In a recent interview, founders Jay Osterholt and Jeff Moore talked with WCPO-TV in Cincinnati about My Child’s Locket’s capabilities and the role Secure Web Hosting plays in protecting their clients’ identities.

We’re so proud to be protecting this and other businesses who need shelter from malicious hacker activity. Thanks for the trust.

The mandates for protecting cardholder data at rest seem rather straight forward, but taking them at face value could be a mistake. Many factors about your company’s or your client’s business determine how this requirement is followed.

3.1 – Store Only Necessary Cardholder Data; Store Cardholder for the Minimum Time Possible

Section 3.1 says to store only necessary cardholder data and to store it for the minimum time possible. Data storage requirements may vary depending upon the nature of your company’s or client’s business. For example, businesses that provide single use products, or a service offering that is only likely to be used one time should probably not store cardholder data at all, or at most for a very short period.

On the other hand, subscription- or recurring billing-based businesses are on the rise. Invoicing and charging customers “automatically” every month has become a common reality for millions of software as a service (SaaS) companies today. When you have repeat customers, the idea of having your customers resubmit payment details on a regular basis is not just inconvenient, it’s inconceivable. Therefore, businesses that cater to repeat customers have some special considerations to address, and because of the retention schedule, these companies go beyond the provisions of the standard to protect cardholder data when possible.

In either scenario, your company must develop and enforce a PAN disposal policy containing:
- A definition of what data is being stored;
- A definition of the time period for which this data is stored;
- A procedure for disposing of data after that time period has expired.

3.2 – Do Not Store Authentication Data

Since we primarily handle transactions online, PCI DSS provisions 3.2.1 and 3.2.3, which deal with magnetic stripe data and PIN numbers, are less applicable to web application developers. However, storing card validation codes (also known as card verification values, or CVV) is also prohibited by this subset of requirement 3, and to that detail we must pay close attention.

Your merchant account provider may give you favorable rates if the CVV number is provided in a transaction. Therefore, many companies make the business decision to retrieve this number from customers submitting orders online. In reality, you’re merely using the number as it was intended – for validating card not present purchases.

If your business has subscription-based orders and recurring charges, you’ll need to work with your merchant account provider to determine your options.  For example, it may be possible to use a previous transaction’s payment method ID in lieu of storing and subsequently re-providing it each time the subscription installment is billed.

Portability is another “hot button” that keeps business owners and developers on the fence. Consider these risks:
- What if your payment processor goes out of business?
- What if a current system you use to bill your customers becomes interoperable?
- What if you are presented considerably more favorable rates with another processor?

In either case, the cardholder data must be migrated for business continuity. If you only have access to a masked PAN, expiration date, and reference ID, you’re out of luck and face requesting the payment card details from your customers again. This would be a costly and imperfect process, no doubt.

For these reasons and more, many businesses choose to store the data in its entirety. Just ensure you follow PCI DSS requirements and exceed the provisions when possible.

3.3-3.4 – Render Cardholder Data Useless to Malicious Parties While Upholding Usability Requirements

PAN must be masked. The PCI DSS standard states that the maximum amount of data you can display (either internally without a specific need defined in your security policy, or externally to the customer) is the first six and last four digits of the PAN.

Where possible, use the irreversible hashes in your application or site implementation, allowing you to verify a card number without storing the actual data. Hashes should be based on secure cryptography such as SHA-1 and should use either fixed or dynamic salts (salts are random bits used to improve encryption).

In most cases, this type of data storage is not possible. In cases where storing the cardholder data and maintaining its readability after cryptographic processes is a must it should be stored using encryption similar to what was described in a “Decoding PCI DSS Requirement 6: Develop and Maintain Secure Systems and Applications, a previous article here on Ecommerce Developer.

3.5-3.6 – Securing the Keys to the Castle: Encryption Key Management

The IT department will actively participate in key management, but developers are obviously an integral part of the process since we build, extend, and at the very minimum manage the application(s) that collects, encrypts, and stores PANs. In addition, developers will need to occasionally access the data to troubleshoot, test, or confirm web application integrity. Developers will want to refer to Decoding PCI DSS Requirement 4: Encrypting and Storing Credit Card Data, published previously here, for more information.

Summary

While the third requirement of the PCI DSS standard may seem fairly straightforward, there are also several pitfalls developers and integrators often encounter while engaging PCI compliance. Clearly defining your business’s needs prior to undertaking PCI compliance can be extremely helpful, especially with regards to requirement 3, where the nature of the data defines how business is conducted in an online arena.

A version of this article was published in eCommerce Developer on July 15, 2010.

Now envision how you would feel if you woke up one morning and your website wasn’t working at all.  It doesn’t load or the homepage has been replaced with an offensive message — or even a warning from Google that this site is no longer secure. That’s right, you’ve been hacked and your website has been kicked off Google.

Think this can’t happen to you? It’s actually not uncommon.  It happens to small businesses every day when their website gets attacked one too many times for Google’s liking. Mberry, a small business based in Tempe, Arizona, is one of those businesses. This innovative company that sells the very cool, very fun “mberry” tablets that make everything you eat taste oh so sweet for 30 minutes.  Mberry had a rather sour experience when their site was banned from Google.

Mberry’s saga started about a year ago when their site was hacked – not once, not twice, but three times in two months. They rely on their site as a main portal for their revenues.  Having their site down multiple times going through the process of getting it cleaned up and back online was costly, annoying and damaging to their brand. But it wasn’t until they got the boot from big daddy Google, that things really got much worse.

“For a startup like ours, getting hacked and then kicked off of Google almost put us out of business,” said Charles Lee, founder and CEO of mberry. “The time and effort we had to spend working through the process to get back in Google’s good graces was arduous. Not to mention, we lost thousands of dollars by being offline for so long. There is no telling how much we lost in terms of brand reputation and vendor relationships. Small businesses simply cannot afford to get hacked.”

Can this happen to any website?  Yes. But here’s the reassuring news — everything you need to help protect your online business from hackers is in your power.

Google to the rescue

When you’re the entrepreneur living through this nightmare, Google definitely seems like the bad guy. Google does do a good job of upholding their responsibility to keep your website and it’s visitors safe. After all, you, your development team, and your hosting provider are responsible for protecting your website, not Google.

Google can be your friend in this situation. Their Webmaster Tools provide some useful services and articles aimed at helping prevent a problem with hackers from ever getting as far as it did with mberry. Google provides a quick checklist on their website that spells out the high-priority (and completely achievable) protective measures in a simple way. For example,

• Scrutinize third-party content plug-ins and use them only when required. Go with well-respected providers.
• Use Google site search to see which of your website pages Google has indexed. Type “site:__<yourwebsiteaddress.com>__” into the Google search bar, and if unfamiliar content shows up, you have problems.
• Sign up for a Google Webmaster account and get access to:
  • Notifications about potential vulnerabilities
  • Notifications about new software versions
  • Notifications when signs of suspect, hacker content like spammy links or comment spam infiltrate your code
  • Google also recommends you rely on your hosting company for support and advice. Ahem.

The White Knight – website hosting

A capable, security focused hosting provider can be a big part of prevention and identification when problems arise. Here are some of Google’s quick checklist recommendations that should be addressed by your hosting provider.

• Lock down your server’s configuration settings for directory permissions, server side includes, authentication, and encryption
• Stay up to date with the latest software patches for all the operating system and applications on your web server.
• Monitor logs and store them per a conservative retention schedule
• Regularly check and monitor your website with anti-virus and vulnerability scanning
• Use secure protocols for data transfer (SSH and SFTP only) and a high level of encryption when data is at rest

Don’t overlook importance of extra security measures like redundant firewall protection and web application firewalls. These protective layers could have kept Mberry from the one-two punch they got from hackers.

Since Mberry put the right protective measures in place, they have not been hacked once. Their customers’ data is totally safe, and life is once again sweet on Google.

The Yahoo! Network Insights team reveals that eCommerce retailers see a 73% increase in online conversions on the Monday following Thanksgiving (compared to the average shopping day in November). This means when consumers open their wallet on 11/30, they will be ready to buy.

You’ve got one shot, one day to win their holiday business, and you need to be totally sure your customers’ data is completely secure, as hackers are just waiting to steal all of those juicy credit card numbers from the thousands of people coming to your site that day.

So how can you improve user experience and conversion for your eCommerce Web site on high traffic days like CyberMonday while ensuring their security? Creative elements aside, there a many technical intricacies that help make your Web site stand out online and stay secure.

Load times, load times, load times. When your Web server is underpowered, pages load slowly and can even fail making it appear that your Web site is down. If your Web site appears to be on the fritz, consumers a) won’t have the patience to wait on you to get it figured out or b) will lose faith in your ability to process orders successfully.

A Web site on the fritz raises questions in consumers minds and decreases the likelihood that they’ll hand over their hard earned money. Was my order received? Is this Web site capable of protecting my PII (personally identifiable information)? Could someone steal my credit card number? And you know what? These are totally legitimate fears. Hacker activity in the last year has increased drastically, and your buyers know it.

Nestling your precious eCommerce Web site in a reliable, High Availability hosting environment and deploying a content delivery network capable of quickly serving up all your high-quality product shots, video customer testimonials, and other heavy media files can help prevent the situation from ever becoming a concern.

Predators on the prowl. Like your telephone operators, cybercriminals are standing by to take orders. They attack your website forms with SQL injections. They use CSRF (cross site request forgery) to inject malicious code capable of stealing information or even redirecting unwitting consumers off your website which obviously prevents them from completing a purchase. Malicious malware installations can damage your search engine rankings and even get your website banned from Google altogether.

Now more than ever, cybercriminals attack without regard or preference for Windows or Linux. Surrounding the application with multiple varieties and layers of protection between your code and the outside world is the best way to shield your eCommerce website from hackers.

Locking down ports. Installing application-focused firewalls. Deploying IDS (intrusion detection systems). Patching regularly. Contingency plans and encrypted backup restoration. All of these devices and techniques must be executed with precision and enterprise-level expertise to stand a chance at warding off cyber attacks. And in the event the your Web site or application is breached, you’ll need a team of responsive, knowledgeable Support Superheroes to help get you back online quickly.

Help users find what they need FAST. The Google Mini Search Appliance applies Google-grade search algorithms to the content on your website so users can find what they’re looking for FAST, every time. The Google Mini search service works with all hosting platforms, so Windows and Linux users can benefit from its capabilities.

Highly configurable, the Google Mini gives you control over which content will appear in your web search results to assist visitors in finding the perfect gift quickly on CyberMonday. The Google Mini is capable of indexing content for large websites (up to 300,000 pages to be exact) so all the products in your eCommerce product catalog can be included.

Elicit confidence, solicit a sale. Once you’ve achieved a high comfort level with the foundation upon which your website resides, you can turn your sites back to fostering trust by incorporating website elements customers can see and appreciate.

SSL Certificates and Security Badges go a long way toward improving your website conversion rate. The type and grade of SSL you select does more than provide an eye-catching dose of confidence. Most SSL providers back their encryption with warranties and insurance for online shoppers and retailers alike, so the protection goes beyond “feel good” sentiments to providing financial compensation in the event the SSL product’s capabilities are compromised.

So What Now? We’d be willing to bet that you’ve devoted the majority of your effort toward ensuring the “physical” components of your shopping season (inventory, staff, packaging, etc) are in place. In the process, you may have inadvertently overlooked the most important factor of your CyberMonday success: Is your Web site capable to handle the influx of shoppers and is it capable of protecting their identity?

You still have time to assess your Web application’s hosting environment and take steps to improve your capabilities or remediate problems before November 30. You know the old adage, prepare for the worst, hope for the best. May you all have a profitable holiday season, with few gliches on your site, and nary a hacker to bah-humbug your business!

This article was featured in eCommerce Times on 11/14/09.

eCommerce site owners that transition to a secure web hosting plan from FireHost by Friday 11/27 will receive a free Website Vulnerability Audit to help identify which areas of their website’s hosting environment could be improved to help ensure CyberMonday success. You can place your order securely online, now.

The website’s intended facade was replaced with a tearful picture of Maradona under the caption “We made you cry” after the Argentine team defeated Peru 2 to 1 on Saturday.

Under Maradona’s image, the hacker included a Peruvian team photo proclaiming “For the biggest cry baby of all time. We didn’t win at the football, but we did on the web!” And as a final insult, Elite Peruvian threw in a soundtrack of Peruvian folk music playing in the background.

Details on how the hacker accessed Maradona’s website are forthcoming, but you can see images of the defacement on Graham Cluley’s blog. Referring back to Maradona’s 1986 FIFA World Cup quarter finals match, Mr. Cluley suggests Maradona seek a more concrete website security solution than the “Hand of God.”

We agree. For website security, FireHost may be the best option.

This particular vulnerability, SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D., is considered Medium to High severity. It’s triggered when “SRV2.SYS fails to handle malformed SMB headers for the  functionality,” says Gaffie.

The flaw lies in a Server Message Block 2 (SMB2) driver and allows hackers to deploy a remote attack that could cause the infamous “blue screen of death” critical system error on both the 32-bit and 64-bit versions of Windows 7 OS. Other comments on Gaffie’s blog indicate that the flaw puts your computer at risk of a Dos attack and could lead to remote code execution.

Gaffie contacted Microsoft; they are investigating the report, but have no ETA on a patch. In the meantime, users can switch off the Server Message Block (SMB) feature or block TCP ports 139 and 445 at the firewall for protection.

Data collected on the geographical distribution of malware “Phone Home” locations in the first half of 2009 shows that  the USA hosts 35% of malware worldwide, followed by China (14%) and Brazil (8%). Additionally, cyber criminals use TCP port 80 most often for downloading and HTTP to transfer and send infections so they can avoid suspicion as these are both very common protocols.

Trojan malware rose the most in popularity in samples collected between January – June this year, and the penetration of viruses increased slightly. PUPs, Backdoors, and Worms declined just a little. Here’s how each category contributed to malware as a whole.

• Trojan – Trojans represent 55% of all Malware on the internet. Here’s how they work: Trojans perform a variety of malicious functions such as spying, stealing information, logging key strokes and downloading additional Malware.
• Backdoor (21%): Backdoors provide functionality for a remote attacker to log on and/or execute arbitrary commands on the affected system.
• Pup, a Potentially Unwanted Program (8%): PUPs are programs which the user may consent on being installed but may affect the security posture of the system or may be used for malicious purposes. Examples are Adware, Dialers and Hacktools/“hacker tools” (which includes sniffers, port scanners, malware constructor kits, etc.)
• Worm (6%): Worms self-propagate via e-mail, network shares, removable drives, file sharing or instant messaging applications.
• Virus (4%): Viruses propagate by infecting host files

The Trojan Malware category continues to occupy the largest share of new malware samples. In the first half of this year, the distribution of Trojans increased 9%. Experts speculate that the rise in Trojan popularity my be attributed to the proliferation of publicly available (and easily accessible) toolkits designed to control, spy on, and steal information from infected computers.

These toolkits are very easy to use. By completing a few text boxes, cyber criminals can have a backdoor or infostealer ready for deployment within seconds. Because they require little technical investment researchers expect the upward trend in popularity to continue.

Within the Trojan malware category, Infostealers (including password stealers, keystroke loggers, and spyware) represent 27% of all new samples.

While Infostealers are the most popular type of Trojan, their trend in popularity remained fairly flat throughout the first half of 2009. FraudTools on the other hand rose sharply and a brand new functionality called an Injector was introduced.

Definitions and trends courtesy of IBM X-Force Team‘s 2009 Mid-Year Trend & Risk Report.

The resurgence of image-based spam is interesting because this style of hacking attempt boomed in 2006-2007, but practically disappeared in 2008. Now that it’s back, there are some distinct trends in the subject, format, and techniques that make blocking these attempts fairly easy for most anti-spam filters.

1. Most of the emails advertise pharmaceutical products – drugs, pills, etc
2. Only a few of the emails use random pixels, and many have identical binaries
3. The messages contain random text below an embedded image
4. Most of the spam does not contain links that recipients can click, but they invite the user to visit a .com website that must be manually typed into a browser
5. WHOIS information shown on the images reflects domain registrars that are infamous for URL Spam

Despite a recent uptick in spam without links, URL spam (60%) continues to dominate this cyber crime category. In the “old days”, URL spam was hosted on domains registered solely for spam purposes, but the number of spam coming from trusted domains has spiked significantly.

One of the reasons hackers are using trusted domains is obvious – a URL from a legitimate website provides recipients a recognizable and trustworthy link. What you may not realize however is that legitimate/trusted links can help hackers evade anti-spam systems.

This year, the following domains have often been used for spam:

• about.com
• akamaitech.net
• ask.com
• cnn.com
• go.com
• googlegroups.com
• healthcentral.com
• icontact.com
• menshealth.com
• msn.com
• webmd.com
• yahoo.com

What’s next in spam? Researchers speculate that a resurgence of .pdf spam is likely considering the attention PDF documents hav ereceived from the perspective of exploitation. MP3 spam is another likely candidate.

The decrease is fueled by a decline in the number of traditional banks. Researchers speculate  that this trend could be fueled by the financial crisis, or perhaps improved security measures when users login to “real” banks online is playing a role. Make no mistake however, hackers aren’t slowing down. They seem instead to be targeting Online Payment institutions instead as reflected in the rise of attacks over the last 18 months.

To further reinforce the movement toward Online Payment institutions, PayPal is mentioned in two of the top five subject lines from this year. (PayPal is included four times if you extend the list to the top ten slots.)

• Attention! Votre compte PayPal a ete limite!, 24%
• Important Information Regarding Your Limited Account, 7%
• PayPal® Account Review Department, 2%
• Account Security Measures, 1%
• Citibank Alert: Additional Security Requirements, 1%

Along with the change in volume, phishing attack origins have shifted dramatically this year. Russia takes the top spot, and they weren’t present on the list last year; Turkey, Ukraine, and India are new as well. Spain and Italy sat in the top slots last year, but Spain has completely disappeared along with Israel, France, and Germany who were smaller yet valid players in ’08.

The top 10 for 2009 include:

The net of these changes lay the groundwork to support foundational changes to the cyber community ecosystem are coming. Researchers are concerned that the decline in phishing attempts simply means that hackers are redirecting resources to other methods that obtain the same (or better gains) that phishing once achieved.

Drupal’s Massive Appeal to Companies
The list of entities using Drupal includes large companies, like Sony and Warner Brothers. Organizations such as Human Rights Watch and the federal government’s Recovery.gov use Drupal too. The reasons for Drupal’s widespread appeal are many. Aside from being completely free to use, Drupal’s open source nature encourages active enhancement by thousands of developers around the world. The bottom line is simple, Drupal is constantly becoming better and better, without costing a dime.

The vibrant Drupal developer community includes dozens of “Drupal Camps” throughout the world, each with hundreds of attendees. Hosted by experienced Drupal users and developers who volunteer their time and knowledge, these camps are designed to foster innovation of the Drupal platform, educate new users, and spread the use of Drupal among web developers.

The Downside of Open Source Platforms
As beneficial as Drupal is when developing and managing your website, it is vulnerable to web application exploitation by malicious hackers. Since the Drupal source code is freely available to anyone, hackers have scoured the code for ways to exploit websites that use Drupal. The result can be devastating, including theft of private company and customer information.

FireHost Helps Secure Open Source Solutions
FireHost specializes in protecting websites and open source applications like Drupal from exploitation by malicious hackers. We use advanced web application firewalls, intrusion detection systems, and intrusion sniffing protocols to prevent attacks and exploitation before it starts. Our industry leading security measures allow you to confidently embrace all the wonderful aspects of Drupal, without the constant worry that accompanies the threat of malicious attacks.

FireHost is firmly dedicated to the idea every business and individual deserves the opportunity to conduct business and express themselves online without the risk of an attack by a hacker. Using Drupal to develop and manage complex website applications, with the security promise of FireHost, provides dynamic content for your website. To get started, contact a FireHost Agent today.