SaaS – Ecommerce Sites – Twitter Case Provides Critical Lessons in Administrative Security

In June 2010, the Federal Trade Commission (FTC) settled charges that Twitter’s micro-blogging site had engaged in lax security practices amounting to “unfair and deceptive trade practices”.

Previous FTC cases over lax security focused on weak electronic (technical) controls; the Twitter case focused on weak administrative controls. Webmasters of SaaS and ecommerce sites who fail to learn and apply the critical lessons of the Twitter case do so at their peril.

Twitter Case Facts – Two Hacks

The FTC’s complaint against Twitter alleged that lax administrative controls for data security permitted at least two hackers to acquire administrative control of Twitter resulting in access to private personal information of users, private tweets, and most surprising – the ability to send out phony tweets.

Here is how the hackers got in. According to the FTC, hacker no. 1 used an automated password-guessing tool that sent thousands of guesses to Twitter’s public login form. The tool hit an administrative password that was a weak, lowercase, common dictionary word. With that administrative access, the hacker reset several user passwords and posted them on a website where others could pick them up and use them to send phony tweets.

Hacker no. 2 compromised the personal email account of a Twitter employee and found the employee’s passwords stored there in plain text. From those passwords, the hacker was able to guess the employee’s similar Twitter administrative password. Once inside Twitter’s administrative interface, the hacker reset a user’s password and could access the user information and tweets of any Twitter user.

Twitter Settlement Lessons

The FTC noted that Twitter’s website privacy policy promised: “We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

Focusing on Twitter’s administrative controls (more accurately on the lack thereof), the FTC alleged that Twitter failed to take reasonable steps to:

* require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;

* prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;

* suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;

* provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;

* enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;

* restrict access to administrative controls to employees whose jobs required it; and

* impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.

The FTC settlement included (among other things) the requirement that Twitter set up and manage a comprehensive data security program that will be reviewed by an independent auditor periodically for ten years.

Conclusion

The FTC represents consumer interests to prevent fraudulent, deceptive, and unfair business practices. Privacy and data security have been high-priority issues for the FTC, as evidenced by the 30 cases brought over the last few years for lax data security practices.

In its investigations of data security cases, the FTC looks at two standards:

* what the FTC considers as “standard, reasonable” security procedures, and

* what a website’s privacy policy promises to consumers regarding data security.

If the website’s actual data security practices do not measure up to one of these standards (the worst case being a failure to measure up to both), the FTC concludes that the website has engaged in lax security practices that amount to “unfair and deceptive trade practices”. A complaint and costly lawsuit may follow.

The reason that the FTC publishes the results of its settlements is to provide lessons to others regarding what the FTC regards as an “unfair and deceptive trade practice”.

Do you know if your site measures up to the two standards?

Copyright: 2010 Chip Cooper

E-Commerce – What You Need?

Since the advent of the internet the dictionary has changed a lot: new words keep being added, and businesses take on new meanings. One such term, widely used in the IT world, is ecommerce. What is ecommerce? Ecommerce is simply doing business online.

Is ecommerce worthwhile for every business? No. Ecommerce is only viable for businesses that are willing to cross boundaries and are not limited to a specific local area. That can be anything from a small retail store selling sweets to a huge multinational company selling medicines.

There is a lot of potential in ecommerce. It is the least expensive way of doing business, but it needs a well-planned strategy and patience. It takes years to establish your position on the internet and start getting real customers.

To start with ecommerce, what you need is a good website with complete ecommerce facilities, followed by search engine optimization of the site so that it starts pulling in real customers.

An ecommerce solution should provide facilities for:

1. Product catalogue

2. Order Management

3. Merchant Account

4. Shipping

5. Client Management

It should be so simple that anyone can buy products easily from your website. The site should also give a feeling of comfort, particularly about the safety of credit card details, so that everyone can shop without any fear of their card being misused.

The site must attract visitors so that they come back again and again, and there should be some sort of incentive for buying online.

Shipping should also be prompt and reliable.

It is very important not to jump into ecommerce without thoroughly researching the net and having a plan for your site. It is always better to promote your site in a limited area first than to do it globally from the start.

eCommerce Website Integration with Microsoft Dynamics GP – Overview for Developer

When you are facing growth in e-commerce transaction volume, the typical solution is to remap the back-office ERP system to a more scalable one. In this short article we consider the case where you remap your eCommerce site to Microsoft Great Plains Dynamics GP. If you do your homework and search the internet to understand your options, you will see that several out-of-the-box solutions exist; however, they are typically not what you are looking for, because you would like to keep your existing ecommerce solution with its shopping cart, checkout and credit card processing. In this case, your way forward is eCommerce integration with Microsoft Dynamics GP.

o Remapping technology. Let’s assume you had something like SAP Business One, where you deployed the SAP B1 SDK and programmed the eCommerce-to-SB1 integration as a Microsoft Visual Studio C# project. When you remap to GP, you again use MS Visual Studio and the C# language, plus the GP integration tools described in the next section.

o eConnect. The core logic of eConnect is realized as a set of SQL stored procedures, through which you can manipulate GP objects such as Customer and Sales Invoice (or Sales Order, if you plan to transfer the order to an invoice later). Because the integration therefore talks directly to the GP company database, the SQL login it runs under should be limited to executing the eConnect procedures it actually needs rather than being given owner rights on the database.

o Automatic posting dilemma. Looking back at SAP Business One, when you create an Invoice there it is already “posted”. In Great Plains, an Invoice is created in so-called “work” status, then typically placed into a batch for approval and posting by a GP operator. eConnect does allow you to create a Sales Invoice, but it does not allow you to post it automatically from the eCommerce application. This is a natural restriction of the Great Plains Dexterity architecture.

o Posting Server. This solution is available for purchase and uses the Microsoft Dexterity posting engine. What you need to do as an eCommerce developer is to place the batch into the approved-batches table, thereby approving it for posting. The Posting Server checks that table every five seconds and posts its contents. The Alba Spectrum Posting Server requires a GP workstation running on a separate computer, so expect one additional user license.

o A brief look at Microsoft Dynamics GP Dexterity. It was designed as a shell, written in the C programming language, to remove database and OS dependency. Dex.exe is the application; it launches dictionaries such as DYNAMICS.DIC, and you can find the Dex dictionaries listed in the Dynamics.set file. Programming in Dexterity should be left to professionals: it uses a proprietary and fairly unique scripting language, Sanscript, and a Dex programmer must also be familiar with the Dex architecture and table structures. Dexterity enables various customizations, integrations and modifications to existing GP business logic.