The Business Protector

One Overlooked Detail In This Hacking Case

Sunday, June 22, 2008

I came across an article on The Register about an individual in California who was sent to prison for over 5 years for hacking into his former employer’s network and destroying data. Now there’s nothing wrong with the sentence and fine; the guy did wrong and deserves to be punished.

But there’s one VERY important question that hasn’t been answered:

How in the world did the guy get back into the network after he resigned? Why wasn’t he locked out?

Nobody seems to have addressed this question, but had the company had a solid termination plan and implemented it, the outcome might have been different (even worse: this was a medical records company. Who is holding THEM accountable for not properly protecting their client’s data?).

To make it even more personal, how about YOU? Do you have policies and procedures to deal with former employees? If not, may I make a few suggestions that might help you get started on creating them?

First, when you know that you are going to dismiss an employee or that the employee is going to quit, disable their accounts. Delete them as soon as you’ve walked them out the door (more on that in a minute).

Assign a supervisor or manager to escort the individual until they leave the premises for the last time.

Isolate the individual. Take them to a private office. Talk to them and ensure they know what is going on, what your termination procedure involves, and that they understand exactly what’s going on.

Have them review any computer user agreements and/or non-disclosure agreements to ensure that they know what they can, and cannot, do in relation to company data. Ensure that this agreement clearly states that they are no longer allowed access to company data and networks!

Ensure that any data under their control has been transferred to the right person. Do not let them do it; instead, somebody else should do it while the terminated individual gives any verbal instructions.

Ensure that all company property (access badges, identification, etc.) has been returned.

Notify Human Resources to ensure that they are aware and so that they can get involved, as necessary.

If the person had administrative rights on any systems or networks or used a shared account (never a good idea), ensure that all passwords are changed before the individual leaves the company.

That should be enough to get you started. Remember, your goal is to protect your Business, and thinking through (and perhaps even doing a “dry run”) your procedure is the start. If you wait until you need to terminate somebody, it’s too late, and you stand a good chance of forgetting to do something crucial. While the former employee may pay (as this one did), YOU will still have to deal with the consequences.

It’s always better to take proactive steps to protect yourself.

–Tom

Filed in tips | Comments (0)

Just Say NO To AVG Anti-Virus Version 8

Sunday, June 22, 2008

For years, AVG Anti-Virus has been the choice of many home computer users because of one simple factor: it’s free for personal use. Based on that, their user base has grown to about 70 million users, mostly due to word of mouth advertising and marketing. It’s been a brilliant marketing strategy and they’ve gotten TONS of free publicity and advertising because of this policy. Even better, others have imitated it, giving everybody more choice in how to best economically protect their computer.

I predict, however, that the situation is about to change. I honestly believe that AVG has done something that is going to result in a lot of their subscriber base drying up and going away — along with the free publicity that’s helped them so much in the past.

According to an article on The Register, AVG acquired Exploit Prevention Labs and its LinkScanner about six months ago. They have incoporated this technology into the new version of AVG. As a result, when somebody using AVG 8 visits a search engine (Google, Yahoo, and Live Search for now), the software actually connects to the pages listed in the search engine results and scans them for malware, even if the pages are never visited by a human.

In other words, if you own a web server that gets listed in search engine results pages (SERP), AVG is abusing YOUR bandwidth and YOUR server’s processing power to do THEIR work. A bit parasitic, if you ask me. While their desire to protect their customers’ computers is correct, doing so at the expense of web site owner — the ones who alerted people to this free product in the first place — is, in my opinion, about as smart as putting a screen door on a submarine.

While I’m all for malware protection, doing so in this manner is not the way to go. If they are really interested in doing it right, they should set up a system that will scan a website once and store the results in a central server for use on demand by all customers, then update the database as the web site changes. Of course, that would cost money, and since it’s a free product, getting the money to pay for it would be problematic. Instead, they’ve simply shifted those costs onto millions of unsuspecting web site owners without permission and without authorization.

Is this good business, AVG? Nope; you’ve shot yourselves in the foot, if you ask me. Why should the cost of mitigating YOUR risk fall on MY business?

So how big will this AVG problem be? With over 70 million users of AVG (and about 50 million have not yet upgrade)d, it could very well cause tremendous problems. The Register article tells about their experience, as well as the experience of others, and it’s easy to see where web analytics will go out the window while bandwidth and server costs skyrocket.

And here’s something else to think about: If you have set Google to display 100 results per page, do you want to wait for AVG to scan 100 websites? For that matter, if you are on a dialup (or even broadband), do you want to wait for 10 pages to scan? It’s going to slow stuff down a lot for everybody, including users.

So for now, I’m recommending that people NOT upgrade to AVG 8, especially those of us with web servers. Of course, everybody has to decide for themselves.

I’ll take it a step further. I’m asking people everywhere to consider pulling their recommendation for AVG free anti-virus software from their websites because that free recommendation will most likely end up costing THEM in the end. Imagine the irony, if you will: you try to be helpful on your website by pointing out to people about this free anti-virus program, and in return, that free recommendation increases your web hosting costs while stripping away your ability to do any sort of traffic analytics. Why would you want to recommend a program that does that to you — especially when there are alternatives that work just as well, if not better?

And if you’re looking for a good free replacement for AVG, Avast offers free anti-virus software for personal use (among others). As always, please read the license agreement first to ensure that you are eligible for the free version.

–Tom

P.S. — Please bear in mind that this blog post, as always, is simply my own personal opinion and is based on what little I know about the situation. It has nothing to do with the effectiveness of the software (I haven’t seen any test results); rather, it is my way of criticizing their way of doing business. Do your own research and come to your own conclusions before deciding on your own course of action.

Filed in tips | Comments (1)

OT: Warner Brothers And Intellectual Property

Thursday, May 15, 2008

I came across this post where somebody wanting to do good apparently did it the wrong way. They wanted to raise some money for a children’s cancer charity — Candlelighters — but were doing so in the form of an auction that featured artists’ reproductions of DC Comics characters.

Apparently Warner Brothers is the owner of the intellectual property rights for those characters (I didn’t bother to check this out) and stepped in to have the auction shut down, leaving the auction organizer in a bit of a bind and the cancer charity with a bit less cash than they might have had.

I can’t blame Warner Brothers. If they own the intellectual property rights, they have the right and obligation to protect their rights. And a lot of people are thinking, “Gee, Warner Brothers, what a heavy-handed thing to do!”

Let’s take a step back and look at this for a moment.

Let’s suppose that the auction organizer had taken YOUR trademarked and copyrighted items, reproduced them, and was selling them without asking first (that last point is important; it appears as if this step never took place). As a fellow business owner and holder of intellectual property rights, you’d probably do the same thing, i.e. move to have the auction shut down. And to be honest, I’d probably take similar action.

Hey, charity is a good thing (I sponsor two children via Children International — PLEASE consider sponsoring a child!), and being generous and helpful is a part of our mission while we are here on this planet. That’s why I included a link to the Candlelighter’s site; you can make a donation, if you wish (NOTE: I have not evaluated the charity but posted the link anyway because they are approved to receive donations via the Combined Federal Campaign, which at least means that they are an official charity, and from Thomas’ post, they actually do help people). Heck, you can even go to Amazon via the link on the Candlelighters’ home page and buy some stuff there — they’ll get a small commission when you purchase (another win-win, eh?). That’s a great thing, and I hope that you’ll at least take a look at their web page.

On the other hand, Warner Brothers acted properly, even though it appears to be heavy-handed.

What would I do if my stuff were being sold from a charity auction? Pretty much the same thing… If I didn’t want my name and company associated with the auction and/or the charity, I’d have it shut down in a heartbeat. If I liked the cause, I’d still consider my actions carefully, simply because I depend on business revenue to earn a living, and if I allow one person to use my property for a charity auction without prior coordination and permission, then I’ve set a new standard that could quite possibly lead to LOTS of charities doing it, thereby diluting my brand — and my ability to pay my bills.

Having said that, if somebody came to me BEFORE the fact and told me what they wanted to do — which is the way it should be done — I’d at least listen to them (at least right now). I could gain some great publicity from it, perhaps some new customers, along with the knowledge that I made a tiny bit of difference in somebody’s life.

So Thomas, your heart is in the right place (and this post is made with a prayer for Ben), and I sincerely hope that you find some way to help Candlelighters. And I’ll be watching your blog!

–Tom

P.S. — VitalSecurity, while I normally agree with you, I can’t this time. (it was my daily check of your blog that tipped me off to this). While Warner Brothers does seem to be coming across heavy handed here and could have handled it in some other manner, remember that as computer security professionals, we are obligated to uphold intellectual property rights. Otherwise I love your blog and what you’re doing; thanks, and keep up the good work.

Filed in tips | Comments (0)

Website Security and Permissions

Monday, May 12, 2008

There’s a series of website attacks going on right now that take advantage of a number of vulnerabilities. I just read on the Prevx Security Blog (one of my daily stops) about an often overlooked, yet easily exploited security vulnerability that sadly exists on many websites.

777. Yes, wide open permissions! World-wide read, write, and execute permissions.

What makes this even worse is that many in the Internet Marketing arena ENCOURAGE people to set permissions to 777 in order to get some script to work.

A few things here. First, fix your scripts, guys! No script should need world write permissions to operate. If your coder doesn’t know how to do it so that you don’t need such wide open permissions, get a new one. Next, many web hosting companies no longer allow 777 permissions on their web servers. I know that my favorite web hosting company doesn’t allow it; if you try to set permissions to 777, it’s like locking up your web site. Absolutely NOTHING happens until you change them.

755 is a much better idea.

And note the comment about “least privilege”. It’s a computer security foundational concept. It’s bedrock. You need to build your security on it.

What “least privilege” means is that you take away ALL rights for something to operate, then add back in only those that the application or user needs to operate. Don’t need web access? Don’t grant it? Need to update the books? Then grant access (but keep an audit trail — and REVIEW the thing, OK?). Web site script doesn’t need 777 permissions to operate? Then why did you grant it? And even worse, Web Developer, why did you write a script that requires it (or did you simply say to set the permissions to 777 in the documentation to save on support costs? SHAME ON YOU!).

Rant over. Now get busy and do something about it.

–Tom

Filed in tips | Comments (0)

WordPress Unplugged — And Upgraded

Tuesday, May 6, 2008

Don’t want to upgrade your WordPress blog to the latest version? Why not? I can only think of a couple of reasons:

1. You have plugins or custom coding that won’t work under the new version (or you simply THINK that some of your plugins or custom coding won’t work with the new version).

2. Upgrading your software is a hassle.

Let’s talk about the first one first. If you have somebody doing your custom coding, then just have them ensure that your customizations are compatible. This would include plug-ins plus anything else you’ve done to customize it. If not — if your concern is only about templates and plug-ins and stuff like that…

I’d like to point out a post on the Village-Idiot.org blog. The author of this post said it quite well:

The fact is that if you cant code, or you don’t have a guru, (or both), you are at the mercy of whatever web application you happen to be using.

Yes, if you can’t code or can’t pay to have it done, you’re at the mercy of the WordPress developers and the authors of that plugin / theme / whatever.

Oh, one more thing: If you think that it’s OK to not upgrade, there are already vulnerabilities with the older (pre-version 2.5.1.) versions of WordPress — stuff like people finding hundreds of links stuffed in their themes and megabytes of bandwidth being sucked from their sites (I found out about this on a private forum; sorry, no link…).

OK, on to number two. I think we’ve already determined that you’re either going to upgrade or fix the problems with WordPress and why this is true. So what to do about #2? Is there an easy way to upgrade your WordPress blog?

Yes, there is an easy way to upgrade your WordPress blogging software. I can do it with just a couple of clicks; it takes me less than three minutes per website now that I’ve gotten the initial configuration taken care of. And did I mention that I use a dialup connection?

Yes, that’s right. A dialup connection. You can’t even download the updated software in that much time, much less get it re-uploaded to your website. So how do I do it?

That’s going to be the subject of an upcoming post. Stay tuned!

–Tom

Filed in tips | Comments (1)

Mark Hendricks\’ Internet Super Star Conference

Monday, April 21, 2008

It’s not too often that I’ll promote a live event because most of them turn out to be nothing but “pitch fests”. I’m making an exception today.

Now don’t get me wrong; almost any live event that you attend that relates to Internet marketing and Internet business will have some type of product for sale. In some cases, those products complement what was presented on the stage and can provide you with more comprehensive information. In other cases, the offer will include a substantial discount or a bonus that’s not usually available. The ideal offer will contain all three. In fact, I recently took advantage of such a deal at the event I attended at the end of last month. I saved over $1,000 on the package and qualified for a special contest in the process. I was quite happy and the information I’m learning is superb.

The problem is that a lot of these live events are really nothing more than a two or three day long infomercial (otherwise known as a pitch fest) — an infomercial for which you get to pay for a hotel, a plane ticket, the conference itself, restaurant meals… plus the time cost of being away from your loved ones and etc. Why should you have to pay for the “privilege” of sitting through The Infomercial Pitchfest From You-Know-Where?

You shouldn’t — and that’s why I rarely promote any live events or conferences from this blog.

I’ll make an exception for anything that Mark Hendricks puts on.

I first met Mark back in December 2005 at the first Live Event that I attended. Mark was a speaker there… No, check that: Mark was a TEACHER there. He provided solid teaching content during his sessions and made a definite impression on me. I’ve purchased several of his products (all of them good) and will consider becoming a member of his mastermind once I move back to the States. He’s that good.

Mark is teaming up with seven other individuals to put on what he’s calling the “Internet Super Star Conference”. Now you may look at some of those names and say, “Who are they?” — and perhaps with good reason. So let me tell you the story of one person I’m familiar with that will be speaking — David Perdew.

I don’t even remember where I first heard about David, but he offered a product called “The 60 Day Experiment” that basically walks you through how to build an Internet-based business in 60 days. He’s since gotten into some other things, and I’ve had the pleasure of getting to know him well inside The Internet Marketing Inner Circe, Willie Crawford’s membership site. Successful marketers are starting to join such paid membership sites so that they can focus on making money, developing partnerships, and building their businesses instead of having to deal with the forum trolls.

So David has a lot to say that’s worth listening to, and even though you may not have heard of him, I’ll certainly vouch for him. I even wish that I could travel to the event to meet him in person (alas, I can’t; too much going on at home this summer). And I’m sure that the rest of the speakers are top-notch or Mark wouldn’t allow them to even set foot on the podium.

I invite you to check out the sales page for this event (click here to learn more about the Internet Super Star Conference). It takes place in Baltimore, Maryland (at a nice but inexpensive hotel near the airport — not at one of those overpriced downtown hotels — and stuff like Internet access is included in the hotel price) the weekend of 14-15 June, 2008.

And I’ll sweeten the pot a bit.

To help you get more from this conference, if you sign up using the above link, I’ll give you a copy of my unpublished guide to getting more out of Live Events. It will eventually be sold; I just haven’t quite gotten it finished yet. This little offer will help motivate me to actually get it done…

It’s a great guide, written by somebody who has been attending such events since 1979 (that would be me!) that will take you from selecting a live event that best meets your needs, preparing for the event, what to do at the event, and what you should do once you leave the event. It gives you a step by step plan to squeeze every last cent out of your investment.

And I’ll make it even better by offering you free lifetime upgrades to the ebook. In other words, each update and upgrade will be emailed to you at no additional cost. I normally charge for version upgrades (even for registered owners); you won’t ever have to pay for it as long as you maintain your email address.

If you want to take advantage of this offer (and it’s open to everybody), here’s what you need to do:

1. Clear your browser’s cookies.

2. Sign up and pay for the conference using the following link:

http://www.internet-success-system.com/amember/go.php?r=759&i=l12

3. Submit a ticket at Protector Support (my Help Desk). Be sure to leave a copy of your receipt. You will also need to leave a good email address, as I explained above.

4. Once I verify your purchase, I’ll send you a copy — via email — of my guide to getting more out of every live event you’ll ever attend (IF you apply what I’ll show you; it’s up to you).

One more thing: if you’re interested in attending, sign up for the event TODAY (and the price is quite nice right now as I write this on April 21). The price goes up on May 1 (and again on May 15 and June 1), and from past painful experience, I can vouch for the fact that Mark does keep his word; he will raise his prices. But I think it would still be an outstanding value, even at the final price.

So you get a non-pitch fest from one of the best teachers of Internet marketing and Internet business at a nice but inexpensive hotel, plus my guide to getting the most from any live event — along with free lifetime updates.

Here’s that link again: http://www.internet-success-system.com/amember/go.php?r=759&i=l12

–Tom

Filed in tips | Comments (0)

My Relatives Are Dying Like Flies?

Sunday, April 13, 2008

Twice today I’ve received spam emails (obvious phishing attempts). They look like the standard Nigerian 419 scam attempts — but with an interesting twist.

In the first one, the person writing was claiming that a Scott G.Brownsword of the 2nd Battalion,505th Parachute lnfantry (sic) Regiment,3rd Brigade combat Team, 82nd Airborne Division at Ft Bragg NC had passed away and they were asking if I’d stand in as an heir since I had the same last name.

As a retired soldier, I could easily verify this so-called deceased person’s identity by simply logging into the Army’s portal and doing a search, but why bother?

The other one claimed that a James Brownsword died in a Gulf Air flight crash in the Persian Gulf back in August 2000. I think I know why that plane crashed; I think I’ve received at least 1,000 emails about standing in for the next of kin for deceased passengers on that flight, so it obviously crashed because it was way overcrowded and hence overweight.

Again, the interesting part of these particular scam / phish emails is that they used my last name and suggested that I would be a good candidate to stand in because of that. So it looks like the criminal scammers are resorting to new and desperate tactics to keep the flow of cash coming in.

Just say no. A matching last name still means a scam.

Thanks,
Tom

Filed in tips | Comments (0)

Test Post

Sunday, April 13, 2008

This is a test post. I apologize for the inconvenience.

–Tom

Filed in tips | Comments (0)

Comments With Links To Chinese IP Addresses

Friday, April 11, 2008

I received several blog comments overnight that included links to Chinese IP addresses. All of them were in perfect English. Some were complimentary, some were insulting.

While they were quite comprehensive, none of them had anything to do with the content of the blog post.

Therefore all of them were spam. I also suspect that the links included point to sites which, if visited, would do things to your computer that you’d rather not have happen.

These comments are making it past my Akismet filters (although they will be reported to Akismet) and I have my blogs set up as follows:

* No registration required, but you must have at least one approved comment before your comments will be automatically approved (in other words, all of your comments will be held for moderation until I approve at least one).

* I receive email notification (to my main account) of any comments awaiting approval, as well as any approved / pre-approved comments.

I strongly recommend that you configure your blogs to do the same. I did have “registration required” and “moderate all comments” at one point, but that tends to cut down on the number of comments you receive.

Each email you receive (if you follow this system) will show you the IP address and domain name that the link points to. In this case, the “.cn” at the end of each link set off alarm bells. When I saw how good the English was and how off-base the rather verbose comments were, my suspicions were aroused even more.

They are spam. They could point to malicious websites.

While I’m not in a position to tell you how to manage your blog, please keep this in mind: Any link on your website is a link that one of your website visitors could click on. Do you want to send them to sites that could trash their computer? I say that it’s in your best interests to help protect your customers’ computers by providing as safe a site as possible.

So please; consider saying “no” to these links and report them to Akismet as spam.

Thanks,
Tom

P.S. — While all of the comments thus far have pointed to Chinese IP addresses, I suspect that I’ll soon start seeing such comments pointing to IP addresses from other countries. It’s not JUST a “Chinese Thing”…!

Filed in News, tips | Comments (0)

Can You Still Get Product Launch Formula 2? Maybe!

Wednesday, April 2, 2008

Can you still get a copy of Product Launch Formula 2? Maybe.

To find out if you can, click on this link (don’t wait; access is limited):

http://www.tdbx.com/r/plf/

Jeff Walker is going to re-release Product Launch Formula 2 at noon Eastern Time on Wednesday, April 2, 2008. It’s going to be a limited re-release.

Why? Because unlike Product Launch Formula 1, Version 2 is going to be different.

(Incidentally, Jeff just announced that he’s adding a “streamlined” version of Product Launch Formula 1 as a bonus for purchasers of Version 2.)

Each Monday, Jeff is going to upload a video for owners to watch. This will be followed with a LIVE teleconference where owners will be able to ask questions (if you have to miss it, don’t worry; Jeff will record it). And knowing Jeff, he’ll stay on the phone until every question is answered.

Jeff is also going to be running surveys and soliciting feedback to ensure that every owners’ questions are answered and that they get the help they need.

Add that to some of other incredible bonuses that he’s giving away and Product Launch Formula 2 turns out to be an incredible value.

As an owner of Product Launch Formula 1 and 2, I’d also like to add that Jeff really does value his customers. He’s personally answered several emails from me and has been known to host private receptions for his product owners at live events (I’ve attended one of them). I also sat next to him at dinner once and received quite an education! Jeff’s not going to run and hide somewhere; he’s accessible and truly does want to hear from his customers.

So enough already; since Jeff is running this version as a live training course, he’s only selling a limited number of seats for this course. So to make sure that you get one of them, head over to this link NOW (even if it is before noon; you can sign up for a reminder email, and Jeff doesn’t spam!):

http://www.tdbx.com/r/plf/

Thanks for listening,
Tom

Filed in Uncategorized | Comments (0)

One Overlooked Detail In This Hacking Case

Just Say NO To AVG Anti-Virus Version 8

OT: Warner Brothers And Intellectual Property

Website Security and Permissions

WordPress Unplugged — And Upgraded

Mark Hendricks\’ Internet Super Star Conference

My Relatives Are Dying Like Flies?

Test Post

Comments With Links To Chinese IP Addresses

Can You Still Get Product Launch Formula 2? Maybe!

Recent Posts

Archives

RSS Feeds

eMail address:
First Name: