Archive for the ‘Security’ Category



3
May

Who are you sharing your customer data with?

I see new products and services from large retailers and large online companies all the time. Sometimes these services can be extremely helpful to the ecommerce website owners. Services such as product reviews, facebook or social media widgets, customer feedback, additional payment methods, etc., can help small websites look more authoritative and help build visitor trust. It’s trust that gets your customers to purchase from you, just as much as the prices you sell your products at, right?

The internet and the companies that we routinely see operating on it have become such common names that most of us hardly stop to consider how these companies that we trust make money, and what they do with the information that we give them. When we’re talking about information on a personal level, the potential loses are fairly low if some company decides to use or share our data with others. Facebook, Google, MySpace, Linkedin, Twitter, Amazon, Walmart, Target, and just about any other major player on the internet uses your personal information in some manner. Most of the time, the worst thing that could come from misuse of your information is increased spam email or targeted advertising directed to get you to buy some product. When we look at the same information privacy scenario from a business perspective, the repercussions of sharing your information can be severe.

Small business owners need to be vigilant in who they share their data with!

I’ve personally talked to more than handful of website owners who watched Amazon become their biggest competitor after they launched a successful Amazon.com business. I’ve heard of elaborate buying schemes with lawyers, accountants, and capital firms, even involving publicly traded companies, just to get a crack at some successful company’s marketing and analytical data. It’s sometimes hard to see the value in data but it’s there. Facebook was valued at nearly $50B ($50,000,000,000) just a few months ago, when as a company they make less than $1B per year in revenue. Just think about that…

Unlike personal information that sellers would use to sell you products, your business’s information can be used to compete against you. It can be used to out compete you. It can be used to steal your customer and lead sources. It can be used to figure out how your SEO campaign gets links. How your PR company promotes your business. Your data may only be giving you a snapshot of how you got your customers. It will give another company a playbook on how to steal your customers.

Now, just because you currently trust one of these companies and use a service that collects data about the way your website works and the way your customers work, doesn’t mean that you are going to have a MyProducts.SomeOtherCompany.com website popping up in a week. What it means is that before you add some global script to your site like Google analytics, or Shopping.com tracking, or an affiliate tracking script, or join a product comparison site, or anything else, you should be damn sure you understand what that company is going to do with your data.

I’ve been running ecommerce websites for nearly 10 years, and something that I can tell you with 100% certainty is that the knowledge, the experience, the information and data you gain in creating a successful online business, is as important as the business itself. It’s one thing to trust a company with your personal information. It’s entirely different to trust them with your business information, especially if there’s any chance of them competing against you.

Small businesses need to be careful with whom they trust with their customer information!

A few weeks ago, there was a major breach at a massive email marketing company. Citigroup, JPMorgan Chase, U.S. Bank, Barclays Bank, Best Buy, Hilton WorldWide, Marriott International, Disney Destinations and The College Board were among the clients that lost their customer information in the data breach. While there wasn’t any loss of credit card or other highly sensitive information, there was a loss of names and email addresses. This creates huge avenues for phishing fraud, and is a huge blow to the integrity of these corporations.

The difference between these giants and the rest of us, is that they can easily withstand a data breach. They have the money and PR budget to survive and in many cases these companies are so big that their customers don’t even have a reasonable alternative to switch to. Unfortunately this is rarely the case for small businesses. A good percentage of businesses that suffer a data breach from themselves or due to a 3rd party go out of business, some are forced to sell, all suffer nearly-irreparable damages. The bottom line is that most businesses cannot afford a major data loss neither in names and email addresses nor in a more severe case like credit card or banking information.

In cases like Epsilon it’s hard to fault the companies whom had lost data. If they trusted Epsilon with their information, there’s a good chance that Epsilon was pretty secure. Business owners should nonetheless be diligent in any partner’s security practices and certifications. This would include PCI and other industry security standards and would include making sure the company you are giving data to has a solid and logical data security policy. It also should be clear if they share the data you provide with 3rd parties, for security sake and for the above reason.

Data, while intangible, may be the most important asset of your company without you even knowing it. Take a step back and make sure that you trust whomever you share it with, and make sure that you aren’t providing a new competitor with an avenue to compete or to put you out of business.

29
Jan

Open Source Firewall Appliance Round 2

A few years ago I blogged about using the Untangle firewall to replace a Sonicwall or similar firewall appliance.

Since then, Untangle has come a long way. I would like to revisit the untangle appliance as it has undergone numerous improvements, and in my opinion is now a fully capable replacement for an off-the-shelf firewall appliance.

Hardware update…

For a solid, and completely silent firewall for a business environment, here’s my current recommendation (Prices are for new components. Refurbished or used could result in a 30% – 50% reduction in price).
Server – ASUS rs100-x5/pi2: ~$300
Processor – Intel Core 2 Duo E7500: ~$105
RAM – 4Gb (2x2GB) DDR2667: ~$90
Hard Drive – WD RE3 or equivalent
(200 – 500GB) SATA: ~$100

Total cost is under $600. This would be comparable to a $3000+ Sonicwall or similar appliance and would be significantly more quiet.

If you need more ports, a quality 4 port PCI-E Ethernet card runs about $350. The $1000 tag on this server with 6 Ethernet ports is still a bargain. A quality single port Ethernet card would run around $75. Don’t use a desktop Ethernet card in a server like this and expect good performance, you need a quality 3com, Intel or other enterprise quality card.

This is still a low-end server, but is silent and would work well for a moderate sized office. If you have the budget and usage to require it, you could put this on a dual quad-CPU server and put 32Gb or more ram on it. Additionally for any datacenter usage, you don’t need to worry about sound, so a more robust server could probably be setup for the same cost.

Unlike most human related computer activities, packet inspection and other firewall activities are very processor intensive. The faster the processors, the better a firewall appliance will perform. If you do decide to build a Untangle or other firewall appliance, keep this in mind. Embedded processors like Atoms, or VIA’s are not a good match for a firewall, even through they are designed to fit in compact sized enclosures. They work well for what they’re designed to do, but they are not designed for this.

Current hardware recommendations are as follows:

CPU RAM DISK NIC
Minimum 800 MHz 512 MB 20 GB 2 (inline)
1-50 PCs P4 1 GB 80 GB 2+ NICs
51-150 PCs Dual Core 2 GB 80 GB 2+ NICs
151-500 PCs 2+ Cores 2+ GB 80 GB 2+ NICs
501-1500 PCs Quad Core x64 4 GB 80 GB 2+ NICs
1500+ PCs 4+ Cores x64 4+ GB 80 GB 2+ NICs

VPN

Something I didn’t discus in my last article was the VPN. Untangle comes bundled with openVPN. There is no limit other than that of your hardware for the number of VPN users your appliance can support. It is extremely easy to add, suspend and remove VPN users. VPN users are sent a custom key and connection for them to install on their computer. The VPN also supports site-to-site VPN allowing 2 or more offices to virtually share the same network no matter their distance from each-other.

Open VPN is much simpler than any VPN software I have used on either the client or host side. It makes VPN administration and setup a breeze. If you have used cisco, sonicwall or other VPN services, this will be a breath of fresh air in administration and setup.

Feature Improvements

When we started using Untangle, it was not designed to handle advanced protocols including some VPN services, and multi-protocol traffic like VOIP (Voice over IP) phone services.

I am happy to say that Untangle now fully supports multi-protocol traffic like VOIP or Ipsec. Some types of traffic will require custom configurations, but so far I haven’t found any sort of traffic that Untangle has problems with.

Untangle also now support firewall bypassing for high-availability applications, and supports a form of QOS (Quality of service). The QOS is very configurable, but still not quite a user friendly as other platforms. It is however usable despite some potential complicated setups. QOS is essential for running VOIP and other mission-critical applications. It can also be used to throttle down bandwidth eating services like online video.

OS Upgrades

Untangle is now offered in a 64bit operating system, something to satisfy the larger memory requirements for more robust servers. It is still a small custom Debian-linux build. The total install file size is around 500Mb, which is a fresh breath compared to the 3 – 4Gb sizes of many current Linux distributions.

There is also a Windows version for those who don’t have a dedicated server to run untangle on. In this case, Untangle works as a re-router, controlling the routing and traffic of a network, but on an existing windows XP computer.

Conclusion

Untangle has moved from an aspiring concept, to a true contender to established firewall appliances. At this point, I can’t see any reason why a business would spend the extra money on a Sonicwall or similar appliance. Pair this with OpenDNS, and you have a reliable system that can block websites on a DNS level, and a full featured firewall for spam, intrusion, phishing, viruses, and just about every other threat your users will encounter on the internet.

Untangle resources
Untangle Downloads (32bit, 64bit, and Windows)
Untangle guide (Wiki)
The Untangle Blog

If you don’t want to built an appliance yourself, there are plenty of approved untangle hardware vendors.

23
Jul
Comments Off on Are EV SSL certificates insecure?

Are EV SSL certificates insecure?

Today Intrepidus Group reported that EV SSL certificates are susceptible to a “Man-in-the-Middle” attack.

Zusman and Sotirov call their attack “SSL Rebinding” and claim that it can be used to sniff sensitive data as it leaves the user’s browser or to conduct a browser cache poisoning attack against EV SSL Web sites.

This is a major blow to EV SSL certificates and their significantly higher price tag. Something like this is significant enough, that if you are using an EV SSL, it may be a good idea to downgrade until the exploit is fixed.

28
May

Multi process PHP execution

Moved to: http://www.saynotoflash.com/archives/multi-process-php-execution/

16
Oct

What not to do when times get tough

When you look at businesses that are struggling, you generally see two reaction in attempt to get out of the slump.

The first reaction which generally is seen when a company declares bankruptcy or just before, is the add more fees without adding any value solution. Airlines are currently guilty of this, as most are adding fees everywhere without adding any additional value to their customers. I recently took a trip and was charged for curbside check-in, for checking a single bag, and for a soda while on the flight. The flight attendants and check-in receptionists were rude, no doubt because they have to deal with a bunch of angry customers. Southwest Airlines’ marketing team was just handed the golden platter of advertising opportunity, because people are angry at airlines for all the fees, and Southwest doesn’t have all the extra fees.

The second reaction which is actually consumer focused, is to change your business so it is more appealing adding value, in an effort to drive more business. Quiznos is a perfect example of this with their new pricing. I’m not sure if the end-user gets anything more from Quiznos, but the price / value point is far easier to understand which makes their restaurant more appealing.

Times are tough for a lot of retail businesses, and I can guarantee that simply raising prices will not create a more profitable or stable business unless you know for certain that your customers will happily pay the extra price.

Do not simply do these when times get tough:

  • Add fees without adding some value with those fees (The airline raise).
  • Grossly increase prices to accommodate for lost revenue.
  • Unilaterally change contract terms (Think AT&T and Verizon).

Be careful doing these:

  • Placing customers in opt-out programs.
  • Cutting the variety of the products you offer.
  • Dramatically changing or adding confusing policies and / or pricing structures.

Unfortunately there’s no magic recipe to making it through tough financial times, but these are some good ideas to help keep customers coming back to your business.

Here’s my recommendations to do before you ever get into real trouble:

  • Make your price / value point more appealing (like Quiznos above). Be extremely cautious with this one because it can easily backfire if your customers think your smoke and mirrors are just an effort to pad your revenue.
  • Offer rewards or incentives for frequent customers.
  • Retail & Restaurants. Offer incentives to customer who bring their own cups or shopping bags. Ideas like this can help reduce overhead costs, and produce less waste. It’s win-win for everyone.
  • Offer incentives to customers that refer their associates and friends to your business. If you’re not doing this already you’re doing something wrong.
  • Offer incentives to employees that refer their associates and friends to your business.
  • Diversify your marketing efforts. Don’t just use the Yellow Pages or radio ads. Puts your eggs in more baskets as long as they all provide real business. You can try local PPC marketing, sponsoring events, newspaper ads, and more.
  • Optimize your business. This is a great time to see if you can save money on the services that your business already uses. Internet, phone services, your merchant account, shipping costs and methods, are all great places to start. Find services that you don’t really need and cut those first.
  • If you need to purchase new IT equipment look into low power consuming equipment. Low power servers, computers, and network hardware can save thousands per year in energy costs.
  • Reduce staff. This is truly one of the hardest and most unpleasant aspects of owning a business, but realistically, if it’s going to potentially save your company then you should consider it. My personal opinion is that this is an absolute last resort, unless you have employees that you were planning on releasing anyway, but it is sometimes necessary.

Every dollar you can save will really help later when you’re completely cash strapped. Start doing these before you are looking an an insurmountable situation that will ultimately end with the end of your business.

Let me know if you have suggestions or experiences of your own.

14
Feb

Enterprise open source firewall appliance software!

I needed to setup a content filtering firewall a few weeks ago for an office of about 50 people. The existing firewall was a Sonicwall Pro 4060 which is a very solid firewall and is more than adequate for 50 computers. Sonicwall also has a content filter application that installs on the Pro 4060. The drawback to using Sonicwall’s filter is the price. Their filter is billed on a recurring yearly subscription, and would cost about $2,000 per year to use. $2,000 per year was far beyond the budget for such a project, so I went to look for an open source or lower cost setup, hopefully without any annual fee. My first thought was a custom Linux-Debian computer made only to function as a firewall. After some research and a few recommendations, I found a great out-of-the-box Linux operating system, Untangle, that is designed specifically for dedicated firewall applications. This was a much better solution that custom configuring a Linux server.

The following is a quick guide on how to setup a Enterprise class firewall for a small to medium sized business. How good your firewall performs is dependent on the hardware that you use, but if you copied the specs of the one that I setup, it should easily handle 100+ computers and servers.

Tyan transport GS14

Click to continue…

12
Dec

The myth of tax free internet sales

It has been a long held belief by most online shoppers that out of state internet purchases are tax free. I have to admit that I believed this for a long time myself, but unfortunately it’s not the case.

Just to dispel any theory dissolving that old ‘Death and Taxes’ quote, internet purchases are not tax free. That’s right. As the wording goes, most internet companies don’t have to collect out of state sales tax. However, consumers, businesses and any end users still must pay a “Use Tax” on non-taxed purchases that they make through mail-order or online.

Most states currently have Use Tax which specifically requires consumers to pay their state sales tax on purchases they make online that are not taxed by the business. There are some exemptions for certain types of products and for states that do not have any sales tax, but for the most part, taxes on these purchases are required to be paid to your state government. With the exception of very large purchases, use tax is rarely if ever monitored, as it would simply be an impossible feat for any state government to handle. However, we can all be sure that states are losing out on millions if not billions in uncollected taxes, so if you aren’t paying them, enjoy the free ride while it lasts.

Here’s a Use Tax table that I came up with covering which states require it:
(Let me pre-apologize about all of the PDF links here, Government websites are about as bad as they come, and in many cases PDF’s are the only pages available.)

Click to continue…

13
Nov

Spam-proof your dedicated server!

I wrote about a great cpanel firewall add-on that I found a while back.

The same company that designed configserver firewall, has two security packages that are designed to help maintain a cpanel/whm dedicated server.

I recently purchased the “cPanel Service Package + MailScanner” package for one of the servers that I manage.

Here’s what you get for $125:

  • iptables SPI firewall (csf)
  • Login failure detection (lfd)
  • Stop unnecessary processes
  • Logcheck
  • Logwatch
  • WHM configuration check
  • OpenSSH configuration check
  • Install and configure Rootkit Hunter
  • Install and configure Chkrootkit
  • install mod_security
  • Host spoof protection
  • Operating System check
  • Name server configuration check
  • Disk check
  • Kernel check
  • Apache tune and check ***
  • MySQL tune and check
  • Enhanced log rotation
  • Day of the week backup rotations
  • Secure /tmp /var/tmp /dev/shm
  • Install and configure ConfigServer Explorer (cse)
  • Install and configure ConfigServer Mail Queues (cmq)
  • Install and configure ConfigServer Mail Manage (cmm)
  • Perl installation check
  • Delete unnecessary OS users
  • Disable open DNS recursion
  • Enhance path protection
  • Remove SUID/GUID from binaries
  • PHP hardening
  • Exploit check
  • Disable vulnerable phpBB installs
  • Initial cPanel configuration
  • Enhance MailMan performance
  • Install MRTG graphs
  • MailScanner Server service
  • One week of informational tickets

While this is all great, what really caught my attention was the improvement with the email that the server was handling. Click to continue…

19
Sep

cPanel Security

This is a little plugin that I came across today. Nothing new, but after using it, there’s no way I would setup a cpanel/whm server without it.

ConfigServer Security & Firewall (csf)

This is essentially an extension of iptables firewall that integrates with a nice GUI in the WHM interface. It makes configuring the server’s firewall a snap, and also suggests other security fixes based on how your server is setup.

The installation took about 5 minutes to complete and another half hour to fully configure. You will need ssh or other shell access to install it on a server. This is an absolute necessity for any server. I only wish I would have found it a long time ago, as it is a huge time-saver.

22
May

Internet Explorer (Auto Complete) stores your passwords unencrypted!

When you check the auto-complete option in Windows internet explorer, you just opened yourself up to a mess of potential problems. Internet explorer stores all of the user names and passwords that you tell it to learn, in a single flat-file that is unencrypted and can be easily read by a variety of program.

Click to continue…

Copyright © 2024 The Ecommerce Blog, Jamie Estep, All Rights Reserved · Theme design by Themes Boutique