Blog
Viewing tag: security
A More Secure Web
If you publish a website - especially one that allows visitors to log in, and ESPECIALLY if you operate an e-store, and ESPECIALLY if you use the iASP Technology Platform - please take a few minutes to review this article and take the recommended action without delay.
Last year Google made an announcement that read in part:
"Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as "Not Secure" unless the pages are served over HTTPS..."
Read the related article: Moving towards a more secure web
What Does This Mean?
Google has made a game-changing decision to pro-actively warn website visitors that the information they are entering is not secure when the page is served over HTTP rather than HTTPS.
You can see an example of a non-secure page in the screenshot we took just this morning of the Vodafone website (see the blog image in this article).
While Google is currently limiting this new security measure to web pages that collect passwords or credit card details, they plan to label ALL HTTP pages as 'non-secure' in the future.
Not surprisingly, the Firefox web browser (which along with Chrome accounts for around 70% of Internet users) has already followed suit by labelling pages that are not HTTPS encrypted as non-secure. It seems inevitable that Safari and Microsoft Edge will follow.
This means that websites that do not offer customers the peace of mind of HTTPS face the significant risk of turning customers away to their competitors.
What is HTTPS?
HTTPS is an Internet protocol that encrypts the data being sent back and forth between a customer's web browser and a website.
Setting up HTTPS encryption requires the purchase, periodic renewal and installation of an SSL (Secure Sockets Layer) Certificate.
An individual SSL Certificate is generally required for every domain name that resolves to a website; however, multi-domain SSL Certificate options are also available.
SSL Certificates have various properties, such as the level of encryption they offer, the amount of warranty paid to customers if a Certificate is issued incorrectly, and more.
Purchase and renewal costs vary significantly, from only a few dollars to many thousands of dollars. Some providers offer sweetheart pricing for the initial purchase that increases significantly on renewal.
The renewal period for SSL Certificates is 1, 2 or a maximum of 3 years, as determined by ICANN, the global authority for this area of the Internet.
In some cases longer registration periods offer discounted registration costs. Importantly, SSL Certificates must be re-installed each time they are renewed, which involves a multi-step process that must be coordinated between the Certificate owner and the system administrator managing the related website server or network.
SSL Certificate installation, for both new Certificate registration and subsequent renewals, typically attracts a cost, so the longer the registration period the lower the associated installation costs.
What are the Benefits for HTTPS Encrypted Websites?
- Visible Security - Sites with HTTPS encryption display a secure padlock icon in the address bar that, when selected, confirms the identity of the website publisher to the visitor.
- Privacy - End-to-end encryption of all data entered by visitors into HTTPS pages greatly increases security and reduces the risk of data theft.
- Search Performance Advantages - Secure websites may rank higher in Search Engine Results Pages (SERPs) than non-secure sites.
What are the Disadvantages for HTTP Websites?
- HTTP pages will be marked as non-secure with an 'Information' icon or a 'Not Secure' exclamation-mark icon.
- Search Performance - HTTP sites may be penalised in SERPs.
- Website Traffic - Website traffic may be affected if users choose to avoid non-secure sites.
How Will This Affect iASP Clients?
Enotia Australiasia Pty Ltd., developer of the iASP Technology Platform, fully supports Google's new initiative to provide a safer web.
As a professional service provider adhering to best-practice security policies and procedures, we recognise that, in addition to the actual security risks of not meeting Google's security initiative, our company's reputation, along with that of our clients, is at risk.
All iASP Systems require an administration login via user-name and password, and are therefore already being flagged as non-secure unless they are HTTPS encrypted. As advised in the client bulletin distributed on February 21st:
From July 1st 2017 all iASP powered websites will be required to use HTTPS encryption.
This means all iASP Central websites will require an SSL Certificate to be purchased and installed prior to June 30th.
As indicated in the client bulletin, all Enotia clients are free to purchase the certificate of their choice from any third-party vendor; however, the Enotia Network Administrators must install all certificates on our network, for which costs will apply.
Additionally, Enotia is offering turn-key SSL Certificate registration and subsidised installation services as part of our on-going service offering.
Enotia clients are welcome to contact us anytime, but will be contacted personally regarding this important matter over coming weeks regardless.
If you are concerned with the security of your website or would like more information on purchasing an SSL Certificate, please contact the Enotia Support team on 03 8692 7241 or Get in Touch.
Resources:
- Moving towards a more secure web
- Worldwide desktop market share of leading search engines from January 2010 to October 2016
- Google Is Requiring HTTPS for Secure Data in Chrome
The #1 Trick to Increase Your Daily SPAM
Don't you just love SPAM e-Mail?
How much productivity is lost globally filtering genuine e-mail from the countless useless, unwanted and sometimes downright offensive e-Mail messages?
What frustrates us as professional web developers is that so many organisations directly invite SPAM by making one of the most common and costly mistakes: Publishing e-mail addresses on websites.
Publishing e-mail addresses on websites is the #1 way to attract SPAM.
It's that simple!
No cheats or gimmicks.
No sneaky fees or subscriptions.
Guaranteed to work every time!
Publishing your e-mail address on your website is about as clever as publishing your credit card number. It's just inviting trouble.
There are countless SPAMbots - simple computer programs that scan the Web looking for e-Mail addresses and adding them to SPAM lists or marketing databases.
And while SPAM might be just one of those things you have to deal with on the Internet, reducing the severity of the problem will always make life easier.
So how can you publish your e-Mail address without leaving it open for Spambots?
Well, there are 3 main methods:
1.) Miscellaneous Techie Tricks
The end goal is to display an e-Mail address in a readable way to a real viewer, while hiding the e-Mail address from spambots.
To achieve this, there are a few "tricks" you can use to try to "hide" your e-Mail address.
One "trick" is to type the e-Mail address backwards, then use CSS to display it the right way round.
A spambot will see 'ua.moc.sserdda@liame-my', but the reader will see 'my-email@address.com.au'.
The difficult part of this trick is correctly writing your e-Mail address backwards. Did you notice my mistake?
Another "trick" is to break up the e-Mail address with HTML code, which is then hidden using CSS so that the e-Mail address displays correctly.
And yet another "trick" is to replace the @'s and .'s in an e-Mail address with AT or DOT.
Because nothing says "professional" like 'my-email AT address DOT com DOT au'.
These tricks have been around for centuries however (in Internet time), and spambot developers have become wise to them.
They will easily unpick your "trick" and add you to their spam list.
2.) e-Mail Address Obfuscator
An e-Mail obfuscator is a small piece of JavaScript that adds your e-Mail address to the page after it has loaded, or unjumbles an e-Mail address that appears jumbled to spambots so that it becomes readable once the page is loaded.
Like the "tricks" above, however, this method is becoming outdated as well.
Spambot developers are learning how to detect when an obfuscator is being used, and how to get around it.
This means that obfuscators need to be adjusted semi-regularly, changing how they alter an e-Mail address so it doesn't become predictable.
And now that Google can execute JavaScript to index websites better, you can bet that it won't be long before spambots can do the same thing.
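As an added illustration (not code from the original post), here are the reversal and hidden-span tricks from method 1 and the split-and-join obfuscator from method 2 as small JavaScript helpers, plus a crude model of what a text-only scraper sees in the resulting markup; the function names and the hidden filler text are assumptions of this example.

```javascript
// Added example, not from the original post. Helper names and the hidden
// filler text are this example's own choices.

// Reverse by code point so characters outside the Basic Multilingual Plane
// survive intact.
function reverseForCss(email) {
  return Array.from(email).reverse().join("");
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Trick 1: reversed text that the browser flips back with a bidi override.
// Generating the reversed string avoids the hand-typing slip the post shows.
function reversedSpan(email) {
  const reversed = reverseForCss(email);
  return `<span style="unicode-bidi:bidi-override;direction:rtl">` +
         `${escapeHtml(reversed)}</span>`;
}

// Trick 2: hidden filler around every '@' and '.', so the raw HTML never
// contains the address as one contiguous token.
function splitWithHiddenSpans(email, filler = "nospam") {
  const hidden = `<span style="display:none">${escapeHtml(filler)}</span>`;
  return Array.from(email)
    .map((ch) => (ch === "@" || ch === "." ? hidden + escapeHtml(ch) + hidden
                                           : escapeHtml(ch)))
    .join("");
}

// Method 2 (obfuscator): the page carries only the pieces (for example in
// data attributes) and a script joins them after load. Here the join simply
// returns the mailto: link it would assign to the anchor's href.
function splitForObfuscator(email) {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) throw new Error("not an e-mail address");
  return { user: email.slice(0, at), labels: email.slice(at + 1).split(".") };
}

function assembleMailto(parts) {
  return "mailto:" + parts.user + "@" + parts.labels.join(".");
}

// Rough model of a text-only reader of the markup: hidden spans dropped,
// remaining tags stripped, entities decoded. For trick 1 this still yields
// the reversed string; only a renderer that applies the CSS sees the real
// address, which is exactly why the trick works until a harvester does too.
function renderedText(html) {
  return html
    .replace(/<span style="display:none">[^<]*<\/span>/g, "")
    .replace(/<[^>]+>/g, "")
    .replace(/&quot;/g, '"').replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}
```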
3.) A Contact form
Really, THE ONLY WAY to save you from the need to publish your e-Mail address on the Web while still allowing people to contact you by e-Mail is to use a Contact form.
The first two methods still leave your e-Mail address wide open for nefarious types to find with a little bit of effort.
A contact form removes the need to publish an e-Mail address entirely, making it much more difficult to find.
Using a contact form also comes with some advantages for analytics and visitor tracking (if you're into that kind of thing).
Conclusion
While just publishing a link to your e-Mail address may save you some time and look neater, that saving is nothing compared to the pain of deleting SPAM e-Mail every morning after your e-Mail address ends up on SPAM lists around the globe.
All iASP powered websites come standard with a Contact form module, and customised versions are one of many options available.
If you're unsure of how to add a Contact form to your iASP powered website, or you'd like some advice about publishing an e-Mail address, Get in Touch.
What's your Opinion? Do you proudly publish your e-Mail address in the open? Let's discuss on our iASP Central Facebook Page, or Get in Touch.
Our 5 Tips to Avoid Domain Name Scams
Since our beginnings as Canberra-based Internet Service Provider ACTWEB.NET in the 1990s, we've learned that Domain Name related issues are one of the most common causes of significant service issues on the Internet.
Sadly we've also seen many scams and cons that take advantage of unsuspecting Domain Name owners.
In this article we highlight the most common Domain Name related scams and list our top tactics to help make managing your Domain Names a breeze and avoid falling victim to the scammers.
Common Domain Name Related Scams
There are several different types of common Domain Name related scams.
Many involve a variation on the theme of sending Domain Name owners what appears at a glance to be a legitimate invoice for Domain Name Registration renewal.
The fake Domain Name Registration renewal scams usually fall into one of three categories:
- 1: An invoice from a source claiming to be the Domain Registrar for a real Domain Name that is in fact registered with another Domain Registrar
- 2: An invoice for a different version of a real Domain Name: either a closely related spelling (e.g. if the real domain is abc.com the invoice might be for acb.com) or an entirely different extension of the domain name (e.g. abc.net)
- 3: An invoice for a totally unrelated service that is carefully worded to mimic the appearance of a legitimate Domain Name Registration renewal, such as the one pictured on this page.
The image on this page relates to a scam we received recently from http://www.trafficdomainer.com.
The scam relates to an actual Domain Name we owned at the time: iaspestore.com.
The scam message arrived via e-mail within days of the actual registration renewal date of the Domain Name.
The sender of the e-mail was marked as "Domain Service", and the subject was "iaspestore.com notice".
The notice was properly addressed and contained the words at the top: ATTENTION: IMPORTANT NOTICE.
Of course, when you read the fine print, they are actually selling "SEO domain name registration" - whatever that is - apparently a totally unrelated service, and the message later warns that "failure to complete...may make it difficult for customers to find you on the web".
Which is 100% BS!
While most of the Domain Name registration scams arrive via e-mail, some arrive in the form of physical mail.
We also recently received a very similar scam to the one above via the post - supposedly from an Australian based organisation, whom we reported to Justice Victoria.
Domain Name scams that originate overseas can contain give-aways in the form of poor spelling and grammar, but those sent by Australian based organisations can be harder to tell apart from the real thing.
What makes some of these scams so successful is they not only appear to come from Australian based organisations, but they contain accurate Domain Name owner contact information and are often well timed to coincide with the actual Domain Name registration renewal date.
The good news is that when armed with just a little information about your Domain Names, even the most official looking scams become much easier to spot.
Our Top 5 Tips to Avoid Domain Name Scams
Tip 1:
When you register a Domain Name, create a calendar reminder to renew the domain name 1 month before the due date. Be sure to also make a note of the Domain Name Registrar you used to register the domain name.
Tip 2:
If you have multiple Domain Names registered via different Domain Registrars, or held in multiple accounts with a single Domain Registrar, consolidate all the Domains into a single account for easy management.
Provided all your Domain Name contact details are current, transferring Domain Names between Registrars and Registrar Accounts is a very straightforward process.
Tip 3:
Make sure the contact details associated with all your Domain Names, especially the Registrant e-mail address (where renewal notices are sent), are current.
Tip 4:
If you buy or sell any type of operation where Domain Names are involved be sure to provide or request a letter signed by both buyer and seller addressed to the relevant Domain Registrar on the official letter head of the seller explaining that transfer of ownership has occurred.
Be sure to follow up with the relevant Domain Name Registrar until the Whois Registry is updated with the new Domain Name ownership details.
Tip 5:
When a Domain Name Registration renewal notice arrives, don't ignore it: check it against your list of registered Domain Names. Does it come from the actual Registrar of a Domain Name that you are expecting to expire? One of the consequences of the prevalence of Domain Name related scams is that legitimate renewal notices often go ignored. This year alone three of our clients have experienced the inconvenience of website and e-mail services going off-line for extended periods because they ignored legitimate Domain Name Registration renewal notices.
Summary
If you select a reputable Domain Name Registrar and follow the advice outlined in our 5 tips above you'll be a long way in front of most of the current Domain Name scams you're likely to encounter.
Unfortunately, clever new scams surface from time to time, so keep an eye on the Australian Government's SCAMWATCH website and other sites such as your local State based Australian Consumer Affairs website.
If you're unlucky enough to fall victim to a Domain Name related or any form of scam please don't be embarrassed and report the matter to the relevant authorities, that way other potential victims can be educated and warned of the dangers.
10 Ways To Satisfy Your Customer's Privacy Concerns
In case you missed it, last week was Privacy Awareness Week.
With over 700,000 Australians becoming victim to on-line identity theft in just the past year, protecting customers on-line privacy is one of the most critical issues website publishers must consider.
Under Australian Law, the privacy rights of Australians are protected by the Privacy Act 1988 (Privacy Act), which relates to the protection of personal information about an individual that does or could identify them.
According to the Office of the Australian Information Commissioner, the Privacy Act outlines the "standards, rights and obligations for the handling, holding, accessing and correction of personal information" which privacy law aims to protect.
It may surprise you to know that most Australian small businesses are not covered by the Privacy Act, meaning they have no responsibility to ensure the privacy of their customer information.
There are however moral and commercial pressures: online privacy is already so important to some customers that it is a determining factor when choosing one eStore over another.
So what can eStores do to allay the fears of increasingly privacy-conscious customers?
We've put together 10 simple but powerful tactics that website owners can use to reduce the fears of customers that are concerned about their on-line privacy:
- Ensure that areas of the website that collect personal information (such as the registration form or the checkout payment page) are secured using HTTPS - Consumers are now learning to "look for the lock" and discriminate if they don't see it. (Pro Tip: make the whole website HTTPS secure.)
- Only collect personal details that are absolutely necessary to conduct business - If you don't need it to conduct your business, don't collect it. The more personal information a customer has to fill into a form, the more wary they become. (Pro Tip: never collect a customer's date of birth unless it is a legal requirement for your industry.)
- Have a clear and easy-to-understand Privacy Policy that is easily accessible and visible - Don't just put your Privacy Policy in a small link at the bottom of your website; link to it wherever you are collecting personal information and make it very clear that privacy is important to you.
- Clearly state the personal information that you will AND will not collect and what you will do with it - This lets customers know exactly what personal information they need to provide and why.
- Give visitors access to view the information that has been collected about them, and allow them to update it easily.
- Don't use sensitive personal information which could identify a customer in e-Mail or newsletters - e-Mail is an insecure medium. Not only is it a bad idea to include sensitive personal information in e-Mail, it also decreases customer confidence when they see their personal details being sent over an insecure medium. (Pro Tip: never send a clear-text password in an e-mail; instead send a partially masked password hint or, preferably, allow the customer to reset their password securely.)
- Encourage your customers to protect their personal information by using strong passwords, and to change them regularly - Protecting privacy is as much a responsibility of the customer as it is of the business.
- Where appropriate, allow visitors to interact with your website anonymously - It isn't always necessary to collect personal information to conduct business. This may just be a case of allowing the customer to browse without needing to register first, or allowing them to post comments anonymously.
- Opt in to the Australian Privacy Act, and advertise this fact - Show your commitment to good privacy practice by opting into the Australian Privacy Act. Doing so will have your business name added to the public Opt-In Register, which can increase consumer confidence and trust.
- Have a data breach response plan - As some organisations such as eBay have learned, honesty and open communication are the best policies for keeping customers informed. A response plan will not only decrease the impact on the affected individuals; having such a plan can also improve customer confidence.
Personal privacy is a very important part of everyday life, and this extends to using the Internet including sending and receiving e-mail, browsing the Web, using social media and especially shopping on-line.
Anything website and eStore operators do to improve customer confidence, including addressing increasingly important privacy concerns, should improve customer experience and satisfaction, and a happy customer is much more likely to be a returning customer.
If you are unsure whether your business needs to comply with the Australian Privacy Act, you can use the OAIC Privacy Checklist for Small Business.
How to Crack a Password in 3 Easy Steps
With news that 1.6 billion internet username/password combinations have been stolen by a gang in Russia, it goes without saying that updating your passwords and ensuring that you use strong passwords is as important and as urgent as ever!
We often hear about the need for stronger passwords and tips for creating secure passwords, but we don't often hear why.
Cracking a password is as easy as:
- Download a password cracking application
- Enter the password length and the character sets to try (numbers, lower-case letters, upper-case letters, symbols/special characters)
- Press Go.
Basically, the program will use what is called a Brute Force method to go through every possible combination of letters, numbers and special characters within a defined set until it gets a match.
The stronger the password you use, the longer it will take for this method to match the combination that is your password.
For example: Your password is simply 12345.
Using the Brute Force method, the software will try 0, all the way to 9. Then it will try 00, 01, 02, etc. Then move to 000, 001, 002, etc. Until it finally tries 12345, and BINGO! It's cracked it. A smart program might even start at 1, then try 12, then 123; cracking your 12345 even faster.
Now compare this to a password that is also 5 characters, but has capital letters, lower case letters, numbers and special characters - 1tWo# for example. Now the program has to go through significantly more combinations to find a match. Make the password longer, and the number of possible combinations jumps even higher.
This is why it is highly recommended that you create and use passwords that are at least 8 characters long, and use a combination of numbers, lower-case letters, upper-case letters AND symbols / special characters.
Change your passwords regularly (at least every 6 months), and don't use a password elsewhere if you are using it for something sensitive like on-line banking.
The reason for changing every 6 months is keep your password fresh. If someone does manage to obtain your password, by the time they try to use it, you have already changed it.
HCD Tactic: Use a short, memorable phrase or word combination as your password. Make it something that is difficult for others to guess, swapping some characters for capital letters, and adding some numbers and symbols at the start and at the end (or anywhere in between). For example: $24ILikeCoffee68$.
There are many websites that help you to test the strength of your passwords, and can show you how quickly your password would be cracked by hackers. There are even websites that show how predictable your password is - that is, if you use words to make up your password, software can predict what the next character is more likely to be based on character combinations seen in words.
A list of on-line password strength calculators and testers:
- How Secure is my Password is a great website to test the strength of a password before using it, and the website will show you how long it would take a normal desktop computer using Brute Force software to crack your password.
- Telepathwords is also good to test how predictable your password will be for more advanced password cracking software.
- This password strength tester by rumkin.com also explains the logic behind choosing a strong password a little better, and is worth reading.
- And the interactive brute force search space calculator provided by the Gibson Research Corporation explains everything even further.
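What those calculators compute, as an added example that is not part of the original article: a small JavaScript search-space calculator applied to the article's own passwords (12345, 1tWo# and $24ILikeCoffee68$). The symbol-class size of 33 and the guess rate passed to secondsToExhaust are assumptions of this example.

```javascript
// Added example, not from the original article: a brute-force search-space
// calculator of the kind the linked GRC page provides, written from scratch.
// Constructed assumption: the symbol class is the 32 ASCII punctuation
// characters plus the space, 33 in all; other calculators count differently.
const DIGITS = "0123456789";
const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";

// The alphabet a brute force would have to try, taken from the classes the
// password actually uses (the article's "combinations to try"). An attacker
// does not know this in advance, so the figures below are a lower bound on
// the work, not a guarantee.
function alphabetFor(password) {
  const chars = Array.from(password);
  const alphabet = [DIGITS, LOWER, UPPER, SYMBOLS]
    .filter((cls) => chars.some((ch) => cls.includes(ch)))
    .join("");
  for (const ch of chars) {
    if (!alphabet.includes(ch)) throw new Error("unsupported character: " + ch);
  }
  return alphabet;
}

// Every string of length 1..L over the alphabet. BigInt, because 95^17
// (the article's $24ILikeCoffee68$) is far beyond a double's exact range.
function searchSpace(password) {
  const n = BigInt(alphabetFor(password).length);
  const len = Array.from(password).length;
  let total = 0n;
  for (let k = 1; k <= len; k++) total += n ** BigInt(k);
  return total;
}

// Position of the password in the order the article narrates: all shorter
// strings first, then length-L strings counted like a base-N number.
// For "12345" with digits only this is guess number 23456.
function guessesUntilMatch(password) {
  const alphabet = alphabetFor(password);
  const n = BigInt(alphabet.length);
  const chars = Array.from(password);
  let shorter = 0n;
  for (let k = 1; k < chars.length; k++) shorter += n ** BigInt(k);
  let value = 0n;
  for (const ch of chars) value = value * n + BigInt(alphabet.indexOf(ch));
  return shorter + value + 1n;
}

// Worst-case seconds to exhaust the space at a given guess rate. The rate is
// the caller's assumption, and brute force is only one attack: a dictionary or
// pattern search (the Telepathwords point above) finds word-based passwords
// far sooner than these figures suggest.
function secondsToExhaust(password, guessesPerSecond) {
  return Number(searchSpace(password)) / guessesPerSecond;
}
```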
What are your thoughts? Share on the iASP Central Facebook Page, or Get in Touch.