Chapter 3
IN THIS CHAPTER
Shutting down your site
Breaking through security barriers
Spreading Internet illnesses
No phishing allowed
Putting the brakes on mobile scammers
More than 3 billion people will use the Internet worldwide in 2017, or approximately 46 percent of the world’s population. Of that 3 billion, over 2 billion users will access the Internet using a smartphone or other mobile device. (Mobile devices have officially taken over desktops as the way people are accessing the Internet!) Whether it’s via desktop computer or mobile phone, with so many people and businesses online today, the Internet has provided a unique opportunity for cybercriminals, or what we refer to as the Net-thief. Estimates provided to the United States Congress showed that global losses from cyber-related crimes have surpassed the $1 trillion mark, and there’s no sign of it slowing down. Online thieves continue to find new and sneaky ways to rob you of money, data, and a sense of personal security.
Given that figure, if you haven’t been on the receiving end of an online security threat, consider yourself lucky. As an online business owner, your vulnerability to cyberattacks increases. Studies show that companies suffer from multiple security incidents per year from hackers, viruses, worms, spyware, and other malicious efforts. And when companies are suffering from Internet-related attacks, they can lose an average of a few hundred dollars per attack in small incidents, and potentially millions, or even billions, of dollars in revenue in larger, more severe attacks.
As an online business owner, you need to minimize the opportunity for any type of security interference that threatens your success. Before you can defend yourself and your computer, though, you need to know what to expect. In this chapter, we review the security threats that are most likely to take a bite out of your business if you let your guard down.
Any time an Internet thief, or Net-thief, can prevent you or your customers from accessing websites and other online information or applications, it’s a denial-of-service (DoS) attack. Okay, maybe you don’t think that your website is large enough or popular enough to interest someone in disrupting it. If you think DoS or distributed DoS (DDoS) attacks are no longer as prevalent, think again! DoS attacks are still considered one of the top Internet security threats. In the past few years, several large DoS attacks affected government sites as well as business and e-commerce sites. Previous DoS attacks have gone after major sites, but this type of malicious action can affect smaller businesses too. Some research indicates a growing trend of targeting smaller businesses (websites) with all types of cyberattacks because they have less sophisticated online security and are easier to breach.
Even if your site is fairly secure, consider this: What if the company your business uses for online payment transactions is attacked? Or maybe your online banking site is hit? Worse, what if the company that hosts your website falls prey to a DoS attack? You and hundreds of other small sites can be wiped out for several hours — or an entire day or more. Each of these is a real possibility and is an example of how easily a DoS attack can prevent you from being productive or possibly even hurt your company financially.
The hard truth is that your small or midsize business is more likely to experience a DoS attack these days because it is most vulnerable. As we mentioned, the Net-thief knows that online security is often at the bottom of a long list of concerns for smaller e-commerce sites, and you’re also not investing much money in sophisticated security tools, like the big corporations are doing. That situation translates to opportunity. Intruders troll the Internet every day, looking for sites that offer security holes. Plus, DoS attack-launching tools are now fairly cheap and easy to come by, so instigating an attack has become easier. An intruder can divert legitimate traffic away from your site and drive it to other sites. The attacker may be paid every time your customers visit the rogue site, whether or not they intended to go there. With lots of dollars at stake, you can understand why the frequency of DoS attacks has spiked.
Fending off a DoS episode isn’t easy. After you’re under attack, your choice of responses is limited. However, you can take certain steps to reduce the chances of an attack occurring and to minimize the damage that can be done if your site suffers from a DoS attack:
Report attacks. If your site comes under a DoS attack, report it to the FBI. A special division of the FBI, the Internet Crime Complaint Center (IC3), was created to address these concerns. You can access the division at www.ic3.gov. Additionally, the U.S. Computer Emergency Readiness Team (US CERT), which is part of the U.S. Department of Homeland Security, monitors, tracks, and responds to cyberthreats. You can report attacks on the US CERT website at https://complaint.ic3.gov.
McAfee, an online security division of Intel Security, offers a Threat Center that provides updated information about the most recent cyberthreats (for both businesses and individuals). This resource also provides online security tips and risk assessment tools to help reveal your potential online security vulnerabilities. You can access this portal at www.mcafee.com/us/threat-center.aspx.
Be aware. As DoS attacks increase in frequency and type, you must stay up-to-date on security issues. Your best defense against any attack is to be aware and knowledgeable of current threats and recommended preventive measures.
To stay ahead of potential cyberthreats, get tips to keep your business secure by visiting the tip site from US CERT at www.us-cert.gov/ncas.
Behind every DoS attack or any other harmful Internet-related threat is usually a single person or group of people responsible for starting the malicious activity. Discovering the identity of these electronic thieves isn’t easy. Recent data suggests that roughly 25 percent of hacking incidents originate from the top 15 countries known for attacks — and while the United States is considered one of those 15 countries, it was responsible for just over 1 percent of known attacks. So, what — or who — exactly is a hacker? In general, a hacker is anyone not authorized or given permission to intrude on or to gain access to your information systems. Hackers are basically opportunists.
Some hackers are motivated by the challenge of merely trying to break through a security system and then bragging that they did it. Those hackers are typically attracted to large high-profile sites or government sites. In another growing trend, hacktivism, the hacker purports to break into sites for a greater good or for some cause that the hacker believes needs attention. For example, in 2015, hackers attacked a dating site for married people called Ashley Madison, which connects its members for the purpose of “discreet affairs.” The hackers gained access to users’ real names and personal data and leaked the information to the public for the purpose of exposing and shaming the site and its members. Similar acts of hacktivism have occurred recently in an effort to expose or embarrass politicians, banks, and other corporate entities that the hackers perceive as being corrupt or dishonest. Your organization can be vulnerable to hackers not only for financial gain, but also to get access to your company data or to draw attention.
For most online businesses, the threat of hackers is simply based on the possibility of making money from your site. The “rewards” for this type of action can be enormous for a hacker. There have been several notorious hacking incidents in the last few years that have targeted retailers and restaurants, including Target, T.J. Maxx, and Wendy’s. In each case, the hackers obtained shoppers’ credit and debit card information stored by the businesses and stole millions of dollars from unsuspecting customers. Similarly, when Sony’s online game network, PlayStation, was breached a few years ago, hackers obtained access to the credit card numbers and passwords of millions of Sony customers. The network was shut down for 23 days, at a staggering financial loss of more than $171 million. Again, big or small, online companies have a lot to lose to a hacker.
Among the most popular methods of hacking-for-pay are stealing these elements:
As we’ve shown, your data is worth a lot of money to a Net-thief. Sites that fall prey to this type of hacker are vulnerable because they’re easy targets. Think of this type of breach in terms of your home’s security: Although locks and alarms don’t always stop thieves, they deter them. Given the choice, most bad guys break into places that are easier to get into and out of without being noticed.
If a hacker sees that you’re sloppy with security, he doesn’t waste any time taking advantage of you. These days, computer programs allow a hacker to scan the Internet and look for vulnerable sites.
Implementing firewalls and antivirus software certainly helps deter a hacker. You can take some additional measures to irritate a cybercrook:
Use uncommon passwords. Yes, using uncommon passwords is good ol’ common sense, yet most people choose passwords that are easy to remember or have special meanings, such as birthdates and anniversaries. Many people also use a simple string of numbers, such as 1234, or other combinations that are easy for a cybercriminal to decipher. Instead, use a nonsensical or complex mixture of words and numbers. Be sure to create a different password for each application or program that you access.
For added security, you can get help creating unique passwords by using a password generator. This software creates random passwords for you. Free password-generator programs are available, or you can purchase programs for $15 to $75, depending on whether it’s for personal or business use.
Change passwords frequently. Merely creating good passwords isn’t enough. You have to create them repeatedly. Generate new passwords every 3 months (depending on the sensitivity of the information being accessed) for applications you use all the time. Change other passwords annually for low security-risk applications or websites.
Remembering unique and constantly changing passwords is difficult. And keeping written records of your passwords defeats the purpose of changing them. Now you can get help remembering passwords by using a password manager. KeePass is a free, open-source application that keeps all your passwords locked away, so to speak, in a secure database with only one master key, or key file. You can get started creating a secure password manager by visiting www.keepass.info.
Shut down your computers. In this 24/7 world of the Internet, you’re always open for business. It’s tempting to leave your computers on around the clock, too. A better idea is to shut them off at the end of day to limit the possibility of unwelcome access to your system. This advice is especially good if you have a home-based business and use cable modems to access the Internet. The shared bandwidth makes you much more vulnerable.
If you use computers with built-in cameras, shutting down your computer also prevents hackers from infiltrating your camera and gaining visual access to your home or office.
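The password advice in the list above (no birthdates, no simple strings such as 1234, a different password for each application) can be checked mechanically. The following is an added example, not part of the original chapter: a small generator and audit in Python, where the 12-character minimum, the function names, and the sample accounts are assumptions constructed for illustration.

```python
import re
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
MIN_LENGTH = 12  # assumption: the chapter gives no minimum length

# Date-like digit groups such as 07041985, 7/4/1985 or 1985-07-04.
DATE_RE = re.compile(
    r"(?<!\d)(?:\d{1,2}[/.-]?\d{1,2}[/.-]?(?:19|20)\d{2}"
    r"|(?:19|20)\d{2}[/.-]?\d{1,2}[/.-]?\d{1,2})(?!\d)"
)

def has_sequence(pw, run=4):
    """True if pw holds `run` ascending, descending or repeated characters."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}, {0}):
            return True
    return False

def weak_reasons(pw):
    """Return the list of reasons a password matches the chapter's bad habits."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        reasons.append("digits only")
    if has_sequence(pw):
        reasons.append("contains a simple run such as 1234")
    if DATE_RE.search(pw):
        reasons.append("contains a date-like string")
    return reasons

def generate_password(length=20):
    """Random password with every character class that also passes the audit."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        classes_ok = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                      and any(c.isdigit() for c in pw)
                      and any(not c.isalnum() for c in pw))
        if classes_ok and not weak_reasons(pw):
            return pw

def audit(accounts):
    """accounts maps application -> password; returns application -> findings."""
    findings = defaultdict(list)
    used_by = defaultdict(list)
    for app, pw in accounts.items():
        findings[app].extend(weak_reasons(pw))
        used_by[pw].append(app)
    for apps in used_by.values():
        if len(apps) > 1:  # same password on more than one application
            for app in apps:
                others = ", ".join(a for a in apps if a != app)
                findings[app].append(f"reused on: {others}")
    return {app: found for app, found in findings.items() if found}

# Constructed sample accounts, not real credentials.
SAMPLE = {
    "shop-admin": "1234",
    "bank": "Fluffy07041985",
    "email": "Fluffy07041985",
    "hosting": generate_password(),
}

if __name__ == "__main__":
    for app, found in audit(SAMPLE).items():
        print(f"{app}: {'; '.join(found)}")
```

The generator draws from the operating system's secure random source through the secrets module, and it rejects any candidate that its own audit would flag.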
According to the McAfee security firm, hundreds of thousands of active virus threats are invading computers right now. Named for the germlike nature of an illness that rapidly spreads, viruses were originally a nuisance more than anything else. Similar to thwarting hacking, programmers face the challenge of preventing the spread of irritants from one computer to another.
A virus is a program or piece of programming code and is usually spread by way of e-mail attachments. The attachments can be Word documents, photos, games, or other types of applications. By opening the attachment, you unknowingly unleash the virus onto your computer and possibly help spread it to others. Viruses are almost impossible for you to detect without using some type of antivirus software.
The capability to hide a virus combined with its ease of distribution makes these attacks increasingly more threatening to the health of your computer and your online business. Some computer experts now refer to viruses as a part of malware, short for malicious software. In recent years, a powerful form of malware, called Heartbleed, affected a popular open-source (free) software called OpenSSL, which is used by web servers of all sizes to encrypt information and make the transfer of data more secure. Normally, OpenSSL is used as part of a limited exchange of data, but the bug in the software allowed for the malicious retrieval of additional pertinent data, such as passwords, and caused much concern for businesses and organizations worldwide. Customers of websites using OpenSSL were also encouraged to immediately update their passwords. In 2016, security experts saw a return of macro malware, which infects Microsoft Word and Microsoft Excel users. The malware tricks users into thinking the malware is a legitimate macro (or time-saving command) in Microsoft programs. Instead, the malware, including versions called DRIDEX and ROVNIX, loads and runs malicious software on the user’s computer.
Here are some other types of malware, viruses, and annoyances to be aware of:
Worms: Unlike most viruses, worms don’t need your help to spread. You don’t have to open an attachment or accidentally launch a harmful program. A worm simply replicates itself and then spreads to other computers over a shared network. Worms have been known to go after specific computer hardware, such as routers. After compromising the router, it scans for other vulnerable devices on the network and replicates itself to infect those devices. Other well-known worms have caused havoc (and major inconvenience to users) by continuously shutting down infected computers.
Worms have also been used to infect mobile devices. In 2014, the Samsapo worm used malicious text messages to infiltrate Russian Android phones (yes, these were geographic-specific worms). The worm would access an infected phone’s SIM card and capture personal data. The worm was also able to trigger a text-to-pay system and steal money, which was charged to the mobile phone owner’s cellular bill. Worms are not only infectious but also potentially costly.
Ever since the Internet started gaining in popularity, devious minds with a creative bent have found ways to cause problems. In addition to the other methods that hijackers use to derail your sales and your business — such as virus and DoS attacks — a determined Net-thief has one more trick: stealing your domain.
Domain slamming occurs when you’re tricked into moving your registered domain from one registrar to another. In this scenario, you receive an e-mail saying that it’s time to renew your domain. It even appears to be from your legitimate registrar. Unfortunately, a competing registrar has gained your information and is waiting to collect a domain renewal fee from you. Although domain slamming might be more economically detrimental to your originating domain registrar (they lose your business), it’s still a hassle for you, too.
Somewhat more disturbing is the opportunity for a hacker to take over your domain by using the registration process. When a thief takes possession of your domain, you can spend years trying to get it back. Some documented cases show that small e-commerce companies never recover ownership. Whether your domain is hijacked for a day or an eternity, here are some common problems that occur when your name is stolen out from under you:
Here’s how domain stealing happens: If hackers can find enough personal information about your account, they can transfer your registered domain into their name and basically take ownership of your domain in a few short hours. Most of the information needed to achieve this process can be found by simply viewing the public records of the WHOIS directory.
Sadly, domain stealing is becoming more common. Domain registrars and the Internet Corporation for Assigned Names and Numbers (ICANN) continue to put policies in place that prevent or limit the damage. Still, no policy is foolproof, so here are some other tips you can follow to minimize the risk of domain hijacking:
You should be familiar with two schemes that affect the way you handle e-mail and keep your business safe: phishing (“fish-ing”) and pharming (“farm-ing”). Both methods use unscrupulous means to find personal or private account information about you and then use it for a hacker’s personal gain. While both scams have been around for a long time, they are simple and easy for the Net-thief to deploy. E-mail scams remain a popular method for tricking people into giving up lots and lots of money!
Phishing occurs when you receive an e-mail that seems to be from a legitimate source, such as PayPal, Amazon, or even your bank. The e-mail usually requests that you immediately update your account information because it has been compromised or needs to be verified for other reasons. When you click the link (included in your e-mail notice), a bogus site opens that captures your personal information as you “update” the account. In 2015, a multi-year phishing scam that targeted employees of banks was discovered. The e-mail scam allowed the scammers to get access to bank accounts and even dispense money at ATMs. The phishing attack stretched across multiple countries and netted the cyberthieves close to $1 billion from more than 100 banks. This is an important reminder of how phishing scams go beyond individuals and can impact your business by going through employees.
Legitimate companies have done a good job of alerting users to potential phishing scams and making it easier for you to spot e-mails that don’t originate with the company.
Generally, you should be aware of these details:
[email protected] — not [email protected], for example.
Suppose that you visit a favorite shopping site. You type the domain name, and the site pops up momentarily on your screen. You log in using your password, enter your credit card information to buy products, and perhaps fork over some personal information as part of an online giveaway. Everything seems normal. What you don’t realize is that a hacker has rerouted you to a website that looks like the one you intended to visit, but this one is bogus. In the meantime, all the passwords and personal information you entered into the site are pharmed out and the data is used for malicious purposes.
You can fall victim to a pharming scam in a couple of ways. The first occurs when a virus, delivered by e-mail, compromises your computer’s information. The virus can enable the computer to redirect you to a bogus site when you type a URL into your browser.
The second method is when a hacker uses DNS poisoning, which alters the string of numbers in your DNS (Domain Name System), causing the real URL to be redirected to a fake domain. Pharming that uses DNS poisoning is a little more destructive because it can affect a larger number of users. And that destruction becomes especially costly if you’re an online business owner whose site has been poisoned.
Because no standard method exists for helping visitors confirm that a site is legitimate, it can be difficult to avoid becoming a victim. The best protection against pharming attacks as an individual user is to
In your Internet business, protecting your site from becoming a victim of DNS poisoning is much more difficult. In fact, no sure way to avoid it exists. The best defense is to talk with the company that hosts your site, to ensure that its servers are running the latest updates of DNS software and that all patches are installed. If you have an in-house server, you or your IT manager should be responsible for the same thing.
The rising popularity of mobile devices, from smartphones to tablets, has only increased the appeal of the wireless world to not only users, but also to opportunist cybercriminals. Many e-commerce applications and solutions used to manage all areas of your online business now come with the capability of using the app or service via a mobile device. That means you can run your online business from almost anywhere.
Freedom of that nature comes with a price, of course — security risks. Like it or not, if you’re using a wireless connection, you’re vulnerable. The increase of mobile applications is undeniably at the center of many wireless security concerns. Whether you use an iPhone, an iPad, or an Android device, you are at risk of data breaches that can occur right under your nose.
Another business and consumer trend that is raising the bar on mobile security risks is the growing popularity of cloud-based computing. Also referred to as software as a service (SaaS), cloud solutions are essentially the use of subscription-based or pay-for-use service over the Internet in real time. This type of computing has become an affordable way for businesses of all sizes to expand their capabilities. For example, a business can host its phone system in the cloud and use cloud-based shopping carts. Most business services can be delivered from and managed in the cloud. Although cloud computing isn’t strictly wireless, this “outside the network” approach to conducting online business introduces the opportunity for increased security risks.
Still another growing trend is called IoT, or the Internet of Things. IoT, in simple terms, allows a collection of unrelated devices to communicate with one another — this is a network of devices that each use unique identifiers to help transmit data without the need for people to be involved. For example, you may recall seeing a commercial for a new refrigerator that can send information directly to your smartphone about what items you need replenished. IoT is also enabling lots of other “shortcuts” in the home and office, but the wireless transmission opens up the opportunity for interference by the Net-thief or simple mischief makers.
With mobile usage skyrocketing and technology advances allowing more services to be consumed in the cloud, it’s important to understand as much as you can about wireless security.
Before you can protect against a security breach of any kind, consider how a wireless network operates. In short, a wireless local area network (WLAN) provides access to the Internet without the need for cables or other wires hooking directly into your computer. Instead, an access point (AP) connects other wireless devices to your local area network (LAN). Then high-frequency radio waves transmit the signal from the LAN to your mobile computer. Figure 3-1 shows you an overview of this process.
Keep in mind that whether the wireless LAN is set up in your home, in a hotel, or at a city park, the result is the same: You share a signal that’s broadcast over public airwaves. Why does this matter to you? Think about your house as it sits in the middle of your neighborhood. Now imagine that your house has no walls. If you don’t mind neighbors — or perfect strangers, for that matter — being able to walk through your house and root around in your drawers and file cabinets, you don’t have a problem. However, if you have things you would rather not share (such as credit card numbers, passwords, and other sensitive data), being exposed to that degree can be harmful.
Any type of security measure is only a deterrent. If someone really wants access to your network, he or she will find a way. In most cases, though, online thieves and hackers take a more random approach. They look for someone who is careless or naive and then take advantage of that opportunity to intrude.
Unfortunately, wireless networks can leave plenty of doors unlocked to usher in a roaming thief. Check out some of the threats that leave your wireless network exposed:
Obviously, the real problem with these and other wireless network threats is that your bottom line is at risk. For online thieves, it’s not a harmless hobby: It represents money in their pocket and out of yours. That’s why investing in precautionary security measures is worthwhile.
When protecting your wireless network, you can choose from a range of services, applications, and common procedures that can lower the risk of being compromised.
Here are some basic rules you can follow to minimize your risk:
Change the SSID. Wireless network devices that you buy are supplied with a preset SSID, which makes access convenient for thieves. Because this preset SSID identifies your network, you should immediately create a new SSID after installation of the wireless device. Create your SSID by following suggested guidelines for creating any password:
To change your SSID, disable the broadcast feature, or configure devices for WPA, refer to the owner’s manual supplied with your particular wireless router or access point.
Update your OS and apps. Make sure you always install OS (operating system) updates, as well as any updates to applications you use, as soon as the updates are available. The updates frequently include patches or fixes to security flaws.
The increased use of social media networks, virtual games, cloud-based services, and other apps on wireless devices provides plenty of opportunity for security vulnerabilities. One of the best ways to fight it is to install the most recent updates, as soon as they are available.
Use two-factor authentication. This security process requires two methods of identification, usually a password (something you know) and a physical token (something you have), such as your mobile phone. If Net-thieves get your password over a wireless network, they must still have the physical token before they can gain access to your online data.
Many websites provide two-factor authentication, and taking the time to enable it is worthwhile. Some of the most important sites where you should consider using it are Gmail, PayPal, Amazon Web Services, Apple, Dropbox, Microsoft, and WordPress. Because social media sites are increasingly vulnerable to security attacks, two-factor authentication is recommended for LinkedIn, Twitter, and Facebook. Keep in mind that if a site such as Yahoo! or Twitter gets hacked and passwords are stolen (which has happened several times recently), the stolen passwords are run through programs to find matches to other sites that use the same password. If you use the same password for multiple sites (a real no-no!), you could have a serious data breach on your hands. Similarly, more sites allow you to sign in by using a social login. This means you let other websites use your social media profiles (access passwords and login information) from Facebook or other popular sites. If you stay logged into the social networks then this type of login is a time-saving shortcut, but it leaves you more vulnerable to thieves. We recommend avoiding social logins if at all possible.
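To show why a stolen password alone is not enough once two-factor authentication is enabled, here is an added example that is not part of the original chapter. It goes beyond the text by implementing one common "something you have" mechanism, the time-based one-time codes of RFC 6238 that authenticator apps on a phone generate; the account layout, function names, and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

def hotp(key, counter, digits=6):
    """RFC 4226 one-time code: HMAC-SHA1 over the counter, then truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, at=None, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since 1970."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // step, digits)

def hash_password(password, salt):
    # Iteration count is an assumption chosen to keep the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password, totp_key):
    """Server-side record: salted password hash plus the shared TOTP key."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_key": totp_key}

def verify_login(account, password, code, at=None, window=1, step=30):
    """Grant access only if the password AND the one-time code both check out."""
    supplied = hash_password(password, account["salt"])
    if not hmac.compare_digest(supplied, account["pw_hash"]):
        return False
    at = time.time() if at is None else at
    counter = int(at) // step
    # Accept the neighbouring time steps to tolerate small clock drift.
    for drift in range(-window, window + 1):
        expected = hotp(account["totp_key"], counter + drift)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False

if __name__ == "__main__":
    key = b"12345678901234567890"                # RFC 6238 test key, not a secret
    account = make_account("constructed-passphrase", key)  # constructed sample
    now = time.time()
    print("password + phone code:", verify_login(account, "constructed-passphrase",
                                                 totp(key, now), now))
    print("stolen password only: ", verify_login(account, "constructed-passphrase",
                                                 "", now))
```

The second login fails even though the password is correct, because the thief cannot produce the code derived from the key held on the phone.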
When you use a virtual private network (VPN), you create a protective tunnel around your wireless connection. The VPN keeps your transmission secure and also keeps out anyone not specifically granted access. To set up a VPN for your home office or small business, you can purchase a wireless VPN firewall from companies such as Netgear (www.netgear.com).
If you plan to work frequently at hotspots, consider signing up for a subscription-based VPN service. As we mentioned, one of the biggest threats when working from free Wi-Fi hotspots is Firesheep. Because Firesheep is so easy to access and use, the chances of becoming a victim of this threat are super high. So far, one of the best protections against a Firesheep attack is having a VPN. You can connect to a VPN for added protection in restaurants, hotels, airports, or any other Wi-Fi hotspot. Check out providers such as Private Internet Access (www.privateinternetaccess.com), which costs as little as $7 per month or $40 per year. TorGuard (www.torguard.net) offers two kinds of VPN services, starting at $5 per month.
No single method is best for protecting against wireless crimes. Instead, use a combination of security measures and common sense. You can never be too secure — the more measures you take, the better off you are.