You are here: Home / Archives for security

PeC (ED): The Case Against Developing in Open Source Software

March 14, 2011 by Leave a Comment

This is my first article for Ecommerce Developer (part of Practical eCommerce).

Developing an ecommerce site using open source software may be very attractive on the surface. Open source software can usually be uber-customized, allowing developers to implement features as they are needed. Open source software frequently advances more quickly, addressing growing needs in an ever-changing industry. This is especially true in the social world.

Unfortunately, there are many downsides to relying on open source development versus a licensed or hosted solution. Online storeowners quickly realize the additional, substantial benefits of working with a more closed package.

Read my full argument at Ecommerce Developer

Filed Under: Ecommerce, PeC Articles Tagged With: , , ,

Think Before Sharing via Social Apps & Tools

February 19, 2011 by 1 Comment
Twitter OAuth screen

Last week Twitter announced suspension of two popular applications that violated the company’s policies. The news of the mobile app pulls hit Twitter quickly, and left the first page of our timelines in the same fashion.

The apps—UberTwitter and Twitroyd (for Blackberry and Android, respectively)—were among hundreds of Twitter applications that are pulled each day. While Twitter’s explanation at their own site is rather vague, the company told Mashable that the violations include “changing the content of users’ Tweets in order to make money”.

While content altering is something users would undoubtedly take issue with, even more disconcerting is Twitter’s statement that, “…on an average day we turn off more than one hundred services that violate our API rules of the road.” And, no doubt, privacy is part of Twitter’s developer policy.

Example of Twitter's authorization screen

Only allow trusted sites, services and apps to connect to your social media accounts.

Millions of web pages feature ways to share content via Twitter, including sites that use their own methods of connecting users to the social site. It’s similar to how brands and services connect users to Facebook, requiring the user to click a button that approves the application in order to gain access to their accounts.

My point is simple… think before you share through third-party tools. When it comes to spreading the word via Twitter, Facebook and other sites, most of these tools are there to “dummy proof” the process. Twitter and Facebook have their own official scripts which any web site can use to promote content sharing. Look for these official methods, and research third-party apps to determine if they can be trusted.

Filed Under: Mistakes That Kill, Social Media Tagged With: , , ,

Safety First: Storing Passwords

February 16, 2011 by 1 Comment
Security...

Via GoToMeeting, I work with many online store owners and designers in real time. It amazes me how lax many people are when it comes to creating and storing passwords. There have been thousands of articles published concerning the importance of using complex passwords and implementing security measures. Still, the process is often ignored.

Insecure password storage is like giving away the key...

Why would you give away the keys to your business?

I’ll start by saying this. If you use a weak password and take little to no effort to protect it, you deserve to be hacked, raked over the coals and shunned. Simply put, passwords are meant to protect everything about us, our customers and the business as a whole. If you don’t care enough to protect customer data, why should customers care enough about your company to pull out their wallets?

For the sake of safety and security, here’s some DOs and DON’Ts to keep in mind when it comes to password creation and storage.

DO

  • Use strong passwords. Passwords should be at least 8 characters and contain at least one number. Stronger passwords include letters, numbers and a special character, as well as a mixture of lowercase and uppercase letters.
  • Use encryption methods to store passwords. Consider reputable software that “explodes” data if the master password is entered incorrectly after a specific number of tries.
  • Use a unique, non-identifying master password. You shouldn’t use pet names, children’s names, birthdays or other common terms in any password. The master password on storage software needs to be so unique no one you know could guess it.
  • Create and enter passwords only over secure connections.
  • Use different passwords for different sites. You shouldn’t use your banking password, for example, for accessing forums.
  • Change passwords frequently. I know there are arguments against this, but, the fact is, the action of keeping passwords fresh reinforces the need to keep them secure.

DON’T

  • Store passwords in the browser. One only needs access to the computer to gain access to everything else. Auto-completion of logins and passwords is an easy way for employees to gain access to sensitive information, including PayPal and bank accounts.
  • Share your password. If you must provide someone else access to an account, either create a separate user, or change the password  to something totally different. When the third-party access is no longer needed, change the password again.
  • Save emails that include passwords. Since email itself, by default, is insecure, you’re better off logging into a site and changing the default password. Then delete the password email.
  • Use common password reminder questions. Using questions that require simple answers (your maiden name, your home town, your birthdate, etc) makes it easier for others to hack your account.

Finally, you should maintain a list (sans passwords) of accounts that are password-protected, and maintain it as new ones are created. Should your data ever be compromised, use the list to quickly access accounts and change both password and secret question criteria. Remember, you can never go wrong by keeping your security tight and up to date.

Filed Under: Ecommerce, Mistakes That Kill, Must Read Web Tagged With: ,

Want Your Router Hacked?

July 21, 2010 by 3 Comments

If you missed step one of securing your network, you just may fall victim to a hack that’s getting released into the wild next week. Seismic’s Craig Heffner says he’s got a way to hack into millions of routers and he’s going to share it with the masses during the Black Hat 2010 conference July 28-29, 2010.

What’s that first step? Changing the default administrator password, of course. The admin password gives you control over configuring your router and the hack is designed to exploit Domain Name System (DNS), which is used to convert web site addresses into IP addresses. While modern browsers have installed safeguards that prohibit content not registered to the specific IP address of the web page to be displayed, this can’t be used as the sole method of security.

What can happen? It’s been reported that the hack can trick users into visiting a web page that an attacker has created with Heffner’s exploit. The router could be hijacked, and thus used to steal information from the network or computer, or redirect the browser to a different page.

Several routers are affected – more than 30 – from companies like Belkin, Linksys and Dell. See the full list of potentially affected routers.

If your router isn’t on the list, that doesn’t necessarily mean your protected – only that the router model may not have been tested.

Additional Resource: Engadget

Filed Under: Mistakes That Kill, Must Read Web, Technology Tagged With: ,

What is PA-DSS and Why Should I Care?

July 16, 2010 by 2 Comments

Now that it’s a requirement, online store owners are finally starting to get the term PA-DSS drilled into their heads. I’ve spoken about this for some time, but it seems far too few merchant account providers took time to notify companies early and often. Some companies are already being charged monthly fees for not following the global security standard set forth by the Payment Card Industry Security Standards Council (PCI, for short).

PA-DSS stands for Payment Application Data Security Standard. It was created to set specific data-transmission and storage standards for payment applications (like online shopping carts and payment gateways). The standard prevents third-parties from storing sensitive information, like magnetic stripe data, CVV2 (or CID) numbers and PINs.

PCI-DSS (the PCI’s own Data Security Standards) now requires that applications be PA-DSS validated as well. PCI standards include the transmission of data using SSL encryption, protecting cardholder information, and creating and enforcing strict security policies.

Online shopping cart developers have been scrambling this past year to update their software so it can be authenticated. For some, it will be the end of the road, since the development process can be both lengthy and expensive.

The deadline for PA-DSS was July 1, 2010. It is now up to merchant account providers to take one of many steps to enforce the rules, including:

  • Warning companies that they are not compliant, and providing a deadline for rectification.
  • Charge companies additional fees (the average I’ve personally seen is $25/month) for not being compliant, and provide a definitive deadline.
  • Inform companies that failure to rectify could result in loss of the merchant account (the ability to accept online payments).
  • Cancel merchant accounts for companies which refuse to comply (this is not commonly the first or second action by the provider).

Some merchants argue that the new standards are really about money, because previous standards were created to protect cardholders and, in many ways, failed. For example, the CVV2 (or, CID) – those 3 to 4 numbers on the front or back of the credit card – was implemented to protect both consumers and merchants. It was a method used to prove possession and ownership of the credit card. It wasn’t long before thieves got hold of this information as well, sending the world of identity theft spinning even faster.

Regardless, the compliancy standards are here, and merchants need to take them seriously. Here’s a few steps store owners should be taking right now:

  • Confirm the shopping cart you use passes PA-DSS. Vendors will receive an Attestation of Validation, and will also (though it could take several months to be finalized) be listed at the PCI web site. (Current Listings) VISA maintains an easier-to-read listing in PDF format.
  • If the software is not yet validated, find out if the company is in the testing process.
  • If there’s no intention to become validated, start researching other shopping carts that provide the features you want and get estimates on making a switch.

Note: If you use a third-party application to process payments, such as PayPal or Amazon Checkout, which do not handshake card data back to your server, the shopping cart doesn’t necessarily need to be validated, but you should check to make sure that the shopping cart itself doesn’t touch the payment data at all.

Whatever you do, don’t just assume. Some online store owners are already reporting being billed for not being compliant. Ensuring your shopping cart, and other tools you use, pass validation will keep your business running smoothly and (hopefully) money rolling inward.

Filed Under: Ecommerce, Mistakes That Kill, Must Read Web Tagged With: , , ,

Thinking About Working in the Cloud?

May 7, 2010 by 3 Comments
Cloud computing may be cost-effective, but trust is priority.

Cloud computing is all the rage these days. The storing of contacts, tasks and meeting dates is taking many by storm, especially in the mobile world. But is it right for everyone?

If you use any of Google’s Applications (like Google Calendar or Google Docs) or any other company’s over-the-web creation and/or storage, then you’re already a cloud computing participant. Shared and on-demand resources fall under the “umbrella” of cloud computing.

Many cell phones and data devices also promote and support storing data in the “cloud.” Applications can now back up your contacts, task list, calendar and other data in case of damage or loss of the device. This makes a restore quick and easy.

Cloud computing may be cost-effective, but trust is priority.There are, however, downsides to using the cloud. While the cloud concept has been around for decades, Cloud Computing, as we know it today, is relatively new. This means a great deal of newcomers to the game – many companies of which we’ve never heard nor had any previous experience.

There are pros and cons to converting usage and storage of data to the cloud, the most appealing features being reduced costs (long-term, because conversion does cost money) and ease of access (lose your phone on the plane? No problem!).

Alas, I’m all about what really matters, so here are my warnings about living in the cloud:

Who has access?

Make sure you’re working with a company you trust. I used Quickbooks Online for years, and I trust Intuit with my information. I’ve used Google Calendar, but only as an option to publish my blocked time.

However, when it comes to client info – I’m talking private numbers and statistics – it’s something I’m not comfortable potentially sharing. Thus, my devices are set not to back up data over the air.

Who has a stable platform?

Just yesterday, Google Calendar went down. Anyone relying solely on this cloud method had zero access to their day’s routines for several hours. That would drive me nuts.

Accessing data from anywhere is very appealing, but if it’s the only place you’re storing that data, what happens when networks fail? Local backups are key.

What’s the cost?

What is the cost of cloud computing opposed to transferring a backup to, say, an encrypted flash drive or other device? A service like GoToMyPC
gives me access to my office 24/7. Yes, I know, what if the power or network drops? So far, this has been a reliable service.

Is it Secure?

There are many arguments (pro and con) concerning the security of cloud computing. This isn’t just about who has access to the data, but exactly
how the data is transmitted.

The weakest link breaks the chain – always. Cloud computing relies on security at every level, from the host computer, through the router and modem, over the network, and so on… Thus, if you don’t take measures to keep prying eyes out of your own network (by use of a firewall), then cloud backups are less safe than if you disconnected from the Internet and worked with data locally.

Who is Liable?

When selecting a service provider, ask who is liable if the stored data is compromised. In fact, request documentation. Any company unwilling to provide documentation should be suspect. Don’t take a company’s word for anything. Research each company before making a decision.

Am I against cloud computing? Not at all. But in my experience, many small business owners looking for cost-effective measures frequently don’t realize they’re actually seeking “cheap” services. Reliability and stability, as well as privacy protection and insurance, should be among the top reasons for selecting a provider.

I also recommend not putting all your eggs in a single basket. Cloud computing should be used as a backup and accessibility feature, but it should never be the sole place in which we store information necessary to business. Secure, local storage (even if just on an encrypted, portable hard drive in a bank’s vault) gives us an alternative should a company, or its service, fall off the radar, even if just temporarily.

Filed Under: Ecommerce, Mistakes That Kill, Technology Tagged With: , , , ,