Wednesday, May 24, 2017

Interesting facts

Wal-Mart will spend millions this year to update hundreds of stores, including 12 stores in Michigan. The effort is meant to connect in-store and online shopping, and features changes such as moving in-store pickup to the front of stores, tests of a click-and-collect grocery service, a dedicated lounge area for customers picking up orders, lower shelving and more signs. Start looking: I am starting to see Walmart change, such as adding more self-checkout lanes, and guess what, they are being used!

More info about retailers:

IKEA Group has promoted Jesper Brodin, a 22-year veteran of the Sweden-based furniture retailer, to CEO, effective Sept. 1. Brodin succeeds Peter Agnefjall and will continue the company's focus on growing its online efforts, said IKEA Chairman Lars-Johan Jarnheimer.

 Macy's has expanded a self-serve model in its shoe department to three Chicago stores and it expects to roll out the change to all stores by July. Associates will still be on hand to help shoe shoppers, but the new setup gives customers the option of bypassing help, and early tests in select markets led to higher shoe sales, Chief Financial Officer Karen Hoguet said.

In Nebraska, malls are still thriving; look at the end of this short article:
Locally, Nebraska Crossing Outlets in Gretna has been fully leased since its opening three years ago, developer Rod Yates said. The outlet mall also is wrapping up an expansion that will house an Ulta store and an H&M, to open in August. Yates attributes the center's success to its mix of tenants, many of whom are new to the market, and a technology platform that allows the mall to collect data on its customers and where they shop. Collecting data is the key: know your customer!

React to change and prosper:

What new retail benchmarks say about the way we shop now
Consumers have been quick to make new technology a part of their lives and expect retailers to do the same. NRF's Jessica Hibbard looks at the latest NRF-FitForCommerce Omnichannel Retail Index to see how retailers are adding features that make it easier for shoppers to discover products, get what they want and collect rewards for coming back again. 

The NRF-FitForCommerce Omnichannel Retail Index tracks retailer implementation of 200 digital and multichannel features — those deceivingly small considerations that make an outsized difference on the shopping experience — and found a double-digit increase in adoption rates on several types of initiatives. From the first study conducted in August 2015 to the most recent analysis in October 2016, online and multichannel retailers have been adding features that make it easier for shoppers to discover products, get what they want and collect rewards for coming back again.

Generation Z??

Mathews also dissects Uniquely Gen Z, an extensive NRF/IBM research study about the youngest generation of consumers. The rise of social media and evolving technologies has ushered in rapid change, and the upheaval will continue as Generation Z gains even more spending power.
"They're impatient," Mathews says, speaking about the differences between Gen Z and older generations. "They want things now." Listen to this episode of Retail Gets Real to learn how retailers can better meet Gen Z's needs and earn their trust early in their careers as consumers.

It is through technology at all levels that retailers, and business in general, will grow and thrive. Another example of a way to get customers to buy faster and to direct them within a store is the product line from COOL-ADS™:
  • Energize your P.O.P. advertising and increase sales with sensory messaging.

    Bring your P.O.P. advertising out of the dark ages with beautiful backlit graphics.
    Command your shoppers' attention and drive sales higher with sensory messaging. Backlit LEDs are incorporated into a design structure that diffuses light across the entire panel. Create whatever messages/designs you want. They print easily on inexpensive transparent sheets and can be installed within seconds. A motion detector module controls the automatic on/off and sleep functions. The unit is battery powered, using 8 AA batteries located in an easily accessible compartment. This captures attention in a store and gets a shopper to the product faster! Once again, a retailer can assist shoppers and make them happy, thus hopefully bringing them back again and again.

If you are interested in products from Cool-Ads™, let me know and I can guide you, or visit their web page at

More to come soon about retail and about new technology!

Joe Rossini

Tuesday, May 16, 2017

Solar panels and the law: Can you stop your neighbor from blocking your sunlight?

I know this has nothing to do with the web, but I am a big solar guy, so if you like solar, read this. It is interesting and might affect us in the USA one day.

Important notice on a new Ransomware

National Cyber Awareness System:

05/12/2017 09:36 PM EDT

Original release date: May 12, 2017 | Last revised: May 15, 2017

Systems Affected

Microsoft Windows operating systems


According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.
The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.


Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails.

Technical Details

Indicators of Compromise (IOC)

IOCs are provided within the accompanying .xlsx file of this report.

Yara Signatures

rule Wanna_Cry_Ransomware_Generic {
       meta:
              description = "Detects WannaCry Ransomware on Disk and in Virtual Page"
              author = "US-CERT Code Analysis Team"
              reference = "not set"
              date = "2017/05/12"
              hash0 = "4DA1F312A214C07143ABEEAFB695D904"
       strings:
              $s0 = {410044004D0049004E0024}
              $s1 = "WannaDecryptor"
              $s2 = "WANNACRY"
              $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
              $s4 = "PKS"
              $s5 = "StartTask"
              $s6 = "wcry@123"
              $s7 = {2F6600002F72}
              $s8 = "unzip 0.15 Copyrigh"
              $s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"
              $s10 = "Global\\WINDOWS_TASKCST_MUTEX"
              $s11 = {7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163}
              $s12 = {6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68}
              $s13 = "WNcry@2ol7"
              $s14 = "wcry@123"
              $s15 = "Global\\MsWinZonesCacheCounterMutexA"
       condition:
              // "and" binds tighter than "or": four AND groups plus three single strings, OR-ed together
              $s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15
}

/*The following Yara ruleset is under the GNU-GPLv2 license ( and open to any user or organization, as long as you use it under this license.*/
rule MS17_010_WanaCry_worm {
       meta:
              description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
              author = "Felipe Molina (@felmoltor)"
              reference = ""
              date = "2017/05/12"
       strings:
              $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
              $ms17010_str3 = "Windows for Workgroups 3.1a"
              $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
              $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
              $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
       condition:
              all of them
}

Initial Analysis

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.
The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.
The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.
This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network where it is operating.


Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.


Recommended Steps for Prevention
  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing. 
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. 
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. 
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
  • Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
  • Have regular penetration tests run against the network. No less than once a year. Ideally, as often as possible/practical.
  • Test your backups to ensure they work correctly upon use.
Recommended Steps for Remediation
  • Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
  • Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup. 
Defending Against Ransomware Generally
Precautionary measures to mitigate ransomware threats include:
  • Ensure anti-virus software is up-to-date.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.
Report Notice
DHS and FBI encourage recipients who identify the use of tool(s) or techniques discussed in this document to report information to DHS or law enforcement immediately. We encourage you to contact DHS's National Cybersecurity and Communications Integration Center (NCCIC) ( or 888-282-0870), or the FBI through a local field office or the FBI's Cyber Division ( or 855-292-3937) to report an intrusion and to request incident response resources or technical assistance.


Revision History

  • May 12, 2017: Initial post
  • May 14, 2017: Corrected Syntax in the second Yara Rule
  • May 14, 2017: Added Microsoft link to patches for Windows XP, Windows 8, and Windows Server 2003
  • May 14, 2017: Corrected Syntax in the first Yara Rule


Tuesday, May 9, 2017

Social Networking security

Often we get on a social network and do not think anything about security, but we should. Hackers, as the past election might have shown, can do some amazing things, so you must be vigilant. Here is some info about Twitter:

Twitter: Beware of shortened URLs

Twitter is a valuable source of real-time information. During the devastating Japanese earthquake and tsunami in March, Twitter users shared information and helped raise funds. Unfortunately, as often happens, scammers try to channel that goodwill for their own gain. A Twitter scam impersonating the British Red Cross asked tweeters to send money via MoneyBookers to a Yahoo email address in one Japanese tsunami charity scam. In another scam, emails resembling Twitter notifications included dangerous links disguised as a tsunami video. If you clicked on this link, malicious JavaScript could infect your computer.
Twitter users often shorten URLs via and other services to keep tweets within their 140 character limit. Hackers can also create shortened URLs to easily redirect you to malicious sites, since the URL itself gives you no indication of the site name. Although most shortened URLs are legitimate, if a link brings you to another page that asks for a Twitter or Facebook password, leave immediately.
Similar to Facebook scams, Twitter messages promise such curiosities as the “Banned Lady Gaga Video,” which takes users to a fake YouTube page. If you click the play button, a window pops up and seeks permission to access your Twitter account. If you grant access, you allow third parties to post messages in your name. Another recent scam, “TimeSpentHere,” promises to tell you how many hours you’ve spent on Twitter. Since it appears to come from a Twitter friend, you may think about clicking on it. But this rogue application actually wants your email address, which could be used later for a phishing campaign or spam.
How about Facebook? Facebook has been working hard to protect their users but read this article and realize there may be some ulterior motives: 

Facebook: Self-XSS, clickjacking and survey scams abound

With so many users, Facebook is a target for scams; it can also expose your personal information far beyond your group of friends.
Users need to remember that Facebook makes money from its advertisers, not users. Since advertisers want to get their message out to as many people as possible, Facebook shares your information to everyone, not just your "friends." And most recently, Facebook's facial recognition technology automatically suggests that friends tag you, unless you turn it off.
Scams on Facebook include cross-site scripting, clickjacking, survey scams and identity theft. One of the scammers' favorite methods of attack of the moment is known as cross-site scripting or "Self-XSS." Facebook messages such as Why are you tagged in this video? and the Facebook Dislike button take you to a webpage that tries to trick you into cutting and pasting a malicious JavaScript code into your browser’s address bar. Self-XSS attacks can also run hidden, or obfuscated, JavaScript on your computer allowing for malware installation without your knowledge.
Facebook scams also tap into interest in the news, holiday activities and other topical events to get you to innocently reveal your personal information. Facebook posts such as “create a Royal Wedding guest name” and "In honor of Mother’s Day" seem innocuous enough, until you realize that information such as your children’s names and birthdates, pet’s name and street name now reside permanently on the Internet. Since this information is often used for passwords or password challenge questions, it can lead to identity theft.
Other attacks on Facebook users include "clickjacking" or "likejacking," also known as "UI redressing." This malicious technique tricks web users into revealing confidential information or takes control of their computer when they click on seemingly innocuous webpages. Clickjacking takes the form of embedded code or script that can execute without the user's knowledge. One disguise is a button that appears to perform another function. Clicking the button sends out the attack to your contacts through status updates, which propagates the scam. Scammers try to pique your curiosity with messages like "Baby Born Amazing effects" and "The World Funniest Condom Commercial – LOL". Both clickjacking scams take users to a webpage urging them to watch a video. By viewing the video, it’s posted that you “like” the link and it’s shared with your friends, spreading it virally across Facebook.
Clickjacking is also often tied to “survey scams” which trick users into installing an application from a spammed link. Cybercriminals take advantage of news topics, such as the Osama bin Laden video scam, which takes you to a fake YouTube site in an effort to get you to complete a survey. Scammers earn commission for each person that completes it. Taking the survey also spreads the scam virally to your Facebook friends.
In theory, new Facebook security features provide protection against scams and spam—but unfortunately they’re mainly ineffectual. Self-XSS, clickjacking and survey scams essentially did not exist just a few years ago, but they now appear on Facebook and other social networks on a daily basis.
Our recent social networking poll also asked computer users which social network they felt posed the biggest security risk. Facebook is clearly seen as the biggest risk with 81% of the votes, a significant rise from the 60% who felt Facebook was the riskiest when we first asked the question a year ago. Twitter and MySpace each received 8% of the votes this year, and LinkedIn only 3%.
This information moves fast so keep researching on your own. The above information came courtesy of SOPHOS.

More to come soon.

Joe Rossini

Google and rankings

One area that always seems to be mentioned in rankings is the content on a website. Content is important, so to make sure your website is worthy, or is considered worthy, start by making it interesting. The more people read it, the more the search engines take notice. A static web page that never changes will not rank well, but one that is updated and is read widely is a different story. Here is a tidbit about Google:
The content of your pages is more important than ever before
Google wants to show the best results on the results pages. It's not enough that a page of your website is somehow related to a specific keyword. Your website must be relevant to a particular topic.
Without good content, it will be very difficult to get high rankings. Take your time to develop good content for your website.

Focus focus focus....

Have you ever gone to a website, read an article or two, and become lost as to what the website is really about? An example might be an economic development website that is trying to be all things to all people. Why should I come to your city? Answer it clearly, such as: because we have cheap power, plentiful water and an abundant workforce! OK, that might catch your eye enough to at least read on. Write with a purpose.
Another tidbit about rankings 
Your website needs a clear focus
Websites that deal with many different topics are more likely to be flagged as spam (for example 'How to' websites with thousands of topics). The easier it is to find out what your website is about, the more likely it is that your website will get good rankings.

Do not focus on individual keywords, focus on topics. The pages of your website should contain many different keywords that are all related to the topic of your website.

When making a website, think first: what do I want to achieve? So often I see fluff pages with no idea as to where you want to take the viewer. More facts about rankings:

A clear website structure helps a lot
Google wants to find out what your website is about. If your website structure helps Google to understand your pages, it is more likely that your pages will get good rankings.

Use categories and sub-categories, use folders and an easy to understand website navigation menu. Breadcrumb navigation also makes it easier to understand the structure of your website: Homepage > Category > Sub category > Tag > Page viewed

More to come; the topic of rankings constantly changes, but the worth of your website, how you tell your story, is always important. My company writes web pages, so if you need help, let me know and I can guide you.

More to come

Joe Rossini

Thursday, May 4, 2017

SEO and reporting

I am a big believer in reporting and I use it. Reporting can tell you where you are going and whether what you are doing is working. If you are spending money on advertising your company, why not see if that advertising is working? A good reporting package can cost as little as "free". Why not see what pages on your website are being visited, and by whom? Why not see how long people stay on your website? My customers get weekly reports on how their website is doing; shouldn't you?
Did you know that: If you’re not currently tracking your online marketing efforts, you’re not alone. But that’s still not a good excuse. Did you know that…
Think of those numbers and ask why not? Some of you spend tens of thousands of dollars on building a website then do not evaluate it.  If you want reporting let me know and I can guide you.
More to come soon.

Joe Rossini

Tuesday, May 2, 2017

The growth of mobile and retail and e commerce

  • About 89% of retailers plan to put mobile solutions in the hands of their store associates over the next three years, according to new research from Boston Retail Partners.
  • The BP Special Report – The Mobile World of Retail states that retailers are expanding the use of mobile technology by giving associates mobile devices and apps with specific aims to use them for customer identification, customer engagement, associate training and task management, point of sale (POS) and payments.
  • Regarding those last two, the report also found that about 84% of retailers will use mobile point-of-sale systems in their stores by 2020, and that acceptance of mobile payments by retailer is increasing rapidly with fewer retailers taking a wait and see approach.
Another recent survey from Tulip Retail showed that many customers believed they were more knowledgeable than many store associates. Mobile devices and apps that connect to inventory details, including inventory outside the walls of the store itself, and help store associates communicate more efficiently with co-workers could be the difference maker.

Will mobile payment catch on?

Despite advances in mobile payment technology, young Americans don’t seem too eager to use their phones as cash. As many as 35% of millennials don’t use mobile payment apps at all, according to a new survey. And most millennials who do take advantage of the apps don’t use them in stores, but for peer-to-peer transactions via Venmo – suggesting that mobile wallet integration may not be the most strategic digital investment for retailers.

I know that Brenda and I do use mobile for surfing, searches and some banking, but we have yet to use it for buying. I believe we will eventually use apps and such for purchases; it just appears that the trend is growing slowly. If you could find out whether an item was in stock before you got in the car to go shopping, that would be great, and if you could buy it or hold it at the store, that would be great too.

More on mobile to come soon.

Joe Rossini

Tips to Use Public Computers Safely

4 Tips to Use Public Computers Safely

Hey Everyone!

We've all run into a situation when we have to use a public computer at an internet café, library, or school to check out Facebook, check banking information or to send an email. User beware! First, you have no guarantee that the computer is protected; it might be riddled with viruses, and, second, unless you're careful the next user might learn a lot more than you'd like about your online session. Here are some steps I recommend taking before you use that public computer.

1. Don't let the web browser store all of your secrets.  Every web browser on a computer keeps a history of sites you've visited and downloads the files and information from that web site for faster loading of sites you visited before. That's fine at home, but when you're using a public computer, you don't want the browser storing your history. Fortunately, modern browsers can protect your privacy. You can right-click on the Firefox icon and choose "Enter private browsing." For Firefox, pressing Ctrl+Shift+P during a normal browsing session switches to private browsing. In Chrome, the private browsing mode is called "Incognito mode." Be sure to shut down the browser when you're done. Private browsing doesn't disable the Back button so you don't want the next user backing into your Facebook session or email account.

2. Don't forget to use private browsing. There's always the possibility that you forgot to go private and you've already checked your email or bank account. Erasing your activity is simple. In Chrome or Firefox, you simply press Ctrl+Shift+Del to call up the dialog for deleting your history. The details vary, but you'll want to make sure you've selected all of the options for deletion. Chrome and Firefox let you specify how far back to delete, so just clear out all the history to be on the safe side.

3. Only Visit Financial Sites On Your Own Computer. It's possible that the computer you're using might be seriously compromised security-wise. For example, a stealth keylogger application could capture all passwords typed on the system. A hardware keylogger could do the same, with no possibility of detection by security software.
Your best bet is to simply refrain from sensitive transactions on a public computer. If you absolutely must log in to an important secure site on a suspect computer, here's one way to make password theft difficult: bring up a page with lots of text in the browser and copy/paste characters from that page into the password dialog. This "ransom note" style is decidedly tedious, but even a spy program that captures periodic screenshots can't snap all parts of your password.

4. Keep Your Web Site Visits to a Minimum. As you can see, there's a whole range of precautions you can take to keep any public computer session from turning into an identity theft nightmare. If you're forced to use public computers for sensitive communication, consider using ransom-note passwords and possibly a VPN. Don't engage in any sensitive communication that you could just as well do from your home or office. But even if you're doing nothing more than checking Facebook and e-mailing your dear auntie, do take the minimal precautions. Invoke the browser's privacy mode, or clear browsing data if you forgot. Doing so just takes a second and can save hours of aggravation.
Have you had to use a public computer? What steps do you use to keep safe? Drop me a line at
This guy has tremendous information!

Monday, May 1, 2017

Web security

Web sites are unfortunately prone to security risks. And so are any networks to which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk.
Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and your web site coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.

Is Your Site or Network at Risk?

"Web security" is relative and has two components, one internal and one public. Your relative security is high if you have few network resources of financial value, your company and site aren't controversial in any way, your network is set up with tight permissions, your web server is patched up to date with all settings done correctly, your applications on the web server are all patched and updated, and your web site code is done to high standards.
Your web security is relatively lower if your company has financial assets like credit card or identity information, if your web site content is controversial, your servers, applications and site code are complex or old and are maintained by an underfunded or outsourced IT department. All IT departments are budget challenged and tight staffing often creates deferred maintenance issues that play into the hands of any who want to challenge your web security.

Web Security Risk - Should You Be Worried?

If you have assets of importance or if anything about your site puts you in the public spotlight then your web security will be tested. We hope that the information provided here will prevent you and your company from being embarrassed - or worse.
It's well known that poorly written software creates security issues. The number of bugs that could create web security issues is directly proportional to the size and complexity of your web applications and web server. Basically, all complex programs have either bugs or, at the very least, weaknesses. On top of that, web servers are inherently complex programs. Web sites are themselves complex and intentionally invite ever greater interaction with the public. And so the opportunities for security holes are many and growing.
Technically, the very same programming that increases the value of a web site, namely interaction with visitors, also allows scripts or SQL commands to be executed on your web and database servers in response to visitor requests. Any web-based form or script installed at your site may have weaknesses or outright bugs and every such issue presents a web security risk.
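One concrete instance of the form weakness just described, as an added example that is not the article's own code: a login handler that pastes form fields into the SQL text, beside the parameterised version that fixes it. The in-memory SQLite "users" table, its rows and the function names are constructed for the example.

```python
"""The form-handler weakness described above, beside its fix.  Added example,
not from the article; the SQLite "users" table and its rows are constructed
stand-ins for a site's real database."""
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed sample data.  A real site stores password hashes, never
    passwords; that is a separate topic from how the query is built."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"),
                      ("bob", "battery staple", "staff")])
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Form fields pasted straight into the SQL text: the database executes
    whatever statement the visitor's input turns the string into."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the statement is fixed and the form fields are
    bound as values, so they can only be compared, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = setup()
    # A username containing a quote and a SQL comment marker ends the WHERE
    # clause early in the unsafe version: the password test is commented
    # out and alice's row comes back without her password.  The safe
    # version compares the same text literally and finds no such user.
    crafted = "alice' --"
    print("unsafe:", login_unsafe(conn, crafted, "anything"))     # [('alice', 'admin')]
    print("safe:  ", login_safe(conn, crafted, "anything"))       # []
    print("normal:", login_safe(conn, "alice", "correct horse"))  # [('alice', 'admin')]
```

The same rule applies to every form field, search box and URL parameter a visitor can influence: bind it as a parameter, never splice it into the statement.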
Contrary to common belief, the balance between allowing web site visitors some access to your corporate resources through a web site and keeping unwanted visitors out of your network is a delicate one. There is no one setting, no single switch to throw, that sets the security hurdle at the proper level. There are dozens of settings, if not hundreds, in a web server alone, and then each service, application and open port on the server adds another layer of settings. And then there is the web site code... you get the picture.
Add to that the different permissions you will want to grant visitors, prospects, customers, partners and employees. The number of variables regarding web security rapidly escalates.
A web security issue is faced by site visitors as well. A common web site attack involves the silent and concealed installation of code that will exploit the browsers of visitors. Your site is not the end target at all in these attacks. There are, at this time, many thousands of web sites out there that have been compromised. The owners have no idea that anything has been added to their sites and that their visitors are at risk. In the meantime visitors are being subjected to attack, and successful attacks are installing nasty code onto the visitors' computers.

Web Server Security

The world's most secure web server is the one that is turned off. Simple, bare-bones web servers that have few open ports and few services on those ports are the next best thing. This just isn't an option for most companies. Powerful and flexible applications are required to run complex sites and these are naturally more subject to web security issues.
Any system with multiple open ports, multiple services and multiple scripting languages is vulnerable simply because it has so many points of entry to watch.
If your system has been correctly configured and your IT staff has been prompt about applying security patches and updates, your risks are mitigated. Then there is the matter of the applications you are running. These too require frequent updates. And last there is the web site code itself.

Web Site Code and Web Security

Your site undoubtedly provides some means of communication with its visitors. In every place that interaction is possible you have a potential web security vulnerability. Web sites often invite visitors to:
  • Load a new page containing dynamic content
  • Search for a product or location
  • Fill out a contact form
  • Search the site content
  • Use a shopping cart
  • Create an account
  • Log on to an account
In each case noted above your web site visitor is effectively sending a command to or through your web server - very likely to a database. In each opportunity to communicate, such as a form field, search field or blog, correctly written code will allow only a very narrow range of commands or information types to pass - in or out. This is ideal for web security. However, these limits are not automatic. It takes well-trained programmers a good deal of time to write code that allows all expected data to pass and disallows all unexpected or potentially harmful data.
And there lies the problem. Code on your site has come from a variety of programmers, some of whom work for third-party vendors. Some of that code is old, perhaps very old. Your site may be running software from half a dozen sources, and then your own site designer and your webmaster have each produced more code of their own, or made revisions to another's code that may have altered or eliminated previously established web security limitations.
Add to that the software that may have been purchased years ago and which is not in current use. Many servers have accumulated applications that are no longer in use and with which nobody on your current staff is familiar. This code is often not easy to find, is about as valuable as an appendix and has not been used, patched or updated for years - but it may be exactly what a hacker is looking for!
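The point above about a search field being, in effect, a command sent to your database, shown as an added example that is not part of the Beyond Security article: a product-search handler written the naive way beside a hardened version that applies a narrow allow-list and binds the visitor's text as a parameter. The table, rows and the probe string are constructed for the demonstration; it uses Python's built-in sqlite3 so it runs offline.

```python
import re
import sqlite3

# Constructed sample catalogue (not real data). The table also carries a column
# that the public search form is never meant to expose.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (name TEXT, price REAL, supplier_cost REAL)")
    conn.executemany(
        "INSERT INTO product VALUES (?, ?, ?)",
        [("red shoe", 49.0, 20.0), ("blue shoe", 59.0, 25.0), ("hat", 19.0, 8.0)],
    )
    return conn

def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Splices the visitor's text into the statement, so the form field is
    effectively a command channel: a quote ends the literal and the rest of
    the field is parsed as SQL."""
    sql = f"SELECT name, price FROM product WHERE name = '{term}'"
    return conn.execute(sql).fetchall()

# Narrow allow-list for a product name: letters, digits, spaces, hyphens, bounded length.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 -]{1,40}")

def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Two layers: reject anything outside the expected character set, then
    hand the value to the driver as a bound parameter so it can only ever be
    compared as data, never parsed as SQL."""
    if not SEARCH_TERM.fullmatch(term):
        raise ValueError("search term rejected by input validation")
    sql = "SELECT name, price FROM product WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()

def is_rejected(conn: sqlite3.Connection, term: str) -> bool:
    """True when the hardened handler refuses the term outright."""
    try:
        search_safe(conn, term)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 1=1 --"           # constructed test input containing a stray quote
    print(search_unsafe(db, "hat"))  # [('hat', 19.0)]
    print(search_unsafe(db, probe))  # whole table: the quote rewrote the query
    print(is_rejected(db, probe))    # True
    print(search_safe(db, "hat"))    # [('hat', 19.0)]
```

The same two layers apply to every field in the list above; the allow-list is the part that has to be written per field, which is the "good deal of time" the article refers to.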

Known Web Security Vulnerabilities and Unknown Vulnerabilities

As you know there are a lot of people out there who call themselves hackers. You can also easily guess that they are not all equally skilled. As a matter of fact, the vast majority of them are simply copycats. They read about a KNOWN technique that was devised by someone else and they use it to break into a site that is interesting to them, often just to see if they can do it. Naturally once they have done that they will take advantage of the site weakness to do malicious harm, plant something or steal something.
A very small number of hackers are actually capable of discovering a new way to overcome web security obstacles. Given the work being done by tens of thousands of programmers worldwide to improve security, it is not easy to discover a brand new method of attack. Hundreds, sometimes thousands of man-hours might be put into developing a new exploit. This is sometimes done by individuals, but just as often is done by teams supported by organized crime. In either case they want to maximize their return on this investment in time and energy and so they will very quietly focus on relatively few, very valuable corporate or governmental assets. Until their new technique is actually discovered, it is considered UNKNOWN.
Countering, and attempting to eliminate any return on, this hacking investment are hundreds if not thousands of web security entities. These public and private groups watch for and share information about newly discovered exploits so that an alarm can be raised and defenses against the newly discovered exploits can be put in place quickly. The broad announcement of a new exploit makes it a KNOWN exploit.
The outcome of this contest of wills, so to speak, is that exploits become known and widely documented very soon after they are first used and discovered. So at any one time there are thousands (perhaps tens of thousands) of known vulnerabilities and only a very, very few unknown. And those few unknown exploits are very tightly focused on just a very few highly valuable targets so as to reap the greatest return before discovery, because once an exploit is known, the best-defended sites immediately take action to correct their flaws and erect better defenses.

Your Greatest Web Security Risks: Known or Unknown?

Your site is 1,000 times more likely to be attacked with a known exploit than an unknown one. And the reason behind this is simple: there are so many known exploits, and the complexity of web servers and web sites is so great, that the chances are good that one of the known vulnerabilities will be present and allow an attacker access to your site.
The number of sites worldwide is so great, and the number of new, as yet undocumented and thus unknown exploits so small, that your chances of being attacked with one are nearly zero - unless you have network assets of truly great value.
If you don't attract the attention of a very dedicated, well-financed attack, then your primary concern should be to eliminate your known vulnerabilities, so that a quick look would reveal no easy entry using known vulnerabilities.

This article came from Beyond Security.

More to come

Joe Rossini

Reporting and the benefits

Usually every Monday I do reports for some of my customers. I wonder if good information can come from reports and whether it can be helpful. Well, one of my reports shows visitors who came in from around the world to see their web page. This information can be helpful in telling a customer just who might be looking. What I usually find is a gem or two about a company that was sneaking a peek at my client or had an interest in a particular area that my client offers. The time the visitor spends on a site or a page can also tell my client if they are really interested or just browsing. Bottom line is we can tell the sales staff who might be following up on a show or a call.

Another report can tell my clients what search engines are working. If you are spending money on an AdWords program, it would be nice to see where those potential leads are coming from.

I had one client ask me about a company that kept showing up but really was not a name they figured was a real lead. I found that the company was using a BOT to scan their site, so the possibility of shutting it off was being entertained.

Having a good reporting program is important, and if watched it can provide very useful information on how your web site, or your company's marketing, is doing.

More to come

Joe Rossini