SaaS – Ecommerce Sites – Twitter Case Provides Critical Lessons in Administrative Security

In June 2010, the Federal Trade Commission (FTC) settled charges that Twitter’s micro-blogging site had engaged in lax security practices that amounted to “unfair and deceptive trade practices”.

While previous cases brought by the FTC for lax security procedures focused on lax electronic controls, the Twitter case focused on lax administrative controls. Webmasters of SaaS and ecommerce sites who fail to learn and apply the critical lessons of the Twitter case do so at their peril.

Twitter Case Facts – Two Hacks

The FTC’s complaint against Twitter alleged that lax administrative controls for data security permitted at least two hackers to acquire administrative control of Twitter, resulting in access to users’ private personal information and private tweets and, most surprisingly, the ability to send out phony tweets.

Here’s how the hackers got access to Twitter. According to the FTC, hacker no. 1 got in by using an automated password-guessing tool that sent thousands of guesses to Twitter’s login form. The tool found an administrative password that was a weak, lowercase, common dictionary word; with it the hacker reset several user passwords and posted them on a website where others could access and use them to send phony tweets.

Hacker no. 2 compromised the personal email account of a Twitter employee and found the employee’s passwords stored there in plain text. From these, the hacker was able to guess the employee’s similar Twitter administrative passwords. Once inside Twitter, the hacker reset a user’s password and could access the user information and tweets of any Twitter user.

Twitter Settlement Lessons

The FTC noted that Twitter’s website privacy policy promised: “We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

Focusing on Twitter’s administrative controls (more accurately on the lack thereof), the FTC alleged that Twitter failed to take reasonable steps to:

* require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;

* prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;

* suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;

* provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;

* enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;

* restrict access to administrative controls to employees whose jobs required it; and

* impose other reasonable restrictions on administrative access, such as restricting access to specified IP addresses.

The FTC settlement included (among other things) the requirement that Twitter set up and manage a comprehensive data security policy that will be reviewed by an independent auditor periodically for ten years.
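The controls the FTC lists above (lockout after repeated failures, source-IP restriction on the administrative login, 90-day rotation, and a salted slow hash instead of plain-text storage) map onto a few lines of login logic. The following is an added example written for this article; it is not Twitter’s code and not anything from the FTC filings. The account store, the `10.0.0.0/8` allow-list, the five-attempt limit and the dates are all constructed for the demo.

```python
"""Administrative-login controls of the kind the FTC complaint lists.

Added example, not Twitter's or the FTC's code. Account store, network
allow-list, attempt limit and timestamps are all constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                 # lock after this many bad guesses (assumed limit)
PASSWORD_MAX_AGE = timedelta(days=90)   # the 90-day rotation the FTC cites
# Constructed allow-list: only the corporate range may reach the admin login page.
ADMIN_ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: a leaked store is not a plain-text list
    # like the one found in the employee mailbox in hack no. 2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_admin(username: str, password: str, now: datetime) -> AdminAccount:
    salt = os.urandom(16)
    return AdminAccount(username, salt, hash_password(password, salt), now)


def admin_login(account: AdminAccount, password: str, source_ip: str, now: datetime):
    """Return (accepted, reason). The IP check runs first so a caller outside
    the allow-list learns nothing about the account's state."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in ADMIN_ALLOWED_NETWORKS):
        return False, "ip_not_allowed"
    if account.locked:
        return False, "locked"
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.pw_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True       # disabled until an administrator re-enables it
            return False, "locked"
        return False, "bad_password"
    account.failed_attempts = 0
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return False, "password_expired"  # correct credential, but rotation is overdue
    return True, "ok"


def lockout_demo():
    """Constructed sequence: one request from outside the allow-list, then
    repeated dictionary-word guesses, then the real password once locked."""
    now = datetime(2010, 6, 1)
    acct = create_admin("ops_admin", "Correct-Horse-42", now)
    reasons = [admin_login(acct, "Correct-Horse-42", "203.0.113.9", now)[1]]
    for _ in range(MAX_FAILED_ATTEMPTS):
        reasons.append(admin_login(acct, "happiness", "10.1.2.3", now)[1])
    reasons.append(admin_login(acct, "Correct-Horse-42", "10.1.2.3", now)[1])
    return reasons


def expiry_demo():
    """Same correct password: one set 151 days ago, one set 12 days ago."""
    stale = create_admin("stale_admin", "Correct-Horse-42", datetime(2010, 1, 1))
    fresh = create_admin("fresh_admin", "Correct-Horse-42", datetime(2010, 5, 20))
    now = datetime(2010, 6, 1)
    return (admin_login(stale, "Correct-Horse-42", "10.0.0.5", now)[1],
            admin_login(fresh, "Correct-Horse-42", "10.0.0.5", now)[1])


if __name__ == "__main__":
    print(lockout_demo())
    print(expiry_demo())
```

The check order matters: the allow-list is evaluated before anything account-specific, and a lockout is reported even when the submitted password is correct, which is what stops a guessing tool from simply continuing past the threshold.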

Conclusion

The FTC represents consumer interests to prevent fraudulent, deceptive, and unfair business practices. Privacy and data security have been high-priority issues for the FTC, as evidenced by the 30 cases brought over the last few years for lax data security practices.

In its investigations of data security cases, the FTC looks at two standards:

* what the FTC considers as “standard, reasonable” security procedures, and

* what a website’s privacy policy promises to consumers regarding data security.

If the website’s actual data security practices do not measure up to either of these standards (a worst-case scenario would be the failure to measure up to both), the FTC concludes that the website has engaged in lax security practices that amount to “unfair and deceptive trade practices”. A complaint and costly lawsuit may follow.

The reason that the FTC publishes the results of its settlements is to provide lessons to others regarding what the FTC regards as an “unfair and deceptive trade practice”.

Do you know if your site measures up to the two standards?

Copyright: 2010 Chip Cooper

Plan Your Blog For Your Future

I have been using Blogger as my blogging platform for a year already, and I must say that this has been a mistake all along. Blogger is not as flexible as self-hosted blogs, does not have as many useful widgets as WordPress, and is not so SEO friendly either. Why am I telling you this? It’s because I failed to do one thing before everything else started:

I failed to plan

Planning is an important factor in blogging if you are seriously going to make it earn for you. You have to do your research thoroughly beforehand and ask yourself questions like ‘What kind of blog will I be making so that I can earn optimally?’, ‘What security measures must I adopt to protect my blog from hackers or malicious software?’ or ‘Which niche will I choose?’ Let’s go through step by step what I am trying to say here.

‘What kind of blog will I be making so that I can earn optimally?’

I will mention 2 types of blog today, and those are:

1. the normal blog with Google AdSense installed
You can make a normal blog with Google AdSense installed without spending any money at all, and setup is really easy. You earn from this kind of blog by writing content interesting enough that readers feel compelled to click on the ads on your blog, earning you a few cents per click. There are many resources on the web that tell you how to earn more from just blogging, but at the end of the day your earnings won’t be as much as an eCommerce blog’s.

2. an eCommerce blog.
An eCommerce blog is a blog that buys and sells goods online, whether business-to-business (B2B), business-to-consumer (B2C) or consumer-to-consumer (C2C). This kind of blog is often harder to make: since consumers may use credit cards to purchase goods online, you must be able to gain their trust, because credit card fraud is rampant on the internet. There are many eCommerce consulting agencies on the net and you can always get help from leading ones, for example ECommercePartners. These interactive agencies provide eCommerce solutions to a wide variety of fields, including fashion web design and many others. An eCommerce blog can earn you large sums of money at times, but its earnings may not be as frequent as those of normal blogs with Google AdSense installed.

‘What security measures must I adopt to protect my blog from hackers or malicious software?’

Hackers can break into blogs through advanced methods such as XML injection, but if your blogging platform already provides the basic security measures you won’t have to worry about that so much. What you should worry about is how hackers can still use primitive methods to hack and ruin your blog for good:

1. Weak passwords
Your admin password must be strong: it must contain a mixture of lowercase letters, capital letters and numbers. It is also not advisable to use your name, your birthday or even dictionary words as your password. Hackers today have advanced programs that will expose such common passwords in no time.

2. Weak anti-virus / internet security software
Even though your blogging platform already has some security measures in place to fend off hackers, it is still suggested that you have internet security programs installed too. Hackers can use spyware to capture sensitive information while you are typing your password on your keyboard, so today I will be introducing to you the antivirus program called ZSecurity. It provides extensive internet security and anti-spyware capabilities, so do get your own copy.
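The password rules in point 1 (mixed case plus digits, no name, no birthday, no dictionary word) are easy to enforce at the point where the admin password is set. The following is an added example and is not part of the original post or of any blogging platform; the word list is a constructed stand-in for a real dictionary file, and the 12-character minimum and the digit-for-letter substitution table are assumptions the post does not specify.

```python
"""Password-policy check for a blog admin password.

Added example, not part of the original post and not any platform's code.
COMMON_WORDS is a constructed stand-in for a real dictionary / breached list.
"""
import re
from datetime import date
from typing import List, Optional

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty", "admin", "secret"}
# Reverse the usual digit/symbol-for-letter substitutions before the dictionary check
# (assumed table: 0->o, 1->l, 3->e, 4->a, @->a, $->s).
DELEET = str.maketrans("0134@$", "oleaas")
MIN_LENGTH = 12  # assumed minimum; the post only asks for a mix of character classes


def password_policy_violations(password: str, name: str = "",
                               birthday: Optional[date] = None) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not re.search(r"[a-z]", password):
        problems.append("no_lowercase")
    if not re.search(r"[A-Z]", password):
        problems.append("no_uppercase")
    if not re.search(r"[0-9]", password):
        problems.append("no_digit")

    lowered = password.lower()
    # Letters only, with substitutions undone: "P@ssw0rd1" -> "passwordl"
    core = re.sub(r"[^a-z]", "", lowered.translate(DELEET))
    if lowered in COMMON_WORDS or any(w in core for w in COMMON_WORDS if len(w) >= 5):
        problems.append("dictionary_word")

    if name and name.lower() in lowered:
        problems.append("contains_name")

    if birthday is not None:
        # Year alone, or the full date in the common orderings.
        for fmt in ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
            if birthday.strftime(fmt) in password:
                problems.append("contains_birthday")
                break
    return problems


def check_for_user(password: str, name: str, birthday_iso: str) -> List[str]:
    """Convenience wrapper taking the birthday as an ISO date string (YYYY-MM-DD)."""
    return password_policy_violations(password, name, date.fromisoformat(birthday_iso))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "alllowercase", "Tr0ub4dor&3xK9"):
        print(pw, password_policy_violations(pw))
    print(check_for_user("Xq19850312!!ab", "Sam", "1985-03-12"))
```

Running the check at password-set time, rather than at login, is what makes it useful: a weak password that is never accepted cannot later be found by a guessing tool.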

‘Which niche will I choose?’

You should choose a niche with a large target audience and one that you can update every day. By doing so, a large amount of traffic will come to your blog. Because you can update every day, these visitors will come back frequently for more information.

That’s it for my post. Do plan your blog carefully. That’s all, c u

Year In Review: Top Ten Internet Businesses 2004

The internet boom hit a high mark in 2004. With old standbys and new emergences, the top ten internet businesses of 2004 show a variety of companies all with one thing in common: they have adapted well to the World Wide Web. Many companies have difficulties and struggle amidst the huge ocean of the internet, especially since it is quite difficult to maintain a personal face. The companies in the top ten have not only succeeded in the business sense, they have invaded our daily life and become household names. From meagre beginnings, these top ten entrepreneurial companies have mastered this new medium and are an inspiration to any budding entrepreneur interested in starting an internet-based business.

The internet search engine Google was the top internet business of 2004. The world’s largest search engine receives over 200 million hits a day. Businesses pay Google to have an ad for their website appear to the right of the user’s search results. The paid advertising targets consumers seeking information. Google’s initial public offering gave it a market capitalisation of over $23 billion, placing it between Yahoo and Amazon.com. In addition to becoming an economic success, the company’s name has invaded our language. The verb “google” entered the dictionary with a definition meaning “to look someone or something up on the internet.” The essence of a truly successful business is not only one that makes money but also one that serves its clients to the utmost of its potential.

The online auction site eBay.com continued to expand its services and customer base throughout 2004. As the industry leader it boasts tens of millions of members and has websites in over 17 countries. eBay.com generated over $3 billion in revenues off a record $34 billion in Gross Merchandise Volume.

Amazon.com continues to be the world’s number one internet retailer, with 2004 sales in excess of $6.9 billion. The retailer continues to expand its offerings and partnerships with other retailers. Recently Amazon.com rolled out a9.com, which provides consumers with expanded search options to find merchandise on Amazon.com’s website. As part of the tsunami relief effort, and in conjunction with the American Red Cross, Amazon.com set up an online donation channel which raised over $13 million.

Yahoo Inc. provides comprehensive global internet services. It remains the most visited website, with over 3 billion page views per day. Yahoo launched its own search engine technology after dropping Google-powered results. Boasting free and paid email accounts and websites complete with design tools, Yahoo has many pleased clients.

Expedia, the Washington-based travel company, has revolutionized the entire travel industry. By allowing individuals to serve as their own travel agents and search a database of airfares, rental cars and hotel rooms, Expedia has given everyone access to the phenomenal travel deals that would previously have been reserved for insiders.

Technology giant Microsoft launched MSN to serve a variety of consumer needs. Boasting email, news, chat software and website hosting, MSN is one of the most visited websites on the internet.

America Online faces a great deal of competition from companies like MSN and Yahoo! but is still one of the most popular internet service providers out there. Boasting an entire network of satisfied customers, AOL goes beyond the service of other providers. Many individuals new to the internet choose AOL for its ease of use and availability all over the globe.

Netflix has become an increasingly popular option for many movie-renting customers. Instead of having to travel to your local movie store, the movies are shipped directly to your home. You have an unlimited number of rentals and pay a nominal monthly fee for the service. By lowering its fees in the middle of the year to compete with lower competitor prices, Netflix drastically increased its clientele.

With the popularity of burning audio and video files to create your own CDs, many copyright issues have taken center court. Instead of illegally trading music for free using person-to-person programs, Real.com has a wide array of songs available for legal download for a nominal fee. Additionally, Real.com offers a variety of free and paid media players so individuals can play MP3s, CDs, DVDs and any other type of media file directly on their computer.

The last internet company in the top ten is online retailer and technology giant Apple. Its website Apple.com boasts an amazing number of customers each month, as it provides a forum to purchase Apple products along with the different programs necessary for maintaining your Apple computer, iPod or any other electronic product sold by the company.