UpGuard Blog

Does filling out an online survey in exchange for a few bucks sound too good be true? For ClixSense users, this is turning out to be the case: last week, the leading paid-to-click (PTC) survey firm admitted to a massive data breach involving virtually all of its users' accounts—roughly 6.6 million records in total. With so many giving in to the allure of easy money, PTC firms should be on top of securing privileged data of survey takers they're bankrolling. Let's find out how the top 5 compare when it comes to fulfilling this critical responsibility.

For Spotify CEO Daniel Ek, the goal for the rest of 2016 should be simple: don’t rock the boat. The Swedish music streaming service, which is widely expected to go public late next year, is already locked in enough significant conflicts to occupy most of Ek’s waking hours.

Essential to enterprise security, or a waste of time? Security professionals' opinions regarding penetration testing (pen testing) seem to fall squarely on either side of the spectrum, but—as with most IT practices—its efficacy depends on application and scope.  And while pen testing alone is never enough to prevent data breaches from occurring, information gleaned from such efforts nonetheless play a critical role in bolstering a firm's continuous security mechanisms.

Leading cloud storage provider Dropbox is arguably having its worst month since launching back in 2007—but with over half a billion users, it's somewhat surprising that serious issues have only begun to surface between the ubiquitous service and the people trusting it with their files. First, in a recent announcement reminiscent of LinkedIn's latest data breach fiasco, Dropbox announced several weeks ago that over 68 million emails and passwords were compromised in a previously disclosed 2012 data breach. And now, security experts are criticizing the company for misleading OS X users into granting admin password access and root privileges to their systems. What recourse do consumers have when cloud services providers "drop the box" on security, or even worse—when their actions directly jeopardize the users they're supposed to protect?

As election year moves into the final stretch, news coverage wouldn't be complete without another mention of a politically motivated data breach or cybersecurity incident. Of course, several months ago the DNC's emails were compromised by hackers, resulting in the theft and exposure of 19,000 hacked emails and related documents. This pales in comparison, however, to the recent FBI announcement of data breaches involving both Illinois and Arizona's voter registration databases. If the controls critical to securing election systems continue to fail, how can participants in the democratic process be sure that their votes won't be hijacked?

When you use the internet, your computer has a conversation with a web server for every site you visit. Everything you submit in a form, any data you enter, becomes part of that conversation. The purpose of encryption is to ensure that nobody except you and the server you’re talking to can understand that conversation, because often sensitive information such as usernames and passwords, credit card data, and social security numbers are part of that conversation. Eavesdropping on these digital conversations and harvesting the personal information contained therein has become a profitable industry. But encryption isn’t an on/off switch. It requires careful configuration. In other words, the padlock isn’t always enough.

Organizations often regard cybersecurity as a series of barricades protecting the inner workings of the data center from attacks. These barricades can be hardware or software and take actions such as blocking ports, watching traffic patterns for possible intrusions, encrypting communications and so forth. In practice, these measures are only part of a comprehensive cybersecurity strategy, and by themselves will do little to bolster the overall resilience of an organization. But thoroughly tested and streamlined procedures within IT operations can prevent the most common attack point on the internet: misconfigurations.

Our new digital reputation scan provides a fast and easy way to get a risk assessment for your (or any) business. We look at the same stuff that other external risk assessment tools do– SSL configurations, breach history, SPF records and other domain authenticity markers, blacklists and malware activity. We're happy to offer this service for free, because that information is public and we believe that it's what's inside that really matters. Most of the elements we include in our external assessment are not controversial, but one resulted in arguments lasting several days: the CEO approval rating.

In selecting which checks would go into our risk assessment, we here at UpGuard looked at similar site assessment tools and selected only the checks that we thought were relevant to our goal: risk assessment, which overlaps with, but isn't identical to, website best practices. Plus, there are already fine tools for performing those best practices functions, so why duplicate them? We also intentionally omitted checks we thought would not be significant for calculating the risk of data breach and the damage it would cause.

If you regularly use a computer, chances are you spend at least part of your time reading internet news. If you have a subscription, you might even log in and enter your payment info. But how secure are news sites? Here at UpGuard, we took a look at six of the top news media sites on the internet to see how their security stacked up. Many big names had low scores, while a few did very well. What does this mean for the average online news reader?

Years ago, our company set out with a mission to solve a problem of trust between software developers and admins. We knew the problem existed firsthand—at our old jobs in a large Australian bank, one of us had been developing software and the other managing operations. We had a disagreement about how to proceed with a deployment. Dev insisted everything was ready but Ops pushed back, saying there was not enough information to trust the changes about to take place. We each saw merit in the other's argument and knew this had to be happening everywhere, so we left our 9-to-5's to build a solution.