Posted by Jason Remillard on Tue, Jul 13, 2010 @ 08:58 AM
Responding to increased attacks and more sophisticated
approaches by hackers, effective immediately ALL subscription packages from SSM will now be scanned for Malware at minimum TWICE a day.
Higher level packages will have the sites subjected to the scans three or more times a day. We are finding with external or even internally hosted ad networks, the prevalence of Malware insertions is increasing. As well, we are trying to confirm, but it looks like our friendly googlebot is getting more aggressive on the Malware detection stance as well, potentially putting your site at a higher risk of being 'caught' by Google.
So, at no extra cost, we've increased the frequency of all scanning options, and expect this to continue onwards.
PS> Don't forget to check out our latest product addition - The Secure WordPress Plugin - now with over 160,000 Direct INSTALLS!
Posted by Sam Leeson on Mon, Jun 21, 2010 @ 01:53 PM
I've been rolling this blog post around in my head for a week or so. I mean really, what can one say about on-line porn sites and security that hasn't already been said? Most of us know that if we decide to spend time surfing around in the "less desirable" areas of the internet then we are opening ourselves up to the risk of malware infiltrating our computer and infecting everyone we know with viruses.
If this information is understood and we know that we are putting ourselves at risk then it can't be a surprise, with all of the "free" adults-only websites there are out there, that "malware distribution itself appears to be the only profitable sideline for the adult industry." So, what do you need to know?
One group with collaborative efforts from members at Secure Systems Lab, Technical University Vienna, Institute Eurecom, Sophia Antipolis and University of California, Santa Barbara decided to create and operate two different "adult web sites." They performed a series of experiments and ran a "security analysis of data obtained from web site visitors," which allowed them to assess and evaluate "remote vulnerabilities of visitors and possible attack vectors."
One of the scariest parts of their findings was just how inexpensive, and therefore lucrative, it can be to take advantage of site visitors citing that they "could potentially exploit more than 20,000 visitors by spending only $160."
In short their research lead them to conclude that "many adult web sites try to mislead and manipulate their visitors, with the intent of generating revenue . . . [by employing techniques, which] range from simple obfuscation [like] blind links . . . to sophisticated redirector chains that are used for traffic trading. Additionally, the used techniques have the potential to be exploited in more harmful ways, for example by facilitating CSFR attacks or click fraud."
No one is suggesting you should remove any specific website content from your "favourites" menu, we are simply offering a gentle reminder that someone can always see what you are doing and where you have been as long as they have the know-how and access to your system.
At the end of the day, YOU might not catch anything while surfing around on-line porn sites, but your computer might! As with anything, vigilance is key; don't forget to practice safe surfing. Fill out the free form on the right side of your screen and have your first malware and vulnerability scan done now and see how safe your computer environment is.
Posted by Sam Leeson on Thu, Jun 03, 2010 @ 03:41 PM
It's a sad statement to make that anyone can become a hacker with a few dollars and the right contacts. A simple email will allow anyone with the means access to credit card numbers, addresses, and all of your personal information. One blogger went so far as to label this industry as "fraud-as-a-service."
It's easy for individuals who have not been hacked to believe services like ours at SiteSecurityMonitor.com to be redundant. What started out on floppy disks in the 90's moved to email Trojans towards and through the move into the new millennium. These days websites are the most common place hackers target. Clients with ads and other additional click-through links are especially vulnerable.
We go out of our way to instil confidence in the consumers who use our services by generating regular reports for them letting them know exactly what malware their site has been infected with and where their site is vulnerable to future attacks.
In fact our customers are the first to let us know that the services we offer surpass what they thought was available to them.
Posted by Jason Remillard on Wed, May 12, 2010 @ 02:40 PM
Thought you were safe in the forest this spring?
As reported yesterday, and now reinforced by our friends at wpsecuritylock.com, the godaddy malware infections continue to grow, and now seems to be spreading across different hosters and now targetted applications.
Not only Wordpress installs are being affected, but now Joomla and 'standard' html-based websites. This lends more credence to our initial diagnosis that these hacks are actually the result of a platform-based attack, and spreading from the 'inside'. 
More details will be released as we learn more. In the meantime, if you are affected, please follow the instructions here and/or make sure you get a free malware/vulnerability scan here.
Posted by Jason Remillard on Fri, Mar 12, 2010 @ 09:18 AM
Hey everyone....happy friday!
Just wanted to share this little tidbit with you. As I said a week ago, we took a break for the Olympics, but did actually get some stuff done! :)
We're pleased to announce our FREE Wordpress Security Plugin. We've worked hard on this, and feel its a great place for everyone to start with Wordpress and general security principals.
It's already being downloaded from Wordpress (we didn't tell anyone yet!), and our beta testers report great success!
Read more about it:
Feel free to download it, test it, and let us know how it works out for you! If you like it, please update the settings on the Wordpress site!
“We expect to have over 10,000 customers downloading our WordPress plug-in within the next three months,” says SSM managing director Jason Remillard, “and we’re giving malware detection and vulnerability web security scanning services to each registered user. Imagine how many websites and visitors will be adequately protected.” - Says I.
Cheers, and thanks for listening, and uh...enjoy your weekend!!
-Team SSM
Posted by Jason Remillard on Tue, Mar 09, 2010 @ 12:35 PM
A note about transparency and a Special Offer to ControlScan Customers
By now, many have become aware of the settlement between the Federal Trade Commission and ControlScan.
From companies specifically created to sell seals without doing ANY scanning or verification what so ever, to individuals and businesses misrepresenting their status at the Better Business Bureau ; there is long and sorry history of this type of deceptive practice. It is refreshing to see the FTC finally catching up to some of these people. The deceptive and fraudulent actions of a few tarnish the hard work and honesty of the rest of us. Rarely does a day go by that I don't have to answer a question in one form or another about whether we're for real, and can we prove that we actually do scans. These are honest inquiries that I can not fault.
The FTC ruling against ControlScan for their past activities and inactivity, will not help us with this.
Adding to the questions about our legitimacy, there will now be lingering doubt in some people's mind about scanning frequencies. To clarify, yes we really do scan for Malware every single day. We really do scan for Web Vulnerabilities at preset schedules. For most of our customers, that's everyday too. In your Control Panel, you can see when the last Malware scan was completed and also when your last Web Vulnerability scan was completed.
For those of you reading this that are ControlScan customers who still have some natural lingering doubts about the service you're getting, we'd like to help set your minds at ease. To be clear, we have no reason to doubt that ControlScan is providing you with scans. We do know that they scan only for known vulnerabilities and not for the lastest and fastest growing segment of security challenges, Malware.
So to ControlScan customers we'd like to offer you 50% off the package of your choice, with no obligation. Simply contact me either by phone at 717-704-0061 or email and I'll be happy to answer any questions that you might have, to get your sites enrolled immediately and to hopefully restore for you some peace of mind.
Doug McDonald
VP Sales & Business Development
SiteSecurityMonitor.Com
Posted by Jason Remillard on Thu, Mar 04, 2010 @ 12:49 PM
ok so I suppose we should explain why we were so quiet for the past 2 weeks... As many of you know, we're a little crazy about our winter sports up here - especially our hockey.
Since the olympics took priority over marketing, we took a break of sorts - and wore out 2 couches (or sofas) and gained more pounds than I'd like to admit cheering one all athletes of the games. So kudos to the staff, organizers and our country as a whole for pulling off an incredible games and party!
So, what does this have to do with web security? Admittedly, not much. What was interesting however that since we 'let things sit' for about two weeks, other things got done :)
In the next week or so we'll be announcing a great new free product that we hope will be well received by the community.
During the past two weeks, we continued to scan and alert - for current and new customers. I am pleased to note that our volumes have jumped significantly - both on the free and paid perspectives.
With the past weeks' action at RSA, and s
everal large competitors taking the lead from us, its been a great few weeks.
So stay tuned here, no remote control or weight gain required! :)
Posted by Jason Remillard on Tue, Jan 26, 2010 @ 12:05 PM
Malware… Yes, its been around for many years. However the attack vector has changed. Long ago the primary distribution method was by sharing dirty data (yes, exchanging floppy disks….remember those days?! 
Then it went onwards into distributing viruses and malware via email (this is the early days of outlook express!). Then, came the solutions to block this (antivirus on your email, desktop solutions that block installs on your PC, etc.)
Now however, it is much more sophisticated. As unfortunately some of you have experienced, the hackers are now cracking PCs and websites to inject malware. Hence the term ‘drive-by malware’. By infecting your website the hackers are now able to enjoy a free distribution method for their wares – your website. Target any sized website, inject your bad code, and watch the infections grow by the minute!
Consider this scenario… we have a customer who came to us (name not mentioned of course), that had been injected my malware. The alerts went up in Google HQ. His site was dropped from search engine rankings immediately. So, boom – there goes all of his google traffic (in this case, responsible for about 2,000 unique visitors a day).
Worse yet, now that Google was aware to his sites problems, the browser vendors now pick up on this and start warning ALL people visiting his site with this nice little alert:
Malware Reported Attack Site
So now, he has -0- traffic from Google. ALL of his users are now getting told this is ‘an attack’ site. All bookmarked entries, links from other sites, etc. ALL reflect that this site is now worse than the worse of worse! You are evil! You are spreading the scourge of the earth! How could you!
Now, this guy is in a panic. He’d just started a major campaign (offline and online), and had paid for alot of advertising that was non refundable. He was loosing 
1000’s of dollars a day, and his business was evaporating before his eyes.
Personnally, I don’t like to scare monger my customers into solutions. I think it is a disservice that many of our competitors do. However, I do like to highlight true to life stories, and their true impacts.
In this case, we were able to quickly shut down his site to stop the spread. Taking the site offline also minimized any infections he was spreading (because, in reality, he was). After stripping out the hacked code, we scanned all of his site (100’s of pages) and plugged up any holes the web vulnerability scanner found (there were more than one in his shopping cart and forum systems). Turns out, some of the lovely little hit counters and subscriber forms he had on his site were wide open as well.
Anyways, after the cleanup, and a few runs through our malware scanner to ensure we were clean, we stood the site backup and asked please, please please!
Google, please allow his site to be back in your good graces…
After about 36 hours, Google’s scanners had verified that he was now indeed clean, and reincluded him in the indexes. Luckily, since we caught it quick enough, this did not affect his PR rankings and his SEO work he’d invested so much into was saved.
Now, the browser alerts were another problem. Firefox released their warnings within a few hours of Google. Microsoft IE shortly thereafter. Safari and a few other smaller footprint browsers took a few days.
All in all, this attack cost him well over $10,000 in immediate losses due to his PPC campaign and offline media buy losses. Of course, now he had a perception problem with his customers (yes you are safe, no I’m not a hacker, etc.), and on top of that, one very long, long weekend on the phone with customers.
How to protect from these effects? Well, since nothing is 100%, regular scanning is your best defense, since you’ll know before the hackers do that there is a problem with your site. Even more important, since we now test each and every URL on your site with over 120,000 attack patterns (yes, that many!), you are getting great coverage and risk mitigation from the standpoint that you know more, on a daily basis, about what the outside knows about your site.
This, all told, allows him to sleep better at night
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:40 AM
For some light humor!
1) You really enjoy waking up in the morning with your coffee, hitting your homepage, and finding a new page marketing ‘special offers’ for ‘enhancement’ products… You spill your coffee, burn…ouch.
2) You just love getting a hosting bill showing your site had somehow managed to use 4 terabytes of data last month, even though your site is actually just 3 small pages.
3) You appreciate the Friday afternoon calls from 2 of your largest customers, saying that they are switching to your competitor due to some aggressive marketing they’ve received… Hmm, wonder how your competition knew how many kitty trinkets your biggest customer ordered last week?
4) You relish the thought of not being able to send your weekly newsletter to your regular customers, since, for some reason, no emails are getting through and your hosting provider says you sent 1,540,098 emails in the past hour marketing Acai Beans. You sell catnip toys… Interesting.
5) You’ve had approximately 38.56 different people help you with your website, you’ve changed hosters 6 times, and attempted to change the registrar of your domain three times but gave up. You know what they say about too many cooks…
6) That great freeware guest- book system written by a kid in Slovakia with a name you can’t even pronounce you thought was really neat in 2003 is actually still on the site, but you’ve long forgotten about it being there. Google and the scammers didn’t forget though…
7) One of your designers installed a patch for your shopping cart 2 years ago and had problems. After googling for a solution for a few hours with no results they decided to chmod 777 * a few large directories. Voila, it works! And that’s the way it’s been for 2 years now. Lovely.
8 ) You enjoy explaining to your customers how their private information is now front page news, or worse, with their ex-wife’s lawyer!
9) The thought of having the marketing list you paid $10k for last year available to anyone is something you enjoy. Sharing and collaborating, that’s what the net is all about, right?
10) You enjoy negotiating with a faceless individual from somewhere overseas that speaks like this “u will knot get ur d8a bck ever again unlezz u pay $80.000 dollarz.”. It wasn’t just your corporate data, it was your friends and family as well… Ouch.. Get that wire transfer ready.
11) Finally... The end of the pain. Perhaps not. On top of all of the great ‘side effects’ of not scanning your website – You get sued, your family gets sued, and now the ‘authorities’ are looking into your business activities — because — surprise, surprise, there are laws surrounding data protection. Your business is kaput, your staff is leaving in droves, and everything you’ve worked for for years now is gone. You thought you were diligent in picking a hosting provider, team members for the design and development and other folks for the rest of your business. However, when it came to someone offering you a fresh set of eyes on your site, you said no. No, we’re ok. We check. We’re fine. You thought website security scanning was like insurance. Perhaps it is. But we all miss it when we need it. In this case, you need it before you actually really need it. Because, by then, it’s too late.