Posted by Jason Remillard on Wed, Mar 31, 2010 @ 12:05 PM

As reported in the past few days, a site selling Durex condoms has had a small 'exposure' problem. As reported, the site had been suffering (for how long is unknown) from several basic security exposures, including allowing orders to be viewed online, without a login, simply by changing the order number!
I know this is a 'simple' mistake, but come on, folks... This isn't 1998, where you wrote apps in MS Access and wrapped a report around them! This is (was?) a fully-fledged shopping system, with, um... confidential information regarding previous orders (hmmm... size... color... flavors???)
According to the lawsuit, the company took quick action to pinch off the problem, but who knows how long it was exposed? What is more interesting to me is that this problem was found by an unsophisticated user. I mean, he wasn't a cracker, malware engineer or death-defying trojan writer. He was a customer who said, "Hmm... I wonder..." Perhaps we can all take a lesson from this scenario and consider not just thinking outside the box with security, but also using, I suppose, accidental techniques to test services and applications. I'm sure my tester friends have a technical term for this, but it just goes to show that sometimes 'what if' is a testing parameter.
Usually, conversations in this context deal with adult-content-oriented websites; those are usually the first and most often attacked. Considering this case, things are a little different but no less important: the last thing you want is your customer information all piled up under someone else's control.
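The exposure described above is what testers call an insecure direct object reference: the order number in the request is the only thing the server checks before handing back the record. Below is the broken pattern beside a hardened version, as an added example in Python (not code from the Durex shop or from SSM); the order store, the customer names and the order numbers are constructed for illustration.

```python
"""Insecure direct object reference (IDOR) on an order-lookup endpoint.

Added example, not code from the affected shop or from SSM. The store,
customers and order numbers below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int          # sequential, so trivially guessable
    owner: str             # customer account that placed the order
    items: tuple
    # Unguessable public reference, safe to put in e-mails and links.
    ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class OrderStore:
    def __init__(self):
        self._by_id = {}
        self._by_ref = {}

    def add(self, order):
        self._by_id[order.order_id] = order
        self._by_ref[order.ref] = order
        return order

    def get_by_id(self, order_id):
        return self._by_id.get(order_id)

    def get_by_ref(self, ref):
        return self._by_ref.get(ref)


class NotFound(Exception):
    """Rendered as HTTP 404; identical whether the order is missing or belongs to someone else."""


def view_order_vulnerable(store, session_user, order_id):
    """The broken pattern: the only 'check' is that a row with that number exists.
    The session is never consulted, so any visitor can walk order_id-1, order_id-2, ...
    and read every customer's history."""
    order = store.get_by_id(order_id)
    if order is None:
        raise NotFound
    return order


def view_order_secure(store, session_user, order_id):
    """Hardened: require an authenticated session, then check that the requested
    object belongs to that principal. A mismatch gets the same 404 as a missing
    order, so the endpoint does not confirm which order numbers are valid."""
    if session_user is None:
        raise NotFound  # a real app would redirect to login instead
    order = store.get_by_id(order_id)
    if order is None or order.owner != session_user:
        raise NotFound
    return order


def view_order_by_ref(store, session_user, ref):
    """Lookup by the unguessable reference (e.g. from a confirmation e-mail).
    Ownership is still enforced: an unguessable ID is defence in depth, not authorization."""
    if session_user is None:
        raise NotFound
    order = store.get_by_ref(ref)
    if order is None or order.owner != session_user:
        raise NotFound
    return order


def enumerate_orders(handler, store, session_user, id_range):
    """What the curious customer did: try neighbouring order numbers and
    collect every order that comes back and is not their own."""
    leaked = []
    for oid in id_range:
        try:
            order = handler(store, session_user, oid)
        except NotFound:
            continue
        if order.owner != session_user:
            leaked.append(order.order_id)
    return leaked


def build_demo_store():
    """Constructed sample data: four orders from three customers."""
    store = OrderStore()
    store.add(Order(1001, "alice", ("item-a",)))
    store.add(Order(1002, "bob", ("item-b",)))
    store.add(Order(1003, "carol", ("item-c",)))
    store.add(Order(1004, "alice", ("item-d",)))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    ids = range(1000, 1006)
    print("vulnerable, anonymous:", enumerate_orders(view_order_vulnerable, store, None, ids))
    print("vulnerable, as alice: ", enumerate_orders(view_order_vulnerable, store, "alice", ids))
    print("secure, as alice:     ", enumerate_orders(view_order_secure, store, "alice", ids))
```

Two things the hardened handler does that the original site evidently did not: it requires a session before looking anything up, and it compares the order's owner to that session's user, returning the same 404 for "not yours" and "does not exist". The `ref` field is a separate layer for links that must work from e-mail; `view_order_by_ref` still performs the ownership check because a hard-to-guess identifier only raises the cost of enumeration, it does not replace authorization.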
On a better note, our Facebook group seems to be cooking now, with over 170 fans. Even better, our WordPress Security Plugin is getting great play, with over 500 installs now!
Posted by Jason Remillard on Mon, Mar 15, 2010 @ 01:44 PM
Hey everyone... just wanted to say thanks to everyone who has tried the WP-Secure by SSM WordPress Security Plugin. The press releases were distributed this morning, and we're already starting to see bloggers pick up the idea and talk about it.

From our perspective, security is a multi-layered approach, and part of it resides with the site owners. We felt that the current instructions for securing a WordPress blog were confusing, too techie, and usually too hard for anyone to do without a techie helping.
That's why we wrote the plugin. This baby does 23 security fixes for you, with mouse clicks. Simple, easy and quick to implement.
If you haven't tried it, go ahead and download it here! If you like it (or not), please update the WordPress page for the plugin.
We appreciate it!
-Team SSM
PS> Don't forget to join our Facebook Group....81 members as of this writing!
Posted by Jason Remillard on Fri, Mar 12, 2010 @ 09:18 AM
Hey everyone....happy friday!
Just wanted to share this little tidbit with you. As I said a week ago, we took a break for the Olympics, but we did actually get some stuff done! :)
We're pleased to announce our FREE WordPress Security Plugin. We've worked hard on this, and feel it's a great place for everyone to start with WordPress and general security principles.
It's already being downloaded from WordPress (we haven't told anyone yet!), and our beta testers report great success!
Read more about it:
Feel free to download it, test it, and let us know how it works out for you! If you like it, please update the settings on the WordPress site!
“We expect to have over 10,000 customers downloading our WordPress plug-in within the next three months,” says SSM managing director Jason Remillard, “and we’re giving malware detection and vulnerability web security scanning services to each registered user. Imagine how many websites and visitors will be adequately protected.” - Says I.
Cheers, and thanks for listening, and uh...enjoy your weekend!!
-Team SSM
Posted by Jason Remillard on Tue, Mar 09, 2010 @ 12:35 PM
A note about transparency and a Special Offer to ControlScan Customers
By now, many have become aware of the settlement between the Federal Trade Commission and ControlScan.
From companies specifically created to sell seals without doing ANY scanning or verification whatsoever, to individuals and businesses misrepresenting their status with the Better Business Bureau, there is a long and sorry history of this type of deceptive practice. It is refreshing to see the FTC finally catching up to some of these people. The deceptive and fraudulent actions of a few tarnish the hard work and honesty of the rest of us. Rarely does a day go by that I don't have to answer a question, in one form or another, about whether we're for real and whether we can prove that we actually do scans. These are honest inquiries that I cannot fault.
The FTC ruling against ControlScan for their past activities and inactivity will not help us with this.
Adding to the questions about our legitimacy, there will now be lingering doubt in some people's mind about scanning frequencies. To clarify, yes we really do scan for Malware every single day. We really do scan for Web Vulnerabilities at preset schedules. For most of our customers, that's everyday too. In your Control Panel, you can see when the last Malware scan was completed and also when your last Web Vulnerability scan was completed.
For those of you reading this who are ControlScan customers and still have some natural lingering doubts about the service you're getting, we'd like to help set your minds at ease. To be clear, we have no reason to doubt that ControlScan is providing you with scans. We do know that they scan only for known vulnerabilities and not for the latest and fastest-growing segment of security challenges: malware.
So to ControlScan customers we'd like to offer you 50% off the package of your choice, with no obligation. Simply contact me either by phone at 717-704-0061 or email and I'll be happy to answer any questions that you might have, to get your sites enrolled immediately and to hopefully restore for you some peace of mind.
Doug McDonald
VP Sales & Business Development
SiteSecurityMonitor.Com
Posted by Jason Remillard on Mon, Mar 08, 2010 @ 08:07 AM
Much like Mr. Reagan, we need to trust but verify.
Interestingly, in the past five or six days we have been detecting ad networks, including Google AdSense, Adultadwords, and AdBrite, allowing malware-laden ads on their networks. We are not the only ones who have identified this issue; check out the following links for more information:
Google Adsense distributes malware - Google blocks own publisher!
AdultAdWorld (AAW) -distributes malware - doesn't answer the phone
This highlights a major issue that we have been discussing for a long time with all of our customers: the need for ongoing malware detection scanning. Your site might be nailed down. Your site might be clean of SQL injection, Apache flaws, cross-site scripting, and the myriad other issues associated with open-source and custom-developed software. However, if you run any sort of ad network, widgets, or anything else that inserts code from other sites, you are running a major risk.
In these cases you are a very simple publisher. You trust your ad network, since they are your partner, and the script they serve runs in your visitors' browsers with the same access to your page as your own code. And now those lovely people are inserting malware into your site.
Looking further, and humorous though serious, AdSense itself inserted malicious ad code into a customer's website, then proceeded to ban them and slapped the nasty malware alert window on the poor bugger's website.
Now, how are you going to react in this sort of scenario? I'd be interested in your comments; however, at the end of the day you have to trust somebody, and I like trusting with verification. In this case we use several third parties for our validation services, since I don't trust anyone on their own.
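Trusting with verification, applied to the page itself: the added Python example below (not SSM's scanner; the page URL, HTML and domain names are constructed for illustration) inventories every script, iframe, embed and object a page loads, sorts the origins into first-party, allowlisted partner and unexpected, and diffs two crawls so that a partner ad slot which starts pulling code from a new origin is flagged even though the partner itself is trusted.

```python
"""Inventory of the third-party code a page pulls in, and what changed since the last crawl.

Added example, not SSM's scanner. The page URL, HTML and domain names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser execute or embed code from elsewhere.
EMBED_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class EmbedCollector(HTMLParser):
    """Collect every (tag, url) that loads foreign code, plus a count of inline scripts."""

    def __init__(self):
        super().__init__()
        self.embeds = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.embeds.append((tag, url.strip()))
        elif tag == "script":
            self.inline_scripts += 1


def origin_of(url, page_url):
    """Resolve relative and protocol-relative URLs against the page; return scheme://host."""
    parts = urlsplit(urljoin(page_url, url))
    return f"{parts.scheme}://{parts.netloc.lower()}"


def audit_embeds(html, page_url, allowed_origins):
    """Classify each embedded resource as first-party, allowlisted third-party, or unexpected.
    Returns three lists of (tag, url, origin)."""
    collector = EmbedCollector()
    collector.feed(html)
    page_origin = origin_of(page_url, page_url)
    first_party, allowed, unexpected = [], [], []
    for tag, url in collector.embeds:
        origin = origin_of(url, page_url)
        entry = (tag, url, origin)
        if origin == page_origin:
            first_party.append(entry)
        elif origin in allowed_origins:
            allowed.append(entry)
        else:
            unexpected.append(entry)
    return first_party, allowed, unexpected


def embed_delta(baseline_html, current_html, page_url):
    """Ongoing-scan view: (tag, origin) pairs that appeared or disappeared since the last crawl."""
    def origins(html):
        c = EmbedCollector()
        c.feed(html)
        return {(tag, origin_of(url, page_url)) for tag, url in c.embeds}
    before, after = origins(baseline_html), origins(current_html)
    return sorted(after - before), sorted(before - after)


# Constructed sample data: a shop page, its one approved ad partner, and a later crawl.
PAGE_URL = "https://shop.example/checkout"
ALLOWED = {"https://ads.adnetwork.example"}

BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//ads.adnetwork.example/show_ads.js"></script>
<script>var adSlot = "shop-top";</script>
</head><body>
<iframe src="https://widgets.example/like?site=shop"></iframe>
</body></html>"""

# Same page later: the ad slot now also pulls a loader from an origin nobody approved.
CURRENT_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="http://cdn-stats.example/loader.js"></script>\n</body>')


if __name__ == "__main__":
    first, ok, bad = audit_embeds(CURRENT_HTML, PAGE_URL, ALLOWED)
    for label, entries in (("first-party", first), ("allowlisted", ok), ("UNEXPECTED", bad)):
        for tag, url, origin in entries:
            print(f"{label:12} <{tag}> {origin}  ({url})")
    added, removed = embed_delta(BASELINE_HTML, CURRENT_HTML, PAGE_URL)
    print("new since baseline:", added, "gone:", removed)
```

The widget iframe is flagged on every run because it was never allowlisted; the stats loader is flagged twice, once as an unexpected origin and once as a change from the baseline. The second signal is the one that matters for the scenario above: the partner that serves the ad is on the allowlist, so only a crawl-to-crawl diff tells you that its slot started delivering something new.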

That is our commitment to you as a client of sitesecuritymonitor.com. We bring the best of breed to you: from a solution perspective, from a resource perspective, from a research perspective.
Again, I am interested in any comments regarding this subject. It is very unfortunate that the malware purveyors have chosen this vector to distribute their wares, but did you really expect them to stop? We certainly didn't.
Is Google Adsense a Trojan horse itself?
Posted by Jason Remillard on Thu, Mar 04, 2010 @ 12:49 PM
OK, so I suppose we should explain why we were so quiet for the past two weeks... As many of you know, we're a little crazy about our winter sports up here, especially our hockey.
Since the Olympics took priority over marketing, we took a break of sorts, wore out two couches (or sofas) and gained more pounds than I'd like to admit cheering on all the athletes of the games. So kudos to the staff, organizers and our country as a whole for pulling off an incredible games and party!
So, what does this have to do with web security? Admittedly, not much. What was interesting, however, was that since we 'let things sit' for about two weeks, other things got done :)
In the next week or so we'll be announcing a great new free product that we hope will be well received by the community.
During the past two weeks, we continued to scan and alert for current and new customers. I am pleased to note that our volumes have jumped significantly, on both the free and paid sides.
With the past weeks' action at RSA, and several large competitors taking the lead from us, it's been a great few weeks.
So stay tuned here, no remote control or weight gain required! :)