server IF it was stolen and powered down during the process.
NOTE: If they stole the server while it was on, then they now have the ability to gain LAN access! Eventually they will win. They will wait for a Windows exploit to come out, use it, become the Windows Administrator, and then get access to mysql.
3. Prevent wifi access so they cannot get on the LAN.
These we can do.
4. Secure the database itself... (This seems more difficult and is a OD thing, and how do you encrypt a database when they key is accessible somewhere?)
#4 is just a thought, outside of our control.
Last edited by Justin Shafer on Sat Dec 28, 2013 3:50 pm, edited 3 times in total.

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Sat Dec 28, 2013 3:12 pm

http://technet.microsoft.com/en-us/libr ... 78941.aspx
The 10 Immutable Laws
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

There is a lot of paranoia in the world of IT. Pick a level. :wink:

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Sat Dec 28, 2013 5:32 pm

One more story.

Was talking to a doctor over the phone. He was explaining everything he had been doing to the network. Blah blah blah blah blah blah "I put the server in the DMZ" blah blah blah blah blah....

I said... "Wait, you what? You put the server in the DMZ???"

I asked him to go to ipchicken.com, he gave me his ip address, and just like that, I could see his Open Dental database and I could use it, etc. We turned DMZ off. This person will forever be unknown. :D
http://en.wikipedia.org/wiki/DMZ_(computing)#DMZ_host (Means that all the open ports on the internal fileserver could be accessed from your WAN ip)
Yeesh! Not to be confused with a true DMZ

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Sun Dec 29, 2013 6:52 pm

Hersheydmd wrote:My Win7 server is in a VirtualBox on a Win7 workstation.
The server is also partitioned into a C:\ drive for Windows and a D:\ drive for all my data.
Would you treat it any differently because it is in a VirtualBox? Would you still encrypt the Data Drive (D:\)?
What happens when you back up an encrypted drive? Is the backup encrypted?
What happens when you move the VB to another host? Will you be locked out of your encrypted guest because the hardware is different?

Also, googling BitLocker I found this article that seems to make the entire discussion moot.
This $299 tool is reportedly capable of decrypting BitLocker, PGP, and TrueCrypt disks in real-time
By Emil Protalinski, Thursday, 20 Dec '12, 06:48pm

Russian firm ElcomSoft on Thursday announced the release of Elcomsoft Forensic Disk Decryptor (EFDD), a new forensic tool that can reportedly access information stored in disks and volumes encrypted with desktop and portable versions of BitLocker, PGP, and TrueCrypt. EFDD runs on all 32-bit and 64-bit editions of Windows XP, Windows Vista, and Windows 7, as well as Windows 2003 and Windows Server 2008. The price tag isn’t outrageous, but EFDD will still set you back a solid $299....
Excellent Question.
http://www.elcomsoft.com/efdd.html
Three Ways to Acquire Encryption Keys

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be derived from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:
By analyzing the hibernation file (if the PC being analyzed is turned off);
By analyzing a memory dump file *
By performing a FireWire attack ** (PC being analyzed must be running with encrypted volumes mounted).


This is why servers dont have FireWire. :D If you have ALL the partitions in the server encrypted, then there won't be a hibernation file or memory dump file to examine. You would have to try to hack the server through the network card with a windows exploit, without turning off the server if bitlocker is setup with a pin and or usb flash drive and or tpm type of verification. (Meaning windows won't even boot without a password and or a usb flash drive with a decryption file). So this is if the server was stolen without being powered down, of course. And you would want the server to be locked at a control-alt-delete screen of some sort. If the server does NOT have the C partition encrypted and that is where Windows resides, then you do NOT want auto mounting of any encrypted drives. Then the decryption key will be loaded in ram and would be vulnerable to EFDD. Which is why I just say screw it, encrypt everything, I would require a pin and or usb flash drive with a tpm type setup, and then get a dell remote access card to do a remote reboot so I could enter in the password, which would be long. Of course, it is even MORE secure not to have the D Drive or Data Partition auto-mount at all, that way exploiting Windows would not work. Meaning you did very good to use a batch file and putting in the password manually. :D Perhaps dismounting the encrypted drive when you are done working would be the ultimate. Hmmm....

BUT if someone just finds your backup drive encrypted with truecrypt or bitlocker, there are not going to use EFDD to find your key and read the drive. Not without trying to find the decryption key that is already in memory running on a computer... which is what EFDD does.

User avatar
Hersheydmd
Posts: 703
Joined: Sun May 03, 2009 9:12 pm

Re: What are you guys using for data encryption?

Post by Hersheydmd » Thu Jan 02, 2014 4:50 pm

Justin, great posts but very technical. My head is spinning.
Could you perhaps give us a synopsis of the important points in layman's terms?
What are you recommending everyone do?
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M ... 1471599429

drtbar
Posts: 76
Joined: Wed Dec 26, 2007 6:43 pm
Location: Muskegon, MI

Re: What are you guys using for data encryption?

Post by drtbar » Thu Jan 30, 2014 6:26 am

I've been following this thread although there hasn't been activity in a few weeks. I want to encrypt the A-Z and mysql folders, but thinking through the process I think I'm going to run into a snag. Encrypting the A-Z folders should be a snap, create encrypted container with truecrypt and then put the A-Z folder in there. My problem is getting mysql to run. If I create the container with truecrypt, then install mysql to that folder, at startup windows will attempt to run the mysql server and will not be able to without the folder being mounted. So each time I have to manually mount the folder, then manually run mysql server to make it work. I believe you can automate a folder being mounted with truecypt, but how do you make sure it mounts it before windows trys to run mysql server? The other issue is I believe to automate the mounting of the folder/container, it has to have the same password as your admin/login password on the box. I've read that cracking a windows login pass is crazy easy. So how do we safeguard against that?

drtbar
Posts: 76
Joined: Wed Dec 26, 2007 6:43 pm
Location: Muskegon, MI

Re: What are you guys using for data encryption?

Post by drtbar » Thu Jan 30, 2014 8:57 am

The more I've read, I think I'm going to just get Win8.1 pro and use bitlocker to encrypt the mysql and A-Z folders. I have to upgrade my server from xp anyway, so this will kill two birds with one stone.

KevinRossen
Posts: 293
Joined: Mon Apr 22, 2013 8:49 am
Location: Dallas, TX
Contact:

Re: What are you guys using for data encryption?

Post by KevinRossen » Thu Jan 30, 2014 10:18 am

drtbar wrote:The more I've read, I think I'm going to just get Win8.1 pro and use bitlocker to encrypt the mysql and A-Z folders. I have to upgrade my server from xp anyway, so this will kill two birds with one stone.
As long as your server has a Trusted Platform Module BitLocker is the easiest way to go. I've setup both BitLocker and TrueCrypt in the past month or so. For my main server I use BitLocker and have Windows automatically mount the encrypted partition(s) I have setup and it works flawlessly. One of the backups I keep is on a laptop, which I use at home to test stuff and my "What do I do if the building burns down?" plan involves setting up temporary shop using the laptop.

Let me know if you need any help along the way. Like I said, I just setup encryption recently. It was intimidating at first, but it's a fairly straightforward process once you figure out everything.
Kevin Rossen
Office Manager, Rossen Dental
Founder, DivergentDental.com
Image

drtbar
Posts: 76
Joined: Wed Dec 26, 2007 6:43 pm
Location: Muskegon, MI

Re: What are you guys using for data encryption?

Post by drtbar » Thu Jan 30, 2014 10:50 am

My "server" is only another desktop I built myself for a dedicated server, so unlikely it has tpm. TPM looks to be proprietary to intel? My dedicated server is an amd based box. What does tpm do with bitlocker? I was under the assumption I could just use bitlocker with any box with win8 pro.

I just started using truecrypt for my removable backup drives and it was pretty straight forward. But I don't have a good way to physically lock up my server and regardless I want to encrypt the patient info. I like the idea of a batch file that was suggested, but not experienced enough to mess around with that.

KevinRossen
Posts: 293
Joined: Mon Apr 22, 2013 8:49 am
Location: Dallas, TX
Contact:

Re: What are you guys using for data encryption?

Post by KevinRossen » Thu Jan 30, 2014 1:15 pm

drtbar wrote:My "server" is only another desktop I built myself for a dedicated server, so unlikely it has tpm. TPM looks to be proprietary to intel? My dedicated server is an amd based box. What does tpm do with bitlocker? I was under the assumption I could just use bitlocker with any box with win8 pro.

I just started using truecrypt for my removable backup drives and it was pretty straight forward. But I don't have a good way to physically lock up my server and regardless I want to encrypt the patient info. I like the idea of a batch file that was suggested, but not experienced enough to mess around with that.
You can use BitLocker without TPM, but it you want to automatically mount/load an encrypted partition when Windows starts up you have to have your system partition encrypted via bitlocker and have a TPM. Without it, you'll either have to utilize a password or smart card. See this link for details: http://windows.microsoft.com/en-us/wind ... encryption

This is probably drifting into advanced topics, but you should be able to check your bios to see if it has a TPM. It's not always labeled as "TPM." Might be something like "secure boot options" or something similar. If you want to PM me your motherboard model I can Google it to see what I can find out.
Kevin Rossen
Office Manager, Rossen Dental
Founder, DivergentDental.com
Image

drtbar
Posts: 76
Joined: Wed Dec 26, 2007 6:43 pm
Location: Muskegon, MI

Re: What are you guys using for data encryption?

Post by drtbar » Thu Jan 30, 2014 4:58 pm

It's an ASUS M4A79XTD and with my google search, appears that it does not have tpm. So maybe truecrypt with win7 is still the way to go. I can format the disc and create two partitions like doctordoom recommended and encrypt the partition where mysql and opendental will be installed. I don't really see any other way to do it.

drmaximus
Posts: 75
Joined: Wed May 26, 2010 7:51 am

Re: What are you guys using for data encryption?

Post by drmaximus » Fri Jan 31, 2014 3:11 am

drtbar wrote:It's an ASUS M4A79XTD and with my google search, appears that it does not have tpm. So maybe truecrypt with win7 is still the way to go. I can format the disc and create two partitions like doctordoom recommended and encrypt the partition where mysql and opendental will be installed. I don't really see any other way to do it.
Just use bitlocker. Upgrade to win 8.1 pro. You don't need tpm. It will just make you print off a key and put it in a safe spot

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Fri Jan 31, 2014 7:39 pm

I think we should have server room filled with fake servers.. Buy 10 of them, but only have 1 be the actual server. So a thief would not know which server to take. You may buy all 10 of these servers from me. Great idea? :D

Nate
Posts: 164
Joined: Wed Jun 27, 2007 1:36 pm
Location: Kansas City, MO

Re: What are you guys using for data encryption?

Post by Nate » Mon Sep 07, 2015 6:55 pm

Anyone using encryption on windows 10? Which is better: Device Encryption or BitLocker? Do all versions of windows 10 have BitLocker? Thanks for any help you can provide.

Nate
Posts: 164
Joined: Wed Jun 27, 2007 1:36 pm
Location: Kansas City, MO

Re: What are you guys using for data encryption?

Post by Nate » Wed Sep 09, 2015 8:57 am

Can anyone explain the difference between BitLocker or Device Encryption and if one is preferred or works better for OpenDental? I have found that Windows 10 Home may not come with BitLocker so it looks like it will require Windows 10 Professional. Does either encryption method slow down the computer much? Will having BitLocker with TPM make it difficult to upgrade any computer hardware in the future? I was also wondering if you back up your data to USB device from a computer with BitLocker on then is your data automatically encrypted on the USB device?

OpenDental help pages explain that MySQL and A to Z image folders should be encrypted. Does anyone also encrypt their digital x-ray database?

Thanks for any help

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: What are you guys using for data encryption?

Post by Justin Shafer » Sun Nov 22, 2015 1:10 pm

http://justinshafer.blogspot.com/2015/1 ... pdate.html

Government let me down. They closed the investigation of the breach without investigating the breach...

So I did one of my own. :D

Post Reply