AlkoHost.comVideos | Your Web Hosting Solution

Password security is broken say experts

admin — Fri, 18 May 2012 14:10:44 +0000

Identity fraud is one of the biggest threats to unwary web users today. It can come in a variety of forms but is often the result of an online account being hacked or details phished via social engineering.

I recently met Jason Hart, former ethical hacker and now managing director of secure authentication firm Cryptocard, who has been banging on for years about how password-based approaches to account authentication are no longer sufficient.

Now, of course, he would say that, given that Cryptocard’s job is to sell alternative two-factor-based authentication technology, whether it’s via key fob token generators, or passcode-generating software which can be installed on a smartphone.

However, the sheer number of security breaches which have occurred because password security systems have been cracked in the most basic and simple way backs up the two-factor message.

“Why should a [hacker] go to the effort of finding a vulnerability when he could target the password?” Hart told V3.

“The problem has always been there but the reliance of social networks and cloud computing [sites] on passwords has been explosive. Password security is the only thing that impacts confidentiality, integrity, availability, accountability and auditability.”

Most retail banks in the UK have got the message and now issue customers with some form of one-time password generating device to try to deny the dedicated fraudster. But problems persist elsewhere. Online cloud-based services have grown to staggeringly high numbers and most of them still use passwords as the primary means of account entry.

Twitter, Facebook, Google and virtually all other web firms have been of the opinion that to do otherwise would be unnecessarily burdensome to the user, incur cost to them and fatally tip the security/usability balance the wrong way so as to actively discourage people from signing up.

Hart, of course, believes this is a narrow minded approach that leaves such firms woefully unable to protect their customers. As an ethical hacker, Hart told V3 he has spent much of his time finding ways to crack password systems, with little difficulty.

Password reset options in particular, as was observed by Trend Micro’s Rik Ferguson the other week, can often contain startlingly easy questions, answers to which can be found anywhere online with a little rudimentary digging. And that’s assuming that the password was not an easy-to-guess name or even a default word in the first place.

More disturbingly still, Hart said he was able to find the personal details of virtually anyone he needed to online, a technique many hackers use to enhance their chances of success in social engineering attacks.

He gave the example of a hacker who could trawl LinkedIn for new job starters, then email a victim who had just begun a job, pretending to be from the new firm’s IT or HR team. It’s only a small step from there to persuading the victim to click on a malicious link or volunteer some sensitive financial information.

So where does the responsibility for account security lie? Certainly people need to improve their password habits, but, as Hart argues, passwords really shouldn’t be used anymore. However, when it comes to the amount of data routinely placed online by web users, the problem is a little less black and white.

LinkedIn was highlighted by Hart as a particular goldmine of personal information for hackers, the added dimension being that it’s professional information and much more valuable to hackers looking to infiltrate an organisation. So does LinkedIn need to up its game and tighten privacy settings? Well, the firm told me in a statement it is “constantly assessing its security and privacy policies to ensure all members have a rewarding and safe experience”.

“As a member of LinkedIn, you have full control over what information you share with your connections and beyond,” it added.

“Privacy settings allow you to control what information you make available to search engines through your public profile, and to control the messages you receive from LinkedIn and other users. The privacy settings also allow you to control visibility and accessibility throughout the web site.”

A pretty unequivocal ‘we’ve done our bit, it’s up to the users to do the rest’ message, then. But has the balance of responsibility shifted a little too far onto the user? Privacy policies on sites like Facebook have been criticised in the past for being too complicated for the average Joe to work out. While LinkedIn’s are a lot simpler than Facebook’s, they may still trouble some people, and crucially the firm could do more to publicise them.

As online fraudsters get ever more sophisticated and wise to the opportunities afforded by these huge and as yet still largely untapped pools of personal information, more pressure will come on the platform providers to do a little more.

Why backup your data?

admin — Fri, 18 May 2012 14:02:47 +0000

Superheroes need it, police rely on it and everyone that uses a computer should use some form of it. In the world of mainframes and microchips it’s called data backup or data recovery and it can mean the difference between a slight computer setback and living through your own electronic apocalypse.

Let’s face it; our computers are a bigger part of life than ever before. We shop, work and play using computers. They’ve replaced stereos, encyclopedias, even the mailman. They’ve become journals, photo albums and canvases for our art.

But computers aren’t perfect. Files become corrupt, motherboards malfunction, CPUs call it quits taking our precious data with them.

The best defense is data backup software. Backing up data is vital for businesses; lost information can cause a major crisis or worse, lead to business failure. Individuals who don’t backup computer data run the same risk. While this may not cause financial ruin, it can certainly be frustrating and even heartbreaking. So why do so few of us practice data backup?

Here are the common excuses:

“I’m too busy to backup my computer.” We are busy; work, family and friends fill our days and leave us little time for boring things like computer maintenance. But today’s backup software manufacturers make it easy. Through scheduled backups, your system can automatically perform a backup that fits your needs at an interval you choose – without interrupting life.

“I don’t know how to backup data.” Like preparing for a natural disaster, most of us understand how important data backup is, but don’t know where to start. A big step is deciding how you are going to store the data you backup.

One option is Removable Backup Media, but this only narrows the field a little. You could buy a million 3.5″ discs or perhaps invest in a larger-capacity external Zip drive. You could take the plunge into writeable CDs or stretch out your legs with the help of an external hard drive.

Another good data backup option is to backup to an FTP location, which allows you to backup a file, a folder or your entire hard drive to a separate location online.

“My computer won’t crash.” You’ve had your computer this long and haven’t had problems so far why worry about computer backup now? Data backup is about protecting your data’s future, but with computers, it isn’t if you crash, it’s when you crash.

In today’s high-tech world of sneaky spyware and venomous viruses, you are in more danger of data loss than ever before. Computer viruses grew by as much as 11% percent during 2003 alone.*

Like tires on your car, the electronic circuits your computer rides on will eventually wear down and blow out. When this happens, you can either grieve at your loss or simply restore your data with data backup software.

So with that said, how does one choose the right backup software? There are many varieties available – some suited to a growing business and others for growing families. Some backup software is for technical experts, other packages for the technically challenged.

Protect your Web Servers with SSL

admin — Fri, 18 May 2012 09:22:18 +0000

Do you need SSL?

SSL (Secure Sockets Layer) is a technology to encrypt communications between the user and the web server. It helps to prevent hacker attacks that are based on eavesdropping. When you use a web page that is protected by SSL, you see a padlock icon that assures you that the page is secure.

Is the web site really secure with SSL?

No. SSL secures the network communication link only. Although this is an important security layer for sensitive applications, most attacks on websites are not actually done this way. Most attacks on websites are actually done in one of the following ways:

The server is attacked directly. SSL does not protect you from this. Rather, you need to have a good IT security policy to protect your server.
The user is attacked directly, either by infecting their PC with malware, or by using “phishing” to steal their passwords. SSL does not protect you from this, either. To protect your own PC from this, you need to use a good anti-virus program, and use lots of common sense and a small amount of paranoia when on the Internet. However, it is unrealistic to expect that all the PCs of all of your website visitors will be adequately protected.

In other words, SSL does very little to prevent the user or the website from being hacked. It only prevents 3rd parties from listening to communications between the user and the website.

In that case, when is SSL important to have?

If you are transmitting sensitive private data over the internet, SSL is an important additional security layer. Although eavesdropping may be a less common form of attack, there is no reason not to protect against it if the consequences are serious.

What kind of “sensitive private data” needs protection?

Private data is information that should only be known to you (the website owner) and the user. The most obvious example is credit card numbers. If you outsource your credit card processing to an external e-commerce gateway, the transactions are protected by your e-commerce provider’s SSL. Adding SSL on your website is not necessary.

Passwords may also be sensitive if they access private data or functions, such as bank account statements, email inboxes, and so on. Passwords that merely access a members-only area are less sensitive, because these resources are shared and not truly private.

Note that personal information such as names, email addresses, phone numbers, and mailing addresses are not private. This is information that is meant to be shared with others. SSL does not really protect information that is already publicly available in more accessible formats such as the phone book.

(However, you do need a good privacy policy when storing and using people’s personal information, to assure your users why you need their personal information, and what you intend to use it for. This is mostly because some organizations have a history of selling their databases of personal information against the wishes of their clients. SSL does not help with this, however.)

There is a grey zone between private data (which should be known only to you and the user), and personal data (which is known and used by many others). Individual pieces of personal data may not be a big deal, but if you collect enough personal data, identity theft may become a plausible threat. Special account or identity numbers (SSN, SIN, drivers license, health care, or passport numbers for example), along with birth dates, common security questions (eg. mother’s maiden name, names of family members), and information of that nature may collectively comprise an identity that could be stolen for nefarious purposes. The more of this sort of information you collect, the more SSL might be a worthwhile addition to your security policy.

I don’t store lots of personal data, my private members’ area is not especially sensitive, and I outsource credit card processing to a secure e-commerce provider. Is there any other reason why I might want SSL?

Not everybody knows what SSL protects or how it works. All they know is that the little padlock icon is “good”. If your users are pestering you because you don’t have the padlock icon, then it may be easier just to get SSL than to try to explain all the security nuances of why it won’t help them in this case.

Web browsers often throw up security dialogs when you move between SSL web pages and regular web pages. These dialogs are meant to be a more obvious variant of the padlock icon–to advise the user when their communications are encrypted and when they are not. They may pop up, for instance, when you finish paying at an e-commerce page, and are then redirected back to your website to get your receipt. However, dialog boxes sometimes seem like error messages to inexperienced users, who may attempt to cancel or reverse the operation they started. If this causes problems for you on your website, you may want to consider adding SSL just to prevent these dialog boxes from appearing.

In both of these cases, it is important to understand that SSL is not really protecting your website communications. Rather, it only being used to smooth over user interface and security issues that your users may not adequately understand.

One extra useful thing that SSL allows for is verifying that the website owner is really who they claim to be. If you are at risk of being spoofed by phishers, or otherwise need to be able to prove to your visitors that you really are who you claim to be, then SSL can help users confirm your identity by clicking on the padlock icon to get more information about you.

I probably don’t need SSL, but it might be best to get it just to be safe. Is there any downside to using SSL when you don’t need it?

Yes. SSL is slower because every single byte of information needs to be encrypted and decrypted by both the user and the webserver, and this takes significantly more effort than simply transmitting in the clear. SSL not only encrypts information typed into forms by users, but also the text of web pages, style sheets, scripts, images, and videos. Most of this does not need to be encrypted, but it gets encrypted anyway (otherwise the browser will complain that the secure page contains insecure elements). If you use SSL on a website that doesn’t need it, every user will pay a price in speed, and your website will “max out” on its performance sooner because much of that performance is being diverted to encryption.

SSL also creates an administrative burden, because the certificates cost money, require paperwork and verification by a third party, and need to be renewed, just like domain names. They also require private IP addresses, which may incur an extra cost if you do not already have a private server.