Sometimes it seems like everything in our lives today rotates around the internet. It does not matter if you are talking about your home life or work life. It does not matter if you are talking about paying your bills online, shopping or working with colleagues who are not located within the same facility. Everything revolves around the internet. The natural result from the internet explosion is that the fields of security certification and security training have also exploded.

People sometimes get very confused about the certification process as it relates to computers and the online world. That is because people do not know a lot about the details; they just hear stories about how the internet is a bad place. As the internet has become more popular, it also means hackers have spent more time and money on trying to find easy ways to cause problems.

Every time you turn on the television, you hear another story about a major company who had their computer system hacked into. This type of activity gives the hackers access to critical personal data that can cost each person thousands of dollars. Another big scandal that has been in the news a great deal is the recent “wiki leaks” issue.

There is no question about it, both individuals and businesses all over the world are more concerned than ever about computer security. This concern is what makes the world of certifications for security a growing trend.

There are actually two different meanings for this term, and that is what makes it so difficult for people to understand the difference. Both meanings are about protecting the uses on the website or system.

One of the meanings is for a seal of some kind that can be put on a website to show that it is protected from hackers. It shows anyone who is using your system or your website that you have taken all of the required steps to protect everything about them. If you are on a site, you should check that it has this type of certification. If it does, you can be confident that any personal information that you input into the system is as protected as possible from hackers who may try to break in. It also shows that the system is protected from spreading viruses of some kind to your own computer. If you have your own website, it is important that you get this kind of a certificate so that you can display it on your site. If you do not have it, your visitors will lose confidence and will be much less likely to do business with you. This certification should be considered mandatory.

The other type of certification is given to people. These are the people who do the work to allow your site to be certified. There are many different types of certifications and many different levels. In order to get your personal certification, you must obtain and pass different classes. The higher level certifications will require you to take multiple classes.

Post from: SiteProNews: Webmaster News & Resources

What Is A Security Certification?

Running an online business like an ecommerce web site can be pretty hard at times, especially when you’re the only person working on it (which is not so uncommon these days) and you have to take care of everything, including customer support, sales, and the maintenance of your server.

Of course, there are a lot of various automation tools that can really help you and increase your productivity by taking your hands off the most mundane tasks, but not everything can be automated. Customer satisfaction is very important, and there’s nothing worse than having their security and privacy compromised.

Hackers and other shady people are always on the look for weaknesses and security holes that would allow them to gain access to important information like SSN and Credit Card numbers, which they can later use for their own profits or to damage a person’s reputation (most often the credit score is affected).

Even if they don’t find a way to break into your site’s database or server, they can still harm you by leaving broken software and ports or overloading your server’s resources and bandwidth using Denial of Service or other similar attacks. That’s why you must implement at least a couple of security measures that will stand between you and the offenders. Here are the most important ones:

Firewalls. Even though most servers have software firewalls installed and enabled by default, most of the times, they’re not configured properly (or at all, for that matter). That’s why one of the first things you need to do when receiving a new server is configure the firewall for your specific purposes and make sure it is not vulnerable to any external threats.

The best way to go about it is to lock down all the ports which you know are not used by anyone except you and allow external access only from a few trusted IPs. This is the single most important step you can take. For example, every single day, there are hundreds of bots scanning for open ports and trying to break in using general passwords and usernames, and limiting all ports to only a few external IPs will completely eliminate that threat.

Your MySQL, SSH, VNC and sometimes FTP ports need not be accessible by everyone. You can and should limit access to them only from your own IP addresses. This way, only you will be able to access them, and anyone else will get an “access denied” error, which will most probably make them mark your server as secure and move on.

You can also find or create your own list of bad IPs (of spammers and hackers, for example) and fully block their access manually. This is a good way of dealing with immediate threats, but it’s hard to do in the long run, as there are countless infected computers that attack others without the user’s permission.

Another thing you should consider installing or ordering is an external firewall. These are better suited for high loads (they do not tax your server’s CPU or RAM) and are even less vulnerable (software can be exploited and modified, hardware can’t). But you need to make sure that it will not limit your bandwidth (if you have a 1Gbit connection, a 100Mbit hardware firewall will slow it down considerably). Most of the times, a good, up to date software firewall should be enough.

DDoS Protection. DDoS attacks are very nasty things that can easily overload your server, cut off access to real users and make you lose money as well as spend more for bandwidth. Fortunately, they’re pretty easy to stop using a properly configured web server. There are a lot of instructions out there on how to configure Apache and other servers to cut or completely remove the chance of a DDoS attack, and you should implement them as soon as possible. It only involves changing the number of concurrent half open connections and time outs.

In addition, you could benefit from a separate DoS detection utility that can detect (obviously) and stop DDoS attacks in a matter of seconds from their start. The most advanced ones can also cut off access from attacking IPs for a limited or unlimited amount of time, effectively blocking any DDoS attack attempt in the future.

Data Encryption. If you are dealing with sensitive information (both yours and your users’), you absolutely must use encryption protocols for those purposes. You must use an SSL encryption with a real valid certificate for all outgoing and incoming connections and keep the user data stored in encrypted and password protected databases that can’t be accessed by anyone on the outside.

Implementing the above security measures will reduce the chances of your sites being attacked and exploited by 90%. The rest consists of being careful and installing the latest stable updates for all the software on your server. Stay safe!

Post from: SiteProNews: Webmaster News & Resources

How to Enhance the Security of Your Web Server – A SPN Exclusive Article

Last year the major financial institutions lost billions refunding customers who had suffered financial loss after being tricked into giving out their bank account details to online thieves by using a method known as ‘phishing.’ I thought that it might be an idea for me to concentrate this week on what to look out for when trying to identify a fraudulent e-mail, although most of them are so obvious that you shouldn’t need too much help identifying them.

I also wanted to publish this guide without meaning to sound harsh as I honestly don’t think that these customers should be reimbursed by their banks when they are tricked because at the end of the day it will be costing customers such as myself – It isn’t the fault of the financial institutions that you were silly enough to give a fraudster all your bank account details so surely they shouldn’t take it upon themselves to pass the costs on to their other more alert customers. I personally think that there should be more education on the matter to stop people from making these mistakes in the first place and that before you sign up for an Internet Banking service that you agree to their terms and conditions that insist that you will show due diligence.

The majority of ‘phishing’ e-mails will appear to be sent from a particular company and will usually say that they require you to confirm some account information and will provide you with a hyperlink to click on. When you click on this link you are taken to a spoof site that will have been made to look like the website of the company that the e-mail claimed to have been sent from. You then merely fill out all of your security details as requested by the e-mail which the website will then pass along to the fraudster who will then raid your account. I find it quite concerning that this money could then be used to invest in further illegal activities.

There are several rules that you can use to protect yourself against phishing:

- Treat all e-mails with a reasonable degree of suspicion; the senders address can be forged and the e-mail header can be manipulated to disguise its true origin.

- Rather than using the link provided in the e-mail to get to the page they’re requesting type the URL directly into your browser. Rather than clicking on a link in an e-mail claiming to be from Barclays for example you should just open your browser and type www.barclays.com into the address bar.

- Never send personal or financial information to any one via email

- Regularly log into your online accounts to check for any fraudulent activity and scrutinize your statements to ensure all transactions are legitimate.

- Do continually update your Operating System, ensure that you have installed up-to date anti-virus software, Spyware software and a firewall and make sure you regularly use this software to run a check on your system.

If someone came up to you in the street dressed as a banker and asked you to confirm all your bank account details you obviously wouldn’t do it

It’s amazing how far a little common sense in this world can get you but unfortunately with many users this common sense goes straight out the window as soon as they sit in front of a computer! The Internet is technically one of the most secure areas to conduct financial transactions but the human factor often lets it down

Follow the points above and you can be sure that you’ll be kept safe.

Post from: SiteProNews: Webmaster News & Resources

Phishing – Don’t Get Caught

The online attacks against international payment websites continue to make the news and, if you believe the media hype, look set to escalate into all-out cyber warfare. It has already been dubbed “The First World Information War.”

‘Operation Payback’ began to hit the headlines when the shadowy online anarchic campaigners known as Anonymous called for reprisals against certain large global corporations for their withdrawal of online payment collection services to the controversial WikiLeaks site.
Since my first posting on this subject Amazon has experienced further problems and there are continued reports of downtime on Visa and MasterCard sites across the world.

The whistle-blowing, secret-government-document-publishing website WikiLeaks has attained international notoriety for championing openness and transparency. Its founder, Julian Assange, is widely feted as a freedom fighter – anti-censorship, anti-copyright, pro freedom of speech – and is wanted by the US government for alleged espionage and for threatening national security. His status as guerrilla fighter for the truth and potential martyr has been further enhanced by the pronouncements of well known right-wing spokespersons such as Mike Huckabee, who said those who passed the secrets to Assange should be executed, and Sarah Palin, who demanded that Assange be hunted in the same way an al-Qaida operative. News of his arrest, on the unrelated charges of sexual assault, was greeted by the US Secretary of Defense with the words “That sounds like good news to me.”

Sources in the Kremlin have cheekily suggested Assange for a Nobel Peace Prize. Whatever next? Perhaps the Vatican could have him canonized: The Blessed St Julian of Assange has a certain ring to it, don’t you think? It is less well known that Operation Payback began way before the WikiLeaks story went viral and exploded across the internet creating sensational headlines all over the world. In fact it originated as a less-than-idealistic campaign designed to hit back at the US recording industry in reprisal for its prosecutions of illegal music file downloaders.

Now, spear-headed by the ‘saintly’ Assange and spurred on by the so-called ‘Hacktivist’ group Anonymous, Operation Payback continues to gather momentum and cause disruption and annoyance to everyday commercial operations totally unconnected to the controversy. Anonymous may have been dubbed ‘Hacktivists’ by the press, which is currently enjoying a media bonanza of headline-making stories, but they are hardly worthy of the epithet of ‘Hacker’, are they?

As far as I can see, all they are doing is following the crowd like a herd of sheep, using someone else’s ‘botnet’ software to maliciously target the innocent and the irrelevant rather than using their brains to hack into a computer system that might actually constitute an intellectual challenge or a threat to them. Take Gary McKinnon, for example, computer geek, UFO enthusiast and Asperger’s sufferer, currently awaiting extradition to the US. He managed to break into US military and NASA systems whilst apparently looking for evidence of UFO sightings and cover-ups. Now there was a true Hacker.

I don’t approve of what he did, but at least he had the brains to get into government computer systems under his own steam. He maintains that the ‘secret’ files he hacked into were on open, unsecured machines with no passwords and no firewalls, and claims to have left countless notes pointing out their many security failings. Not exactly the acts of a dangerous terrorist, but idealistically motivated, albeit in a misguided way.

In contrast to this, the malicious attacks by the Anonymous activists are not true hacks at all. They are more accurately known as Distributed Denial-of-Service, or DDoS attacks, meaning multiple systems attacking a single target, thereby causing denial of service for users of the targeted system. The sheer volume of incoming messages to the target system forces it to shut down, denying service to the system to legitimate users.

Post from: SiteProNews: Webmaster News & Resources

What is a Hacker?

If you get an email that instructs you that a package has been returned to Fedex and you need to get the label of the package printed and placed back onto the package so it can be retrieved, beware!

When you go to open the zip file and “extract,” the information – you wind up getting a malware/spyware program installed into your computer.

The name of this “software,” is system tools. It is disguised as a “security tool,” to prevent spyware/malware.

It automatically places an icon on your p.c. named “system tool,” and immediate pop-ups start showing themselves which read “Your p.c. has been infected with 27 viruses, click here and get removal tool.”

This is a blatant lie. The only “infection,” you have gotten is the malware – bogus software itself!

It continually pops-up on your screen – interrupting your progress. When you try to close the program it throws yet another pop-up reading “continue unprotected”?

When you close the icon, you still get “balloon,” messages from your tray saying your p.c. has a Trojan virus which is trying to steal your credit card information.

This malware is relentless. It pops-up every two minutes, and is very annoying. Furthermore – when you search for such a “fake security tool removal,” it will let you complete the search, but when you try to purchase a legitimate tool which will remove it, it prevents you from using the tool to “remove,” it – by popping up every time you try and open the removal program.

It also tries to confuse the user by displaying a full page “security tool software,” when you enter your credit card number to buy the removal system.

This “system,” is $97.00 and is a hoax. It does not even exist. I did not buy the security tool software suggested by the pop-up.

What I did have to do, is boot my system into a “safe mode,” (F8) to keep the pop-up from interrupting my purchase of a real removal tool ($29.95)

After installation of the real security tool (Superanti-spyware) I ran a scan on my system – it found 85 trojans, malware, and spyware on my p.c.

This is a superior, major, new malware, which bypassed and got by my McGaff p.c. security system which I always keep running.

This is the very first time in years that something got by my p.c. security and infected my p.c. with malware.

I have removed it, and have had no problem since. I just wanted to warn the good folks out there – there are systems which can get by McGaff, as well as other p.c. security systems – by posing themselves as a Fedex email which my system did not flag.

How to avoid this? If you get such an email from Fedex saying your “package had been returned undelivered,” and to retrieve the label for the package, open a zip file and “extract,” such information, do not fall for it.

I send packages and receive packages fairly regularly, so the email seemed legit. If this information can save only one person from having to go through the headache of buying additional software to remove such a threat for ($29.95) this post is worth it.

I suggest emailing this information to your friends so they too can avoid such a scam. The software removal tool I did buy worked great, and it did take it off of my p.c. but I did not buy it from the company, which installed the fake malware disguised as a “security tool.”

I got it from a separate company, which showed the very icon of the real threat. This post is meant to expose this threat to others, so they do not fall for such scams.

Even with an installed, running, professional security tool (such as I had running) It is possible to be infected with malware. So, happy surfing – and keep your p.c. safe.

Post from: SiteProNews: Webmaster News & Resources

Webmasters Beware: Malware Email Hoax

A zombie is a computer that has been infected with malware, allowing an attacker to gain complete control which is a security threat. Tens of thousands of computers are infected with some type of botnet or ‘bot’ and computers that have been infected are generally referred to as ‘zombies.’

These criminals are able to access lists of ‘zombie’ PC’s and activate them to help execute denial-of-service attacks against various websites, host phishing attack sites or send out spam email messages. Trying to trace an attack back to the original source is useless. They will find a victim rather than the criminal because they are so clever.

How do you know if your computer is infected? If you notice anything odd as you are working, such as a slow computer or a computer that seems to slow down or crash for no reason, there might be some malware running in the background. You need to scan your computer with current versions of your anti-virus software, to detect malware. Zombies can be used extensively to send out email spam.

In fact an estimated 80 percent of all spam worldwide was sent by zombie computers. This is what enables spammers to avoid detection. Spam greatly furthers the spread of Trojan horse computer viruses, which rely on the movement of emails or spam to grow.

They can be used to conduct distributed denial-of-service attacks, where a large number of zombie computers make simultaneous requests of a website’s server with the intention of crashing the server thereby preventing legitimate users from accessing the website.

There is a variant of this type of attack known as distributed degradation-of-service. Committed by “pulsing” zombies, distributed degradation-of-service is the moderated and periodical flooding of websites, done with the intent of slowing down rather than crashing a victim site. The effectiveness of this tactic springs from the fact that intense flooding can be quickly detected and fixed, but pulsing zombie attacks and the resulting slow-down in website access can go unnoticed for months or years.

You should make sure to have the latest anti-virus software, install firewalls, and make sure you always delete suspicious email messages. Cloud technology automatically stops viruses and spyware before they reach your computer. This is a new way to protect your computer and it won’t slow you down.

Anti-virus software should have the following features:

- Only real-time updates to safeguard you from the latest online threats today and in the future
- Easy on system resources so your PC runs faster.
- Is designed to be easy-to-use and understand with simple screens and graphical reports.
- It also should block spam.
- Has parental controls keep kids safe online.

Post from: SiteProNews: Webmaster News & Resources

The Botnet Frenzy Requires Titanium Strong Internet Security

Let me start with this: I’ve dedicated a portion of my life to finding criminals on the internet, and have worked with both local and federal law enforcement to help catch child predators. Child Prostitution and Sex Slavery is a plague on the human race that needs to be eradicated completely. Recently 16 State Attorney Generals made what seemed to be a positive step in asking Craigslist to better police their adult-services section to prevent child prostitution. Their desire was that the adult-services section be completely shut down because they accused the site of being complicit in allowing advertising for these services to be allowed an in theory assisting in the exploitation of children. This claim against Craigslist, is ridiculous and worse, changes the focus from the real issues surrounding this issue and attempts to blame a technology for the actions of pedophiles.

It’s important in this debate to clear the air: we are not talking about prostitution in general, with its own set of complaints, its own moral and political issues. The 16 Attorney Generals who took on Craigslist specifically brought up the most horrific of crimes, the forced prostitution and rape of children. They made general claims that Craigslist.com was a cesspool of child prostitution, that there were thousands of advertisements available on Craigslist.com every day that made children available sexually to predators for money. While I applaud the Attorney Generals for finally paying attention to the issue of Child Prostitution in this country, they are taking the easy way out, focusing on a company that has nothing whatsoever to do with the issue to make headlines.

The problem with the claims of the 17 Attorney Generals is that they are only grounded in press spin. While Craigslist does have advertising for prostitution, so does hundreds of publications, online websites, and magazines in this country – and the Yellow Pages. Their basis is that one can go online and see a virtual cornucopia of child-sex advertising. While I know that there have been some cases on child prostitution on Craigslist.com, an overwhelming amount of the sex-based advertising is that of consensual services between adults. Most of the claims of law enforcement and the media are based on a few real cases, but mainly on the claims that certain “keywords” signified child prostitution. When the press releases and media reports say that they found “thousands of ads on Craigslist.com promoting child prostitution” they are basing this on a very incorrect assumption.

This assumption is simple: that every advertisement that says “young”, “barely legal”, “fresh” and a dozen other keywords, are advertising child prostitution. Law Enforcement looks for these keywords and then mark that advertisement as a suspect “child prostitution” advertisement. For investigative purposes this is very, very important – but it does not make a real situation of child-prostitution. Remember, companies like Playboy, Penthouse, Hustler and many porn magazines promote “barely legal” in their magazines, videos, and websites all the time. There is 4.5M results on Google for “barely legal” for porn sites, should we assume that Google is promoting child prostitution? If we are to really want to blame anyone for the seemingly great appetite of some men in the United States for “barely legal” women, we should be blaming the porn companies which promote this type of porn with photos of women in pigtails and school skirts.

Dr. Lois Lee, one of the heading experts in forced prostitution of Children, seems to agree with me. She told me that “Blaming Craig’s List for child prostitution is like blaming Alexander Bell for providing the telephone.” Instead of making real steps in the fight against sex-slavery, the Attorney Generals have gone after the technology, almost like there are Neo-Luddites who look at a computer and complain that it’s evil, causing people itself to get on the internet and search for evil things. The problem in this Country with child prostitution has nothing to do with Craigslist anymore than drug dealing has to do with prepaid cell phones. Most child prostitution doesn’t even occur on the internet, but on the streets, with organized gangs, with poor populations who can’t protect themselves. The real issues are much deeper and have to do with a broken child protection system that allows runaways to fall through the cracks, with parents not monitoring their children’s whereabouts, with the issues of uneven prosecution against the victims instead of the johns. By blaming Craigslist we remove the needed focus on the real issue of catching these criminals, the reasons child-prostitution occurs, and what is really wrong with our society as a whole. On top of that, if there are cases of child prostitution on Craigslist, we are removing one of the best tools in catching these criminals. Craigslist.com is involved with preventing these ads, forwarding them to law enforcement for investigation – without this, many of these guys will go back to peddling on the street again, making it much harder for them to be caught.

Post from: SiteProNews: Webmaster News & Resources

Child Prostitution: Craigslist has nothing to do with it.

Website privacy and data security violations continue to be the most critical legal concern for webmasters of software-as-a-service (SaaS) websites and ecommerce websites.

Just think about it – most marketing practices involve capturing data, including personal information about prospects, and using this data to market products or services.

How you collect, store, use, and share this information is now highly regulated, not only by the Federal Trade Commission (FTC), but also by various states. What you say in your website legal forms, website legal documents, and privacy policies is critical.

Three recent legal developments illustrate why webmasters of SaaS websites and ecommerce websites should monitor and stay current with these developments, or suffer severe consequences.

New Massachusetts Data Security Statute

Effective March 1, 2010, the Commonwealth of Massachusetts requires new data security requirements for personal information of Massachusetts residents (201 CMR 17.00). The new requirements apply to all persons or businesses that “own, license, store or maintain personal information about Massachusetts residents.

“Personal information” includes a Massachusetts resident’s name if linked to his/her social security number, driver’s license or state ID card number, or financial account/credit/debit card number that would allow access to the resident’s financial records.

If you’re regulated by the new statute, you’re required among other things to develop and maintain a data security policy and to require encryption “to the extent technically feasible” of the storage and transmittal of personal information regardless of whether the storage is electronic or the transmittal is by portable device (laptop or handheld device) or over public networks or the Internet.

Penalties and fines for violations are $100 per person affected with a maximum cap of $50,000.

FTC Issues Guides for Peer-to-Peer Networks

On February 22, 2010, the Federal Trade Commission (FTC) announced that it had notified almost 100 organizations — including large and small private and public companies, schools, and local governments – that their customers’ or employees’ personal information was vulnerable on peer-to-peer (P2P) networks.

The FTC was concerned that P2P networks operated by these organizations may inadvertently be providing an opening for unintentional access to personal information. According to FTC Chairman Jon Leibowitz, “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”

In addition to the notification letters, the FTC issued a guide on its ftc.gov website entitled “Peer-to-Peer File Sharing: A Guide For Business”. The guide provides data security recommendations including identification of security risks and steps to protect personal information from unauthorized access on P2P networks. are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”

ControlScan CEO Pays $102,000 in FTC Settlement

On February 25, 2010 the FTC announced a settlement with ControlScan.com of FTC charges that ControlScan had misled consumers about how often ControlScan monitored websites, including steps taken by ControlScan to verify the websites’ privacy and security practices.

The founder and former CEO of ControlScan entered into a separate settlement requiring him to pay $102,000 in ill-gotten gains.

Privacy and security certification programs such as ControlScan are used by webmasters to provide assurance to consumers regarding how the website treats the privacy and security of personal information. The FTC alleged that ControlScan provided its certifications to websites with “little or no verification” of their privacy protections.

Most of these website documents and legal forms should be posted on the website, and therefore would be visible to any potential joint venture partner checking out your website.

This case underscores how seriously the FTC views privacy and security of personal information stored on websites, as well has how closely the FTC is observing representations regarding privacy and security. The FTC is on the lookout not only for websites that misrepresent what they do regarding privacy and security, but also what certification websites represent that other websites do about privacy and security.

Conclusion

The worst mistakes a n ecommerce webmaster can make is to have “borrowed” a privacy policy from someone else or to have an outdated privacy policy that either does not make the required disclosures or misrepresents what the website does regarding privacy and security.

The legal liability can be substantial.

This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.

Post from: SiteProNews: Webmaster News & Resources

3 Critical Alerts Regarding Your Website Legal Forms For Privacy and Data Security

One of the topics that all of us online business people are aware of but usually don’t feel totally on top of is website security.

Coming from a background of having spent over 20 years in the U.S. military, and having spent four years as a software tester, I have a greater awareness of the need for continuous vigilance in this area than your average marketer.

I also know that you can never make your websites or your computers completely secure. Instead, you can only do things that reduce the risk.

Given that you spend a lot of time, money, and energy, building your online business, it only makes sense that you set aside time periodically to review security related issues, and to look for problems that can be easily minimized.

Here are a few easy “fixes” that you can implement today that will increase the security of your online business.

1) Delete outdated scripts that you no longer use from your server. Many of “the bad guys” have studied the exact same scripts that you use to power your websites, and they know where the backdoors and vulnerabilities are. They know exactly which file will allow them to create all kinds of havoc.

If you have old programs on your server that you are not using, simply delete them.

2) Update older scripts that you are using. Often, the reason that updates are released for a script IS to patch a vulnerability that the developer has become aware of.

YES, upgrading can seem time consuming, and it can be tempting to skip an update, and just wait for the next one. When you wake up one day and can’t access your server, or all of your websites have been defaced or erased, you’ll see the wisdom in ALWAYS keeping the scripts powering your websites completely updated.

If you are as non-techie as I am, you simply hire a trusted programmer to perform this task.

3) Change the default setting when installing scripts on your servers. Many scripts have default passwords, and default locations for critical directories that make these scripts work flawlessly. Since everyone obtaining a copy of these script have these settings, you probably want to change them, and you also may want to rename certain directories.

4) Secure your web logs. Many web hosts have a standard location for the website’s logs and statistics on each hosting account. The files that allow you to access, read, download, and manipulate this data often aren’t secured. At a minimum, password protect that directory.

The danger in someone readily accessing your logs is that they can see the names and paths of the files on your server, including your download pages and the file names of files that may actually be for sale products

There are not only people who search on your product name, looking for unsecured files – there are also people who enjoy posting those links on sites where this type of information is shared.

5) Put an index page in every directory on your server. If someone surfs to the domain name of one of the directories on your server, and there is no index page in that directory, they will get a directory tree… showing them all of the files in that directory, and allowing them to simply click in a given file name to access it.

Servers can be configured to prevent this, but for many people, the quickest and simplest way to protect their directories from prying eyes is to stick an index page in each directory.

6) Give your download pages hard to guess names. Don’t use urls like YourDomain.com/ProductName/download.html Instead you want to give download pages names comprised of a random sequence of letters and numbers, perhaps stick them in directories not even associated with a given product, or use a “download guard-type” script that gives each customer a unique download link and protects your files.

There are a lots of other things that you can do to easily close common holes in your website’s security. This article barely scrapes the surface, and is intended more to make you aware of the problem, and to get your thinking about it. Make regularly reading articles and reports on the topic a part of your education in how to operate a successful online business.

Post from: SiteProNews: Webmaster News & Resources

Are Your Websites Secure Or Is The Back Door Wide Open?

Believe it or not, the article is true. This is what happened to a friend of mine. I am not at liberty to name the SEO company, especially since the investigation is still ongoing, but this is what happened.

A couple months ago, my friend hired an expensive SEO company (charged $2500) to reoptimize his website to get maximum exposure for the search engines.

After he paid the fee, he soon learned that they contracted out the job overseas to a bunch of random people who asked for his website hosting username and ftp password and told him that it should be ready in a few days.

They made some changes to his website. He visually saw many of them but not all of them. They said wait 3 months before making any other changes and let our SEO work do the job.

He waited, and his traffic started dropping. He contacted them, and they told him that it was completely normal while his website was being reindexed by Google, and to be patient.

His orders began to suffer, his visits were decreasing, he barely lasted the 3 months. When he tried to contact them again, they had disappeared.

He hired someone else to go in and take a look at his website to figure out what had gone wrong.. This is what they had done..

In his product catalog, some of the product names had a special hidden javascript next to them. When someone would go to the main website and click everything, the website would perform normally…

HOWEVER, if they came through a google referer in the http request, the javascript would activate and send his visitor to a competitor / spammy website who was selling the same products.

The only way he could have seen this, is if he visited his website like a normal visitor would who showed up from Google. Instead, he manually typed in his website address and therefore the javascript wouldn’t activate.

So here is a guy, who pays $2500 to an SEO company to help increase his traffic, and instead, all they ended up doing was stealing his money, AND his traffic.

This is something that everyone needs to be careful about. Don’t EVER trust an SEO company unless you have investigated THEM first. Don’t just hand over your FTP username and password to someone, and say “go ahead, and do what needs to be done”

…in this case what needed to be done was to hijack his website, steal a nice sum of cash, and run off in the middle of the night. His payment was cashed overseas, and the free mail accounts they had were no longer operational.

A real nice scam. Plus you have to wonder how much they made off his free traffic they stole over that 3 month period. How much other website hosting traffic did they steal from other websites caught in their SEO scam?

We’re all so desperate to get to the top rankings of the search engines, sometimes, we lose our business sense, and just hand money over to the first person who promises what we want to hear.

Jie Fang – Please share this story with anyone you know. More useful articles like this are at http://sillyinternet.blogspot.com

Post from: SiteProNews: Webmaster News & Resources

SEO company STOLE my traffic!