Connect with us

Tech News

How employees can steal your sensitive data and try to mask the theft

Whether your client list or client files, you have sensitive data on hand – how could an employee steal it, and how can forensic specialists recover it?

Published

on

backspace delete button

You and your team have data that must be protected

No matter your industry, you likely have information somewhere, be it a smartphone or laptop, that is sensitive. Maybe it’s credit card transaction data, perhaps it is client contracts or applications, maybe it’s something as simple as a confidential document shared casually between coworkers.

What happens if one of your employees leaves and takes your entire client list or attempts to cover up mistakes by altering documents? The good news is that all of this can be traced.

bar
To find out how, we talked with Chuck Snipes, a computer forensics examiner at DSi, one of the nation’s leading providers of advanced electronic discovery and digital forensics services. As a former cybercrime detective and consultant in outside investigations and criminal cases, he often serves as a testifying expert witness and has extensive experience in cybercrime investigations, digital evidence and data recovery.

In his own words below, he will explain why not even deleted documents are unrecoverable, how forensic specialists like him find altered data, and how to handle the tricky topic of employees using their own devices at work:

Anything typed can be recovered

Did you know that almost anything you – or your employees – type on a computer or device can be recovered? Sure, you can delete files, but digital forensic experts can retrieve fragments of documents and use them to reassemble the information. Scary, right?

It’s not always a bad thing. For example, sometimes employees take confidential information – such as contact lists, accounting spreadsheets with proprietary formulas or organizational documents – with them to a new job. As a worried business owner, you can rest assured. That information is often retrievable, even if the former employees rename or hide the documents, and it makes for sound evidence in court.

So, what do you need to know to safeguard your company’s data? Let’s take a look.

What ways can data be altered or deleted?

  • The most common attempt to get rid of information is to rename a data file or change the file extension (i.e., from .doc to .jpg).
  • One can also alter data by compressing the file and password-protecting it, which renders the file almost impossible to access without the password. Key word: almost.
  • Those who are more technology-savvy might alter data by embedding text in a string of data or using encryption software.
  • Regarding deletion, many think that emptying the recycle bin on their computers permanently discards unwanted data. That’s not actually the case. Even if you run a deletion program, data may be retrieved, especially if your company keeps a log of emails and data at the server level to retain a trail of communications.

How can digital forensic specialists find the altered or deleted data?

  • Computer forensic consultants use a combination of sophisticated hardware tools, software programs, training and experience to retrieve and unlock data, including password-protected files.
  • Even if users try to overwrite files on a hard drive, some fragments of the file may remain at other locations on the drive. Experts can take apart a forensic image of the drive and identify file fragments to reassemble the information.
  • A lot of information is stored in computers, and forensic professionals can usually see what a computer was used for, when it was used, what documents were accessed and when, as well as changes to the metadata (such as the title, subject or authors).
  • When a file is deleted, many people think it’s gone forever. It’s not. What’s erased is merely a pointer to the files, which tells the operating system to no longer include that information in file listings that the user sees. The content still exists on the hard drive until it is overwritten. This is also often true for items on mobile devices, like text messages.
  • If a wiping program is used, it still can’t account for backup services, so forensic specialists can use software to detect if these wiping programs were installed and/or used. If so, backed up copies of the deleted file can be accessed.
  • Even if the device is protected by thumbprint, forensic professionals can often access the corresponding iCloud account through legal process. The account typically has copies of everything.

What steps can you take to prevent employees from taking information with them when they leave your company?

  • Create a written agreement that lists the owner(s) of the data and provides guidelines for what data can and cannot be taken by an employee.
  • Be selective on who is granted permission to company data – and segregate your data for different levels of access privileges. Keep a detailed log in place that includes who accessed which computer or device, what was done while using the device, when it was done and more.
  • Put written security guidelines in place that detail how data is to be stored and transmitted. Don’t forget to include guidelines for portable items that contain data, such as USB devices, laptops and smartphones.
  • Create and enforce an information governance (IG) policy, outlining what data to preserve and how to maintain it. Your IG policy should also specify a defensible deletion process for the data you don’t need. Information can’t be stolen or mishandled if you don’t have it, so don’t collect and retain sensitive information that you don’t need.

Can employers collect business information accessed by employees via personal devices, and vice versa?

  • Employers have the right to see what is on company devices. Yet, if a company wants to access personal information on company computers, it’s best to consult with an attorney before taking any action. To avoid complications, many businesses implement a policy that states there should be no expectation of privacy for anything accessed via a company-owned device.
  • Company information on personal devices can be accessed by the company, too. And many businesses have employed a specific policy for dealing with the Bring Your Own Device (BYOD) phenomenon.

How can companies manage BYOD issues?

  • Implement a data ownership policy that fully discloses company procedures and ramifications. For example, implement a policy that all devices must be controllable from within the organization. This grants the employer the right to monitor employees’ activities on the device, and it ensures that, should a device be stolen or an employee terminated, the IT department can remotely lock or wipe the device.
  • Allow only devices that will actually be used for company purposes to connect to the corporate network.
  • Ensure that all devices granted access to the corporate environment meet established security and policy requirements. For example, companies may require that portable hard drives or flash drives be inspected before leaving the premises to make sure no company data is removed from the building.

Creating and implementing a well-documented strategy for maintaining confidential information and having technological safeguards in place will make it much harder for an employee to steal data. In the event that an employee is able to sneak out data, the right logging and backup systems will enable forensic personnel to prove theft. When used as evidence in court, the proof of a theft may allow for retrieval of the information and sanctions against the person(s) who stole it.

The takeaway

Chuck Snipes outlines above the sensitive nature of data, and highlights just some of the ways experts like him can prove theft. If you suspect a former employee is or has accessed, altered, or taken data, you’ll need to call in the experts. Contact Chuck at DSi to find out how they can strengthen your position and keep your data safe.

Remember that everything typed, saved, altered, transferred, or deleted, isn’t gone forever – forensics experts know how to find it.

#DeletedData

The American Genius is news, insights, tools, and inspiration for business owners and professionals. AG condenses information on technology, business, social media, startups, economics and more, so you don’t have to.

Continue Reading
Advertisement
1 Comment

1 Comment

  1. Pingback: Retailers struggle as theft rises (and it's not kids pocketing things) - The American Genius

Leave a Reply

Your email address will not be published. Required fields are marked *

Tech News

The inventor of the internet wants to give back control of your data

(TECH NEWS) Using the internet has given us access to many things, but we’ve also lost control of our data. Can the father of the internet give it back?

Published

on

Multiple monitors set up on desk with control for data enabled.

Since it was first introduced in 1989, the internet has come a long way, both in good and bad ways. With several communication tools available online, connecting with friends and family on the other side of the world hasn’t been this easy. However, it has taken away something, too — the control over our data.

Our information is everywhere. Once it’s out there, there is very little, if anything, we can do to control how it’s being used or who’s using it. But, the father of the internet, Tim Berners-Lee, wants to reinvent how users take back control of their data.

“We’re on a mission to change the way the web works and the way to basically make the web a better place for all of us,” said Berners-Lee on The Telegraph Live.

In an attempt to “fix the web”, Berners-Lee launched a privacy-focused startup, Inrupt. Using the company’s data storage technology called Solid, the tech company changes how data is stored to give you more control.

“Solid is the new way to connect to people and data. It’s an open-source web-based protocol that re-architects the way data is stored and shared,” said Berners-Lee.

With Solid, you put your personal data together into a personal online data store called a “pod”. Any kind of information can be stored in a pod such as websites visited, travel plans, health records, or credit card purchases.

The pod can be hosted on any Pod Provider, or you can host it yourself. Pods hosted on a Solid Server are fully compartmentalized from other Pods. Each one has its own set of data and access rules, and you decide who to share your data with using Solid’s authentication and authorization systems. And, you can also remove access to anyone at any time.

Inrupt was introduced back in November 2020, and the Solid technology is already being used by some large companies like the BBC and the National Health Service (NHS) in Britain.

The company’s business model is based on charging licensing fees for its commercial software, which uses Solid open-source technology. According to The New York Times, Inrupt has raised about $20 million in venture funding.

Getting data back into a user’s hands is very good. But, is it something that will quickly be adopted by everyone, including the tech giants?

Well, users will finally gain control of how they share their data. According to Berners-Lee, Solid will provide a “generic back-end store that works with all apps without modification.” This means developers don’t have to worry about creating back-ends for different apps.

And companies, what will they get out of it? According to Inrupt CEO & Co-founder John Bruce, over the years, he found that a lot of companies were “spending a great deal of time and money collecting and protecting user data.” So, “by moving the point of control of data from the organization to the user everybody wants.” (i.e. money is saved)

“This is just the beginning of how we turn the red web right side up, restore some of its original values, like how we empower everyone to participate in and benefit from a web that serves us all,” said the internet inventor. “The future of the web is a lot bigger than its past.”

Continue Reading

Tech News

This web extension protects your sensitive information while screensharing

(TECH NEWS) If you’ve ever had to share your screen, you know that sometimes, your sensitive information still slips. But this extension helps by blurring your info for you.

Published

on

Online presenter gesturing at a large Mac desktop computer, being cautious of their sensitive information.

In the time of video calls, video gatherings, and video everything, at one point or another, we will eventually need to share our screen and/or record video. When it’s time to present, there is one thing we don’t want to display to others — sensitive information.

While we can all take a good deal of precautions to make sure we don’t overshare, there is no guarantee we won’t miss something. After all, we’re human. The good thing about these modern times is that there is always someone trying to think of how to make our first world video problems go away.

Sanskar Tiwari, a software developer and educator at YouTube, found it time-consuming having to edit videos to blur over things such as API keys, account emails, passwords, etc. Plus, having to wait for videos to render made the process even longer.

To solve his problem, he created a new web extension named Blurweb. According to the website, the extension helps “people doing live screen sharing or recording video to make sure their sensitive information is secure.”

The extension does this by giving you the option to blur out things like inputs, links, email addresses, and images.

So, how does it work?

  1. Once you have the extension, you can go on any webpage and turn it on by clicking on the extension icon.
  2. When the extension is on, a tab with a Turn Off/On, Clear All, and Close option tab pops up.
  3. With the extension on, you can select any element on the page, and the tool will automatically blur it out.
  4. Once the sensitive information you want saved is blurred, you can record or share your screen without having to worry that you’re accidently displaying that information.

If you want to remove the “blur” from your elements, you can select “Clear All” and everything will go back to normal. You can also quickly toggle the tool on and off and close it once you’re finished.

Since Blurweb.app runs as an extension on the web browser, it can work on any website and even works offline. If you’d like to check it out, you preview it on their website here.

Continue Reading

Tech News

Star Citizen: A cautionary tale of Kickstarter and crowdfunding

(TECH NEWS) Why is the most funded game in history still in development and has no clear release date? Why crowdfunding as a concept cannot be seen as reliable from a backer’s perspective.

Published

on

Magnifying glass over Kickstarter URL and site, a crowdfunding website.

Kickstarter – at its core – is a brilliant idea (and I wish I’d thought of it first). Creating a funding platform to literally allow anyone to bring an idea to fruition by asking for – essentially – seed capital and investors en masse via crowdfunding is truly appealing in every sense of the word. Originally a stronghold of new inventions, gadgets, and apparel, it quickly spread into the entertainment industry as well, with hobbyist game developers, auteur filmmakers, and first time writers given the chance to use crowdfunding to breathe life into their creations.

Star Citizen first appeared on the Kickstarter platform way back in 2012 and was hailed as the next great space simulation game. The campaign was started by Chris Roberts – one of the grand masters of the genre – who created the legendary Wing Commander series while working at Origin Systems. While these might be unfamiliar to non-gamers, anyone who played computer and console games in the 80s and 90s would recognize each name as a juggernaut of the industry.

Without going into specifics, this is the equivalent of Steven Spielberg asking for money to make Montana Miles, a new franchise centered around an ace paleontologist and all around tough guy roughneck adventurer who maybe had a run in or two with certain historical societies while pursuing artifacts from an ancient and forgotten world.

Ol’ Steve is definitely gonna get backers. To really set this up, imagine he asked for money in the late 80s. That’s the kind of perfect storm situation we’d have here.

Star Citizen managed to bring in over $2.1 million from nearly 35,000 backers at its inception, and the fervor and excitement was high. This was due to the pedigree of those involved in the project and the fact that a massive space sim had not seen release in several years (the video game industry – like many others – goes through cycles, with certain properties and genres fading into and out of popularity). Fans eagerly donated, and it reached its original $500K goal quickly, with 9 people contributing $10,000 each and another 19 pledging $5,000.

Since then, additional crowdfunding was conducted by giving fans the option to buy ships and other digital goods to be used in-game, bringing the total to $339 million in the past 10 years (accounting for pre-production and other planning that was done prior to the Kickstarter campaign).

Backing up for a second, consider that I just said 10 years. Which doesn’t sound too bad until you consider that the game is still not out and has no projected release date. If you go to their website, you can be directed to their Pledge Store to purchase ships and other items for a game that isn’t even done, and last released new public material way back in 2015. A side project meant to appease and entice backers – Squadron 42 – just announced its own delay.

And the developers have more or less given no reassurance or updated timelines. The prevailing theory is that this is the result of feature creep, but even this has sparked a number of heated discussions and angry denial from the developers.

Understandably, gamers are angry, and are (perhaps justifiably) lashing out (I won’t link to Reddit or any other forums, but it’s easy to sniff these out). There’s even a (hilarious) Imgur repository of broken promises and failed deliverables against a backdrop of developer feel-good rhetoric. At least one lawsuit has been filed.

Let me take a moment here to say that the gaming industry is no stranger to delays, and has also seen games be released in broken states. The biggest recent example is Sony pulling Cyberpunk 2077 from its digital storefront and offering refunds. Cyberpunk 2077 is the biggest and most anticipated game at the moment, but has been delayed countless times, suffered numerous glitches, crashes, is otherwise unplayable on console platforms (both the Playstation 4 and Xbox One), and been called a disaster.

Let’s not even go into talking about the legacy of delayed games, which stretches from Daikatana, Duke Nukem Forever, No Man’s Sky (though it should be noted that Hello Games has worked tirelessly to rectify the game’s original dismal state against its many, many promises)… The list goes on.

But we’re getting a little off course here by looking at traditionally funded games (even if there are dozens of problems there too). In terms of pure Kickstarter-funded debacles? There’s lots of examples, including DoubleFine’s Broken Age (famous for being the first major game to be crowdfunded and a story in and of itself), SpaceVenture (now over seven years late), and whatever it was that Yogscast game was trying to do (relevant because this was one of the biggest Youtube groups at the time). What about when backers paid for the Oculus Rift, only to have it purchased
outright by Facebook before it was even released to backers?

There’s too many fascinating and infuriating rabbit holes to go through.

So let’s talk about Kickstarter directly for a bit, because if we’re going to play the blame game (hah!), then we certainly need to consider their participation. As it stands, Kickstarter continues to operate with almost no oversight, and has remained a silent and invisible actor throughout these failures. In effect, they are a neutral third party.

Even worse, Kickstarter themselves say that a creator is under zero obligation to complete their project, and relies heavily on the fact that each and every crowdfunding campaign functions in a benefit of the doubt construct. If a creator reaches funding and is never heard from again, Kickstarter maintains that not only will they not pursue any kind of legal action, but doubles down on blaming the investing audience by stating that they knew the risks upfront. Put bluntly: Kickstarter has a very convenient excuse that “art works by different rules.”

In almost all instances, this has resulted in incomplete and abandoned projects, often fueled by lies, deception, and fraud. And yet, Kickstarter has dodged any and all liability, and it’s unlikely that backers can easily exercise any kind of legal action. A similar situation would be taking a contractor to court over an unfinished job, but having no way to actually enforce restitution even under a favorable judgement.

This doesn’t even take into account that there’s a chance of a rogue backer voicing so much dissatisfaction that they sue a company into bankruptcy. Sure, this sounds like reasonable punishment, is entirely legal, and conceivably is well within the rights of that person. But even so, does the blame lie with an inexperienced creator, impossibly high standards set by a (debatably unreasonable) customer, or with Kickstarter being an enabler?

The lofty goals of Kickstarter set against this backdrop of numerous pitfalls suddenly tarnishes its efficacy and integrity, exacerbated by a laundry list of what ifs and potentialities. There’s simply too many legal issues to navigate when it comes to crowdfunding.

I’m not even going to start going into more examples of failed Kickstarter projects, outright scams, and other clear cut bits of fraud and swindling.

Real quick, I want to mention a few other things – similar crowdfunding platforms such as Indiegogo have the same issues, GoFundMe is not without its own controversies, and Valve’s digital marketplace Steam gives developers the same loophole via its Early Access program by allowing them to keep a game in a forever-limbo state.

So I guess the lesson here is that all of these crowdfunding platforms should be treated with a similar attitude you might have when playing the lottery. At the least, try to vet the creator beforehand, as there are certainly viable companies that have run successful campaigns in the past. I encourage you to read user comments on a campaign’s page, research the company in question (have they put out successful products previously?), and be financially ready to lose the money you might put into a shiny new hypothetical.

Continue Reading
Advertisement

Our Great Partners

The
American Genius
news neatly in your inbox

Subscribe to our mailing list for news sent straight to your email inbox.

Emerging Stories

Get The American Genius
neatly in your inbox

Subscribe to get business and tech updates, breaking stories, and more!