Chapter 3

Spotting and Thwarting Hackers and Net-Thieves

IN THIS CHAPTER

  • Shutting down your site
  • Breaking through security barriers
  • Spreading Internet illnesses
  • No phishing allowed
  • Putting the brakes on mobile scammers

More than 3 billion people will use the Internet worldwide in 2017, or approximately 46 percent of the world’s population. Of that 3 billion, over 2 billion users will access the Internet using a smartphone or other mobile device. (Mobile devices have officially taken over desktops as the way people are accessing the Internet!) Whether it’s via desktop computer or mobile phone, with so many people and businesses online today, the Internet has provided a unique opportunity for cybercriminals, or what we refer to as the Net-thief. Estimates provided to the United States Congress showed that global losses from cyber-related crimes have surpassed the $1 trillion mark, and there’s no sign of it slowing down. Online thieves continue to find new and sneaky ways to rob you of money, data, and a sense of personal security.

Given that figure, if you haven’t been on the receiving end of an online security threat, consider yourself lucky. As an online business owner, your vulnerability to cyberattacks increases. Studies show that companies suffer from multiple security incidents per year from hackers, viruses, worms, spyware, and other malicious efforts. And when companies are suffering from Internet-related attacks, they can lose an average of a few hundred dollars per attack in small incidents, and potentially millions, or even billions, of dollars in revenue in larger, more severe attacks.

As an online business owner, you need to minimize the opportunity for any type of security interference that threatens your success. Before you can defend yourself and your computer, though, you need to know what to expect. In this chapter, we review the security threats that are most likely to take a bite out of your business if you let your guard down.

Fending Off Denial-of-Service Attacks

Any time an Internet thief, or Net-thief, can prevent you or your customers from accessing websites and other online information or applications, it’s a denial-of-service (DoS) attack. Okay, maybe you don’t think that your website is large enough or popular enough to interest someone in disrupting it. If you think DoS or distributed DoS (DDoS) attacks are no longer as prevalent, think again! DoS attacks are still considered one of the top Internet security threats. In the past few years, several large DoS attacks affected government sites as well as business and e-commerce sites. Previous DoS attacks have gone after major sites, but this type of malicious action can affect smaller businesses too. Some research indicates a growing trend of targeting smaller businesses (websites) with all types of cyberattacks because they have less sophisticated online security and are easier to breach.

Even if your site is fairly secure, consider this: What if the company your business uses for online payment transactions is attacked? Or maybe your online banking site is hit? Worse, what if the company that hosts your website falls prey to a DoS attack? You and hundreds of other small sites can be wiped out for several hours — or an entire day or more. Each of these is a real possibility and is an example of how easily a DoS attack can prevent you from being productive or possibly even hurt your company financially.

The hard truth is that your small or midsize business is more likely to experience a DoS attack these days because it is most vulnerable. As we mentioned, the Net-thief knows that online security is often at the bottom of a long list of concerns for smaller e-commerce sites, and you’re also not investing much money in sophisticated security tools, like the big corporations are doing. That situation translates to opportunity. Intruders troll the Internet every day, looking for sites that offer security holes. Plus, DoS attack-launching tools are now fairly cheap and easy to come by, so instigating an attack has become easier. An intruder can divert legitimate traffic away from your site and drive it to other sites. The attacker may be paid every time your customers visit the rogue site, whether or not they intended to go there. With lots of dollars at stake, you can understand why the frequency of DoS attacks has spiked.

Fending off a DoS episode isn’t easy. After you’re under attack, your choice of responses is limited. However, you can take certain steps to reduce the chances of an attack occurring and to minimize the damage that can be done if your site suffers from a DoS attack:

  • Know your host. When selecting a hosting company for your website, understand which security measures it has in place. Ask how your host would work with you if your site experienced a DoS attack as well as whether security experts are part of its support staff. The more prevention at the network level, the better.
  • Update the basics. Individual users and their computers are also responsible for creating security holes. The best defense is to continually update antivirus and spyware programs as well as download the most recent patches (or fixes) for your computer systems. Keep your browsers updated, too — especially Internet Explorer, which has proven to be quite susceptible.
  • Report attacks. If your site comes under a DoS attack, report it to the FBI. A special division of the FBI, the Internet Crime Complaint Center (IC3), was created to address these concerns. You can access the division at www.ic3.gov. Additionally, the U.S. Computer Emergency Readiness Team (US CERT), which is part of the U.S. Department of Homeland Security, monitors, tracks, and responds to cyberthreats. You can report attacks on the US CERT website at https://complaint.ic3.gov.

    Tip: McAfee, an online security division of Intel Security, offers a Threat Center that provides updated information about the most recent cyberthreats (for both businesses and individuals). This resource also provides online security tips and risk assessment tools to help reveal your potential online security vulnerabilities. You can access this portal at www.mcafee.com/us/threat-center.aspx.

  • Block traffic. You can work with your host company to block traffic coming from suspicious or malicious IP addresses. Although you run the risk of also blocking legitimate users, this choice might be your best option.
  • Be aware. As DoS attacks increase in frequency and type, you must stay up-to-date on security issues. Your best defense against any attack is to be aware and knowledgeable of current threats and recommended preventive measures.

    Tip: To stay ahead of potential cyberthreats, get tips to keep your business secure by visiting the tip site from US CERT at www.us-cert.gov/ncas.

Deterring Hackers

Behind every DoS attack or any other harmful Internet-related threat is usually a single person or group of people responsible for starting the malicious activity. Discovering the identity of these electronic thieves isn’t easy. Recent data suggests that roughly 25 percent of hacking incidents originate from the top 15 countries known for attacks — and while the United States is considered one of those 15 countries, it was responsible for just over 1 percent of known attacks. So, what — or who — exactly is a hacker? In general, a hacker is anyone not authorized or given permission to intrude on or to gain access to your information systems. Hackers are basically opportunists.

Some hackers are motivated by the challenge of merely trying to break through a security system and then bragging that they did it. Those hackers are typically attracted to large high-profile sites or government sites. In another growing trend, hacktivism, the hacker purports to break into sites for a greater good or for some cause that the hacker believes needs attention. For example, in 2015, hackers attacked a dating site for married people called Ashley Madison, which connects its members for the purpose of “discreet affairs.” The hackers gained access to users’ real names and personal data and leaked the information to the public for the purpose of exposing and shaming the site and its members. Similar acts of hacktivism have occurred recently in an effort to expose or embarrass politicians, banks, and other corporate entities that the hackers perceive as being corrupt or dishonest. Your organization can be vulnerable to hackers not only for financial gain, but also to get access to your company data or to draw attention.

For most online businesses, the threat of hackers is simply based on the possibility of making money from your site. The “rewards” for this type of action can be enormous for a hacker. There have been several notorious hacking incidents in the last few years that have targeted retailers and restaurants, including Target, T.J. Maxx, and Wendy’s. In each case, the hackers obtained shoppers’ credit and debit card information stored by the businesses and stole millions of dollars from unsuspecting customers. Similarly, when Sony’s online game network, PlayStation, was breached a few years ago, hackers obtained access to the credit card numbers and passwords of millions of Sony customers. The network was shut down for 23 days, at a staggering financial loss of more than $171 million. Again, big or small, online companies have a lot to lose to a hacker.

Among the most popular methods of hacking-for-pay are stealing these elements:

  • Keystrokes: This kind of attack might not seem like a big deal, but even inexperienced hackers can monitor and record the keystrokes on your computer. By using a keystroke logger tool, hackers capture your data, making it a snap to gain access to your system.
  • Sales: Hackers divert your traffic to a rogue site (which might even look like yours), where customers spend money, in the belief that the site is legitimate.
  • Data: By obtaining passwords to your or your customers’ secure data, hackers can build a lucrative business. With passwords, hackers gain access to pertinent information, such as bank accounts, birthdates, and Social Security numbers.
  • Credit card numbers: Hackers relish the chance to obtain your customers’ stored credit card numbers. These days, those numbers can easily be resold for cash — and before anyone realizes that the accounts have been compromised.

As we’ve shown, your data is worth a lot of money to a Net-thief. Sites that fall prey to this type of hacker are vulnerable because they’re easy targets. Think of this type of breach in terms of your home’s security: Although locks and alarms don’t always stop thieves, they deter them. Given the choice, most bad guys break into places that are easier to get into and out of without being noticed.

If a hacker sees that you’re sloppy with security, he doesn’t waste any time taking advantage of you. These days, computer programs allow a hacker to scan the Internet and look for vulnerable sites.

Implementing firewalls and antivirus software certainly helps deter a hacker. You can take some additional measures to irritate a cybercrook:

  • Use uncommon passwords. Yes, using uncommon passwords is good ol’ common sense, yet most people choose passwords that are easy to remember or have special meanings, such as birthdates and anniversaries. Many people also use a simple string of numbers, such as 1234, or other combinations that are easy for a cybercriminal to decipher. Instead, use a nonsensical or complex mixture of words and numbers. Be sure to create a different password for each application or program that you access.

    Remember: For added security, you can get help creating unique passwords by using a password generator. This software creates random passwords for you. Free password-generator programs are available, or you can purchase programs for $15 to $75, depending on whether it’s for personal or business use.

  • Change passwords frequently. Merely creating good passwords isn’t enough. You have to create them repeatedly. Generate new passwords every 3 months (depending on the sensitivity of the information being accessed) for applications you use all the time. Change other passwords annually for low security-risk applications or websites.

    Tip: Remembering unique and constantly changing passwords is difficult. And keeping written records of your passwords defeats the purpose of changing them. Now you can get help remembering passwords by using a password manager. KeePass is a free, open-source application that keeps all your passwords locked away, so to speak, in a secure database with only one master key, or key file. You can get started creating a secure password manager by visiting www.keepass.info.

  • Keep data out of sight. Hackers can originate close to home. Whether you’re working from home or an office surrounded by employees, get into the habit of protecting your information. Don’t leave account numbers, passwords, and other pertinent data out in the open. Thieves lurk everywhere.
  • Shut down your computers. In this 24/7 world of the Internet, you’re always open for business. It’s tempting to leave your computers on around the clock, too. A better idea is to shut them off at the end of day to limit the possibility of unwelcome access to your system. This advice is especially good if you have a home-based business and use cable modems to access the Internet. The shared bandwidth makes you much more vulnerable.

    Tip: If you use computers with built-in cameras, shutting down your computer also prevents hackers from infiltrating your camera and gaining visual access to your home or office.

  • Update your computer system automatically. Configure your computer for automatic updates to your operating system.

Avoiding Viruses and Other Malware

According to the McAfee security firm, hundreds of thousands of active virus threats are invading computers right now. Named for the germlike nature of an illness that rapidly spreads, viruses were originally a nuisance more than anything else. Similar to thwarting hacking, programmers face the challenge of preventing the spread of irritants from one computer to another.

A virus is a program or piece of programming code and is usually spread by way of e-mail attachments. The attachments can be Word documents, photos, games, or other types of applications. By opening the attachment, you unknowingly unleash the virus onto your computer and possibly help spread it to others. Viruses are almost impossible for you to detect without using some type of antivirus software.

The capability to hide a virus combined with its ease of distribution makes these attacks increasingly more threatening to the health of your computer and your online business. Some computer experts now refer to viruses as a part of malware, short for malicious software. In recent years, a powerful form of malware, called Heartbleed, affected a popular open-source (free) software called OpenSSL, which is used by web servers of all sizes to encrypt information and make the transfer of data more secure. Normally, OpenSSL is used as part of a limited exchange of data, but the bug in the software allowed for the malicious retrieval of additional pertinent data, such as passwords, and caused much concern for businesses and organizations worldwide. Customers of websites using OpenSSL were also encouraged to immediately update their passwords. In 2016, security experts saw a return of macro malware, which infects Microsoft Word and Microsoft Excel users. The malware tricks users into thinking the malware is a legitimate macro (or time-saving command) in Microsoft programs. Instead, the malware, including versions called DRIDEX and ROVNIX, loads and runs malicious software on the user’s computer.

Here are some other types of malware, viruses, and annoyances to be aware of:

  • Worms: Unlike most viruses, worms don’t need your help to spread. You don’t have to open an attachment or accidentally launch a harmful program. A worm simply replicates itself and then spreads to other computers over a shared network. Worms have been known to go after specific computer hardware, such as routers. After compromising the router, the worm scans for other vulnerable devices on the network and replicates itself to infect those devices. Other well-known worms have caused havoc (and major inconvenience to users) by continuously shutting down infected computers.

    Worms have also been used to infect mobile devices. In 2014, the Samsapo worm used malicious text messages to infiltrate Russian Android phones (yes, these were geographic-specific worms). The worm would access an infected phone’s SIM card and capture personal data. The worm was also able to trigger a text-to-pay system and steal money, which was charged to the mobile phone owner’s cellular bill. Worms are not only infectious but also potentially costly.

  • Trojans: A computer Trojan employs the same type of subterfuge as the Greek Trojan horse. Delivered in a seemingly harmless package (usually by e-mail), it sneaks onto your computer system. Then, without your permission, it opens and performs some type of unwanted activity, such as shutting down your computer. Unlike some other threats, Trojans do not replicate themselves.
  • Ransomware: This type of malware is used by hackers to access your computer files and hold the data hostage. Imagine opening your computer to find a hostage note appear on the screen. You cannot get to anything on your computer; the note instructs you to deposit money into an account within a certain amount of time or lose all your files, photos, tax documents, invoices — whatever you have stored on your computer! This is ransomware and it’s a popular form of malware used by hackers and cybercriminals.
  • Adware: This phenomenon started out as annoying pop-up windows that disrupted your computer surfing with unwanted ads. Now adware is big business. Someone makes money every time this advertising software displays ads.
  • Spyware: Much like adware, spyware is a type of malicious software that plants itself deep into your computer system, posing as a legitimate program. It wants to stay around as long as possible so that it can collect information about you. Spyware can redirect you to certain websites or track and record your personal information and send it back to the spyware’s originator — without your knowledge.
  • Botnets: When your computer is infected with malware, it can also become the unknown host that helps spread malicious software to other computers. Essentially, your computer becomes part of a robot network called a botnet, which is made up of thousands of controlled computers that instruct your computer (and other vulnerable computers now in their network) to send out infected e-mails, without your permission.
  • Hoaxes: It isn’t unusual for rumors about false virus threats to circulate around the Internet. Although these little pranks don’t infect your computer, they waste your time. You can tell whether a threat is real or a hoax by noting these characteristics:
    • Source: If an e-mail alert came from your antivirus software provider or another trusted source, it’s probably real. If it’s part of a chain of e-mails being circulated by friends and family, it’s more likely to be a fake.
    • Participation: An e-mail alerting you to this latest threat and prompting you to send it to everyone you know to spread the news is a classic sign of a hoax.
    • Authority: If the e-mail contains a link to a recognized antivirus software vendor or a legitimate Internet security source, it’s probably real. If not, you might be participating in a virus hoax.

Keeping Your Domain Name Safe

Ever since the Internet started gaining in popularity, devious minds with a creative bent have found ways to cause problems. In addition to the other methods that hijackers use to derail your sales and your business — such as virus and DoS attacks — a determined Net-thief has one more trick: stealing your domain.

Domain slamming occurs when you’re tricked into moving your registered domain from one registrar to another. In this scenario, you receive an e-mail saying that it’s time to renew your domain. It even appears to be from your legitimate registrar. Unfortunately, a competing registrar has gained your information and is waiting to collect a domain renewal fee from you. Although domain slamming might be more economically detrimental to your originating domain registrar (they lose your business), it’s still a hassle for you, too.

Somewhat more disturbing is the opportunity for a hacker to take over your domain by using the registration process. When a thief takes possession of your domain, you can spend years trying to get it back. Some documented cases show that small e-commerce companies never recover ownership. Whether your domain is hijacked for a day or an eternity, here are some common problems that occur when your name is stolen out from under you:

  • Reselling: Your domain name can be resold to an unsuspecting third party. Popular names can fetch millions of dollars, making domain hijacking a lucrative career for a thief.
  • Lost sales: If you have an active e-commerce site that’s taken over, you lose sales during the time it takes to regain ownership. Some companies have lost thousands of dollars in sales, not to mention the legal expenses involved in recovering the domain name.
  • Damaged reputation: Even if you regain your site domain, you might be stuck convincing customers that it’s safe to shop with you again. In some cases, stolen domains are used to redirect visitors to sites that download adware or spyware onto computers. Unsuspecting customers might be hard-pressed to return to your site.

Here’s how domain stealing happens: If hackers can find enough personal information about your account, they can transfer your registered domain into their name and basically take ownership of your domain in a few short hours. Most of the information needed to achieve this process can be found by simply viewing the public records of the WHOIS directory.

Tip: To prevent having personal or business information readily available for public viewing, choose to make your contact information private. The WHOIS directory then shows a third-party vendor — a proxy — as the point of contact and lists its information rather than yours. Your domain registrar offers the private registration service for a small annual fee, usually for as little as $10 per year.

Sadly, domain stealing is becoming more common. Domain registrars and the Internet Corporation for Assigned Names and Numbers (ICANN) continue to put policies in place that prevent or limit the damage. Still, no policy is foolproof, so here are some other tips you can follow to minimize the risk of domain hijacking:

  • Lock down: Registrars offer the simple and free service of locking down (restricting others from changing) your URL. When registering your domain, select the check box indicating that you want to lock the domain name. If you have an active domain name, you can change its lockdown status by using account-management tools or sending a lockdown request by e-mail (or phone) to customer support.
  • 24/7 support: Use domain registrars that offer 24-hour support or give you access to support after business hours. This strategy is important so that if you discover that your domain has been hijacked, you can start the investigative and recovery process immediately.
  • Standard notification: Choose domain registration services that state standard methods of contacting you for changes or that will agree to contact you by using multiple methods (such as by both phone and e-mail).
  • Review status: Frequently check the WHOIS directory to ensure that you’re still listed as the owner of the domain and that your contact information is current and correct.
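The "Lock down" and "Review status" tips can be turned into a routine check. The following is an added example, not part of the original chapter: it compares WHOIS output against a baseline you recorded when the domain was known to be in order. The domain, registrar, and name-server names are constructed placeholders, and the "Key: value" layout and the `clientTransferProhibited` status are assumed to match what your registry's WHOIS returns.

```python
from datetime import datetime, timedelta, timezone

# Constructed WHOIS output for a placeholder domain (not real registry data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2030-05-01T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-HOST.TEST
Name Server: NS2.EXAMPLE-HOST.TEST
"""

# The same record after a constructed hijack: new registrar, lock gone,
# name servers pointing somewhere else.
SAMPLE_HIJACKED = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Other Registrar LLC
Registry Expiry Date: 2030-05-01T04:00:00Z
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.UNKNOWN-HOST.TEST
"""

# What the owner wrote down when the domain was last known to be in order.
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "name_servers": {"ns1.example-host.test", "ns2.example-host.test"},
}


def parse_whois(text):
    """Collect the ownership-relevant fields from 'Key: value' lines."""
    record = {"registrar": None, "expiry": None,
              "statuses": set(), "name_servers": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            record["registrar"] = value
        elif key == "registry expiry date":
            record["expiry"] = datetime.strptime(
                value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        elif key == "domain status" and value:
            record["statuses"].add(value.split()[0])  # drop the trailing URL
        elif key == "name server":
            record["name_servers"].add(value.lower())
    return record


def review_domain(whois_text, baseline, now, warn_days=30):
    """Return a list of findings; an empty list means nothing changed."""
    rec = parse_whois(whois_text)
    findings = []
    if rec["registrar"] != baseline["registrar"]:
        findings.append("registrar-changed")
    if "clientTransferProhibited" not in rec["statuses"]:
        findings.append("transfer-lock-missing")
    if rec["name_servers"] != baseline["name_servers"]:
        findings.append("name-servers-changed")
    if rec["expiry"] is None or rec["expiry"] - now < timedelta(days=warn_days):
        findings.append("expiry-near-or-unknown")
    return findings


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    for label, text in (("clean", SAMPLE_WHOIS), ("hijacked", SAMPLE_HIJACKED)):
        print(label, review_domain(text, BASELINE, today))
```

Any finding other than an approaching expiry is a reason to call the registrar's support line right away rather than wait for the next scheduled review.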

Staying Away from E-Mail Scams

You should be familiar with two schemes that affect the way you handle e-mail and keep your business safe: phishing (“fish-ing”) and pharming (“farm-ing”). Both methods use unscrupulous means to find personal or private account information about you and then use it for a hacker’s personal gain. While both scams have been around for a long time, they are simple and easy for the Net-thief to deploy. E-mail scams remain a popular method for tricking people into giving up lots and lots of money!

Phishing

Phishing occurs when you receive an e-mail that seems to be from a legitimate source, such as PayPal, Amazon, or even your bank. The e-mail usually requests that you immediately update your account information because it has been compromised or needs to be verified for other reasons. When you click the link (included in your e-mail notice), a bogus site opens that captures your personal information as you “update” the account. In 2015, a multi-year phishing scam that targeted employees of banks was discovered. The e-mail scam allowed the scammers to get access to bank accounts and even dispense money at ATMs. The phishing attack stretched across multiple countries and netted the cyberthieves close to $1 billion from more than 100 banks. This is an important reminder of how phishing scams go beyond individuals and can impact your business by going through employees.

Legitimate companies have done a good job of alerting users to potential phishing scams and making it easier for you to spot e-mails that don’t originate with the company.

Generally, you should be aware of these details:

  • Account verification: Most legitimate e-mails from a member-based company or financial institution now include the last three or four digits of your account number. If the e-mail doesn’t have any highly personalized or account-specific information, it might be a fake.
  • Contact information: Check whether the contact information at the bottom of an e-mail matches the source that it’s supposedly sent from. E-mail contact information should come from the company’s primary URL, such as [email protected] — not [email protected], for example.
  • Collecting data: A legitimate request should not ask you to submit, update, or verify private and confidential information by completing an e-mail-based form or replying to that e-mail. You should be able to visit the company’s website (without using a link in the e-mail) to update account information.
  • Notice of urgency: Most phishing scams insist that you reply right away or act immediately. Bogus e-mails scare you into thinking your information is being compromised and that you must act right now.
  • Contact customer support: If an e-mail looks legitimate but you’re still not certain, play it safe and call the toll-free number listed on the back of your credit card or the one listed on the company’s website.
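The checks in this list can be applied mechanically to a message before anyone clicks anything. The following is an added example, not part of the original chapter: it flags a sender or link whose host is not the company's domain (including look-alikes that merely start with the company's name), urgent wording, requests for private data, and the absence of an account-specific detail. Both messages and the domain `example-bank.test` are constructed placeholders, and the keyword lists are illustrative assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URGENCY = ("immediately", "right away", "act now", "within 24 hours", "suspended")
DATA_REQUEST = ("password", "social security", "card number")

# Constructed messages; example-bank.test is a placeholder company domain.
SAMPLE_PHISH = """\
From: "Example Bank Support" <support@example-bank.test.secure-login.example>
To: owner@shop.example
Subject: Action required: verify your account immediately

Dear customer,
Your account has been suspended. Reply to this e-mail with your password,
or update it right away at http://example-bank.test.account-verify.example/login
"""

SAMPLE_LEGIT = """\
From: Example Bank <alerts@mail.example-bank.test>
To: owner@shop.example
Subject: Your monthly statement is ready

The statement for your account ending in 4321 is available.
Sign in at https://www.example-bank.test/ as usual to view it.
"""


def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    Comparing the END of the host name is what defeats look-alikes such as
    example-bank.test.account-verify.example, which only begins with it.
    """
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message, company_domain):
    """Return {indicator: evidence} for the warning signs found."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    findings = {}

    # Contact information: does the sender's address use the company domain?
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not belongs_to(sender_host, company_domain):
        findings["sender-domain"] = sender_host

    # Links: where would a click actually go?
    bad_links = [url for url in re.findall(r"https?://[^\s<>\"']+", body)
                 if not belongs_to(urlsplit(url).hostname, company_domain)]
    if bad_links:
        findings["link-domain"] = bad_links

    # Notice of urgency and collecting data.
    urgent = [phrase for phrase in URGENCY if phrase in text]
    if urgent:
        findings["urgency"] = urgent
    asked = [phrase for phrase in DATA_REQUEST if phrase in text]
    if asked:
        findings["asks-for-data"] = asked

    # Account verification: last three or four digits of the account number.
    if not re.search(r"ending in \d{3,4}\b", text):
        findings["no-account-detail"] = True
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw, "example-bank.test"))
```

An empty result does not prove that a message is genuine; it only means none of these particular warning signs fired.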

Pharming

Suppose that you visit a favorite shopping site. You type the domain name, and the site pops up momentarily on your screen. You log in using your password, enter your credit card information to buy products, and perhaps fork over some personal information as part of an online giveaway. Everything seems normal. What you don’t realize is that a hacker has rerouted you to a website that looks like the one you intended to visit, but this one is bogus. In the meantime, all the passwords and personal information you entered into the site are pharmed out and the data is used for malicious purposes.

You can fall victim to a pharming scam in a couple of ways. The first occurs when a virus, delivered by e-mail, compromises your computer’s information. The virus can enable the computer to redirect you to a bogus site when you type a URL into your browser.

The second method is when a hacker uses DNS poisoning, which alters the string of numbers in your DNS (Domain Name System), causing the real URL to be redirected to a fake domain. Pharming that uses DNS poisoning is a little more destructive because it can affect a larger number of users. And that destruction becomes especially costly if you’re an online business owner whose site has been poisoned.

Because no standard method exists for helping visitors confirm that a site is legitimate, it can be difficult to avoid becoming a victim. The best protection against pharming attacks as an individual user is to

  • Keep your firewall updated
  • Keep antivirus software current
  • Install patches and updates to your browser

In your Internet business, protecting your site from becoming a victim of DNS poisoning is much more difficult. In fact, no sure way to avoid it exists. The best defense is to talk with the company that hosts your site, to ensure that its servers are running the latest updates of DNS software and that all patches are installed. If you have an in-house server, you or your IT manager should be responsible for the same thing.

Mobile Security Risks

The rising popularity of mobile devices, from smartphones to tablets, has only increased the appeal of the wireless world to not only users, but also to opportunist cybercriminals. Many e-commerce applications and solutions used to manage all areas of your online business now come with the capability of using the app or service via a mobile device. That means you can run your online business from almost anywhere.

Freedom of that nature comes with a price, of course — security risks. Like it or not, if you’re using a wireless connection, you’re vulnerable. The increase of mobile applications is undeniably at the center of many wireless security concerns. Whether you use an iPhone, an iPad, or an Android device, you are at risk of data breaches that can occur right under your nose.

Another business and consumer trend that is raising the bar on mobile security risks is the growing popularity of cloud-based computing. Also referred to as software as a service (SaaS), cloud solutions are essentially the use of subscription-based or pay-for-use service over the Internet in real time. This type of computing has become an affordable way for businesses of all sizes to expand their capabilities. For example, a business can host its phone system in the cloud and use cloud-based shopping carts. Most business services can be delivered from and managed in the cloud. Although cloud computing isn’t strictly wireless, this “outside the network” approach to conducting online business introduces the opportunity for increased security risks.

Still another growing trend is called IoT, or the Internet of Things. IoT, in simple terms, allows a collection of unrelated devices to communicate with one another — this is a network of devices that each use unique identifiers to help transmit data without the need for people to be involved. For example, you may recall seeing a commercial for a new refrigerator that can send information directly to your smartphone about what items you need replenished. IoT is also enabling lots of other “shortcuts” in the home and office, but the wireless transmission opens up the opportunity for interference by the Net-thief or simple mischief makers.

With mobile usage skyrocketing and technology advances allowing more services to be consumed in the cloud, it’s important to understand as much as you can about wireless security.

Understanding How a Wireless LAN Works

Before you can protect against a security breach of any kind, consider how a wireless network operates. In short, a wireless local area network (WLAN) provides access to the Internet without the need for cables or other wires hooking directly into your computer. Instead, an access point (AP) connects other wireless devices to your local area network (LAN). Then high-frequency radio waves transmit the signal from the LAN to your mobile computer. Figure 3-1 shows you an overview of this process.

FIGURE 3-1: Overview of a wireless network.

Keep in mind that whether the wireless LAN is set up in your home, in a hotel, or at a city park, the result is the same: You share a signal that’s broadcast over public airwaves. Why does this matter to you? Think about your house as it sits in the middle of your neighborhood. Now imagine that your house has no walls. If you don’t mind neighbors — or perfect strangers, for that matter — being able to walk through your house and root around in your drawers and file cabinets, you don’t have a problem. However, if you have things you would rather not share (such as credit card numbers, passwords, and other sensitive data), being exposed to that degree can be harmful.

Remember: This might seem like a far-fetched example. However, someone using a laptop or any other wireless device (portable gaming devices come to mind) can pick up and use your wireless signal from outside your home or office — without your even knowing it.

Any type of security measure is only a deterrent. If someone really wants access to your network, he or she will find a way. In most cases, though, online thieves and hackers take a more random approach. They look for someone who is careless or naive and then take advantage of that opportunity to intrude.

Unfortunately, wireless networks can leave plenty of doors unlocked to usher in a roaming thief. Check out some of the threats that leave your wireless network exposed:

  • Sniffing: Hackers use software programs called sniffers that scan the activity (or traffic) on a network. When a sniffer detects a vulnerability, it grabs data that’s being sent across the wireless network connection.
  • Sidejacking: Using a program called Firesheep, essentially anyone can use an open Wi-Fi connection in a public facility to take advantage of another user in that same Wi-Fi environment. In this case, the unsuspecting user logs into a website, such as Amazon, and upon the verification of the user’s name and password, a cookie is created for that and subsequent sessions. When sidejackers use Firesheep, they intercept the session cookie, basically snagging it as their own, and can then proceed to assume the identity of the original user and buy things under that name or account. In our example, the sidejacker now has the cookie and Amazon can’t tell whether or not the legitimate member is using it.
  • Wardriving: Using a wireless device, such as a laptop or smartphone, a person literally drives around picking up unprotected wireless signals from homes and businesses. The wireless identification information (service set identifier, or SSID) is documented along with your physical address. Your information is put into an online database that lets curious thieves know that your wireless network is accessible.
  • Evil twin: In this scenario, your access to a legitimate wireless access point is blocked or jammed. Then you’re redirected to a second access point that’s managed by a hacker. At that point, all the information you transmit is vulnerable, and thieves can even capture keystrokes to find passwords. This type of threat most often occurs in public Wi-Fi spots such as airports and coffee shops.
  • WiPhishing: Similar to the evil twin threat, thieves basically lure you to what looks like a safe access point. By using common SSIDs of public hotspots, your computer connects to a hacker’s network. Again, your information becomes readily viewable; in some cases, viruses and Trojans are unknowingly sent to your system.
  • Snoopy: With this threat, mobile phones and any other wireless devices with Wi-Fi enabled are at risk of being compromised by drones. It sounds like something out of a spy novel, but drones armed with computers programmed to track and profile wireless devices and intercept or spoof a network can capture your data. The attacker gains access to all types of data (such as passwords and credit card numbers) shared between the mobile device and the intended network.

Obviously, the real problem with these and other wireless network threats is that your bottom line is at risk. For online thieves, it’s not a harmless hobby: It represents money in their pocket and out of yours. That’s why investing in precautionary security measures is worthwhile.
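
If you run the website rather than just visit it, you can check whether your own login page hands out a session cookie that a sidejacker on open Wi-Fi could read. The following is an added example, not part of the original chapter; the header values, the cookie name session_id, and the function names are constructed for illustration, and it assumes your site is served over HTTPS.

```python
# Added example: audit a login response for the cookie settings that
# leave a session cookie readable on open Wi-Fi. Headers are constructed.

WEAK = [  # constructed: session cookie lacks Secure, site sends no HSTS
    ("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED = [  # constructed: same response with the corrected settings
    ("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return first.partition("=")[0].strip(), attrs

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if the header is absent."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for part in value.split(";"):
            k, _, v = part.strip().partition("=")
            if k.lower() == "max-age" and v.strip('"').isdigit():
                return int(v.strip('"'))
    return 0

def audit_login_response(headers, session_cookies):
    """List (cookie, problem) pairs for the cookies that carry a login."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name not in session_cookies:
            continue  # preference cookies such as "lang" carry no identity
        if "secure" not in attrs:      # browser will also send it over plain HTTP
            findings.append((name, "no-secure"))
        if "httponly" not in attrs:    # page scripts can read the cookie
            findings.append((name, "no-httponly"))
    if hsts_max_age(headers) == 0:     # browser may still try plain HTTP first
        findings.append(("site", "no-hsts"))
    return findings

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_login_response(hdrs, {"session_id"}))
```

A "no-secure" finding means the browser will also send the cookie over unencrypted connections, which is the traffic a sniffer on the same hotspot can see.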

Establishing Barriers

When protecting your wireless network, you can choose from a range of services, applications, and common procedures that can lower the risk of being compromised.

Following your common sense

Here are some basic rules you can follow to minimize your risk:

  • Shut down. As silly as this method might sound, simply turning off your laptop when you're not using it reduces the chance for intrusion on your network. This technique also includes cutting the power to your cable or DSL.
  • Limit sharing. Allow your networked computers to have shared access to only limited files or directories rather than to hard drives. In fact, you might want to disable file and print sharing.
  • Add a personal firewall. A personal firewall installed on your laptop or on other individual computers provides another layer of protection between you and the wireless world.
  • Configure WPA2. Ensure that all devices on your network are configured or set up to use WPA2, the enhanced version of wireless encryption. If not, the less protective WEP wireless encryption becomes the default.
  • Disable broadcast. You can turn off the broadcast SSID feature that automatically searches for and logs on to a wireless connection. In other words, don’t leave the Wi-Fi setting of your wireless device always turned on.
  • Change the SSID. Wireless network devices that you buy are supplied with a preset SSID, which makes access convenient for thieves. Because this preset SSID identifies your network, you should immediately create a new SSID after installation of the wireless device. Create your SSID by following suggested guidelines for creating any password:

    • Characters: Combine letters and numbers.
    • Length: Use the number of characters allowed. (If the limit is 12, for example, use all 12 characters.)
    • Uniqueness: Your SSID should be different from any of your other passwords.
    • Updates: Change your SSID every three to four months.

    Remember: To change your SSID, disable the broadcast feature, or configure devices for WPA, refer to the owner’s manual supplied with your particular wireless router or access point.

  • Update your OS and apps. Make sure you always install OS (operating system) updates, as well as any updates to applications you use, as soon as the updates are available. The updates frequently include patches or fixes to security flaws.

    Remember: The increased use of social media networks, virtual games, cloud-based services, and other apps on wireless devices provides plenty of opportunity for security vulnerabilities. One of the best ways to fight it is to install the most recent updates, as soon as they are available.

  • Use two-factor authentication. This security process requires two methods of identification, usually a password (something you know) and a physical token (something you have), such as your mobile phone. If Net-thieves get your password over a wireless network, they must still have the physical token before they can gain access to your online data.

    Many websites provide two-factor authentication, and taking the time to enable it is worthwhile. Some of the most important sites where you should consider using it are Gmail, PayPal, Amazon Web Services, Apple, Dropbox, Microsoft, and WordPress. Because social media sites are increasingly vulnerable to security attacks, two-factor authentication is recommended for LinkedIn, Twitter, and Facebook. Keep in mind that if a site such as Yahoo! or Twitter gets hacked and passwords are stolen (which has happened several times recently), the stolen passwords are run through programs to find matches to other sites that use the same password. If you use the same password for multiple sites (a real no-no!), you could have a serious data breach on your hands. Similarly, more sites allow you to sign in by using a social login. This means you let other websites use your social media profiles (access passwords and login information) from Facebook or other popular sites. If you stay logged into the social networks, then this type of login is a time-saving shortcut, but it leaves you more vulnerable to thieves. We recommend avoiding social logins if at all possible.
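
To see why a stolen password alone is not enough, here is how one common kind of phone-based second factor, the time-based one-time password (TOTP, RFC 6238), can be checked at login. This is an added example, not part of the original chapter; the chapter does not name TOTP, the function names are constructed, and the shared secret is the published RFC test value rather than a real one.

```python
# Added example: a login check that needs both factors. The phone and the
# website share a secret; each derives a short code from it and the clock.
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key

def hotp(secret, counter, digits=6):
    """One-time code for a counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def totp(secret, now, step=30, digits=6):
    """Code the phone shows at Unix time `now`; it changes every `step` seconds."""
    return hotp(secret, int(now) // step, digits)

def login(password_ok, submitted_code, secret, now, step=30, window=1):
    """Accept only if the password is right AND the code matches the
    current time step or one step either side (to allow for clock drift)."""
    if not password_ok:
        return False
    counter = int(now) // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift)
        if hmac.compare_digest(expected, submitted_code):  # constant-time compare
            return True
    return False

if __name__ == "__main__":
    now = 59  # constructed clock value taken from the RFC test table
    code = totp(SECRET, now)
    print("code on the phone:", code)
    print("password + code:", login(True, code, SECRET, now))
    print("stolen password, guessed code:", login(True, "000000", SECRET, now))
    print("same code two minutes later:", login(True, code, SECRET, now + 120))
```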

Setting up a virtual private network

When you use a virtual private network (VPN), you create a protective tunnel around your wireless connection. The VPN keeps your transmission secure and also keeps out anyone not specifically granted access. To set up a VPN for your home office or small business, you can purchase a wireless VPN firewall from companies such as Netgear (www.netgear.com).

If you plan to work frequently at hotspots, consider signing up for a subscription-based VPN service. As we mentioned, one of the biggest threats when working from free Wi-Fi hotspots is Firesheep. Because Firesheep is so easy to access and use, the chances of becoming a victim of this threat are super high. So far, one of the best protections against a Firesheep attack is having a VPN. You can connect to a VPN for added protection in restaurants, hotels, airports, or any other Wi-Fi hotspot. Check out providers such as Private Internet Access (www.privateinternetaccess.com), which costs as little as $7 per month or $40 per year. TorGuard (www.torguard.net) offers two kinds of VPN services, starting at $5 per month.

Keeping an eye on your connection

No single method is best for protecting against wireless crimes. Instead, use a combination of security measures and common sense. You can never be too secure — the more measures you take, the better off you are.
