Posted by Jason Remillard on Wed, Mar 31, 2010 @ 12:05 PM

As reported in the past few days, a site selling Durex condoms has had a small 'exposure' problem. As reported, the site had been suffering (for how long is unknown) from several basic security exposures, including allowing orders to be viewed online without a login - simply by changing the order number in the URL!
I know that this is a 'simple' mistake, but come on folks.. This isn't 1998, where you wrote apps in MS Access and wrapped a report around it! This is (was?) a fully fledged shopping system, with um...confidential information regarding previous orders (hmmm.....size...color...flavors???)
According to the lawsuit, the company took quick action to pinch off the problem, but who knows how long the problem was exposed? What is more interesting to me is that this problem was found by an unsophisticated user. I mean, he wasn't a cracker, malware engineer or depth-defying trojan writer. He was a customer that said, "Hmm... I wonder".... Perhaps we can all take a lesson from this scenario and consider thinking not just outside of the box with security, but also using, I suppose, accidental techniques to test services and applications. I'm sure my tester friends have a technical term for this, but it just goes to show that sometimes 'what if' is a testing parameter.
Usually conversations in this context deal with adult-content oriented websites - those are usually the first and most often attacked. Considering this case, things are a little different but no less important - the last thing you want is your customer information all piled up in someone else's control.
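The flaw described above (an order page that trusts whatever order number arrives in the URL) is what testers call an insecure direct object reference. The following is an added example, not code from the post or from the site in question: a vulnerable lookup beside a hardened one that requires a login and checks ownership server-side, an opaque reference to replace guessable sequential numbers, and a small replay over constructed access-log lines that shows which requests the hardened check would have refused. The order store, user names, log format and function names are all constructed for the example.

```python
"""Added example: insecure direct object reference on an order page,
vulnerable vs. hardened lookup. All data here is constructed."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Order:
    order_id: int
    customer: str
    items: List[str]


# Constructed sample store keyed by a sequential, guessable order number.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", ["item-A"]),
    1002: Order(1002, "bob", ["item-B"]),
    1003: Order(1003, "carol", ["item-C"]),
}


def view_order_vulnerable(order_id: int) -> Optional[Order]:
    """The flaw: the order number is the only thing consulted, so changing
    the number in the URL returns someone else's order."""
    return ORDERS.get(order_id)


class Forbidden(Exception):
    """Raised when a request must not be served."""


def view_order_hardened(order_id: int, current_user: Optional[str]) -> Order:
    """Require a logged-in user and check that the order belongs to them."""
    if current_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer != current_user:
        # One response for "no such order" and "not your order", so the
        # check does not confirm which order numbers exist.
        raise Forbidden("order not found")
    return order


def can_view(order_id: int, current_user: Optional[str]) -> bool:
    """Boolean wrapper around the hardened check, handy for tests and logs."""
    try:
        view_order_hardened(order_id, current_user)
        return True
    except Forbidden:
        return False


# Opaque public references: even if an ownership check is later forgotten,
# a 128-bit random token cannot be enumerated the way 1001, 1002, ... can.
PUBLIC_REFS: Dict[str, int] = {}


def issue_public_ref(order_id: int) -> str:
    """Mint an unguessable reference for an order and remember the mapping."""
    token = secrets.token_urlsafe(16)
    PUBLIC_REFS[token] = order_id
    return token


def resolve_public_ref(token: str) -> Optional[int]:
    """Map a public reference back to the internal order number, if known."""
    return PUBLIC_REFS.get(token)


# Constructed access-log lines: session abc walks through consecutive ids.
SAMPLE_LOG = """\
sess=abc user=alice GET /order?id=1001
sess=abc user=alice GET /order?id=1002
sess=abc user=alice GET /order?id=1003
sess=xyz user=bob GET /order?id=1002
"""

LOG_LINE = re.compile(r"sess=(\S+) user=(\S+) GET /order\?id=(\d+)")


def denied_lookups(log_text: str) -> List[Tuple[str, int]]:
    """Replay logged requests through the hardened check and return the
    (session, order_id) pairs it would refuse; a run of refusals from one
    session is the enumeration pattern the post describes."""
    denied = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        sess, user, order_id = m.group(1), m.group(2), int(m.group(3))
        if not can_view(order_id, user):
            denied.append((sess, order_id))
    return denied


if __name__ == "__main__":
    print("vulnerable:", view_order_vulnerable(1002))   # bob's order, no login
    print("hardened as alice:", can_view(1002, "alice"))  # False
    print("would be denied:", denied_lookups(SAMPLE_LOG))
```

The ownership check belongs on the server, next to the lookup; hiding the order number in the page or relying on the customer not to edit the URL is not a control. The opaque reference is defence in depth, not a substitute for the check.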
On a better note, our Facebook group seems to be cooking now, over 170 fans. Even better, our WordPress Security Plugin is getting great play - over 500 installs now!
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:40 AM
For some light humor!
1) You really enjoy waking up in the morning with your coffee, hitting your homepage, and finding a new page marketing ‘special offers’ for ‘enhancement’ products… You spill your coffee, burn…ouch.
2) You just love getting a hosting bill showing your site had somehow managed to use 4 terabytes of data last month, even though your site is actually just 3 small pages.
3) You appreciate the Friday afternoon calls from 2 of your largest customers, saying that they are switching to your competitor due to some aggressive marketing they’ve received… Hmm, wonder how your competition knew how many kitty trinkets your biggest customer ordered last week?
4) You relish the thought of not being able to send your weekly newsletter to your regular customers, since, for some reason, no emails are getting through and your hosting provider says you sent 1,540,098 emails in the past hour marketing Acai Beans. You sell catnip toys… Interesting.
5) You’ve had approximately 38.56 different people help you with your website, you’ve changed hosters 6 times, and attempted to change the registrar of your domain three times but gave up. You know what they say about too many cooks…
6) That great freeware guest- book system written by a kid in Slovakia with a name you can’t even pronounce you thought was really neat in 2003 is actually still on the site, but you’ve long forgotten about it being there. Google and the scammers didn’t forget though…
7) One of your designers installed a patch for your shopping cart 2 years ago and had problems. After googling for a solution for a few hours with no results they decided to chmod 777 * a few large directories. Voila, it works! And that’s the way it’s been for 2 years now. Lovely.
8) You enjoy explaining to your customers how their private information is now front page news, or worse, with their ex-wife’s lawyer!
9) The thought of having the marketing list you paid $10k for last year available to anyone is something you enjoy. Sharing and collaborating, that’s what the net is all about, right?
10) You enjoy negotiating with a faceless individual from somewhere overseas that speaks like this “u will knot get ur d8a bck ever again unlezz u pay $80.000 dollarz.”. It wasn’t just your corporate data, it was your friends and family as well… Ouch.. Get that wire transfer ready.
11) Finally... The end of the pain. Perhaps not. On top of all of the great ‘side effects’ of not scanning your website – You get sued, your family gets sued, and now the ‘authorities’ are looking into your business activities — because — surprise, surprise, there are laws surrounding data protection. Your business is kaput, your staff is leaving in droves, and everything you’ve worked for for years now is gone. You thought you were diligent in picking a hosting provider, team members for the design and development and other folks for the rest of your business. However, when it came to someone offering you a fresh set of eyes on your site, you said no. No, we’re ok. We check. We’re fine. You thought website security scanning was like insurance. Perhaps it is. But we all miss it when we need it. In this case, you need it before you actually really need it. Because, by then, it’s too late.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:35 AM
While not particularly new anymore, online social networking is still an exciting medium. Compulsively, I check my Facebook every day, make several posts on Twitter and contribute what I can to LinkedIn, and I know I’m not alone in this. Well, now, unsurprisingly, a study has found that “social network users [are] more vulnerable to risks”, discovered here.
The study has its issues, but it has some important points too. Let’s start with the issues.
- “Changing passwords (64 percent infrequently or never)
- Adjusting privacy settings (57 percent infrequently or never)
- Informing their social network administrator (90 percent infrequently or never)”
While changing passwords can certainly help maintain a certain level of security, I think that the quality of the password (how long it is, whether it includes capitals/numbers, and how original it is) is more valuable than the number of times the password is changed in most circumstances (for more information on passwords, check out my last blog post).
Adjusting the privacy settings really depends on what sort of privacy you need. If you don’t put up anything private, then obviously you don’t need strict privacy settings.
Then finally, “Informing their social network administrator.” It’s not surprising that this is 90%, because I have no idea what this is even referring to. Who is the social network administrator and what do they need to be informed of? Most people are probably their own social network administrator, making this question invalid.
After that the article goes on to note things like “21 percent accept contact offerings from members they don’t recognize” — which is actually exceptionally low in my opinion. I would think more people would accept to see if perhaps they know the person but didn’t realize, and then if they don’t, they delete them. Easy.
If you’re paranoid and feel that you’ll easily fall victim to some sort of phishing scam then by all means, don’t accept them. However, the article states that 55% of people have seen phishing scams, but it doesn’t state how many have really been scammed by one, so I’m guessing that number is actually much lower.
When it comes to social networking, the best thing you can do is use common sense. If someone you don’t know is asking for money or asking for your password, treat it as a scam (in all my years of having online passwords, I have never once been asked for it by a legitimate official for any purpose, so if someone is asking you, 99% of the time, it’s a scam). Also, if someone posts a link, make sure it’s from a source you trust, or else you can always highlight and Google it. If it’s a shortened link, like a couple I posted here, there are a few things you can do. There are sites that will tell you where the link leads, but if the link is from bit.ly or j.mp you can paste the link in your browser and add a “+” at the end of it and it will give you interesting details, including where the link leads (go ahead, try it out on one of the links here).
Of course, sometimes it can be difficult to realize what a scam is, as it was for Jayne Scherrman, who, as I posted on Twitter a couple of weeks ago, was scammed out of almost $4,000 on Facebook: http://bit.ly/4mqZQv. However, with a single call to her friend, it could’ve been avoided.
So watch out for these types of things, and if a friend is asking you for money, especially large amounts of money, why not give them a call, or at least an e-mail, to verify it. And if you’re not willing to give them a call, well then you’re probably not close enough to them to be giving them money anyway.