Design Jump

Important Internet Security Information

SECURITY GUIDE

  • Password Security Guide

    6 IMPORTANT steps to enhance your password security

    1. Always use a strong password
    (minimum 12 characters, mixing upper and lower case letters, numbers and special characters):

    As a general rule the following character sets should all be included in every password:

    • uppercase letters such as A, B, C;
    • lowercase letters such as a, b, c;
    • numerals such as 1, 2, 3;
    • special characters such as $, ?, &; and
    • alt characters such as µ, £, Æ.

    Ideally, use a combination of words, such as JwuembPservice195 (please don't use this one).
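    As an added example (not code from this guide), a small checker that applies the rule above: at least 12 characters, with upper case, lower case, numerals and special characters all present. The "alt" (non-ASCII) class is reported but not required, and the guide's own printed example is treated as unusable because it has been published.

```python
# Added example: check a candidate password against the guide's rule. Character
# classes follow the guide's list; "alt" means any non-ASCII character.
CLASSES = {
    "uppercase": lambda c: c.isascii() and c.isupper(),
    "lowercase": lambda c: c.isascii() and c.islower(),
    "numeral":   lambda c: c.isascii() and c.isdigit(),
    "special":   lambda c: c.isascii() and not c.isalnum() and not c.isspace(),
    "alt":       lambda c: not c.isascii(),
}
REQUIRED = ("uppercase", "lowercase", "numeral", "special")
MIN_LENGTH = 12
# The guide prints one example password and says not to use it; anything that has
# ever been published as an example should be assumed to be in attackers' wordlists.
PUBLISHED_EXAMPLES = {"JwuembPservice195"}


def classes_present(pw: str):
    """Sorted names of the guide's character classes that occur in pw (alt included)."""
    return sorted(name for name, pred in CLASSES.items() if any(pred(c) for c in pw))


def check_password(pw: str):
    """Return (ok, problems); ok is True only when every rule is satisfied."""
    present = set(classes_present(pw))
    problems = [f"missing {name}" for name in REQUIRED if name not in present]
    if len(pw) < MIN_LENGTH:
        problems.insert(0, f"shorter than {MIN_LENGTH} characters")
    if pw in PUBLISHED_EXAMPLES:
        problems.append("published example password")
    return (not problems, problems)
```

Note that the guide's own sample, JwuembPservice195, fails its own rule: it has no special character.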

    2. Change your passwords on a regular basis (at least every 6 months).

    3. Users must exercise extreme caution when writing down or storing passwords.

    4. Never “reply” to a third party with an email that contains passwords or account information. Please contact support if you have any questions regarding this.

    5. Keep all passwords in a safe place and delete any emails containing password information (after safely saving the information).

    6. Never expose your email address on a social network website.

  • Website Security Guide

    If you intend to keep personal or customer information online, especially within e-commerce sites, then some consideration must be given to the security of your data. If a company wants to be seen as credible and trustworthy, the last thing it needs is to be contacting its customers with news of lost or stolen personal information. Other negative consequences are false transactions due to fraudulent activity, website downtime while the security issues are repaired, and the possibility of being sued by customers who have incurred a loss.

    Note that there is no such thing as 100% security. It does not exist, especially in computing, where there are several ways hackers will find and exploit a weakness in a website, but in general there are four main areas of consideration.

    Business Computers and Applications

    Almost all business computers use Microsoft software to operate the computer hardware. Microsoft dominates desktop software packages, apart from accounting software such as Sage Line. Unfortunately, Microsoft systems and software packages are extremely vulnerable to security flaws in their programming. Obviously it is something Microsoft tries to keep quiet. Microsoft's pricing and aggressive marketing have seen off quite a few worthy alternatives. Only Apple Macintosh, Sun Microsystems and IBM (Linux and Unix open source freeware systems) have survived, and the latter are very robust security-wise. In comparison, the most robust systems require a dozen or so security fixes annually, whereas Microsoft systems require a dozen essential security fixes daily (they call them Updates).

    Firewalls, Virus Checking, Spyware and Email

    Suffice it to say that if you intend to use Microsoft-based computers then you will need to employ these security measures to protect your systems and data. We would insist that any computers used in the running of an e-commerce site have the following installed and properly configured.

    Firewall - There are various software-based firewall programs available. We wouldn't recommend a novice try to configure the hardware firewall in their router. One excellent free version is Zone Alarm, and Norton offers a very good firewall and virus checker. Firewalls protect the ports computers use to communicate and offer intrusion protection. For example, port 80 is reserved for web traffic, which your browser software such as Internet Explorer uses to send and receive data from the Internet. There are around 65,000 possible ports available to communicate through. It is necessary to configure the firewall to accept program access on the ports you specify; however, the pre-configured settings work very well.

    Virus Checking - Virus checking software is used to scan your computer's memory and hard drives for resident viruses, worms, Trojan horses, diallers and the like. Mostly, viruses are used to gain access to your data, to replicate the infection to other computers, or to use your computer without your knowledge for illegal activities. Sometimes your computer may be used, in conjunction with others, to attack other computers, in what is called a Denial of Service (DoS) attack. Destruction of the system as a motive is seen far less often. The software's library is updated regularly with all the known viruses. Most virus software will also, to some extent, protect against software security flaws too.

    Spyware Removal - There are a number of very good free spyware tracing and removal programs, such as Spybot. Spyware is essentially a small computer program that infects a computer in order to collect data or redirect the user to inappropriate website content. It can also take over important settings in the operating system on computers running a Microsoft OS, because MS had the very strange notion of tying Internet Explorer into the core of the operating system. Unbelievable, considering the security flaws in IE. Spyware removal is automated and cleans the computer's registry, drives and memory. Spyware can also cause a noticeable decrease in the computer's performance.

    Email - Email is the most popular way of spreading a virus; however, most virus checking software will check incoming email. More sophisticated methods use email to trick the receiver into giving out personal information. Popular techniques are phishing, where an email is a fake that looks identical to one from a well-known company, and pharming, where an email takes you to a fake website identical to the real one. Both are very realistic, though a look at the URL will show the fake domain name. NEVER give out any personal information in response to an email request. Period.

    Here is a good example of how viruses are spread via email. The screenshot below shows an incoming spam email posing as a Facebook friend request. Clicking on the Confirm Friend link, or any other link, takes you to a sub-page on the www.gk99.tw website, which tries to exploit a potential security flaw in the Windows OS and infect your system with the DR/Zapchast.E Trojan. The operations it can perform are limited by the user's privileges on the target computer, but they normally include data theft, modification or deletion of files, keystroke logging, and use of the machine as part of a botnet to perform mass spamming or to carry out distributed denial-of-service attacks.

    [Screenshot: website security graph 1]

    A check of the email headers shows: Received-SPF: none (mta1016.bt.mail.ird.yahoo.com: domain of postmaster[at]adp-architects.com does not designate permitted sender hosts), which basically means Facebook did not send the email; adp-architects.com did. The email server functions of that website have been compromised in some way.

    One simple check for a non-technical person is to mouse over any link and look at the bottom of the browser window: this will show the URL the link actually points to. One would expect the www.facebook.com URL to be shown.
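    The two checks described above (the Received-SPF header and the "mouse over the link" comparison) can be automated for a mailbox or a mail gateway. This is an added example, not code from the guide: the message is constructed, the lookalike sender domain and the phishing host are placeholders, and adp-architects.com is the sending domain quoted in the header above.

```python
import re
from email import message_from_string, utils
from urllib.parse import urlparse

# Constructed sample message (not the guide's screenshot), modelled on the header the
# guide quotes: the display name claims Facebook, SPF reports "none" for a different
# sending domain, and the link text names a host that the href does not point at.
RAW = """\
From: "Facebook" <notification@facebook-lookalike.example>
Return-Path: <postmaster@adp-architects.com>
Received-SPF: none (mta.example: domain of postmaster@adp-architects.com does not designate permitted sender hosts)
Content-Type: text/html

<p><a href="http://phish.example/confirm">www.facebook.com/friends</a></p>
"""
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def spf_result(msg):
    """First token of Received-SPF: pass, fail, softfail, neutral, none, ..."""
    hdr = msg.get("Received-SPF", "")
    return hdr.split(None, 1)[0].lower() if hdr else "missing"


def domain_of(header_value):
    """Domain part of the first address in a From or Return-Path header value."""
    return utils.parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def link_mismatches(html):
    """The 'mouse over the link' check: link text naming one host, href pointing at another."""
    found = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()          # drop tags nested in the text
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and "." in shown and shown != actual:       # only text that looks like a host
            found.append((shown, actual))
    return found


def triage(raw):
    """Return the red flags for one raw message; an empty list means none were found."""
    msg = message_from_string(raw)
    flags = []
    if spf_result(msg) != "pass":
        flags.append(f"spf:{spf_result(msg)}")
    sender, envelope = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if sender != envelope:                                   # header From vs. actual sender
        flags.append(f"sender-mismatch:{sender}!={envelope}")
    flags += [f"link:{s}->{a}" for s, a in link_mismatches(msg.get_payload())]
    return flags
```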

    Web Server Configuration

    Directory Traversal & Browsing - This is a method a hacker would employ to access sensitive data held on the web server where your e-commerce site is installed. Each domain is generally given its own root directory, which restricts access to other parts of the server for obvious security reasons. Filtering the HTTP requests sent to the server is the best prevention against directory traversal attacks. A web developer should make sure that the latest server software and security fixes have been installed. Default server scripts should also be removed.
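    One way to do the request filtering described above, as an added example (not the guide's code): decode the request path once, let the filesystem library collapse every "." and ".." and then refuse anything that lands outside the site's root directory. The document root is a hypothetical path; the guide names none.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root for the example; the guide names no path.
DOCROOT = Path("/var/www/shop/public")


def resolve_request_path(request_path: str, docroot: Path = DOCROOT) -> Optional[Path]:
    """Map the path part of an HTTP request onto a file under docroot.

    Returns the resolved file path, or None when the request must be refused because
    it escapes the root, contains a NUL byte, or is still percent-encoded after one
    round of decoding (double encoding is a classic way to slip past a naive filter).
    """
    decoded = unquote(request_path)
    if "%" in decoded or "\x00" in decoded:
        return None
    root = docroot.resolve()
    # Strip the leading "/" so the join does not replace docroot with an absolute
    # path, then let resolve() collapse "." and ".." before the containment check.
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


def is_served(request_path: str, docroot: Path = DOCROOT) -> bool:
    """True when the request maps to something inside docroot."""
    return resolve_request_path(request_path, docroot) is not None
```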

    File Permissions - Each file and directory within the root directory of your e-commerce domain should have its file permissions set correctly, to avoid access to files that should be hidden from browser viewing.

    PHP Globals & Error Reporting - There have been quite a few issues with the register_globals setting in PHP programming. The real issue is insecure programming rather than the setting itself. Most server PHP engines are now set to "off", and some PHP code might have to be edited to work correctly. Use the server logs for error reporting rather than returning the information to the user, as error output can reveal important server settings.

    Server Side Scripts

    Server-side scripts are programs, written in languages such as ASP, ASP.NET, PHP and CGI, that are processed on the operating system of the web server. The web pages contain the code so that they can retrieve dynamic content, respond to user queries and save information to a database. The code is used because it makes a web page much more configurable and automated. However, if the programming in these languages is not done securely, it can lead to a compromise in security.

    SQL Injection - SQL is the database language used to store information on an e-commerce site: names, addresses, credit cards, product details, purchase information, in fact anything to do with the running of the online store. The database can be vulnerable to SQL injection, which breaches the database security; the database can be accessed and information stolen or destroyed in this manner. Around 9% of hacking attempts are attributed to SQL injection. Applications should have a robust filtering method to prevent important database information from being revealed.

    Cross Site Scripting (CSS, more commonly abbreviated XSS) - A technique used to gather personal information or run malicious code whilst you are using your browser. 27% of recognised hacking attempts are due to CSS. Vulnerabilities within the site's scripting languages can allow CSS to be run.
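    The two server-side flaws above usually sit in the same piece of code, so here is one customer lookup written both ways as an added example (not code from the guide). The vulnerable version splices the search term into the SQL and echoes it back unescaped; the hardened version uses a parameterised query, which is the standard form of the "robust filtering" the guide asks for, and escapes everything before it reaches the page. The table and its rows are constructed.

```python
import html
import sqlite3


def make_store_db():
    """Constructed in-memory customer table standing in for the shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice@example.com", "1111"), ("bob@example.com", "2222")])
    return conn


def render(rows, term):
    """Build the results fragment exactly as given; callers decide what is escaped."""
    items = "".join(f"<li>{email} (card ending {last4})</li>" for email, last4 in rows)
    return f"<p>Results for {term}</p><ul>{items}</ul>"


def customer_page_vulnerable(conn, term):
    # SQL injection: the term is spliced into the statement, so a quote inside it
    # closes the string literal and whatever follows is executed as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + term + "'"
    rows = conn.execute(sql).fetchall()
    # Cross-site scripting: the same term goes back into the HTML untouched, so any
    # markup or script it contains runs in the visitor's browser.
    return render(rows, term)


def customer_page_safe(conn, term):
    # Parameterised query: the driver passes `term` as a value, never as SQL text,
    # so no character in it can change the statement's meaning.
    rows = conn.execute("SELECT email, card_last4 FROM customers WHERE email = ?",
                        (term,)).fetchall()
    # html.escape() turns <, >, &, " and ' into entities; escape the stored values too,
    # since data that was once user input is just as untrusted as the search term.
    safe_rows = [(html.escape(e), html.escape(c)) for e, c in rows]
    return render(safe_rows, html.escape(term))
```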

    Seventy-five percent of hacking is carried out at the web application level. Generally, the stolen information is used for illegal activities and your database would be left intact.