Posted by Sam Leeson on Thu, Jun 17, 2010 @ 03:22 PM

While reading through blog posts this morning I was greeted with this one from Acunetix identifying reasons why consumers should be wary of "[hopping] aboard the Web Vulnerability Scanning bandwagon." Their article raises several valuable reasons as to why deciding to repair your own system may be more harmful than helpful. What the article did not describe was why services like ours at SiteSecurityMonitor.com are an essential tool for large and small companies alike.
When you register with SSM you can be sure that you are not only scanning for website vulnerabilities within your own system but also that you are seeking out and identifying malware that may have infected your entire network. Because the whole focus of SSM is to identify malware and vulnerability issues within the sites of our clients, we are able to direct all of our resources to continuously update and remedy the ever-increasing number of viruses set to damage a website.
Certainly I can support the idea that Acunetix raises about how easy it is to find, buy and use an "outdated, unproven, 'free' scanner," and that's why we are here. There are so many options out there that it can feel overwhelming to know where to begin to look for help. That said, these days, with the media outlining how easily hackers seem to be getting hold of large companies like Adobe and Apple's iPad, why wouldn't you be anxious about the safety of your own website?
If you aren't sure about the services we offer, then I encourage you to give us a try before you commit. Fill out the "Get A Free Scan" form on the right side of this page and let us tell you what we find. According to clients like Jack Summers of Radioworld.ca, the research shows that "SSM earned high marks as the most community-oriented and helpful solution in the [malware and vulnerability scanning] industry." Let our service speak for itself.
Posted by Jason Remillard on Thu, Jun 10, 2010 @ 09:03 AM
As I watch the debacle unfold in what is quickly becoming widely known as one of the world's worst environmental disasters, I watch with interest the actions of Mr. Hayward, the CEO and point man for the BP Company.
Since I've been working part/full/over-time on my Executive MBA for the past year, leadership and its attributes and different flavours have been a subject of interest for me recently. Watching Mr. Hayward and his reactions will be fodder for business schools for years to come, and judging by the recent lashing he's received from Harvard Press, it probably won't be pretty.
We can talk about the horrendous impacts on the environment, lifestyles and in some cases the very being of many communities along the shore for hours. Being an amateur scuba diver and lover of all things water-based, I'm aghast and personally very afraid for the aquatic ecosystem going forward.
However, the Harvard article tweaked something in me; more of a case of deja vu really. When we look at other 'wide spread' issues, such as massive data breaches or widespread malware infections, we see a lot of the same actions from management. To be sure, academia has done a lot of work in this area: the 5 steps of disclosure (lie first, slowly admit, backpedal, sweep, etc.).
Just look at the current state of our own industry! Over the past 6 weeks, GoDaddy has been suffering massive attacks of malware and WordPress cracks, sometimes hundreds per minute. Watching their actions on their forums, and how they've handled some of the customer issues, reminds me of the need to have a proper disclosure procedure built into your operational processes. For sure this is not the first time, and GoDaddy should have some experience in this area and be a leader for others to follow in this regard. Everyone has problems. Sometimes the problems are too hard to fix, or hydrates get in the way and mess up great plans. Other times, you need to buy yourself time to let your experts settle in and figure out just what is going on.
Either way, the crisis consultants have methodologies for dealing with these sorts of things (I'm sure Tiger's consultants are looking for work now), and it's something we as professionals and service providers need to look at more seriously. Witness the recent activity around Adobe: they admit to the issues (finally), but as of yet still don't produce a patch to potentially offset MILLIONS of infections around the world.
It saddens me to say, but perhaps what is really needed here is some good solid case law to remind vendors and service providers of their responsibilities. Sometimes it seems that the only way to get business to move in a more ethical and responsible manner is to add a financial metric to it. McDonald's reduced the high temperature of its coffee due to lawsuits. Tylenol introduced sealed caps in the 80s due to the lawsuits there.
So do I think BP could learn from our industry on incident and emergency response? To be sure, they are very different industries, impacts and processes. However, for me, what matters is the responsibility of business to be protective of their clients, supportive and acknowledging of client concerns, and responsible for their actions. These actions set businesses apart from other organizations, and in the long term are a sustainable business activity sure to pay dividends (monetarily and socially) in the future.
Posted by Sam Leeson on Mon, Jun 07, 2010 @ 11:18 AM

Everywhere we turn in recent weeks we are reading articles, blog posts and social media updates about frustrations consumers are having with Adobe products. This comes in light of the Kaspersky Lab report titled "Information Security Threats In the First Quarter of 2010," indicating that Adobe products are the number one choice for hackers and virus writers around the world. Adobe went so far as to announce, late Friday, that they know about holes being exploited in their Flash Player and indicated that, as yet, a patch was not available.
What I glean from the comments I've read is that individual consumers are surprised that their sites are being targeted just as frequently as the "big companies." Too often we make the assumption that because we are small, we are inconsequential and therefore uninteresting and unappealing to the hackers and malware-spreading individuals of the world. This is no longer the case. The people who are looking for targets generally have plenty of time and patience on their side, so they can hit anyone with access to the internet through blog posts, website visits, or click-through ads. Many of these sites utilize services offered through Adobe and other "big name" companies, and so if there is already a vulnerability there, you are unwittingly subjecting yourself and anyone who visits your site to an attack. J. Sadowsky, from http://www.partyinnovations.com/, thought he was protected by using McAfee security solutions but only managed to become completely free of site attacks when he began our program, utilizing both our malware detection and our vulnerability scanning services.
Regina, from WPSecurityLock, makes every effort to ensure that blog writers using the WordPress platform have all of the information they require to keep their posts safe from attack. Regular readers of her site will also note that she even writes about any potential exploitation she comes across.
Do not assume that simply because you are small, you do not have power. Be it good or bad, you wield more power than you think.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 08:22 AM
One big thing that is missing from this industry is empirical trend data that supports the TRUE risks and costs associated with hacking and malware infections. To date, we’ve written quite a lot about customer-specific impacts when they are infected. The ‘results’ run the gamut of thousands of dollars of losses over time, loss of SEO rank, customer reputation, etc. However, one part that has been missing is the true impact on the supporting actors in these instances.
For example, take a site that is infected with a simple malware redirect. Instead of only looking at the impacts directly to the website owner (which are onerous enough!), we’re starting to look at the impacts to the service providers for that customer.
It's not just the web host. It's the affiliates for that site that may lose sales. It's the ad network that is presented on that site that receives negative feedback for the ads being present on an infected site. It's the content readers that also receive the infection, or are impacted by the reduction in traffic. It's the direct advertisers that are affiliated with the website, that are now also negatively impacted from an image, reputation or traffic perspective.
So we here at SSM are undertaking a small series of end-user surveys (specifically of those that were impacted) about their total ‘experience’ with the resolution. Questions like: Who did you call first? How were you told? Did your SEO rankings take a hit? Was your web host helpful? Did you switch hosts/designers/products based on the infection? What other steps have you taken, etc.?
Thus far (early in our survey), some interesting facets have already arisen.
Primarily:
1) Clients learned of their defacement primarily through their customers or colleagues. Because they don’t regularly monitor their site, they had no idea that they were infected.
2) Their web host provider was NOT helpful, not beneficial during the resolution process. Surprisingly enough, only a small percentage 'switched' providers due to this.
3) Google was their main source of information on this issue, but the information was confusing, not really related, and generally was unhelpful overall.
We will be publishing more results as the data becomes more solid. We are still running the survey, so if you (or someone you know) went through this very personal hell, please forward them this survey link URL: http://surveys.verticalresponse.com/a/show/527087/2a7f185d4a/0
(securely hosted by VerticalResponse – anonymous is OK too!)
-Jason
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:29 AM
Back for the last entry of 2009, here are the latest updates in the security world:
AWeber announces an intrusion into its site; an undisclosed number of email addresses pilfered.
AWeber was recently the victim of an intentional attack to mine email addresses. We’d like to take this opportunity to share what happened, what was (and was not) affected and what we’re doing as a result of this attack.
PCI Security Council updates its site:
Today, the PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) Security Requirements and the Payment Application Data Security Standard (PA-DSS), announced the launch of a new PCI SSC micro site, providing resources to secure payment card data in eight languages.
Adobe named this year's most hacked software
Taking first place from Internet Explorer, Adobe has had its fair share of issues this year, including numerous ‘zero-day’ exploits.
Kits that go by names like “T-IFramer,” “Liberty Exploit Systems” and “Elenore” all turned up on underground markets selling for $300 to US$500, Kandek says, and allow the attacker to install a Trojan program ready to download whatever malicious software a cybercriminal wishes, from spyware to click-fraud software. All three of those kits exploit three unique Adobe Reader bugs, along with a smaller number of bugs in Internet Explorer, Microsoft Office, Firefox and even QuickTime.
Ever think of what happens to your Facebook account when you die?
This new service allows you to send posthumous notices, shut down accounts, store passwords, etc. An important new entry into your last will and testament?
“Practically everyone knows someone that has died and whose blog just stays up there, or whose Facebook profile keeps on sending friendship suggestions,” said Lisa Granberg, 29, a co-founder of My Webwill. “Those surviving that person have a very difficult time (doing) something about it.”
For the ‘home hacker’, a nice little Christmas break project
Book scanners, like the ones Google is using in its Google Books project, run into thousands of dollars, putting them out of the reach of a graduate student like Reetz. But in January, when textbook prices for the semester were listed, Reetz decided he would make a book scanner that would cost a fraction of commercially available products.