
Thursday, 5 September 2013

Survey: Almost 90 percent of Internet users have taken steps to avoid surveillance

A majority of U.S. Internet users polled in a recent survey report taking steps to remove or mask their digital footprints online, according to a report from the Pew Research Center’s Internet Project and Carnegie Mellon University.

While 86 percent of the Internet users polled said they made some attempt to hide what they do online, more than half of the Web users also said they have taken steps to avoid observation by organizations, specific people or the government, according to the survey.

The survey’s findings are based on telephone interviews among a sample of 1002 adults, age 18 or older in July, with 792 Internet users among the respondents.

People use a variety of measures to decrease their online visibility, the study showed. The most popular one is clearing cookie and browser history, which 64 percent of Internet users polled said they did. Forty-one percent said they deleted or edited something they had posted in the past and 41 percent said they disabled or turned off their browsers’ use of cookies, Pew said.

Other measures taken to cloak online activity were not using websites that asked to disclose a user’s real name (36 percent of users polled), using a temporary user name or email address (26 percent), and posting comments without revealing who you are (25 percent). Twenty-one percent of the Internet users polled said they had asked others to remove something that was posted about them.

Some Internet users also use public computers to browse and give inaccurate information about themselves, while 14 percent said they at times encrypt email and 14 percent said they use services like virtual networks or proxy servers such as Tor anonymity software, which allow them to browse without being tied to a specific IP address, the survey found.

Beyond general measures taken to go online more or less anonymously, the majority of Internet users polled (55 percent) have tried to avoid observation by specific people or groups. “Hackers, criminals and advertisers are at the top of the list of groups people wish to avoid,” Pew said.

But a minority of Web users said they tried to hide their online activities from certain friends, people from their past, family members or partners as well as their employers, coworkers, supervisors, companies, people that might want payment for downloaded files and to a lesser extent the government (5 percent) and law enforcement (4 percent).

However, despite these precautions 21 percent of the online adults polled said they have had an email or social media account hijacked and 11 percent said they have had vital information like Social Security numbers, bank account data, or credit cards stolen.

Discovering that many Internet users have tried to conceal their identity or their communications from others was the biggest surprise to the research team, they said in a news release. Not only hackers, but almost everyone has taken some action to avoid surveillance and despite their knowing that anonymity is virtually impossible, most Internet users think they should be able to avoid surveillance online, they said.

Most U.S. citizens would like to be anonymous and untracked online, at least every once in a while, but many think it is not possible to be completely anonymous online, Pew said. “This reinforces the notion that privacy is not an all-or-nothing proposition for internet users. People choose different strategies for different activities, for different content, to mask themselves from different people, at different times in their lives,” the researchers wrote.

One of the most revealing contradictions in the results of the survey is that those who have taken steps to try to avoid observation by others and those who have taken more general steps to be anonymous are more likely than others to have personal information posted online, the researchers said.

Internet users surveyed said they have a photo of themselves online (66 percent), while about half of those polled said their birth date was available online. A minority said that their email address, home address, mobile number or political affiliation was available.

A majority of Web users polled, 66 percent, said they think current privacy laws are not good enough to provide reasonable protections for people’s privacy on their online activities.

“Interestingly, there are not noteworthy differences in answers to this question associated with political or partisan points of view. Tea Party supporters, conservative Republicans, self-described moderates, and liberal Democrats are not statistically significantly different in their answers,” the researchers wrote.

Loek Essers focuses on online privacy, intellectual property, open-source and online payment issues.
More by Loek Essers, IDG News Service



Monday, 2 September 2013

Even suspicious email is too tempting to skip, survey finds

In a study conducted by TNS Global for Halon, an email security service, 30 percent of those surveyed admitted they would open an email, even if they were aware that it contained a virus or was otherwise suspicious.

The study included only 1000 adults within the U.S., so this isn't a national index by any means. But of those surveyed, one in 11 admitted to having infected their system after they opened a malicious email attachment. Given the fact that email is still an easy way for attackers to gain access to the network, often via social engineering (phishing/spear phishing), the survey's results are somewhat alarming.

The reasons given for accessing the messages are telling: For women, the survey results marked messages containing invitations from social networks as the most alluring, while men were tempted by messages with the time-tested suggestions of money, power, and sex. More often than not, the malicious messages claimed to be from banking institutions (15.9 percent), social media sites like Facebook or Twitter (15.2 percent), and online payment services, like PayPal (12.8 percent).

According to the stats from the Anti-Phishing Working Group (APWG), in its 2013 First Quarter report, there were more than 74,000 unique phishing campaigns discovered during the reporting period, leveraging over 110,000 hijacked domains and targeting more than 1100 brands.

Based on the data reported by the APWG and various security vendors, phishing kits are rather inexpensive and the time to develop a workable campaign is rarely longer than a few hours. So the numbers mean that the attack surface is large, and the pool of potential victims is rather full. Combine this with a reported 30 percent success rate, and the criminals behind these campaigns are more than likely pleased with their return on investment.

Still, Halon's study is focused on the consumer, so how do these figures translate to the corporate world? The simple answer is directly, because users who open malicious attachments at home are often the ones who do so at the office too.

To be sure though, CSO contacted two experts on the topic of social engineering: Chris Hadnagy, the President and CEO of Social-Engineer, Inc.; and David Kennedy, the creator of the Social Engineer Toolkit and the founder of TrustedSec. We asked them a few questions about what they do and their opinions about the Halon study.

"It is important to remember that as an attacker, often, all I need is one person with a vulnerable browser or software or client and that can give me access to click. So from an attacker's perspective, a 30 percent success rate is a great number for broad attacks," Hadnagy said.

In agreement, Kennedy said that when his firm stages attacks against large organizations, with customers in the Fortune 50 to Fortune 1000, their success ratio is around 94 percent. The difference between what he does for his customers and what the criminals are doing with the previously mentioned malicious messages is focus.

The attackers in the Halon study are casting a wide, generic net for victims, and are still able to pull a 30 percent success rate. Those numbers will only climb if the messages are less generic and more finely tuned.

"It only takes about an hour or so to craft up a 'pretext' or attack that we know will be believable. It only takes the employee to believe the fantasy is real in order for them to click something...these are completely obscure emails that have no relevance or believability in a lot of cases and it's still a 30 percent success ratio...For us, the attacks have moved from the external perimeter to the [social engineering] route because of the ROI," Kennedy said.

In their day-to-day work, both Kennedy and Hadnagy seek to lower the ROI many attackers are seeing through social engineering. Each of their respective firms uses ongoing training and education in order to accomplish this. Humans are the weakest link in the security chain, so there isn't an appliance or solidly technical control available to prevent focused phishing attacks (spear phishing) or to stop someone from doing as the attacker has asked one-hundred percent of the time.

"I think the alarming trend in all of this is that we are literally defenseless right now with our current technology or procedures to handle these types of attacks," Kennedy explained.

"The problem with this one is that no piece of technology can fix this alone. It's a coupling of education and awareness, handling procedures, and technical controls on the user population. Our daily lives revolve around opening up emails at a rapid response rate, clicking just this one or that one has no relevance anymore and to take a few extra seconds to review the email isn't part of our daily tasks."

What about the topics of the messages referenced in the study, and the brands represented, is that typical? According to Hadnagy, when humans see emails that hit on things that are on our minds, we're more inclined to click.

"It is basic psychology that they use social media for women and money/power/sex for men as lures... Although highly targeted attacks may use a different lure, tuning into the psychology of the intended victim plays a significant role in a successful lure," he said.

Adding a corporate example to this, Kennedy told the story of one campaign where they used the customer's health benefits program as a lure. The point, he explained, is that whenever an attacker can impact someone personally, there is a higher degree of success. Health benefits issues would impact someone personally, and they fall in-line with normal day-to-day business operations, so as expected, people took the bait.

"If health benefits are in jeopardy and they need to do something that will take two minutes out of their lives to remediate and fix, they will do it without rhyme, reason or thought," Kennedy said.

"[Social engineering] is effective, it's the most effective, and has the most ROI for an attacker. The reason we don't hear about these more in the news is that we have nothing to detect these attacks. We're already compromised, we've already experienced it, and we just don't know it yet."

How serious is this threat? Serious enough that even the professionals can be caught by social engineering tactics. As previously covered on CSO, Hadnagy ran the Social Engineer Capture the Flag (SECTF) contest at DEF CON this year. While answering our questions for this story, he shared an interesting anecdote.

As he was preparing for the DEF CON contests and a four-day training class at Black Hat, Hadnagy had made a large number of purchases from Amazon in order to procure the supplies needed. To make things easy, said supplies were then shipped to the hotels in [Las Vegas].

"Rushed, behind the 8-ball and trying to get 500 things done at once I [wasn't] thinking when I received an email that said: 'One of your Amazon Purchases was declined...'. I almost clicked through until I double-checked the URL and saw it went to a [domain] in Russia," he explained.

"Even someone who does this for a living can fall for these things. Why? We are all human. No one is 100 percent all the time. Condition, psychology, curiosity, fear, greed—these are common themes that attract and make us react. I think this sounds typical for most people."

