Google Malware Warning – How to check if your site has a problem

Google has recently taken a more active role in helping its search users avoid malware infections via the web. Google has begun flagging search results when a site that shows up in search is suspected of containing malware.

Why should you care if Google detects malware?

Google is by far the biggest search engine and is likely driving a large percentage of traffic to your site. If Google is flagging your site with a malware warning message, many potential customers will heed the warning and steer clear of your site, costing you potential traffic and potential sales in the process.

How will you know if you have a problem?

You could learn that your site has been flagged with a Google malware warning in a number of ways. A customer could notice a Google malware warning or a browser warning and express concern to your contact email address. You might also detect the problem by studying your analytics data and investigating a sharp traffic decline that could signify a problem of one sort or another. But these are very reactive measures. Wouldn’t you prefer to find out about a problem before it causes a major business impact?

How can you be proactive and check if Google has detected a problem with your site?

There are several methods you can use to validate whether Google has detected a problem with your site.

Check your site using the Google Safe Browsing Tool

Insert the following URL into your browser and replace informationsecurityhq.com with the name of the site you would like to check.

http://www.google.com/safebrowsing/diagnostic?site=informationsecurityhq.com

The example below shows that Google has not detected any issues with my site. If any suspicious activity is detected on the site you check, you have a serious problem that requires immediate attention.

[Screenshot of the Safe Browsing diagnostic result]

Utilize Google Webmaster Tools

Google Webmaster Tools has a lot of functionality for a webmaster, including the ability to check your site for malware. This can be done by navigating to Diagnostics > Malware. If no problem is detected you will receive a message that states: Google has not detected any malware on this site.

If either of these methods detects a problem, it is important that you quickly take action to fix your site and regain its good standing. I will cover some common tips for removing malware from a site in my next post.

Posted in Google

Google Page Rank Changes – Can your online business survive drastic changes?


Business contingency planning is essential to ensure your business can survive events that are both within and outside your control. For online businesses, one key scenario to plan for is this: what would happen if your Google ranking fell dramatically overnight? Established online businesses with loyal customers would likely be fine, but any online business overly reliant on organic Google traffic could be devastated. Think it cannot happen? Think again. Leading web traffic ranking company Alexa served notice that broad Google algorithm changes caused drastic swings in traffic by as much as 80% for certain websites. If you visit Google support forums you can validate this phenomenon as frantic site administrators desperately seek answers to what happened and advice on how they can restore their previous rankings to save their business.

What can you learn from other online businesses that have experienced drastic Google page rank changes?

1. Validate that your site is not infected with malware

Many online businesses that experience drastic ranking declines have been infected by malware and are penalized as a result. The best method to validate if this is your problem is to utilize the Google Webmaster Tools suite and perform a malware diagnostics test. If no malware is detected you have likely run afoul of Google for a different reason.

2. Do not expect restitution from Google

A quick scan of the Google support forums confirms that Google regularly tweaks its algorithms, and that these tweaks change site rankings. Google usually maintains that this is done to improve search results for its customers. Most of the time that will be the case, but that will not make you feel any better if you feel your site has been unfairly removed from the coveted first page of Google search rankings. A Google representative will likely advise you to review the overall usefulness and uniqueness of your site content, effectively deflecting the question of the appropriateness of the ranking change.

3. Results of algorithm changes are unpredictable

Ranking changes are unannounced and could occur at any time. Site owners that regularly monitor their traffic with analytics software rapidly detected drastic changes, but many of us might not be as quick to notice. Would you notice a drastic traffic drop?

What can you do to protect your business to withstand drastic Google rank changes?

1. Diversify your income streams

If you are like many of the frantic site owners in the Google help forum and fail to diversify your business income stream you are at the mercy of Google. Heed this warning and take steps to reach out to your customers directly. Build relationships, build mailing lists, use RSS and take other steps to mitigate the damage drastic search rank changes can have on your business.

2. Build a relationship with a Google support rep

Google support reps are people too, so try to befriend one and make them part of your network. Relationships make the world go round, so get on friendly terms with someone who might have your back should things go against you for the wrong reasons. If you do not have a personal contact I recommend being polite, factual and taking the conversation off the forums to increase your chances of getting a satisfactory outcome.

3. Budget for down cycles so your business will survive

Individuals are advised to have a 6-12 month cash slush fund in case of hardship and businesses are no different. If you are reliant on this month’s income for survival, any setback could be a permanent one.

This post should not be interpreted as anti-Google because that is not my intent. It is only meant to remind you that uncontrollable events happen and that these events can have a material effect on your online business. You must be ready to anticipate and respond to these challenges when they arise and take the needed steps to keep your business healthy despite the obstacles you may encounter.

Posted in Business Contingency Planning

Facebook Security Tips – How To Stay Secure while using the largest social media site

A recent article I read stated that nearly 7% of the world’s population is currently utilizing Facebook. That fact comes as no surprise because Facebook is a convenient way to stay in contact with friends and family, spend some downtime, or, for businesses, a growing avenue to market products and interact with new and existing customers. But what are the information security risks you should consider when using Facebook? Many of the information security risks you face while using Facebook are equivalent to those you face while doing general web surfing or using email, so everything you read below won’t be unique to Facebook but should serve as a good reminder.

Top 10 Facebook Security Tips

1. Do not click on links or emails that look suspicious

Facebook has the largest dedicated user group on the planet and that makes them an attractive target for all types of spammers. The spammers’ goal might be to sell you a product, steal your credentials, or infect your PC. Use good judgement to avoid email and link scams to keep yourself protected and notify friends or colleagues if you have reason to believe their account may have been compromised by spammers.

2. Use a unique password to access Facebook

Do not reuse passwords on multiple sites especially for sites that you consider important. The Gawker password loss incident (among other notable events) helps highlight the potential risk that a site you utilize less frequently might compromise the security of sites that are more important to you. Mitigate this risk by using unique passwords for sites that are most critical to you.

3. Select a strong password that can not be easily guessed

A lot of the information we post on Facebook is a rich source for potential password guessing and identity theft. Until we reach the days of stronger authentication, using good password management practices is key to keeping your account secure.

4. Implement general information security controls for any machines that will be accessing Facebook.

All of the standard PC protection mechanisms including patches, updates, anti-virus and firewall protection are required to help secure your machine and the accounts that you access. These controls give you additional protection to prevent or detect problems before they do serious damage.

5. Avoid logging into Facebook on shared PCs or machines you do not own

It may not be convenient if you want to quickly check Facebook or your email while on vacation or at a friend’s house but you can not be confident of the security of a machine you do not control. Your credentials could be cached or recorded in a hidden keystroke logger leaving you vulnerable to account abuse. It is preferable to check your accounts on a mobile device you own vs. resorting to utilizing a machine you can not vouch for.

6. Be careful about utilizing insecure wireless hotspots

The information you send could be intercepted so it is wise to stick to utilizing trusted networks. If you do use an untrusted wireless hotspot it is a good idea to change your password once you return to your primary location.

7. Recognize Facebook information can be used by identity thieves and other agencies

Identity thieves have begun to mine Facebook for information to aid their schemes. A lot of this information involves maiden names, former addresses, and relations to family members all of which could be available via Facebook. This is especially a risk if you have an extensive group of friends or are quick to approve new requests. If you have a wider network consider separate Facebook accounts to segment the information you share and lower your risk.

8. Facebook ads or applications may contain malware

Be selective about which ads you click on and which applications you install. Just because these ads and applications are available via Facebook does not mean Facebook the entity vouches for their security.

9. Monitor your account and take action if you notice a problem

Many people fail to act even if they notice a problem or if someone reports an issue to them. Be a responsible user and quickly follow-up to address any security issues so you are not a source of spam or malware to friends or colleagues.

10. Consider the appropriateness of information you are posting

Once you post information there could be instantaneous eyeballs and replies plus an archived copy of your post somewhere on the web so be sure to use good judgement before posting and make sure information you share is in line with the image you are trying to maintain.

Posted in Information Security Awareness, Social Media Security

Hard Drive Wiping – It doesn’t take a rocket scientist


Photo courtesy of http://www.flickr.com/photos/jurvetson/

You have likely heard about the recent NASA information security incident where PCs were sold without first having their hard drives properly wiped. Failing to perform this essential information security step has resulted in an embarrassing public disclosure and also the possibility that sensitive shuttle information that was subject to export control restrictions may have been disclosed.

What are the information security lessons that you should learn from the NASA incident?

1. Old assets are often overlooked in the desire to quickly get rid of them. Out with the old, in with the new, right? Not so fast. Remember that if you do not securely wipe the data prior to selling or returning the asset, your information is at risk.

2. Build the requirement to secure data prior to asset disposal into your security policy (NASA did this but failed to enforce it, which brings up point #3).

3. Audit compliance against your policies to validate that actions are happening as they should be and take corrective action when you find a problem.

Make sure to follow our previously published hard drive wiping recommendations to take the necessary steps to protect your data before it leaves your location to help keep your company’s information secure.

Posted in Hard Drive Wiping, Information Security Awareness

Web Filtering is costing you money – Get your web traffic back now

Web Filtering software is widely deployed by all major companies to block material on the Internet that they deem to be inappropriate. The definition of what is inappropriate varies widely but if it is likely to cost a company money from a lawsuit (think sexually inappropriate material) or is considered a waste of employee time (think gaming sites) then it is a good candidate to end up on the blocked list. Some of the major categories of sites blocked by most filters include: adult oriented material, gambling, hacking, illegal activities, p2p file sharing, racist material, and sites that have been flagged as containing malware.

So what is the problem?

Web filtering is a complex task and while it hits more than it misses it experiences both false negatives and false positives. A false negative represents sites that it failed to block that should have been blocked while a false positive is a site that has been inappropriately classified as being a site of concern. The biggest risk to your site from a web filtering perspective is that you could be unfairly categorized as an inappropriate site costing you precious traffic in the process. If your site is being blocked by some of the larger web content filtering software packages you are costing yourself a lot of corporate web traffic and that traffic ultimately means money. Many of your customers might be making purchases or providing eyeballs during work hours and losing out on this opportunity should not be taken lightly.

What should you do to protect your business from web filtering run amok?

1. Listen to your audience/customers – If you hear reports about your site being blocked at someone’s work location or local ISP take the matter seriously and follow-up promptly. Ask them to provide you the name of the web filtering company if possible and what filtering category your site violated to aid you in your follow-up.

2. If you have received feedback about your site being blocked and you believe it is inappropriately blocked you need to take action by contacting the web filter vendor to get your site cleared for business. When contacting the web filtering companies remember to be polite and state the reasons your site does not belong in the blocked category and be proactive by suggesting a more appropriate classification for your site.

Reporting a web filtering issue to the major vendors:

Barracuda Networks

McAfee

Symantec

Websense

3. Scan for malware using Google Webmaster Tools - If your site contains malware (even without your knowledge) it is a prime candidate to end up on a web filtering blacklist. Be proactive and scan for malware using the Google Webmaster Tools malware scanner to validate that you are protected.

4. Run McAfee’s free domain health check to get a free report on the current status of your website from their point of view. They are a large player in the Web Filtering market via their Total Protection Suite so you want to make sure they have not detected any problems. My site did not generate a broader report when queried but I was able to verify that it was considered a minimal risk site and was classified in a web category that is unlikely to have problems with any web filter. Have you checked your site?


5. Do not take no for an answer. If the company refuses your polite request for a reclassification do not reluctantly accept your lot in life. Escalate the issue, follow-up again and let me know because I plan to start a space for people that are having problems with various web filters and would love to be of assistance.

Posted in Online Brand Management, Web Filtering

WordPress Backups – How should you be backing up your site?

Your WordPress site may be a critical part of your business, a source of some extra income, or just a favorite hobby. In any of these scenarios you have put a lot of time into your design and posts and you don’t want to lose it right? If you have not implemented a WordPress backup plan that is exactly what you risk doing.

Critical WordPress Components to Backup

The official WordPress backup guide is specific in mentioning that there are two major components to back up for a WordPress site: the database and the site files. Few people read the manual, so it is a common mistake to back up only one of the WordPress components (usually the site files are overlooked).

WordPress Database - The site database contains all of the content on your site including the posts, comments, and links. Since content is the heart of every site, you risk starting from ground zero if you neglect to back up your site database. The two major ways to back up a WordPress site database are via your web hosting control panel or utilizing a WordPress plugin.

WordPress Site Files - The site files consist of the core installation, installed plugins, themes, images, files and scripts. The site files give your site its unique look and if you do not backup this component you could be in for a lengthy redesign.

What is my WordPress backup plan?

I utilize the WordPress Database Backup plugin to automate a daily backup of my MySQL database. I have the backup emailed to my email account and the eventual plan will be to save it to a secure server directory when the file becomes too large for email.

For my WordPress site files I back up via my web hosting cPanel two times a month. I have strategically opted to back up the site files less frequently than the database since my content is updated a lot more frequently than my site design.

I always have both the site files and database backed up prior to attempting a WordPress version upgrade. In the future I am going to look into automating my site file backup and will review some plugins that claim to back up both the site files and database to see how effective they are.

To conclude I’d like to review my list of the Top 5 WordPress Backup Mistakes

Mistake #1 – Assuming that because you have installed a backup plugin that you are covered. The backup plugin may only be backing up the database or the site files so you might be missing a critical component of your needed WordPress backup.

Mistake #2 – Neglecting to test your backups. You can’t be sure your backups work unless you have tested and validated the results and successfully recovered your site.

Mistake #3 – Failing to adequately secure your backups. Backups contain sensitive site information such as user login/password information and database credentials. If your backup falls into the wrong hands it could mean bad news for your site.

Mistake #4 – Maintaining a manual backup process. If you do not automate the backup process there is an increased likelihood that you will forget to backup your site on a regular basis.

Mistake #5 – Upgrading WordPress versions without taking a fresh backup. WordPress version upgrades are one of the more risky activities from a site availability standpoint so it is important to take a current backup prior to performing an upgrade. If unforeseen errors occur you can restore your site to the old version with minimal impact.

Make sure you avoid these top 5 mistakes and implement an effective WordPress backup strategy.
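
A sanity check for Mistakes #1 to #4, as an added Python example (not code from WordPress or any backup plugin): it confirms that both components are present, recent, private to the owner and structurally plausible. The `wp_` table prefix, the file names, the age limits (taken from the daily and twice-monthly schedule above) and the sample backup set are assumptions, and the check does not replace an actual restore test.

```python
import gzip
import os
import re
import stat
import tarfile
import tempfile
import time
import zlib

# Assumptions of this sketch: default "wp_" table prefix, a mysqldump-style
# .sql or .sql.gz dump, and a tar archive of the site directory.
CORE_TABLES = ("posts", "comments", "options", "users")
REQUIRED_PATHS = ("wp-config.php", "wp-content")
CREATE_RE = re.compile(r"CREATE TABLE\s+(?:IF NOT EXISTS\s+)?`?(\w+)`?", re.I)


def missing_tables(dump_path, prefix="wp_"):
    """Core tables that have no CREATE TABLE statement in the dump."""
    opener = gzip.open if dump_path.endswith(".gz") else open
    found = set()
    with opener(dump_path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            found.update(CREATE_RE.findall(line))
    return [prefix + t for t in CORE_TABLES if prefix + t not in found]


def missing_site_paths(archive_path):
    """Required paths absent from the archive; members are listed, never extracted."""
    with tarfile.open(archive_path, "r:*") as tar:
        parts = {part for name in tar.getnames() for part in name.split("/")}
    return [p for p in REQUIRED_PATHS if p not in parts]


def readable_by_others(path):
    """True if group or other users have any access to the backup file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))


def audit_backup(db_dump, site_archive, db_max_age_days=1,
                 files_max_age_days=15, now=None):
    """Return a list of findings; an empty list means every check passed."""
    now = time.time() if now is None else now
    findings = []
    checks = (
        ("database", db_dump, db_max_age_days, missing_tables),
        ("site files", site_archive, files_max_age_days, missing_site_paths),
    )
    for label, path, max_days, content_check in checks:
        if not path or not os.path.isfile(path):
            findings.append(f"{label}: component missing from backup set")
            continue
        age_days = (now - os.path.getmtime(path)) / 86400
        if age_days > max_days:
            findings.append(f"{label}: newest backup is {age_days:.0f} days old")
        if readable_by_others(path):
            findings.append(f"{label}: file is readable by group or others")
        try:
            for item in content_check(path):
                findings.append(f"{label}: {item} not found in backup")
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            findings.append(f"{label}: unreadable ({type(exc).__name__})")
    return findings


def build_sample_backup(directory):
    """Write a small constructed backup set (not real site data)."""
    dump = os.path.join(directory, "db.sql.gz")
    with gzip.open(dump, "wt", encoding="utf-8") as fh:
        for table in CORE_TABLES:
            fh.write(f"CREATE TABLE `wp_{table}` (id bigint);\n")
    archive = os.path.join(directory, "site.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for name in ("public_html/wp-config.php", "public_html/wp-content/index.php"):
            tar.addfile(tarfile.TarInfo(name))  # zero-length placeholder member
    for path in (dump, archive):
        os.chmod(path, 0o600)  # owner-only, since dumps hold credentials
    return dump, archive


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dump, archive = build_sample_backup(tmp)
        print("complete set:", audit_backup(dump, archive))
        print("database only:", audit_backup(dump, None))
```
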

Posted in Backups, Wordpress Security

Apple iOS4.2 – What are the security benefits?

Apple released iOS4.2 in late November and it is applicable for the iPad, iPhone, and iPod Touch. From a functionality perspective the upgrade provides a lot, including the ability to create folders and multitask on the iPad (features previously lacking) plus the AirPlay feature for all three devices that enables streaming of content to the Apple TV or AirPlay enabled features.

These features are intriguing but since this site specializes in information security my primary focus is to discuss the security implications of the iOS4.2 upgrade.

What is the most significant security benefit of iOS4.2?

The Find My iPhone, iPad, or iPod touch application is now available as a free application and this is an important breakthrough because these services typically were subscription only in previous iOS versions via the MobileMe service. Once the Find My app is installed, an owner of one of the devices mentioned above can perform the following security functions:

  • Find the location of a lost device on a map
  • Display a remote message on the device screen (with hope it will be returned to you if found so perhaps offer a reward as incentive)
  • Remotely set a passcode lock so your device and data can not be accessed inappropriately
  • Wipe the device remotely if it is stolen or lost for good and you are not likely to recover it.

These security features are significant and go a long way to help prevent loss of data confidentiality on a lost or stolen device and may even help with the recovery of the device itself.

How do you upgrade your iPad or iPhone to iOS4.2?

First back up your data, then connect your iPhone, iPad or iPod Touch to your computer, load up iTunes and click check for updates. Download and install the upgrade.

How do I activate Find My (iPad/iPhone)?

Here is a nice Apple instruction video showing how to configure your device on Me.Com

* Be sure to set this up right away. If you wait until you need the features it will be too late.

What security vulnerabilities are corrected by iOS4.2?

In addition to the Find My functionality, there is a big list of other security vulnerabilities fixed in the iOS upgrade. In scanning the list, several of the vulnerabilities mention arbitrary code execution that could lead to a lack of security integrity of the device. If you have not already done so, an upgrade to iOS4.2 is highly recommended to close these vulnerabilities and take advantage of the new Find My capabilities. Install it and configure your device on Me.com as soon as possible.

Posted in IPhone Security, iPad Security

WordPress 3.0.2 – When should you upgrade?


Caption provided by http://www.flickr.com/photos/ell-r-brown/

Newton’s Law or some distant relative of his smacked me in the face today when I logged into my site administration panel and saw that WordPress version 3.0.2 was now available for install. After all I just finished my post about WordPress Security Plugins and 3.0.1 compatibility and now we have a new version to deal with. Such is life, but now we have a working example to apply some information security principles regarding upgrades.

You are probably asking yourself when should I upgrade to WordPress version 3.0.2?

I have looked at the WordPress security vulnerabilities addressed in the upgrade from 3.0.1 to 3.0.2 and none appear urgent enough to require an immediate upgrade. I recommend waiting two weeks to perform the upgrade unless news of 3.0.1 exploits in the wild causes the need for a quicker upgrade timeframe. That means I will be looking to update my site around 12/15 which should leave plenty of time for any high impact bugs to be discovered and resolved.

Things to do before you upgrade to WordPress version 3.0.2

  1. Perform a full backup of your WordPress Database. If you are using an automated backup plugin and have tested it you are good to go otherwise you may want to read more about WordPress official backup guidance.
  2. The WordPress documentation recommends disabling plugins prior to upgrading to a new version to prevent an incompatible plugin from making your site inaccessible. This is prudent advice but adds to your administrative burden, so my advice is to be aware that it is a risk and be ready to manually disable the plugin via your web account should the need arise. This is a practical risk mitigation step that avoids the extra work of disabling a lot of plugins.
  3. You are now ready to update your site and for most of you that will mean using the automatic update feature. If by chance you are doing a manual update be sure to clean up the maintenance file as WordPress recommends.

You are now ready to test your site and validate that it is operating as expected. If you have a caching plugin enabled be sure to clear the cache so you are working with the current version of WordPress and do not become confused. High value sites with large audiences might also want to consider testing the upgrade on a test site that mirrors their production site and installing the upgrade during off hours (defined by their particular audience geography) to minimize potential disruption.

Posted in Wordpress Security

WordPress 3.0.1 & Security Plugins Which Are Recommended?

WordPress security plugins can be effective tools to help keep your site secure. Here are the specific security plugins I am currently using with my WordPress 3.0.1 (current version) installation and some things I have learned along the way about using them.

#1 – Akismet – Current version of the plugin is 2.4.0 and it is fully compatible with WordPress as you would expect since the plugin comes native with WordPress and is the most widely used security plugin.

Is Akismet difficult to install? – The plugin is very easy to install; all you need to do is register for a unique API key via email to activate the plugin.

Why do you need Akismet? – Akismet is extremely effective; I have not had a single spam message since activating it and do not believe other spam related plugins are necessary at this time.

#2 – Login Lockdown - Current version of the plugin is v1.5. It is compatible with the latest version of WordPress.

Why do you need Login Lockdown? – Provides an additional level of security by locking out an account that has had a certain # of failed login attempts within a specified time frame (both settings are user customizable).

What settings do I use for Login Lockdown? - I altered the defaults to lock my account out after 3 failed attempts from a given IP address in a 30 minute time period and it remains locked out for 1440 minutes.

What is the risk of using Login Lockdown? - The biggest risk you face using Login Lockdown is not being able to access and administer your own site from a certain IP address. To mitigate this risk make sure you set the settings explained above at the right level for you and it also helps to have a secure alternative IP address that you can use to access the site (perhaps a relative’s house). It is also possible to edit your database directly to free a locked IP address if your IP address becomes locked out.
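
How those settings behave over a sequence of logins, as an added Python example (not code from the Login Lockdown plugin): it replays constructed events through a 3-failures / 30-minute / 1440-minute policy and shows both the guesser and the site owner being locked out. The class, method names and events are made up for illustration, and leaving the failure count untouched after a successful login is an assumption of this sketch.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LockoutPolicy:
    """Per-IP lockout with a sliding failure window (illustrative, not the plugin's)."""

    def __init__(self, max_failures=3, window_minutes=30, lockout_minutes=1440):
        self.max_failures = max_failures
        self.window = timedelta(minutes=window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self._failures = defaultdict(deque)  # ip -> times of recent failed logins
        self._locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            self.unlock(ip)  # lock has expired
            return False
        return True

    def unlock(self, ip):
        """Release an IP early, standing in for the manual database edit."""
        self._locked_until.pop(ip, None)
        self._failures.pop(ip, None)

    def attempt(self, ip, password_ok, now):
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(ip, now):
            return "locked"  # a correct password is refused too
        if password_ok:
            return "ok"      # assumption: success does not clear earlier failures
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()  # failures older than the window no longer count
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
        return "failed"


def replay(events, policy=None):
    """Feed (time, ip, password_ok) events in order; return the outcome of each."""
    policy = policy or LockoutPolicy()
    return [policy.attempt(ip, ok, ts) for ts, ip, ok in events]


# Constructed events using documentation-range IPs: a guesser and the site owner.
START = datetime(2010, 12, 1, 9, 0)
GUESSER, OWNER = "203.0.113.7", "198.51.100.20"


def at(minutes):
    return START + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    (at(0), GUESSER, False), (at(1), GUESSER, False),
    (at(2), GUESSER, False),       # third failure inside 30 minutes: lock begins
    (at(3), GUESSER, False),       # refused without checking the password
    (at(10), OWNER, False), (at(30), OWNER, False),
    (at(55), OWNER, False),        # the 09:10 failure has aged out, so no lock yet
    (at(56), OWNER, True),
    (at(70), OWNER, False), (at(75), OWNER, False),  # 09:55, 10:10, 10:15: locked
    (at(76), OWNER, True),         # owner locked out despite the right password
    (at(75 + 1440), OWNER, True),  # lock expires 1440 minutes after it was set
]

if __name__ == "__main__":
    for (ts, ip, _), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(ts.isoformat(sep=" "), ip, outcome)
```
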

#3 – WordPress Firewall 2 – Current version of the plugin is v1.3 and works fine with WordPress 3.0.1.

Why do you need WordPress Firewall 2? – Provides an additional layer of security to your site by protecting against web related directory traversal, database injection and other WordPress specific attacks. The verdict is still out there on this one for me as I have not seen any alerts after a few weeks of install so I am either low on the radar or it has not done much thus far.

How to configure WordPress Firewall 2? – I installed the plugin with the default settings and the only change I made was to configure the alerts to go to my email address.

#4 – Secure WordPress – Current version of the plugin is 1.0.6

Why do you need Secure WordPress? – Tweaks a variety of security settings primarily those related to excessive information disclosure. Click here for a list of security functions performed by the plugin.

#5 – WP Security Scan – Current version of the plugin is 2.7.1.2

Why do you need WP Security Scan? – Provides a variety of useful security functions including looking for password, database, and directory permission vulnerabilities. Helps provide an automated way to regularly check these items.

#6 - WordPress Database Backup – Current version of the plugin is v2.2.2 and it is compatible with the latest version of WordPress. Although it is technically backup software vs. true security software, backup is such an essential component of information security I have included it on this list.

Why do you need WordPress Database Backup? – There are a few other WordPress Database backup plugins available but this is the one I use to perform my daily backups which are automatically emailed to my account. One recommendation I have is to make sure to save your backups somewhere else if your email account is hosted by the same company as your site as this gives you additional protection if they have a catastrophic failure.

How often should I test my WordPress Backups? – Testing your backup and validating it is recoverable the first time is the biggest hurdle. After that I recommend retesting every 6 months and either more or less frequent makes sense depending on the value of your site.

Two other WordPress Security Plugins I am interested in but do not yet have installed:

1. Better WP Security – Disclaimer says it is only in testing stage and it is not recommended for production sites. I will be testing this on a development site soon so I can take a look and check out the tool. I agree with the creator that you should never use a non-production plugin on a production site.

2. Ultimate Security Check – Claims to be the #1 Security Plugin for WordPress so I am always intrigued by those types of grandiose claims and would like to check out what’s under the hood.

Lastly, I will mention that I have played around with Admin-SSL a good bit as I really want to encrypt administrative traffic but have not had much luck getting it to work with the latest version. Anyone who has a good workaround or a better plugin to perform this function, please drop me a line.

Posted in Wordpress Security

WordPress Security – Defense in depth

WordPress Security posts often focus on mentioning a few magic plugins that you can install to get and stay secure. I use many of these plugins myself but they are not a silver bullet for keeping your site secure. WordPress, like most other technologies being considered from an information security perspective, requires defense in depth to do the job right. For those of you not familiar with the defense in depth strategy, it means that there is no one magic bullet to get and stay secure. An effective information security program requires a layered approach of multiple techniques to help mitigate the risk of any one control suffering a failure.

What are the different layers of WordPress Security?

Client Security – If the PC you administer your WordPress site on becomes infected with a keylogger your site is likely to be compromised. An attacker can use a keylogger to capture your WordPress, web hosting account, FTP, or database credentials, any of which will cause major security headaches.

Network Security – If you administer your WordPress site or access your webhosting administrative log on page on an insecure network your logon credentials can be intercepted via a network sniffer program. Unless you have taken additional security measures such as encrypting your log in sessions with SSL that means your passwords will be captured in clear text making it easy for an attacker to login with your credentials. That is reason enough never to login to your administrative accounts on a network that may not be secure.

Webserver Security – Most of you are hosting your WordPress site on a shared service and are therefore very reliant on your service provider to take the needed steps to secure their DNS and Web servers. The major way you can influence security in this space is with your dollars and via the hosting company’s help desk. If you experience or read about serious security incidents affecting your site you have the option to leave when your hosting contract ends and get your web hosting from a more secure provider.

Database Security – When you first install your WordPress site a MySQL Database is created. This database is the backbone of your site containing the structure and table entries that make your site work so it is essential that the integrity of this database be protected. The primary areas of concern here are the database administrator password, managing database versions, and SQL manipulation attacks that could lead to unintended data disclosure.

WordPress Application Security - When you first configure your WordPress site you must select an administrative password to protect your account. It is essential that you follow good password practices when setting this password and be sure to change it promptly if you ever suspect it has been compromised or if your client PC becomes infected with malware. In addition, WordPress updates should also be applied promptly to ensure your site is protected against known vulnerabilities. If you run a WordPress site with multiple contributors it is important that you delegate access using role-based security to limit their privileges to only what is necessary to perform their function.

WordPress Plugin Security – WordPress plugins should be considered an application and standard application best practices should be followed. Reference these WordPress plugin security tips when you are installing a new plugin.

Now that you are more aware of the various components that must be taken into account to have a secure WordPress site in the next article I will provide detailed recommendations on how to secure each one of these layers to help keep your site secure.

Posted in Wordpress Security