
Archive for the ‘Security’ Category

Shocking Results in Recent OTA Findings: Should YOU Feel Safe on the Internet?

Friday, May 27th, 2011

As cybercriminals become more advanced and efficient, all businesses must recognize and prepare for the imminent threats of online hackers. The issue of cyber-attacks has made its way to the Senate, which is debating the amount of power the president should have in dealing with cybercrimes (Full story here).

Similarly, in accordance with the looming threat of online fraud and cybercrime, the Online Trust Alliance (OTA) released their annual Online Safety Honor Roll and Scorecard two weeks ago, revealing the many insecurities of the internet. Their findings were very surprising, making me question my privacy and safety on the internet. Two of the most shocking discoveries include:

  • Only 26% of the top websites and government agencies evaluated by the OTA were recognized for their adoption of the best, most efficient technologies to help protect users’ privacy and identity. This means that 74% of the top websites used by millions of people have not implemented safe measures that protect against malicious emails and rogue websites. Organizations that made the Honor Roll enacted email authentication processes, Extended Validation SSL Certificates, and testing for malware and known site vulnerabilities. More than 500 million emails originated from the organizations lacking efficient online security measures. These facts demonstrate that we are not protected on the majority of sites we visit and are members of, and therefore we must consider reevaluating websites before giving them any of our personal information.
  • Social media, e-commerce, and financial services ranked higher in securing their sites than government agencies.  About 27% of the FDIC 100 and 24% of the Fortune 500 qualified for the Honor Roll, though only 12% of government agencies made the list. It doesn’t make me feel particularly safe that government agencies’ websites are some of the most vulnerable to cybercrime attacks. The government and its various agencies should be the ones protecting us, enacting the proper online security protocols and trying to set an example, not being most susceptible to malware.

This report is extremely important for both e-commerce shoppers and small businesses. Online shoppers must realize the dangers of registering on sites that may be unsafe and prone to cyber-attacks and abuse. Therefore, they will seek out websites that have the proper preventative online security measures, and will most likely buy from the large, reputable online websites. This will in turn hurt small businesses that lack a reputation in online safety and are trying to flourish in e-commerce. This makes it even more important for small businesses that want to succeed to clearly demonstrate to the public their record of trustworthiness and reliability, so potential customers are assured that the small business they’re dealing with can be trusted.

The OTA’s full 2011 Online Safety Honor Roll and Scorecard can be found here: https://otalliance.org/news/releases/2011scorecard.html.


Taking the Internet Back for the People: The Government’s Plan for Internet Security

Thursday, May 19th, 2011

Not too long ago, the U.S. federal government finalized their National Strategy for Trusted Identities in Cyberspace (NSTIC). Although acronyms tend to make everything sound overly-official, this isn’t some new set of laws. Instead, this ‘strategy’ is more of an attempt to improve internet safety. NSTIC aims to make the internet a better place for everyone to store and use their personal information. Sounds kind of impossible, right? If this was some sort of strictly government attempt, it probably would be. However, NSTIC asks for the participation of businesses and consumers alike, actually giving it a pretty good shot.

What’s the Strategy?

As explained in more detail here and here, NSTIC is focused on three main issues:

  • Identity – Anyone who uses the internet probably has a jumble of user names and passwords. Attempting to foster an “identity ecosystem,” NSTIC aims to simplify this issue by having users deal with only a select few identities from trustworthy sources.
  • Privacy – Whenever we sign up or buy something online, we give out tons of personal information. The plan regarding NSTIC is very much on a ‘need to know’ basis. Under this, only necessary personal information will be shared with the interacting group; no more, no less.
  • Security – If we have fewer accounts to create, then we can actually create them distinctively. After all, how many people use the same user names and passwords across multiple accounts? In short, a lot! This makes online theft too easy. Hopefully, this proposed ecosystem will eliminate that.

In the end, it’s best to look at NSTIC as more of a reform than another government headache. It aims to create a more tightly knit hold on the online sharing of personal information.

Who Ya Gonna Call?

Sorry to upset you, but no one in particular. As I said earlier, NSTIC isn’t a law; it’s a recommendation. It calls upon all of us to do our part in improving our security online. I’m sure we all love to complain about incidents such as Sony’s Playstation Network being hacked. However, are there any particular networks or sites where we are 100% safe from theft? Businesses need to keep client information private, but we can’t just use easily accessible usernames and passwords with the expectation that they will take care of the rest.

NSTIC wants to fix these problems by making the online process simpler, and it wants everyone’s participation. If you really want to be cheesy about it, NSTIC has a ‘think of the children’ kind of feel. The process isn’t going to happen overnight. It’s a grand scale issue that will probably take decades or even generations. And yet, even in spite of its inevitably gradual process, isn’t there no time like the present to get started?


WANTED: Your Confidential & Sensitive Data

Friday, April 8th, 2011

Guess what? Your credit card number is less valuable to attackers today. Too bad they still want it, along with your Facebook credentials. We know this how? Recently Symantec released another security report. The security report said that the price of stolen credit cards dropped dramatically from previous years. The drop off is due to numerous factors, but one thing that seems to stand out is the number of credit cards there are in circulation. Since there are so many credit cards available, these sellers have to lower their prices if they want customers.

However, while credit cards have dropped in value, people’s social network credentials are becoming more valuable. During the past year, botnets were seen sweeping Facebook and other social networking sites for login credentials. Why are people’s social network credentials in demand? If attackers gain social network credentials, they can then use those platforms to launch malware attacks and spam campaigns. These attacks are often more successful. Why? Since many people divulge a lot of personal information on sites like these, an attacker can comb through a user’s profile and imitate them well enough to fool people into clicking on links that have malware embedded in them.

Since many of these malicious links are shortened, it is a challenge for social networks to determine which of the shortened links are trustworthy. Remember that article I wrote on hacking toolkits? Well, many of these toolkits are used to initiate these malware attacks, because many of them use Java. Since Java can run on almost any platform and browser, this means that these attacks cannot really be avoided by switching platforms or browsers. All of the toolkits have a high infection rate, which means that the infections can spread very fast and to a wide number of users if the toolkits are used. Social networks are also targeted because they enable attackers to get access to business information which can then be used to get sensitive data from those businesses attacked.

One platform that has not quite been hit by attacks is the mobile platform. Currently, very many people do not use their mobile devices for online banking and other sensitive data transactions. Thus there is no real incentive for attackers to seriously target mobile devices. (They still do target them and the number of attacks is increasing, but there have not really been any widespread attacks.) However, as mobile devices become more sophisticated and as more users start using them for online banking and other sensitive data transactions, attackers will quickly start targeting mobile devices in rapid numbers.

What do you think of this?


Internet Explorer 9 “Do Not Track” Security Feature…Will it Really Work?

Wednesday, March 16th, 2011

I was reading this article in the Wall Street Journal yesterday when I realized that Microsoft released their new version of their uber popular Internet Explorer web browser which included the highly touted “Do Not Track” feature. The new feature is news-worthy for a few reasons in my opinion. First of all, Internet Explorer is now the first major browser to include this type of feature in a major release of their web browser, although Mozilla’s Firefox browser is said to include a similar feature in an upcoming release.

I think that this new “do not track” feature is also an interesting advancement because of how quickly Microsoft developed and included this functionality in a major release of their web browser.  This type of new feature only started making news a few months ago when a number of consumer privacy advocates started complaining about how so many websites, like Facebook and others, are now collecting personal information about people and their web browsing habits when they visit their websites.  Microsoft and Mozilla took these requests so seriously that they decided to include this feature in their next browser releases only a quarter later.  In my opinion these web browser companies decided to include this feature so quickly because they knew it was relatively easy to implement (in the way they have) and they also knew that this new feature would make big news and would therefore help market their new releases.

Finally, I think this new web browser feature is of note because the way it has been implemented technically may not be very effective at doing exactly what it is meant for. Basically, now when a person using Internet Explorer 9 browses to a web page that is trying to collect information about the person or their computer or their web browsing history, it sends a series of “header” records to the requesting website indicating that the person requests that the information not be shared with anyone else or used for marketing purposes. The only problem here is that there are no set standards around these “header” records and no major websites or eCommerce associations have acknowledged that they will accept or abide by these requests to not share the user’s data. Inevitably, what will happen here is that Microsoft will start pointing the finger at the eCommerce sites that do not recognize these header records until they cave in and recognize them, because Internet Explorer is the most used web browser in the world and nobody wants to find themselves on the wrong side of this argument because their sites will be bad mouthed in the press and seen as non-consumer friendly.

In conclusion, I think this is definitely a step in the right direction by Microsoft but I am not sure that this is really the best or most effective way to go about it. I guess if this is just the first step in the direction of better security for shoppers’ personal information on the web then it is probably worth it and will probably get us where we want to go.

What do you think about this new feature that Microsoft started offering yesterday in their new Internet Explorer 9?


Know how many security threats there are for 2011?

Thursday, March 10th, 2011

Guess what, there’s five big ones. We knew that there were plenty of threats last year and we probably expected the number of threats to grow. They have. Here are the top five for this year.

Mobile Apps:

Did you know that 85% of adults in the US own a mobile phone? (I thought that this figure seemed a bit low…) [Turns out that 90% have access to a cellphone, but only 85% actually own one.] Anyone hear about the Trojan Droid Dream? No? Well, what it did was gain root access to sensitive information such as a device’s ID, model number etc… This meant that the software could take control of the devices and download things that you didn’t want on your computer. Luckily, Google remotely deleted the Trojan from users’ phones before it could do any damage.

However, malware isn’t just on official app stores. Outbreaks come from repackaged apps and alternative app stores.  Due to the increase in malware in smartphones, soon you might have to have two phones: one for work and one for personal use.  So how do you protect yourself? First, be careful about what apps you install. Do some research before you install an app. Does it have a reputation? What kind of reputation does it have? Etc…

Don’t forget to read the app’s list of permissions before you download. Does it make sense for this app to have access? See if you can uncheck unwanted permissions. Does that game really need access to your camera? (If you’re an Android user, Google makes it mandatory for the list of permissions to be there.) If there are antivirus apps for your smartphone, you might want to think about getting one.

Social Networks:

You’ve all heard about Social Network scams, right? Good, then I don’t have to go into very much detail. One large thing to keep in mind is that using your Facebook account information, criminals can actually go and burglarize your house. So, don’t click on any suspicious links, be wary of claims you know to be untrue and again, read exactly what the app is asking permission for.

Antivirus Software:

Since more users have become aware of the need for antivirus software, these scams have been on the rise. The scam looks like a legitimate piece of software and convinces the user that the computer has an infection. Once the user pays for the software, the program has access to the user’s computer and credit card information. NOT GOOD. What can you do to protect yourself? First, make sure you are running a current security program that is updated frequently and never download security software from a popup ad.

PDFs:

Apparently PDFs are one of the potentially most dangerous file formats available. Why? It’s easy to conceal malicious content in the file. PC World gives you a link to the study…but, since it’s in a PDF format, I didn’t read it. 😀 So, be careful where you get your PDFs from. (My university uses PDFs often, but I’m pretty sure that they’re not infected.) Remember to run and keep your antivirus programs updated. Also, make sure to keep your PDF reader updated. Many of the updates have important fixes.

War Games or in other words, state sponsored malware attacks, industrial espionage, etc…

For the ordinary person they may not be a threat, but if you own or manage security for a business you should be paying attention. Hacking groups have attacked sites in Egypt and Libya in support of recent protests. The group has also leaked emails from a security researcher attempting to identify their members. How do you protect your company from all this? First, monitor the network traffic and conduct regular reviews of employee data access privileges.

All of these threats may seem scary (they do to me), but they can be mitigated by being vigilant, keeping things updated and just using common sense.


Show Shoppers Your Online Business Can Be Trusted: KikScore Your Trust Solution

Wednesday, March 2nd, 2011

PROBLEM: Online Small Businesses lose billions in dollars a year in sales because shoppers do not know if they can trust those small businesses.

SOLUTION: Trust Seals – But which one?

It is established that small businesses, especially ones just starting out, can have a difficult time conveying to the public that they are trustworthy and reliable.  As a result, small businesses often lose significant sales because of this concern that the public has.  One of the primary ways that small businesses address these concerns is putting a “trust seal” on their website.  The trust seal is supposed to denote that a third party validation has occurred in some way and that third party therefore “vouches” for that small business so shoppers can then trust that business.  There are many trust seals out in the market that do different things and some of the providers of those seals include Verisign, TRUSTe, BuySafe, Trust Guard and the Better Business Bureau.

So we at KikScore often get the question: Why should a small business use KikScore and how is KikScore different than the other trust seals?

This post is not going to bash other seals, but there are critical differences between the KikScore seal and other seals that are on the market.  This post points out those differences and is meant to educate the community about why these differences are important.

1) Empowering Small Businesses To Show Their Track Record – A fundamental concern that shoppers have is can they trust a business? Many businesses and business owners have an actual track record of reliability in paying their bills, having a strong financial history, reliably delivering products and services and historically being responsive to customers. Typically that has been built up over years of being responsible, reliable and trustworthy in the market. So isn’t that track record worth something? We say YES! KikScore allows small businesses to take their own great track record and communicate it to the world and visitors to their website. No one else allows a small business to take their business history and communicate that to the world so shoppers can get more comfortable with that business.

2) Promote Your Own Brand Not Another Company’s – A lot of other trust and verification seals do much more to promote their brand name on your website than actually assist in promoting a small business. This is especially the case with some seals with lots of money behind their brand name that are widely recognized. Again these may be good trust seals that have a limited purpose, but they each miss out on a critical element to the trust equation. They essentially are saying their brand name is more important to have on your website than your own brand name. At KikScore we do not believe that is the case. In fact, our seal is structured to take extensive amounts of information about the small business itself such as the management team’s names, their financial reliability, business policies, locations and website information and promote that information rather than our own brand name. We do this because we feel that information is more important to a website visitor or shopper in their determination of trustworthiness of a website.

3) KikScore is a Multi-Dimensional Trust Seal – Some trust seals try to do and message different things to the public. For example, some seals check for certain types of malware, some collect comments, some convey that a secure connection (SSL) is on the website, etc. KikScore deliberately leaves those tasks to other folks because again in some instances those functions serve a purpose. Those seals/services are, however, typically one-dimensional services that only communicate that a small business website gets a periodic and limited security scan. You should note that based on our extensive information and first hand experience those scans can be helpful, but by no means are comprehensive and historically have not caught major pieces of malware that have resulted in some recent data breaches. KikScore’s seal actually incorporates all of these seals in our Certifications tab in our merchant report card, called a KikReport, in addition to providing the other wealth of information about a small business, its management and website history. Taken together this creates a multi-dimensional seal unlike others in the market. This multi-dimensional seal allows small businesses to have one comprehensive seal that addresses the trust and reliability equation from a variety of angles.

4) Give Shoppers Dynamic and Continually Updated Information About Your Business – As small businesses know, their historical track record for reliability and trustworthiness always is being updated with new data and information as more transactions occur and a business grows.  Kikscore’s seal addresses this by being dynamic and continually updating a small business and their merchant report card (KikReport). The KikScore seal is set up to continually be updated and our own databases and data providers are scanned constantly for new information about a small business site.  So for example, when a small business website’s traffic increases meaning that business may be growing, that is reflected in the KikScore seal and the KikReport.  Also as a small business becomes more financially viable, that also gets reflected in the KikScore seal too and again helps demonstrate trustworthiness and reliability to shoppers. We do this, others do not.  Most other trust seals are static meaning they do not update information presented on a seal besides perhaps a change in the date of a scan that is performed – otherwise other trust seals just present static information.  That static information really does not do a lot to help address the issue of building trust for small businesses.

5) You Get a Unique Trust Score for Your Small Business – Unlike anyone in the market, KikScore takes information, data and merchant provided information, analyzes that information and presents to the public a completely unique and dynamic trust and reliability score. This trust and reliability score takes into account literally hundreds of data points and indications of trustworthiness in order to compute the trust score. The trust score is in some ways akin to a credit score, except that the KikScore trust score is made available to the public so a small business can communicate to customers that they have a high trust score and therefore can be trusted. Even better is that the trust score is based on data and information that is verified by KikScore through our systems and automated processes.

6) KikScore Helps Small Businesses Give Wary Shoppers Transparency Into Your Business – KikScore attacks the heart of the trust issue for small businesses by giving small businesses a way to make themselves, their business and their management more transparent to shoppers. We have seen that when shoppers are provided more information about an online business their level of comfort and likelihood of buying from that website increases. Without this important transparency, sales are lost and shopping carts are abandoned. Instead of empowering small businesses to provide this transparency, other trust seals merely provide a very small, isolated and static piece of information about a small business (a malware scan, etc). Those seals are just not comprehensive enough to fully address the trust issue.

7) Encourages Interaction with Your Customers – KikScore’s seal incorporates an interactive feedback platform within the seal. This permits small businesses to interact in real time with their customers. This also allows these small businesses to have other shoppers review the comments that are posted inside the KikScore seal about the shopping experience with that customer. KikScore even incorporates these comments into the trust score for the small business. One additional benefit of the interactive feedback platform is that it helps bring customers to the small business website to post comments instead of having those customers post comments on various unrelated sites around the internet like Yelp. Now granted there are a few other seals that include comments sorting and response functionality, but none of them have the comprehensive trust building solution that KikScore includes with the items listed in 1-6 before.

So I will leave everyone with the following:  We rarely and I mean rarely overtly talk about the KikScore product on our blog.  Instead, we use this blog to communicate with the community and provide valuable small business tips.  That being said, we thought that this would be a good time to take the opportunity to educate small businesses on the critical differences between KikScore and the many other seals that claim to address the trust concern that shoppers continually say are a barrier to buying more online.

We would love to know your thoughts on the differences we have identified.


Hackers: They’re back and are coming to get you! Steps to Fight Back

Monday, January 31st, 2011

What’s back? Hacker’s toolkits! There are new hacker’s toolkits out there that are user friendly. So, your computer could be in danger from any number of foes. It could be the kid next door, the person sitting across the table in Starbucks, some computer geek in an internet cafe in India. How do we know this? Symantec released a new report about this. These toolkits are priced anywhere from $40 to $40,000.

So, what exactly do these toolkits do? They let people who have a little knowledge of coding design malware to hack your computer. The big difference between these toolkits and the original ones is that these new toolkits use many different attack vectors. With the old toolkits, once you knew the software patch, the malware couldn’t get in. The toolkits exploit the vulnerabilities in a computer. Usually the malware gets in through the web browser and its plug-ins.

Then, the software usually installs a keylogger which steals things like online passwords and turns computers into zombies that infect other computers. Why through the web browser? Since most of the major software holes have been patched up, it has become harder to get malware onto a computer. Signs show that these toolkits are pretty effective. According to PC World, $70 million was stolen from bank accounts using the hacking toolkit Zeus. Plus these kits are often like regular software. They get constant updates, so they have the newest and most potent version of malware. These toolkits are also attacking multiple software at once, so chances are that one application may be unprotected and the attack is more likely to succeed.

So, what can be done to protect your computer from these threats? Just the usual of keeping all of your system software, virus definitions, etc. updated. You also shouldn’t use Internet Explorer, but Firefox and Chrome are targets too. [The article didn’t mention anything about Opera though.] You can switch to Linux, but it takes a while to get used to. [I haven’t used Linux, so I don’t have an idea of how different it is. All I know is that it’s different.] You can also install a browser extension, such as FlashBlock (for both Firefox and Chrome), that’ll block any flash code on a website unless you opt to let it run. (YouTube is whitelisted.) Also make sure you’re using a reputable brand of antivirus software.

So what do you do to protect your computer from these threats and what do you think about these toolkits?


Antivirus Software: A Comparison & Tips to Keep Your Computer Safe!

Wednesday, September 29th, 2010

I’ve been commuting to college for a while now and I’ve noticed that in our library every newspaper except the USA Today is taken by 1:00 pm. What’s up with that? *shrugs* Anyway, guess what I’m going to talk about today! People living under rocks? No. Patrick the starfish? No. I’ll give you a hint. It was in the USA Today. Airline fees? Nope, I’m going to talk about Antivirus software! *fireworks* How many of you use antivirus software? *Looks around* Most of you, good. For those of you that don’t, get some! To help those of you that don’t have antivirus software or have had a trial version that’s now expired, USA Today has compared several antivirus software packages. Here’s the rundown.

  1. Microsoft Security Essentials: Remember OneCare? No? That’s ok, this is better. It’s free! You get the basics, such as anti-virus and anti-spyware. Plus it’ll scan all of your hard drives and I mean all. (I have this on my laptop and it scanned my external hard drive when I had it connected.)
  2. Immunet: $19.95, the only difference between it and Microsoft Security Essentials is you don’t get automatic updates and it also scans your email for infectious files. Correct me if I’m wrong, but doesn’t Gmail already do that?
  3. Cyber Defender: $29.95. The only difference between it and Microsoft Security Essentials is no automatic updates and you get anti-phishing.

Most anti-virus software offers the same benefits. Some go further and offer website health checks, parental controls, and one, Webroot, offers to monitor your credit card usage. There are a ton of anti-virus software companies out there and that can make it confusing for those of us who want decent security. So, everyone should do their homework and find out which anti-virus software best fits their needs. Some good sites to look at are:

  1. Microsoft’s list of anti-virus software vendors, here.
  2. Google’s list, here, which includes anti-virus software for all you Mac users out there.
  3. The USA Today list (see above), which compares several software vendors.

One warning about free software (OK more like two), you might not get very good support and the software might not be updated very often. Make sure you check the frequency of updates before downloading. Also check the websites that you visit. Do they have a seal of authenticity, such as Kikscore’s seal? If not, be careful. For all you website owners out there, consider getting a seal.

What about the rest of you? What kind of anti-virus protection do you have?
