
[This article is originally published in cpomagazine.com written by  - Uploaded by AIRS Member: Robert Hensonw]

In an age where the Internet is simply an indispensable part of life, the use of a search engine is possibly at the foundation of the user experience. This is a world where near instantaneous access to information is not simply a ‘nice to have’ for researchers and writers, it is at the bedrock of our modern consumer society. It is the way in which we find takeout food, restaurants, household furnishings, fashion – and yes even friends and lovers. In short, without search engines, the machine that powers our modern world begins to falter.

We are increasingly reliant on search engines – but it may be instructive to understand just how much data Google is now handling. Within Google’s range of products, there are seven with at least one billion users. In its privacy policy, Alphabet (Google’s parent company) outlines its broad and far-reaching data collection. The amount of data the company stores is simply staggering. Google holds an estimated 15 exabytes of data, or the capacity of around 30 million personal computers.1

However, it is worth noting that Google is not alone in the search engine space. There are other players such as Microsoft’s Bing, Yahoo Search and Baidu. All of them are mining data. However, there can only be that one ‘Gorilla in the Sandpit’ – and that is undoubtedly Google. To explore just how search engines may infringe on our rights to privacy, Google gives us a yardstick to what they would characterize as ‘best practice’.

Nothing in life is free … Including search engines

Consumers are becoming increasingly aware that the old maxim of ‘nothing in life is free’ is even more applicable than when it was penned. In fact, there is an associated saying ‘if something is free you are getting exactly what you pay for.’

Herein lies the problem with the use of search engines. They offer an essential service – but that service is certainly not free of cost. That cost is a certain level of intrusion into our lives in the form of search engine companies like Google gathering data about our online habits and using that data to fine-tune marketing efforts (often by selling that data to third parties for their use).

But that is only the outcome of using a search engine. For many consumers and consumer advocate groups, the real problem lies deeper than that. It revolves around awareness and permission. Are search engine companies free to gather and use our data without explicit permission – can we opt out of such an arrangement?

The answer is both yes and no. Reading search engine company user agreements, it becomes clear that we (at least historically) have been empowering companies like Google to use the data that they gather in almost any way that they see fit. But lately, we have seen a huge effort by search engine companies to make sure that consumers are aware that they can limit the amount of data that is gathered. That was not always the case – user agreements are almost never perused with great care. Most people are not freelance attorneys and are defeated by the legalese and intricacies of most user agreements and outlines of a privacy policy.

However, the real problem is that although the gathering of data and the leveraging of that data for profit may represent a betrayal of the relationship between consumer and search engine company there is a larger issue at stake, beyond even the right to privacy – and this is data security.

Google has a far from perfect record as regards security – but it is better than many other tech companies. However, mistakes do happen. In 2009, there was a bug in Google Docs that potentially leaked 0.05% of all documents stored in the service. Taken as a percentage this does not seem like a terribly large number, but 0.05% of 1 billion users is still 500,000 people. Google has no room for error when it comes to data protection.

Another fact worth noting is that Google’s Chrome browser is a potential nightmare when it comes to privacy issues. All user activity within that browser can then be linked to a Google account. If Google controls your browser, your search engine, and has tracking scripts on the sites you visit (which they more often than not do), they hold the power to track you from multiple angles. That is something that is making Internet users increasingly uncomfortable.

Fair trade of service for data

It may seem that consumers should automatically feel extremely uncomfortable about search engines making use of the data that they gather from a user search. However, as uncomfortable as it may seem to some, consumers are entering into a commercial relationship with a search engine provider. To return to a previous argument ‘there are no free lunches’. Search engines cost money to maintain. Their increasingly powerful algorithms are the result of many man hours (and processing power) which all cost huge amounts of money. In return for access to vast amounts of information, we are asked to tolerate the search engine companies’ use of our data. In most instances, this will have a minimum impact on the utilitarian value of a search engine. Is this not a tradeoff that we should be willing to tolerate?

However, there is a darker side to search engine companies harvesting and using data that they have gleaned from consumer activity. Take for instance the relationship between government agencies and search engine companies. Although the National Security Agency in the United States has refused to confirm (or deny) that there is any relationship between Google and itself there are civil rights advocates who are becoming increasingly vocal about the possible relationship.

As far back as 2011, the Electronic Privacy Information Center submitted a Freedom of Information Act request regarding NSA records about the 2010 cyber-attack on Google users in China. The request was denied – the NSA said that disclosing the information would put the US Government’s information systems at risk.

Just how comfortable should we be that the relationship between a company like Google and the NSA sees that government agency acting as a de facto guardian of its practices and potential weaknesses when it comes to data protection – and by extension privacy?

It’s complicated

The search for a middle ground between the rights of the individual to privacy and the bedrock of data protection vs the commercial relationship between themselves and search engine companies is fraught with complexities. What is becoming increasingly clear is that a new paradigm must be explored. One that will protect the commercial interests of companies that offer an invaluable service and the rights of the individual. Whether that relationship will be defined in a court of law or by legislation remains to be seen.

Categorized in Search Engine

[This article is originally published in cba.ca - Uploaded by AIRS Member: Barbara Larson] 

Identity theft, or the theft of personal information, can be the starting point to a range of crimes — from financial fraud and forgery to abuse of government programs. The thief only needs a small amount of information, as little as your name and birthdate, to start building their new identity and committing fraud. That is why combating identity theft requires the cooperation and efforts of business, law enforcement, individual consumers and the government.

Banks have highly sophisticated security systems and experts in place to protect customers’ personal and financial information and to protect them from being the victims of financial fraud. They also work closely with law enforcement to help educate consumers about steps they can take to minimize the risk of becoming a victim. Consumers also have a role to play in protecting themselves, however, and must remain vigilant.

Signs of identity theft

You could be a victim of identity theft if:

  • You are contacted by a creditor because an application for credit that you did not apply for was received in your name and with your address.
  • You receive a phone call or letter informing you that you have been denied or approved by a creditor that you never applied to.
  • You receive credit card statements or other bills with your information that you never applied for.
  • You no longer receive your credit card statements or any of your mail.
  • You are contacted by a collection agency informing you that they are collecting for a defaulted account established with your identity that you never opened.

What to do if you are a victim

If you think you have been a victim of identity theft, here are some important actions to take:

  • Contact your bank or credit card issuer right away – the bank will take the appropriate steps to help prevent fraud in your accounts. These steps could include canceling and reissuing credit or debit cards, investigating and reversing fraudulent transactions and providing further advice to customers.
  • Contact local police – contact your local police force and file a report about the fraud.
  • Contact Canada’s credit reporting agencies – if you suspect that you may have been a victim of identity theft, contact both of Canada’s credit reporting agencies, Equifax Canada and TransUnion Canada, and obtain a copy of your credit report.  If there are creditors on the report that you have not done business with, contact those organizations and let them know you have been the victim of identity theft.
  • Consider a fraud alert for your credit files – Equifax Canada and TransUnion Canada can also put a fraud alert on your credit files. With this fraud alert, creditors that have viewed your credit report will have to contact you before extending credit. This can help prevent someone else from taking out a loan or credit card in your name.
  • Contact other organizations as necessary – other organizations and government agencies may also need to know if your personal information has been stolen and used to commit fraud.  For example, you should contact government agencies such as Human Resources Development Canada (HRDC) if someone has used your Social Insurance Number to apply for government services.

Categorized in Internet Privacy

Tech companies are leaving your private data unlocked online and there isn’t much you can do about it. (image: Flickr/ Maarten Van Damme)

SANTA ROSA, CALIF. — Chances are your private data has probably been available on the web for any random visitor to read. And you may not even be able to blame hackers or identity thieves for it.

Instead, somebody at a company that collected or handled your information — maybe a wireless carrier, maybe a software firm with a mailing list, maybe a political research firm trying to put you in one likely-voter box or another — may have left it vulnerable on their own. And this happens often enough for a security researcher to make finding these exposures his speciality.

What’s more, there’s really not much you can do about it short of becoming a digital hermit.

A boom in breaches

Chris Vickery, director of cyber risk research at Upguard Security, has a simple theory for why he keeps finding databases open.

“I would say convenience is probably the biggest reason,” Vickery said during an interview at a coffee shop in this Sonoma County city where he works remotely for his Mountain View, California employer. “It’s easier just to have it open to everybody.”

At best, he added, some hapless employee doesn’t think they left the data exposed or believes nobody will stumble upon their attempt to ease telecommuting.

The biggest such example Vickery found to date was some 200 million voter-registration records that a Republican National Committee contractor left publicly accessible.

But the consequences of changing secure default settings in such cloud systems as Amazon’s (AMZN) AWS can go well beyond extra spam.

For example, the 13 million account credentials from the Mac-software firm Kromtech that Vickery found in 2015 could have been used to hack into other accounts “secured” with the same passwords.

The 6 million Verizon (VZ) wireless subscriber records Vickery found last month included some account passcodes that an attacker might have used to defeat two-step verification security that confirms strange logins with a one-time code texted to your phone.

(Verizon’s media division Oath owns Yahoo Finance.)

And the 87 million Mexican voting records he uncovered in 2016 could have been exploited by drug traffickers to compound the country’s plague of kidnappings and murders. Vickery recalled one immediate reaction: “You cannot let the cartels know about this.”

The 32-year-old’s work has won endorsements from other security researchers.

“Chris has been enormously effective at sniffing out exposed data left at risk in all sorts of obscure places,” said Troy Hunt, an Australian researcher who runs a data-breach index called Have I been pwned? that can reveal if your accounts have been exposed.

How to find a breach

Vickery said the easy part of his job is finding these databases, thanks to a searchable catalogue of publicly-accessible devices called Shodan and automated scanning tools that can quickly detect databases left open.

“The amount of data that comes back isn’t a ton, but it happens at a very, very fast rate,” he said.

At no point, he said, does he engage in hacking or impersonation of a legitimate user.

“If you have a password or a username set up, I’m not going to go any further,” he said. “I don’t trick anything.”

If a search locates apparently sensitive data, he will download a sample to confirm that it represents material that should have stayed private. He usually doesn’t bother looking for his own info, but he has not been amused when he finds it — such as in a leaked voter-registration database in 2016.

“I looked myself up just to see if it was legit, and it was all my data,” he recalled. “I was pretty pissed.”

Then he will try to notify the affected company. That hasn’t always been easy. Kromtech, the maker of the often-scorned security app MacKeeper, didn’t respond to his queries until he posted about the problem on Reddit — though after securing the data, the firm hired him to blog about security issues.

Hunt, the Australian researcher, recently met even more egregious resistance when a British firm selling family discounts for things like theme parks blocked him and others on Twitter for tweeting about its lax security.

“I used to start at the bottom, calling the receptionist or something,” Vickery said. “Now I’ll start with the breached data and then find the CEO’s home number and call him at dinner. That usually gets a faster response.”

Unhelpful responses and an unhelpful law

But a response accepting his findings can still come seasoned with denial. Vickery advised against trusting the common excuse that only he saw the exposed data — many companies don’t keep the access records needed to prove that claim.

“They can say that plausibly because they’re not keeping logs,” he said.

Vickery said he has also received the occasional legal threat, despite making a point of not using hacking tools to sneak into sites.

“No law enforcement agency has ever even suggested that what I do is illegal,” he said.

But the 1986-vintage Computer Fraud and Abuse Act applies such a broad definition of online trespassing that a company could feasibly try to sue a researcher like Vickery.

A new bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, would exempt more security research from the CFAA as part of a larger tightening of security standards for internet-connected devices in government use. But this law’s vagaries have survived years of talk about reforming it.

Will another round of data-breach headlines change that? We’ll probably find out soon enough, Vickery said. While consumers are now better educated about the scope of the problem, companies keep making the same mistakes.

“I think things have gotten better in the past couple of years as far as awareness goes,” Vickery said. “But the number of breaches happening hasn’t decreased at all.”

Source: This article was published on yahoo.com by Rob Pegoraro

Categorized in Internet Privacy

Encryption should become the default as study reveals millions of sensitive services are exposed to the internet, says Rapid7

Millions of IT systems on the internet offer services that should not be exposed to the public network, a study by security firm Rapid7 has revealed.

The study uncovered 15 million nodes offering Telnet, 11.2 million nodes offering direct access to relational databases, and 4.5 million printer services, according to a report released at Infosecurity Europe 2016 in London.

The researchers counted 7.8 million MySQL databases and 3.4 million Microsoft SQL Server systems, but did not include other popular database systems such as PostgreSQL and OracleDB.

The scan of 30 of the most prevalent services across the internet showed that 4.7 million systems expose port 445, which is one of the most commonly attacked ports used by Microsoft systems.

The study measured the prevalence of cleartext, unencrypted services on the internet and their encrypted counterparts, by country, and used this ratio to generate an overall National Exposure Index score.

It found the most exposed nations on the internet today include countries with the largest GDPs, such as the US, China, France and Russia.

Belgium was found to be the most exposed country, but researchers said the reason for that was not yet clear. The US was ranked at number 14, while the UK came in at 23.

“This is a foundational paper, intended to educate readers about the core principles on which internet-based services operate,” said Tod Beardsley, security research manager at Rapid7.

“It is aimed at decision makers, policy makers and chief information security officers, which is why there is a lot of explanation in the report of how things work. We are releasing all the data behind the report, so it is also aimed at researchers and data scientists,” he told Computer Weekly.

 

Encryption is essential

The report catalogues, for the first time, what is going on in the internet, providing the first service-level audit in an attempt to counteract the high level of port scanning being carried out by cyber criminals.

“We wanted to look at all the cleartext services versus their encrypted counterparts to see how that deployment is coming along, because encryption is important for properly securing the internet,” said Beardsley.

According to the report, fully encrypted communication is important for overall internet safety, usability and sustainability.

“Today’s internet touches virtually everyone’s lives and is a critical component of economic security. Counter-intuitively, the adoption of fully encrypted protocols for core internet services has not scaled with our personal, national and global dependence on the internet,” the report said.

Beardsley said most people treat the internet as if it were a secure, safe and stable machine, while in reality it is not engineered that way.

“In a way, the internet is not really engineered at all. It has grown and developed organically, and uses millions of insecure protocols like Telnet and FTP [file transfer protocol], which is not appropriate for the way we use the internet today. It’s 2016, but the internet still looks a lot like it did in 1996, just bigger,” he said.

That is despite the fact that there are enormous security and functionality advantages to having encrypted services, he said, especially authentication that enables internet users to be certain about who they are talking to.

For example, the report shows that FTP, which dates from the very start of the internet and is rarely encrypted, is still the fourth most popular protocol, with 20 million FTP services being used to transport things like software security updates, customer data and even patient data.

“People tend to just use the internet and all they care about is that it works. But this study shows that we need to be a little bit more thoughtful, at least on a national and international level, about where we want the internet to go, because we are treating it as if it were engineered one way, while it is actually built in an entirely different way,” said Beardsley.

Businesses should check their own networks, he said, because many of these ports are exposed unintentionally, and unbeknownst to the organisations concerned, by third-party contractors who set up the infrastructure.

 

“We also want to spark conversations about the whole notion of exposure, and raise awareness about things like the fact that one machine with five to seven services on it creates a whole lot more exposure or greater attack surface than having one to two services per machine,” said Beardsley.

“We would also like researchers and manufacturers to look at our data, which has been lacking until now, to see what they can come up with to help fill in the gaps, and to consider the advantages of encryption, which should now be the default,” he said.

According to Beardsley, there is an urgent need for the same kind of effort that went into averting the Y2K crisis to go into averting a crisis around insecure connections on the internet.

“Failure to do the hard work now will result in a crisis due to the mass deployment of unencrypted services,” he said.

Beardsley said individual businesses need to look at what they are doing on the internet, identify the most critical services, and then do whatever is necessary to keep these secure and prevent them from going down.

Source: http://www.computerweekly.com/news/450297895/Millions-of-sensitive-IT-services-exposed-to-the-internet-study-finds

Categorized in Internet Privacy

 

Startups are usually in a rush, and they often forget about data security as they try to get an MVP out. With new businesses, a data breach can result in the company closing down. To address the mistakes most commonly made, I asked ten YEC entrepreneurs the following:

What’s the one crucial mistake that tech startups seem to make when it comes to data security nowadays and why?

1. Personal and professional borders

Bring your own device (BYOD) has become increasingly popular during the past years, even more so in the startup scene. People don’t like carrying several smartphones and having to get proficient in different operating systems for tasks such as checking their email or updating their calendars. However, convenience often compromises security. Workers’ personal devices can access and store sensitive corporate information locally. When the person leaves the company, the information leaves with them, forever stored on his or her device. Security-wise, this is a crucial mistake.

 

2. Ignoring two-step authentication

Two-step authentication – the system that sends your mobile phone a code via SMS, to enter when logging in to a new web page – is an easy, but often ignored, initial step. It is now offered in all the key business platforms, including Salesforce and Google Apps for Work. You can even enable this security system in social networks at will. Since password breaching is becoming more and more common, the wise thing to do is to enhance your online-stored sensitive information with an added protection layer.

3. Security issues

Racing to get a sustainable product on the market and getting those all important sales is a top startup priority, which may cause security mishaps early on. Ensuring that your systems are secure is a meticulous process which can rob resources from product development. However, when startups “cheat” during security setup, it is almost certain that they’ll come across the same problem in the future. Privacy and safety should be top priorities from the beginning.

4. Insufficient exit protocols

Data lapses and security breaches are more common with companies that depend mostly on freelancers or part-time staff unless they incorporate a predetermined exit procedure. Data loss, in the form of confidential information sharing, account access and other, is not hard to take place when sensitive corporate data remains stored on the devices of these people; they are not so security-conscious on their personal devices, or they even forget about having the information stored in the first place. You ought to protect your company’s and your client’s information by planning ahead with your legal team.

5. Forgoing SSL from the beginning

SSL (Secure Sockets Layer) is easily implementable from day one. It should be enabled by default in every website. It reassures your users, while upgrading the security level of your communications.

 

6. Failing to prioritize security

Startups often think they can leave security for later when they will have grown larger. The problem with this approach is that the company fails to incorporate security in its core values, which makes it harder to deal with when the time comes.

7. Having no policies for cloud storage

Cloud Storage services like Dropbox, Box and Google Drive, are an amazing way to keep your team up to speed and handle documents. However, failing to lock them down properly renders them vulnerable to ransomware, viruses, and unauthorized access. The main vulnerability is the convenience of file sharing itself, which means that backups, anti-virus, password, email attachment and access policies must be set up before a single user is allowed to cause trouble for a whole company.

8. Disregarding security best-practice

Change in security practices follows the pace of technological evolution. This means that security standards from a decade ago are now obsolete. Many startups fail to keep up with the most up-to-date security developments and as a result, they use outdated encryption protocols or old techniques that can be breached by hackers and crackers.

9. No internal policies and infrastructure

Tech startups are in a prime position regarding data security because they have the ability to apply best industry practices from the start, without being kept behind by outdated systems. This has resulted in unprecedented product security. However, despite the increased security, internal protocols and practices at tech startups have not evolved accordingly. Limited use of single log-in, sharing of credentials and insecure password policies are all aspects of the failure of technology startups to invest adequate resources in their internal systems and infrastructure or their influence on data security.

 

10. No suspicious activity notifications

About half-a-year ago, I suffered a data breach that brought me close to a significant financial setback. For starters, I used a single (weak) password across many organizations, as well as for personal use. Someone figured out the password, and I suffered breaches in multiple points at the same time. I could have easily avoided this catastrophe with a simple policy regarding password strength. What’s more, I found out that sophisticated data security tools exist in many systems for mitigating data breaches. On Google Apps for Business, for example, I set up a notification alert to be sent whenever weird activity takes place.

Source: https://www.entrepreneur.com/article/277086

Categorized in Others

 

Washington, DC: A new report from the Federal Trade Commission (FTC) shows that data breach complaints are on the rise. In the report, Consumer Sentinel Network Data Book (2/16), the FTC notes that complaints about identity theft increased 47 percent in 2015, likely helped by a number of high-profile data breaches. Consumers have filed lawsuits against companies they allege have failed to adequately protect their personal, confidential information.

 

Data breaches frequently occur when unauthorized third parties gain access to personal information. Hackers exploit vulnerabilities in computer systems to access information such as bank accounts, health records, Social Security numbers, addresses, tax information and passwords. Making the situation more concerning, a report from Javelin Strategy & Research (2/2/16) notes that identity thieves have stolen around $112 billion in the past six years, the equivalent of around $35,600 per minute.

According to the FTC, identity theft was the second-highest complaint category, falling behind debt collection. Among identity theft complaints were tax- or wage-related fraud, credit card fraud, phone or utilities fraud, and bank fraud.

“Nearly half a million complaints sends a clear message: more needs to be done to protect consumers from identity fraud,” said National Consumers League Executive Director Sally Greenberg. “One of the key drivers of the identity theft threat is the continuing flow of consumers’ personal information to fraudsters thanks to the ongoing epidemic of data breaches.”

Meanwhile, New York State Attorney General Eric T. Schneiderman has also indicated that data breaches are increasing. A news release issued by the Attorney General (5/4/16) notes that his office has received more than 40 percent more data breach notifications so far in 2016, compared to the same time span in 2015. From January 1 to May 2, 2016, the Attorney General’s office received 459 data breach notices, compared with 327 in the same period of 2015.

An earlier report issued by the New York Attorney General’s office found that hacking intrusions - where third parties gain unauthorized access to data stored on computers - were the number-one cause of data security breaches.

 

Consumers have filed lawsuits against companies accused of not properly storing or securing customer information. In April, an appeals court reinstated a lawsuit filed against P.F. Chang’s, which alleged the restaurant chain was responsible for a massive data breach. Although the lawsuit was dismissed by a lower court, with the judge finding the plaintiffs did not show actual harm, according to The National Law Journal (4/15/16), a federal appeals court reinstated the lawsuit, finding the plaintiffs had shown plausible injuries.

Among possible compensation plaintiffs could be entitled to were the cost of credit-monitoring services, unreimbursed fraudulent charges and lost points on a debit card.

The lawsuit is Lewert et al. v. P.F. Chang’s China Bistro, No. 14-3700, in the US Court of Appeals for the Seventh Circuit.

Source: https://www.lawyersandsettlements.com/articles/data-breach/federal-trade-commission-ftc-javelin-strategy-21469.html?utm_expid=3607522-13.Y4u1ixZNSt6o8v_5N8VGVA.0&utm_referrer=https%3A%2F%2Fwww.lawyersandsettlements.com%2Flegal-news-articles%2Finternet-technology-news-articles%2F

Categorized in Science & Tech

As the number of reported data breaches continues to blitz U.S. companies — over 6 million records exposed already this year, according to the Identity Theft Resource Center — IT budgets are ballooning to combat what corporations see as their greatest threat: faceless, sophisticated hackers from an outside entity.

But in reality, a bigger danger to many companies and to customers' sensitive data comes from seemingly benign faces inside the same companies that are trying to keep hackers out: a loan officer tasked with handling customers' e-mail, an attendant at a nursing home, a unit coordinator for the main operating room at a well-regarded city hospital.

According to Verizon's 2015 Data Breach Investigations Report, about 50 percent of all security incidents — any event that compromises the confidentiality, integrity or availability of an information asset — are caused by people inside an organization. And while 30 percent of all cases are due to worker negligence like delivering sensitive information to the wrong recipient or the insecure disposal of personal and medical data, roughly 20 percent are considered insider misuse events, where employees could be stealing and/or profiting from company-owned or protected information.

Often, that translates to employees on the front lines stealing patient medical data or client social security numbers, which can then be sold on the black market or used to commit fraud like collecting someone else's social security benefits, opening new credit card accounts in another's name, or applying for health insurance by assuming the identity of someone else.

"The Insider Misuse pattern shines a light on those in whom an organization has already placed trust," Verizon said in the report. "They are inside the perimeter defenses and given access to sensitive and valuable data, with the expectation that they will use it only for the intended purpose. Sadly, that's not always the way things work."

For the first time since 2011, Verizon found that it's not cashiers involved with most insider attacks, but many "insider" end users — essentially anyone at a company other than an executive, manager, finance worker, developer or system administrator — carrying out the majority of such acts. Most are motivated by greed.

"Criminals have a different motivating factor," said Eva Velasquez, CEO and president of Identity Theft Resource Center, a non-profit charity that supports victims of identity theft. "There are a number of jobs that pay minimum wage where individuals have access to this type of information, and so the incentive may be 'this isn't a job that is paying me enough to support myself.'"

Velasquez cites workers in an assisted living facility tasked with caring for patients, a job in close proximity to medical records that can be accessed by a few keyboard taps. According to the Bureau of Labor Statistics, such healthcare support occupations see mean annual wages hovering around $25,000, a salary that might make workers more vulnerable to stealing for self gain. Or, maybe worse, they fall prey to acting as a conduit for some type of organized crime ring looking to make big money by selling or manipulating stolen personal data.

According to the Verizon report, the public sector, health care and financial services — like credit card companies, banks, and mortgage and lending firms — were the industries hit hardest by insider incidents in 2015.

In one recent case, a Baltimore man is facing federal charges of identity theft and bank fraud after he used personal information of at least three nursing home residents to open multiple credit card accounts without their permission. A former employee of Tufts Health Plan pleaded guilty to stealing names, birth dates and social security numbers that were eventually used to collect social security benefits and fraudulent income tax refunds. A former assistant clerk at Montefiore Medical Center in New York was indicted in June 2015 for printing thousands of patients' records daily and selling them. The information in the records was eventually used to open department store credit cards at places like Barneys New York and Bergdorf Goodman; the alleged actions are estimated to have caused more than $50,000 in fraud, according to the New York County District Attorney's Office.

While the number of breaches and hacks by outsiders has skyrocketed since 2007 in tandem with the surging digitization of information, the occurrence of insider jobs can be a read on the overall economy. It tends to peak during recessions and drop off when times are good, according to the Identity Theft Resource Center. In 2009, the percentage of insider attacks hit a high of roughly 17 percent; after a three-year slide, the amount today (about 10 percent) is slowly creeping back up.

"When the economy isn't doing well, you'll see people that are feeling stressed and taking advantage of opportunities they might not take advantage of otherwise," said attorney James Goodnow from the Lamber Goodnow team at law firm Fennemore Craig.

With the defining characteristic of an internal breach being privilege abuse — employees exploiting the access to data that they've been entrusted with — the best way to mitigate such attacks is to limit the amount of information allotted to workers.

"As business processes have started to rely more on information and IT, the temptation, the desire is to give people access to everything [because] we don't want to create any friction for users to do their jobs," said Robert Sadowski, director of marketing and technology solutions at security firm RSA.

Terry Kurzynski, senior partner at security firm Halock Security Labs, said that smart entities perform enterprise-wide risk assessments to find where their systems are most vulnerable and to spot aberrations in user behavior.

But sophisticated analytics does little to assuage situations where employees are using low-tech methods to capture information. "Most systems will not handle the single bank employee just writing down on paper all the bank numbers they see that day — that's difficult to track," said Guy Peer, a co-founder of security firm Dyadic Security.

Clay Calvert, director of cybersecurity at IT firm MetroStar Systems, said communication with employees in a position to turn rogue is key. "That's a big deterrent in identity theft cases; if an employee feels like the company cares for them, they're less likely to take advantage of the situation."

Hackers hiding in plain sight

Preventing the display of sensitive data in plain sight — say an employee seeing a confidential record as they walk by a colleague's computer — is the focus of Kate Borten, founder of Marblehead Group consultancy and a member of the Visual Privacy Advisory Council. She recommends companies institute a clean desk policy (ensuring that workers file away papers containing customer data before they leave their desk), implement inactivity time outs for any tech devices, and switch to an e-faxing system, which eliminates the exposure of sensitive patient data on paper that's piled up around traditional fax machines.

Experts say that tougher penalties for, and more prosecution of, inside hackers would also be a disincentive for such crimes. "On a general level, there can be practical barriers to pursuit of a criminal case, such as the victim company's fear of embarrassment, reputational damage, or the perceived risk — real or not — that their trade secrets will be exposed in a court proceeding," said Brooke French, shareholder at law firm Carlton Fields.

But she added, "The DOJ and local authorities prosecute these cases all the time, despite what are seen as common barriers. The barriers are low when the actions are clearly wrong, such as a hospital employee stealing electronic medical records and selling them on the black market."

While the price tag for stolen information on the black market can translate to a lucrative sales career for some crooked employees, it's a costly phenomenon for organizations once they have realized it has occurred, which is often "during forensic examination of user devices after individuals left a company," said Verizon.

That's usually too late to enact damage control. According to the Ponemon Institute, the average cost of a breach is $217 per record.

"That's just the hard costs, what you have to pay for notifying customers or any type of remediation services," said Velasquez. "The bigger, broader cost is the reputational damage that shows itself not just to the entity that suffers the damage, but to the industry."

Source:  http://www.cnbc.com/2016/05/13/a-surprising-source-of-hackers-and-costly-data-breaches.html

Categorized in Internet Privacy

Finally ready to get off the grid? It's not quite as simple as it should be, but here are a few easy-to-follow steps that will at the very least point you in the right direction.

If you're reading this, it's highly likely that your personal information is available to the public. And while you can never remove yourself completely from the internet, there are ways to minimize your online footprint. Here are five ways to do so.

Be warned, however: removing your information from the internet, as I've laid it out below, may adversely affect your ability to communicate with potential employers.

1. Delete or deactivate your shopping, social network, and Web service accounts

Think about which social networks you have profiles on. Aside from the big ones, such as Facebook, Twitter, LinkedIn and Instagram, do you still have public accounts on sites like Tumblr, Google+ or even MySpace? Which shopping sites have you registered on? Common ones might include information stored on Amazon, Gap.com, Macys.com and others.

To get rid of these accounts, go to your account settings and just look for an option to either deactivate, remove or close your account. Depending on the account, you may find it under Security or Privacy, or something similar.

If you're having trouble with a particular account, try searching online for "How to delete," followed by the name of the account you wish to delete. You should be able to find some instruction on how to delete that particular account.

If for some reason you can't delete an account, change the info in the account to something other than your actual info. Something fake or completely random.

Using a service like DeleteMe can make removing yourself from the internet less of a headache.

2. Remove yourself from data collection sites

There are companies out there that collect your information. They're called data brokers and they have names like Spokeo, Crunchbase, PeopleFinder, as well as plenty of others. They collect data from everything you do online and then sell that data to interested parties, mostly in order to advertise to you more specifically and sell you more stuff.

Now you could search for yourself on these sites and then deal with each site individually to get your name removed. Problem is, the procedure for opting out from each site is different and sometimes involves sending faxes and filling out actual physical paperwork. Physical. Paperwork. What year is this, again?

Anyway, an easier way to do it is to use a service like DeleteMe at Abine.com. For about $130 for a one-year membership, the service will jump through all those monotonous hoops for you. It'll even check back every few months to make sure your name hasn't been re-added to these sites.

3. Remove your info directly from websites

First, check with your phone company or cell provider to make sure you aren't listed online and have them remove your name if you are.

If you want to remove an old forum post or an old embarrassing blog you wrote back in the day, you'll have to contact the webmaster of those sites individually. You can either look at the About us or Contacts section of the site to find the right person to contact or go to www.whois.com and search for the domain name you wish to contact. There you should find information on who exactly to contact.

Unfortunately, private website operators are under no obligation to remove your posts. So, when contacting these sites be polite and clearly state why you want the post removed. Hopefully they'll actually follow through and remove them.

If they don't, tip number four is a less effective, but still viable, option.

4. Delete search engine results that return information about you

Search engines include Bing, Yahoo and Google. In fact, Google has a URL removal tool that can help you delete specific URLs.

Google's URL removal tool is handy for erasing evidence of past mistakes from the internet.

For example, if someone has posted sensitive information such as a Social Security number or a bank account number and the webmaster of the site where it was posted won't remove it, you can at least contact the search engine companies to have it removed from search results, making it harder to find.

5. And finally, the last step you'll want to take is to remove your email accounts

Depending on the type of email account you have, the number of steps this will take will vary.

You'll have to sign into your account and then find the option to delete or close the account. Some accounts will stay open for a certain amount of time, so if you want to reactivate them you can.

An email address is necessary to complete the previous steps, so make sure this one is your last.

One last thing...

Remember to be patient when going through this process. Don't expect it to be completed in one day. And you may also have to accept that there are some things you won't be able to permanently delete from the internet.

Source: http://www.cnet.com/how-to/remove-delete-yourself-from-the-internet/

Editors' note: This article was originally published in December 2014. It has been updated with only a few minor tweaks.

Categorized in Internet Privacy

Absurdly Driven looks at the world of business with a skeptical eye and a firmly rooted tongue in cheek.

Knowing the truth isn't enough sometimes.

You need academics to point out the obvious so that you can huff that, of course, their conclusions are obvious and then you go back to doing nothing about it.

This, therefore, is how you might react to research from the Future Work Centre, a group of psychologists who analyze how work is affecting you.

Thanks to technology, it's not affecting you well.

Indeed, these researchers suggest that the mere existence of the email system leads to enormous stress.

Dr. Richard MacKinnon, the lead author of the study, declared: "Our research shows that email is a double-edged sword. Whilst it can be a valuable communication tool, it's clear that it's a source of stress or frustration for many of us."

You knew that, of course. But what have you done about it? Nada, perhaps?

Consider this, then.

MacKinnon concluded: "The people who reported it [email] being most useful to them also reported the highest levels of email pressure. But the habits we develop, the emotional reactions we have to messages and the unwritten organizational etiquette around email, combine into a toxic source of stress which could be negatively impacting our productivity and well-being."

He's British. He was being nice. It isn't that it could be negatively impacting our well-being. It is.

You know that it is. You feel the mental burden every morning when you open your laptop or stare at your phone in bed and see that there are 50 or 60 emails demanding your eyes and mind.

Do you remember what it was like when you just woke up and wondered: "I wonder what today will bring?"

Now, today has already brought a ton of problems before you've even had a chance to brush your teeth.

There's a certain tragedy in reading MacKinnon's assertion that those who find email most useful feel the most pressure.

Indeed, he and his team found that the two worst habits are keeping your email app open all day and checking your email first thing in the morning and last thing at night.

It's in this area that researchers want you to stop and think. And even do.

They suggest switching your email off and opening it only when you actually have a positive reason to be using it.

But that requires effort and discipline. You're too weak to do that, aren't you? It's so hard when your bosses are workaholics -- either naturally or out of fear -- and expect you to be always "on."

Moreover, technology is often designed to hook you and keep you hooked. It's created the notion that you could be missing out on something very important, something that could affect your day, your week, or even your career.

We live with only one eye on our lives. The other eye is always on the lookout for, well, something else -- a problem, a danger, a demand, or even an opportunity.

And then we wonder that we're slowly going mad.

We begin to loathe our dependence on gadgets, even as we sit in a restaurant with our lovers completely ignoring them in favor of, oh, a work email.

One tiny light of hope emerged from this research. It was that the youngest people feel the most email stress.

Perhaps the older ones know how to handle it better because they know that 99 percent of all office communication is simply windbaggery and balderdash.

Source:  http://www.inc.com/chris-matyszczyk/emails-are-killing-you-researchers-say.html

Categorized in Online Research
