Deepu Krishnan R K
Monday, 24 April 2006
Phishing
Now Playing: An Interesting Twist On A Common Scam
Topic: Web Security
Imagine you are the CIO of a national financial institution and you've recently deployed a state-of-the-art online transaction service for your customers. To make sure your company's network perimeter is secure, you commissioned two external security assessments and penetration tests. When the final report came in, your company was given a clean bill of health. At first, you felt relieved and confident in your security measures. Shortly thereafter, your relief turned to concern: "Is it really possible that we are completely secure?" Given your skepticism, you decide to get one more opinion. The day of the penetration test report delivery is now at hand. Based on the previous assessments, you expect to receive nothing but positive information...

The Results Were Less Than Pleasing

During this penetration test there were several interesting findings, but we are going to focus on one that would knock the wind out of anyone responsible for the security of online systems, particularly if you are in the business of money. Most people are familiar with the term "Phishing". Dictionary.com defines Phishing as "the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords". Although SPAM / unsolicited e-mail and direct web server compromise are the most common methods of Phishing, there are other ways to accomplish this fraudulent activity.

Internet Router Compromise Makes For A Bad Day

In this case, the Internet router was compromised by using a well-known CISCO vulnerability. Once this was accomplished, the sky was the limit as far as what could be done to impact the organization. Even though the company's web server was secure, and the Firewall that was protecting the web server was configured adequately, what took place next made these defense systems irrelevant. Instead of setting up a duplicate login site on an external system and then sending out SPAM to entice a customer to give up their user ID, password, and account numbers, another, much more nefarious approach was taken.

Phishing For Personal Or Financial Information

You remember that router that was compromised? For proof-of-concept purposes, the router configuration was altered to forward all Internet traffic bound for the legitimate web server to another web server where user ID, password, and account information could be collected. The first time this information was entered, the customer would receive an ambiguous error. The second time the page loaded, the fake web server redirected the customer to the real site. When the user re-entered the requested information, everything worked just fine. No one, neither the customer nor the company, had any idea that something nefarious was going on. No bells or whistles went off; no one questioned the error. Why would they? They could have put the wrong password in, or it was likely one of the typical web page errors that everyone deals with from time to time. At this point, you can let your imagination take over. The attacker may not use the information collected right away; it could be days or weeks before it is used. By then, any trace of what actually took place to collect the information would most likely be history.

What Do You Really Get Out Of Security Assessments

I can't tell you how many times I've been presented with security assessment reports that are pretty much the raw output of an off-the-shelf or open source automated security analyzer. Although an attacker may use the same or similar tools during an attack, they do not rely solely on this information to reach their goal. An effective penetration test or security assessment must be performed by someone who understands more than "security vulnerabilities" and how to run off-the-shelf tools. The person executing the assessment must do so armed with tools and experience that meet or exceed those a potential attacker would have.

Conclusion

Whether you are a small, medium, or large company, you must be very careful about who you decide is most qualified to perform a review of your company's security defense systems, or security profile. Just because an organization presents you with credentials, such as consultants with their CISSP....., it does not mean these people have any real-world experience. All the certifications in the world cannot assure you that the results you receive from a security assessment are thorough and complete. Getting a second opinion is appropriate given what may be at stake. If you were not feeling well, and knew that something was wrong with you, would you settle for just one doctor's opinion? Quite frankly, I've never met a hacker (I know I will get slammed for using this term, I always do) that has a certification stating that they know what they are doing. They know what they are doing because they've done it, over and over again, and have a complete understanding of network systems and software. On top of that, the one thing they have that no class or certification can teach you is imagination.
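The router story above turns on one thing: a forwarding rule was added to a device the web server and firewall both trusted, and nobody noticed. A control that would have caught it is plain configuration drift monitoring: keep a known-good copy of each router's running configuration and diff every new snapshot against it, escalating any change in the sections that decide where traffic goes (static routes, NAT, policy routing, DNS). The script below is an added example, not code from the original post or from any vendor; it assumes Cisco IOS-style syntax, and the two configurations in it are constructed for illustration (the "current" one has a rewritten static NAT and a new host route, standing in for the kind of edit the article describes).

```python
"""Router configuration drift check (added example; constructed sample data).

Compares a baseline (known-good) router configuration with a fresh snapshot
and flags changed lines.  Lines that can redirect traffic are rated HIGH so
that the on-call engineer sees a rewritten NAT entry or a new static route
before a customer does.
"""
import hashlib

# Line prefixes (Cisco IOS style, assumed) that change where packets or names go.
REDIRECT_PREFIXES = (
    "ip route ",
    "ip nat ",
    "route-map ",
    "ip policy ",
    "ip name-server ",
    "ip host ",
)

# Constructed known-good configuration for a hypothetical edge router.
BASELINE = """\
hostname edge-rtr-1
ip name-server 192.0.2.53
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
ip nat inside source static 10.0.0.10 198.51.100.10
ip route 0.0.0.0 0.0.0.0 198.51.100.254
"""

# Constructed "current" snapshot: the static NAT for the public web address now
# maps to a different inside host, and a host route to an outside address appeared.
CURRENT = """\
hostname edge-rtr-1
ip name-server 192.0.2.53
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
ip nat inside source static 10.0.0.66 198.51.100.10
ip route 0.0.0.0 0.0.0.0 198.51.100.254
ip route 198.51.100.10 255.255.255.255 203.0.113.7
"""


def normalize(config):
    """Return config lines with blanks, '!' comments and trailing spaces removed."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def config_fingerprint(config):
    """SHA-256 of the normalized config; cheap to store and compare per poll."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def diff_configs(baseline, current):
    """Return (added, removed) lines, comparing as sets so reordering is ignored."""
    base = set(normalize(baseline))
    cur = set(normalize(current))
    return sorted(cur - base), sorted(base - cur)


def is_redirecting(line):
    """True if the line belongs to a section that can change traffic flow."""
    return line.lstrip().startswith(REDIRECT_PREFIXES)


def check_drift(baseline, current):
    """Return (alert, findings); findings are (severity, change, line) tuples."""
    if config_fingerprint(baseline) == config_fingerprint(current):
        return False, []
    added, removed = diff_configs(baseline, current)
    findings = []
    for change, lines in (("added", added), ("removed", removed)):
        for line in lines:
            severity = "HIGH" if is_redirecting(line) else "INFO"
            findings.append((severity, change, line))
    alert = any(sev == "HIGH" for sev, _, _ in findings)
    return alert, findings


if __name__ == "__main__":
    alert, findings = check_drift(BASELINE, CURRENT)
    print("ALERT" if alert else "ok")
    for severity, change, line in findings:
        print(f"[{severity}] {change}: {line}")
```

In practice the baseline is whatever was last reviewed and approved, the snapshot is pulled from the device on a schedule (or on every config-change syslog), and a HIGH finding pages someone rather than waiting for a customer to report an odd login error. Comparing as sets keeps the check simple but drops duplicate lines and ordering; where rule order matters (ACLs, route-maps) diff the normalized lists instead.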

Written / posted by Deepu Krishnan R K at 3:33 PM EDT
A blog and a website
Mood:  bright
Now Playing: People are now choosing to have both a website and a blog. What makes an interesting blog, and why have one anyway?
Topic: Internet
If you haven’t noticed already, blogs are the new big thing on the Internet. In case you don’t know what a blog is, I’ll let you in on the not-so-secret secret. A blog is a website that is in journal or diary form. Essentially, it’s a place online where you can write about your life and your interests and share yourself with the rest of the world. Journals used to be secret books you hid under the bed, so this is a huge change in paradigm for this medium. Now, it’s about telling other people in the world what you think and do. The blogging community is already massive; there are millions of human beings with these new, simplistic websites, everywhere from Timbuktu to Kalamazoo.

For a little research into the blog craze I went to one of the biggest blogging sites, http://www.blogger.com, which is now owned by Google. This site is pretty cool, and within a very short time you can have your own free template-based blog set up complete with your specified name. Your URL or web address usually has the name ‘blogspot’ after it, which can look a little unprofessional, but I’ve heard that there is some way of getting around this obstacle. Otherwise, you can always go to a web-hosting company and set up a blog which will be more original in its design, as well as having any address you like. Meanwhile, I checked out three blogs at Blogger to see how and why people are making their online journals.

At http://funnycute.blogspot.com/ I found a really interesting social diary made by a cartoonist. One thing that made the journal entries so attractive to read was, of course, the cartoons. She really is a great artist. The images, as they are self-drawn, add much-needed life to the text, as well as producing an individual authenticity which gives visitors instantaneous deep insight into the personality of the artist. Her blog site is obviously very popular, as each entry has around 50 comments made by others attached to it. This is one of the main reasons why people write blogs: to connect with others of like mind. This blog is well constructed as it has a good biography of the human being it belongs to, lots of links to other blogs that relate to its general topic (in this case ‘cartoons’), and it has a link to the artist’s personal website. See, that’s the real phenomenon: to have both a blog and a general website. With the blog we get to see the workings of the mind behind the artist, whereas at her personal website, in this case http://www.katienice.homestead.com/, we get the opportunity to have a look at her professional portfolio.

The second blog site I checked out was at http://www.birdchick.com/blog.html. This site interested me because of the photos of birds and other animals that accompany each day’s journal writing (again, that essence of true life and not just text on a page makes it interesting). Here is a person whose site definitely focuses on one central theme, in this case bird-watching. A standout on her blog’s home page is the long list of blog links, both to other personal bird-watching blogs and to general media-owned bird-watching sites. One cool section of the list is dedicated to bird webcams. These are actual websites that have 24-hour-long camera shots of certain areas where specific types of birds are known to frequent (e.g. Great Horned Owls). What’ll people think of next? Again there is a link to the blog owner’s own personal website, http://www.birdchick.com/, which I assume is supported by a web-hosting company. Check it out; it has a cool photo of the blogger holding a huge hawk (I think it’s a hawk, I’m not very knowledgeable about the world of Ornithology!) on her arm. She’s even gone to the trouble (unless someone else out there did it) to put her website up in French as well.

The final blog I visited was called ‘Paradise Found’, located at http://tomquinn.blogspot.com/. An interesting point about the blogger at this site is that they reside (in the blogger’s own words) on a small speck of rock in the middle of the Atlantic (Bermuda). This just shows that even in a place so remote that people have even believed it to be supernatural (‘The Bermuda Triangle’ is where planes and ships are often reported to go missing, never to be seen again), the Internet is alive and well and individuals are sharing their experiences, hobbies, beliefs, and interests with the rest of the now-interconnected planet. The blogger here calls his blog a ‘Photo blog’. Every diary entry contains at least one photograph personally taken by the photographer himself. There is also a link to his site at http://flickr.com/photos/tquinn/ where he has an archive of over 400 pictures that he’s taken.

Again, this pattern of a blog for thoughts and personal points of view, matched up and linked to a general website showing actual work, a portfolio, or general life interests, seems to be the way most people are now communicating with each other over the Web. Today we are gaining so much more insight into what life is like for other people in the world. It seems that having both a blog and a website has been a natural progression undertaken by people who truly want to share themselves and their ideas with the rest of the human community.

Written / posted by Deepu Krishnan R K at 3:20 PM EDT
Thursday, 13 April 2006
Internet Marketing
Mood:  bright
Now Playing: Complying with the CAN-SPAM Laws in Your Online Business
Learn the rules of the road in advertising your online business via e-mail. There are some things that you should do and things you should not do when you embark on this method of advertising. Find out what the law is and how to ensure you are in compliance. Your success depends on it.

Internet Marketing Has Many Challenges

When you are first learning how to make money on the Internet, you can be faced with many challenges. Along with needing to know where to start, you must also learn the rules of the road. One of the most popular methods of marketing your business is email advertising. There are some things that you should do and things you should not do when you embark on this method of advertising. There are some hard and fast rules to follow when beginning to make money online by using email advertising that will increase the effectiveness of your advertising. It would be great if there was a practical, easy-to-understand, and easy-to-implement rulebook to follow to ensure your online business and financial well-being are guaranteed; however, the only true gauge of success is how you go about starting your business and marketing it, as well as the methods you use to increase your wealth by improving the way you do business. Your own efforts in learning about operating an online business, and paying attention to the lessons learned from others in the trade, are your best recourse.

Learn From the Business World

There is plenty of cutting-edge educational information coming straight from the trenches of today’s business world. Today, when you open your email inbox, pay attention to the formatting of the advertising messages you receive and how they are presented. Much of the information you receive is often mixed in with a mountain of spam and advertisements each day, but there are ways to overcome this limitation and get your advertisements read.

Complying with the Law

The difference between spam mail and the correct, effective way to advertise via email is that you must use a technique to allow subscribers of your advertisement to ‘opt-in’ by signing up for the information you want to send them. To accomplish this step, you should place a simple form on your website to inform your visitors that you have valuable information for them and they can sign up to receive it. This way you ensure that your visitor is truly interested in your information and that you are not violating any spamming laws. The premise of the CAN-SPAM law that became effective on January 1, 2004, is that your email's "From," "To," and routing information, including the originating domain name and email address, must be accurate and identify the person who initiated the email. Also, the subject line cannot mislead the recipient about the contents or subject matter of the message. You must also provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. The law also requires that commercial email be identified as an advertisement and include the sender's valid physical postal address. You can find more information about this law at the Federal Trade Commission's web site. With this in mind, it is important to learn ways that you can collect email addresses effectively and determine that your subscriber has requested information from you. Doing this will give you the ability to market your advertisements in a way that will help you improve your online business, make money online, and comply with the email advertising laws.

The Best Way to Get Subscribers

The best way to build your list of “opt-in” subscribers to your offer is to place a simple form on your web page indicating what information your subscribers will get when they sign up to receive it.

What You Can Do When You Get Subscribers

Your offer can then be freely sent to your subscribers, as well as any other offers that may be of interest to them. By indicating that you are offering something of value in your email, you are explicitly following the rules of the road.

What You Must Do When a Subscriber "Opts-Out"

You can continue to send emails to your subscribers unless they decide to exercise their right to “opt-out” and stop receiving emails from you. When subscribers do this, it is your duty to remove them from your list within 10 days.

How You Can Guarantee You are Following the Rules of the Road

Use respected autoresponder services that fully comply with the rules of the road and enforce these policies. Before using such services, you will be required to agree to the anti-spam laws, and the service provides mechanisms such as “Opt-In” and “Opt-Out” built into their extensive monitoring systems. A good service can be found at GetResponse.com.

Written / posted by Deepu Krishnan R K at 12:01 AM EDT