Security advice for the surfer and online shopper
First of all, when you buy online you should know that most mobile platforms have the security of a computer that was made 20 years ago. So the best is to buy online from your work or home computer, especially if your computer is up to date, is behind a firewall and has good intrusion and virus protection. It is almost always a good idea to auto-update your operating system and security software. It is also well known that it matters which web browser you use when buying online. I have been a member of the WebProWorld forum since 2005 and have written a thread there, "Which browser::: Shopping online?". I recommend that you read and reread the whole thread if you are serious about shopping online securely. Personally, the first question I would ask if your ID or your money was stolen is: which browser did you use? Did you use your mobile phone or your computer?

When you buy online, you should also look for trust seals from companies like Verisign etc., but be aware that it is possible to copy such a seal and embed it in a fraud site. So at least click on the seal and note where that brings you. Watch carefully. It is also good advice to be very careful when you buy something online based on an email you got from a company you do not know. At least do your own due diligence before buying from such a site. Ask your friends where they buy and about their experience. Here are links to some security related sites, articles and forums.
Security advice for webmasters
The advice given above also applies to you as a webmaster. The web browser you recommend to your clients can be of vital importance. The WebProWorld link above brought you to a thread about Opera. As a webmaster, you should know that there is a newer and more advanced web browser, Vivaldi, a Norwegian competitor to the Opera browser. It is an advanced browser made with the power user in mind. Note that Vivaldi has its own support forum.
As a webmaster, I assume that you have your own colocated, dedicated, cloud or shared server. It matters a great deal which hosting provider you use. My company site is hosted at my Norwegian registrar, where I set the DNS to point to the rest of my sites, which are hosted on two different servers at A2Hosting. Before I finally found A2Hosting I had used 4 other foreign hosting providers, with mixed experience; two of them were very bad. Most of my sites are made with my own markup and code, but I also run some third-party platforms like phpBB and WordPress. Sometimes I am too lazy to update this third-party software, and then I get an email from A2Hosting. It may start like this:
Software vulnerabilities detected on package ...
Most often these emails relate to phpBB and/or WordPress files that are not updated. Then it is good to know that A2Hosting uses Patchman. If I am on holiday away from my computer, it is good to know:
Application patching: Patchman detects if a WordPress, Drupal, or Joomla installation requires patching. If this is the case, A2 Hosting Support immediately sends you a notification e-mail that describes the application vulnerability. If you do not resolve the vulnerability (usually by updating to the latest version) within two days, A2 Hosting Support sends a reminder e-mail. If the vulnerability remains unresolved for one week, Patchman applies the patch automatically.
In addition, A2Hosting uses HackScan and other security software that you can fine-tune yourself from their cPanel. If your site gets hacked, you should absolutely read their article "How to secure a hacked site", which you find on their security page. So when I highly recommend A2Hosting, I hope that I know what I am talking about.
Hacked sites can ruin years of hard work, your reputation and be costly to fix
Patchman is a multi-function security tool that provides the following 3 services free of charge!
1) Out of date version detection
One of the most common ways for a hacker to compromise your site is if you're using insecure, outdated software on your site. Patchman will send you a notification reminding you if you have installed software that is out of date.
2) Infected file quarantine
Patchman will send you a warning if and when it detects an infected file. If infected files are not addressed, they are quarantined 24 hours later for your protection.
3) Application patching
WordPress, Joomla and Drupal security issues will be patched. A notification and a reminder will be sent when files are found that can be patched. The patches are back-ports of bug fixes released in updated versions of the installed software. That means that updating to the latest version will likely eliminate the need for patching. After 2 days, the patch will be applied automatically. The patch will not change the installed version of your software.
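The out-of-date version detection described above starts from the version string each application records on disk. The following Python script is an added example written for this page, not Patchman's or A2 Hosting's code: it reads the version from wp-includes/version.php (WordPress) and includes/constants.php (phpBB), compares it numerically with a "latest known" version supplied by the caller, and reports every site in a hosting account that is behind. The LATEST_KNOWN numbers and the two-site directory layout are constructed for the demo; a real check would take the latest versions from the vendors' release pages.

```python
"""Out-of-date version detection for WordPress and phpBB installs.

Added example, not Patchman's or A2 Hosting's code. The LATEST_KNOWN values
are constructed placeholders for this demo, not real release numbers.
"""
import os
import re
import tempfile

# Where each application records its own version (real file layouts):
#   WordPress: wp-includes/version.php  ->  $wp_version = '6.4.3';
#   phpBB:     includes/constants.php   ->  @define('PHPBB_VERSION', '3.3.11');
VERSION_MARKERS = {
    "wordpress": ("wp-includes/version.php",
                  re.compile(r"\$wp_version\s*=\s*'([\d.]+)'")),
    "phpbb": ("includes/constants.php",
              re.compile(r"define\(\s*'PHPBB_VERSION'\s*,\s*'([\d.]+)'")),
}

# Constructed placeholder values for the demo (assumption, not real releases).
LATEST_KNOWN = {"wordpress": "6.5.0", "phpbb": "3.3.12"}


def parse_version(text):
    """'3.3.11' -> (3, 3, 11) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def detect_installed(site_root):
    """Return {app: version} for every supported application found under site_root."""
    found = {}
    for app, (rel_path, pattern) in VERSION_MARKERS.items():
        path = os.path.join(site_root, rel_path)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = pattern.search(fh.read())
        if match:
            found[app] = match.group(1)
    return found


def outdated(installed, latest):
    """Return [(app, installed, latest)] for every app behind the latest known version."""
    report = []
    for app, version in installed.items():
        if app in latest and parse_version(version) < parse_version(latest[app]):
            report.append((app, version, latest[app]))
    return report


def scan(account_root, latest=LATEST_KNOWN):
    """Scan each site directory under account_root (one subdirectory per site)."""
    findings = {}
    for site in sorted(os.listdir(account_root)):
        site_dir = os.path.join(account_root, site)
        if os.path.isdir(site_dir):
            report = outdated(detect_installed(site_dir), latest)
            if report:
                findings[site] = report
    return findings


def build_demo_account():
    """Write a constructed account layout (two sites) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="patch-demo-")
    files = {
        "blog/wp-includes/version.php": "<?php\n$wp_version = '6.4.3';\n",
        "forum/includes/constants.php": "<?php\n@define('PHPBB_VERSION', '3.3.12');\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for site, report in scan(build_demo_account()).items():
        for app, have, want in report:
            print(f"{site}: {app} {have} is behind {want}; update or expect a patch")
```

Run it from a cron job over the account's document roots and you get the same kind of reminder the hosting provider sends, only earlier. Comparing versions as tuples of integers matters: as strings, "3.10.0" would sort before "3.9.9" and the check would miss an outdated install.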
Hacks are an unfortunate reality when you run your own website. The malicious nature of hackers can turn a successful website into a nightmare in a matter of seconds. While no website is immune against hacking, there are many things you can do to protect yourself, your clients, and your revenue. If your site is hacked, it can be used to send out email spam, and your IP address will then be recognized by other sites as a source of spam. A2 Hosting provides world-class outbound SPAM filtering. The outbound SPAM filtering prevents SPAM emails from reaching their destination. This keeps your server from being blacklisted and allows us to detect and address hackers and spammers who may attempt to use A2 Hosting servers.
When you update your WordPress or phpBB site, you may run into problems. Read more on our bulletin board:
An example of a security related communication with A2Hosting
I got an email from A2Hosting that started like this:
Software vulnerabilities detected on package ...
Thank you very much for that information. I have read the article you linked to. I note that the vulnerabilities relate to
- phpBB that is not up to date. I am aware of that and will update the software when I have time.
- WordPress on my add-on domains that are driven by software that I bought from company.com.
- I am more worried about security holes in that file system.
From the article I also note the following:
If you do not resolve the vulnerability (usually by updating to the latest version) within two days, A2 Hosting Support sends a reminder e-mail. If the vulnerability remains unresolved for one week, Patchman applies the patch automatically.
Isn't that good enough?
A2Hosting's professional reply:
Thanks for updating us on these issues. We would recommend fixing the issue as quickly as possible. Ultimately, Patchman will apply the patch automatically after one week.
If you have any further questions or concerns, please let us know.
A fast and truly professional response.
Some related links
General security advice - a summary
- Use intrusion protection software. It may protect against future viruses. Trojans may kill antivirus programs.
- Use an antivirus program with live update and good anti-spyware and anti-trojan settings.
- No antivirus program can be updated 24/7. Therefore combine it with online scanning. There are a lot of links in our link collection. You may make your own alert system by combining RSS feeds from different sources.
- Use a router with a firewall and an operating system with a good firewall.
- Use secure payment. Never send information about your account or credit card in an email.
- Serious companies do not ask for such information via email. If they do ask, they instruct you to open a new window in your browser, or even better to close all your open windows, and then to log in to a secure page and give the information. But it may still be fraud, so know what you are doing. More and more pages from criminals look professional.
- Pharming is the new word. "Unlike phishing attacks that try to con you into believing the e-mail's message, you don't have to be gullible to become a victim of a pharming attack. Pharming - which mostly exists now in the worries of security experts - directs you to fake Web pages that harvest your information, even when you type in the right address. Solution: Be cautious about the information you give about yourself while online. If you have any doubt about the legitimacy of the Web site, just don't use it. Make sure your Web browser is kept up to date since, as this threat grows from unlikely to possible, the folks who create the browsers will update them to help foil these attacks." Source: Bill Husted, The Atlanta Journal-Constitution.
- Read more articles about pharming in our link collection.
- Never open an email with an attachment from an unknown sender or a sender that is not on your (safe) secure list.
- Never click on a hyperlink in an email from an unknown sender.
- Be careful about your passwords. Use a strong one with more than 7 letters combined with numbers etc., and change it regularly.
- Learn to distinguish personal from automated (and mass-distributed) emails, even if you have signed up for the email.
- "Your credit/debit card information must be updated." How would you handle an email with that subject line? Do you think your bank or payment service would contact you that way? If they do, find a new one. This is pharming.
- Look out for boomerangs and ricochets. Spammers are learning to capture remote computers and turn them into secret spam machines. Not only will you continue to get junk e-mails, it is likely that your computer will also be sending spam out in your name. This is the latest trend in spamming. Be suspicious if you get an email from a reliable company that you were not expecting. It may be a ricochet. Solution for your company: use online contact forms via a secure server.
- If an offer is too good to be true, it nearly always is. Read (or participate in) discussions on social networks, blogs and forums, some of which are mentioned above.
- Be aware of fraudulent clones of reliable sites. Check before you order and pay. Double-check if you are in doubt. Update yourself regularly on fraud and security.
- Use a dynamic IP and change passwords when the router has been turned off for a while. If possible, increase the security settings in your firewall, antivirus program and browser before you change the password. Afterwards, you may restore the default (or user-specified) settings. Turn on the router, restart your computer, stop unnecessary processes, run a hacker check and go directly to the site where you are going to change the password.
- If you use a search engine to find an ecommerce site, there is no guarantee that the business does not hide criminal activity. Search engines do not check sites for fraud. Google is perhaps best, via its "safe search" option. Directories made by people may be better.
- Ad pages that are checked for quality by affiliate providers, like most of the banner links on this site, are better than other links. A trained eye recognizes a redirection from an affiliate provider to an ecommerce site. So there is at least one advantage with ad-driven portals.
- RSS and related readers are relatively new solutions that compete with web browsers. Use readers / aggregators from reliable providers. Web browsers are mature and relatively secure if used correctly.
- Security in networks requires specialists. Note that attacks may come from inside the network via internal software. Be aware of OEM software; it may be infected. If possible, use one connection to the internet. Use software that monitors that connection and blocks unfriendly intrusion and hacking.
- System-critical operations should not be run on computers connected to the internet (or another network).
- These were general hints. If you have better special options, use them. Simplify the list at your own responsibility.
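Several of the hints above come down to one habit: before you click a link in an email (or a trust seal on a shop page), find out where it really leads. The Python script below is an added example written for this page, not code from the page's author. It parses the HTML body of a message with the standard library and, for every link, reports the host the link actually goes to, flagging links whose visible text names one site while the href points to another, links that use a raw IP address instead of a name, and links that hide the real host behind a user@ prefix. The sample message and the domains in it are constructed for the demo.

```python
"""Check where the links in an e-mail really point before anyone clicks them.

Added example, not the page author's code. SAMPLE_EMAIL is a constructed
message; the domain names in it are illustrative only.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Visible link text that looks like a URL or a bare domain, e.g. "www.example.com/x".
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname a URL really leads to, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def text_host(text):
    """If the visible link text looks like a URL or domain, return that host."""
    match = HOST_LIKE.match(text.strip())
    return match.group(1).lower() if match else ""


def is_ip_literal(host):
    """True for hosts written as a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """True if one host is the other or a subdomain of it (shop.example.com vs example.com)."""
    return a == b or b.endswith("." + a) or a.endswith("." + b)


def check_links(html_body):
    """Return one finding per link: (href, real host, list of warnings)."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        shown = text_host(text)
        warnings = []
        if shown and not same_site(shown, real):
            warnings.append(f"text shows {shown} but link goes to {real}")
        if is_ip_literal(real):
            warnings.append("link uses a raw IP address instead of a name")
        if "@" in urlsplit(href.strip()).netloc:
            warnings.append("link hides the real host behind a user@ prefix")
        findings.append((href, real, warnings))
    return findings


# Constructed sample message for the demo; the domains are illustrative only.
SAMPLE_EMAIL = """
<p>Your card information must be updated.</p>
<a href="http://203.0.113.5/login">www.example-bank.com</a><br>
<a href="https://www.example-bank.com@evil.example/verify">https://www.example-bank.com/verify</a><br>
<a href="https://www.example-bank.com/help">Help centre</a><br>
<a href="https://secure.example-shop.com/order/42">https://example-shop.com/order/42</a>
"""

if __name__ == "__main__":
    for href, real, warnings in check_links(SAMPLE_EMAIL):
        status = "; ".join(warnings) if warnings else "no mismatch found"
        print(f"{real or '(no host)'} <- {href}\n    {status}")
```

The third and fourth links in the sample come out clean: plain wording such as "Help centre" makes no claim about a host, and a subdomain of the shop is treated as the same site. The first two are exactly the shapes the hints above warn about, a name on the screen with an address underneath, and a real destination hidden after an @ sign. The script only reports; deciding whether a link is legitimate is still your job.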
Some useful links if you use PayPal.