Monthly Archives: May 2011
Internet security is a major concern for all Internet users; however, the stakes are raised a notch or two for website owners, especially those that provide online membership facilities and downloadable e-products such as e-books, e-media and software. One weak spot in security measures can devastate the site owner’s reputation, not to mention the potential for lawsuits if e-products are unknowingly contaminated with malware or computer viruses. Site owners are also obliged to uphold customer privacy policies and to secure the payment process and customer details. Then there is the challenge of safeguarding payable e-products against theft and tampering, while criminal elements never stop their efforts to find security loopholes, especially if high-priced e-products are involved.
Point-of-sale URLs (sales pages), online forms and registration facilities regularly receive high volumes of traffic from botnets trying to get a piece of the action. Some bots have been observed to initiate fake purchases using stolen identities and bank account details. Once download URLs are revealed to paying customers, and to bots making fake purchases, those areas also tend to receive more attention from criminal elements, usually trying to scrape content or inject scripts. If online customer support facilities like forums or support desks are also offered before a payment is processed, bots will attempt to get a piece of that action too. Customer support forums are especially susceptible to cross-site request forgery (CSRF). Add a PayPal or customer support e-mail address to the payment process, and/or a customer subscription, and you have a security nightmare when bots subscribe to your services and start sending messages to your disclosed e-mail addresses.
Adding an affiliate incentive program further complicates security if spammers join the affiliate program and start advertising sales pages using abusive methods and spam; not to mention business opponents and bot herders who may use harvested contact details in spoofed messages with forged e-mail headers (Joe Jobs). The real danger here is that your business reputation is at risk and spam victims may list your domain and IP address in blacklists. Always choose affiliates carefully to exclude spammers. On shared hosting services, a range of other domains sharing the same server and IP address may be blocked, causing other webmasters and spam victims to complain to your web host, who may suspend or terminate your services. That is why it is never a good idea to have online customer support desks on the same domain as your money-generating sites.
BASIC SECURITY MEASURES
The only way to avoid such a security nightmare, and to avoid eventually ending up in the crossfire between criminal elements and other Internet users, is to establish a sound security baseline before starting an online business. The minimum security baseline includes the following:
- Install an appropriate anti-virus, firewall and Internet protection application on every computer at your home and office.
- If using several computers, printers, VoIP and other equipment in a Local Area Network (LAN) configuration, a LAN gateway firewall is advisable. Although most gateways are equipped with a basic Network Address Translation (NAT) firewall, more advanced security equipment can also be considered to prevent viruses, spam and other undesired data from entering and leaving the LAN or Computer Network.
- A Secure Sockets Layer (SSL) certificate is also required for secure communication between a web server and local computers, to prevent interception of any sensitive information and passwords. SSL certificates also serve to authenticate the owner of a website, although that does NOT imply that the site owner should be trusted. Membership of, or certification by, a consumer protection organisation may therefore be needed to show potential customers that your business can be trusted amongst the many criminal operations on the Internet.
- The website and web server should be protected with a firewall and other security measures against botnet attacks, cracking, virus injections and other security threats. Unless a website is hosted on a dedicated server, the owner of a website cannot do much about the security of the web server in a shared hosting environment, and should thus choose a web host and data centre carefully. Attacks via other websites on the same server are, however, rare. A multilayer website security system should in most cases provide adequate protection.
- Any security solution is, however, only as strong as its weakest link. Storing unencrypted usernames, passwords, contact and banking details on a computer is asking for trouble. File Transfer Protocol (FTP) applications are especially vulnerable to Trojans, and keeping such details in web browser password stores, e-mail clients and contact managers is very risky. It is therefore advisable to use an encrypted file system to secure information, with a strong master password of at least 12 characters. All security measures are worthless if the same usernames, passwords and other details are used on several websites, social media facilities or elsewhere on the Internet. Each site should have a unique set of login details and contact e-mails. It is therefore advisable to invest in an encrypted password database application like Roboform, which is also a contact manager that can attach as a web browser toolbar, making it easy to log in to websites.
Any selection of security systems should work in harmony and complement each other without any conflicts and should be updated regularly. It is also advisable to actively manage firewalls and to deploy a few intrusion detection triggers. Personnel should also be selected carefully to avoid security leaks by those who are responsible for the ongoing maintenance of security systems and backups.
OTHER SECURITY CHALLENGES
If a staff member copies a file from an external source onto a computer, or opens a spam message with malicious content, a virus or worm could spread through a business network in minutes. Some anti-virus applications detect less than fifty percent of the malicious code in the wild. It may therefore be advisable to deploy a variety of anti-virus applications on different computers within a LAN environment to broaden your malware detection potential. With the recent release of the source code for a virus scripting toolkit, the Internet remains dangerous territory for those who are not well informed about security risks.
Some companies deploy a dedicated quarantine computer with a separate Internet connection for all Internet downloads, including files received from outsourced or freelance personnel. The goal is to avoid nasty surprises in the operational environment while affording security personnel the opportunity to run various checks before a file is released into the operational environment.
Deception always remains a security vulnerability. Apart from rogue anti-virus applications being sold to Internet users, it was recently discovered that Trend Micro, a well-known anti-virus application distributed by a South African bank, engages in brute-force tactics to hack into secure areas of websites. The bots used by Trend Micro to detect website malware on the fly use the user’s computer to bypass website security measures. Some webmasters have reported damage and other losses caused by software that is supposed to prevent them. Choose your anti-virus and security vendors carefully.
Some of my statistics indicate that botnet and other malicious visitors make up between 10 and 70 percent of all website visitors. On one occasion it was above 90 percent, but that was the exception (more on that incident below). These figures had a noticeable impact on marketing and SEO strategies, especially for paid advertising campaigns. You don’t want to waste money on paid advertising in the wrong target market, or optimise your site for malicious visitors on the basis of flawed statistics.
If you are under the impression that your websites are safe from botnets and malicious visitors, think again. To measure is to know. Perhaps you just don’t know about the strange activities going on at your websites, simply because you have no visibility of some problem areas. The first symptoms that something was wrong at some of my websites were notable increases in spam e-mails, forum spam, comment spam at blogs and unauthorised downloads. When these symptoms become visible, it is usually almost too late and a major restructure may be required.
On one occasion (the 90 percent malicious visitors incident), a hit-bot hammered a site two to three times per second via various IP addresses, increasing the server workload and slowing all other legitimate traffic. It took almost three months of abuse reports, blacklisting, moving content, redirecting and bouncing some visitors before the hammering subsided. The Awstats statistics looked fantastic, but this was traffic nobody wanted. Perhaps I should have sold the site, as many website owners can only dream about that amount of traffic (just joking).
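"To measure is to know": the share of bot traffic and the hammering incident above can both be read straight from the web server's access log rather than from visitor counters. The following is an added example, not code from the original post; it parses a few constructed Apache combined-format log lines, flags IPs that hit the site at two or more requests in a single second or send no User-Agent, and reports what share of all hits those IPs account for. The sample lines and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2011:10:00:00 +0200] "GET /sales.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.4 - - [12/May/2011:10:00:00 +0200] "GET /download/ebook.pdf HTTP/1.1" 200 90000 "-" "-"
198.51.100.4 - - [12/May/2011:10:00:00 +0200] "GET /download/ebook.pdf HTTP/1.1" 200 90000 "-" "-"
198.51.100.4 - - [12/May/2011:10:00:00 +0200] "GET /download/ebook.pdf HTTP/1.1" 200 90000 "-" "-"
198.51.100.4 - - [12/May/2011:10:00:01 +0200] "GET /download/ebook.pdf HTTP/1.1" 200 90000 "-" "-"
198.51.100.4 - - [12/May/2011:10:00:01 +0200] "GET /download/ebook.pdf HTTP/1.1" 200 90000 "-" "-"
203.0.113.9 - - [12/May/2011:10:00:05 +0200] "POST /forum/post.php HTTP/1.1" 200 210 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.9 - - [12/May/2011:10:00:06 +0200] "POST /forum/post.php HTTP/1.1" 200 210 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(log_text):
    """Turn combined-format lines into dicts; lines that do not match are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append(d)
    return hits

def flag_hammering(hits, per_second=2):
    """IPs that made at least `per_second` requests inside any one-second bucket."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["ip"], h["ts"].replace(microsecond=0))] += 1
    return {ip for (ip, _), n in counts.items() if n >= per_second}

def flag_no_user_agent(hits):
    """IPs that sent an empty or '-' User-Agent, typical of crude bots."""
    return {h["ip"] for h in hits if h["ua"] in ("", "-")}

def suspicious_share(hits, per_second=2):
    """Flagged IPs and the percentage of all hits they generated."""
    bad = flag_hammering(hits, per_second) | flag_no_user_agent(hits)
    bad_hits = sum(1 for h in hits if h["ip"] in bad)
    share = round(100.0 * bad_hits / len(hits), 1) if hits else 0.0
    return bad, share

if __name__ == "__main__":
    ips, pct = suspicious_share(parse(SAMPLE_LOG))
    print("flagged:", sorted(ips), "share of hits: %.1f%%" % pct)
```

A one-second rate threshold is deliberately crude; on a real log you would also whitelist your own monitoring and compare the flagged share against the visitor counts Awstats reports.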
Chasing criminal elements off your virtual properties can sometimes be disturbing; however, it can also be a lot of fun, especially when you have the right tools, protection and information. Ensure that you are prepared for these events by investing in appropriate security systems and the knowledge to protect your online assets. Internet security should not be an afterthought when doing business online; it is one of the first priorities. Unfortunately it is often neglected in training courses.
Happy botnet hunting and best wishes for all your endeavors.
PS: Ensure that you subscribe to my newsletter or to gain access to additional security tips.