
Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites.  The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – nicknaming it “Cloudbleed” after the 2014 Heartbleed bug – reported it to Cloudflare on February 18, 2017.  Cloudflare disabled the compromised software and stopped the leak later the same day.

The leaked data reportedly included passwords, private messages, encryption keys, session cookies that would let an attacker log into an account without a password, IP addresses and other data.  Leaked data was exposed to search engine crawlers, which began to automatically cache the data, thus complicating remediation.

As of this writing there have been no publicized reports that leaked data has been exploited and Cloudflare has published analysis concluding that the vast majority of its customers probably were not affected.  However, operators of millions of websites and their users are left to wonder whether they were affected and what they should do next.

Below is a summary of what we know now and our thoughts on next steps.

What is Cloudflare?

Cloudflare makes a web content delivery product used by 6 million customers to enhance website performance and security.  When you visit a website in Cloudflare’s network, your request for the site is automatically routed to Cloudflare, which uses routing techniques and its own copy of the site’s static content to load the site faster than it would conventionally.

Cloudflare also offers features designed to enhance the security of web content, such as rewriting unencrypted http content to encrypted https, using “server-side exclude” technology to ensure data is seen only by its intended audience, and obfuscating email addresses.

What does the Cloudbleed bug do?

The bug was found in a parser used to power three security features – https rewrites, server-side excludes, and email obfuscation.  To execute these features, Cloudflare saves website content and data to memory for parsing.  The bug caused this data to leak – at random – into code of web pages in the Cloudflare network such that when you visited a web page, that page would include leaked data from an entirely different Cloudflare-supported website.

What type of information was leaked?

The Google researcher who discovered the bug gave this report:

I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

Cloudflare’s CTO initially reported that end-user passwords, authentication cookies, OAuth tokens used to log into multiple website accounts, and encryption keys were at risk of exposure.  In its most recent blog post, Cloudflare reports that it has not yet found any instances of passwords, credit cards or health records among leaked data but that leakage of this and other sensitive data cannot be ruled out.  In addition, Cloudflare has emphasized that leakage occurred randomly and leaks would include a mixed bag of both potentially sensitive data and useless non-sensitive “noise”.

Where did leaked data go?

Leaked data could be stored in the browser caches of users who unwittingly downloaded leaked data, was cached by search engines like Google, Bing and Yahoo, and may have been saved by other bots that roam the Internet.  While Cloudflare worked with search engines to remove 770 cached instances of leaked data from 161 different domains before announcing the bug and was unable to find leaked data on sites like Pastebin, researchers subsequently reported that leaked sensitive data is still discoverable in search engines.

When did the leak become active?

As early as Sept. 22, 2016, when the https rewrite feature was first enabled.

The period of greatest exposure was between February 13, 2017 (when the email obfuscation feature was migrated to the compromised parser) and February 18, 2017 (when the compromised features were disabled).

How many Cloudflare customers were affected?

Cloudflare has not provided an official estimate but its latest blog post reports that it found data of approximately 150 Cloudflare customers among the more than 80,000 cached pages that have been purged by the search engines.  The post provides some useful analysis of the probability of a leak based on a website’s level of traffic.  For example, a site that made 250-500 million requests to the Cloudflare network per month is expected to have leaked 25-56 times.  Cloudflare estimates that the 99% of its customers sending fewer than 10 million requests per month probably had no leak at all.  The post also reports that a maximum of 6,457 websites could have triggered the bug.  However, because the websites that triggered the bug pulled information from other websites in Cloudflare’s network, the number of affected Cloudflare customers is unknown and could be much higher.

Has any data been exploited?

Cloudflare reports that it has found no evidence of the bug being exploited before it was patched.

What is the risk to individuals?

The risk to specific individuals is difficult to evaluate at this stage.  The good news is that Cloudflare acted quickly to remediate the bug and purge known instances of leaked data from search engine caches—all before any reported instances of the bug being discovered or exploited by malicious actors.  In addition, the random distribution of leaked data across the Internet may limit the kind of accumulation of data in one place that would make it easier for a malicious actor to exploit it at scale.  Finally, according to Cloudflare’s analysis, the risk of a leak appears to be low for 99% of its customers.

The bad news is that some of the leaked data – including passwords, encryption keys, authentication tokens and conversations – is clearly sensitive and potentially exploitable to the extent it is still discoverable in search engine caches or elsewhere.

What should companies do now?

Like the Heartbleed bug before it, Cloudbleed is the latest internet security bug to expose a wide swath of the Internet to potential data leaks while in most cases leaving no way to conclusively confirm whether or not a particular company’s or individual’s data was leaked or exploited.  While Cloudbleed may pose low risk to most websites according to Cloudflare, its customers should take this news seriously given the sensitivity of the data exposed and the media attention that the bug has attracted.  Following some basic incident response best practices can help companies mitigate risk and assure customers and partners that appropriate steps are being taken.

  • Evaluate the impact. Companies that use Cloudflare should evaluate the impact to their own websites and any potentially sensitive data that those sites process, while continuing to follow new developments.  A careful reading of Cloudflare’s initial and follow-up posts, as well as the post by the Google security researcher who discovered the bug, followed by inquiries with Cloudflare, are a good start.
  • Take mitigating action. Because the Cloudbleed bug has been patched, efforts should focus on mitigating risk to potentially impacted individuals.  Cloudflare has recommended that concerned customers invalidate and reissue persistent secrets, such as long lived session identifiers, tokens or keys (the company says that customer SSL keys were not exposed and do not need to be rotated).  Other options include:
    • Informing customers about Cloudbleed and its potential impact.
    • Recommending that customers change passwords and use two-factor authentication to protect accounts
    • Forcing a change of administrator credentials for potentially impacted sites
    • Forcing a change of customer passwords
    • Requiring customers to log back into websites without changing passwords (if not already required by invalidating session identifiers)

The right approach will vary for each company based on its own business, the operational costs of making these changes, the sensitivity of the data it handles and the probability of data leakage based on the volume of traffic it sends through Cloudflare.  Companies should perform their own risk assessments in determining the appropriate mitigating steps, weighing both the probability that leaked data could be exploited and the potential impact to the company and individuals if it is.  It is a good idea to document this analysis as part of your incident response process (discussed below).

  • Search for your data. Although Cloudflare took steps to purge leaked data from search engine caches, there have been reports on social media that leaked data remained discoverable after Cloudflare’s purge.  Thus, potentially affected companies should make a reasonable effort to discover whether their own data is still searchable as part of their incident response efforts.  Whether these searches are performed with the assistance of security incident response vendors or in-house, it is advisable to document the methodology used for the search, why it is believed to be sound and the results of the searches.
  • Develop a communications strategy. Cloudbleed has attracted significant media attention and it is only a matter of time before companies are asked whether they are affected.  Proactively communicating your company’s response to Cloudbleed and efforts to investigate can help alleviate concerns and demonstrate that your company takes security seriously.  This message can be relayed through support emails, customer notices or talking points tailored to customers or other external parties who may inquire.  However, like any external communication relating to an information security incident, these messages should be carefully crafted with the assistance of legal counsel and other relevant internal stakeholders before distribution.
  • Consider security incident notice obligations. Companies should consult legal counsel to assess whether even potential leakage of data triggers breach notification obligations under legal or contractual obligations. While most legal breach notification requirements would not be triggered by unconfirmed potential data leakage, the question is worth closer examination if health data or other particularly sensitive data is at issue or if the company is subject to stringent contractual security incident notification requirements.
  • Initiate an incident under your incident response plan. Companies are increasingly required by law, contractual obligations or internal policy to follow a security incident response plan that addresses how to detect, respond to and mitigate security incidents affecting sensitive data.  If you have an incident response plan and handle sensitive data with potential exposure to Cloudbleed, this is a great reason to formally initiate an incident and respond according to your plan.  Doing this, and documenting the effort, can help you ensure a sound response and demonstrate that you responded responsibly in the event auditors, customers or governmental investigators inquire.  You will also learn something about how well your incident response plan works and what can be done to improve it.
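The "Take mitigating action" step above centres on invalidating and reissuing persistent secrets such as long-lived session identifiers. The following is an added example, not code from the original post, from Cloudflare or from any affected site, of the server-side mechanism that makes this possible without a full password reset: a session store that records when each token was issued and can revoke every session older than a cutoff (the moment the leaking component was disabled, for instance), either site-wide or for a single user after that user has changed their password, and that can swap a still-valid token for a fresh one. Every name in it (SessionStore, revoke_all_before, reissue and the rest) and the timestamps used in the demonstration are this example's own assumptions.

```python
# Added example (not code from the original post, Cloudflare, or any affected
# site): a small server-side session store that can revoke every session
# issued before a cutoff, site-wide or per user, and reissue a fresh token.
# All names here (SessionStore, revoke_all_before, ...) are this example's
# own assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: float  # seconds since the epoch


class SessionStore:
    """Opaque bearer tokens, keyed by an HMAC of the token rather than the token
    itself, so a copy of the store alone does not yield usable credentials."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._sessions: Dict[str, Session] = {}
        self.global_not_before = 0.0            # sessions older than this are dead
        self.user_not_before: Dict[str, float] = {}

    def _lookup_key(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._sessions[self._lookup_key(token)] = Session(user, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or revoked."""
        key = self._lookup_key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        cutoff = max(self.global_not_before,
                     self.user_not_before.get(session.user, 0.0))
        if session.issued_at < cutoff:
            del self._sessions[key]             # purge lazily on first use
            return None
        return session.user

    def revoke_all_before(self, cutoff: float) -> int:
        """Site-wide: kill every session issued before cutoff (for instance the
        moment a leaking component was disabled). Returns the number purged."""
        self.global_not_before = max(self.global_not_before, cutoff)
        return self._purge(lambda s: s.issued_at < cutoff)

    def revoke_user_before(self, user: str, cutoff: float) -> int:
        """Per-user variant, e.g. right after that user changes their password."""
        self.user_not_before[user] = max(self.user_not_before.get(user, 0.0), cutoff)
        return self._purge(lambda s: s.user == user and s.issued_at < cutoff)

    def reissue(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Swap a still-valid token for a fresh one and retire the old one."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[self._lookup_key(token)]
        return self.issue(user, now)

    def _purge(self, is_dead: Callable[[Session], bool]) -> int:
        keys = [k for k, s in self._sessions.items() if is_dead(s)]
        for k in keys:
            del self._sessions[k]
        return len(keys)


if __name__ == "__main__":
    # Constructed demonstration with fixed timestamps.
    store = SessionStore(b"example-server-key")
    old = store.issue("alice", now=100.0)
    new = store.issue("alice", now=200.0)
    print(store.revoke_all_before(180.0))      # 1: only the older session dies
    print(store.validate(old), store.validate(new))  # None alice
```

Keeping a "not before" timestamp alongside the session records means revocation also covers tokens that were never seen by the store after the incident (a replica that lagged, a cached copy), since validation compares issue time against the cutoff rather than relying on the purge having reached every row. Forcing a password change is a separate decision; the per-user cutoff is the hook that a password-change handler would call so that the old sessions die with the old password.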

Author : David Navetta & Boris Segalis

Source : http://www.dataprotectionreport.com/2017/03/cloudbleed-bug-impacts-large-swath-of-the-internet/

Categorized in Internet Privacy

Middle-aged people who consider themselves tech-savvy are a prime target for internet fraudsters, according to research by the insurer Aviva.

More than a million over-45s have fallen victim to an online scam, even though two thirds call themselves “tech adopters” who embrace new devices.

Aviva’s Real Retirement Report found that those aged between 45 and 64 were more likely to be conned than those between 65 and 74 and are almost as at risk as the over-75s.

The survey showed that 6 per cent of over-45s with internet access had been victims of scams, compared with 4 per cent of 65 to 74-year-olds and 8 per cent of over-75s.

Author : Philip Aldrick

Source : http://www.thetimes.co.uk/edition/business/internet-fraudsters-take-aim-at-savvy-over-45s-qmp7jwrmh

Categorized in Internet Privacy

Ian Kilpatrick, chairman of security specialist Wick Hill Group and EVP cyber security for Nuvias Group, looks at the rapidly changing security scenario faced by companies in 2017

1. Security reaches the boardroom

In 2017, security breaches will be a regular occurrence.

Organisations will continue to struggle to deal with them, causing board-level executives to pay more attention to security, as the financial and reputational consequences become more apparent – the average cost of a serious data breach to a company is now $3.5 million.

The fact is that many company boards have abdicated their responsibility regarding IT security for a long time, and are only now overtly recognising that breaches are a business risk, the same as a foreign exchange risk or a fire risk, and they need to understand it and manage it.

Business leaders will increasingly demand clarity around the security risks that their organisations are exposed to, and how secure they are in response to those risks, particularly around issues like PCI compliance. Alongside this, they will require ongoing monitoring and board level reporting.

As such, IT professionals will need to deliver a clear-cut definition of proper measures to tackle the risks.

2. Tackling existing threats and employee behaviour

Most vulnerabilities will continue to either be known vulnerabilities or down to employee behaviour, and organisations shouldn’t be distracted by the big cyber-attack headlines in the press, or knee-jerk responses and marketing hype from security vendors.

Organisations need to address their vulnerability management in a structured fashion so they are progressively working their way through managing their own vulnerabilities, rather than getting distracted by the latest data breach that’s making the news.

Keeping a core focus on the key elements of security, while still responding to upcoming threats, isn’t easy, but CISOs need the strength to push back to the board to say, “We need to deal with this first.”

3. More cloud breaches

There will be continued growth in cloud breaches. It’s an attack vector that contains significant vulnerabilities around identity management and mobility or off-site access.

Consequently, cloud access security broking will experience significant growth and there will be more interest in Identity-as-a-Service (IDaaS).

Indeed, Gartner predicts that 40 percent of identity and access management (IAM) purchases (see below) will use the IDaaS delivery model by 2020, up from just 20 percent in 2016.

4. Identity access management comes of age

Across all areas, identity access management will at last move into where it should have been ten years ago, and experience strong growth.

Organisations are starting to recognise that simple passwords have always been insecure but in this new world they now are totally insecure. Particularly with user passwords being harvested in the hundreds of millions from social media sites.

Identity access management involves a range of solutions based on multi-factor authentication, linking between physical access and logical access, e.g. card systems, tokens, mobile phone biometrics, etc.

While biometrics can appear as a panacea, bear in mind that your biometric is a core unique identifier, and if the underlying database is breached, that identifier is useless from that point on.

5. Total security still not achievable

Companies will realise total security is not achievable, and that they will be breached. The consequence of that is that they will increasingly move to secure key assets rather than try to protect everything.

They will increasingly invest in technology such as data leakage protection and encryption, as they look to protect their security perimeter against attack, from both inside and outside the organisation.

6. IoT insecurity

The Internet of Things (IoT) will continue to show the stupidity of rolling out applications prior to considering security.

The challenge for organisations will be dealing with the security threat of IoT technology getting into the organisation – probably through shadow IT implementation – which is a nightmare scenario for CISOs.

IoT will also drive growth in DDoS solutions, particularly following the recent high profile attacks on Twitter, Spotify and Reddit using ‘smart’ home devices.

7. Growth in user training

One much overlooked area is user training, testing and awareness, but one that continues to experience strong growth, as organisations realise that insecure behaviour at home leads to insecure behaviour in work-mode.

More than 60% of all network intrusions stem from compromised user credentials, so education, awareness training and user testing will increase as companies realise employee behaviour is a key vulnerability – but it can be resolved by teaching and managing employees’ awareness skills and competence.

Measurements show that, for most organisations, initial testing of employee skills demonstrates average failure rates of 20%, which slowly declines over time – but worryingly rarely reaches zero!

8. Mobility and wireless worries

Mobility security will continue to represent an ever-increasing challenge to organisations both with device management and user interaction – as will the use of wireless networks.

A large majority of mobile device users will connect to Wi-Fi networks without considering the risks that involves and the credentials they are exposing. Inside organisations, first generation wireless deployments are, in many cases, particularly insecure.

There is an increasing focus on providing high capacity and high performance networks but that carries with it not only the need to do it securely, but also to offer the right user credentials, particularly in distributed organisations where there have been many high-profile breaches.

9. GDPR preparation

In 2017, General Data Protection Regulation (GDPR) will drive a lot of changes within organisations in preparation for the May 2018 deadline, as the consequences of not meeting the deadline sink in.

If an organisation fails to protect their data, they will be liable to a fine that represents a percentage of their turnover.

Bear in mind there are organisations only making two or three percent profit as a percentage of their turnover, so that’s going to hurt – and possibly cause a collapse of share prices. Companies need to start thinking about how to mitigate that risk.

10. Implementing best practice

There will be more press coverage of stolen data in 2017, which for many organisations, will expose unresolved issues around passwords, content, and payment card vulnerabilities.

In most cases, companies are unaware when they’ve been breached. Just because you think you’re safe, doesn’t mean you are; if nothing appears to have happened, it doesn’t mean it didn’t happen or isn’t still happening.

Shockingly, the average length of time an attacker stays inside a network before detection is more than 140 days – that’s if the attacker doesn’t just copy the data and disappear.

As a result, you may not find out you were breached for a long time. Some recently discovered breaches date back over four years.

Organisations need to look at encrypting their data, changing login credentials, removing user privilege, etc., on a regular basis.

At worst, you will have spent the time implementing best practice, and at best you’ve stopped potential attackers using your own data against you.

If you’re waiting for a breach before implementing these safeguards, you might want to think about the financial and reputational consequences compared to the cost of fixing it before it happens.

Author : Nick Ismail

Source : http://www.information-age.com/top-10-security-predictions-2017-123463621/

Categorized in Internet Privacy

ONE OF THE most important laws protecting online speech is also one of the worst. You’ve probably heard of it. In 1998, President Bill Clinton passed the Digital Millennium Copyright Act, or DMCA. It’s the law that, for example, makes it all too easy for companies to have embarrassing content removed from sites like YouTube by issuing bogus takedown requests, claiming that the content violates their copyright—no presumption of innocence required. But the DMCA also contains one incredibly important section: the so-called safe harbor provision. Thanks to safe harbor, companies can’t be held liable for copyright violations committed by their users, so long as the companies take reasonable steps to ensure that repeat offenders are banned from their services. Post a pirated copy of Ghostbusters to YouTube via your Comcast Internet connection? That’s on you, the DMCA says, not on YouTube or Comcast.


Companies fearing they’ll lose their safe harbor might start policing the content posted by their users.

But after a recent court decision, that safe harbor doesn’t look so safe anymore.

Last week a federal judge ruled that cable Internet provider Cox Communications must pay $25 million in damages to BMG Rights Management, which controls the rights to the music of some of the world’s most popular artists. The court found that Cox was liable for the alleged copyright infringement carried out by its customers, safe harbor or not. The decision might not rattle the giants of the Internet business, like Comcast, Verizon, Google and Facebook–at least not yet. But it could be bad news for smaller companies that can’t afford such costly legal battles. And if companies start fearing they’ll lose their safe harbor, they might have to start more carefully policing the content posted by their users.

Turning Off Notifications

It’s hard to overstate the importance of the DMCA’s safe harbor provision to the growth of the early Internet. Had providers and platforms faced liability for what users published, far fewer social networks and web hosts would have existed because of the legal risk. Those that did exist would have had to carefully screen what users posted to ensure no copyright violations were taking place. In short, the DMCA, for all its problems, enabled the explosion of online speech over the past two decades.

But that explosion has not been kind to some businesses, such as the music industry, which has seen its margins erode since the 1990s due to peer-to-peer file sharing. To fight back, BMG in 2011 hired a company called Rightscorp to monitor file sharing networks and catch people illegally sharing music that belonged to BMG. Whenever Rightscorp believed it had detected a copyright violation, it would forward notifications to the offending user’s Internet provider. The twist was that Rightscorp added a bit of language to its letters offering to settle the copyright dispute if the user was willing to pay a fee of around $20 to $30 per infraction. Cox refused to forward these letters on to its users because it believed the settlement offers were misleading, arguing the notifications of infringement were not in and of themselves proof that a user had actually broken the law.

Rightscorp refused to alter the language of the letters, so Cox refused to process any further notifications from the company. In 2014, BMG sued Cox.

Last year, US District Court Judge Liam O’Grady found that by refusing to process Rightscorp’s requests, Cox had failed to live up to its responsibilities under the safe harbor provision, and therefore was not eligible for its protections. A jury found Cox liable for $25 million in damages. Cox filed for a new trial but O’Grady denied the request last week, allowing the previous decision to stand.

Just a Pipe

While the decision does not set a binding precedent, some open Internet advocates worry the decision could embolden copyright holders to sue smaller companies. A company like Google can afford expensive lawyers. It can invest in multi-million-dollar digital rights management software to keep offending content off its sites. But smaller ISPs or web sites can’t. “If safe harbor is for anyone, it’s for Internet service providers that do nothing but carry information from sites to specific homes,” says Charles Duan, staff attorney at Public Knowledge.

Safe harbor issues aside, BMG’s argument also depends on the idea that users should be denied Internet access because of the mere accusation of copyright infringement, even if the accuser has never proven in court that those users had actually broken the law.

“It doesn’t take into account all the things people use the Internet for,” says Mitch Stolz, a staff attorney with the Electronic Frontier Foundation. “People use it for their jobs, to interact with government. The circumstances in which it’s reasonable to cut someone off are narrower now than 20 years ago.”

However flawed it is, the DMCA enables online speech to flourish. But if the BMG case does become a precedent, online service providers of all types will have to crack down on their users—even if no one has proven in court that those users committed a crime. If you don’t like what someone has to say, you could accuse them of copyright violations and not only have a video banned from YouTube, but have that person kicked off the Internet entirely. That’s not a future in which the Internet flourishes.

Source : http://www.wired.com/2016/08/internets-safe-harbor-just-got-little-less-safe/

Categorized in Internet Privacy

Federal regulators just suffered a major setback in their efforts to help cities build Internet services that compete with large providers such as Comcast and Time Warner Cable.

In a federal court decision Wednesday, the Federal Communications Commission was told that it doesn't have the power to block state laws that critics say hinder the spread of cheap, publicly run broadband service.

The ruling marks a significant defeat for a federal agency that for the past several years has turned "competition" into an almost-literal mantra, with its chairman, Tom Wheeler, repeating the word at almost every possible opportunity.


Under the court decision, large Internet providers will continue to enjoy certain benefits that insulate them from the threat of popular city-owned broadband operators such as the Electric Power Board of Chattanooga, Tenn., and the city of Wilson, N.C.

Through EPB, residents of Chattanooga have access to download speeds of 1 Gbps at rates of about $70 a month. People outside of EPB's service area have "repeatedly requested expansions" from the public utility, according to Wednesday's ruling from the U.S. Court of Appeals for the Sixth Circuit, but due to a geographic restriction put in place by the Tennessee state legislature, EPB is prohibited by law from reaching more customers.

Last year, EPB and other so-called municipal broadband providers asked the FCC to intervene on their behalf, and the agency agreed. Invoking a part of its congressional charter that it said would allow it to act against the states, the FCC tried to neutralize those state laws. The states responded by suing the agency, claiming it had no right to come between the historical relationship between states and the cities lying within their jurisdiction. This week's ruling, then, rolls back the federal government's attempt to intervene.


Wheeler, a Democrat, said Wednesday that the outcome of the case "appears to halt the promise of jobs, investment and opportunity that community broadband has provided in Tennessee and North Carolina. In the end, I believe the Commission's decision to champion municipal efforts highlighted the benefits of competition and the need of communities to take their broadband futures in their own hands."

Wheeler's opponents, including from within his own agency, said the outcome was an obvious one.

"In my statement last year dissenting from the Commission's decision, I warned that the FCC lacked the power to preempt these Tennessee and North Carolina laws, and that doing so would usurp fundamental aspects of state sovereignty," said Republican FCC Commissioner Ajit Pai. "I am pleased that the Sixth Circuit vindicated these concerns."

Berin Szoka, president of the right-leaning think tank TechFreedom, said the issue was "federalism 101."


"The FCC was unconstitutionally interfering with the division of power between state legislatures and municipalities without a 'clear statement' from Congress authorizing it to do so."

The court ruling represents a turning point for the legal tool the FCC tried to use as a weapon against Internet providers. First deployed in earnest by the FCC as an attempt to justify its net neutrality regulations on Internet providers, Wheeler again invoked Section 706 of the Communications Act to defend his moves against state limits on municipal broadband.


Section 706 calls on the FCC to promote the timely deployment of broadband across the country. The state laws targeting EPB and Wilson, N.C., Wheeler argued, amounted to a legal roadblock to meeting that goal, so preempting those state laws was consistent with Congress' marching orders.

In rebuking Wheeler's FCC, the Sixth Circuit has now effectively put some new constraints on what Section 706 may be invoked to accomplish. That is a significant step: Not long ago, policy analysts were saying that there were so few limits on the relatively vague language of Section 706 that the FCC could in theory use it to justify almost anything Internet-related. In effect, the court took what some analysts viewed as an unbounded grant of legal authority and imposed some bounds on it.

There are signs, however, that municipal broadband proponents were anticipating Wednesday's outcome - and are already moving to adapt. One approach? Focus on improving cities' abilities to lay fiber optic cables that then any Internet provider can lease; so far, only one state, Nebraska, has banned this so-called "dark fiber" plan, said Christopher Mitchell, who directs the Institute for Local Self-Reliance's Community Broadband Networks Initiative.

"We're pursuing strategies that are harder for the cable and telephone companies to defeat," said Mitchell.

Source : http://www.chicagotribune.com/bluesky/technology/ct-fcc-broadband-competition-20160811-story.html

Categorized in Internet Ethics


Darktrace, a U.K. cybersecurity firm that positions its software as the "human immune system" for networks, has raised $65 million in a funding round led by U.S. private equity giant KKR, the start-up said on Wednesday. Existing investor Summit Partners contributed while new investors TenEleven Ventures and SoftBank joined the round. The British start-up is also backed by Autonomy founder Mike Lynch's Invoke Capital and London-based venture capital firm Hoxton Ventures.

Darktrace's solution sits in the middle of an organization's computer network and can detect cyber-threats in real-time, allowing the company's security team or the software to take action to protect the system.


The start-up has been developing its machine learning capabilities – advanced algorithms that can adapt and learn. Darktrace says that its machine learning techniques are based on the "biological principles of the human immune system".

Hackers pose a huge threat to businesses with cyber-crime forecast to cost businesses over $2 trillion by 2019, according to Juniper Research. Some of the biggest organizations in the world have been victims of cyber-attacks and this has meant cybersecurity companies have gained traction.

Start-ups like Darktrace are attempting to challenge established players such as FireEye and Symantec. And as cyber-attacks get more sophisticated, machine learning solutions are becoming increasingly important.

A new threat identified by Darktrace is the ability for hackers to program machines to carry out attacks. In this way, machines are attacking machines, something that can be hard to stop as computers are able to adapt their own attack methods.

Ransomware is another attack that has been on the increase which involves hackers locking a person's files and then demanding something in return for unlocking them. To combat these threats, Darktrace released a product called Antigena, which the chief executive describes as "machine fighting machine tech". Antigena allows a business's network to battle back against invading threats.

"We have some early customers using Antigena, and what we have seen as the first use case is slowing down the attack, allowing humans to catch up. One example of that would be Ransomware. We could detect ransomware as soon as it hit the machine, slow it down and stop it getting to the back-up servers," Nicole Eagan, CEO of Darktrace, told CNBC in a phone interview on Wednesday.

The start-up was founded in 2013 and has already grown to 300 employees and claims to have over 1,000 customers on board. Darktrace said it has achieved over 600 percent revenue growth in the latest financial year.

Cybersecurity has been one of the hottest sectors in the start-up world for investment and Darktrace faces competition from a number of players. Last month for example, cybersecurity start-up LightCyber raised $20 million. LightCyber has a product which it calls a "behavioral attack detection" platform capable of fighting against threats that have got past traditional security controls.

Eagan said that the $65 million funding will help Darktrace expand further into the U.S. and Asia as well as into new markets such as Latin America, hiring employees, opening offices on the ground and improving its technology.

"We are going to continue to invest in R&D. The initial Darktrace product is fully developed with a lot of the focus on machine fighting machine and the new wave of artificial intelligence attacks, so we will continue to build out our machine fighting machine tech," Eagan told CNBC.

Source:  http://www.cnbc.com/2016/07/06/cybersecurity-start-up-darktrace-raises-64-million-backed-by-kkr.html

Categorized in Internet Privacy

CANCUN, Mexico, June 22 (Xinhua) -- With the goal of securing an open Internet, which can be used with freedom, security, trust and accessibility by all, governments, companies and civil society must come together to craft a new governance model for the web, global experts have agreed.

During the 2016 Ministerial Meeting on the Digital Economy, which is taking place this week in the Mexican town of Cancun, the Organization for Economic Co-operation and Development (OECD) is presenting the final report of its Global Commission on Internet Governance.

The report, crafted by a group of experts from every part of the world, has the mission of finding a way for the Internet to remain inclusive and secure.

"The Internet is at a crossroad. Threats to privacy and other risks that may bring the Internet down are real," Carl Bildt, president of the commission, said at a press conference Wednesday.

Bildt, who is the former prime minister of Sweden, believes that the Internet can have a future where it provides economic opportunities, boosts freedom of expression, improves political equality and guarantees social justice.

"For this to happen, governments, civil society and the private sector must actively promote this future, and consequently, take the right steps to reach it," he added. The main risks identified by the report are access to essential information services being under threat, people believing the Internet is not safe, and aging technology needing an upgrade.

If these are not addressed, "the Internet could lose its capacity to drive innovation and many of the advances and benefits we have seen in the last two decades could be eliminated." Alongside Bildt, Jose Angel Gurria, the OECD secretary-general, said that "trust is crucial in the digital economy. The Internet is the best tool to bring people together."

According to the report, "a new social pact is needed for Internet governance ... where fundamental human rights, such as privacy and freedom of speech, are protected online." Bildt said that access to the Internet is another challenge, since over half of the world's population has no access to the Internet.

"We run the risk of a world of two halves, with those who have access to the Internet and those who have none. The consequences of this could be catastrophic. If the Internet is not properly managed ... it could lead to a fracture that could cause serious harm to global economic development," noted the Swedish expert.

Alongside this initiative, the OECD is focusing on the development of information and communications technologies (ICT) and the creation of related opportunities for young people.

The report shows that the percentage of professionals working in ICT is at an average of over 3 percent in OECD countries. Some positive statistics have emerged, with 95 percent of companies having access to broadband, 76 percent having websites, and 22 percent using the cloud. However, only 21 percent of companies offer online sales.

In terms of security, the commission states that governments must work together to halt cyber attacks.

The report also advocates that consumers must have the freedom to choose the services they wish to use and for "free service providers" to treat their customers' data with more respect before selling them for commercial use.

"Due to their impact on public opinion, governments, civil society and the private sector must unite to understand the effects of ... publicly available data," added Bildt.

Finally, he noted that "there must be a continuous evolution in the governance of an open Internet, with multiple and broad-based participation, in order to guarantee the existence of a unified global Internet."

Source:  http://news.xinhuanet.com/english/2016-06/23/c_135458529.htm

Categorized in Online Research

Washington, DC: A new report from the Federal Trade Commission (FTC) shows that data breach complaints are on the rise. In the report, Consumer Sentinel Network Data Book (2/16), the FTC notes that complaints about identity theft increased 47 percent in 2015, likely helped by a number of high-profile data breaches. Consumers have filed lawsuits against companies they allege have failed to adequately protect their personal, confidential information.

Data breaches frequently occur when unauthorized third parties gain access to personal information. Hackers exploit vulnerabilities in computer systems to access information such as bank accounts, health records, Social Security numbers, addresses, tax information and passwords. Making the situation more concerning, a report from Javelin Strategy & Research (2/2/16) notes that identity thieves have stolen around $112 billion in the past six years, the equivalent of around $35,600 per minute.

According to the FTC, identity theft was the second-highest complaint category, falling behind debt collection. Among identity theft complaints were tax- or wage-related fraud, credit card fraud, phone or utilities fraud, and bank fraud.

“Nearly half a million complaints sends a clear message: more needs to be done to protect consumers from identity fraud,” said National Consumers League Executive Director Sally Greenberg. “One of the key drivers of the identity theft threat is the continuing flow of consumers’ personal information to fraudsters thanks to the ongoing epidemic of data breaches.”

Meanwhile, New York State Attorney General Eric T. Schneiderman has also indicated that data breaches are increasing. A news release issued by the Attorney General (5/4/16) notes that his office has received more than 40 percent more data breach notifications so far in 2016, compared to the same time span in 2015. From January 1 to May 2, 2016, the Attorney General’s office received 459 data breach notices, compared with 327 in the same period of 2015.

An earlier report issued by the New York Attorney General’s office found that hacking intrusions - where third parties gain unauthorized access to data stored on computers - were the number-one cause of data security breaches.

Consumers have filed lawsuits against companies accused of not properly storing or securing customer information. In April, an appeals court reinstated a lawsuit filed against P.F. Chang’s, which alleged the restaurant chain was responsible for a massive data breach. Although the lawsuit was dismissed by a lower court, with the judge finding the plaintiffs did not show actual harm, according to The National Law Journal (4/15/16), a federal appeals court reinstated the lawsuit, finding the plaintiffs had shown plausible injuries.

Among possible compensation plaintiffs could be entitled to were the cost of credit-monitoring services, unreimbursed fraudulent charges and lost points on a debit card.

The lawsuit is Lewert et al. v. P.F. Chang’s China Bistro, No. 14-3700, in the US Court of Appeals for the Seventh Circuit.

Source:  https://www.lawyersandsettlements.com/articles/data-breach/federal-trade-commission-ftc-javelin-strategy-21469.html?utm_expid=3607522-13.Y4u1ixZNSt6o8v_5N8VGVA.0&utm_referrer=https%3A%2F%2Fwww.lawyersandsettlements.com%2Flegal-news-articles%2Finternet-technology-news-articles%2F

Categorized in Science & Tech

Finally ready to get off the grid? It's not quite as simple as it should be, but here are a few easy-to-follow steps that will at the very least point you in the right direction.

If you're reading this, it's highly likely that your personal information is available to the public. And while you can never remove yourself completely from the internet, there are ways to minimize your online footprint. Here are five ways to do so.

Be warned however; removing your information from the internet as I've laid it out below, may adversely affect your ability to communicate with potential employers.

1. Delete or deactivate your shopping, social network, and Web service accounts

Think about which social networks you have profiles on. Aside from the big ones, such as Facebook, Twitter, LinkedIn and Instagram, do you still have public accounts on sites like Tumblr, Google+ or even MySpace? Which shopping sites have you registered on? Common ones might include information stored on Amazon, Gap.com, Macys.com and others.

To get rid of these accounts, go to your account settings and just look for an option to either deactivate, remove or close your account. Depending on the account, you may find it under Security or Privacy, or something similar.

If you're having trouble with a particular account, try searching online for "How to delete," followed by the name of the account you wish to delete. You should be able to find some instruction on how to delete that particular account.

If for some reason you can't delete an account, change the info in the account to something other than your actual info. Something fake or completely random.

Using a service like DeleteMe can make removing yourself from the internet less of a headache.

2. Remove yourself from data collection sites

There are companies out there that collect your information. They're called data brokers and they have names like Spokeo, Crunchbase, PeopleFinder, as well as plenty of others. They collect data from everything you do online and then sell that data to interested parties, mostly so that advertisers can target you more precisely and sell you more stuff.

Now you could search for yourself on these sites and then deal with each site individually to get your name removed. Problem is, the procedure for opting out from each site is different and sometimes involves sending faxes and filling out actual physical paperwork. Physical. Paperwork. What year is this, again?
Anyway, an easier way to do it is to use a service like DeleteMe at Abine.com. For about $130 for a one-year membership, the service will jump through all those monotonous hoops for you. It'll even check back every few months to make sure your name hasn't been re-added to these sites.

3. Remove your info directly from websites

First, check with your phone company or cell provider to make sure you aren't listed online and have them remove your name if you are.

If you want to remove an old forum post or an old embarrassing blog you wrote back in the day, you'll have to contact the webmaster of those sites individually. You can either look at the About us or Contacts section of the site to find the right person to contact or go to www.whois.com and search for the domain name you wish to contact. There you should find information on who exactly to contact.

Unfortunately, private website operators are under no obligation to remove your posts. So, when contacting these sites be polite and clearly state why you want the post removed. Hopefully they'll actually follow through and remove them.

If they don't, tip number four is a less effective, but still viable, option.
4. Delete search engine results that return information about you

Search engines include sites like Bing, Yahoo and Google. Google, for instance, has a URL removal tool that lets you request that specific URLs be dropped from its search results.

Google's URL removal tool is handy for getting pages about past mistakes out of search results, though the content itself stays live on the site that hosts it.

For example, if someone has posted sensitive information such as a Social Security number or a bank account number and the webmaster of the site where it was posted won't remove it, you can at least contact the search engine companies to have it removed from search results, making it harder to find.

5. And finally, the last step you'll want to take is to remove your email accounts

Depending on the type of email account you have, the number of steps this will take will vary.

You'll have to sign into your account and then find the option to delete or close the account. Some accounts will stay open for a certain amount of time, so if you want to reactivate them you can.

An email address is necessary to complete the previous steps, so make sure this one is your last. Before you close it, also check that no account you intend to keep still uses that address for password recovery: once the mailbox is gone you will no longer receive reset links, and some providers eventually reissue old addresses to new users, who could then receive them instead.

One last thing...

Remember to be patient when going through this process. Don't expect it to be completed in one day. And you may also have to accept that there are some things you won't be able to permanently delete from the internet.

Source: http://www.cnet.com/how-to/remove-delete-yourself-from-the-internet/

Editors' note: This article was originally published in December 2014. It has been updated with only a few minor tweaks.

Categorized in Internet Privacy

When the grandees of the global advertising industry met in the south of France earlier this week for the annual Cannes Lions International Festival of Creativity, they had much to feel good about.

Global ad spending is expected to reach $600 billion US by the end of next year, according to eMarketer, and grow at an annual rate of about five per cent until the end of the decade. Much of that growth is being fuelled by digital advertising, particularly on mobile devices.

But there was one session in Cannes where some very dark clouds managed to intrude on the sunny forecast. It was a panel devoted to the current scourge of the digital advertising industry: ad blocking.

According to a report by PageFair and Adobe, more than 200 million people worldwide have downloaded software that can block virtually all online advertising.

The number of people blocking ads increased by more than 40 per cent last year, and it is estimated that blocking cost cash-starved publishers more than $22 billion last year. So it's not surprising that just about any time advertisers and publishers get together these days, the question of what to do about ad blocking is usually high on the agenda.

The panel at Cannes was hosted by Randall Rothenberg, CEO of the Interactive Advertising Bureau, who has made no secret of his contempt for ad blockers. At an IAB meeting in January, he described ad blocking as "an old-fashioned extortion racket, gussied up in the flowery but false language of contemporary consumerism."

White lists

The source of the ad industry's outrage is the ad blockers' practice of "white listing." Publishers and advertisers can pay an ad blocking company to have their ads appear on a user's page, even if the user has paid to have ads blocked.

The ad blockers defend the practice by arguing they only allow ads they deem to be "acceptable," but Kate Kaye, who writes about digital marketing for AdAge, isn't buying it.

"If I'm a consumer and I've downloaded that thing I might be a little bit off-put by the fact that someone can pay to have the technology that I downloaded actually not work," Kaye said in a recent interview.

"I think it's analogous somewhat to mafia protection pay. It's like we're going to create a threat and then we're going to ask you to pay us to not threaten you." Almost everyone in the ad industry acknowledges that most of the wounds that have led to the rise in ad blocking are self-inflicted.

Advertisers got greedy by assaulting users with too many low quality, untargeted ads, too many auto play videos, too much click bait. Last fall, the IAB launched an initiative called L.E.A.N. Ads (light, encrypted, ad choice supported, non-invasive).

The IAB hopes that by following the L.E.A.N. guidelines, advertisers will create ads that consumers will be happy to see.

Playing hardball

But improving the user experience is not the only weapon in the arsenal. Some high-end publishers are playing hardball with readers who have installed ad blockers.

Sites like Forbes and GQ won't allow access to their content unless users turn them off. At Cannes, Mark Thompson, the president and CEO of the New York Times, announced that his newspaper would soon be offering an ad-free edition to subscribers at a premium price.

Other publishers are appealing to their readers' sense of fairness and justice, asking them to turn off their blockers and reminding them they are a critical part of the ecosystem that has powered the internet for the past 20 years. Without ads, there would be no free content online.

But Jess Greenwood of the New York ad agency R/GA doubts the effectiveness of appealing to users' better nature. "Given the option to do the right thing or the free thing," Greenwood told the panel at Cannes, "consumers will always choose the free thing."

Native advertising

But the most effective strategy to counter the ad blocking surge might be to produce ads that don't look like ads at all.

So-called "native advertising" has been growing in popularity over the past several years. Also known as "sponsored content," it looks and feels like editorial content, but it comes from advertisers rather than journalists.

Native advertisements can often pass through ad blocking filters because the filters don't recognize them as advertising. Many readers seem to prefer this kind of content over traditional advertising, provided it's properly labeled, although there's no consensus on what constitutes proper labeling.

"The web can go"

But the real victims of the ad blocking surge may not be advertisers and publishers, but the "free" web itself.

The money to pay for content has to come from somewhere, and if you take advertising revenue out of the equation, readers will have to pick up the slack themselves, something they have historically been reluctant to do. Without ads, the web may be a poorer and less interesting place.

It's hard to blame anyone for wanting to opt out of the increasingly unpleasant experience of surfing an over-commercialized web, but the consequences of those actions have perhaps not been fully realized.

"Things like the web can go," argues Johnny Ryan, author of the book, The History of the Internet and the Digital Future.

"It came from somewhere. It's a fragile thing. It's supported by advertising and if we don't fix it, it won't be around for that much longer."

Source:  http://www.cbc.ca/radio/thesundayedition/who-s-voting-trump-nostalgia-for-brittannia-ad-blockers-are-killing-the-internet-the-poet-who-hates-poetry-1.3649955/if-you-use-an-ad-blocker-you-re-killing-the-internet-an-ira-basen-documentary-1.3650007

Categorized in Online Research