Thursday, May 27, 2010

Website Security

 

3 Critical Alerts Regarding Your Website Legal Forms For Privacy and Data Security

04 2010 Tuesday

13

By Chip Cooper in Security

Website privacy and data security violations continue to be the most critical legal concern for webmasters of software-as-a-service (SaaS) websites and ecommerce websites.

Just think about it – most marketing practices involve capturing data, including personal information about prospects, and using this data to market products or services.

How you collect, store, use, and share this information is now highly regulated, not only by the Federal Trade Commission (FTC), but also by various states. What you say in your website legal forms, website legal documents, and privacy policies is critical.

Three recent legal developments illustrate why webmasters of SaaS websites and ecommerce websites should monitor and stay current with these developments, or suffer severe consequences.

New Massachusetts Data Security Statute

Effective March 1, 2010, the Commonwealth of Massachusetts imposes new data security requirements for personal information of Massachusetts residents (201 CMR 17.00). The new requirements apply to all persons or businesses that “own, license, store or maintain personal information about Massachusetts residents.”

“Personal information” includes a Massachusetts resident’s name if linked to his/her social security number, driver’s license or state ID card number, or financial account/credit/debit card number that would allow access to the resident’s financial records.

If you’re regulated by the new statute, you’re required among other things to develop and maintain a data security policy and to require encryption “to the extent technically feasible” of the storage and transmittal of personal information regardless of whether the storage is electronic or the transmittal is by portable device (laptop or handheld device) or over public networks or the Internet.

Penalties and fines for violations are $100 per person affected with a maximum cap of $50,000.

FTC Issues Guides for Peer-to-Peer Networks

On February 22, 2010, the Federal Trade Commission (FTC) announced that it had notified almost 100 organizations — including large and small private and public companies, schools, and local governments – that their customers’ or employees’ personal information was vulnerable on peer-to-peer (P2P) networks.

The FTC was concerned that P2P networks operated by these organizations may inadvertently be providing an opening for unintentional access to personal information. According to FTC Chairman Jon Leibowitz, “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”

In addition to the notification letters, the FTC issued a guide on its ftc.gov website entitled “Peer-to-Peer File Sharing: A Guide For Business”. The guide provides data security recommendations including identification of security risks and steps to protect personal information from unauthorized access on P2P networks.

ControlScan CEO Pays $102,000 in FTC Settlement

On February 25, 2010 the FTC announced a settlement with ControlScan.com of FTC charges that ControlScan had misled consumers about how often ControlScan monitored websites, including steps taken by ControlScan to verify the websites’ privacy and security practices.

The founder and former CEO of ControlScan entered into a separate settlement requiring him to pay $102,000 in ill-gotten gains.

Privacy and security certification programs such as ControlScan are used by webmasters to provide assurance to consumers regarding how the website treats the privacy and security of personal information. The FTC alleged that ControlScan provided its certifications to websites with “little or no verification” of their privacy protections.

Most of these website documents and legal forms should be posted on the website, and therefore would be visible to any potential joint venture partner checking out your website.

This case underscores how seriously the FTC views privacy and security of personal information stored on websites, as well as how closely the FTC is observing representations regarding privacy and security. The FTC is on the lookout not only for websites that misrepresent what they do regarding privacy and security, but also for what certification websites represent that other websites do about privacy and security.

Conclusion

The worst mistake an ecommerce webmaster can make is to have “borrowed” a privacy policy from someone else or to have an outdated privacy policy that either does not make the required disclosures or misrepresents what the website does regarding privacy and security.

The legal liability can be substantial.

This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.


Leading Internet, IP and software lawyer Chip Cooper has automated the process of drafting website legal forms, website legal contracts, and website documents online. Use his free online tool – Website Documents Determinator – to determine which documents your website really needs for website legal compliance. Discover how quick, easy, and cost-effective it is to draft your website legal forms at http://www.digicontracts.com/ .

Are Your Websites Secure Or Is The Back Door Wide Open?

02 2010 Friday

5

By Willie Crawford in Security

One of the topics that all of us online business people are aware of but usually don’t feel totally on top of is website security.

Coming from a background of having spent over 20 years in the U.S. military, and having spent four years as a software tester, I have a greater awareness of the need for continuous vigilance in this area than your average marketer.

I also know that you can never make your websites or your computers completely secure. Instead, you can only do things that reduce the risk.

Given that you spend a lot of time, money, and energy, building your online business, it only makes sense that you set aside time periodically to review security related issues, and to look for problems that can be easily minimized.

Here are a few easy “fixes” that you can implement today that will increase the security of your online business.

1) Delete outdated scripts that you no longer use from your server. Many of “the bad guys” have studied the exact same scripts that you use to power your websites, and they know where the backdoors and vulnerabilities are. They know exactly which file will allow them to create all kinds of havoc.

If you have old programs on your server that you are not using, simply delete them.

2) Update older scripts that you are using. Often, the reason that updates are released for a script IS to patch a vulnerability that the developer has become aware of.

YES, upgrading can seem time consuming, and it can be tempting to skip an update, and just wait for the next one. When you wake up one day and can’t access your server, or all of your websites have been defaced or erased, you’ll see the wisdom in ALWAYS keeping the scripts powering your websites completely updated.

If you are as non-techie as I am, you simply hire a trusted programmer to perform this task.

3) Change the default settings when installing scripts on your servers. Many scripts have default passwords, and default locations for critical directories that make these scripts work flawlessly. Since everyone obtaining a copy of these scripts has these settings, you probably want to change them, and you also may want to rename certain directories.

4) Secure your web logs. Many web hosts have a standard location for the website’s logs and statistics on each hosting account. The files that allow you to access, read, download, and manipulate this data often aren’t secured. At a minimum, password protect that directory.

The danger in someone readily accessing your logs is that they can see the names and paths of the files on your server, including your download pages and the file names of files that may actually be for sale products :-(

There are not only people who search on your product name, looking for unsecured files – there are also people who enjoy posting those links on sites where this type of information is shared.

5) Put an index page in every directory on your server. If someone browses to the URL of one of the directories on your server, and there is no index page in that directory, they will get a directory listing showing them all of the files in that directory, and allowing them to simply click on a given file name to access it.

Servers can be configured to prevent this, but for many people, the quickest and simplest way to protect their directories from prying eyes is to stick an index page in each directory.

6) Give your download pages hard-to-guess names. Don’t use URLs like YourDomain.com/ProductName/download.html. Instead, give download pages names made up of a random sequence of letters and numbers, perhaps stick them in directories not even associated with a given product, or use a “download guard-type” script that gives each customer a unique download link and protects your files.
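One way to build the “download guard” idea from item 6, shown as an added example rather than code from the article or from any particular product: each customer gets a link that carries an expiry time and an HMAC signature, so a link copied from a log or a forum stops working and cannot be edited to fetch another product. The `/dl` path, the parameter names and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

# Assumption: a server-side secret stored outside the web root.
# It is generated here only so the example runs on its own.
SECRET_KEY = secrets.token_bytes(32)


def random_page_name():
    """Unguessable page or directory name (about 128 bits of randomness)."""
    return secrets.token_urlsafe(16)


def _sign(customer_id, product, expires, key):
    # JSON encoding keeps the three fields unambiguous, so "a" + "bc"
    # can never produce the same signed message as "ab" + "c".
    message = json.dumps([customer_id, product, expires]).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_download_link(customer_id, product, ttl_seconds=3600, now=None, key=SECRET_KEY):
    """Return a per-customer link that is valid for ttl_seconds."""
    issued = int(time.time() if now is None else now)
    expires = issued + ttl_seconds
    query = urllib.parse.urlencode({
        "c": customer_id,
        "p": product,
        "e": expires,
        "s": _sign(customer_id, product, expires, key),
    })
    return "/dl?" + query


def verify_download_link(link, now=None, key=SECRET_KEY):
    """Return (customer_id, product) for a valid link, otherwise None."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(link).query)
    try:
        customer_id = params["c"][0]
        product = params["p"][0]
        expires = int(params["e"][0])
        signature = params["s"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameter

    expected = _sign(customer_id, product, expires, key)
    # Constant-time comparison, done before the expiry check so that a
    # forged link learns nothing from the order of the failures.
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return None
    current = int(time.time() if now is None else now)
    if current > expires:
        return None
    # The caller maps `product` to a file kept outside the web root and
    # streams it; the real file name never appears in a URL or a log.
    return customer_id, product


if __name__ == "__main__":
    link = make_download_link("cust-1001", "ebook-v2", ttl_seconds=600)
    print(link)
    print(verify_download_link(link))
```

Because the product file is served by the script and not linked directly, the web logs only ever record signed, expiring URLs.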

There are lots of other things that you can do to easily close common holes in your website’s security. This article barely scrapes the surface, and is intended more to make you aware of the problem, and to get you thinking about it. Make regularly reading articles and reports on the topic a part of your education in how to operate a successful online business.


Willie Crawford has been operating an online business for 13 years and believes that too many online marketers simply pretend that problems with website security don’t exist. For a really eye-opening report on website security, get the recordings of an interview Willie did with a leading web security expert at: http://timic.org/CloseTheDoor

SEO company STOLE my traffic!

04 2008 Tuesday

29

By admin in Security

Believe it or not, the article is true. This is what happened to a friend of mine. I am not at liberty to name the SEO company, especially since the investigation is still ongoing, but this is what happened.

A couple months ago, my friend hired an expensive SEO company (charged $2500) to reoptimize his website to get maximum exposure for the search engines.

After he paid the fee, he soon learned that they contracted out the job overseas to a bunch of random people who asked for his website hosting username and ftp password and told him that it should be ready in a few days.

They made some changes to his website. He visually saw many of them but not all of them. They said wait 3 months before making any other changes and let our SEO work do the job.

He waited, and his traffic started dropping. He contacted them, and they told him that it was completely normal while his website was being reindexed by Google, and to be patient.

His orders began to suffer, his visits were decreasing, he barely lasted the 3 months. When he tried to contact them again, they had disappeared.

He hired someone else to go in and take a look at his website to figure out what had gone wrong. This is what they had done:

In his product catalog, some of the product names had a special hidden javascript next to them. When someone would go to the main website and click everything, the website would perform normally…

HOWEVER, if they came through a google referer in the http request, the javascript would activate and send his visitor to a competitor / spammy website who was selling the same products.

The only way he could have seen this, is if he visited his website like a normal visitor would who showed up from Google. Instead, he manually typed in his website address and therefore the javascript wouldn’t activate.

So here is a guy, who pays $2500 to an SEO company to help increase his traffic, and instead, all they ended up doing was stealing his money, AND his traffic.

This is something that everyone needs to be careful about. Don’t EVER trust an SEO company unless you have investigated THEM first. Don’t just hand over your FTP username and password to someone, and say “go ahead, and do what needs to be done”

…in this case what needed to be done was to hijack his website, steal a nice sum of cash, and run off in the middle of the night. His payment was cashed overseas, and the free mail accounts they had were no longer operational.

A real nice scam. Plus you have to wonder how much they made off his free traffic they stole over that 3 month period. How much other website hosting traffic did they steal from other websites caught in their SEO scam?

We’re all so desperate to get to the top rankings of the search engines, sometimes, we lose our business sense, and just hand money over to the first person who promises what we want to hear.

Jie Fang – Please share this story with anyone you know. More useful articles like this are at http://sillyinternet.blogspot.com
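A check a site owner could run over their own pages after a third party has had FTP access, as an added example that is not part of the original post: it pulls every inline script and `on*` handler out of an HTML file and flags the ones that both read `document.referrer` and navigate the browser, which is the pattern the story describes. The sample pages and the `competitor.example` domain are constructed, and all names are hypothetical.

```python
import re
from collections import namedtuple
from html.parser import HTMLParser

Finding = namedtuple("Finding", "line kind mentions_search_engine")

# Script reads where the visitor came from ...
REFERRER_READ = re.compile(r"document\s*\.\s*referrer", re.I)
# ... and sends the browser somewhere else (assignment, not comparison).
NAVIGATION_SINK = re.compile(
    r"\blocation\s*(?:\.\s*href\s*)?=(?!=)"
    r"|\blocation\s*\.\s*(?:replace|assign)\s*\("
)
SEARCH_ENGINE_HINT = re.compile(r"google", re.I)


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and on* event handler attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.snippets = []  # (line, kind, code)
        self._in_script = False
        self._buf = []
        self._line = 0

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            if name.startswith("on") and value:
                self.snippets.append((line, f"{tag} {name}", value))
        if tag == "script":
            self._in_script, self._buf, self._line = True, [], line

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.snippets.append((self._line, "script", "".join(self._buf)))
            self._in_script = False


def find_referrer_redirects(html):
    """Return a Finding for each inline script that redirects based on referrer."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, kind, code in collector.snippets:
        if REFERRER_READ.search(code) and NAVIGATION_SINK.search(code):
            hint = bool(SEARCH_ENGINE_HINT.search(code))
            findings.append(Finding(line, kind, hint))
    return findings


# Constructed sample: a catalog page with a script hidden next to a product name.
TAMPERED_PAGE = """<html><body>
<ul>
  <li>Blue widget <script>
    if (document.referrer.indexOf("google.") !== -1) {
      window.location.href = "https://competitor.example/widgets";
    }
  </script></li>
  <li>Red widget</li>
</ul>
<script>var ref = document.referrer; navigator.sendBeacon("/stats", ref);</script>
</body></html>"""

# Constructed sample: the same page with only the statistics script.
CLEAN_PAGE = """<html><body>
<ul><li>Blue widget</li><li>Red widget</li></ul>
<script>var ref = document.referrer; navigator.sendBeacon("/stats", ref);</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_referrer_redirects(TAMPERED_PAGE):
        print(finding)
```

This only inspects inline code, so external script files need the same review, and a diff of the site against a backup taken before access was granted catches what a pattern match cannot.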

Effective Ways to Optimize Security in IT

08 2007 Friday

17

By Eddie Bannister in Security

Chances are your computer network or PC has been attacked at some point or another. Perhaps a worm caused your system to slow down severely, a virus erased your entire hard drive, or, malware plagued your registry and browser, leaving you helpless and frustrated. What you probably learned from these attacks was how or where to find a quick-fix while your overall security remained unchanged. What you may not know is that there are a few fundamental practices in relation to the hardware, software and people that can help to improve or optimize the safety level of your computer network and personal system. These practices or ways are sound, easy to implement and highly effective.

On the Hardware/Software Side

While they may appear relatively basic at the onset, some practical measures should be taken to not just establish and maintain but also to increase ongoing security to computer hardware and software. Failure to adhere to these measures or ways of implementing security can potentially lead to disaster. Of course, you can further add to or enhance these measures depending on your particular situation–such as budget restraints, time-frame, etc.

Specifically, you will want to:

  • Upgrade or replace. Older hardware can malfunction and become unstable; older software can have security holes and vulnerabilities or could fail to properly integrate with newer technologies.
  • Patch up and harden. Whether it’s a domain controller or your home PC, install anti-virus software, configure a firewall, update the OS using service packs and remove unnecessary services.
  • Limit access. Keep the system away from prying eyes and unauthorized users. Implement strong passwords; use encryption. Locks and biometrics are strongly recommended, too.
  • Monitor regularly. Make a habit of watching network activity and reading system logs to find inconsistencies and unusual traffic patterns.
  • Maintain good backups. Backup often and verify your backups always. Keep one or more copies off-site, if possible.

On the People Side

When it comes to security, people usually are the weakest link in the chain. They can be lazy, indifferent, uninformed or represent some other security liability. Because you, too, may possibly exhibit such characteristics and behaviors yourself, here are ways to address these people problems and successfully increase and ensure IT security. For example, you should:

  • Establish controls. Rules and policies can help to specify what is or isn’t acceptable use. Enforce them. Be prompt at acting on the slightest deviation.
  • Train and educate. You and your staff can never be too knowledgeable about the newest technologies or the latest types of attacks–worms, viruses, Trojans, malware and others. Be prepared to learn and learn to be prepared.
  • Be safety aware. Don’t expose yourself or your systems to potential attacks by linking to questionable websites. And, opening an email attachment from an unknown source could quench much more than sheer curiosity.
  • Go “long” on commitment. Engage people by assigning them (or yourself) duties and responsibilities with realistic goals and rewards. Foster loyalty and support alongside accountability for non-performance.

Experiencing a malicious attack is sometimes the result of weak or ineffective security practices. And, while finding quick solutions to the attack may be reactionary and expected, it is not necessarily the only or best course of action in securing PCs and networks. There are far more sensible and fundamental ways to implement and address security in relation to the hardware, software and people involved in day to day operations. It is, in fact, by applying those ways and practices that you can effectively and successfully improve upon and optimize security in IT.

Author:  Eddie Bannister works as a network consultant and computer instructor. He also enjoys writing about a wide range of topics.

7 Steps To Effectively Take Control Of Your Inbox And Reduce Spam

08 2007 Friday

10

By Corey Geer in Security

Everybody hates spam! I am sure spammers hate getting spam too, but they still continue to dish it out. Why? Because it is still effective. Believe it or not, many of us still click on the links or follow up on the spam message. As long as we continue to do this, spam will exist. If everybody understood this and paid no attention to spam, the spammers would eventually give up because it costs them real money to send out emails. It is hard to quantify what the cost of sending out one, two or fifty emails is, but 1 million or 5 million emails certainly has a cost that is not negligible. When the payback starts to get so small that the spammers cannot make a decent living, they will find something else to do. This day will come and I cannot wait for it to arrive.

In the meantime, what can we do about it? Well, I am not going to tell you that there is a perfect solution that will stop all spam, but what I will tell you is that there is a way to reduce the problem and manage it effectively using the 7 steps outlined below.

Step #1: Get Your Own Domain Name
Fighting spam effectively starts with getting your own domain name. For example if your name is Andy Williams, you would purchase a domain name called andywilliams.com, which is of course already owned by the famous singer. This has some unique advantages over using an ISP given domain name or a webmail service such as Hotmail or Gmail. It also has some minor disadvantages. Let’s examine these.

One major advantage is that you control the entire email address. You could create email addresses like [email protected], [email protected], [email protected] and so on. This is in stark contrast to an ISP assigned name like [email protected]. If you wanted another one, you’d have to open up another account or pay extra for each additional ISP assigned address. If you ever decided to switch ISPs, you would lose that email address and have to start over using a new one, and inform everyone you communicated with about it – a very messy proposition.

Many get around this problem by getting a Hotmail, Yahoo Mail or Gmail account which you can access from anywhere as long as you have internet access. These types of email accounts definitely have a place in your email toolchest, but do not suffice as your primary personal email address. One reason is that you do not have access to your email messages and address books when you are not online, like during a long flight. Another drawback is that they do not allow you to export the online address books, making portability very tedious.

I prefer owning my own domain name which I call my permanent email address. I will always have this email address as long as I renew this domain name every year. The cost of registering a domain name varies from $4 to $8 per year for most common ones. This is a small price to pay for the advantages it brings you.

The one minor disadvantage of owning your own domain name is that you need to manage it yourself, or have someone do it for you. This in my opinion is far outweighed by the advantages mentioned above.

Step #2: Create Private Email Addresses
A private email address is one that nobody but your inner circle knows about. Every person that you give your personal email address to is someone that you trust and want to receive email from.

Setup one private email address for every person who is going to need to receive messages. This could be you and 5 other members of your family or 12 employees that work for you. This part is quite straightforward, you simply login to your email control panel and create new accounts for each email address that is going to be used to receive email.

Step #3: Create Public Email Addresses As Aliases
A public email address is generally known to the public. It can be specific like [email protected] or generic like [email protected].

A public email address is created as an email alias. An email alias is not a real email address, but an address that gets redirected to a real email address. For example, you setup [email protected] as an alias that redirects to [email protected]. Whenever someone sends an email to [email protected], it will end up in Mary’s inbox. If you change receptionists, you simply modify the redirect for a very elegant solution. You can then publish this public email address on a website, in a brochure, on print advertising, business cards etc. without giving away your personal email address and without having to make many changes if Mary leaves and a new receptionist is hired. This is a huge benefit and maintains your privacy as well as that of others you have created email addresses for.

How does this help with spam, you ask? By using email aliases in a smart fashion, you could very easily shut down any spam that starts coming in. Let’s examine how this can be done.

Step #4: Setup the Default or Catch-all Email Address
Your email control panel will have something called a “default address” or it is also sometimes called a “catch-all address”. This is a valid email address that all unresolved emails go to. If you set this up to be your personal email address for example, then you will receive all emails that are addressed to “anything”@andywilliams.com, this includes [email protected], [email protected], [email protected] etc. Herein lies the secret to combat spam.

Step #5: Create Specific Named Public Email Addresses As And When Required
When you are forced to register on a website where you want to get some information from, you are usually asked for a valid email address. Well guess what, you now have an unlimited supply of valid email addresses. I usually use a specific format when registering at websites – it is “websitename”@andywilliams.com. So if I am registering at a website called www.get-rich-quick.com, I would use the address [email protected] as my valid email address. When the site sends me an email, it gets redirected to my personal email or whatever the default or catch-all address is.

Step #6: Send Spam Back To Where It Came From, If Possible
Here comes the real bonus, if you subsequently start receiving spam addressed to none other than [email protected], you simply create an email alias for [email protected] and redirect the email back to exactly where it came from, for example [email protected]. You will then never get another email from anyone using that email address ever again. This is cool and is my favourite part. Bear in mind that spammers usually send email from an address that is not their own, so if you see an address like [email protected], then you would redirect it somewhere else, for example a Hotmail address that you setup just for redirection purposes. Please exercise some discretion here because spammers often use the email addresses of real people and we don’t want these innocent people getting redirected email.

Step #7: Be Diligent In The Ongoing Management Of Your Domain
If you do this diligently for each website where you register by identifying the website name, you will very quickly know which websites are selling email addresses and which ones honor their promise not to share your information. All this while, nobody but your personal inner circle knows your private email address.

A real-life example in my case: I use a specific email alias for my Paypal account which nobody but Paypal knows. I have never ever received spam on this address, but I have received hundreds of spam messages on other email aliases that I have created. All of these emails supposedly come from Paypal and address me as “Dear Valued Paypal Member” or something similar, warning me that my account is going to be closed or suspended unless I click on their link and update my credit card information.
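The bookkeeping behind Steps 5 to 7 and the PayPal observation above, as an added example that is not the author's own code: keep a registry of which site was given which alias, then classify each incoming message by comparing the recipient alias with the domain in its From header. The domain `example.com`, the registry contents and the sample messages are constructed, and the function names are hypothetical.

```python
from collections import Counter

MY_DOMAIN = "example.com"  # constructed stand-in for your own domain

# Assumption: a registry you maintain of every alias you handed out and
# the only sender domain(s) that were ever given that address.
ALIAS_OWNERS = {
    "paypal": {"paypal.com"},
    "get-rich-quick": {"get-rich-quick.com"},
    "newsletter": {"news.example.net"},
}


def _matches(sender_domain, owner_domain):
    """True for the owner's domain itself or any subdomain of it."""
    return sender_domain == owner_domain or sender_domain.endswith("." + owner_domain)


def classify(recipient, sender_domain):
    """Classify one message by recipient alias and claimed From domain.

    The From domain can be forged, which is exactly what the
    "impersonation" result exposes: a brand writing to an address
    that the brand was never given.
    """
    local, _, domain = recipient.lower().rpartition("@")
    sender_domain = sender_domain.lower().rstrip(".")
    if domain != MY_DOMAIN:
        return "not-ours"
    owners = ALIAS_OWNERS.get(local)
    if owners is None:
        return "unknown-alias"  # reached the catch-all, never handed out
    if any(_matches(sender_domain, d) for d in owners):
        return "expected"
    for other_alias, other_owners in ALIAS_OWNERS.items():
        if other_alias != local and any(_matches(sender_domain, d) for d in other_owners):
            return "impersonation"
    return "leaked"  # a third party obtained this site's alias


def leak_report(messages):
    """Count, per alias, the messages showing the alias left its owner's hands."""
    counts = Counter()
    for recipient, sender_domain in messages:
        if classify(recipient, sender_domain) in ("leaked", "impersonation"):
            counts[recipient.lower().rpartition("@")[0]] += 1
    return dict(counts)


# Constructed sample: (recipient address, domain in the From header).
SAMPLE_MESSAGES = [
    ("paypal@example.com", "paypal.com"),
    ("get-rich-quick@example.com", "get-rich-quick.com"),
    ("get-rich-quick@example.com", "cheap-pills.example"),
    ("get-rich-quick@example.com", "paypal.com"),
    ("newsletter@example.com", "mail.news.example.net"),
    ("sales@example.com", "bulk.example"),
]

if __name__ == "__main__":
    for recipient, sender in SAMPLE_MESSAGES:
        print(f"{recipient:32} {sender:24} {classify(recipient, sender)}")
    print(leak_report(SAMPLE_MESSAGES))
```

An alias that shows up in the report is the one to disable or redirect, and the site it was registered with is the one that shared or lost the address.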

I hope that I have given you some food for thought on how to manage the ever growing spam problem by protecting yourself by taking some initiative and getting your own domain name. The added benefit is that you now have a permanent email address no matter where you choose to live or which ISP you use to connect to the internet.

Author:  644 EBooks – Marketing – Arts – Autos – SEO – Tools – Traffic – List Building – Society – Shopping – Sports – Self-Improvement and MUCH MUCH MORE! All For only $7 A Book. http://coreygeer.blogspot.com/

Spyware Cookies Stealers: An Emerging Threat In The Age Of Information

07 2007 Monday

30

By David Faulkner in Security

In this age of information, cookies are an essential element in making transactions faster and so much more convenient. We are not talking about the food item, of course. In the computer vernacular, cookies are actually files that store important information which are sent from your system to remote terminals in order to process certain requests.

These cookies have become the targets of some devious individuals who could be after some important information pertaining to you or your business. Spyware cookies stealers are programs developed by these unscrupulous people to make stealing information easier for them.

Whenever you perform an online transaction – say, you log on to a website to pay your electric bills – you enter your user name and other personal information. The website saves these bits of information so you don’t have to enter them again each time you log on in the future. What spyware cookies stealers do is look for this information in your hard disk and steal it from you. Usually, you won’t even know this has happened.

Once the spyware cookies stealer has acquired your information, this will be available to other people who can do whatever they want with it. In order to visualize the potential damage that spyware cookies stealers can cause, think of all the data that you enter into websites…user names, passwords, credit card numbers, bank account numbers, and other personal information.

Now imagine that information being in the hands of some malicious person. In these times when you can do practically everything online, an individual in possession of all your passwords and financial data can destroy your life, literally.

An online thief can empty your bank account with just a few clicks and you can be bankrupt in an instant without even knowing what hit you. People can use your identity in performing criminal acts and you can end up suffering the consequences of their actions.

The scary part is that this does not happen only in movies. It can actually happen to you, thanks to the many spyware cookies stealers that abound in the Internet.

The good news is that spyware cookies stealers can be removed from your system, and if they are detected early, you can minimize the damage they can bring. A good anti-spyware program can detect these spyware cookies stealers that may be hiding within your files.

When you have spotted and removed the spyware cookies stealer in your system, the next thing to do is to delete your cookies. You will then need to perform a thorough scan of your system to make sure that no threat is left behind.

To prevent future infiltration of spyware cookies stealers in your hard disk, upgrade your anti-spyware software regularly. You may need to pay a fee for these upgrades but when you think about the protection it can give you against spyware cookies stealers, a few dollars worth of protection is definitely worth it.

Author:  You can also find more info on Spyware and Spyware And Adware. Removespywarehelp.com is a comprehensive resource to know about Spyware.

Scam Alert: Domain Hijacking

07 2007 Friday

27

By Douglas Miller in Security

There’s a frightening new batch of scams going around now that can damage your reputation as domain “squatters” steal your domain name.

There are a number of ways the “game” is played. The first is entirely legal, if more than a little questionable. In this version, the name of a city or geographic area is grabbed by a domain squatter and pointed to… “sites that you wouldn’t want your children visiting. (ie: porn)”

A prominent notice is placed on the sites, offering them for sale at prices that range from $2500 to as much as $500,000!

The idea here is that city officials will feel that enough damage is being done to the reputations of their towns that they’ll pay to keep them from being associated with that type of material.

It’s obviously safe to say that it’s not appropriate to pop those kinds of images into people’s faces while they’re looking for info on a completely different topic.

That’s where the pressure on the cities comes from, and why this is such a disgusting scheme.

In essence, the domain squatter says: “Pay us, or continue to watch as your city’s reputation suffers.”

Many would call this blackmail…

The second variation on the theme is not always legal. It occurs when someone takes a trademarked name (or a variation of the spelling of one) or a famous person’s name, and does the same thing.

For trademarks or close variations, there’s a specific procedure for addressing the problem. (See the resource section at the end of this issue.)

For the names of famous people, there MAY be a remedy. But, it can be tricky — and expensive.

For example, if someone named John Jones registered http://WalterCronkite.com and pointed it to one of “those” sites, Walter Cronkite could probably force the domain away from him.

However, if someone named Steve Cronkite registered http://Cronkite.com and did the same thing, Walter Cronkite would have no recourse. It would be very hard to demonstrate that Steve registered the domain in bad faith. And if Steve’s son’s name is Walter, the same is true for http://WalterCronkite.com.

If you feel that your name is likely to be typed into a browser when people are looking for information on you, you should consider getting both the .com and .net versions of the domain if they’re available.

It will cost you a few bucks to prevent the problem. Fixing it, assuming you win, will cost you hundreds — if not thousands — of dollars.

And there’s no guarantee you’ll win.

A third version is a bit more benign. It’s common among members of affiliate programs. In this version, names very close to, or even including, the trademark are registered. The sites are created to drive traffic to the affiliates’ URL at the main site.

This may or may not be acceptable to the affiliate program owner. If it is, it’s a good technique for getting traffic. If not, it could get you into hot water. Check with the owner of the trademark before doing this.

Less benign is an alternative version of this technique where someone grabs domain names that are close to the trademark of a competitor and uses them to grab competitor type-in traffic. This is often done by finding out the most common misspellings of the real domain name or trademark. Watch for people doing this with your domain.

Here’s the worst version of this — and it can hit anyone if they have enough traffic and don’t pay close attention to when their domain registrations expire.

In this situation, someone grabs expired domain names and points them to “those” kinds of sites. This is a “no lose” for the hijacker, as they will profit from the traffic even if the previous owner doesn’t pay the requested ransom for the domain.

The more traffic the URL gets, the greater the clickthrough value to the hijacker. This means more potential damage to the original owner — and a higher ransom to get it back.

In effect, your own popularity is your worst enemy in this case.

The solution to this one is simple — and very important: Don’t let your domain names expire!
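The two defensive habits described above (watching close misspellings of your own domain, and never letting a registration lapse) can be kept as a simple checklist script. This is an added example, not part of the original article; the domain names, expiry dates and the 60-day warning window are constructed assumptions, and looking up who holds each watch-list name is left to your registrar's tools.

```python
from datetime import date

TLDS = ("com", "net")  # the article's advice: hold both the .com and .net forms

def typo_variants(label):
    """Single-slip misspellings of a label: dropped, doubled, swapped letters."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])            # dropped letter
        out.add(label[:i] + ch + ch + label[i + 1:])  # doubled letter
        if i + 1 < len(label):                        # adjacent letters swapped
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    out.discard(label)  # a swap of identical letters reproduces the label
    out.discard("")     # dropping the only letter of a one-letter label
    return out

def watch_list(domain, owned):
    """Names worth registering or monitoring: the label and its typo
    variants under each TLD, minus the names you already hold."""
    label = domain.split(".", 1)[0]
    labels = typo_variants(label) | {label}
    names = {f"{name}.{tld}" for name in labels for tld in TLDS}
    return sorted(names - set(owned))

def expiring(inventory, today, warn_days=60):
    """(domain, days_left) for names already expired or inside the
    warning window, most urgent first. Negative days_left means lapsed."""
    rows = [(name, (expiry - today).days) for name, expiry in inventory.items()]
    return sorted((r for r in rows if r[1] <= warn_days), key=lambda r: r[1])

# Constructed sample inventory: domain -> registration expiry date.
INVENTORY = {
    "example.com": date(2010, 6, 15),
    "example.net": date(2011, 3, 1),
    "example.org": date(2010, 5, 20),
}

if __name__ == "__main__":
    today = date(2010, 5, 27)  # fixed date so the output is reproducible
    for name, days in expiring(INVENTORY, today):
        state = "LAPSED" if days < 0 else "renew soon"
        print(f"{name}: {days} days ({state})")
    names = watch_list("example.com", INVENTORY)
    print(f"{len(names)} look-alike names to check, e.g. {names[:3]}")
```
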

Useful Resources:

If you find yourself a victim of domain hijacking, there is hope for correcting the problem.

For a more formal explanation of the legal aspects of this problem, visit: http://www.llrx.com/congress/100200.htm

For specific information on the UDRP (Uniform Domain Name Dispute Resolution Policy), the procedure for taking domain names that are being used in violation of a trademark, see http://wipo2.wipo.int/process1/index.html .

For information on taking action under the Anti-Cybersquatting Act (A US law that provides for damages in addition to the less severe penalties of the UDRP) see:

Editor’s note: Author’s suggested resource link was dead and replaced with those below:

The Anticybersquatting Consumer Protection Act
FAQ: The Anticybersquatting Consumer Protection Act
Anticybersquatting Consumer Protection Act vs. Uniform Dispute Resolution Policy

If you have a famous name or trademark, the best defense is to make sure that you register the main variations in both the .com and .net form. The .org is probably only necessary if you are heavily involved with charitable activities. Protect yourself. Scammers come up with new schemes all the time…

So, keep your eyes open.

Author:  Douglas Miller is a retired fire service captain, now making a living working from home. His company Hundred-Fold-Life is not just a name but also a belief. To learn how to find the best home based business ideas and opportunities so you can work at home visit: http://www.clixgo.com

What Can We Do About Spam?

Monday, July 23, 2007

By Jim Pretin in Security

I receive approximately 5,000 emails containing spam each and every day. Well, maybe not that many, but it sure seems like it. Spam is spiraling out of control and shows no signs of stopping. The question is, where does spam come from, and can you do anything about it?

Most of the spam I receive in my inbox is sexually explicit, but I still like to look at it because some of this junk is actually quite entertaining. My personal favorites are offers to purchase discounted Canadian Viagra, ads for pornographic websites, and bogus work-from-home programs.

How do these people get their grimy hands on your email address? One way they can get it is through opt-in email. When you order something online, as part of the subscription or service that you signed up for, you may have inadvertently agreed to receive offers via email from that company in the future.

As a result, said company adds you to their mailing list and begins to send you email. This is perfectly legal as long as the company provides you with a way to unsubscribe from their mailing list. If they do not provide you with a means to unsubscribe, then the emails they are sending you are considered spam.

To make matters worse, a spammer will sell your email address and any other information you submitted to them to hundreds or even thousands of other companies who are looking for leads. Before you know it, your email address has been circulated everywhere. Once this happens, there is almost no way to prevent spam from reaching your inbox.

Another common way your email address can end up on a mailing list is when an internet marketer purchases a list of email addresses from someone else, and then sends a joke or an interesting cartoon to everyone on that list and asks you to forward it along to all your friends and relatives.

Once you forward the message, the email has a program attached to it that will copy the list of addresses that the message has been forwarded to and send that list back to the person who originally sent you the email. So now, that person not only has your email address, but also has the email address of everyone you forwarded the message to.

Another popular technique is known as harvesting. This is accomplished by writing a simple retrieval program that searches through every web site listed on a search engine for a certain keyword, grabs any email addresses that are posted on those sites, and sends them back to the harvester. Using this technology, it is possible to acquire thousands of email addresses in an hour or less.

Harvesting has become a legal dilemma. The email marketing community feels that they should be allowed to harvest email addresses that are posted on public websites. In their opinion, if someone has posted their email address for all to see, then other people have the right to contact that person and ask them questions or send them offers.

However, web sites where email addresses are posted have threatened legal action against anyone that harvests email addresses from their site and uses them to build spam lists. Unfortunately, these web sites really have no way to prevent this, and it will only get worse in the future.

We will never stop spam completely. Both big businesses and small businesses have a strong incentive to send bulk email, because it costs nothing, and is a valuable tool for increasing their customer base. Sending regular mail or hiring a telemarketer costs a lot of money and is extremely ineffective. As a result, most companies would prefer to send massive amounts of email. So, expect your inbox to be chock full of spam for many years to come.

Author:  Jim Pretin is the owner of http://www.forms4free.com, a service that helps programmers make an HTML form

A Brief History of Spyware

Monday, July 16, 2007

By Chinedu Norbert in Security

“Spyware” has emerged in the cyber era as the most dangerous, damaging and menacing technology in recent history. It is no exaggeration to say that if you are connected to the Internet, there is every chance of being affected by this nuisance. So it is a good time to take a broad look at “spyware”.

The word “spyware” was first used in public on 16th October 1996, when it appeared on Usenet in an article sarcastically aimed at the business strategies of the global leader Microsoft. Later, around 1999, it was used as a synonym for spy equipment like microphone bugs or miniature cameras. Later that year, in a press release for the Zone Alarm Personal Firewall by the Zone Labs company, it was used in the meaning we know today.

The word “spyware” was an instant hit in the mass media and with the general public, and soon after, in June 2000, the first anti-spyware application, OptOut, was released by Steve Gibson. Gibson planned to market OptOut at a very competitive price, but around the middle of 2000 he faced tough competition from Lavasoft, whose anti-spyware software version 1.0 was offered absolutely free. Lavasoft’s application was more capable as a spyware removal tool and already performed multiple tasks. As a result, Gibson withdrew from the race, leaving OptOut with no further development. Nevertheless, OptOut can be called the pioneer of anti-spyware applications.

It must be said that the term “spyware” causes a bit of confusion. Though the word suggests information being sent back to certain individuals, not all spyware applications do this. Many people working in data security management prefer the word “malware” to “spyware”, as it indicates software that is particularly detrimental to the computer system. Another word, “adware”, is also popular for software applications like keyloggers and Trojans, which are nothing but “spyware” in usage.

According to a once-celebrated report, an explicit spyware application was distributed to numerous internet users under the cover of a free, exceedingly user-friendly and widely appealing game named “Elf Bowling”. This took place around 1999. At present, and in general, the Windows operating system is the favored target of spyware applications.

A few of the most notorious spyware programs are Xupiter, Gator, XXXDial, DirectRevenue, Euniverse, CoolWebSearch, 180 Solutions, Bonzi Buddy and Cydoor. One thing should be noted: all these applications attack only Microsoft Windows operating systems. Platforms like Linux and Mac OS X have never been reported to be affected in any way by these spyware applications.

In October 2004, America Online and the National Cyber-Security Alliance performed a survey. The result was startling. About 80% of all internet users have their system affected by spyware and about 93% of spyware components are present in each of the computers and 89% of the computer users were unaware of their existence. Out of the affected parties almost all, about 95% confessed that they never granted permission to install them.

Legally speaking, spyware cannot be classified as a virus, as it never replicates itself. As a result, it remains undetected when anti-virus applications are used. What’s more, you actually agree to be spied upon when you click the ‘I agree’ button on the screen while installing software that contains spyware files (often bundled in). Unfortunately, people rarely read end user licence agreements while downloading and, if they were to read them, the documents are written in legalese. People never consult a lawyer when doing such things as downloading or installing.

To define what spyware actually is, we can quote what Dick Hazeleger, famous for his “Spyware List”, said, “Spyware is the name which was given to software that – without the user of the program knowing that the software performs this kind of action – traces the user’s usage of the internet and sends this information – again without the user knowing this is happening – to a computer (“Server”) designated by the developer of the Spyware software. By performing these actions, detailed user profiles may be collected – without the user’s knowledge and approval – which then can be used for commercial or other purposes. By gathering and sending this information both resources on the user’s computer as well as bandwidth on the Internet is abusively used, not to mention the breach of privacy such a User profile would be.”

The state of Utah has already gone a step ahead of others and announced that several tasks performed by spyware would be strictly proscribed. Even the US Congress is preparing to follow the same line of operation. House Resolution 2929–the Spy Act has been prepared to control this menace.

This is what Utah’s antispyware law, the Spyware Control Act, has to say, “… we would not consider any application that uses pop-ups, is distributed through file sharing such as Kazaa or is not removable. Beyond that, we would look for applications that provide consumers value and would be installed on their own if people knew about them. The aggressive tactics of some advertising-supported software has given the whole sector a bad name. But if the software is fully disclosed and doesn’t rely on intrusive methods such as pop-ups, the consumer should have a choice to view ads in return for software. What’s more, the developer should have a right to make money. Beyond these guidelines, the legal risks and moral problems become clear, and legitimate businesses should stay away from these practices.”

At present Microsoft can champion about its anti spyware application release and it is mandatory for the software developers to be certified by the International Charter as Spyware Free.

Author:  Chinedu Norbert writes a blog about spyware and adware removal at easilyremoverspyware.blogspot.com. He recommends using a product called NoAdWare.

I Won The Lottery! Or, Maybe Not

Monday, July 2, 2007

By Shari Hearn in Security

I must be the luckiest person alive. In the past three days I found out I won 1.5 Million Euros in the UK lottery, One Million Euros in the Winx International Lottery, 1.5 Million Euros in the 2007 E-Mail Lottery, and 500,000 Pounds in an e-mail lottery held by the Coca Cola Company. Wow! What did I do to receive all these riches?

The sad truth is there are actually people who fall for these schemes. For the promise of a quick buck (or million Euros as the case may be) people will turn over their bank account numbers, wire money in the hopes of getting more back, or give other information that could lead to identity theft.

These lottery and sweepstakes schemes have gone on long before the internet, with one of the oldest being the phony sweepstakes which required an entrance fee to claim your prize, which amounted to more than the “prize” was worth. Another variation of that scheme was requiring the potential “winner” to call a certain number to find out if he or she was a winner. The phone call cost the potential “winner” a certain amount per minute with an unusually-long wait time on hold. The real winner was the scamming company which made money off the phone calls.

Today’s thieves have a wide choice of scam-delivery mechanisms, including in person, the mail, phone and internet. However, the same holds true no matter how the scam is delivered: if it sounds too good to be true, it is.

How Can You Recognize the Lottery or Sweepstakes Scam?

There are certainly legitimate lotteries and sweepstakes offers. Who hasn’t bought a state or multi-state lottery ticket from their local lottery retailer? Or, who hasn’t seen one of those sweepstakes offered by a recognized company advertising in the coupon section of the Sunday newspaper? You fill out the entry form or reasonable facsimile (usually a 3″x5″ card) with your name and address and send it off.

Therein is your biggest clue as to whether you’re the victim of a scam. In a legitimate lottery or sweepstakes you have bought the ticket or entered your name and address. In a scam lottery or sweepstakes you are notified you’ve won when you haven’t even entered or bought a ticket.

In addition, it’s illegal to use the mail or telephone to play lotteries across borders, whether national or state lines. Any lottery offer involving the purchase of lottery tickets for other state or country lotteries could end up with you being charged with illegal activities.

One ploy used by foreign scammers involving lotteries or sweepstakes is offering you an “advance” on your winnings. The scam artist will send you a check for part of your “winnings.” All you have to do is wire them payment for “taxes” or other official purposes. By the time you find out their check has bounced the money you wired is in their hands. And, because it was wired it’s harder to trace.

Lottery scammers don’t always use e-mail or the phone. Sometimes they do their dirty work in person. A typical scam would go something like this: You are approached in person by someone who claims he or she just won the lottery but isn’t eligible to claim it. They offer to split the money with you if you claim the prize. Sounds good, right? Except that before you claim the prize from the lottery retailer you are required to withdraw some money from your account and give it to the ticket holder as a good-faith gesture. By the time you find out you’re holding a non-winning lottery ticket, the thief is long-gone with your good-faith money.

In order to protect yourself from these scams, it’s important to remember the following:

Lotteries

* It’s illegal to use the mail or telephone to play lotteries across borders.

* If you ever receive a phone call, letter or e-mail announcing you just won a lottery, it’s a scam.

Sweepstakes

* It’s illegal for a company to require you to pay to win or claim a sweepstakes prize.

* It’s illegal for a company to suggest that buying something will improve your chances of winning.

* Companies cannot ask for money from you for taxes they say you owe on a sweepstakes winning.

* Be cautious when entering sweepstakes from displays you see in malls – often times these are people just wanting your name and address for a future sweepstakes scam.

* Only enter sweepstakes from recognizable companies, and never pay a fee to enter.

Avoiding being the victim of a scam takes a healthy dose of skepticism. If you are ever unsure about the legitimacy of an offer made to you, you can call the National Fraud Information Center’s Hotline at 1-800-876-7060.

Author:  Shari Hearn is a writer and creator of Safety Tips 411, where you’ll learn how to guard against identity theft.

SiteProNews: Webmaster News & Resources » Security

1 comments:

dashka said...

thanks for info, but for control network activity I prefer to use ProteMac Meter