STE WILLIAMS

Indestructible, badass rootkit BadBIOS: Is this tech world’s Loch Ness Monster? VOTE NOW


Poll Well-known computer security researcher Dragos Ruiu claims to have been hit by seemingly invincible firmware-infecting malware.

Dubbed BadBIOS, the mysterious rootkit has split the infosec community after Ruiu said the software nasty can jump over air gaps, meddle with a number of different operating systems, and survive motherboard firmware rewrites.

The claims

Once installed and hidden away in the PC’s BIOS storage area, the rootkit is supposedly capable of communicating between compromised machines by transmitting data encoded in ultrasonic sound emitted from the device’s loudspeakers. Incredibly, nearby infected PCs can, it’s alleged, pick up the signal from their microphones and decode the information. This is said to allow the malware to communicate between systems even if there is no other way to exchange information, such as over Wi-Fi, Bluetooth, or an Ethernet connection.
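To make the acoustic claim concrete, here is a toy binary-FSK modem of the kind such a channel would need: it encodes bytes as two near-ultrasonic tones and recovers them with a Goertzel detector, optionally through constructed noise. This is an added example written for this page, not BadBIOS code and not anything Ruiu has published; the 18 kHz/19 kHz tones, the 44.1 kHz sample rate and the 10 ms symbol period are assumptions, chosen so that each bit spans a whole number of cycles of both tones.

```python
"""Toy near-ultrasonic BFSK modem (added example, not BadBIOS code).
Assumed parameters: 18 kHz = bit 0, 19 kHz = bit 1, 44.1 kHz sampling,
10 ms per bit (441 samples, an integer number of cycles for both tones)."""
import math
import random

SAMPLE_RATE = 44100
F0, F1 = 18000.0, 19000.0       # tone frequencies for bit 0 / bit 1 (assumed)
SYMBOL_SAMPLES = 441            # 10 ms per bit


def bits_from_bytes(data):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def modulate(data):
    """Return PCM samples (floats in [-1, 1]) carrying data as BFSK tones."""
    samples = []
    for bit in bits_from_bytes(data):
        freq = F1 if bit else F0
        for n in range(SYMBOL_SAMPLES):
            samples.append(math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def add_noise(samples, amplitude, seed=0):
    """Mix in uniform white noise (a constructed channel impairment)."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


def goertzel_power(block, freq):
    """Energy at one DFT bin (Goertzel algorithm); cheaper than a full FFT."""
    n = len(block)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Decide each symbol by comparing energy at F0 and F1; pack bits to bytes."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        block = samples[start:start + SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(block, F1) > goertzel_power(block, F0) else 0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    pcm = add_noise(modulate(b"air gap?"), amplitude=1.0, seed=1)
    print(demodulate(pcm))
```

Nothing in the modem is exotic, which is why the "plausible" verdicts quoted later are unsurprising. What the toy skips is where the real difficulty lies: speaker and microphone roll-off near 20 kHz, echo and framing, error correction, and the fact that the transmitter would have to drive the audio hardware from firmware without an operating system's audio stack.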

Ruiu reckons BadBIOS, which infiltrated his lab computers, can infect PCs regardless of whether they are running Mac OS X, Windows, Linux, or a flavour of BSD including OpenBSD. The rootkit supposedly infects USB sticks, reprograms their micro-controller firmware to hide itself, and injects itself into a sterile computer once the stick is plugged in.


Indeed, simply plugging in an infected USB thumb drive, with no other action required, is supposedly enough to catch BadBIOS. Canadian Ruiu claims he’s been fighting the terrifying strain for weeks, but nobody else has come across it. The malware can prevent a machine from booting from CD, can stop system administration software from working, and attempts to burn evidence of the nasty onto optical media are thwarted by the rootkit – which, we’re told, can hook into classic BIOS, EFI, and UEFI firmware.

The rootkit’s ultimate intentions, other than sending out encrypted IPv6 traffic, are not at all clear, it seems.

Ruiu, on Twitter as @dragosr, organises the popular annual Pwn2Own hacking contest at the CanSecWest conference. In response to a handful of questions on the social network, the security-bug researcher said preparing a presentation for the upcoming PacSec event, due to take place in Tokyo in two weeks, is more important right now.

This talk in Japan may bring much-needed hard information to light on the Abominable malware. Ruiu has suggested he is holding back on the details until security patches for software bugs exploited by BadBIOS are made available.

The reaction

The infosec world raised a quizzical eyebrow at the rootkit claims, which have super-villain-like characteristics. Ruiu is a respected expert, but he has yet to release any data for independent corroboration.

Rob Graham of Errata Security has put together a detailed analysis of each element of the claims about BadBIOS’s capabilities.

“Everything Dragos describes is plausible. It’s not the mainstream of ‘hacking’, but neither is it ‘nation state’ level hacking,” Graham noted.

An even more sceptical evaluation comes from industry veteran Paul Ducklin, writing on the Sophos Naked Security blog. “It’s possible, of course, that this is an elaborate hoax, intended as a combined publicity exercise and social engineering experiment that will be wrapped up at PacSec,” said Ducklin.

“If so, expect it to be aimed at outing anyone who jumped to detailed conclusions without having the details to go on!”

Now tell us what you think – vote below and comment away. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/breaking_badbios/

Monitoring Where Search Engines Fear to Tread

The Tor Onion Routing network has long been a favorite way for privacy-seeking online users to add a series of anonymizing layers between themselves and sites on the Internet. From hackers and dissidents to companies and governments seeking to cloak their activities online, Tor has gained a significant following of users.

Yet, anonymizing networks, or darknets, are also used by online criminals looking to hide their tracks. Two recent incidents underscore the appeal: The Silk Road, an online bazaar of drugs and illegal goods, was operated as a hidden site until the FBI arrested the alleged owner of the site in San Francisco in early October; and a recent botnet known as Mevade, or Sefnit, routed its command-and-control traffic through the Tor network to hide the locations of infected nodes. The botnet traffic had a tremendous impact on Tor, driving its measure of simultaneous users from approximately 800,000 to more than 5 million, according to statistics on the Tor Project site.

Companies need to watch their networks for signs of the presence of darknets and for traffic to anonymous sites created to evade search engine crawlers, known as the deepweb, says Jon Clay, a security technology expert with antivirus firm Trend Micro.

“The criminals are using these techniques,” he says. “The question that an organization needs to look at, and discuss among themselves, is whether these communications channels, such as the TOR network, are something that employees should be using internally. If not, then you need to flag that and investigate any detections.”

The recent takedown of Silk Road, the online marketplace for drugs and crime, has spotlighted the use of the deepweb sites and hidden services for illegal activities. In a report published following the arrest of the suspected operator of Silk Road, Trend Micro stressed that Tor is only the best known of the deepweb networks. Other networks and technologies for anonymizing communications and creating hidden services include the Invisible Internet Project (I2P), Freenet and alternative domain roots.

Each technology has legitimate uses. Tor allows users to hide the source of their traffic, hidden services are used by many journalists as a drop box for anonymous sources, and alternative domain roots have offered top-level domains for certain groups of people, such as Kurdish, Tibetan and Uyghur ethnic groups. The technologies serve a legitimate role by giving people in oppressive regimes the ability to communicate.

[The Tor-based ‘LazyAlienBiker’ — a.k.a. Mevade — botnet’s attempt to evade detection using the anonymous Tor network ultimately exposed it. See How The Massive Tor Botnet ‘Failed’.]

Whether a company should block deepweb sites and darknets is a discussion for management, but each company should look for signs of the anonymizers to know whether they have a problem, says Wade Williamson, a senior security analyst with network-security firm Palo Alto Networks. The first step should be a survey of systems on the network to look for such applications, he says.

“If you see Tor, or one of these other anonymizing networks on a computer in your network, that should be a canary in the coal mine,” Williamson says. “You at least need to investigate at that point.”

Many cybercriminals tend to create their own anonymization networks, which are fairly easy to detect and block, once analyzed by security firms. The team behind Tor, which was originally created by the U.S. Naval Research Laboratory to protect government communications, has made that technology much harder to find.

While some groups and threat-intelligence firms compile lists of Tor relays and exit nodes to allow companies to block communications with those sites, unlisted bridge relays can act as intermediaries to bypass such blocking. The Tor project has even created obfuscated bridge relays to defeat techniques for inspecting traffic and blocking Tor-like traffic.
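The survey Williamson recommends usually starts with connection logs. Below is an added example, not code from Trend Micro, Palo Alto Networks or the Tor Project, that flags internal hosts talking to listed relays or to the default relay ports. The relay addresses, the log format and the log lines are constructed for illustration (documentation IP ranges); a real deployment would refresh the list from the Tor consensus, for example the bulk exit list at https://check.torproject.org/torbulkexitlist. The last log line models the limitation described above: a connection to an unlisted bridge over port 443 produces no hit at all.

```python
"""Flag hosts that talk to known Tor relays or to default relay ports.
Added example; relay list and log lines are constructed (RFC 5737 ranges)."""
import ipaddress
from collections import defaultdict

# Constructed relay list; in practice refreshed from the Tor consensus/exit list.
KNOWN_RELAYS = {"198.51.100.10", "203.0.113.44", "192.0.2.77"}
# Default ORPort/DirPort of Tor relays. Weak evidence on its own: many relays use 443.
RELAY_PORTS = {9001, 9030}


def parse_line(line):
    """Parse 'timestamp src_ip dst_ip dst_port bytes'; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst,
                "port": int(port), "bytes": int(nbytes)}
    except ValueError:
        return None


def classify(rec):
    """Return the reasons a record looks like Tor traffic (may be empty)."""
    reasons = []
    if rec["dst"] in KNOWN_RELAYS:
        reasons.append("known-relay")
    if rec["port"] in RELAY_PORTS:
        reasons.append("relay-port")
    return reasons


def scan(lines):
    """Map each internal source host to the sorted reasons it was flagged."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # skip malformed lines rather than abort the sweep
        for reason in classify(rec):
            hits[rec["src"]].add(reason)
    return {host: sorted(reasons) for host, reasons in hits.items()}


# Constructed sample log. 10.1.2.20 reaches an unlisted bridge on 443: no hit.
SAMPLE_LOG = """\
2013-11-01T10:00:01Z 10.1.2.3 198.51.100.10 443 5120
2013-11-01T10:00:02Z 10.1.2.3 203.0.113.44 9001 2048
2013-11-01T10:00:03Z 10.1.2.9 192.0.2.1 443 700
2013-11-01T10:00:04Z 10.1.2.9 203.0.113.9 9030 128
2013-11-01T10:00:05Z 10.1.2.20 198.51.100.200 443 4096
this line is garbage
""".splitlines()


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host, reasons)
```

A "relay-port" hit without a "known-relay" hit (10.1.2.9 here) is a lead, not a verdict: plenty of non-Tor services run on high ports. The silent 10.1.2.20 case is the one the bridge and obfuscated-transport discussion is about, and it is why list-based blocking alone leaves a gap.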

In the end, companies serious about blocking any sort of anonymizing traffic may want to only allow IP addresses and domains with known, good reputations, says Trend Micro’s Clay.

“You want to have as much information as you possibly can, and if you don’t know if an IP or a domain is bad, you might block it,” he says.


Article source: http://www.darkreading.com/monitoring/monitoring-where-search-engines-fear-to/240163477

Wisconsin woman accused of posting love rivals’ nude pics on Facebook

A woman from South Milwaukee, Wisconsin, faces stalking and identity theft charges after she allegedly hacked into her ex-boyfriend’s email and stole information not only on him, but also on his other love interests.

According to local reports, Phoebe Sayavong is alleged to have “hacked” the email account of her ex (read – guessed or figured out the password), locked him out of the account and accessed personal information on him and other women he had dated.

She is then thought to have set up accounts on social media sites, including Facebook, Pinterest and LinkedIn, using nude or partially-nude photos of the women – in some cases it’s thought the pictures were faked by merging the women’s faces with other photographs – and then sent friend requests to the families of the women targeted.

Most disturbingly, at least one of the women reported being visited at home by a man who thought he had met her online and had been invited over to have sex with her.

Sayavong’s stalking stretches back to as early as May this year, and is believed to have included repeated phone calls and drive-bys of her former lover’s home in Racine County, Wisconsin, spraying his car with soft drinks, and spreading garbage on his lawn.

She is also claimed to have found out her victim’s social security number, and read it out to him over the phone.

Another local report cites court documents which apparently claim police found clear evidence related to the email hacking and setting up the fake social media accounts on Sayavong’s computer.

She faces multiple identity theft charges as well as one each of stalking, recklessly endangering safety and “distributing a recording of nudity without the subject’s consent”. The latter is considered a felony under Wisconsin legal code.

It seems it’s not enough to be careful about keeping our own systems and accounts secure, we have to pay close attention to who we share information with and how well they maintain their security.

Of course, it’s probably never that wise to go sending intimate photos of yourself to anyone, however well you trust them. Remember, anything that’s on the internet is a) unlikely to remain entirely private, and b) never going to go away.

Email may feel safer than posting to a public website, but really it’s just another part of the internet and should be subject to the same rules.

Leaving aside the issue of personal pics, most people probably feel OK about letting their boyfriends know all manner of things about them that they wouldn’t want all and sundry to hear about, but it’s worth remembering just how useful our personal info can be to bad actors.

Even basic info like names and addresses seems to have been used for some pretty creepy purposes in this case.

It’s best to be as cautious as possible, and if you think someone you’re entwined with may be at risk of being a hacking target – if they have a rather worrying ex-girlfriend for example – be sure to remind them of the importance of good computer and password hygiene.

Even if they do no more than the basic essentials, that’s a start at least.

The same goes in the business world too. If you have to share data on yourself or your clients or customers with third parties, make sure you know what steps they are taking to keep your data secure before you hand anything over.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/erD2dsZgusA/

John Kerry bombshell: ‘Yes, the NSA… reached TOO FAR, inappropriately’


US Secretary of State John Kerry has issued a rare mea culpa on behalf of the US government and its NSA surveillance platforms.

Speaking at a panel discussion for the Open Government Partnership, Kerry said that in its efforts to thwart terrorists, the US had gone “too far” in its collection of personal data, but insisted that reports of massive data hoarding were untrue.


“I assure you, innocent people are not being abused in this process,” Kerry said, “but there is an effort to gather information, and yes, in some cases it has reached too far, inappropriately.”

“Our President is determined to clarify and is now doing a thorough review in order that nobody will have a sense of abuse.”

Sentiment of such a “sense of abuse” has been rampant among both the domestic and international communities in recent days.

Earlier this week, a number of major providers, including Google and Yahoo, were found to have unwittingly supplied the government with some 180 million records via NSA surveillance programs.

The disclosure adds to an already hefty government data repository first uncovered with the revelation of the PRISM platform by whistleblower Edward Snowden, the now-infamous consultant living under asylum in Russia.

Further reports from the international community have suggested that the spying activities have also extended to the diplomatic arena, as reports out of Germany indicated that US agents may have tapped lines of communication used by government officials, including Chancellor Angela Merkel.

Even when fessing up to the use of heavy-handed tactics, Kerry remained defiant on the most recent reports, denying that tens of millions of people were having their data slurped through the NSA pipeline.

“There is a tremendous amount of exaggeration and misreporting in some of what is out there,” he said.

“What we are trying to do is, in a random way, find ways of trying to learn if in fact there is a threat that we need to respond to.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/john_kerry_nsa_spying/

Snowden leaks latest: BT, Vodafone, Verizon jack GCHQ into undersea fiber


UK carriers BT and Vodafone are among top telcos today accused of supplying surveillance data to Blighty’s eavesdropping nerve center, GCHQ.

The Guardian cited documents leaked by whistleblower Edward Snowden in reporting that the operators, along with Verizon Business and a number of smaller providers, provided spooks with access to their undersea cable networks for the collection of voice and internet traffic.


According to the report, the firms have assisted in the harvesting of social networking and email activity of customers as well as the storing of phone conversations by way of tapped fiber-optic lines.

A spokeswoman for Verizon told The Guardian: “Verizon continually takes steps to safeguard our customers’ privacy. Verizon also complies with the law in every country in which we operate.”

BT declined to comment. A spokesman for Voda added: “Vodafone does not disclose any customer data in any jurisdiction unless legally required to do so. Questions related to national security are a matter for governments not telecommunications operators.”

Today’s disclosure sheds further light on GCHQ’s modern-day dragnet activities, first revealed in June after Snowden fled the US and handed reporters top-secret dossiers he obtained while working as an NSA contractor.

In addition to tapping undersea fiber cables for telco data, GCHQ – which shares intelligence with its American counterpart, the NSA – is said to be collecting other information from data-center communications links, essentially hoarding data generated by Google and Yahoo! services.

Following months of outcry, British MPs have taken steps to probe their spies’ mass collection of data from private sources. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/bt_vodafone_verizon_gchq_undersea_fiber/


Google teaches Chrome Canary to sing when it sniffs dodgy downloads


Google has equipped its experimental “Canary” distribution of the Chrome web browser with a malware-spotting capability to protect users from malicious downloads.

The security upgrade was announced by Google on Thursday and means the browser will scan downloaded executable files for the presence of viruses and Trojans, and notify punters if it finds any.


“In the current Canary build of Chrome, we’ll automatically block downloads of malware that we detect,” the advertising giant said. “If you see this message in the download tray at the bottom of your screen, you can click ‘Dismiss’ knowing Chrome is working to keep you safe. “

Canary is the bleeding-edge version of the Chrome browser and receives nightly updates. Google cautions users that it’s “not for the faint of heart” as it can be “prone to breakage”.

This vulture has been using Chrome Canary as one of his three primary browsers for several months and can testify that it can break in confusing and infuriating ways from time to time.

That said, it tends to be extremely fast and seems to have a mildly smaller memory footprint than stock Chrome.

Along with the malware-sniffing feature, Google has also added a “reset browser settings” button to stock Chrome that lets you roll the browser back to its original state in case you catch a dash of browser-distorting malware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/google_canary_security_update/

Researchers Sharpen Spear-Phishing With New Tool Leveraging Social Networks

Phishing hooks more than its share of people and organizations. But just like its homophonic counterpart, phishing can always be made easier with the right bait.

At the upcoming Black Hat Regional Summit in Brazil, Trustwave researchers Joaquim Espinhara and Ulisses Albuquerque plan to do exactly that. Using a new tool they call ‘µphisher’ (read as microphisher), the researchers say they have found a way to gather the digital breadcrumbs users leave on the Internet through social networks, mailing lists, online forums, and beyond.

With a mix of data mining and natural language processing [NLP], the tool can find patterns in the way a target communicates online and about what, so the information can be used to craft a more enticing attack.

“µphisher builds a database of social network status updates and makes these available for building user profiles,” Albuquerque tells Dark Reading.

Those profiles, he explains, focus on text provided by a target of interest and allow pen testers to build support data structures for the most commonly used words, as well as the people the target most frequently interacts with on social networks, hashtags, and geolocation information. With that in hand, the tool uses the information to rank how close phony content is to legitimate content produced by the target.

“We check sentence length, if the words are typically used by the target, and if the referenced users and hashtags match those actually used by [them],” Albuquerque says.

“Since different social media networks are used for different purposes … all [social] networks are possible targets,” he says. “Professional content, geolocation, pictures and movies, interacting with friends — every one of these activities involves a different ‘online persona’ by the user, and the phrasing, words, and sentence length will vary wildly between content written for each of these purposes. So we don’t focus on one particular social network because that would mean focusing on content which might not look legitimate on other social networks.”

The tool does not try to interpret the meaning of what the user is talking about; therefore, slang, abbreviations, and other “non-standard” words would end up in its dictionary even though the natural language processing engine might not be able to categorize them properly.

“Since the tool was developed to support quick engagements, we do not want to have the consultant/penetration tester spending too much time trying to analyze and infer intention on the subject of interest,” the researcher says. “We just want to help produce content that looks like it was written by the target. Thus, anything which is not proper English will be treated as noise, but will end up in our dictionaries, and will be still checked against when evaluating user-provided content.”
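A stripped-down version of that scoring, as an added example and not Trustwave’s µphisher code: it builds a profile from a handful of constructed status updates (most-used words, referenced users, hashtags, average post length) and rates a draft message by how closely it matches, letting slang such as “tonite” enter the dictionary unchanged, as the passage describes. The updates, the two drafts and the weights (0.5 vocabulary, 0.3 references, 0.2 length) are assumptions.

```python
"""Profile a target's posts and score how 'in character' a draft message is.
Added example, not Trustwave's µphisher; updates and weights are constructed."""
import re
from collections import Counter
from statistics import mean

TOKEN = re.compile(r"[@#]?\w+")


def tokenize(text):
    """Lower-cased tokens; '@user' and '#tag' keep their sigil.
    Any word-shaped run counts, so slang and typos enter the dictionary as-is."""
    return [t.lower() for t in TOKEN.findall(text)]


def build_profile(updates):
    """Word, user and hashtag frequencies plus mean post length in tokens."""
    words, users, tags, lengths = Counter(), Counter(), Counter(), []
    for update in updates:
        toks = tokenize(update)
        lengths.append(len(toks))
        for t in toks:
            if t.startswith("@"):
                users[t] += 1
            elif t.startswith("#"):
                tags[t] += 1
            else:
                words[t] += 1
    return {"words": words, "users": users, "tags": tags,
            "avg_len": mean(lengths)}


def score(profile, draft):
    """0..1: share of known vocabulary, share of known @users/#tags,
    and closeness of length to the target's average (weights assumed)."""
    toks = tokenize(draft)
    if not toks:
        return 0.0
    plain = [t for t in toks if t[0] not in "@#"]
    refs = [t for t in toks if t[0] in "@#"]
    vocab = (sum(t in profile["words"] for t in plain) / len(plain)) if plain else 1.0
    known_refs = (sum(t in profile["users"] or t in profile["tags"] for t in refs)
                  / len(refs)) if refs else 1.0
    avg = profile["avg_len"]
    length = 1.0 - min(1.0, abs(len(toks) - avg) / avg)
    return round(0.5 * vocab + 0.3 * known_refs + 0.2 * length, 3)


def rank(profile, drafts):
    """Drafts sorted best-first by score, the order a pen tester would want."""
    return sorted(drafts, key=lambda d: score(profile, d), reverse=True)


# Constructed status updates standing in for a harvested timeline.
UPDATES = [
    "shipping the new build tonite with @alice #devops",
    "coffee first, then fixing the deploy script #devops",
    "great talk by @bob on container security today",
    "weekend plan: bike ride then more deploy fixes",
]
PROFILE = build_profile(UPDATES)

IN_STYLE = "fixing the deploy script with @alice tonite #devops"
OFF_STYLE = "Dear customer, please verify your account at @securebank #urgent"

if __name__ == "__main__":
    for draft in rank(PROFILE, [OFF_STYLE, IN_STYLE]):
        print(score(PROFILE, draft), draft)
```

The defensive reading is the same as the offensive one: a message that scores well against a colleague's public timeline is exactly the message a spear-phishing filter keyed on "unusual sender style" will not catch, so awareness training has to cover convincing lures, not just clumsy ones.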

The tool uses the official APIs for obtaining data, and in their talk the researchers plan to touch on potential legal implications of using the tool. According to Albuquerque, the user must generate the required tokens with each social network, and the tool itself does not try to be stealthy in its activities. For that reason, it may be subject to restrictions by some social networks.

“We also authenticate against the networks using the actual user identity of the person operating the tool when fetching data — which should be enough to transfer most of the liability to them when using the tool for not-so-legitimate scenarios,” he says. “We certainly do not wish it to be used as an umbrella to hide malicious users behind an application-wide identity in order to harvest data from unknowing targets.”

The researchers’ presentation is scheduled for Nov. 26 at the summit, which will be held at the Transamerica Expo Center in Sao Paulo.


Article source: http://www.darkreading.com/attacks-breaches/researchers-sharpen-spear-phishing-with/240163445

Protection Tools Enhanced For QuickLicense 7, Windows 8.1 And Mavericks

Henderson, NV USA – Oct 31, 2013 – On the heels of recent QuickLicense 7, Windows 8.1 and OS X Mavericks upgrades, Excel Software updated a suite of protection and licensing tools. QuickLicense Server 1.1 creates a floating license server for a protected application or document. DocProtect 3.0.2 generates a protected Mac or Windows application from popular document types. QLRT Xcode 2.0 provides the QuickLicense 7 runtime system in a static library for Xcode developers. PluginFMQLRT 1.0.1 and PluginXojoQLRT 1.0.1 give FileMaker and Xojo developers a plugin with QuickLicense 7 features tested on the latest Mac and Windows OS.

QuickLicense Server 1.1 outputs a vendor-branded, floating license server system for protected applications with no programming required. The system requires minimal administrative effort for the vendor or customer, requires no Internet access and can increase the license count at the customer site with a secure code. The License Server and License Monitor can be distributed royalty-free to customers with a protected application created with QuickLicense or a protected document created with DocProtect. The License Server can run on Windows to serve protected Mac and Windows applications on the network. The server also runs on Mac to license Mac and Windows applications.

QLRT Xcode 2.0 adds QuickLicense 7 features for Trial, Product, Subscription, Floating or Try/Buy licenses with a human managed or Internet automated activation system. QuickLicense is used to configure all aspects of the software license and activation process, then output an encrypted Ticket file. That Ticket file is bound to an application with a function call when the QLRT library file is dropped into an Xcode project. Programmers enjoy a quick, integrated solution for any software protection, activation or licensing requirement. Call a simple function to access all commands with fast, streamlined security and no exposed interface. With a small disk and memory footprint, the runtime allows one software build to support many license types and customized features.

DocProtect turns HTML projects, image collections, video files, audio files, PDFs or SWF files into a protected Mac or Windows application. When used with QuickLicense 7, any license type or activation process can be applied with advanced features such as license release, restore, reset and subscription management. DocProtect Windows now supports either QuickTime or Media Player as the video engine for protected videos. Protected PDF files are presented with the Adobe Reader engine and have been updated to support the latest build.

PluginFMQLRT is a FileMaker plugin that embeds the QuickLicense 7 runtime in a FileMaker Pro Advanced solution that is distributed as a standalone application. PluginXojoQLRT is a Xojo plugin containing the QuickLicense 7 runtime. All protection, activation and licensing capabilities in the QuickLicense system are available to an application with simple function calls.

QuickLicense Server 1.1 is $995 for a Single User License on either Windows or Mac. QLRT Xcode 2.0 is $495 and runs on a Mac OS X computer with 10.6 or later with an Intel processor. DocProtect is $495 for a Single User License on either Windows or Mac OS X or $795 for both platforms. A Single User License of either PluginFMQLRT or PluginXojoQLRT is $395 on Mac or Windows or $690 for both.

Each product includes royalty-free runtime distribution rights for any number of protected products or licenses. All licensing products support Windows XP, Vista, 7, 8 or 8.1 or Mac OS X 10.6 or later through Mavericks. A free video library demonstrates software protection, licensing features and order process automation.

Article source: http://www.darkreading.com/applications/protection-tools-enhanced-for-quicklicen/240163470

Shred-it Promotes Fraud Prevention: Provides Tips For Protecting Information In Recognition Of International Fraud Awareness Week

WASHINGTON, Nov. 1, 2013 /PRNewswire-USNewswire/ — In recognition of International Fraud Awareness Week, taking place November 3-9, 2013, Shred-it – a world-leading information destruction company – is joining organizations across the world to promote the importance of safeguarding confidential information to prevent fraud and identity theft.

As the risk of security breaches continues to become more prevalent, it is increasingly important that consumers and organizations protect their confidential information. While many people and businesses believe they take the appropriate steps to safeguard sensitive data, they are unaware of simple ways to truly protect themselves from the risk of fraud and identity theft that could lead to serious financial and reputational damage.

“International Fraud Awareness Week provides a great opportunity to raise awareness of how vital it is to protect yourself and your information,” said Michael Collins, Shred-it Regional Vice President. “From old tax returns and bank statements, to credit card offers and pay stubs, Shred-it wants to educate consumers on ways to ensure confidential information is safe.”

How to Protect Yourself at Home
According to the 2013 “Identity Fraud Report” released by Javelin Strategy & Research, the number of identity fraud incidents continues to increase, with approximately 12.6 million Americans becoming victims of identity theft in 2012, resulting in $21 billion worth of theft. As the number of identity fraud reports continues to climb, it is imperative that people take preventative measures to safeguard their personal data to prevent fraud and identity theft.

The first step in preventing fraud is recognizing personal patterns of behavior that put private information at risk. This could be something as simple as leaving credit card receipts at restaurants or carrying multiple forms of identification, such as a Passport or Social Security card, which are unnecessary for daily transactions. Engaging in these sorts of behaviors makes a consumer’s confidential information more susceptible to being stolen.

In addition to altering personal behaviors, consumers should engage in protective measures such as conducting a periodic credit check to monitor for any abnormal activity, frequently changing passwords and ensuring all security software is up to date. However, the only 100 percent effective way to protect paper records is to destroy them, for example at Community Shred-it events. These events give individuals the opportunity to have their confidential documents destroyed on site, free of charge or for a minimal donation to a local charity.

How to Protect Your Business
Despite regular news reports of businesses being impacted by data breaches, organizations from across the U.S. continue to be plagued by the loss of sensitive information. Safely and securely storing and destroying printed documents and any information stored on electronic media should be made a priority. Not doing so can lead to identity theft and fraud, which can result in serious financial impact, reputational damage, loss of customers, employee turnover and disengagement, and a decrease in competitive advantage.

The 2013 Security Tracker – an annual survey conducted by Ipsos Reid on behalf of Shred-it – provides detailed insight as to what businesses of all sizes are doing (or not doing) to protect their companies and customers from the threat of fraud and identity theft. The most surprising finding was that businesses of all sizes lack awareness about proper information security policies and procedures, and are not regularly training their staff on these information security processes.

“It is imperative that companies remain vigilant when it comes to information security and take proactive steps to protect against data breaches,” adds Collins. “A crucial first step is improving awareness of policies and procedures.”

Employees need to be made aware that data being lost or stolen can result in financial impact and harm to the credibility of an organization. The second step is the actual implementation of policies and procedures by enforcing sensitive data safeguarding as a company-wide practice. As the ways companies do business continue to evolve, the development and implementation of a proactive plan for safeguarding information becomes increasingly important. If businesses want to remain competitive and profitable, they must safely and securely destroy documents and electronic media to protect customers and employees.

For more information about ways businesses and consumers can protect themselves from fraud and identity theft, or to take a free risk assessment, visit www.shredit.com.

About Shred-it
Shred-it is a world-leading information destruction company providing information destruction services that ensure the security and integrity of our clients’ private information. The company operates 140 service locations in 16 countries worldwide, servicing more than 150,000 global, national and local businesses, including the world’s top intelligence and security agencies, more than 500 police forces, 1,500 hospitals, 8,500 bank branches and 1,200 universities and colleges. For more information, please visit www.shredit.com.

Article source: http://www.darkreading.com/end-user/shred-it-promotes-fraud-prevention-provi/240163451