Archive for the ‘Web Security’ Category


SSL Certificates Essential To Website Security


What is Secure Socket Layer (SSL)? Basically, it is the standard security technology used to encrypt online data. SSL offers encrypted communication between the web server (server-side) and the customer’s web browser…

Read the rest of this entry »

One of the greatest miscalculations a business owner can commit is by not prioritizing how he will protect his computer system from unauthorized intrusions and data theft.

There is a common belief among business owners especially those that do not operate a big business that their small size makes them safe from the malicious intent of computer “phreakers” and data thieves. They think that in a sea full of big fishes a small fish will be ignored, secure in the fact they are not worth the exertion and computer time for notorious data thieves.

Nothing can be further from the truth. In fact, smaller businesses are far more vulnerable to Internet security threats and all manner of data theft and electronic sabotage. Based on a study made by research firm AMI-Partners, almost half of all small and medium sized businesses have failed to implement even the most rudimentary security precautions – which includes the installation of antivirus and anti spyware programs. This oversight could be the main reason why when the My Doom worm hit a few years back, one in three small and medium sized businesses were affected compared to just one in six among the larger companies. This was discovered by the Internet Security Alliance, a non profit organization that deals with information security issues.

In fact, now more than ever data and network protection should be given more attention because of the ever evolving sophistication of data thieves. They are now more equipped with the software and hardware necessary to break into security measures instituted by data managers. What could the chances be for a company to weather an attack if the owner forgets or ignores putting in place data security and encryption policies for his business because he thinks it will just be an additional cost? Practically zero and the untold cost to his business would be far greater.

It is for this reason that data security and encryption should be one of the priorities of a business. Anyone is vulnerable to an attack whether that business is an international conglomerate or a new start up. In fact, a big business will have a much better chance to recover compromised data or processes compared to a small business because a big company will have the funds available to rebuild the business. A small business, on the other hand, will not in most cases, have the necessary funding to start the business all over again – making an attack quite catastrophic.

These facts are not lost on many software providers who are now coming up with many types of solutions that guarantee the safety of data in an office’s network. There are also software that bring security to a higher level by incorporating encryption technology in order to safeguard not only sensitive data but also to make it harder for hackers to get into networks or intercept data being transmitted from the corporate network to devices outside of the network. Encryption technology can, in fact, be seen as one of the highest levels of protection that a business can employ in order to ensure the integrity of its data and its computer network.

Did you enjoy this article? Please join our Mailing List to subscribe to our newsletter!

There’s a storm brewing, and although we have only seen the first rumblings, it’s gonna be a whopper! I’m talking about what I call the “WI-Fi Security Crisis”, and if you don’t know what it is, then please read on…

Ask Yourself One Or More Of These Questions:

Q: Would you let a terrorist walk in off the street and call their buddies in Iran or Afghanistan using your phone?

Q: Would you allow a pervert to use your Internet connection to download child pornography?

Q: If you are a hotel General Manager, would you knowingly allow a thief to steal the data from a guest’s computer?

EVERY DAY, this and much more happens at WI-Fi hotspots around the world, but nobody seems too concerned about it. WHY?

Some recent examples:

1. A US Military war driving team finds an access point installed on the base granting open, unencrypted, unrestricted access to the internal US Military unclassified network. The access point is accessible from a K-Mart parking lot outside the military base.

2. A six-page, full-color article in Russia’s “Hacker Magazine” describes in complete, step-by-step detail how to attack hotspots of three Moscow Marriott Hotels operated by MoscomNET.

3. In a recent prosecution of a man for possession of child pornography. His defense that “he was on an open access point so it must have been someone else” failed, and he’s now looking at doing some hard time with the other criminals.

Open, unsecured access points aren’t the only threat, but they make a great entry point. Just drive around with NetStumbler and see how many access points still have the default D-Link or Linksys SSID and even the default username and password for administrative access and you have a small sample of the scope of this problem.

Even if the hotspot has reasonable measures to protect unauthorized users from accessing the Internet, few operators bother protecting legitimate users from intra-site attacks. Once the attacker can associate with an access point — any access point — they can begin port-scanning and attacking any users… that means YOU…associated with the same access point, and most often, users associated with any access point in the entire hotspot — all without needing any connectivity through the gateway.

Unsecured, unpatched client computers are juicy targets for data thieves, or anyone wishing to implant key loggers, root kits or any other malware. Hackers can easily get access to your passwords, credit card information, and now…automation codes for your home and security systems that protect your family. Such computers are all too easily found with simple, freely downloadable scanning and analysis tools. On the Internet, stolen identities are bought and sold everyday like so much coffee.

Interestingly enough, when interviewing one of the major authentication providers in preparation for writing another article, when asked what his company was doing about security, his response was, “We don’t worry much about it, the only hackers are in Russia…”

For operators with these attitudes, the wake-up call may be coming sooner than they think. Just go to Google Video and search for WI-Fi, war driving or wireless hacking and you will find videos with step-by-step demonstrations on exactly how to do it and what tools to use.

Hotels represent a unique problem. Most hotel IT Managers are ill equipped to understand let alone respond to the dangers wireless networks present. If the hotel is relying on a third-party operator to run their hotspot, the hotel IT Manager won’t have access or control of that network and couldn’t apply additional security even if they wanted to.

This is the case in Moscow where the three Marriott hotels rely on third-party operator MoscomNET to operate their hotspots. What baffles me is why virtually nothing has been done to secure the network since August 2006, when the Hacker Magazine article was published. To this very day, from the hacker’s perspective, nothing has changed and the same vulnerabilities still exist.

One major flaw in the Marriott/MoscomNET WI-Fi system is that they are still using MAC-address-based authentication. Such systems are wonderful for ‘ease-of-use’ but a total disaster with regards to security. (MAC addresses are the simplest thing in the world to harvest and spoof.)

For example, at a popular American hotel, I borrowed a WI-Fi adapter for my notebook computer, plugged it in and had instant, free access to the WiFi network. How did that happen? Very simple… the guest who borrowed the adapter before me returned it while time still remained on his account. The MAC address from the adapter automatically authenticated me to the system — no other credentials required.

And what if I did something evil, such as setting up a P2P server pirating music? As I had never purchased an account, the previous user of the account would receive the blame. As for attackers just capturing MAC addresses out of the air and spoofing them — they are completely untraceable and can do whatever they want with complete impunity.

Who can be held responsible and accountable? Hotel General Managers? Hotspot operators? IT Managers? Authentication and roaming partners? There is plenty of blame to go around, but nobody wants to take responsibility or action. It seems the safety and security of the guest’s computer or any other security matters are of no concern.

Is the problem a technical one? Not at all! Every commercial-grade access point is easily secured with WPA or WPA-2. (Forget about WEP.) Newer commercial access points allow simultaneous dual-mode operation — where the user can choose to associate insecurely or securely. This simple measure could reduce the risk of wireless eavesdropping to near zero. Only clients whose computers were incapable of operating in the secure mode would remain vulnerable.

So why don’t hotspot operators implement even minimal security precautions? I suspect it could be because:

1. Many WI-Fi operators simply lack the knowledge, skills and experience to properly secure and monitor their networks.

Let’s face it…setting up a couple of access points to share an Internet connection isn’t rocket science — but properly securing and managing even a small system does require knowledge, skills and experience well beyond the capability of the local ‘computer guy’.

2. WI-Fi hotspot operators who are more concerned about profit than security.

Secure systems ARE harder to manage and harder to use — which is another reason commercial operators are less likely to implement even the most basic of security measures. Real security would mean implementing encryption all the way from the client to the Gateway, and secure authentication — likely implemented through a Public Key Infrastructure and digital certificates.

Of course I realize that some client systems can not support certain security mechanisms, but at least give the client the option of borrowing supporting equipment and/or notifying them of the potential hazards they could be exposed to.

As of this writing, it does not appear that WI-fi cafes, hotels, or local small business will be taking any precautions to protect their customers from any level of threat here. I can only say that if you are considering transmitting your company information over a unsecured hot spot…think twice.

Did you enjoy this article? Please join our Mailing List to subscribe to our newsletter!

Our Mission

Our mission is to show small business owners how to REALLY use the Internet to drive growth and profits in their business.

Reach Out

The McQueen Organization

825 N.Tower Rd.
Fergus Falls, MN. 56537
Phone: (218) 332-0162
Tampa: (813) 858-4357
Email: Click HERE