Vulnerability Scanned Websites

To me, shopping on the Internet is the best thing to have ever happened to mankind since the invention of the internet itself.

According to a recent study, 51% of Americans prefer to shop online rather than in stores, and 96% of American adults have made an online purchase at some point in their lives.

Impressive numbers, don’t you think? That is why e-commerce is estimated to be growing at a rate of 23% every year.

The problem of website vulnerability has been a major concern for e-commerce websites.

Hackers are more and more prevalent – as seen this week in the huge Equifax data breach that saw the identity theft of 143 million people in the US, Canada and United Kingdom.

Vulnerability scanning involves the use of computer programs designed to assess computers, websites, networks or applications for weaknesses that can be exploited by hackers and identity thieves. These scans are used to discover the weak points or loopholes in website designs. Currently, Trust Guard scans for more than 75,575 of these security holes. Unsafe websites are a very big problem for e-commerce owners because they require their customers to submit sensitive information to make their purchases. Imagine how useful this information would be in the hands of identity thieves. From credit card information to mailing addresses, phone numbers, account details and photographs, it’s like giving these thieves the key to your home, bank account and your office.

Your customers worry about the safety of their personal information when they visit your website.

They worry about the vulnerability of your website. Ask yourself this: why should I save my money in a bank that has a massive hole in the side of its vault through which anyone can have free access? Your customers need to feel as safe using your website as they do at their bank. Look at things from the perspective of your customers. Why would they give their personal information to a website that isn’t safe?

As an online shopper, you should only shop on websites that have been thoroughly scanned for vulnerabilities by a reputable website protection company. Website protection companies like Trust Guard are able to completely uncover a website’s vulnerabilities and instruct the website owner how to fix them. How can you identify e-commerce websites that are free from vulnerabilities? Quite simple. You can check websites for security trust seals. Security scanned trust seals are an indication that the website you’re shopping on is safe.

We know that everything on the internet is hackable. However, it will take expertise and focus for hackers to attack a vulnerability-free website.


 

This article was written by Emmanuel Ozigi, a biochemist in the making from Nigeria. In my spare time, I’m a science, health, and fitness blogger. I also specialize in graphic design and photo editing. I also have this insatiable hunger for information and the desire to learn new things. Visit my blog at http://sciencehealth24.com.

 

Hackers Can Access Millions of Smart Phones!

Using a malicious app, hackers could access Android-specific security vulnerabilities from Qualcomm chipsets.

Since 1993, DEF CON has been holding its annual hacker conventions in Las Vegas. At one of the largest such conventions in the world, security companies like Trust Guard share information about the security (and lack thereof) of online and mobile devices and apps. As one of the oldest such organizations, DEF CON is privy to much of the available information concerning security breaches – be they online or, more recently, mobile.

2016 was no different. This year computer security firm Check Point and its mobile threat research team revealed details of what it says are a set of “four vulnerabilities affecting 900 million Android smartphones and tablets that use Qualcomm® chipsets.” They call the set of vulnerabilities QuadRooter.


QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets. The drivers, which control communication between chipset components, become incorporated into the Android “builds” that manufacturers develop for their devices. Check Point says that since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

Some of the latest and most popular Android devices found on the market today use these Qualcomm chipsets, including:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

If you are using one of the above devices, we suggest you go to your phone distributor or carrier to get the patch to fix the security hole as soon as possible. If you have a website, we recommend using Trust Guard’s security scanning software to protect your site from online cyber security threats.

This type of extensive security problem shows how vulnerable our mobile devices are to security threats from hackers. These four vulnerabilities, of course, aren’t all the vulnerabilities. And Qualcomm isn’t the only maker of chipsets with bugs in them. For all app users, whether on Android, Apple’s iOS, or others, all it takes is to download the wrong app and, often without even realizing it, our personally identifiable information will have been hacked.

Special thanks to Sky Valley Chronicle for much of the information about the vulnerabilities found.

 

 

Three Tips to Keep Hackers Away from Your Website


Did you know that, on average, 20 WordPress websites and blogs are hacked every minute of every day? With hackers making more and more money, and more hackers showing up every day because of it, it’s no wonder online business owners are finally starting to take internet security seriously.

Here are a few tips to help keep your website safe from hackers:

Keep Software Updated

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them. If you are using a managed hosting solution then you don’t need to worry so much about applying security updates for the operating system as the hosting company should take care of this.

If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco, and many other CMS programs notify you of available system updates when you log in.

Keep Error Messages Generic

Be careful with how much information you give away in your error messages. For example, if you have a login form on your website, you should think about the language you use to communicate failure when attempting logins. You should use generic messages like “Incorrect username or password” so as not to reveal when a user got half of the query right. If an attacker tries a brute force attack to get a username and password and the error message gives away when one of the fields is correct, then the attacker knows he has one of the fields and can concentrate on the other field.
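The contrast described above, as an added example that is not part of the original article: a login check whose messages reveal which field was wrong, next to one that returns the same message for every failure. The in-memory user store, the function names and the PBKDF2 settings are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Incorrect username or password"
ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_password(password, salt):
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(accounts):
    """Build a constructed in-memory store: username -> (salt, hash)."""
    store = {}
    for username, password in accounts.items():
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


# Placeholder record checked when the username is unknown, so both failure
# paths perform the same hashing work as well as returning the same message.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("placeholder", DUMMY_SALT)


def login_leaky(store, username, password):
    """Pattern to avoid: each failure message says which field was wrong."""
    if username not in store:
        return False, "Unknown username"
    salt, stored = store[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Wrong password"
    return True, "Welcome"


def login_generic(store, username, password):
    """Same message for every failure, whichever field was wrong."""
    salt, stored = store.get(username, (DUMMY_SALT, DUMMY_HASH))
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    # The username check keeps the placeholder record from ever logging in.
    if username in store and password_ok:
        return True, "Welcome"
    return False, GENERIC_ERROR


def failure_messages(login, store, known_user):
    """Collect the distinct messages a login function gives for bad attempts."""
    attempts = [(known_user, "wrong-guess"), ("no-such-user", "wrong-guess")]
    return {login(store, user, pw)[1] for user, pw in attempts}


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery"})  # constructed
    print("leaky:  ", sorted(failure_messages(login_leaky, users, "alice")))
    print("generic:", sorted(failure_messages(login_generic, users, "alice")))
```

A login form that yields more than one distinct failure message in `failure_messages` is telling the person at the keyboard which half of the credentials to keep guessing.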

Utilize Website Security Tools

There are other tips, of course, like updating unique passwords, keeping your SSL active and being careful of file uploads, but once you think you have done all you can, then it’s time to test your website security. The most effective way of doing this is via the use of some website security tools, often referred to as malware and vulnerability scanning. Companies like Trust Guard can periodically monitor your website for potential issues and warn you if any are found. High-risk issues need to be fixed immediately to keep hackers from infiltrating your site, which could cause you economic, legal, and reputational problems.

As a side benefit, their trust seals (small images that you can display on your front and check-out pages) show customers that website security is one of your top concerns. They will feel safer shopping on your site and consequently more of them will buy from you. Visit Trust Guard today!

Tarrant County, Texas Latest Victim of Ransomware Attacks

Tarrant County, the third largest county in Texas, was the most recent victim of ransomware attacks.

Luckily the county reacted quickly to the attacks and damages were minimized. Ransomware is a sophisticated piece of malware (malicious software) that blocks the victim’s access to his/her files until a sum of money is paid.

There are two types of ransomware:
1. Encrypting ransomware, which incorporates advanced encryption algorithms. It is designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content.
2. Locking ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted, but the attackers still ask for a ransom to unlock the infected computer.

Why ransomware creators and distributors target businesses:

  • Because that’s where the money is;
  • Because attackers know that ransomware can cause major business disruptions, which will increase their chances of getting paid;
  • Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means;
  • Because the human factor is still a huge liability which can also be exploited, but through social engineering tactics;
  • Because ransomware can affect not only computers but also servers and cloud-based file-sharing systems, going deep into a business’s core;
  • Because cyber criminals know that businesses would rather not report ransomware attacks for fear of legal or reputation-related consequences;
  • Because small businesses are often unprepared to deal with advanced cyber attacks (which ransomware is) and have a lax BYOD (bring your own device) policy.

Tarrant County, Texas noticed the issue when an employee realized files had been locked. An emergency computer incident team was able to isolate the employee’s files to ensure the ransomware did not spread throughout the network. They then restored the files and had everything back up and running as normal within an hour.

The type of ransomware that attacked Tarrant County has not been disclosed. The Star-Telegram reported that the county did not pay any form of ransom to recover the files. The county certainly handled the attack in the most appropriate way possible. The response team was fast acting, and due to their quick response, the negative results were mitigated.


If you find yourself victim to a ransomware attack, we encourage you to follow these five steps:

  1. Do not pay the ransom – If you do, you’re just giving the hackers a reason to keep hacking.  Use your backup files to restore your systems.  Again, don’t pay!!
  2. Inform the FBI – By informing the FBI they can investigate to potentially bring legal action against the hacker.  All cyber criminal activity should be reported to the federal IC3 agency.  You can file a complaint with them here.
  3. Communicate with your current security software company – Trust Guard, the leader in website security, helps thousands of companies keep their websites safe from ransomware and other malware attacks by providing business owners with scheduled vulnerability scans and accompanying detailed reports. If you don’t have an online security partner, you’re just asking for trouble. Companies like Trust Guard also provide seals – small images that you display on your site to show online visitors that you care about your website’s security. Such trust seals have been proven to increase sales and conversion rates by an average of 15%!
  4. Educate yourselves and your employees – Many times we attend one training, or listen to one webinar and consider ourselves educated on the matter.  This cannot be further from the truth.  Continued education on current cyber-security threats is imperative.
  5. Reevaluate your security software protection – If your security software has failed you, perhaps you should look for an alternative, more dependable security option.

Special thanks to Tech Talk for some of the information provided in this article.

What is PII?

With so much emphasis on the security of our personal data lately, with Pokemon Go being the latest culprit (see article here), personally identifiable information (PII) is something we all should understand.

Any data that could potentially distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. To be sure, this article isn’t talking about the pie you eat or the one associated with mathematical equations.

NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” So, for example, a user’s IP address is not classed as PII on its own, but is classified as linked PII (see Section 3.3.3 under “Identifiability” for more detail). Also see the ruling in which a federal judge in the District of New Jersey dismissed on the pleadings a VPPA claim against Viacom on the grounds that device identifiers, cookie IDs, and IP addresses, when linked to video titles, are not personally identifiable information.

The concept of PII has become prevalent as information technology and the internet have made it easier to collect PII through breaches of online and network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. In hacker slang, the practice of finding and releasing such information is called “doxing”. It is sometimes used to deter collaboration with law enforcement. On occasion, the doxing can trigger an arrest, particularly if law enforcement agencies suspect that the “doxed” individual may panic and disappear. To protect your site from hackers, we suggest that you monitor the security of your site with industry leader Trust Guard. As a response to these threats, many website privacy policies specifically address the gathering of PII, and lawmakers have enacted a series of laws to limit the distribution and accessibility of PII.

However, PII is a legal concept, not a technical concept. Because of the versatility and power of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with others. These attributes have been referred to as quasi-identifiers or pseudo-identifiers.

The following data, often used for the express purpose of distinguishing individual identity, clearly classify as PII under the definition used by the National Institute of Standards and Technology.


  • Full name (if not common)
  • Home address
  • Email address (if private from an association/club membership, etc.)
  • National identification number
  • Passport number
  • IP address (when linked, but not PII by itself in US)
  • Vehicle registration plate number
  • Driver’s license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Date of birth
  • Birthplace
  • Genetic information
  • Telephone number
  • Login name, screen name, nickname, or handle

The following are less often used to distinguish individual identity because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.

  • First or last name, if common
  • Country, state, zip code or city of residence
  • Age, especially if non-specific
  • Gender
  • Name of the school they attend or workplace
  • Grades, salary, or job position
  • Criminal record
  • Web cookie

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as “a 34-year-old white male who works at Target”. Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none sufficient by itself to uniquely identify an individual, may uniquely identify a person when combined; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that, in 1990, 87% of the population of the United States could be uniquely identified by gender, ZIP code, and full date of birth.
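The quasi-identifier effect described above (attributes that identify no one alone but single people out in combination), as an added example that is not part of the original article. It measures, for every combination of gender, ZIP code and date of birth, what share of records is unique and how small the smallest group is; the records are constructed sample data and the function names are assumptions.

```python
from collections import Counter
from itertools import combinations

QUASI_IDENTIFIERS = ("gender", "zip", "dob")

# Constructed sample records with no names or other direct identifiers.
RECORDS = [
    {"gender": "F", "zip": "84057", "dob": "1982-03-14"},
    {"gender": "F", "zip": "84057", "dob": "1990-07-21"},
    {"gender": "F", "zip": "84604", "dob": "1982-03-14"},
    {"gender": "F", "zip": "84604", "dob": "1990-07-21"},
    {"gender": "M", "zip": "84057", "dob": "1982-03-14"},
    {"gender": "M", "zip": "84057", "dob": "1990-07-21"},
    {"gender": "M", "zip": "84604", "dob": "1982-03-14"},
    {"gender": "M", "zip": "84604", "dob": "1990-07-21"},
    {"gender": "F", "zip": "84057", "dob": "1982-03-14"},
    {"gender": "M", "zip": "84604", "dob": "1990-07-21"},
]


def key_for(record, fields):
    """Project a record onto the chosen quasi-identifier fields."""
    return tuple(record[f] for f in fields)


def group_sizes(records, fields):
    """Count how many records share each combination of field values."""
    return Counter(key_for(r, fields) for r in records)


def unique_fraction(records, fields):
    """Share of records that no other record matches on these fields."""
    sizes = group_sizes(records, fields)
    singled_out = sum(1 for r in records if sizes[key_for(r, fields)] == 1)
    return singled_out / len(records)


def k_anonymity(records, fields):
    """Size of the smallest group; k == 1 means someone is singled out."""
    return min(group_sizes(records, fields).values())


def sweep(records, fields=QUASI_IDENTIFIERS):
    """Report (unique fraction, k) for every non-empty combination of fields."""
    report = {}
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            report[combo] = (unique_fraction(records, combo),
                             k_anonymity(records, combo))
    return report


if __name__ == "__main__":
    for combo, (fraction, k) in sweep(RECORDS).items():
        print(f"{' + '.join(combo):20} unique={fraction:.0%}  k={k}")
```

Running the same sweep over a real export before it is shared shows which column combinations need to be dropped or coarsened.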

Report Shows an Increase in DDoS & Web App Attacks

According to Akamai’s State of the Internet/Security Report for Q1 of 2016, there has been an increase in DDoS and web app attacks.

For those of you who might not know, DDoS is short for Distributed Denial of Service. DDoS is a type of Denial of Service (DoS) attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a DoS attack.

According to the report, there has been a 23% increase in DDoS attacks and a 26% increase in web application attacks, compared with Q4 2015, setting new records for the number of attacks in the quarter. Repeat DDoS attacks also rose, with an average of 29 attacks per targeted customer, including one customer who was targeted 283 times.

PCI compliant security scanning from Trust Guard can help protect your website from hackers by monitoring the level of security of your site. They then send you a detailed report to inform you that your site is safe or that one or more of over 75,406 vulnerabilities that hackers use to infiltrate sites and servers are readily accessible to them.

With this report, you and/or your hosting company can quickly repair the issue. A new scan of your site from Trust Guard will show whether or not you fixed the issue. Once your site passes its scan, they will continue to monitor – since new vulnerabilities are being found every day.

If you’d like, Trust Guard can even provide you with a trust seal to display at strategic locations on your website (above the fold and on your check-out page) so that you can show your online visitors and potential customers that you take their safety and security seriously. These seals are guaranteed to increase your online sales.

For a free scan to see where you stand regarding your website’s level of security and potential for web app attacks, visit freepciscanning.com.

To view the entire report from Akamai, click here.

Feel Safe & Secure with Trust Guard

Website security is one of the biggest priorities for online shoppers.

When they visit a website, they hope that it is a legitimate site. They’ve heard the horror stories. They’ve maybe even starred in a few of them. Internet shoppers are concerned about mean, greedy predators that are looking for ways to steal their personal information and take their money.

Online business owners want their visitors to have enough peace of mind that they will feel comfortable when visiting their site – so much so that shoppers will want to purchase their products and tell all their friends and family members about how amazing the experience was for them. They want visitors to feel all warm and fuzzy when they see their logo.

That’s where Trust Guard, the leader in website security and verification, comes in. They provide the trust and confidence your customers need to become buying customers by providing images (trust seals) for you to display on your website. These images show people visiting the site that you are a real company that cares about their safety and security. 

Trust Guard is the best in the business at instilling trust and confidence in online shoppers. In fact, several comparison tests show that Trust Guard’s seals increase conversion rates on e-commerce sites by an average of fifteen percent. They’re so confident that they provide a double-your-money-back guarantee if you don’t increase your conversion rate using their Security Scanned trust seal. 

Repetitive Trust Guard security scanning is the most effective way to keep hackers out while simultaneously boosting sales. And did we mention it’s super easy? They scan for tens of thousands of vulnerabilities that hackers can exploit to steal from your website. Simply put, Trust Guard finds security holes on your website and server so e-commerce business owners can close them up before hackers can get in.

Once your website is safe (after it has successfully passed the security scan), they provide e-commerce website owners with a trust seal. Owners (or their IT team) then place it above the fold and on their checkout pages and watch as their sales take off. The process to copy and paste the coding onto the website is fast. In just a few minutes online business owners can secure their website, build customer trust and loyalty, prevent hacking attacks, and boost their conversion rate.  This simple process and the fact that Trust Guard’s seals are guaranteed to help e-commerce business owners make more money are two reasons not to hold off any longer. Start growing your business today – with Trust Guard!

Free PCI Scanning

It’s in all the news all the time nowadays. One business or another is getting hacked. If you own a business yourself, you know that one of the best ways to keep your site safe is through PCI scanning. Not only is it one of the best ways, but it is also required to be PCI compliant if you accept credit cards. You know that you want your website to be safe and your customers’ confidential information safe. Did you know that you can get free PCI scanning?

FreePCIScanning.com will scan your website and search for vulnerabilities that hackers may use to access your site.  After the scan is complete, they send you a free detailed report.  If it comes back OK you will have the peace of mind knowing that your site is safe. If it doesn’t pass, they will let you know where the problems are so you can get them fixed. This is a $47 value, for free!

Because new vulnerabilities are found constantly, you should always get scanned periodically even after your free scan. The Payment Card Industry requires that you scan at least quarterly.  Trust Guard is another company that will help you with PCI Scanning. They can scan your site daily, weekly or monthly to keep your site safe and secure for a low monthly fee. So get started now.  Request your free scan and then keep scanning!
