The Business Protector

It\’s \”Change Your Password\” Weekend

Friday, April 24, 2009

I’ve heard quite a few stories this week from people who have had problems due to passwords. Old, easy to guess, weak… that simply won’t work nowadays.

First off is Josh Spaulding, who talks about a $1,600 credit card bill that came about as a result of a weak password (and thanks, Josh, for taking responsibility. While I’m sorry it happened to somebody like you, it’s refreshing to see you not try to pass the buck).

Another one was discussed at length in the Earn 1k A Day Forum, and another happened to a colleague in the Internet Marketing Inner Circle membership site. Unfortunately, I can’t give you links to those discussions because those are private membership sites.

Finally, Scott Spanbauer writes in the Windows Secrets Newsletter about an unpatched hole in Google’s Gmail service. This hole could allow an attacker to change your Google password — not something you want. The article — and the newsletter — is worth reading.

So the verdict is clear: Change your passwords. Use a hard to guess password that’s at least 10 characters and uses upper case letters, lower case letters, numbers, and special characters. Change it at least every three months. And while some security pros will disagree me, I think it’s OK to write down your passwords as long as you treat that piece of paper like you would a large sum of cash or a credit card.

Even better, get RoboForm and let it manage and create your passwords for you. You only have one password to remember that way — your master password that encrypts the rest of your passwords. Just make sure that you change that password every three months, too!

Filed in tips | Comments (0)

Terms, Privacy Policy, and Your Customers

Friday, April 10, 2009

I talked about Stan Craigie and his GIMP training videos in my last blog post. Today I want to talk about the terms of service on your website, your privacy policy, and whether they truly reflect your concern for your customers. And then I’ll tie the two together — I promise!

Are your privacy policy and terms of service driving away customers? In some cases, they are, especially if I visit your site. I can name at least two instances off the top of my head where I’ve literally had my credit card pulled out of my wallet and was ready to purchase — but stopped when I read what those marketers wanted to do with my personal data. I can also name two other instances (including one that involves Mr. Craigie) where the website owner positively responded by changing the terms to better protect my data, which led to a sale (and in the case of Mr. Craigie, lots of sales — if a few of you reading this will purchase his inexpensive graphics training course).

First off, if you are going to have a website — be it commercial or personal — you need to have a standard set of policies. There are many free ones out there for the budget conscious among us, but I recommend that you invest a few dollars to get a good set. Check out my legal page to read my terms, then follow the link at the bottom of that page to see the solution that I purchased. I think that it represents a good value.

Next: it’s easy to get carried away and to write your terms so that they protect you, and only you. There’s at least one person on the Internet (who is, or was at one time, a lawyer), who seems to have some excellent products — but his terms of service are so one-sided that I won’t purchase any of his products. And the sad thing is that he must be selling a solution so that others can basically use the same terms because I see them popping up on other web sites. I’m certain that they would say, “Hey, don’t worry about it, it’s there ‘just in case’ and I’m sure I won’t have a problem with you” — but am I supposed to give up every single legal right I have — plus $47? — just to get your product? And you can bet your donkey that if a problem does arise, they’ll whip out those terms and use them to severely cut down any claim that I want to make.

Once burned, twice careful. Sorry, but those terms show a lack of consideration for me, your potential customer, so I’m not buying.

And what about privacy policies? I learned the hard way to read them when I started getting spammed by hundreds of wanna-be marketers. Turns out that one product I purchased gave the product and website owner my implied consent to sell my contact details to whomever he wanted to sell them to. I’ve even met this person face to face at a conference; he’s a really nice and smart guy, but he routinely sells your contact information as often as he can.

Of course, the flip side of this is that people who purchase and use his lists get spam complaints, and since they don’t have proof of opt-in, they get to deal with the complaints (and CAN-SPAM allows for fines of up to $11,000 PER COMPLAINT). Think Mr. Nice Guy, But I’m Going To Sell Your Email Address To Anybody and Everybody Marketer is going to help them get out of that pickle? I doubt it. So stay away from those lists unless you have some way of confirming their opt-in status first.

So my advice is this: Read those terms of service and privacy policies before you pull out your credit card and hit the “Order” link. In fact, read the things as soon as you first visit a website (my terms state that simply using my website implies consent to the terms). And if you don’t like the terms, contact the person (unless they are one of these people that says that they can use anything you send to them in any manner they want to, in which case I would not contact them. Do you want your complaint letter posted on Page 1 of their blog?) and simply tell them that you have concerns with their policies and that those concerns are preventing you from purchasing. Some people will listen (and I’ll tell you about two of them in a moment).

Even better: Read the terms on your websites. Is this how you would want to be treated if you were a customer? If not, change them. Now. “Do unto others as you would have them do unto you” is a good rule to follow. Strike a balance between leaving yourself wide open and demanding that web site visitors give up every right they possess just to read your blog.

And now, about those two marketers who listened: As I already (unintentionally) mentioned, the first is Stan Craigie. He made some changes to his policies to make them a bit fairer. As a result, I not only purchased his course, I also promote it.

The other is Dr. Andy Williams, the content site guru and all-around helpful guy. I can’t say enough about his graceful response when I, as an ignoramus, posted complaints about his policies on a forum (instead of contacting him directly). He changed his policies and gained a customer (and I learned a lesson that I’ll try not to forget). I’m glad to see this because his materials really do rock (and if you haven’t already, I recommend his free newsletter; just click on his name to learn how to sign up. Just don’t forget to READ the darn thing when it arrives, OK?).

So here are some takeaways for you:

* Read your own terms of service and your privacy policy. If you would not want to be treated that way on a website, consider changing them.

* Your terms may be driving away customers.

* Read the terms and privacy policy before using a website or purchasing something from it.

* Don’t use a list of emails given to you by somebody else unless you really know what you are doing.

And by all means, if my policies and terms give you heartburn, contact me and tell me about it. I will listen to what you have to say.

Filed in tips | Comments (0)

Use Your Marketing Tools For Public Service

Thursday, April 9, 2009

Like most people reading this blog, I too have a home-based business. This means that I’ve purchased quite a few products to fill in the gaps in my knowledge and am on quite a few mailing lists. And as long as the content sent is good, I actually read those emails, and if I read them, any information in them about computer security immediately grabs my attention. Some of the information put out is either old or inaccurate, but it makes me happy when marketers will use their marketing channels to send accurate computer security information to their customers and subscribers. And perhaps I can help ensure the accuracy of such information (keep reading to see my proposal)…

One of my favorite purchases was from Stan Craigie, whose GIMP Videos training product shows you how to create great graphics using free software (and the price is quite reasonable). This one is great because it meets a need (how to create graphics) and does so while keeping in mind the target market. Most people who create their own graphics do so because cash is tight and they cannot afford to outsource their work, so creating a low-priced, high quality product that shows people how to perform an essential task using free software is a superb idea. That’s why I like GIMP Videos so much!

I just received an email from Stan where he alerted his subscribers to a couple of important issues. Normally I don’t cover the day-to-day issues on this blog (I prefer to write about things that will have a longer term impact, plus I have other places where I talk about such events) but am extremely pleased when I encounter others who are willing to use their marketing channels to keep people informed and educated about computer security issues.

Stan sent out an email talking about current Conficker activity and warned his readers about a rogue anti-spyware / anti-virus application. That’s an email that he could have used for any number of other reasons. He’s not going to make any money from that email — at least not directly — yet he still took the time to create and send that email. And speaking as a certified computer security professional, the information in it was accurate, so he seems to have also taken the time to research these issues before sending them to his list.

Thanks, Stan Craigie. You have set a great example of how you can use your marketing channels and tools to provide a public service. I especially appreciate the fact that you took the time to ensure that the information was accurate before hitting the “Send” button.

I’d like to make the same offer to you that I made to Stan: If you would like me to review any security related messages before you send them to your list or publish them on your blog, contact me via my Help Desk first and I’ll be glad to take a look at it. All I ask in return is a “live” link (from your newsletter, blog, etc.) back to this website.

I’ll look forward to hearing from you so that I can help you help YOUR customers and subscribers! And while you’re at it, help yourself by checking out Stan Craigie’s GIMP Videos.

Filed in tips | Comments (0)

Protecting Paid Membership Site Access, Part 1

Friday, April 3, 2009

If you have some type of paid membership site that requires a login (even if it is a one-time purchase), I recommend that you submit your site for blocking at BugMeNot.com.

ButMeNot is a web site where people can post and access userids and passwords for sites that require logins. The main purpose is to avoid having to register for free sites so that you don’t get signed up for mailing lists and have your contact details sold to others. As a marketer, I have mixed feelings about it, of course.

I have my own mailing list for most of my blogs, and I don’t re-sell any leads, nor do I bombard your Inbox with email promoting every single product to be launched (and then some). I want you to sign up for my mailing list, and once you do that, I try to respect the permission you gave me by not abusing it. But given the abuse (and we are not discussing legalities here — just “what is right” in my eyes) that some marketers like to do with contact information — like sell it under the guise of “lead generation” — I don’t blame people for not wanting to surrender their contact info.

So what is the alternative? Read the Terms of Service and Privacy Policy of every website that you want to use (actually, you should do this, but people get in a hurry, get lazy, etc.)? Create a throw-away email account for every site you want to sign up for? Give false information?

Or use BugMeNot?

No, I can’t really blame people for using them. It’s a pain to have to register for each site I want to view, read their Terms and Policies, and decide if I want to give them the requested info. I’ve been tempted to use it myself on a few occasions.

On the other hand, if your login system is designed to protect a paid product, BugMeNot.com has a page where you can request to be excluded from their database. I recommend that Internet marketers and home business people take advantage of this opt-out mechanism.

If your site doesn’t sell anything and you’re not technically eligible to request a block, there’s a simple solution: Sell Something. Simply offer some type of upsell on the first page when members log in. Even if nobody buys it, you are still protecting paid content, right (and a good upsell offer — as long as it is relevant and delivers good value — will convert quite well)? Most membership site scripts have some type of option for “premium content” that make it quite easy to set this up.

They also do not allow sites that have age access verification under COPPA. I guess you have to be using active verification; it’s not enough to just say “nobody under the age of 18 can use this site”. So if you wanted to use some type of age verification system, that would work, too (but would probably cost more money).

Personally, I think that BugMeNot should allow any site to request a block, and since the Terms at many sites clearly state that passwords and userids cannot be shared, I have to wonder if they are actually facilitating the violation of these terms. And if this is the case, do sites whose users posts login details have any legal recourse against BugMeNot, or can BugMeNot pass the blame back to their users? Interesting questions!

So I recommend that you actually sell something on any site that requires a login, then head on over to BugMeNot and fill out their block request. I’d also check to see if your site has any login details listed; if there are, then I’d ban that user in accordance with your site’s Terms of Service.
–
P.S. — They host their service at NearlyFreeSpeech.net and have private registration, which makes tracing down the real owners difficult to do, short of some type of legal summons (I know that they are not American because of the way they spell “unauthorised” in their Terms). And their terms do not state where legal action has to be brought… And perhaps it’s time to add a statement that your registered users are not allowed to post their login details on sites like BugMeNot (but talk to a lawyer for the specific wording — don’t ask me!).

Filed in tips | Comments (0)

Adobe Reader Security Issue

Monday, February 23, 2009

Adobe has announced a security issue with almost all versions of their Acrobat Reader software (used by lots of people to read PDF documents). Sadly, they said that a fix for the problem will not be available until at least March 11, 2009.

In the meantime, here are some things you can do to protect yourself:

Use a different reader on your computer. I switched to Foxit Reader several months ago and have not had any problems. You can download plug-ins if you want to open PDF documents in Firefox, and if you want to enable JavaScript in Foxit Reader, you have to download an additional plugin. I recommend that you download and use it only if absolutely necessary.
Disable Javascript in Adobe Reader. You can do this by viewing the US CERT’s Advisory for the Adobe Reader vulnerability (see Section III — Solution).
Do not allow Internet Explorer to open and display PDF documents. The US CERT link (above) also tells you how to disable this functionality.
Do not open PDF documents that you did not ask for. This includes email attachments (especially spam).
Don’t download PDF documents from suspicious looking sites. In general, don’t just go “out there” on the Internet, visiting sites at random. Even after this problem is fixed, other threats will emerge.
If you are using an older version of Adobe Reader, consider upgrading. I only know of plans to fix version 7, 8, and 9 of Adobe Reader; if you are using an older version, it may be vulnerable FOREVER. Unsupported software often contains security holes that will never be fixed, so I recommend that you not use it (this also goes for operating system software. Lots of people are still using Windows 98, for example, which has not been supported for several years now).

If you found this post useful, would you consider subscribing to my blog announcement list and telling somebody else about this post? Thanks!

Be safe,
Tom

Filed in tips | Comments (0)

Tell A Lie And Stay Secure

Tuesday, September 23, 2008

I found this post today by Gary Warner, who points out that lying is often a good thing to do (in case you didn’t know, Gary Warner is the Director of the Center for Advanced Caffeine Studies. Pity I’m a raw vegan…). At least it’s a good thing to do when answering security questions which, if answered correctly, allow you to reset passwords for online accounts.

Just ask Governor Palin. Can’t the State of Alaska afford its own email server?

Brilliant, Gary. I’m now subscribed to your RSS feed and you have my permission to further clutter my iGoogle page. The pleasure is mine.

But moving on: Why not create (as Gary suggests) a complete “secret identity”, write it out on an index card, and stick in your wallet with all of those credit cards, identification cards, and $100 bills you all carry around with you (OK, two out of three ain’t bad…). I’ve been saying for a long time that you should use horrendously complex passwords that you write down and guard with your life; this is just a logical extension of that.

So I’m going to cut this short so I can go out and re-invent myself… Hmmm, wonder if Alaska needs a governor?

–Tom

Filed in tips | Comments (0)

Why Password Protect A PDF Document?

Sunday, August 31, 2008

Among the few newsletters that I actually read is Dr. Andy Williams’ EzSEO Newsletter. In this week’s edition — which just came out (he should have it online in a couple of days) — he talks about an ebook that he recently purchased.

The ebook, which he downloaded from the seller’s website, is in PDF format and is password protected. He claims that the password is simply not necessary and further states that anybody passing along the ebook would also pass along the password.

He has a valid point. In this case, I think all that the only purpose the password serves is to inconvenience the legitimate customer. In my case, whenever I get a password protected ebook, I edit the name of it to include the password so that I can always remember it (it’s a part of my system). What about the person who does not have a system?

I can see where you might want to password protect an ebook on physical media. Let’s say that you have a CD that you’re selling for shipping costs (a common way to generate leads in a market). You could include other documents on that CD and password protect them, then send the password to the user once they upgrade. BOOM — instant gratification and your materials are still (at least somewhat) protected.

You might also want to use it on self-generated stuff that’s highly sensitive that you don’t plan on sharing or will only share with a few others. It’s not 100% bulletproof (there are programs that will crack those passwords), but it’s still MUCH better than no protection.

How about it, blog readers? Any comments about password protected documents? Note that I’m not talking about stuff where only you know the password; I’m talking about a “one size fits all” type of password on an ebook. I may be overlooking something, but I agree with Dr. Andy on this one; a password protected ebook that’s downloaded from a web site doesn’t really offer any protection and only serves to annoy and inconvenience the legitimate customer.

–Tom

Filed in tips | Comments (0)

Why You Should Delete Unneeded Scripts

Friday, August 8, 2008

I graciously received permission from Willie Crawford (be sure to check out his blog) to share the following with you. Willie posted it in the forum at his private membership site The Internet Marketing Inner Circle. I’m also a member and forum moderator at the site, and we have a good group of great people with various talents, skills, and levels of experience, who combine their expertise (and “personalities”) to make it a great site to join for anybody involved with an Internet-based business. Please take a moment to check out Willie Crawford’s membership site.

And yes, I’ve been known to jump in and help out people with security questions over there…

Here’s Willie’s post:

After noticing my dedicated server slowed to a crawl, and frequently timing out, I did some digging around.

Tom Brownsword, our resident security expert, shared in an interview that we did that you shouldn’t leave unused scripts on your server.

In looking at one of my databases, I noticed that some fields had several MEGS of data… for a program that I had never used. It’s was an installation of PHPBB (an older version of this forum) that I started installing on one of my servers, but never used the forum after setting it up.

The forum was at http://DomainName.com/forum/

So I guess that someone guessed the url, found and registered for the forum, and then took advantage of exploits in a script that they were all-to-familiar with.

There were three registered users of this forum. One had over 12,000 posts, one had over 10,000 posts, and one had very few posts.

I clicked on the profile of the person with 12,000+ posts, saw a link to a website and clicked on it. My firewall and anti-virus programs both kicked in… informing that they had just protected my computer from an attack.

As I looked at the MySQL database for the unused forum, there was over 10 GIG of data there. Much of it was in the word search category. There was several meg of data in the comment and trackback tables.

I deleted the entire installation, and dropped the tables from the database.

My server is running much faster now

The moral of the story… listen to Tom when he says don’t leave “spare” scripts installed on your computer. Too many “bad guys” are searching for these scripts and know the holes.

The secondary point is that if you notice your website (or computer) running slooowwww, you might want to look for the cause.

Willie

Several other people joined in to discuss similar issues with their web server after that, so this must be a fairly common issue. Their problems ranged from using their allotted bandwidth and disk space to having their accounts suspended. Everybody would do well to follow Willie’s example.

Just a couple of things to emphasize (beyond getting rid of stuff you don’t need on your computer):

Willie pays attention to what’s going on with his websites. Are you paying attention?
Make sure that your computer is protected. One promising new product — a product that combines anti-virus and anti-spyware protection and was written from the ground up to meet today’s malware challenges — was recently released. You can learn more about it — and download a fully functional 15 day free trial — here.
In Willie’s case, I think that somebody did just happen to find his forum and take advantage of it; however, most of these “discoveries” are done by automated scripts. And since the goal is money, your website is valuable to these malcreants, no matter how small or insignificant you think it may be. In other words, regardless of what you think, if you have a website, it is a target for stuff you probably don’t want there.

So “just do it” — get rid of scripts and software and Anything Else on your web server that you don’t need before somebody else finds a use for it!

I’ll cut this post short so you can get to work…

Best regards,
Tom

P.S. — If you’re interested in the interview that Willie talks about in his post, you can click here to learn more and get your copy.

Filed in tips | Comments (0)

Social Engineering On Social Sites

Thursday, August 7, 2008

The same rules that apply to regular web surfing and email, i.e. don’t open strange attachments, don’t go to strange sites, don’t click on unexpected links — also apply to the social networking sites you use.

I came across an article (link here) about malware that is spreading via Facebook and MySpace. Nothing new here. I’ve also heard “grumblings” about the security community about these sites not always taking decisive actions to protect their users. Perhaps their perspective is one of usability, i.e. they prefer to focus on making things available and accessible, and a switch to a focus on security might hinder this goal. But whatever their reason (and it is their network and they are entitled to run it as they please, to a certain extent), it’s up to YOU to ensure that you use these tools safely.

Another article I came across (link here) talks about somebody on Twitter who has created a profile with only a picture. If you click on the picture, you’ll be sent to a site that attempts to infect your computer with malware. Again, if you don’t know the person, don’t click on the link (I’d go so far as to say to not click on a link even if you know the person, but that may be a bit too much; you have to decide. After all, you trust me to give you good links…).

In general, be careful when you surf. And two more quick tips:

1. Separate business and pleasure. If you want to surf the Internet for recreational use, get a second computer and use it. I’d even go so far as to recommend that you do your business surfing from this second computer (although there are other considerations, such as taxes and business write-offs, that should be considered). You can usually find inexpensive laptops for around $500 and desktops for even less.

2. Create a user account that does not have administrative rights and use that account to surf. Most default accounts (which are what people use — by default) have admin rights. Creating and using a regular user account for surfing can help protect your computer.

Of course, you should also use good anti virus software, anti spyware software, a good software and hardware firewall, and “just be smart”. It’s your business (whatever that “business” is) — protect it.

–Tom

Filed in tips | Comments (0)

One Overlooked Detail In This Hacking Case

Sunday, June 22, 2008

I came across an article on The Register about an individual in California who was sent to prison for over 5 years for hacking into his former employer’s network and destroying data. Now there’s nothing wrong with the sentence and fine; the guy did wrong and deserves to be punished.

But there’s one VERY important question that hasn’t been answered:

How in the world did the guy get back into the network after he resigned? Why wasn’t he locked out?

Nobody seems to have addressed this question, but had the company had a solid termination plan and implemented it, the outcome might have been different (even worse: this was a medical records company. Who is holding THEM accountable for not properly protecting their client’s data?).

To make it even more personal, how about YOU? Do you have policies and procedures to deal with former employees? If not, may I make a few suggestions that might help you get started on creating them?

First, when you know that you are going to dismiss an employee or that the employee is going to quit, disable their accounts. Delete them as soon as you’ve walked them out the door (more on that in a minute).

Assign a supervisor or manager to escort the individual until they leave the premises for the last time.

Isolate the individual. Take them to a private office. Talk to them and ensure they know what is going on, what your termination procedure involves, and that they understand exactly what’s going on.

Have them review any computer user agreements and/or non-disclosure agreements to ensure that they know what they can, and cannot, do in relation to company data. Ensure that this agreement clearly states that they are no longer allowed access to company data and networks!

Ensure that any data under their control has been transferred to the right person. Do not let them do it; instead, somebody else should do it while the terminated individual gives any verbal instructions.

Ensure that all company property (access badges, identification, etc.) has been returned.

Notify Human Resources to ensure that they are aware and so that they can get involved, as necessary.

If the person had administrative rights on any systems or networks or used a shared account (never a good idea), ensure that all passwords are changed before the individual leaves the company.

That should be enough to get you started. Remember, your goal is to protect your Business, and thinking through (and perhaps even doing a “dry run”) your procedure is the start. If you wait until you need to terminate somebody, it’s too late, and you stand a good chance of forgetting to do something crucial. While the former employee may pay (as this one did), YOU will still have to deal with the consequences.

It’s always better to take proactive steps to protect yourself.

–Tom

Filed in tips | Comments (0)

It\’s \”Change Your Password\” Weekend

Terms, Privacy Policy, and Your Customers

Use Your Marketing Tools For Public Service

Protecting Paid Membership Site Access, Part 1

Adobe Reader Security Issue

Tell A Lie And Stay Secure

Why Password Protect A PDF Document?

Why You Should Delete Unneeded Scripts

Social Engineering On Social Sites

One Overlooked Detail In This Hacking Case

Recent Posts

Archives

RSS Feeds

eMail address:
First Name: