
Archive for July, 2007

How secure is your web site?

Monday, July 30th, 2007

Even if your web site does not hold any national security documents, you should take the security of your web site seriously. This is especially important if you are selling products on your web site.

A typical setup is that you have one or more sales pages for your product and when a prospect clicks on an order link they are redirected to PayPal, 2CheckOut or some other payment processing service. This setup is good for several reasons, the most important being the fact that you avoid having to deal with credit card numbers and other sensitive customer information. So far in 2007 there have been published reports of more than 89 million identity records exposed from data breaches. See the Identity Theft Resource Center for some really scary reading. Leaving data theft worries to companies who specialize in handling financial information is a great strategy for most small businesses.

But that does not leave you totally in the clear. If you are selling a digital product that the customer can download immediately after the purchase, you need to ensure that the product is protected. There are many ways that web site owners inadvertently leave their valuable products unprotected – making them available for free to anyone who knows where to look.

Here are the 3 most common errors:

1. Easy to guess filenames.

If the title of your e-book is “AdWords Secrets”, then don’t name the file AdWordsSecrets.pdf. It is just too easy to guess that the URL for downloading your e-book might be www.example.com/AdWordsSecrets.pdf.

At least add a version number or a date into the filename, e.g. AdWordsSecrets_v42.pdf or AdWordsSecrets_20070707.pdf. This will make it much more difficult to guess the filename and the URL.

2. Search engines indexing the download page or the product itself.

Today’s search engines are extremely efficient in spidering content on the web and keeping your web pages secret from search engines is becoming increasingly difficult. Even if you don’t have any public links to your secret product download page there are several ways that a search engine can find out about the page and index it. Once it’s indexed anyone who uses that search engine may see your product download page in the search results, and they can download your product for free.

You should regularly check what each search engine knows about your web site. In most major search engines you can use the site: operator, e.g. site:example.com, to get a listing of all the pages on your web site that have been indexed.

3. Improperly configured robots.txt

robots.txt is a text file that you can place on your web server to guide search engines to what content they are allowed to index and what is off limits. While this may prevent most search engines from indexing your secret web pages, it opens up another vulnerability: any curious web surfer is able to view your robots.txt file. If the file explicitly forbids search engines from looking in the /downloads or /report directories, then it’s very likely that’s where the secret files are stored. With this knowledge the web surfer can more easily find your product and download it for free.

You need to strike the right balance between protecting certain files and directories in robots.txt while not revealing too much about the structure of your web site.
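As an added example (not code from the original post), the following Python script shows the defensive side of points 1 and 3 above: it generates a download filename that cannot be guessed from the product title, issues a download link that is tied to one order and expires after a set time, and audits a robots.txt for Disallow entries that advertise where the paid files live. The server secret, the order-id format and the list of sensitive words are assumptions made for the example; the robots.txt in the demo is constructed to resemble the one the post warns about.

```python
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Assumption: a long random secret kept only on the server (this value is a placeholder).
SECRET_KEY = b"placeholder-server-secret-change-me"


def unguessable_filename(title, ext="pdf"):
    """Keep the title for your own bookkeeping, but make the public name unguessable.

    A version number or date narrows the guessing space a little; 16 random bytes
    from the OS random generator make guessing the URL impractical.
    """
    stem = re.sub(r"[^A-Za-z0-9]+", "", title)
    return f"{stem}_{secrets.token_urlsafe(16)}.{ext}"


def make_download_link(base_url, filename, order_id, ttl_seconds=3600, now=None, key=SECRET_KEY):
    """Build a download URL that is tied to one order and expires after ttl_seconds."""
    issued = int(time.time()) if now is None else int(now)
    expires = issued + ttl_seconds
    message = f"{filename}|{order_id}|{expires}".encode()
    signature = hmac.new(key, message, hashlib.sha256).hexdigest()
    query = urlencode({"f": filename, "o": order_id, "e": expires, "s": signature})
    return f"{base_url}?{query}"


def verify_download_request(query, now=None, key=SECRET_KEY):
    """Return the filename to serve, or None if the link is forged, altered or expired."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        filename, order_id, expires, signature = (
            params["f"], params["o"], int(params["e"]), params["s"])
    except (KeyError, ValueError):
        return None
    message = f"{filename}|{order_id}|{expires}".encode()
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return None
    current = time.time() if now is None else now
    if current > expires:
        return None
    return filename


# Words that, in a Disallow path, tell a reader where the paid content lives.
# Assumption: this list is constructed for the example; tune it to your own site.
SENSITIVE_HINTS = ("download", "report", "ebook", "product", "private", "secret", "member")


def audit_robots_txt(text):
    """Return the Disallow paths in a robots.txt that advertise sensitive directories."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if any(hint in path.lower() for hint in SENSITIVE_HINTS):
            findings.append(path)
    return findings


if __name__ == "__main__":
    # Constructed sample input: a robots.txt like the one the post warns about.
    sample = "User-agent: *\nDisallow: /downloads/\nDisallow: /report/\nDisallow: /cgi-bin/\n"
    print("robots.txt reveals:", audit_robots_txt(sample))
    name = unguessable_filename("AdWords Secrets")
    link = make_download_link("https://www.example.com/dl", name, "order-1234", ttl_seconds=3600)
    print("one-hour link:", link)
    print("serves:", verify_download_request(link.split("?", 1)[1]))
```

The signed, expiring link goes further than the post's suggestion of a version number or date: even if a link is shared, it stops working after the time limit, and changing the order id or filename in the query invalidates the signature. The audit function is the check to run on your own robots.txt before publishing it; a path it flags is one that a curious visitor can read just as easily as a search engine can.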

Selling digital products online is a great business. Make sure that you get paid for the products that you have painstakingly created by following the guidelines above and applying common sense.

More details on how to protect your digital products can be found in my latest report: The Digital Security Report.

A computer virus primer

Friday, July 27th, 2007

A computer virus cannot give you a cold or flu or anything more deadly. A computer virus is a program that causes harm to the computer or worry to the user. Today the manner of transmission is usually via the Internet, either from web sites that you access or e-mails that you receive. Be aware that many people whom you inform that they have sent out a virus will not thank you for that information, and often it is ignored by small businesses or charities.

Many years ago, in the days of 8086 computers, there was a little program called drain. You usually ran it from a floppy disc; the prompt on the computer looked normal, and then whatever the person tried to do on the computer next, the program displayed a warning message that water had been located in the hard drive and that the system would now attempt to remove the water. A message was displayed that “the spin dry cycle was started”, and it sounded as though a spin dryer was starting and water was gurgling out of the machine. The program completed with the message that “the spin dry cycle was complete”. Mostly this was harmless fun where one person would play a prank on a colleague, friend or family member, but it could cause considerable concern to the person who was suddenly faced with water in their hard drive. I would not recommend this prank being played on someone who had a bad heart. Pranks like this are still perpetrated, but the virus of today is more deadly: it damages or destroys data or even the computer operating system.

Computer virus detection is big business and has to operate 24 hours a day, 7 days a week. Special dates like Friday 13th or 07/07/07 are obvious targets for the virus writers to aim at. You never know when a virus may hit and disable your computer network. I remember turning up for work at an office and every 5 minutes there was a warning broadcast on the public address that no-one was to turn on their computers, as the network servers had been attacked by a virus and they did not want any other computers infected before they received the patch. This was a company where every e-mail was scanned by the ISP prior to being allowed onto the local system and then scanned again both at the e-mail server and by your own computer. Always take the time to regularly update your anti-virus software and any anti-spam, adware, spyware or malware defenses. It is worth paying to allow another year’s updates of anti-virus etc. If it is too expensive then consider the options, and give up a meal or two in a restaurant and eat at home.

A Trojan horse is what appears to be a harmless or even a helpful program that is in fact harmful and may be deadly. This may be a virus or spyware installation. When you are offered a free program, ask if you are 110% certain that the person or web site offering the product has no malicious or financial motive for harming you or your computer. The only way you can be certain is if the program comes from a trusted friend or a well-trusted web site such as an anti-virus web site. Otherwise do not download.

Put in place a firewall that can prevent a person or program from accessing your computer. These firewalls can be hardware or software based. Recently I have been researching a wireless router for my home network and I noticed that a large number of the routers had a firewall built in to protect from unauthorized access. Within Windows there is also a firewall program, as there is in a number of the all-in-one virus and Internet suites such as Norton Internet Security or Kaspersky. Put as much in as you can now, and then research how effective the computer magazines think this is so you can decide if there is something else on the market that is better.

To run a computer without anti-virus software these days is like playing Russian roulette. Very quickly you will find your computer gets very badly infected. If you do not believe me, some of the large anti-virus companies offer a facility to check your computer online. Look at Symantec’s web site. I should imagine that McAfee, Kaspersky and others have a similar offer. If you have a computer that is on the Internet and not protected by an anti-virus system, then try out one or more of these free offers to see what the state of your computer’s infection is.

Shop around and find yourself some affordable protection. You may need to look on the web and compare local prices with those on the Internet. If you have any sort of affiliate program running on the web then you may want to look at becoming an affiliate, especially if you can save on buying the anti-virus for yourself. Today the anti-virus software can be downloaded from the net, but make sure you are on the exact site you want.

Phishing and identity theft is big business

Wednesday, July 25th, 2007

Phishing is sending out an e-mail that appears to come from a reputable business and asking for information. This information can then be used to access your bank or credit information. Identity theft is someone managing to find your IDs and passwords so they can pretend to be you. It may be that they will attempt to pretend to be you by sending e-mails out in your name. It may be that they will access your bank details and steal money from you or arrange for loans in your name.

There are many different programs, under many different names, that can be installed on your system by unscrupulous people. They all come under the general name of keyloggers, as they create a log of the keystrokes you make, including web site names and access passwords. As the log is in the form of separate keystrokes, it needs to be put together by a program to get unscrambled information that can be analyzed. This can then be used to target advertising to you and your preferences when you access a web site.

Intrusion detection systems are becoming more and more important. You do not know what someone else or an intrusive program is going to do, so stop it when it begins to intrude into your computer. Stop the intrusion before you lose your information.

Open source and commercial intrusion detection systems. It sounds very posh but it is all very simple. In order for your computer to be infected by adware, spyware or malware there must be some sort of intrusion of software from outside your computer into your computer’s system. So in order to detect and prevent problems with adware, spyware or malware, preventing their intrusion is the best place to start. The software that does this is called an intrusion detection system. There are commercial versions of these systems from companies like Symantec, Kaspersky and McAfee, and there are also Open Source versions of this software. Open Source software can be acquired for free, but the whole idea of Open Source is to contribute to the continuing development of the product, either by giving some money when you get it, by contributing to the user group, or by writing some new parts of the software when needed.

I am not making any recommendations of the best Commercial or Open Source software to purchase, as the situation could change in the next few days: either a new company comes into the market that is the best, or one of the established companies gets it wrong and a large number of people become infected. Beware of any company boasting about their ability to completely eradicate adware, spyware and malware, as there are always new problems coming to light. Beware of taking any free software at face value, as there are some unscrupulous people who say they are giving away an intrusion detection system when all they are giving you are copies of spyware and malware programs to infect your system. So read computer magazines and reviews on the web, and ask not only your friends but also your business contacts what they are using. If you are working for a company, what do they use, and can the same software be installed on your home computer at no extra cost in order to prevent cross infection when you take work home? It is always worth asking, and even if they say no there may be someone in your IT department who can recommend Open Source, free or low-cost software.

In order to minimize the intrusions into your computer it may be necessary to surf anonymously. This is even more important when your company or country blocks certain web sites that you want or need to have access to. A company may block access to MySpace and other gaming sites so that employees work when they are supposed to, but that may not be very helpful when someone is working out of hours and is waiting for the results of tests, so a proxy server may be the answer. Also, within some countries there may be attempts by the government to block access to certain sites. The countries with the most extensive lists of blocked sites are Iran and China.

What is the difference between adware, spyware and malware?

Monday, July 23rd, 2007

Spyware is software that enables an individual or company to see what web sites you are accessing, to search your hard disc for “useful information”, and to find out what your account numbers and passwords are. Adware, on the other hand, will display adverts for various types of products and services available on the Internet. Adware is annoying; spyware can be catastrophic to your computer and to you. Malware is spyware in its worst forms, where in the end the malware will give all of your computer information to a third party, mess up your web browser settings and your Internet sites, and prevent you from using your computer as it runs so slowly.

Spyware can perform many functions. One single spyware program or script on your computer can install other spyware onto your computer, so instead of having one spy looking at your computer there can be many. Each program and script will have the effect of slowing down your computer. Spyware can also mutate, so that the simple program that comes into your system first becomes a more complex second generation program which is harder to remove and collects more information from your computer. Spyware and adware can both deliver annoying advertisements, so when you want to do a task you are slowed down and unable to do what you want to do quickly.

Spyware will also search through your hard disc. The spyware will search all your cookies to see what websites you have accessed; it will snoop to see what applications are on your system and scan all the files located on your hard disc. Spyware will snoop on you by reading your keystrokes to find out exactly what you are doing, so confidential information can be read and known. This information could be company confidential, trade secrets or government classified; it could also be detailed information on a takeover or other secret information. Anything that is keyed into a computer or is stored on the hard disc can become public knowledge. Your credit card and national insurance numbers are spied upon, together with passwords and your other personal information. Spyware can change the home page on your web browser, sometimes to a page that would be embarrassing for your partner to see and for you to explain. Spyware will add advertising links to your web pages that you are not paid for but the spyware owner is. Spyware will never allow the computer user any uninstall option and often places itself in unexpected places, making it difficult to remove.

Protect yourself (and your friends) from spam

Friday, July 20th, 2007

Spam is the next thing we need to consider. What is spam? The basic reply is unwanted or junk e-mail. Note that some countries already have laws in place to make spamming an offense, but the problem comes when the e-mail is sent from a country other than your own. Get to know the laws concerning spam in your own country so you do not unintentionally break the law. A simple example is that it is very tempting when your wife has just had a baby to tell everyone in your e-mail address book the facts, but that could constitute spam. Make sure you check your spam folder regularly. By regularly I mean at least once a day, so you can delete anything that is spam and deal with any e-mails that have ended up in the spam folder by mistake. It is no good deleting everything in the spam folder every month only to find that someone has been trying to contact you and has become very upset as their e-mails have been deleted without being read.

Avoid releasing your own e-mail address out on the net. If you have a web site or advertise online, use a generic e-mail address like “sales@account.com” rather than one specifically aimed at you. The other option is to set up the contact link so that messages are checked before any spam is allowed in. Look at the options on the Internet and also those from your ISP.

Get spam blocking software. This can be integrated with your existing anti-virus, be part of your mail server, or be a stand-alone program that runs in the background on your computer.

Get multiple e-mail addresses. That way you can start to find out if someone is either selling off your e-mail address or is using a spider to locate potential e-mail addresses.

Do not open attachments from people you do not know. It seems a simple statement, but when you are tired or have had a few days away from your computer you may not always avoid this one. It does not matter what is promised; the danger is not worth it, even if it is your favorite film or TV star.

Get an e-mail provider who can process bulk mail baskets. Another way to try and stop the spam is for your e-mail provider to help you by locating e-mails that are sent out to many addresses. They are not passed to you but held on the e-mail server for you to check. Again, check the e-mails rejected by this regularly and only read those whose senders you know.

Keep your PC from becoming infected

Wednesday, July 18th, 2007

Patch your computer’s operating system. Many people get the idea that operating system manufacturers are only there to cause hassle. In fact they are there as a safeguard. Take the time to look at the patches that are being downloaded. The vast majority are there to improve security. It is in your best interests to close any security or virus holes and keep your computer and its data safe.

Turn on your firewall. It sounds so simple but with Windows XP there is a firewall so turn it on. In Windows Vista there is Windows Defender to stop spyware and Windows Firewall to prevent unauthorized access to your computer. Remember that as these Microsoft Windows tools are so common they are often the first to be targeted by those seeking to gain access to your computer.

Browser settings set for maximum security. This seems like common sense but it adds to your work. You will need to authorize when a site can be accessed, and so it will slow down the speed of your surfing at times. Protect yourself and your work by checking these security settings. You can also protect yourself by choosing another Internet browser. There are many free ones to choose from; Opera, Mozilla and Mozilla Firefox are some that come to mind. If you also wish to edit web pages then you may want to consider Mozilla SeaMonkey. Try them out and see what you prefer. It is often down to personal preference.

Install anti-virus and set it for auto update. Most computers will come with an anti-virus or a complete package such as Norton Internet Security. It is good to try out the package you have there. Make sure that when your trial period runs out you have selected a new anti-virus or Internet security package. Take a look at Norton, McAfee or Kaspersky and surf the web for other options. Always take advice from computer magazines and friends as to the packages they use, so that you will not be caught by a site offering anti-virus software that really infects your machine instead.

Do not open unknown e-mail attachments. It may be a beautiful picture on the outside and a whole heap of trouble on the inside. If you do not recognize who this is from then bin it.

Do not run programs from unknown origins. There are literally millions of programs and scripts on the Internet. You could say that most of them are harmless to your computer, but that can still mean hundreds of thousands of programs that will cause harm to you, your computer, or both.

Disconnect your computer from the Internet when not using it. That is easy for me to say, sitting on a portable with easy access to the LAN cable and a switch to turn off the wireless LAN. It may be a different matter as you sit with your computer linked to a LAN, with the local printers and file servers attached to that and the link to the Internet simply another path on it. If you have some sort of system responsibility for the LAN then consider the positioning of firewalls and defenses both inside the LAN and at the junction of the LAN and the Internet. If you have a single computer linked directly to the LAN via a modem, but everything has been neatly installed so that you cannot physically get access to the LAN cable or the modem to break the link, then spend the time learning to use the icons in the notification area of your computer to turn off the Internet connection while you are doing other things.

Turn off your computer if you are not going to use it for a while. Note that this is a trade-off. If you are stopping only long enough to make a drink and take a toilet break then leave the computer on, as starting and stopping the computer are the most dangerous times. Some companies that I have worked for insisted that their employees and consultants leave the personal computers running all the time and only turn off the screen. This is impractical these days, when your computer network links to the Internet and many threats come from that direction. The point I want to make is that if you are leaving your computer for a number of hours, consider turning it off. If you leave it for a few minutes, check to see if anything has been running while you were away.

Backup your PDA

Monday, July 16th, 2007

Do not forget your PDA. The data on that may be backed up onto your personal computer, but what about backing that up?

Remember that your PDA is always vulnerable to careless use or loss. Many PDAs are seen as desirable by thieves. The loss of a PDA may be a source of embarrassment, especially if you use the diary feature to make appointments. Dropping a PDA into water or alcohol, or stepping on it with a stiletto heel, can mean the end of a trusted companion and friend. So what can be done to protect ourselves from the loss of our pocket computer?

Making backups is the first and essential step to protect the data there. Use the software provided to copy your data onto your personal computer and to download data from your computer onto the PDA. It may not be as convenient to manipulate the data on your desktop or portable computer, but at least it is there.

Include the data from your PDA in your regular backup of your personal computer. If you fail to do this then the loss of both would land you in deep problems.

Most PDAs are either Palm based or Windows based. Make sure that you are confident with the software on your personal computer, so that you can export the saved data from your existing PDA for use in the alternative if you decide to make the switch following a break or loss of a PDA. Using the software now can save hours of heartache or a large bill when you have to change hardware and/or software.

Remember that your PDA is an extension of your personal computer and should be treated with the same care, as the information held in it can be essential for you or your employment.

Now for one final word on mobile devices. There are now USB attachments that can be used to copy all the telephone numbers from your mobile telephone onto your computer. These are not just a good idea but a lifeline, so you do not lose that one vital telephone number. Get the ability to store off those telephone numbers and back them up in your regular backup.

Where are your boot discs?

Friday, July 13th, 2007

Computer boot discs. Usually the question is, “where did I put them when I created them years ago?”, and since then you have relocated both your home and office. When you need your boot discs, you need them now.

Get yourself a small CD holder (10-12 CDs will be ample) and put in there the boot and recovery discs for your machine and any software that you consider essential. What is essential will vary depending on what software you use most. It could be the Microsoft Office suite or it could be Open Office with Mozilla Thunderbird and Lightning. If you can, make a second copy of these discs and put them in a safe place. If you use a portable then carry this small number of discs with you when you travel. You should then be able to fix most problems on the run. In the case of Microsoft Office you may find that it is essential to have the disc with you to install some extra part of the package that is not installed by default.

Armed with these discs you should be able to overcome a failure of the machine to boot up. Hopefully you can reboot the computer and back up any changed files. If you are away from home then it is far better to be able to sort out a problem temporarily and then get a permanent fix when you get home afterwards than have to take time and effort to get a fix in a strange place.

These boot discs can also help you restart your computer when it has been damaged by a malicious program. Make sure that the boot discs are not rewritable (R/W) discs, so they cannot be written to once they are complete. Be careful if you think that your computer has been compromised by a virus or malicious program, and seek the advice of your anti-virus supplier.

Backup your PC

Wednesday, July 11th, 2007

Backups are essential. We have already talked about backups when we looked at storage; we will cover them in more detail here. A backup in its simplest form is a copy of some or all of your data that is in a separate place from your computer. In the beginning of the personal computer era the backup had to be on floppy discs: 8″, then 5.25″, then 3.5″ floppy discs were used, but the biggest capacity of these was 1.44MB, and with the capacity of most personal computers being 60GB another medium had to be found. The best would be to back up to magnetic tape. This means the purchase of a tape drive that is linked to your computer either by FireWire, USB or internally within your desktop. Other options are DVD or CD R/W discs, with occasional copies to non-rewritable discs.

The tape is produced and all the data and programs can be stored on one tape, so that a complete record of the contents of the computer can be made. Often these tape backups are incremental. For an incremental backup a complete copy of the machine is made (let’s say on a Saturday), then every day any files that have been changed are copied to separate tapes (Sunday through Friday), and finally another complete backup is made on the next Saturday. This may seem like overkill, but for a business with a high turnover of files being changed it is essential. A business would typically keep a cycle of 3 weeks of the incremental backups and several months of the complete backups. Then a complete copy of the data and programs can be produced at any time, as required by auditors.
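As an added example (not code from the original post), the Python below models the tape cycle just described: a complete copy on Saturday, an incremental tape of changed files on every other day, and retention of three weeks for incrementals and several months for fulls. It also works out which tapes are needed to rebuild the machine as it stood on a given day, which is the property that lets a complete copy be produced for an auditor. Saturday as the full-backup day comes from the post; the six-month figure for “several months”, the tape labels and the constructed file list are assumptions made for the example.

```python
from datetime import date, timedelta

# Assumptions for this example (the post says "several months" for full backups):
FULL_WEEKDAY = 5                          # Monday == 0, so 5 is Saturday
INCREMENTAL_RETENTION = timedelta(weeks=3)
FULL_RETENTION = timedelta(days=180)      # six months taken as "several months"


def backup_kind(day):
    """Saturday gets a complete copy; every other day gets an incremental tape."""
    return "full" if day.weekday() == FULL_WEEKDAY else "incremental"


def files_to_copy(day, last_changed):
    """Return the files to write to the tape made on `day`.

    last_changed maps a file name to the date it was last modified. A full backup
    copies everything; an incremental copies only what changed since yesterday's tape.
    """
    if backup_kind(day) == "full":
        return sorted(last_changed)
    previous_tape = day - timedelta(days=1)
    return sorted(f for f, changed in last_changed.items() if changed > previous_tape)


def restore_chain(target, tapes):
    """Tapes needed to rebuild the machine as it was at the end of `target`.

    tapes is a list of (date, kind). The chain is the newest full backup on or
    before the target plus every incremental between that full and the target.
    """
    fulls = [d for d, kind in tapes if kind == "full" and d <= target]
    if not fulls:
        return []                         # nothing to restore from
    base = max(fulls)
    chain = [(base, "full")]
    chain += sorted((d, kind) for d, kind in tapes
                    if kind == "incremental" and base < d <= target)
    return chain


def expired_tapes(today, tapes):
    """Tapes that have aged past their retention and can go back into the cycle."""
    return [(d, kind) for d, kind in tapes
            if today - d > (FULL_RETENTION if kind == "full" else INCREMENTAL_RETENTION)]


if __name__ == "__main__":
    # Constructed sample: two weeks of tapes starting Saturday 14 July 2007.
    start = date(2007, 7, 14)
    tapes = [(start + timedelta(days=i), backup_kind(start + timedelta(days=i)))
             for i in range(14)]
    files = {"accounts.xls": date(2007, 7, 16), "letter.doc": date(2007, 7, 10)}
    print("Monday tape holds:", files_to_copy(date(2007, 7, 16), files))
    print("Restore to 18 July needs:", restore_chain(date(2007, 7, 18), tapes))
    print("Expired by 12 August:", expired_tapes(date(2007, 8, 12), tapes))
```

The restore chain is the point of the whole scheme: any day in the cycle can be rebuilt from one full tape plus the incrementals that follow it, so losing a single incremental only costs the changes of that one day. The retention check is what keeps the cycle to the three weeks of incrementals and months of fulls the post describes, without retiring a tape that a still-restorable day depends on.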

The backup strategy for a DVD or CD R/W is very simple. Simply copy all files from the user documents onto the DVD or CD. The result is that copies of all the files you selected are available. Care must be taken to back up the e-mails and any other messages on the system so they can be recovered easily. The weak link in this type of system is that CD and DVD discs can deteriorate over time, so care must be taken not to scratch them or put them in a place affected by excess heat or sunlight. Again, as with the tape, a cycle of discs must be used; this means that the backups do not rely on one disc. If any disc shows problems in writing or verifying then replace the disc. It is cheaper to replace a disc than to replace the data that you lose.

Store the tapes or discs in a place remote from the computer. This may not seem feasible, but you cannot afford to lose both the computer and its backups. In a large business where they are using tapes to store all the changed information, they may send the newest backup tapes to their bank for safekeeping. Some businesses take 2 backups, send one to the bank and keep the other themselves, so they have a backup for immediate use and a second backup for “disaster recovery”. These days the very term “disaster recovery” will reveal a big business where there are many mainframes and minicomputers, together with personal computers and their LAN connections, on standby at specific locations ready for a disaster to strike; then the computers are rolled in, usually in a prefabricated building or in the trailer of a truck.

For a smaller business, keeping the discs from the office computer at home and those from the home computer in the office may be enough. You may choose to rely on a fireproof safe. If you do choose a fireproof safe then take careful note of the manufacturer’s instructions. One company where I worked had a new manager of the computer center and he insisted that the doors of the “fireproof” safe were always kept closed, until he realized that the safe’s fireproofing was so old that it was no longer any guarantee of fireproofing anyway.

However you choose to store your backups, make an informed choice and do not leave anything to chance, as the chance is that without careful planning you will lose both your computer and the backups.

Protect your personal information

Monday, July 9th, 2007

Remember that your personal security is important. You may have left your computer at home, be getting a drink at a coffee shop, and find a computer available for you to just check your e-mails. You check what you want to see and think you are resetting the computer, but you did not sign out of the web-based e-mail, so the next person could delete everything or send out malicious e-mails to the people in your address book. The number of times I try to use Gmail at a coffee shop and find someone else is still logged in is very high. The same goes for any web site you access that needs you to log on: you will need to log out completely before leaving the machine to someone else.

Protect all your online accounts with a password that is not just “password” or the name of your dog, cat, partner, or child. These can be too easy to guess especially for someone who knows you.

Bank details are important. It does not matter if it is your current account, credit card or PayPal account, all is important. Protecting them is vital to your financial well-being. Be careful where and when you use your credit or debit card.

Be very careful when using Internet cafes and free Internet computers in coffee shops and bars. Make sure that it is a reputable company you use. If there are any doubts in your mind, do not use any web site that needs a password and do not enter bank or credit card information. Using the wrong Internet cafe could mean that the owner of the business can trace and use your secure information. So remember where you used the Internet, or make a note, and if there are any subsequent problems trace back to where it all started.
