Logging in, signing on and entering passwords or one-time PIN codes are barriers to optimal end-user and enterprise experiences. Existing biometrics solutions do not solve this problem (due mainly to hardware limitations), but there are some interesting technologies emerging which, if you can manage to get past the Minority Report feeling, stand to vastly improve mobile security.
Case in point, mobile identify protection service EyeVerify has announced a beta of its EyePrint Verification System - an impressive replacement for entering passwords on smartphone.
The progam is designed to help application developer participants integrate, test and deploy EyeVerify's mobile authentication solution. The program essentially provides access to the copany's technology which uses built-in cameras with smartphone devices to image and 'pattern match' the unique veins in the white's of user's eyes. The beta includes prototype applications, SDK access, technical and engieering support, along with quality assurance test plans and results.
"We're living in a world where we conduct our lives online and on the go, and yet we're plagued by password sprawl and identity theft and fraud," said Chris Barnett, EyeVerify's EVP of Global Sales and Marketing. "Eyeprinting solves this issue and, unlike other biometric verification offerings, is the first and only reliable mobile security solution that does not require additional hardware to deploy."
The PCI Security Standards Council (PCI SSC) has released new guidelines to help e-commerce merchants keep their customers' data safe.
The digital security landscape is a complicated one where the roles, risks and responsibilities of involved parties can quickly become muddled. That confusion of course, can lead to stagnation when it comes to finding (and implementing) fixes - on both an individual site and industry level.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised, said Bob Russo, general manager, PCI Security Standards Council.
Over 60 organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
The guide, which comes at a time when ecommerce fraud is rising, includes an overview of ecommerce and PCI DSS. and outlines common vulnerabilities in ecommerce that merchants should consider when developing or choosing ecommerce software and services.
The guidelines also include best practice recommendations on securing ecommerce environments and a checklist of responsibilities that outlines, when payments are outsourced, which elements of security the merchant and the payments company are responsible for.
“This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
E-commerce retailers need to prepare their websites for not only an increase in traffic and conversions this holiday season, but also for online fraudsters.
While retailers should always watch out for cybersecurity threats during the holiday season, the growing usage of mobile makes this more important than ever before. This is because the number of transactions that originate from a mobile device has been on an uptick, and retailers who don’t have a system in place to manually accept or reject suspicious transactions increase the risk of fraud.
“Mobile consumers typically store their credit card information in retail accounts, rather than entering the information during each transaction, making online retail account takeovers more profitable, and therefore, more attractive to fraudsters,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “During the holiday season in particular, consumers find it much more convenient to keep credit card information stored online as they make such a high volume of purchases. This is especially risky if consumers use the same email address and password for several websites – doing so initiates a trail of destruction that is equivalent to unlocking every door in the house, easily allowing criminals to hack numerous accounts at once.”
According to cybercrime prevention solutions provider ThreatMetrix, account takeover is among the biggest security threats attributed to the rising usage of mobile. This is because many retailers don’t have a mobile security strategy set in place and are not equipped to efficiently secure a large volume of mobile transactions during Black Friday and Cyber Monday, which could make consumers’ account and credit card credentials vulnerable. Furthermore, retailers should watch out for “clean fraud,” which often passes security screens and appears to be a legitimate transaction, but is really a fraudster who is hiding behind a virtual private network (VPN) – making it difficult for retailers to identify authentic transactions.
“Cybersecurity should be a top priority for retailers this Black Friday, Cyber Monday and the rest of the holiday season,” said Faulkner. “Especially with so many consumers traveling at this time, retailers need to put forth extra effort to assure transactions are originating from authentic networks. The last thing retailers and consumers want is to wake up on Black Friday with a ‘turkey hangover’ and a compromised credit card.”
In order to provide its customers with real-time alerts about their SSL Certificates, which tell them when their websites are compromised and used to support phishing attacks, certification authority GlobalSign has partnered with Internet services provider Netcraft.
The GlobalSign Netcraft Phishing Alert service will first tell GlobalSign when one of its customers’ websites is being used to support phishing attacks, and the company will then immediately notify and advise the customers on remediation steps so they can quickly fix the problem and stop the attack. And, if GlobalSign discovers that a site has specifically created for malicious intent, it will revoke its certificate.
This service, the first of its kind, means customers can maximize their investment in GlobalSign with additional security against these highly prevalent, not to mention persistent, criminal attacks. For a partner, Netcraft was an ideal selection, as it is continually produces an updated phishing feed (one that is currently used by all of the major Web browsers), and it has blocked more than 5 million phishing attacks to date.
Websites are required to have an SSL Certificate to activate the SSL/TLS technology built into a browser or server. Once it’s activated, it will provide an encrypted link between the browser and server to secure transactions or data submission. As SSL trust signals are meant to inspire confidence in users, it can be especially disastrous for consumers and website owners if a site is compromised and used to deploy phishing pages. Luckily for GlobalSign customers, the GlobalSign Netcraft Phishing Alert will significantly reduce their risk of becoming victims of such an attack.
In order to fight the battle of Distributed Denial of Service (DDoS) attacks, at-risk businesses need to be armed with the same tools as the bad guys.
Prolexic Technologies, a DDoS mitigation service provider, announced it has added an extensive glossary of DoS and DDoS terms to its online Knowledge Center, which will help Web workers understand the tools and methods hackers use to target organizations.
"When faced with a DDoS attack, confusion can quickly set in, especially when an organization's key IT personnel are unavailable," said Stuart Scholly, Prolexic's president. "Decision makers typically aren't familiar with these terms, but have to act fast. This glossary provides one more tool to help them promptly assess the situation and take appropriate action to mitigate any damage."
More than 60 common acronyms and technical terms used to describe these attacks are defined in the Glossary of Terms. The need for Web workers to familiarize themselves with these terms is growing, as according to the Prolexic Security Engineering & Response Team, such DDoS attacks increased 10 percent in Q2 2012.
"Malicious hackers already know this stuff," said Scholly. "They know the difference between a Layer 4 and a Layer 7 attack. When businesses and media can speak their language, too, it becomes more difficult to catch a potential target off guard."
To view the free glossary, click here.
ControlScan, a provider of Payment Card Industry (PCI) compliance and security services for small and medium-sized online businesses, has announced its purchase of cloud-based secure payments solution CRE Secure.
The acquisition will allow ControlScan to considerably reduce the "scope" of PCI.
CRE Secure was already a level-one PCI Data Security Standard (DSS) certified service provider. It gives users a hosted payment page powered by patent-pending HTML cloning technology for a consistent consumer experience, and a secure e-commerce solution for merchants that is PCI-compliant.
By combining an already PCI-compliant object, such as a credit card form, with a merchant’s site template, merchant’s can simplify the compliance process by outsourcing consumer payment data to CRE Secure, putting their website out of the scope of PCI regulations, since it will not actually store, process or transmit cardholder information. This allows them to host their site wherever they want and save a lot of money on those annual PCI scans.
CRE Secure is based on a unified technology that utilizes a single cloud-based system to support a merchant’s payment channels, which includes everything from online, mobile and even mail/telephone orders. E-commerce sites can even take advantage of plug-ins that allow them to connect with their favorite payment processors and existing solutions, to create a seamless, secure customer experience that is light on the merchant’s wallet, too.
All of this is good news for ControlScan and the merchants who use their services, as CRE Secure technology and existing partnerships will now complement ControlScan solutions, opening up new opportunities in the card-not-present (CNP) space. ControlScan also hopes to build upon the current CRE Secure product.
Major tech firms including Google, Facebook and Microsoft have teamed together to fight email phishing scams. Members say the partnership will lead to better email security and protect users and tech brands from fraudulent messages.
The group, which calls itself DMARC – for Domain-based Message Authentication, Reporting & Conformance — says it wants to help reduce email abuse by standardizing how email receivers perform authentication. Now, email senders will get consistent authentication results for their messages at Gmail, Hotmail, AOL and any other email receiver using DMARC.
Email phishing scams are messages designed to trick recipients into providing personal information by replying to the messages or clicking on links. The emails look like they come from a legitimate sender, often featuring brand logos and mimicking the format and language of authentic messages.
With the rise of social media and e-commerce sites, spammers and phishers have "a tremendous financial incentive" to compromise user accounts, leading to theft of passwords, bank account information and credit card numbers, DMARC said.
"Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands," the group said. "Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users."
Other companies involved in DMARC include Bank of America, LinkedIn, PayPal and Yahoo.
– Andrea Chang
Image: Screen shot of the companies involved in DMARC. Credit: DMARC
MegaUpload, one of the world's largest file-sharing websites, was shut down Thursday by the U.S. Department of Justice, which accused it of violating piracy and copyright laws.
In an indictment, the Justice Department alleged that MegaUpload was a "mega conspiracy" and a global criminal organization "whose members engaged in criminal copyright infringement and money laundering on a massive scale."
The Justice Department said MegaUpload, which had about 150 million users, tallied up harm to copyright holders in excess of $500 million by allowing users to illegally share movies, music and other files. Prosecutors said in the indictment that the site's operators raked in an income from it that topped $175 million.
MegaUpload was just one of the many services that allow for the easy sharing of large files online. Others include sites such as Mediafire and Rapidshare and cloud storage services that allow for shared folders such as Box.net and Dropbox.
One way MegaUpload differentiated itself was with its online marketing campaign that featured celebrities such as rapper/producers Kanye West, Lil' Jon, Sean "Diddy" Combs and Swizz Beats stating in YouTube videos why they loved using the site. Other videos feature tennis star Serena Williams, boxer Floyd Mayweather Jr., Def Jam Records founder Russell Simmons and director Brett Ratner testifying to their use of MegaUpload.
The release of the Justice Department indictment came after dozens of websites, led by tech heavyweights Wikipedia, Craigslist, Mozilla and Google, altered their websites to protest two anti-piracy bills under consideration on Capitol Hill: the Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA).
Critics of the bills say the proposed laws would give the Justice Department the ability to censor the Internet by giving the agency clearance to shut down a site without having to get court approval of an indictment, as it did with MegaUpload. Although the indictment was unsealed Thursday, it was issued by a federal court in the Eastern District of Virginia on Jan. 5, the agency said.
In a statement issued with the indictment,the Justice Department said "this action is among the largest criminal copyright cases ever brought by the United States and directly targets the misuse of a public content storage and distribution site to commit and facilitate intellectual property crime."
The Justice Department said that at its request, authorities arrested three MegaUpload executives — officially employed by two companies, Megaupload Ltd. and Vestor Ltd. — in New Zealand, including the site's founder, Kim Dotcom, who was born Kim Schmitz. The agency is also looking to arrest two additional executives.
The indictment charges the two companies with running a "racketeering conspiracy, conspiring to commit copyright infringement, conspiring to commit money laundering and two substantive counts of criminal copyright infringement."
According to the Associated Press, before the MegaUpload site was shut down Thursday, a statement was posted on the site saying the allegations made against it were "grotesquely overblown" and that "the vast majority of Mega's Internet traffic is legitimate, and we are here to stay. If the content industry would like to take advantage of our popularity, we are happy to enter into a dialogue. We have some good ideas. Please get in touch."
Visits to Megaupload.com on Thursday showed the website as unable to load. The Justice Department had ordered the seizure of 18 domain names it linked to the alleged wrongdoing.
[Updated at 3:42 p.m.: As noted by Times reporter Ben Fritz on our sister blog Company Town, the hacker group Anonymous has allegedly lobbed a denial-of-service attack that has temporarily taken down the websites for the Department of Justice and Universal Music as a move in retaliation for the shutdown of MegaUpload. Forbes is reporting that the same attack has struck the sites for the Recording Industry of America and the Motion Picture Assn. of America.]
[Updated at 3:50 p.m.: The Twitter accounts @YourAnonNews and @AnonOps are taking credit on behalf of Anonymous for the web attacks on the websites of the Justice Department, Recording Industry of America, Motion Picture Assn. of America and Universal Music.]
Zappos.com, the popular online shoe site, was the victim of a cyber attack by a hacker who gained access to part of the company's internal network through one of its servers, Chief Executive Tony Hsieh said in an email to employees Sunday.
Hsieh said the Henderson, Nev., company was cooperating with law enforcement to undergo "an exhaustive investigation" and that the database that stores customers' credit card and other payment data was not affected or accessed.
"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh said in a separate email to customers. "Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this."
The company said it would notify the more than 24 million customer accounts in its database about the incident and provide instructions on how to choose a new password; the company has already reset and expired existing passwords.
In the email to shoppers, Zappos said customers' personal information — including their name, email address, billing and shipping addresses, phone number, the last four digits of their credit card number and/or the cryptographically scrambled password on their account — may have been compromised.
"In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers," Hsieh said. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume."
The company is directing customer concerns and questions to an internal Web page.
Zappos, which sells shoes and has since expanded to other retail categories, was bought by Amazon.com in 2009. The company has become known for its customer service and for its quirky company culture led by Hsieh — including head-shaving events, impromptu parades around the cubicles and employee birthday pranks.
– Andrea Chang
Top photo: Zappos' company headquarters in 2010. Credit: Isaac Brekken / For The Times
Lower photo: Zappos Chief Executive Tony Hsieh. Credit: Isaac Brekken / For The Times
Hackers based in China reportedly pulled off a massive Web attack against the U.S. Chamber of Commerce lobbying group, which resulted in access to a significant number of confidential emails and documents.
The chamber, the U.S.' largest business lobbying group, is still investigating the attack, both reports said.
The strike is believed to be one in a wave of Web attacks from hackers based in China, along with previous reported hackings against "U.S. companies, business associations, and lobbying groups involved in trade policy associated with China," Bloomberg said.
Officials at the Chamber of Commerce were unavailable for comment on Wednesday.
According to the Journal's report, the chamber hasn't yet determined how much of its data was viewed or taken by the hackers, though evidence has been found that "hackers had focused on four chamber employees who worked on Asia policy, and that six weeks of their email had been stolen."
It is also possible that the hackers, who investigators suspect may have ties to the Chinese government, "had access to the network for more than a year before the breach was uncovered, according to two people familiar with the chamber's internal investigation," the Journal said.
— Nathan Olivarez-Giles
Image: A screenshot of www.uschamber.com, the website of the U.S. Chamber of Commerce lobbying group. Credit: U.S. Chamber of Commerce
Two weeks after the Carrier IQ dust storm, in which an unknown California company was found to have data collections software embedded on tens of millions of smartphones, one of the company's main allies is taking a step back.
Sprint Nextel Corp. is now saying that it has "disabled use of" the Carrier IQ software. Importantly, that doesn't mean they have turned off or deleted the data collection software from your phone. Instead, the company is using the term "disabled" to mean that it is no longer accessing data from the Carrier IQ program, even though that program is still operational on your mobile device.
"We have weighed customer concerns and we have disabled use of the tool so that diagnostic information and data is no longer being collected," wrote Sprint spokeswoman Stephanie Vinge in an email. "We are further evaluating options regarding this diagnostic software as well as Sprint’s diagnostic needs."
In late November, when the furor originally broke out, Sprint came to Carrier IQ's aid, noting that "Carrier IQ is an integral part of the Sprint service" and that "Sprint relies on Carrier IQ to help maintain our dependable network performance.”
But now, in the wake of congressional inquiries and a nasty public relations storm, it seems the company has reconsidered the value of Carrier IQ.
Image: A Sprint storefront in New York City. Sprint says it has disabled use of Carrier IQ software. Credit: Stephen Yang/Bloomberg
Carrier IQ, the beleagured online metrics company that has been accused of installing spy software on millions of smartphones, has broken its silence to say the critics have it wrong.
"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the company said in a statement released late Thursday.
The firm's defense came as as politicians and privacy organizations continued to question the little-known Mountain View, Calif., company, which designs communications analysis software used by some of the largest U.S. wireless carriers, including AT&T, Sprint and T-Mobile. The carriers say data collected on their behalf by Carrier IQ helps them improve their service.
Last week, 25-year-old system administrator named Trevor Eckhart released a video (above) purporting to show Carrier IQ's app recording smartphone users' every keypress, and implying that the company was therefore able to intercept users' private communications.
But security researchers have disagreed with conclusions drawn from Eckhart's analysis.
"It's not true," said Dan Rosenberg, a senior consultant at Virtual Security Research, who said the video shows only diagnostic information and at no point provides evidence the data is stored or sent back to Carrier IQ.
"I've reverse engineered the software myself at a fairly good level of detail," Rosenberg said. "They're not recording keystroke information, they're using keystroke events as part of the application."
The difference is subtle but important. To perform commands, applications need to know which buttons a user has pushed: Your email app needs to know when you tap the reply button, and your phone app needs to know which numbers you press in order to dial. Applications therefore pay attention to which buttons a user is pressing.
But listening for a button press does not mean an application is therefore sending a record of those button presses back to the company, researchers said.
System-related apps like Carrier IQ often allow users or phone engineers to tap a series of keys in order to bring up administrative options or to display information on the phone's performance. In order to show that data, apps needs to know the correct code was tapped in — by identifying specific key presses, as it is shown doing in the video.
But Rosenberg said his look at the Carrier IQ program revealed "a complete absence of code" that would indicate key presses were being tracked and recorded or sent over the Internet by the phone.
Instead, the readouts on Eckhart's video that occur when he presses keys are "debugging messages" — informational feedback meant to help smartphone programmers verify that their applications are working correctly. In this case, Carrier IQ's developers appear to have set up the program to display a diagnostic message when a key is pressed or when a text message is sent.
"It's just spitting debug messages to the internal Android log service," sad Jon Oberheide, a co-founder of Duo Security. "It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystrokes, SMS messages or Web browsing session content are being transferred off the device."
Carriers like AT&T, T-Mobile and Sprint have long disclosed that they collect and store information about users' locations, phone records and text messages. But what appeared to unnerve consumers and privacy observers was the possibility that the companies had gone a step further and were monitoring nearly every action a user performed on the phone.
Though Carrier IQ denied it collected message text and other personal communications, it did note that it gathers "intelligence on the performance of mobile devices" and sends it to wireless carriers. The company said little more about the specific types of data it does collect, whether users can opt out of the collection or how long the company keeps collected data.
– David Sarno
Video: Trevor Eckhart's video about Carrier IQ.
Research In Motion announced on Tuesday that it will soon launch software that will bring security and management features once only found on BlackBerrys over to Android and iOS phones and tablets.
The new tools, which RIM is calling BlackBerry Mobile Fusion, will allow businesses to set up and control Apple's iPhone and iPad, as well as smartphones and tablets running Google's Android operating system, as they have done for years with BlackBerry phones and more recently, the slow-selling PlayBook tablet.
"We are pleased to introduce BlackBerry Mobile Fusion — RIM's next generation enterprise mobility solution — to make it easier for our business and government customers to manage the diversity of devices in their operations today," said Alan Panezic, RIM's vice president of enterprise product management and marketing, in a statement.
"BlackBerry Mobile Fusion brings together our industry-leading BlackBerry Enterprise Server technology for BlackBerry devices with mobile device management capabilities for iOS and Android devices, all managed from one web-based console," Panezic said. "It provides the necessary management capabilities to allow IT departments to confidently oversee the use of both company-owned and employee-owned mobile devices within their organizations."
In announcing Mobile Fusion, RIM touted itself as "the leading provider of enterprise mobility solutions with over 90 percent of the Fortune 500 provisioning BlackBerry devices today," a nod to its still-large market share of the business market for smartphones.
But the Canadian company also acknowledges that when it comes time for consumers to buy phones and tablets for themselves, they're increasingly choosing rival devices and then bringing those gadgets into the workplace.
"The enterprise market for smartphones and tablets continues to grow in both the company-provisioned and employee-owned (Bring Your Own Device or BYOD) categories," RIM said. "BYOD in particular has led to an increase in the diversity of mobile devices in use in the enterprise and new challenges for CIOs and IT departments as they struggle to manage and control wireless access to confidential company information on the corporate network. This has resulted in increased demand for mobile device management solutions."
Among the features RIM said Mobile Fusion will offer for Android and iOS phones and tablets is the management and configuration of devices, as well as security features such as remote locking and data wiping, the creation of multiple user profiles on shared devices, app management and control over how a device connects to the Internet, among other settings.
While some would seem to love having an iPhone or an Android that's as secure and easy to manage at the scale a large business would require, others such as ReadWriteWeb has asked if RIM isn't "shooting itself in the foot with Mobile Fusion?"
GigaOm described RIM's stance with Mobile Fusion as "If you can't beat iOS and Android devices in the market, you might as well secure them."
Currently, Mobile Fusion is in "early beta testing with select enterprise customers," RIM said. But the company is accepting "customer nominations for the closed beta program which will start in January." The commercial rollout of Mobile Fusion isn't expected until late March.
— Nathan Olivarez-Giles
Photo: An Apple iPhone 4S. Credit: Robert Galbraith / Reuters
Dedicated Server Provider Checklist
I recently read with interest an article on pcmag.com which gave advice on what to look for when buying a server. The comments were well thought through for those purchasing their own server – perhaps for installation into an on-site corporate data center. For those who need to rent a dedicated server from an external hosting provider, there are a few other important items to consider. The following is a list to refer to when contemplating selecting and using a dedicated server provider. Thanks go out to dedicated server provider 34SP.com for contributing expertise to this piece.
A top priority for those outsourcing their servers is security. The data and processes that are most frequently running on dedicated servers are mission-critical to businesses or contain highly sensitive corporate or consumer information. There are specific security requirements for the most sensitive data such as credit card transactions. For example, it is well known that to process credit cards one needs a secure certificate often referred to as an SSL certificate. Any hosting provider can accommodate this requirement, however, you will also want a hosting provider to be PCI compliant as well. You can read all the details on PCI compliance on the website of the PCI Security Standards Council. You can visit the TrustWave website if you need to buy an SSL certificate.
The other important security issues are based around malicious activity – someone hacking your server. No hosting provider or server will ever be completely immune to malicious activity. There are simply too many exploits, worms, DDOS attacks and brute force password hacks to thwart them all 100 percent of the time. That being said, you should select a dedicated server provider that is hyper vigilant to the security of your server and will jump in very quickly to resolve any issues. You can assess the company’s security preparedness by asking for an outline of their security practices and what steps they take in the event of an incident.
* Backups and Recovery
In the unfortunate event that your server is compromised at some point you will need to recover your data and processes quickly to minimize the damage. While every hosting provider touts their ability to backup and recover data, it is well worth your time to investigate these processes thoroughly. For example, how often are backups made? Also important – look for a company that has off site backups. This is important in the event of a facility emergency such as fire or flood. Your server and or hard drives may be damaged and if the backups are sitting right next to the server in the data center – then the backups may become corrupt as well. Then you are stuck. If the data is backed up off site then there is a much better chance that the initial disaster will not effect your ability to get your server back up quickly. Of course you will also want to create your own backups of your critical data and only rely on the hosting provider as a last resort. This gives you an added layer of redundancy.
* Connectivity and Reliability
If you have your own corporate data center, then all the myriad issues of Internet connectivity and reliability are covered. With an external dedicated server provider, however, the reliability of the server hardware is only as good as the reliability of the network and connectivity. That is – if your server is unable to connect to the Internet for any reason then your server will be down. Any decent dedicated server provider will use capable hardware and switches, so it is usually how the network is configured and traffic routing that makes a difference. There is also an issue of multiple redundant bandwidth providers, and the ability to switch seamlessly between them in the event of a connectivity disruption. To judge a service provider on this metric, look for third party independent measurements of uptime and reliability such as Netcraft.com. The company publishes a list of the most reliable websites each month as rated by connectivity failures from a network of collector sites distributed around the globe. You can also view a real-time list of hosting providers network performance. Be certain to select a dedicated server provider with a low failure rate for the network – otherwise your server will be subject to unwanted downtime.
* Server Maintenance
There are two types of server administrators: hands-on and hands-off. You should know which category you fall into. Your server will require patches and updates from time to time. The server will undoubtedly need rebooting occasionally. There will be rogue processes which need chasing down and correcting. Also as mentioned above, someone needs to be hyper vigilant regarding server security. If you are hands-on them you will be fine with an unmanaged server. The unmanaged server saves money in that the responsibility for the admin tasks lies squarely on the user. If you are hands-off then you need a managed server provider who will conduct the server tasks necessary for the proper maintenance of the server for you. With a managed server the monthly service fees may be slightly higher to account for an engineer’s time to maintain your server, however this frees you up to do other important tasks for your business. So in the end the costs are really not that different.
* Service and Support
The cornerstone of all the above considerations are the service and support provided by the Linux dedicated server provider. You are resting the future of your business in the hands of your hosting provider. You need to be confidant that they will come through for you during an emergency – and there will be an emergency. In fact, there will be many emergencies over the life of your server – some small and some more serious. It is imperative that the service and support are of the highest order. Look for having a 24 x 7 x 365 dedicated server engineer on call for your server at the other end of a phone call. You can assess the capabilities through online forums such as webhostingtalk.com or search for a provider’s name on Google or use a Twitter real-time search for the brand name.
Spamming Techniques That You Should Avoid
There are many ways to spam search engines and trick search engine spider to increase traffic to websites. Some of these popular methods are better known as ’search engine spamming.’ Let’s know more about these methods in order to gain clarity:
* Keyword Stuffing
It is commonly known as the repeated use of word or phrase in order to make a page look more relevant. There is a specific way of including keywords in a webpage. Determine your exact keywords and use them in different ways to include in the page.
* Invisible Text
In this method, spammers usually insert text that is a combination of repetitive use of keywords on a webpage. The main aspect of this kind of process is that it is discolored and make to look similar as the background color so as to making invisible for common users.
* Tiny Text
Many times, spammers use small font size to place their content. By doing so again and again, search engines may penalize the website.
* Page Spoofing / Meta Refresh / Redirection
This is a process that automatically redirects users to a newly developed webpage. Usually, spammers create a separate page for particular keywords. So, when users click on the link, it will lead users to a different page with very content with no relation with the mentioned keywords. Therefore, most search engines simply decline such pages.
* Meta Tag Stuffing
Usually, adding keywords to a webpage without putting in excess keywords is an accepted form of search engine popularizing. However, many people place high traffic keywords which are directly not related with a webpage in any way.
Common spam indexing techniques are content spam and link spam. Content spam may include: keyword stuffing, hidden or invisible, meta tag stuffing, gateway or doorway pages, scraper sites, article spinning. Link spam includes: hidden links, link building using automated software, page hijacking, cookie stuffing, Sybil attacks and link farms.
Other spam indexing techniques are cloaking, URL redirection.
The Botnet Frenzy Requires Titanium Strong Internet Security
A zombie is a computer that has been infected with malware, allowing an attacker to gain complete control which is a security threat. Tens of thousands of computers are infected with some type of botnet or ‘bot’ and computers that have been infected are generally referred to as ‘zombies.’
These criminals are able to access lists of ‘zombie’ PC’s and activate them to help execute denial-of-service attacks against various websites, host phishing attack sites or send out spam email messages. Trying to trace an attack back to the original source is useless. They will find a victim rather than the criminal because they are so clever.
How do you know if your computer is infected? If you notice anything odd as you are working, such as a slow computer or a computer that seems to slow down or crash for no reason, there might be some malware running in the background. You need to scan your computer with current versions of your anti-virus software, to detect malware. Zombies can be used extensively to send out email spam.
In fact an estimated 80 percent of all spam worldwide was sent by zombie computers. This is what enables spammers to avoid detection. Spam greatly furthers the spread of Trojan horse computer viruses, which rely on the movement of emails or spam to grow.
They can be used to conduct distributed denial-of-service attacks, where a large number of zombie computers make simultaneous requests of a website’s server with the intention of crashing the server thereby preventing legitimate users from accessing the website.
There is a variant of this type of attack known as distributed degradation-of-service. Committed by “pulsing” zombies, distributed degradation-of-service is the moderated and periodical flooding of websites, done with the intent of slowing down rather than crashing a victim site. The effectiveness of this tactic springs from the fact that intense flooding can be quickly detected and fixed, but pulsing zombie attacks and the resulting slow-down in website access can go unnoticed for months or years.
You should make sure to have the latest anti-virus software, install firewalls, and make sure you always delete suspicious email messages. Cloud technology automatically stops viruses and spyware before they reach your computer. This is a new way to protect your computer and it won’t slow you down.
Anti-virus software should have the following features:
- Only real-time updates to safeguard you from the latest online threats today and in the future.
- Easy on system resources so your PC runs faster.
- Is designed to be easy-to-use and understand with simple screens and graphical reports.
- It also should block spam.
- Has parental controls keep kids safe online.
10 Free Ways to Help Prevent Malware Threats
It seems that every day there is a new virus, spyware or adware threat. What are you doing to protect your personal data and identity? Here are ten free ways which can help a home user can protect his/her personal computer from online malware threats.
1. Use anti-virus software, keep it up-to-date and run scans regularly
There are many choices of software out there some cost money others are free for home users. If you are a home user I recommend AVG Anti-Virus. AVG can be setup to update itself, scan incoming email for potential viruses as well as be set to run periodic scans. In other words, AVG does not require much user intervention at all. It has a clean, well laid out out user interface and is really quite simple to use.
To download AVG or view an entire list of free anti-virus applications go to our free anti-virus software page
2. Use anti-spyware software, again, keep it up-to-date and run scans regularly
My personal favorites in this department are SpyBot Search & Destroy, AdAware, Windows Defender and HiJackThis, all of which are free for home users. I have found that running Spybot Search & Destroy, AdAware and Windows Defender will pick up most, if not all spyware threats. For a more advanced tool you can use HiJackThis but I recommend finding an online forum where you can post your HiJackThis log so a professional can analyze the file and let you know what is safe to remove. I have used Spybot Search & Destroy, AdAware and Windows Defender to remove infections from many computers. Running these programs while in Safe Mode seems to be most effective. To learn how to start a computer in Safe Mode go here
To read more about the above mentioned free spyware detection/removal applications go to our free anti-spyware software page.
3. Keep your computer’s operating system up-to-date
If you are running Windows XP this is a fairly simple process using Windows build in feature called Windows Update:
a) Click on the “Start” menu and choose “Control Panel”.
b) Double-click the “System” Control Panel and click the “Automatic Updates” tab.
c) Put a check the box that says “Keep my computer up to date”.
d) Under “Settings” choose “Automatically download the updates and install them on the schedule that I specify”.
e) Now choose a convenient time for Windows to update your computer.
f) Click the “Apply” button and then click “OK” to close the window.
4. Do not open email attachments from unknown sources
Email is probably one of the most common ways to pick up a computer virus. Image this, an email comes into your inbox, it’s from an unknown sender but the attachment is called freemoney.txt.exe. You see the .txt file extention and think that the file must be safe because it’s only a text file so you decided to open the attachment. Within seconds your computer is infected by a Trojan virus, without your knowledge your computer sends a virus infected email to all of the contacts in your address book. As a result, your friends open the attachment, their computers get infected, they send the infected message to all the contacts in their address book and so on……In other words you computer can become part of the larger problem. This can be avoided by making sure that you know who is sending you the attachment and that the file is indeed safe.
5. Use passwords that are not easy to guess and change them frequently
Do not use your first name, phone number, dogs name etc.. as your password. Choose something that is unique to you. Use a combination of letters (both uppercase and lowercase), numbers, symbols and punctuation. if you can. For example using: ‘3eRz17b’ as a password would be more difficult to guess than ’spot’. Change your online banking passwords, computer login passwords and email passwords frequently. Keep your passwords safe and don’t write them down on paper and tape it to your computer monitor. . I know that this seems like common sense but I had to mention it.
6. Do not download free software unless you have verified that it is legitimate
There are many websites online that are simply there to infect your computer. If you see something that you want to download type the name into a Google search box and see what others have to say about it. Gather up a few sources and be certain that it’s safe to install. The time you take to verify the legitimacy of the software will probably much less than the amount of time and it would take to clean viruses and spyware from your computer.
7. Use a software firewall
A firewall is exactly what it sounds like – a barrier between your computer and the Internet but we are not talking about protection from fires! A good firewall monitors both incoming and outgoing network traffic. Windows XP and Vista both have built in firewalls but they only monitor incoming traffic. I recommend a program called Zone Alarm. Zone Alarm is free for personal use. It’s simple to configure and offers solid protection from unwanted Internet traffic. There are many other free firewalls out there. Read more about Zone Alarm and other free options here
8. Stay away from ‘questionable’ websites
Plain and simple, if you are going to visit ‘the dark side of the web’ you run the risk of infection.
9. Be wary of pop-ups
Do not click any button in the pop-up for example: do not use the ‘Close’ or ‘Cancel’ buttons, or the Close box that may appear in the upper-right corner of the window. Closing a pop-up in that way could potentially install a virus or other malicious software on your computer. To close a pop-up ad, press Ctrl-W.
10. Back up your data regularly
This is self explanatory, keep backups of your personal data. There are many cost effective ways to do this do some research and develop a plan to backup your data frequently preferably on some form of external media such as DVD, CD or external hard drive. For more on how to back up data see this tutorial.
Are Your Websites Secure Or Is The Back Door Wide Open?
One of the topics that all of us online business people are aware of but usually don’t feel totally on top of is website security.
Coming from a background of having spent over 20 years in the U.S. military, and having spent four years as a software tester, I have a greater awareness of the need for continuous vigilance in this area than your average marketer.
I also know that you can never make your websites or your computers completely secure. Instead, you can only do things that reduce the risk.
Given that you spend a lot of time, money, and energy, building your online business, it only makes sense that you set aside time periodically to review security related issues, and to look for problems that can be easily minimized.
Here are a few easy “fixes” that you can implement today that will increase the security of your online business.
1) Delete outdated scripts that you no longer use from your server. Many of “the bad guys” have studied the exact same scripts that you use to power your websites, and they know where the backdoors and vulnerabilities are. They know exactly which file will allow them to create all kinds of havoc.
If you have old programs on your server that you are not using, simply delete them.
2) Update older scripts that you are using. Often, the reason that updates are released for a script IS to patch a vulnerability that the developer has become aware of.
YES, upgrading can seem time consuming, and it can be tempting to skip an update, and just wait for the next one. When you wake up one day and can’t access your server, or all of your websites have been defaced or erased, you’ll see the wisdom in ALWAYS keeping the scripts powering your websites completely updated.
If you are as non-techie as I am, you simply hire a trusted programmer to perform this task.
3) Change the default setting when installing scripts on your servers. Many scripts have default passwords, and default locations for critical directories that make these scripts work flawlessly. Since everyone obtaining a copy of these script have these settings, you probably want to change them, and you also may want to rename certain directories.
4) Secure your web logs. Many web hosts have a standard location for the website’s logs and statistics on each hosting account. The files that allow you to access, read, download, and manipulate this data often aren’t secured. At a minimum, password protect that directory.
The danger in someone readily accessing your logs is that they can see the names and paths of the files on your server, including your download pages and the file names of files that may actually be for sale products
There are not only people who search on your product name, looking for unsecured files – there are also people who enjoy posting those links on sites where this type of information is shared.
5) Put an index page in every directory on your server. If someone surfs to the domain name of one of the directories on your server, and there is no index page in that directory, they will get a directory tree… showing them all of the files in that directory, and allowing them to simply click in a given file name to access it.
Servers can be configured to prevent this, but for many people, the quickest and simplest way to protect their directories from prying eyes is to stick an index page in each directory.
6) Give your download pages hard to guess names. Don’t use urls like YourDomain.com/ProductName/download.html Instead you want to give download pages names comprised of a random sequence of letters and numbers, perhaps stick them in directories not even associated with a given product, or use a “download guard-type” script that gives each customer a unique download link and protects your files.
3 Critical Alerts Regarding Your Website Legal Forms For Privacy and Data Security
Website privacy and data security violations continue to be the most critical legal concern for webmasters of software-as-a-service (SaaS) websites and ecommerce websites.
Just think about it – most marketing practices involve capturing data, including personal information about prospects, and using this data to market products or services.
How you collect, store, use, and share this information is now highly regulated, not only by the Federal Trade Commission (FTC), but also by various states. What you say in your website legal forms, website legal documents, and privacy policies is critical.
Three recent legal developments illustrate why webmasters of SaaS websites and ecommerce websites should monitor and stay current with these developments, or suffer severe consequences.
* New Massachusetts Data Security Statute
Effective March 1, 2010, the Commonwealth of Massachusetts requires new data security requirements for personal information of Massachusetts residents (201 CMR 17.00). The new requirements apply to all persons or businesses that “own, license, store or maintain personal information about Massachusetts residents.
“Personal information” includes a Massachusetts resident’s name if linked to his/her social security number, driver’s license or state ID card number, or financial account/credit/debit card number that would allow access to the resident’s financial records.
If you’re regulated by the new statute, you’re required among other things to develop and maintain a data security policy and to require encryption “to the extent technically feasible” of the storage and transmittal of personal information regardless of whether the storage is electronic or the transmittal is by portable device (laptop or handheld device) or over public networks or the Internet.
Penalties and fines for violations are $100 per person affected with a maximum cap of $50,000.
* FTC Issues Guides for Peer-to-Peer Networks
On February 22, 2010, the Federal Trade Commission (FTC) announced that it had notified almost 100 organizations — including large and small private and public companies, schools, and local governments – that their customers’ or employees’ personal information was vulnerable on peer-to-peer (P2P) networks.
The FTC was concerned that P2P networks operated by these organizations may inadvertently be providing an opening for unintentional access to personal information. According to FTC Chairman Jon Leibowitz, “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”
In addition to the notification letters, the FTC issued a guide on its ftc.gov website entitled “Peer-to-Peer File Sharing: A Guide For Business”. The guide provides data security recommendations including identification of security risks and steps to protect personal information from unauthorized access on P2P networks. are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”
* ControlScan CEO Pays $102,000 in FTC Settlement
On February 25, 2010 the FTC announced a settlement with ControlScan.com of FTC charges that ControlScan had misled consumers about how often ControlScan monitored websites, including steps taken by ControlScan to verify the websites’ privacy and security practices.
The founder and former CEO of ControlScan entered into a separate settlement requiring him to pay $102,000 in ill-gotten gains.
Privacy and security certification programs such as ControlScan are used by webmasters to provide assurance to consumers regarding how the website treats the privacy and security of personal information. The FTC alleged that ControlScan provided its certifications to websites with “little or no verification” of their privacy protections.
Most of these website documents and legal forms should be posted on the website, and therefore would be visible to any potential joint venture partner checking out your website.
This case underscores how seriously the FTC views privacy and security of personal information stored on websites, as well has how closely the FTC is observing representations regarding privacy and security. The FTC is on the lookout not only for websites that misrepresent what they do regarding privacy and security, but also what certification websites represent that other websites do about privacy and security.