
Logging in, signing on and entering passwords or one-time PIN codes are barriers to optimal end-user and enterprise experiences. Existing biometrics solutions do not solve this problem (due mainly to hardware limitations), but there are some interesting technologies emerging which, if you can manage to get past the Minority Report feeling, stand to vastly improve mobile security.
Case in point, mobile identity protection service EyeVerify has announced a beta of its EyePrint Verification System - an impressive replacement for entering passwords on smartphones.
The program is designed to help application developer participants integrate, test and deploy EyeVerify's mobile authentication solution. The program essentially provides access to the company's technology, which uses the built-in cameras of smartphone devices to image and 'pattern match' the unique veins in the whites of users' eyes. The beta includes prototype applications, SDK access, technical and engineering support, along with quality assurance test plans and results.
"We're living in a world where we conduct our lives online and on the go, and yet we're plagued by password sprawl and identity theft and fraud," said Chris Barnett, EyeVerify's EVP of Global Sales and Marketing. "Eyeprinting solves this issue and, unlike other biometric verification offerings, is the first and only reliable mobile security solution that does not require additional hardware to deploy."
The PCI Security Standards Council (PCI SSC) has released new guidelines to help e-commerce merchants keep their customers' data safe.
The digital security landscape is a complicated one where the roles, risks and responsibilities of involved parties can quickly become muddled. That confusion, of course, can lead to stagnation when it comes to finding (and implementing) fixes - on both an individual site and industry level.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council.
Over 60 organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering e-commerce solutions; and how to determine their PCI DSS scope.
The guide, which comes at a time when e-commerce fraud is rising, includes an overview of e-commerce and PCI DSS and outlines common vulnerabilities in e-commerce that merchants should consider when developing or choosing e-commerce software and services.
The guidelines also include best practice recommendations on securing ecommerce environments and a checklist of responsibilities that outlines, when payments are outsourced, which elements of security the merchant and the payments company are responsible for.
“This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
E-commerce retailers need to prepare their websites for not only an increase in traffic and conversions this holiday season, but also for online fraudsters.
While retailers should always watch out for cybersecurity threats during the holiday season, the growing usage of mobile makes this more important than ever before. This is because the number of transactions that originate from a mobile device has been on an uptick, and retailers who don’t have a system in place to manually accept or reject suspicious transactions increase the risk of fraud.
“Mobile consumers typically store their credit card information in retail accounts, rather than entering the information during each transaction, making online retail account takeovers more profitable, and therefore, more attractive to fraudsters,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “During the holiday season in particular, consumers find it much more convenient to keep credit card information stored online as they make such a high volume of purchases. This is especially risky if consumers use the same email address and password for several websites – doing so initiates a trail of destruction that is equivalent to unlocking every door in the house, easily allowing criminals to hack numerous accounts at once.”
According to cybercrime prevention solutions provider ThreatMetrix, account takeover is among the biggest security threats attributed to the rising usage of mobile. This is because many retailers don’t have a mobile security strategy set in place and are not equipped to efficiently secure a large volume of mobile transactions during Black Friday and Cyber Monday, which could make consumers’ account and credit card credentials vulnerable. Furthermore, retailers should watch out for “clean fraud,” which often passes security screens and appears to be a legitimate transaction, but is really a fraudster who is hiding behind a virtual private network (VPN) – making it difficult for retailers to identify authentic transactions.
“Cybersecurity should be a top priority for retailers this Black Friday, Cyber Monday and the rest of the holiday season,” said Faulkner. “Especially with so many consumers traveling at this time, retailers need to put forth extra effort to assure transactions are originating from authentic networks. The last thing retailers and consumers want is to wake up on Black Friday with a ‘turkey hangover’ and a compromised credit card.”
In order to provide its customers with real-time alerts that tell them when the websites protected by their SSL Certificates are compromised and used to support phishing attacks, certification authority GlobalSign has partnered with Internet services provider Netcraft.
The GlobalSign Netcraft Phishing Alert service will first tell GlobalSign when one of its customers’ websites is being used to support phishing attacks, and the company will then immediately notify and advise the customers on remediation steps so they can quickly fix the problem and stop the attack. And, if GlobalSign discovers that a site has been created specifically for malicious intent, it will revoke its certificate.
This service, the first of its kind, means customers can maximize their investment in GlobalSign with additional security against these highly prevalent, not to mention persistent, criminal attacks. For a partner, Netcraft was an ideal selection, as it continually produces an updated phishing feed (one that is currently used by all of the major Web browsers), and it has blocked more than 5 million phishing attacks to date.
Websites are required to have an SSL Certificate to activate the SSL/TLS technology built into a browser or server. Once it’s activated, it will provide an encrypted link between the browser and server to secure transactions or data submission. As SSL trust signals are meant to inspire confidence in users, it can be especially disastrous for consumers and website owners if a site is compromised and used to deploy phishing pages. Luckily for GlobalSign customers, the GlobalSign Netcraft Phishing Alert will significantly reduce their risk of becoming victims of such an attack.
In order to fight the battle of Distributed Denial of Service (DDoS) attacks, at-risk businesses need to be armed with the same tools as the bad guys.
Prolexic Technologies, a DDoS mitigation service provider, announced it has added an extensive glossary of DoS and DDoS terms to its online Knowledge Center, which will help Web workers understand the tools and methods hackers use to target organizations.
"When faced with a DDoS attack, confusion can quickly set in, especially when an organization's key IT personnel are unavailable," said Stuart Scholly, Prolexic's president. "Decision makers typically aren't familiar with these terms, but have to act fast. This glossary provides one more tool to help them promptly assess the situation and take appropriate action to mitigate any damage."
More than 60 common acronyms and technical terms used to describe these attacks are defined in the Glossary of Terms. The need for Web workers to familiarize themselves with these terms is growing, as according to the Prolexic Security Engineering & Response Team, such DDoS attacks increased 10 percent in Q2 2012.
"Malicious hackers already know this stuff," said Scholly. "They know the difference between a Layer 4 and a Layer 7 attack. When businesses and media can speak their language, too, it becomes more difficult to catch a potential target off guard."
ControlScan, a provider of Payment Card Industry (PCI) compliance and security services for small and medium-sized online businesses, has announced its purchase of cloud-based secure payments solution CRE Secure.
The acquisition will allow ControlScan to considerably reduce the "scope" of PCI compliance for its merchants.
CRE Secure was already a level-one PCI Data Security Standard (DSS) certified service provider. It gives users a hosted payment page powered by patent-pending HTML cloning technology for a consistent consumer experience, and a secure e-commerce solution for merchants that is PCI-compliant.
By combining an already PCI-compliant object, such as a credit card form, with a merchant’s site template, merchants can simplify the compliance process by outsourcing consumer payment data to CRE Secure, putting their website out of the scope of PCI regulations, since it will not actually store, process or transmit cardholder information. This allows them to host their site wherever they want and save a lot of money on those annual PCI scans.
CRE Secure is based on a unified technology that utilizes a single cloud-based system to support a merchant’s payment channels, which includes everything from online, mobile and even mail/telephone orders. E-commerce sites can even take advantage of plug-ins that allow them to connect with their favorite payment processors and existing solutions, to create a seamless, secure customer experience that is light on the merchant’s wallet, too.
All of this is good news for ControlScan and the merchants who use their services, as CRE Secure technology and existing partnerships will now complement ControlScan solutions, opening up new opportunities in the card-not-present (CNP) space. ControlScan also hopes to build upon the current CRE Secure product.
Major tech firms including Google, Facebook and Microsoft have teamed together to fight email phishing scams. Members say the partnership will lead to better email security and protect users and tech brands from fraudulent messages.
The group, which calls itself DMARC (for Domain-based Message Authentication, Reporting & Conformance), says it wants to help reduce email abuse by standardizing how email receivers perform authentication. Now, email senders will get consistent authentication results for their messages at Gmail, Hotmail, AOL and any other email receiver using DMARC.
Email phishing scams are messages designed to trick recipients into providing personal information by replying to the messages or clicking on links. The emails look like they come from a legitimate sender, often featuring brand logos and mimicking the format and language of authentic messages.
With the rise of social media and e-commerce sites, spammers and phishers have "a tremendous financial incentive" to compromise user accounts, leading to theft of passwords, bank account information and credit card numbers, DMARC said.
"Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands," the group said. "Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users."
Other companies involved in DMARC include Bank of America, LinkedIn, PayPal and Yahoo.
– Andrea Chang
Image: Screen shot of the companies involved in DMARC. Credit: DMARC
MegaUpload, one of the world's largest file-sharing websites, was shut down Thursday by the U.S. Department of Justice, which accused it of violating piracy and copyright laws.
In an indictment, the Justice Department alleged that MegaUpload was a "mega conspiracy" and a global criminal organization "whose members engaged in criminal copyright infringement and money laundering on a massive scale."
The Justice Department said MegaUpload, which had about 150 million users, tallied up harm to copyright holders in excess of $500 million by allowing users to illegally share movies, music and other files. Prosecutors said in the indictment that the site's operators raked in an income from it that topped $175 million.
MegaUpload was just one of the many services that allow for the easy sharing of large files online. Others include sites such as Mediafire and Rapidshare and cloud storage services that allow for shared folders such as Box.net and Dropbox.
One way MegaUpload differentiated itself was with its online marketing campaign that featured celebrities such as rapper/producers Kanye West, Lil' Jon, Sean "Diddy" Combs and Swizz Beats stating in YouTube videos why they loved using the site. Other videos feature tennis star Serena Williams, boxer Floyd Mayweather Jr., Def Jam Records founder Russell Simmons and director Brett Ratner testifying to their use of MegaUpload.
The release of the Justice Department indictment came after dozens of websites, led by tech heavyweights Wikipedia, Craigslist, Mozilla and Google, altered their websites to protest two anti-piracy bills under consideration on Capitol Hill: the Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA).
Critics of the bills say the proposed laws would give the Justice Department the ability to censor the Internet by giving the agency clearance to shut down a site without having to get court approval of an indictment, as it did with MegaUpload. Although the indictment was unsealed Thursday, it was issued by a federal court in the Eastern District of Virginia on Jan. 5, the agency said.
In a statement issued with the indictment, the Justice Department said "this action is among the largest criminal copyright cases ever brought by the United States and directly targets the misuse of a public content storage and distribution site to commit and facilitate intellectual property crime."
The Justice Department said that at its request, authorities arrested three MegaUpload executives — officially employed by two companies, Megaupload Ltd. and Vestor Ltd. — in New Zealand, including the site's founder, Kim Dotcom, who was born Kim Schmitz. The agency is also looking to arrest two additional executives.
The indictment charges the two companies with running a "racketeering conspiracy, conspiring to commit copyright infringement, conspiring to commit money laundering and two substantive counts of criminal copyright infringement."
According to the Associated Press, before the MegaUpload site was shut down Thursday, a statement was posted on the site saying the allegations made against it were "grotesquely overblown" and that "the vast majority of Mega's Internet traffic is legitimate, and we are here to stay. If the content industry would like to take advantage of our popularity, we are happy to enter into a dialogue. We have some good ideas. Please get in touch."
Visits to Megaupload.com on Thursday showed the website as unable to load. The Justice Department had ordered the seizure of 18 domain names it linked to the alleged wrongdoing.
[Updated at 3:42 p.m.: As noted by Times reporter Ben Fritz on our sister blog Company Town, the hacker group Anonymous has allegedly lobbed a denial-of-service attack that has temporarily taken down the websites for the Department of Justice and Universal Music as a move in retaliation for the shutdown of MegaUpload. Forbes is reporting that the same attack has struck the sites for the Recording Industry of America and the Motion Picture Assn. of America.]
[Updated at 3:50 p.m.: The Twitter accounts @YourAnonNews and @AnonOps are taking credit on behalf of Anonymous for the web attacks on the websites of the Justice Department, Recording Industry of America, Motion Picture Assn. of America and Universal Music.]
– Nathan Olivarez-Giles
Zappos.com, the popular online shoe site, was the victim of a cyber attack by a hacker who gained access to part of the company's internal network through one of its servers, Chief Executive Tony Hsieh said in an email to employees Sunday.
Hsieh said the Henderson, Nev., company was cooperating with law enforcement to undergo "an exhaustive investigation" and that the database that stores customers' credit card and other payment data was not affected or accessed.
"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh said in a separate email to customers. "Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this."
The company said it would notify the more than 24 million customer accounts in its database about the incident and provide instructions on how to choose a new password; the company has already reset and expired existing passwords.
In the email to shoppers, Zappos said customers' personal information — including their name, email address, billing and shipping addresses, phone number, the last four digits of their credit card number and/or the cryptographically scrambled password on their account — may have been compromised.
"In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers," Hsieh said. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume."
The company is directing customer concerns and questions to an internal Web page.
Zappos, which sells shoes and has since expanded to other retail categories, was bought by Amazon.com in 2009. The company has become known for its customer service and for its quirky company culture led by Hsieh — including head-shaving events, impromptu parades around the cubicles and employee birthday pranks.
– Andrea Chang
Top photo: Zappos' company headquarters in 2010. Credit: Isaac Brekken / For The Times
Lower photo: Zappos Chief Executive Tony Hsieh. Credit: Isaac Brekken / For The Times
Hackers based in China reportedly pulled off a massive Web attack against the U.S. Chamber of Commerce lobbying group, which resulted in access to a significant number of confidential emails and documents.
Unnamed sources told both Bloomberg and the Wall Street Journal that the security breach took place in 2010 and gave the hackers access to information belonging to the Chamber's 3 million members.
The chamber, the U.S.' largest business lobbying group, is still investigating the attack, both reports said.
The strike is believed to be one in a wave of Web attacks from hackers based in China, along with previously reported hackings against "U.S. companies, business associations, and lobbying groups involved in trade policy associated with China," Bloomberg said.
Officials at the Chamber of Commerce were unavailable for comment on Wednesday.
According to the Journal's report, the chamber hasn't yet determined how much of its data was viewed or taken by the hackers, though evidence has been found that "hackers had focused on four chamber employees who worked on Asia policy, and that six weeks of their email had been stolen."
It is also possible that the hackers, who investigators suspect may have ties to the Chinese government, "had access to the network for more than a year before the breach was uncovered, according to two people familiar with the chamber's internal investigation," the Journal said.
— Nathan Olivarez-Giles
Image: A screenshot of www.uschamber.com, the website of the U.S. Chamber of Commerce lobbying group. Credit: U.S. Chamber of Commerce
Two weeks after the Carrier IQ dust storm, in which an unknown California company was found to have data-collection software embedded on tens of millions of smartphones, one of the company's main allies is taking a step back.
Sprint Nextel Corp. is now saying that it has "disabled use of" the Carrier IQ software. Importantly, that doesn't mean they have turned off or deleted the data collection software from your phone. Instead, the company is using the term "disabled" to mean that it is no longer accessing data from the Carrier IQ program, even though that program is still operational on your mobile device.
"We have weighed customer concerns and we have disabled use of the tool so that diagnostic information and data is no longer being collected," wrote Sprint spokeswoman Stephanie Vinge in an email. "We are further evaluating options regarding this diagnostic software as well as Sprint’s diagnostic needs."
In late November, when the furor originally broke out, Sprint came to Carrier IQ's aid, noting that "Carrier IQ is an integral part of the Sprint service" and that "Sprint relies on Carrier IQ to help maintain our dependable network performance.”
But now, in the wake of congressional inquiries and a nasty public relations storm, it seems the company has reconsidered the value of Carrier IQ.
Image: A Sprint storefront in New York City. Sprint says it has disabled use of Carrier IQ software. Credit: Stephen Yang/Bloomberg
Just in time for the holidays, language services solutions provider TransPerfect has announced PCI DSS certification for making online transactions more secure over multilingual e-commerce sites.
Carrier IQ, the beleaguered online metrics company that has been accused of installing spy software on millions of smartphones, has broken its silence to say the critics have it wrong.
"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the company said in a statement released late Thursday.
The firm's defense came as politicians and privacy organizations continued to question the little-known Mountain View, Calif., company, which designs communications analysis software used by some of the largest U.S. wireless carriers, including AT&T, Sprint and T-Mobile. The carriers say data collected on their behalf by Carrier IQ helps them improve their service.
Last week, a 25-year-old system administrator named Trevor Eckhart released a video (above) purporting to show Carrier IQ's app recording smartphone users' every keypress, and implying that the company was therefore able to intercept users' private communications.
But security researchers have disagreed with conclusions drawn from Eckhart's analysis.
"It's not true," said Dan Rosenberg, a senior consultant at Virtual Security Research, who said the video shows only diagnostic information and at no point provides evidence the data is stored or sent back to Carrier IQ.
"I've reverse engineered the software myself at a fairly good level of detail," Rosenberg said. "They're not recording keystroke information, they're using keystroke events as part of the application."
The difference is subtle but important. To perform commands, applications need to know which buttons a user has pushed: Your email app needs to know when you tap the reply button, and your phone app needs to know which numbers you press in order to dial. Applications therefore pay attention to which buttons a user is pressing.
But listening for a button press does not mean an application is therefore sending a record of those button presses back to the company, researchers said.
System-related apps like Carrier IQ often allow users or phone engineers to tap a series of keys in order to bring up administrative options or to display information on the phone's performance. In order to show that data, apps need to know the correct code was tapped in — by identifying specific key presses, as it is shown doing in the video.
But Rosenberg said his look at the Carrier IQ program revealed "a complete absence of code" that would indicate key presses were being tracked and recorded or sent over the Internet by the phone.
Instead, the readouts on Eckhart's video that occur when he presses keys are "debugging messages" — informational feedback meant to help smartphone programmers verify that their applications are working correctly. In this case, Carrier IQ's developers appear to have set up the program to display a diagnostic message when a key is pressed or when a text message is sent.
"It's just spitting debug messages to the internal Android log service," said Jon Oberheide, a co-founder of Duo Security. "It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystrokes, SMS messages or Web browsing session content are being transferred off the device."
Carriers like AT&T, T-Mobile and Sprint have long disclosed that they collect and store information about users' locations, phone records and text messages. But what appeared to unnerve consumers and privacy observers was the possibility that the companies had gone a step further and were monitoring nearly every action a user performed on the phone.
That claim set off alarms among phone users, privacy advocates and now Sen. Al Franken (D-Minn.), who demanded Thursday that Carrier IQ explain its software and the types of data it collected.
Though Carrier IQ denied it collected message text and other personal communications, it did note that it gathers "intelligence on the performance of mobile devices" and sends it to wireless carriers. The company said little more about the specific types of data it does collect, whether users can opt out of the collection or how long the company keeps collected data.
– David Sarno
Video: Trevor Eckhart's video about Carrier IQ.
Research In Motion announced on Tuesday that it will soon launch software that will bring security and management features once only found on BlackBerrys over to Android and iOS phones and tablets.
The new tools, which RIM is calling BlackBerry Mobile Fusion, will allow businesses to set up and control Apple's iPhone and iPad, as well as smartphones and tablets running Google's Android operating system, as they have done for years with BlackBerry phones and more recently, the slow-selling PlayBook tablet.
"We are pleased to introduce BlackBerry Mobile Fusion — RIM's next generation enterprise mobility solution — to make it easier for our business and government customers to manage the diversity of devices in their operations today," said Alan Panezic, RIM's vice president of enterprise product management and marketing, in a statement.
"BlackBerry Mobile Fusion brings together our industry-leading BlackBerry Enterprise Server technology for BlackBerry devices with mobile device management capabilities for iOS and Android devices, all managed from one web-based console," Panezic said. "It provides the necessary management capabilities to allow IT departments to confidently oversee the use of both company-owned and employee-owned mobile devices within their organizations."
In announcing Mobile Fusion, RIM touted itself as "the leading provider of enterprise mobility solutions with over 90 percent of the Fortune 500 provisioning BlackBerry devices today," a nod to its still-large market share of the business market for smartphones.
But the Canadian company also acknowledges that when it comes time for consumers to buy phones and tablets for themselves, they're increasingly choosing rival devices and then bringing those gadgets into the workplace.
"The enterprise market for smartphones and tablets continues to grow in both the company-provisioned and employee-owned (Bring Your Own Device or BYOD) categories," RIM said. "BYOD in particular has led to an increase in the diversity of mobile devices in use in the enterprise and new challenges for CIOs and IT departments as they struggle to manage and control wireless access to confidential company information on the corporate network. This has resulted in increased demand for mobile device management solutions."
Among the features RIM said Mobile Fusion will offer for Android and iOS phones and tablets is the management and configuration of devices, as well as security features such as remote locking and data wiping, the creation of multiple user profiles on shared devices, app management and control over how a device connects to the Internet, among other settings.
While some would seem to love having an iPhone or an Android that's as secure and easy to manage at the scale a large business would require, others, such as ReadWriteWeb, have asked if RIM isn't "shooting itself in the foot with Mobile Fusion?"
GigaOm described RIM's stance with Mobile Fusion as "If you can't beat iOS and Android devices in the market, you might as well secure them."
Currently, Mobile Fusion is in "early beta testing with select enterprise customers," RIM said. But the company is accepting "customer nominations for the closed beta program which will start in January." The commercial rollout of Mobile Fusion isn't expected until late March.
— Nathan Olivarez-Giles
Photo: An Apple iPhone 4S. Credit: Robert Galbraith / Reuters
Dedicated Server Provider Checklist
I recently read with interest an article on pcmag.com which gave advice on what to look for when buying a server. The comments were well thought through for those purchasing their own server – perhaps for installation into an on-site corporate data center. For those who need to rent a dedicated server from an external hosting provider, there are a few other important items to consider. The following is a list to refer to when contemplating selecting and using a dedicated server provider. Thanks go out to dedicated server provider 34SP.com for contributing expertise to this piece.
* Security
A top priority for those outsourcing their servers is security. The data and processes most frequently running on dedicated servers are mission-critical to businesses or contain highly sensitive corporate or consumer information. There are specific security requirements for the most sensitive data, such as credit card transactions. For example, it is well known that to process credit cards one needs a secure certificate, often referred to as an SSL certificate. Any hosting provider can accommodate this requirement; however, you will also want the hosting provider to be PCI compliant. You can read all the details on PCI compliance on the website of the PCI Security Standards Council. You can visit the TrustWave website if you need to buy an SSL certificate.
The other important security issues revolve around malicious activity – someone hacking your server. No hosting provider or server will ever be completely immune to malicious activity. There are simply too many exploits, worms, DDoS attacks and brute-force password attacks to thwart them all 100 percent of the time. That being said, you should select a dedicated server provider that is hyper-vigilant about the security of your server and will jump in very quickly to resolve any issues. You can assess the company’s security preparedness by asking for an outline of their security practices and the steps they take in the event of an incident.
* Backups and Recovery
In the unfortunate event that your server is compromised at some point, you will need to recover your data and processes quickly to minimize the damage. While every hosting provider touts its ability to back up and recover data, it is well worth your time to investigate these processes thoroughly. For example, how often are backups made? Also important – look for a company that has off-site backups. This matters in the event of a facility emergency such as fire or flood. Your server and/or hard drives may be damaged, and if the backups are sitting right next to the server in the data center, then the backups may be destroyed as well. Then you are stuck. If the data is backed up off-site, there is a much better chance that the initial disaster will not affect your ability to get your server back up quickly. Of course, you will also want to create your own backups of your critical data and rely on the hosting provider's backups only as a last resort. This gives you an added layer of redundancy.
* Connectivity and Reliability
If you have your own corporate data center, then all the myriad issues of Internet connectivity and reliability are covered. With an external dedicated server provider, however, the reliability of the server hardware is only as good as the reliability of the network and connectivity. That is, if your server is unable to connect to the Internet for any reason, then your server is down. Any decent dedicated server provider will use capable hardware and switches, so it is usually how the network is configured and how traffic is routed that makes the difference. There is also the question of multiple redundant bandwidth providers and the ability to switch seamlessly between them in the event of a connectivity disruption. To judge a service provider on this metric, look for third-party independent measurements of uptime and reliability such as Netcraft.com. The company publishes a list of the most reliable websites each month, as rated by connectivity failures observed from a network of collector sites distributed around the globe. You can also view a real-time list of hosting providers' network performance. Be certain to select a dedicated server provider with a low network failure rate – otherwise your server will be subject to unwanted downtime.
* Server Maintenance
There are two types of server administrators: hands-on and hands-off. You should know which category you fall into. Your server will require patches and updates from time to time. The server will undoubtedly need rebooting occasionally. There will be rogue processes that need chasing down and correcting. Also, as mentioned above, someone needs to be hyper-vigilant regarding server security. If you are hands-on, then you will be fine with an unmanaged server. The unmanaged server saves money in that the responsibility for the admin tasks lies squarely with the user. If you are hands-off, then you need a managed server provider who will carry out the tasks necessary for the proper maintenance of the server for you. With a managed server the monthly service fees may be slightly higher to account for an engineer’s time to maintain your server; however, this frees you up to do other important tasks for your business. So in the end the costs are really not that different.
* Service and Support
The cornerstone of all the above considerations is the service and support provided by the Linux dedicated server provider. You are resting the future of your business in the hands of your hosting provider. You need to be confident that they will come through for you during an emergency – and there will be an emergency. In fact, there will be many emergencies over the life of your server – some small and some more serious. It is imperative that the service and support are of the highest order. Look for a provider with a dedicated server engineer on call 24 x 7 x 365 at the other end of a phone call. You can assess a provider's capabilities through online forums such as webhostingtalk.com, by searching for the provider’s name on Google, or by using a Twitter real-time search for the brand name.
Spamming Techniques That You Should Avoid
There are many ways to spam search engines and trick search engine spiders in order to increase traffic to websites. These methods are collectively known as ’search engine spamming.’ Let’s look at the most common ones more closely:
* Keyword Stuffing
This is the repeated use of a word or phrase in order to make a page look more relevant. There is a legitimate way to include keywords in a webpage: determine your exact keywords and work them into the page in different ways.
* Invisible Text
In this method, spammers insert text consisting of repeated keywords into a webpage. The distinguishing feature is that the text is colored to match the page background, so that it is invisible to ordinary users.
* Tiny Text
Many times, spammers use a tiny font size to hide their content. Sites that do this repeatedly may be penalized by search engines.
* Page Spoofing / Meta Refresh / Redirection
This is a technique that automatically redirects users to a different webpage. Usually, spammers create a separate page for particular keywords, so when users click on the link, they are taken to a different page whose content has no relation to the keywords. Therefore, most search engines simply reject such pages.
* Meta Tag Stuffing
Adding keywords to a webpage's meta tags, without going to excess, is an accepted way to make a page easier to find. However, many people stuff in high-traffic keywords that are not related to the webpage in any way.
Common spam indexing techniques fall into content spam and link spam. Content spam includes keyword stuffing, hidden or invisible text, meta tag stuffing, gateway or doorway pages, scraper sites and article spinning. Link spam includes hidden links, link building using automated software, page hijacking, cookie stuffing, Sybil attacks and link farms.
Other spam indexing techniques include cloaking and URL redirection.
The Botnet Frenzy Requires Titanium Strong Internet Security
A zombie is a computer that has been infected with malware that gives an attacker complete control over it. Tens of thousands of computers are infected with some type of botnet or ‘bot’ software, and computers that have been infected are generally referred to as ‘zombies.’
Criminals are able to access lists of ‘zombie’ PCs and activate them to help execute denial-of-service attacks against various websites, host phishing sites or send out spam email messages. Trying to trace an attack back to its original source is usually futile: the trail ends at another victim's machine rather than at the criminal.
How do you know if your computer is infected? If you notice anything odd as you are working, such as a computer that seems to slow down or crash for no reason, there might be malware running in the background. You need to scan your computer with a current version of your anti-virus software to detect malware. Zombies are used extensively to send out email spam.
In fact an estimated 80 percent of all spam worldwide was sent by zombie computers. This is what enables spammers to avoid detection. Spam greatly furthers the spread of Trojan horse computer viruses, which rely on the movement of emails or spam to grow.
Zombies can also be used to conduct distributed denial-of-service attacks, where a large number of zombie computers make simultaneous requests of a website’s server with the intention of crashing the server, thereby preventing legitimate users from accessing the website.
There is a variant of this type of attack known as distributed degradation-of-service. Committed by “pulsing” zombies, distributed degradation-of-service is the moderated and periodical flooding of websites, done with the intent of slowing down rather than crashing a victim site. The effectiveness of this tactic springs from the fact that intense flooding can be quickly detected and fixed, but pulsing zombie attacks and the resulting slow-down in website access can go unnoticed for months or years.
You should make sure to have the latest anti-virus software, install firewalls, and make sure you always delete suspicious email messages. Cloud technology automatically stops viruses and spyware before they reach your computer. This is a new way to protect your computer and it won’t slow you down.
Anti-virus software should have the following features:
- Real-time updates to safeguard you from the latest online threats, today and in the future.
- Light use of system resources, so your PC runs faster.
- An easy-to-use and easy-to-understand design, with simple screens and graphical reports.
- Spam blocking.
- Parental controls to keep kids safe online.
10 Free Ways to Help Prevent Malware Threats
It seems that every day there is a new virus, spyware or adware threat. What are you doing to protect your personal data and identity? Here are ten free ways a home user can protect his or her personal computer from online malware threats.
1. Use anti-virus software, keep it up-to-date and run scans regularly
There are many choices of software out there; some cost money, others are free for home users. If you are a home user I recommend AVG Anti-Virus. AVG can be set up to update itself, scan incoming email for potential viruses and run periodic scans. In other words, AVG does not require much user intervention at all. It has a clean, well laid out user interface and is really quite simple to use.
To download AVG or view an entire list of free anti-virus applications, go to our free anti-virus software page.
2. Use anti-spyware software, again, keep it up-to-date and run scans regularly
My personal favorites in this department are SpyBot Search & Destroy, AdAware, Windows Defender and HiJackThis, all of which are free for home users. I have found that running Spybot Search & Destroy, AdAware and Windows Defender will pick up most, if not all, spyware threats. For a more advanced tool you can use HiJackThis, but I recommend finding an online forum where you can post your HiJackThis log so a professional can analyze the file and let you know what is safe to remove. I have used Spybot Search & Destroy, AdAware and Windows Defender to remove infections from many computers. Running these programs while in Safe Mode seems to be most effective. To learn how to start a computer in Safe Mode, go here.
To read more about the above mentioned free spyware detection/removal applications go to our free anti-spyware software page.
3. Keep your computer’s operating system up-to-date
If you are running Windows XP this is a fairly simple process using Windows' built-in feature called Windows Update:
a) Click on the “Start” menu and choose “Control Panel”.
b) Double-click the “System” Control Panel and click the “Automatic Updates” tab.
c) Check the box that says “Keep my computer up to date”.
d) Under “Settings” choose “Automatically download the updates and install them on the schedule that I specify”.
e) Now choose a convenient time for Windows to update your computer.
f) Click the “Apply” button and then click “OK” to close the window.
4. Do not open email attachments from unknown sources
Email is probably one of the most common ways to pick up a computer virus. Imagine this: an email comes into your inbox from an unknown sender, and the attachment is called freemoney.txt.exe. You see the .txt file extension and think that the file must be safe because it’s only a text file, so you decide to open the attachment. Within seconds your computer is infected by a Trojan, and without your knowledge your computer sends a virus-infected email to all of the contacts in your address book. As a result, your friends open the attachment, their computers get infected, they send the infected message to all the contacts in their address books, and so on... In other words, your computer can become part of the larger problem. This can be avoided by making sure that you know who is sending you the attachment and that the file is indeed safe.
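The freemoney.txt.exe trick relies on the real extension being the last one. Here is an added example (not from the original article) of the check a mail filter or a cautious user can apply to an attachment name; the extension lists are a constructed, non-exhaustive subset.

```python
"""Flag attachment names that hide an executable extension behind a
harmless-looking one, as in freemoney.txt.exe.

Added illustration; the extension sets below are a constructed subset,
not an authoritative list.
"""

# Extensions Windows will run directly when double-clicked (constructed subset).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "msi"}
# Extensions a casual reader takes for ordinary documents or pictures.
BENIGN_LOOKING_EXTENSIONS = {"txt", "pdf", "doc", "docx", "jpg", "jpeg", "png", "gif", "xls"}


def attachment_risk(filename: str) -> str:
    """Classify an attachment filename.

    Returns:
      'disguised-executable' - an executable extension hidden behind a benign one
      'executable'           - a plain executable attachment
      'ok'                   - neither of the above
    The check is case-insensitive, ignores trailing whitespace and strips any
    directory part, because 'FREEMONEY.TXT.EXE ' is as dangerous as the lowercase form.
    """
    name = filename.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "ok"  # no extension at all
    if parts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"
    # Two or more extensions, with a document-like one just before the executable one.
    if len(parts) >= 3 and parts[-2] in BENIGN_LOOKING_EXTENSIONS:
        return "disguised-executable"
    return "executable"


if __name__ == "__main__":
    for sample in ["freemoney.txt.exe", "report.pdf", "setup.exe", "photo.jpg.scr"]:
        print(f"{sample}: {attachment_risk(sample)}")
```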
5. Use passwords that are not easy to guess and change them frequently
Do not use your first name, phone number, dog's name, etc. as your password. Choose something that is unique to you. Use a combination of letters (both uppercase and lowercase), numbers, symbols and punctuation if you can. For example, using ‘3eRz17b’ as a password would be more difficult to guess than ’spot’. Change your online banking passwords, computer login passwords and email passwords frequently. Keep your passwords safe, and don’t write them down on paper and tape it to your computer monitor. I know that this seems like common sense, but I had to mention it.
6. Do not download free software unless you have verified that it is legitimate
There are many websites online that exist simply to infect your computer. If you see something that you want to download, type the name into a Google search box and see what others have to say about it. Gather up a few sources and be certain that it’s safe to install. The time you take to verify the legitimacy of the software will probably be much less than the time it would take to clean viruses and spyware from your computer.
7. Use a software firewall
A firewall is exactly what it sounds like – a barrier between your computer and the Internet (but we are not talking about protection from fires!). A good firewall monitors both incoming and outgoing network traffic. Windows XP and Vista both have built-in firewalls, but they only monitor incoming traffic. I recommend a program called Zone Alarm. Zone Alarm is free for personal use. It’s simple to configure and offers solid protection from unwanted Internet traffic. There are many other free firewalls out there. Read more about Zone Alarm and other free options here.
8. Stay away from ‘questionable’ websites
Plain and simple, if you are going to visit ‘the dark side of the web’ you run the risk of infection.
9. Be wary of pop-ups
Do not click any button in the pop-up for example: do not use the ‘Close’ or ‘Cancel’ buttons, or the Close box that may appear in the upper-right corner of the window. Closing a pop-up in that way could potentially install a virus or other malicious software on your computer. To close a pop-up ad, press Ctrl-W.
10. Back up your data regularly
This is self-explanatory: keep backups of your personal data. There are many cost-effective ways to do this; do some research and develop a plan to back up your data frequently, preferably on some form of external media such as DVD, CD or an external hard drive. For more on how to back up data, see this tutorial.
Are Your Websites Secure Or Is The Back Door Wide Open?
One of the topics that all of us online business people are aware of but usually don’t feel totally on top of is website security.
Coming from a background of having spent over 20 years in the U.S. military, and having spent four years as a software tester, I have a greater awareness of the need for continuous vigilance in this area than your average marketer.
I also know that you can never make your websites or your computers completely secure. Instead, you can only do things that reduce the risk.
Given that you spend a lot of time, money, and energy, building your online business, it only makes sense that you set aside time periodically to review security related issues, and to look for problems that can be easily minimized.
Here are a few easy “fixes” that you can implement today that will increase the security of your online business.
1) Delete outdated scripts that you no longer use from your server. Many of “the bad guys” have studied the exact same scripts that you use to power your websites, and they know where the backdoors and vulnerabilities are. They know exactly which file will allow them to create all kinds of havoc.
If you have old programs on your server that you are not using, simply delete them.
2) Update older scripts that you are using. Often, the reason that updates are released for a script IS to patch a vulnerability that the developer has become aware of.
YES, upgrading can seem time consuming, and it can be tempting to skip an update, and just wait for the next one. When you wake up one day and can’t access your server, or all of your websites have been defaced or erased, you’ll see the wisdom in ALWAYS keeping the scripts powering your websites completely updated.
If you are as non-techie as I am, you simply hire a trusted programmer to perform this task.
3) Change the default settings when installing scripts on your servers. Many scripts ship with default passwords, and default locations for the critical directories that make them work. Since everyone who obtains a copy of these scripts has the same settings, you will want to change them, and you may also want to rename certain directories.
4) Secure your web logs. Many web hosts have a standard location for the website’s logs and statistics on each hosting account. The files that allow you to access, read, download, and manipulate this data often aren’t secured. At a minimum, password protect that directory.
The danger in someone readily accessing your logs is that they can see the names and paths of the files on your server, including your download pages and the file names of files that may actually be products for sale.
There are not only people who search on your product name, looking for unsecured files – there are also people who enjoy posting those links on sites where this type of information is shared.
5) Put an index page in every directory on your server. If someone browses to the URL of one of the directories on your server and there is no index page in that directory, they will get a directory listing… showing them all of the files in that directory and allowing them to simply click on a file name to access it.
Servers can be configured to prevent this, but for many people, the quickest and simplest way to protect their directories from prying eyes is to stick an index page in each directory.
6) Give your download pages hard-to-guess names. Don’t use URLs like YourDomain.com/ProductName/download.html. Instead, give download pages names made up of a random sequence of letters and numbers, perhaps put them in directories not even associated with a given product, or use a “download guard”-type script that gives each customer a unique download link and protects your files.
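One way to build the “download guard” described in point 6, as an added example that is not the article's code or any particular product: each link carries an HMAC signature bound to the order and product, so it cannot be guessed, edited to fetch a different product, or reused after it expires. SECRET_KEY and the order values are constructed placeholders; the server keeps the real files outside the web root and serves them only after a link verifies.

```python
"""Per-customer, expiring download links (added illustration).

A link is a query string: order=...&product=...&expires=...&sig=...
The signature is an HMAC over the other three fields, so no field can be
altered without invalidating the link. SECRET_KEY is a constructed placeholder.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

SECRET_KEY = b"replace-with-a-long-random-server-secret"  # constructed placeholder
LINK_LIFETIME = 24 * 3600  # seconds a link stays valid after issue


def _signature(order_id: str, product: str, expires: int) -> str:
    """HMAC-SHA256 over the fields that must not be tampered with."""
    msg = f"{order_id}|{product}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_download_link(order_id: str, product: str, now: Optional[int] = None) -> str:
    """Issue the query string for one customer's purchase.

    The product name is part of the signed data, so a link for 'ebook'
    cannot be edited into a link for 'video'.
    """
    issued = int(time.time()) if now is None else int(now)
    expires = issued + LINK_LIFETIME
    sig = _signature(order_id, product, expires)
    return urlencode({"order": order_id, "product": product, "expires": expires, "sig": sig})


def verify_download_link(query: str, now: Optional[int] = None) -> Optional[str]:
    """Return the product to serve if the link is genuine and unexpired, else None."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        expires = int(params["expires"])
        expected = _signature(params["order"], params["product"], expires)
    except (KeyError, ValueError):
        return None  # missing or malformed field
    # Constant-time comparison so timing differences do not leak the signature.
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return None
    current = int(time.time()) if now is None else int(now)
    if expires < current:
        return None  # link has expired; customer must request a fresh one
    return params["product"]


if __name__ == "__main__":
    link = make_download_link("ORD-1001", "ebook")
    print(link)
    print("verified product:", verify_download_link(link))
```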
3 Critical Alerts Regarding Your Website Legal Forms For Privacy and Data Security
Website privacy and data security violations continue to be the most critical legal concern for webmasters of software-as-a-service (SaaS) websites and ecommerce websites.
Just think about it – most marketing practices involve capturing data, including personal information about prospects, and using this data to market products or services.
How you collect, store, use, and share this information is now highly regulated, not only by the Federal Trade Commission (FTC), but also by various states. What you say in your website legal forms, website legal documents, and privacy policies is critical.
Three recent legal developments illustrate why webmasters of SaaS websites and ecommerce websites should monitor and stay current with these developments, or suffer severe consequences.
* New Massachusetts Data Security Statute
Effective March 1, 2010, the Commonwealth of Massachusetts imposes new data security requirements for personal information of Massachusetts residents (201 CMR 17.00). The new requirements apply to all persons or businesses that “own, license, store or maintain personal information about Massachusetts residents.”
“Personal information” includes a Massachusetts resident’s name if linked to his/her social security number, driver’s license or state ID card number, or financial account/credit/debit card number that would allow access to the resident’s financial records.
If you’re regulated by the new statute, you’re required among other things to develop and maintain a data security policy and to require encryption “to the extent technically feasible” of the storage and transmittal of personal information regardless of whether the storage is electronic or the transmittal is by portable device (laptop or handheld device) or over public networks or the Internet.
Penalties and fines for violations are $100 per person affected with a maximum cap of $50,000.
* FTC Issues Guides for Peer-to-Peer Networks
On February 22, 2010, the Federal Trade Commission (FTC) announced that it had notified almost 100 organizations — including large and small private and public companies, schools, and local governments – that their customers’ or employees’ personal information was vulnerable on peer-to-peer (P2P) networks.
The FTC was concerned that P2P networks operated by these organizations may inadvertently be providing an opening for unintentional access to personal information. According to FTC Chairman Jon Leibowitz, “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”
In addition to the notification letters, the FTC issued a guide on its ftc.gov website entitled “Peer-to-Peer File Sharing: A Guide For Business”. The guide provides data security recommendations including identification of security risks and steps to protect personal information from unauthorized access on P2P networks.
* ControlScan CEO Pays $102,000 in FTC Settlement
On February 25, 2010 the FTC announced a settlement with ControlScan.com of FTC charges that ControlScan had misled consumers about how often ControlScan monitored websites, including steps taken by ControlScan to verify the websites’ privacy and security practices.
The founder and former CEO of ControlScan entered into a separate settlement requiring him to pay $102,000 in ill-gotten gains.
Privacy and security certification programs such as ControlScan are used by webmasters to provide assurance to consumers regarding how the website treats the privacy and security of personal information. The FTC alleged that ControlScan provided its certifications to websites with “little or no verification” of their privacy protections.
Most of these website documents and legal forms should be posted on the website, and therefore would be visible to any potential joint venture partner checking out your website.
This case underscores how seriously the FTC views the privacy and security of personal information stored on websites, as well as how closely the FTC is observing representations regarding privacy and security. The FTC is on the lookout not only for websites that misrepresent what they do regarding privacy and security, but also for what certification websites represent that other websites do about privacy and security.
* Conclusion
The worst mistakes an ecommerce webmaster can make are to have “borrowed” a privacy policy from someone else or to have an outdated privacy policy that either does not make the required disclosures or misrepresents what the website does regarding privacy and security.
SaaS-eCommerce Sites: Twitter Case Provides Critical Lessons in Administrative Security
In June, 2010, the Federal Trade Commission (FTC) settled charges that Twitter’s micro-blogging site had engaged in lax security practices that amounted to “unfair and deceptive trade practices”.
While previous cases brought by the FTC for lax security procedures focused on lax electronic controls, the Twitter case focused on lax administrative controls. Webmasters of SaaS and ecommerce sites who fail to learn and apply the critical lessons of the Twitter case do so at their peril.
- Twitter Case Facts – Two Hacks
The FTC’s complaint against Twitter alleged that lax administrative controls for data security permitted at least two hackers to acquire administrative control of Twitter resulting in access to private personal information of users, private tweets, and most surprising – the ability to send out phony tweets.
Here’s how the hackers got access to Twitter. According to the FTC, hacker no. 1 was able to hack in by using an automated password guessing tool that sent thousands of guesses to Twitter’s login form. The hacker found an administrative password that was a weak, lowercase, common dictionary word, and with it the hacker was able to reset several user passwords which the hacker posted on a website that others could access and use to send phony tweets.
Hacker no. 2 compromised the personal email account of a Twitter employee and learned of the employee’s passwords that were stored in plain text. With these passwords, the hacker was then able to guess the similar Twitter administrative passwords of the same employee. Once into Twitter, the hacker reset a user’s password and was able to access the user information and tweets for any Twitter user.
- Twitter Settlement Lessons
The FTC noted that Twitter’s website privacy policy promised: “We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
Focusing on Twitter’s administrative controls (more accurately on the lack thereof), the FTC alleged that Twitter failed to take reasonable steps to:
* Require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
* Prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
* Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
* Provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
* Enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
* Restrict access to administrative controls to employees whose jobs required it; and impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
* The FTC settlement included (among other things) the requirement that Twitter set up and manage a comprehensive data security policy that will be reviewed by an independent auditor periodically for ten years.
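Two of the controls on the FTC's list above, a lockout after a fixed number of failed attempts and a refusal to accept weak administrative passwords such as lowercase dictionary words, look like this in code. This is an added illustration, not Twitter's code or anything from the settlement; the word list, thresholds and account records are constructed.

```python
"""Administrative login controls from the FTC's list (added illustration).

- password_policy_errors: rejects short, single-case, digit-free or common-word passwords
- attempt_login: locks the account after MAX_FAILED_ATTEMPTS consecutive failures,
  which is what defeats an automated guessing tool sending thousands of attempts.
All values below are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List

MAX_FAILED_ATTEMPTS = 5  # "a reasonable number of unsuccessful login attempts"
COMMON_WORDS = {"password", "welcome", "letmein", "sunshine", "monkey"}  # constructed sample


def password_policy_errors(candidate: str) -> List[str]:
    """Return every reason a proposed admin password is unacceptable (empty list = OK)."""
    errors = []
    if len(candidate) < 12:
        errors.append("shorter than 12 characters")
    if candidate.lower() in COMMON_WORDS:
        errors.append("common dictionary word")
    if candidate.islower() or candidate.isupper():
        errors.append("single case only")
    if not any(c.isdigit() for c in candidate):
        errors.append("no digit")
    return errors


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: stored passwords are never kept in plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_admin(username: str, password: str) -> AdminAccount:
    """Create an account, refusing any password that fails the policy."""
    errors = password_policy_errors(password)
    if errors:
        raise ValueError("weak password: " + ", ".join(errors))
    salt = os.urandom(16)
    return AdminAccount(username, salt, _hash(password, salt))


def attempt_login(account: AdminAccount, password: str) -> bool:
    """Check a password and lock the account after too many consecutive failures.

    A locked account rejects even the correct password until an administrator
    resets it, so a guessing tool gains nothing by continuing.
    """
    if account.locked:
        return False
    if hmac.compare_digest(account.pw_hash, _hash(password, account.salt)):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


if __name__ == "__main__":
    print(password_policy_errors("welcome"))  # every rule fails for a lowercase common word
    acct = create_admin("ops", "Tr0ub4dor-Corr3ct")
    for guess in ["welcome", "password", "letmein", "monkey", "sunshine", "Tr0ub4dor-Corr3ct"]:
        print(guess, attempt_login(acct, guess), "locked=" + str(acct.locked))
```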
- Conclusion
The FTC represents consumer interests to prevent fraudulent, deceptive, and unfair business practices. Privacy and data security have been high-priority issues for the FTC, as evidenced by the 30 cases brought over the last few years for lax data security practices.
In its investigations of data security cases, the FTC looks at two standards:
* What the FTC considers as “standard, reasonable” security procedures, and
* What a website’s privacy policy promises to consumers regarding data security.
If the website’s actual data security practices do not measure up to either of these standards (a worst-case scenario would be the failure to measure up to both), the FTC concludes that the website has engaged in lax security practices that amount to “unfair and deceptive trade practices”. A complaint and costly lawsuit may follow.
The reason that the FTC publishes the results of its settlements is to provide lessons to others regarding what the FTC regards as an “unfair and deceptive trade practice”.
Do you know if your site measures up to the two standards?
Effective Ways to Optimize Security in IT
Chances are your computer network or PC has been attacked at some point or another. Perhaps a worm caused your system to slow down severely, a virus erased your entire hard drive, or malware plagued your registry and browser, leaving you helpless and frustrated. What you probably learned from these attacks was how or where to find a quick fix, while your overall security remained unchanged. What you may not know is that there are a few fundamental practices relating to hardware, software and people that can help to improve or optimize the safety level of your computer network and personal system. These practices are sound, easy to implement and highly effective.
* On the Hardware/Software Side
While they may appear relatively basic at the onset, some practical measures should be taken to not just establish and maintain but also to increase ongoing security to computer hardware and software. Failure to adhere to these measures or ways of implementing security can potentially lead to disaster. Of course, you can further add to or enhance these measures depending on your particular situation–such as budget restraints, time-frame, etc.
Specifically, you will want to:
- Upgrade or replace: Older hardware can malfunction and become unstable; older software can have security holes and vulnerabilities or could fail to properly integrate with newer technologies.
- Patch up and harden: Whether it’s a domain controller or your home PC, install anti-virus software, configure a firewall, update the OS using service packs and remove unnecessary services.
- Limit access: Keep the system away from prying eyes and unauthorized users. Implement strong passwords; use encryption. Locks and biometrics are strongly recommended, too.
- Monitor regularly: Make a habit of watching network activity and reading system logs to find inconsistencies and unusual traffic patterns.
- Maintain good backups: Back up often and always verify your backups. Keep one or more copies off-site, if possible.
* On the People Side
When it comes to security, people usually are the weakest link in the chain. They can be lazy, indifferent, uninformed or represent some other security liability. Because you, too, may possibly exhibit such characteristics and behaviors yourself, here are ways to address these people problems and successfully increase and ensure IT security. For example, you should:
- Establish controls: Rules and policies can help to specify what is or isn’t acceptable use. Enforce them. Be prompt at acting on the slightest deviation.
- Train and educate: You and your staff can never be too knowledgeable about the newest technologies or the latest types of attacks–worms, viruses, Trojans, malware and others. Be prepared to learn and learn to be prepared.
- Be safety aware: Don’t expose yourself or your systems to potential attacks by linking to questionable websites. And, opening an email attachment from an unknown source could quench much more than sheer curiosity.
- Go “long” on commitment: Engage people by assigning them (or yourself) duties and responsibilities with realistic goals and rewards. Foster loyalty and support alongside accountability for non-performance.
Experiencing a malicious attack is often the result of weak or ineffective security practices. And while finding a quick solution to the attack may be the expected reaction, it is not necessarily the only or best course of action in securing PCs and networks. There are far more sensible and fundamental ways to implement and address security in relation to the hardware, software and people involved in day-to-day operations. It is, in fact, by applying those ways and practices that you can effectively and successfully improve upon and optimize security in IT.