Posts Tagged ‘Online Shopping Safety 2009’

Top Five Application Security Risks for 2010

by FireHost Evangelist on December 23rd, 2009

It just wouldn’t be the new year without a “best of” or “top ten” list, and we’ve chosen to expand upon OWASP’s (Open Web Application Security Project) recap of the top application security threats to look out for next year.

Before you stop reading and get back to your _____ (insert whatever project you had planned for today), wait! You have our assurance that this won’t be too jargon-y. We’ve deliberately stopped the heavy tech talk here, and we’ll translate all the application security risk verbiage into usable, understandable terms for your growing enterprise.

So here they are, without further ado, the top five application security risks for 2010:

1) Injection Attack

All Web applications that collect and transmit data (using forms for example) are susceptible to Injection Attacks. By sending specific commands through your application’s forms, hackers can modify various elements of the code. In extreme cases, injection attacks could allow attackers to penetrate a firewalled environment such as the network environment or database.

SQL injections like the ones that compromised Symantec and NASA this year dominate this attack category, but there are many additional varieties to which you could fall prey. Impress your IT staff by nodding knowingly if they mention a Code Injection, Command Injection, or XPATH Injection around the water cooler.

Some of the best protective measures (ask your security expert about these) for Injection Attacks include:

  • Input Validation – cleanse your input data
  • Human Verification, i.e. CAPTCHA
  • Restrictive Privileges when connecting applications to DBs and other proprietary systems
  • Vague Error Messages give attackers little detail to go on and can help deter an onslaught
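As an added example (not code from the original post), here is the injection bug beside three of the mitigations listed above, in Python with SQLite: a parameterised query in place of string-built SQL, a read-only database connection for the web tier, and a generic error message that keeps the details in the server log. The catalogue rows and the hostile form input are constructed for the illustration.

```python
import logging
import os
import sqlite3
import tempfile

log = logging.getLogger("shop")
INJECTION = "' OR '1'='1"  # constructed hostile form input: the textbook tautology

def build_db(path):
    """Constructed sample data: a two-row product catalogue."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [("SKU-100", 9.99), ("SKU-200", 24.50)])
    con.commit()
    con.close()

def lookup_vulnerable(con, sku):
    # Form input spliced straight into the SQL text: this is the injection bug.
    return con.execute(f"SELECT sku, price FROM products WHERE sku = '{sku}'").fetchall()

def lookup_safe(con, sku):
    # Parameterised query: the value never becomes part of the SQL text.
    return con.execute("SELECT sku, price FROM products WHERE sku = ?", (sku,)).fetchall()

def price_for(db_path, sku):
    """Request handler: least privilege on the connection, vague errors to users."""
    try:
        # Restrictive privileges: the web tier opens the database read-only, so
        # even an injected statement could not INSERT, UPDATE or DROP anything.
        con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
        rows = lookup_safe(con, sku)
        con.close()
        return f"{rows[0][0]}: ${rows[0][1]:.2f}" if rows else "No such item."
    except sqlite3.Error as exc:
        log.warning("lookup failed for %r: %s", sku, exc)  # detail stays server-side
        return "Sorry, something went wrong."               # attacker learns nothing

def demo():
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    build_db(path)
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        con.execute("INSERT INTO products VALUES ('X', 0)")  # must fail: read-only
        write_blocked = False
    except sqlite3.OperationalError:
        write_blocked = True
    result = {
        "vulnerable_rows": len(lookup_vulnerable(con, INJECTION)),  # 2: whole table
        "safe_rows": len(lookup_safe(con, INJECTION)),              # 0: literal match
        "write_blocked": write_blocked,
        "handler": price_for(path, "SKU-200"),
    }
    con.close()
    return result
```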

(more…)

Save This List: How to Help Prevent a Web Application Security Breach

by FireHost Evangelist on December 16th, 2009

In a previous post, we provided information you’ll need to know immediately if your website is successfully hacked. It included recommendations on how and when to:

Step 1: Announce and assess the breach
Step 2: Conduct a deeper investigation
Step 3: Notify affected individuals and organizations and begin remediation
Step 4: Re-launch
Step 5: Communicate the resolution publicly and to affected parties
Step 6: Take steps to remediate vulnerabilities and prevent a future breach

Today’s discussion takes a deeper look into step six, preventing cyber crime at small and medium-sized businesses. The truth is that security measures in place at most SMBs are “easy pickings” for hackers, and there is a booming community of C2C (criminal to criminal) interactions focused solely on stealing customer data from SMBs that conduct business online. The same way you work every day to develop new, enticing products and easier ways for your customers to shop, cyber theft “shop owners” fuel this sub-economy by devising faster, easier, and more effective methods by which to steal your company’s valuable data.

Preventing data leakage takes an ongoing, concerted effort, so it’s important that you take proactive control over your immediate environment. Here’s how:

(more…)

Credit Card Processing: Between a Rock (Hackers) and a Hard Place (Compliance)

by FireHost Evangelist on December 8th, 2009

For many ecommerce developers, the thought of designing a system to store the credit card data of their clients’ customers is chilling.

For good reason. Determined hackers can compromise the most sophisticated network by combining simple, free tools with a little effort. In fact, the cyber-criminals behind the famed TJ Maxx and Heartland Payment Systems breaches used novice techniques like War Driving and SQL Injections to access the retailers’ networks.

If hackers can penetrate the network of a global enterprise, imagine what they can do to your clients’ small businesses. It’s a scary proposition, no doubt, but it shouldn’t keep you from going down that path when a project requires it.

Managing Credit Card Data

The first (and perhaps most important) challenge you’ll face with such an ecommerce development project is credit card collection, storage, and handling. One of the easiest and least risky options is to offload, via an API, the storage and handling of credit card numbers to a payment gateway that “hides” credit card data – Authorize.net, PayPal, BluePay or the like. If the credit card data is passed directly from the client (browser) to the gateway, without passing through your client’s web server, you’ll reduce your liability as the developer and help keep your client’s ecommerce site protected.

However, this solution may not work in all situations or for all clients, for at least a few reasons.

  1. Complicated recurring billing. If your client has a complicated recurring billing structure wherein payments vary in time, frequency, amount, or purpose; or if your client’s customers use purchase orders, your client may need to keep the raw credit card numbers available for the flexibility. Your client can still use tokens and offload the recurring billing to some credit-card-obscuring payment gateways as mentioned above, but again the need to process or manage customer data can be project specific.
  2. Save on Interchange fees. All credit-card merchant-account providers charge an Interchange fee, and these fees can and do vary from provider to provider. So for some potential clients managing customer credit card data can be well worth the risk if doing so allows them to get a significantly better fee structure.
  3. Offloading credit-card-storage is not enough. If credit card data passes through your client’s web server, whether the business stores that data or not, the system you develop needs to be PCI compliant. In short, whenever possible, choose a solution that never exposes your web server and your client’s ecommerce business to customer data. But when a project does call for credit data transfer or storage, you’ll need to build a Payment Card Industry compliant system that hackers cannot easily overcome.
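As an added example (not the post’s own code), a Python guard for the gateway-token approach described above: the web server expects only the gateway’s token and refuses any request in which a field carries a raw card number, since that would mean a client is sending card data through your server after all. The Luhn check, the `tok_` token prefix and the sample form values are assumptions for the illustration.

```python
import logging
import re

log = logging.getLogger("checkout")

# Card-like runs of 13 to 19 digits, optionally separated by spaces or dashes.
CARDLIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn mod-10 check: every real card number passes it, most order ids fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the Luhn-valid card-like runs in a string, digits only."""
    found = []
    for m in CARDLIKE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

def accept_checkout(form):
    """
    The only card-related value this server expects is the gateway's token
    (assumed here to start with "tok_"). A raw PAN in any field means a client
    is misconfigured and is quietly pulling the web tier into the cardholder-data
    path, so refuse the request and log it. Returns (accepted, customer_message).
    """
    for field, value in form.items():
        if find_pans(str(value)):
            # Log the field name only; the number itself must never reach the logs.
            log.error("raw card number received in field %r; request rejected", field)
            return False, "Checkout could not be completed."
    if not str(form.get("card_token", "")).startswith("tok_"):
        return False, "Missing payment token."
    return True, "ok"
```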

(more…)

DDoS Attacks, The Ultimate Cyber Smackdown

by FireHost Evangelist on December 4th, 2009

In MMA, fighters find the Guillotine or Rear Naked Choke to be reliable tactics for eliciting a submission. In cyber warfare, a DDoS attack is the “go to” move that produces the ultimate cyber smackdown effectively, time after time.

Just like choke holds, Denial of Service attacks come in a variety of flavors – Flood Attacks, SYN Attacks, Smurf Attacks, Ping of Death Attacks, and the ultimate tap out producer Distributed Denial of Service Attacks (to name a few). Each method is designed to achieve a single goal – stifle the target website or online application.

Generally speaking, DoS/DDoS attacks accomplish this by directing a flood of “packets” (fake visitors, often robots) to your website at the same time. In simple terms, a denial of service attack takes up all your hosting environment’s available bandwidth and resources making it impossible for human traffic to reach your website or service.

DoS/DDoS Popularity and Severity on the Rise

Geared toward taking sites offline rather than stealing information or deceiving unknowing web surfers, DoS/DDoS attacks could be regarded as the cyber “crime of passion”. These attacks have effectively silenced religious and political groups from publicly publishing their opinions. High-profile organizations make headlines most often, but really any group with “offbeat” opinions could be the target of a DoS/DDoS onslaught.

Extortion is another popular motive behind DoS/DDoS attacks. Just recently, several Australian sports-betting websites lost millions in revenue over a busy weekend when criminals held their web services hostage for ransom money. Other commercial entities are starting to feel the effect of DoS/DDoS deployments too. Recruit Advantage and Bitbucket have both recently suffered losses due to prolonged outages, and it’s only a matter of time before mass-market retailers use attack-for-hire services to wreck holiday sales for the competition.

DoS/DDoS attacks can take a website or online service to its knees effectively and inexpensively, so they are growing to become a popular add-on to botnet operators’ portfolios. For a mere $200/day, common Rent-a-DDoS operations can dish out botnet deployments ranging from 100Mbps to 100Gbps. Prolonged over several days, an attack of this magnitude could leave your start-up with a 5-digit invoice for bandwidth.

How to Prevent a DoS/DDoS Smackdown

Unlike other cyber crimes, this type of attack may not pose a direct threat to your clients’ PII (personally identifiable information). That doesn’t spare you the expense of lost sales, regaining public opinion, and technical resources however. In addition to those more “expected” costs, you’ll face charges for the bandwidth consumed during the exploit, and that bill alone could be enough to lead your startup business to early retirement.

The worst part is that if a cyber opponent has you in his or her sights, you’re going down for the count. There are no known prevention methods on record. DoS/DDoS attacks are like a jump spinning rear kick delivered in your blind spot. Scary, deadly stuff.
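Added example, not from the original post: since the post says there is no prevention, what a site can still do is notice the flood early and account for the traffic it is paying for. This Python snippet runs a per-source rate check over constructed combined-format access-log lines and reports the share of served bytes that went to flagged addresses; the window, threshold and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line: client ip, timestamp, request, status, bytes sent.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')

# Constructed sample traffic: two ordinary shoppers plus 120 hits in ten
# seconds from three hostile addresses (a small "distributed" flood).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2009:09:00:00 -0600] "GET /product/42 HTTP/1.1" 200 8192',
    '192.0.2.11 - - [30/Nov/2009:09:00:03 -0600] "POST /cart HTTP/1.1" 200 512',
] + [
    f'198.51.100.{i % 3} - - [30/Nov/2009:09:00:0{i % 10} -0600] "GET / HTTP/1.1" 200 5120'
    for i in range(120)
]

def parse(line):
    """Return (ip, epoch_seconds, bytes) for one log line, or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ip, stamp, _request, _status, size = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, int(when.timestamp()), 0 if size == "-" else int(size)

def flood_report(lines, window=10, per_ip_limit=20):
    """
    Count requests per source address in fixed windows of `window` seconds and
    flag any address that exceeds `per_ip_limit` in a single window. Also total
    the bytes served to flagged addresses: that is the bandwidth you pay for.
    """
    hits = defaultdict(Counter)        # window bucket -> ip -> request count
    bytes_by_ip = Counter()
    parsed = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, size = rec
        hits[ts // window][ip] += 1
        bytes_by_ip[ip] += size
        parsed += 1
    offenders = {}                     # ip -> peak requests seen in one window
    for per_ip in hits.values():
        for ip, n in per_ip.items():
            if n > per_ip_limit:
                offenders[ip] = max(offenders.get(ip, 0), n)
    flood_bytes = sum(bytes_by_ip[ip] for ip in offenders)
    return {
        "parsed": parsed,
        "offenders": offenders,
        "flood_share": round(flood_bytes / max(sum(bytes_by_ip.values()), 1), 3),
    }
```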

(more…)

You’ve Been Hacked! Now What? A Guide for Entrepreneurs and eCommerce Website Owners

by FireHost Evangelist on November 25th, 2009

You’ve just plopped down in your favorite chair after a big Turkey Day meal. Your first “real break” in months. Your only intention today is to relax because you know the next five weeks (from CyberMonday through New Years) will be non-stop, chaotic “fun” for your new business online.

Just as your head tips back and your mind wanders off to dream about the great momentum strong holiday sales will provide for your new enterprise, the phone rings. It’s your Web site developer. The news is not good. Somehow, someone has compromised your site’s customer database and taken critical customer data, like credit card information.

What you do in the next 48 hours will be critical to getting your business back online, on track, and on safe ground. Two things to remember: Transparency and Communication. It’s not just about restoring your Web site to a secure state but restoring your customers’ confidence to continue to shop with you.

Step 1: Announce and Assess (Timeframe: Immediately – 12 hours after the breach is discovered)

Immediately, get your site offline. Google has some specific recommendations regarding the best way to accomplish this.

Customers appreciate being notified as soon as possible, and they would rather hear it from you first. Plus, being the first to report the cyber crime lets you control the message. Concurrently, make a general public statement about what has happened and instruct all individuals (or companies) who have done business with your company to monitor their credit report and banking statements for inconsistencies.

Deliver the statement to all concerned parties via email and make sure to train all customer-facing representatives with the appropriate dialogue. Here’s a concise and effective example from Balmar Incorporated.

Step 2: Conduct a Deeper Investigation (Timeframe: 12 hours – 36 hours+)

Computer forensic auditors, PCI representatives, governmental agencies, and others may be involved in the process depending on the nature of your business.

Start by interviewing all personnel responsible for securing your environment and find out if they are aware of any known vulnerabilities. Next, begin reviewing log files with the following specific goals in mind: Identifying the date(s) of the breach, how many customers were compromised, and what information was stolen.

(more…)

Safe Cyber Shopping Suggestions for Consumers

by FireHost Evangelist on November 19th, 2009

As consumers proceed full force into the online shopping season, it’s important to remember that good-hearted, upstanding citizens won’t be the only ones filling their shopping cart. As cybercriminals prepare to trade massive scores of PII (personally identifiable information) for cash in the “Underground Economy”, it’s important you recognize the risks and take steps necessary to protect your identity.

Symantec’s report on cybercrime reveals the volume and lucrativeness of identity theft.

  • Credit cards, the hottest commodity, account for nearly 33% of all illegal transactions and produce approximately $5.3 billion in revenue each year. Credit card numbers fetch between $0.10 to $25 per card, so compromising as many accounts as possible motivates thieves in this category.
  • Stolen financial accounts, the next most lucrative target, produce approximately $1.7 billion in revenue (20% of the total volume). Historically, stolen bank accounts have carried an average balance of $40,000 and sold for between $10 and $1,000 each.

Crafty, sneaky, and increasingly sophisticated hacker techniques make it difficult to detect schemes, but (re)educating yourself on the risks and acting on protective measures will help prevent identity theft from ruining your holiday season.

#1 Check Statements Daily and Monitor Credit – Review transactions flowing through your bank and credit card accounts daily. Detecting and reporting fraud or identity theft fast will “stop the bleeding” and increase the chances for a complete financial recovery. Federal law provides consumers one free copy of their credit report (from each of the reporting bureaus) every year. Toward the middle or end of the holiday shopping season may be a strategic time to exercise your right. Contact Experian, TransUnion, and Equifax annually.

#2 Implement Password Confidentiality and Strength – Stolen passwords contribute a great deal to identity theft and security breaches taking place online. Password security seems so simple and obvious, but the recent incident with Hotmail shows that consumers are not following basic guidelines for safety and much work and education remains to be done. So, here are the top password guidelines (AGAIN!):

  • Don’t share your password with anyone.
  • Change passwords often.
  • Set a different, strong password for every website you visit. For example, Twitter should not have the same PW as your bank account or email, etc.
  • Strong passwords include 8 characters and a mix of symbols, numbers and letters.
  • Finally, a service like 1Password can help make the task of implementing good password safety more manageable.

(more…)

Everyone is Excited for CyberMonday – Your Vendors, Your Customers, and Hackers

by FireHost Evangelist on November 14th, 2009

Less than 20 days until CyberMonday. Your warehouse is full. Your shipper is standing by. But have you considered what will happen at your website after a flood of qualified buyers click on the irresistible and precisely worded ad for your product or service? Now (not then) is the time to find out if your website can take the heat that CyberMonday will dish out.

The Yahoo! Network Insights team reveals that eCommerce retailers see a 73% increase in online conversions on the Monday following Thanksgiving (compared to the average shopping day in November). This means when consumers open their wallet on 11/30, they will be ready to buy.

You’ve got one shot, one day to win their holiday business, and you need to be totally sure your customers’ data is completely secure, as hackers are just waiting to steal all of those juicy credit card numbers from the thousands of people coming to your site that day.

So how can you improve user experience and conversion for your eCommerce Web site on high traffic days like CyberMonday while ensuring their security? Creative elements aside, there are many technical intricacies that help make your Web site stand out online and stay secure.

Load times, load times, load times. When your Web server is underpowered, pages load slowly and can even fail, making it appear that your Web site is down. If your Web site appears to be on the fritz, consumers a) won’t have the patience to wait on you to get it figured out or b) will lose faith in your ability to process orders successfully.

A Web site on the fritz raises questions in consumers’ minds and decreases the likelihood that they’ll hand over their hard-earned money. Was my order received? Is this Web site capable of protecting my PII (personally identifiable information)? Could someone steal my credit card number? And you know what? These are totally legitimate fears. Hacker activity in the last year has increased drastically, and your buyers know it.

Nestling your precious eCommerce Web site in a reliable, High Availability hosting environment and deploying a content delivery network capable of quickly serving up all your high-quality product shots, video customer testimonials, and other heavy media files can help prevent the situation from ever becoming a concern.

(more…)

Cyber Shopping Awareness and Preparedness for 2009

by FireHost Evangelist on November 9th, 2009

’Tis the season for shopping, travel, food, and family. Unlike holiday seasons past, planning and performing these activities will involve the web. Booking travel online. Searching for great buys, and purchasing gifts for your family, friends, and clients. Discovering the best recipes and party ideas to ensure your holiday gathering is memorable. When you sit back to think about it, eCommerce is infiltrating our shopping lives, and for good reason.

  • eCommerce websites never close.
  • You can easily compare prices from multiple sellers.
  • No lines, crowded parking lots, or germs (H1N1).

All these benefits mean more and more people (of all ages and economic conditions) will be shopping online during the holidays in 2009 – enough to generate an estimated $156 Billion in sales. (Online shopping represents 36% of sales expected from all channels this winter according to the National Retail Federation.)

That’s music to the ears of cyberthieves. Like retailers, hackers are going into their busy season. The influx of shoppers using eCommerce websites over the next several weeks means that there are more cyber crime victims upon whom to prey.

Even if cybercriminals can only maintain conversion rates for malware (Trojans, rootkits, spyware, zero-day exploits, keyloggers, and viruses) and phishing attempts (spam), the voluminous spike in traffic means they will increase their earnings. Cyber thieves know that unpredictable traffic patterns and spikes can make it difficult to detect a security breach meaning hacks carried out during the holidays may go overlooked for a longer period of time.

So that’s the backdrop against which a secure web hosting provider views holiday 2009, and we’re up for the challenge.

(more…)