Website security
When we transmit information across the
internet, we send it in plain format, but with
the right tools, it can be intercepted. Entering
a username and password onto a website
could also result in these (and any information
returned from the site itself) being intercepted.
To transmit the data securely, we use a
process called encryption: encoding at our
machine, transmission, and decoding a the
server. The server (eg, at Amazon) processes
the data, encodes it and transmits it to our
machine to decode it.
Always a but
However, we need a password or key so that
the process can work securely. This, as with
the very nature of the internet, raises more
problems. For example, our machine cannot
know, ahead of time, the sites we will visit or
the passwords we will need. We need a pair
of keys: one kept secret by the server and
one provided on request to your machine. The
pair of keys is used in encrypting/decrypting to
secure the transmitted data.
SSL
The Secure Socket Layer (SSL) certificate
is our (public) encryption password —
generating the certificate produces the
private certificate (key), followed by the public
certificate (key). These certificates are easy
to produce, but how do we determine that
the person we are exchanging data with is
who they say they are? Hence, the certificate
authority.
Certificate authorities are the companies
deemed trustworthy by your application: we
trust this company if it says they are who they
say they are. The application could be your
web browser, your email client, or even be
built into your operating system. While it is
possible to circumvent this process, using a
certificate authority introduces another step in
the certificate generation process.

After the private certificate is generated, a
request is sent to the certificate authority; they
respond by sending you a public certificate
(combining their key and yours) – allowing
your application to verify to some degree that
you are who you are supposed to be.
Levels of certificate
There are three, with incremental levels of
confidence to ensure that the website is
legitimate.
Domain Validation (DV)
When you register a domain (for example,
icestarmedia.com) you supply an email
address. A DV certificate emails the address
attached to the domain. A response to the
email is sufficient.
Organisation Validation (OV)
A physical address is held within the domain’s
details. This address must match the company
address registered at Companies House;
other countries have similar requirements.
Extended Validation (EV)
You also need a mix of other information (a
certified accountant’s letter, telephone number,
company utility bill, etc).

SSL Certificates and the Web
When we download a web page, we are
usually downloading many files consisting of
one central control file (the web page) and
one or more media and script files. These
additional files could be on different servers.
They can even be forced to encrypted/
unencrypted, which often triggers a warning
if we are visiting a site securely. The warning
is usually: Some elements on this page are
transmitted insecurely do you wish to display?
The problem is that scripts and images can
be used to ‘listen’ to data being sent into and
out of our web browser. If some of our data is
being sent insecurely, this data can be listened
to — a site is not really secure unless all
elements on it are secured.

What’s so special about the EV
certificate?
When everything is properly installed and
all the unsecured elements on a page are
corrected, an EV certificate triggers the
green bar in our web browser — usually the
background or to the left or right of the url bar
(where you type the website you wish to visit).
It is highly visible. It tells your visitors that all
elements on the page are secured and that
you have gone through a lengthy process to
identify yourself to a certificate authority.
Encryption v assurance

All three certificates provide the same level
of encryption, however, encryption is just the
start. Assurance that your site visitors are
actually visiting you, and that you have been
vetted as being a legitimate and registered
company gives visitors the confidence they
need to start entering their confidential data.
For anyone collecting personal or business
critical data on a website, an EV certificate
is definitely recommended. It provides the
assurance in a highly visible manner and also
gives you a gauge as to how well your website
developers are at putting your site together.

SSL certificates (and EV certificates) are a
very good start to website data security.
If you are collecting any sort of personal
or confidential data on your website, you
should certainly have the minimum of an EV
certificate.

(This article also features in the Hertfordshire Chamber of Commerce and Industry’s April-June 2012 Chamber Newsletter).

Many companies now have a website that stores or collects their customers personal details and as has been highlighted by Sony recently, these details are often not as secure as you may think. As a business owner you are caught in the dilemma of not necessarily knowing (or needing to know) the details around how your website is designed, built and secured and that of ensuring that sufficient security is in place to protect that information. As a result of the major theft of data from Sony, where millions of their customers personal and payment details were stolen, we conducted an internal review to ensure that our internal policies and infrastructure not only met best practice, but also provided a measure of protection against the type of data loss that Sony encountered.

During this process we discovered what we consider to be some major flaws in the build of a lot of websites (albeit e-commerce and otherwise) that leave a lot of potentially sensitive data vulnerable to the type of attack that Sony suffered.

This article will hopefully go some way towards explaining the types of procedures necessary to properly secure your sensitive data and to highlight at least one common flaw in the design of most websites that could leave them open to the same level of data theft as Sony.

General Security

There is often a very large separation between your web developer and your infrastructure provider. Your infrastructure provider will provide the hardware (e.g. the servers upon which your web site is hosted), network connection and possibly the web server software itself, they may even keep it all up to date for you. If the server is on your company network it’s very likely you have a firewall between your website and the general internet, if it’s a shared hosting service  provided by a third party this is less likely. Your web developer will usually focus on the design and functionality of your web site and not necessarily on it’s security.

Generally most security measures concentrate on keeping any potential threats out of a server, this will involve a large number of tasks undertaken regularly and (hopefully) with great vigour. All of these security measures are usually aimed at one thing, to allow visitors to access the services they are supposed to be allowed to and nothing else, i.e. not allowing anyone to gain access to the root or administrator accounts (e.g. site managers who have the permissions and capability to do anything they want to).

Most services running on a server will run under an account of some description (much like a user account but with even more restricted privileges), this is to prevent root/administrator access to attackers who manage to break into (for example) your web service.

All of this focus on infrastructure security leads to a tendency on many web developers part to assume that the website is secure as long as they follow one or two simple guidelines, and that anything further is the responsibility of the infrastructure providers. In fact several current practices leave sites vulnerable in specific ways that can lead to disaster.

Sessions and Cookies

As the internet and the World Wide Web in specific has progressed over the years many features have been added and built onto the original standards, the two most important additions, currently are sessions and cookies. Without these you would not be able to experience websites as you do now, there would be almost no e commerce, no webmail etc.

When the Web was first designed, it was for static pages, you went to a site and were displayed the index page, you clicked a link and were taken to the second page and so on. Now behind this concept there is no need for the web server to know, or care that the web browser who is navigating to the second page is the same person who navigated to the index page, the server just delivers the page. To enable such functionality as an e-shop, you need an e-basket that persists across pages, which under this methodology is not possible, and so cookies and sessions were born. A cookie is a small piece of data that is stored in your browser, the server sets this cookie and the browser will only deliver it to the server that set it in the first place. A session is a server concept, where small pieces of data are stored on the server and combined with a cookie enables the server to store things like the contents of your current e-basket, with the cookie telling the server that you are you.

However, all of this data is currently sent back and forth across the internet as plain text, which means that anyone with the right tools can potentially read the data your browser is sending to the server (and that the server is sending to your browser), including the cookie that tells the server that you are you. Again with the right knowledge an attacker can take this cookie and pretend to be you, and thus gain access to your current session on the server (which will usually include the ability to change your password, possibly read you personal data etc.) and so we move to the concept of SSL.

SSL

SSL (Secure Socket Layer) has two purposes, one is verification and the second is encryption. A SSL enabled website is identified in several ways, the URL starts with https:// instead of http:// and you will normally see a locked padlock or a green or blue bar in your browser. If you are viewing a URL that starts with https:// then all the data you send to the server and all the data the server sends to you is encrypted and so the data being sent back and forth should not be readable by a third party. However there are threats that mean that you are not visiting the site you think you are, hence the verification part of this process. Built into your web browser is a verification process that shows that the secure site that you are actually visiting is the one that you think you should be visiting, this is when you get presented with the green/blue bar and the locked padlock.

SideJacking

The threat of sidejacking has been talked about in the IT press quite a bit and still hasn’t been fully addressed in various websites. Sidejacking is a flaw in the development process of web sites and there is nothing the infrastructure people can do about it. It relates to sessions/cookies and SSL and provides an attacker a method to gain access to your on-line account even if SSL is being used. As mentioned above if an attacker can gain access to the un-encrypted cookie that identifies you as you, they can access your account and personal data. The process for accessing a site usually goes something like this:

1. You browse to http://www.securesite.com
2. Click login
3. Land on page https://www.securesite.com
4. Login correctly and start your activities

However, behind the scenes there are several things going on. Normally at point 1 the session is established and the cookie is set, once it is set for the browsing session most sites do not change it. Therefore an attacker can gain access to the cookie at point 1, wait until you login and then gain access to your secure account and all your details with it.

There are two ways to prevent this:

1. Do not have a non SSL site, this is the best and most secure way of doing things, this way all access is encrypted, even the initial cookie, your clients/customers only ever go to https://.
2. Your web developer needs to restart the server session at point 2 and the session needs to be stopped if ever your clients/customers leave the https:// to go to the http:// portion of the site.

Patching

So your infrastructure provider keeps all of your servers up to date therefore you are safe from having your server broken into right? Sorry no, a patch is a fix to an operating system or software bug that, in the case of a security flaw, would allow an attacker into your server. This means that until the patch is applied your server is vulnerable to that flaw, it also means that the bug in your operating system/software that the vendor/maintainer doesn’t yet know about is still in the operating system/software waiting to be exploited and fixed. Ultimately this means that even if your systems are fully patched they are still always vulnerable to the next flaw.

Data Sensitivity

So what data do you consider to be sensitive? Most people when talking about websites will say credit card details which whilst true is not the most significant. The rising crime of the moment is identity theft and it’s easy to see why, if an attacker breaks into a site they can also gain access to the list of used credit cards and then clone them. If they break into a site and gain access to personal details they can steal identities and apply for multiple credit cards, loans etc.

Therefore probably the most sensitive data on your site is your client/customers personal details, which will include name, address, date of birth etc. most of which is stored in a database protected by security, coded by your web developer, on your web server.

PCI Compliance

PCI compliance is a series of tests you have to go through before you are allowed to accept/process credit card payments, in this case on your website. It has a series of conditions you need to meet before you will be allowed to accept credit cards. So if you’re PCI compliant or you are accepting credit cards you are okay right? Sorry again, probably not in fact at least if Sony is any example. PCI compliance only applies if you accept credit cards on your site, so if you are using PayPal, or something similar where during the checkout process your customer is re-directed to a third party site to accept the credit card details you not have needed to be PCI tested and so probably aren’t compliant. Even if you are, a lot of web developers simply do not store the credit card details and thus you only need to meet minimal standards, which will mean personal details that are not credit card related could be stored in your database and accessible by your web server. Even if the details are stored in the database, but encrypted, they are often only encrypted at the web server and are open to an attack.

Encryption

Encryption of data is basically a process of changing the data such that it cannot be read by anyone unauthorised to do so. This will usually use a standard process and will use a key of some description. The use of this key is required to both encrypt and then to decrypt the data. A web developer will, if they are actually encrypting the data (most do not unless specifically required to do so), run the encryption process and store the key on the web server.

Sony specifically said that the credit card details that were stolen were encrypted however no details were released about the level of encryption, if it was possible that the encryption key was stolen, or if the personal details were encrypted at all.

The Problem

We have already established that your sever has a weakness somewhere (it may not have been identified yet but it is there), so therefore there is a possibility that an attacker can get into your server and therefore run commands as the user account that the web server runs under. The problem with this is that anything that your web service can do, the attacker can also do, including but not limited to:

1. Access your database using the same credentials your web service uses, and therefore have access to the same data.
2. Access your web service log files.
3. Access any session details in progress.
4. Read any web code on the server

So what does all of this mean in practice? Well if your web server can access all the rows in your database, so can the attacker, if your security filters are based on your web code, then the attacker can by-pass them. If your site administrator is logged into your content management system, the attacker can highjack their session and have a nice easy way to gain full access to your site. If you do encrypt your personal data and the key is stored in the web code the code can be retrieved and therefore any encrypted data downloaded and un-encrypted.

This is exactly what happened to Sony, the web server was broken into and all of their customers data was stolen.

The Solution

The solution lies with your web developer, you need to make them fully cognisant of the fact that you want your clients personal data to be secured. They need to determine how to store the encryption key off of the web server such that it is not accessible if the web server is broken into. During your discussions with them you need to insist that the data is encrypted and in such a way as to allow your admin staff to be able to decrypt as well as the customer themselves.

In fact it is at least as important that your web developer is as security aware as your infrastructure provider, because if they leave a flaw in your website code that allows access to your site, or even allows access to your un-encrypted data, you may release your clients personal details into the wild and never even know about it.

Sony have more or less regained their feet, could you?

Mark Bond is the Technical Director at IceStar Media Ltd.

This article was also published in Issue 37 (July/August 2011) of the Herts Chamber News.

My business already has a web site, why do I need eCommerce?

Typical business web sites do not usually have the same features as that of eCommerce enabled “web shops”. In order to effectively distribute, market and sell goods or services on-line you will need certain features that will include a shopping cart, the ability to process credit cards securely, an on-line product catalogue, an automated inventory and stock control system, a database to process orders and generate invoices, bulk email facilities to keep customers informed of the status of their order, special offers and promotions, and capture, track and store data for statistical and reporting processes.

So what are the real benefits of eCommerce to my business?

Opening an eCommerce shop offers several benefits both to merchants selling their products and services and their customers. By far the main benefit for merchants is that it is faster, cheaper and much more cost effective to get an on-line shop up and running than a bricks-and-mortar based shop or warehouse where fixed overheads are much higher, particularly in the current climate where many businesses are looking at ways to reduce costs and streamline their sales channels.

For today’s consumer who is constantly battling with the clock to find time, being able to order products on-line and having them delivered without the need to leave their home is a major selling point.

What are the main advantages of selling on-line ?

Having a professional and effective Internet presence is extremely important if your business is currently selling on-line, or is planning to, and there are a wealth of advantages, including:

• Increased Sales

• An eCommerce store that is an extension of a physical shop or warehouse is not only a proven way (please refer to Case Study: Builders Equipment) to boost overall business sales and potentially increase company profits, but is also by far the cheapest way to sell. Companies who already do business from a physical location are typically unaware of how much more they could be making if only they were to expand into on-line market places. Trading on-line also opens up many opportunities for both new and established businesses.

• Reduced Costs

• On-line stores can operate with fewer employees including sales staff, customer service representatives, order fulfillment staff and others. In addition, eCommerce stores do not need a physical location in order to remain operational, which can reduce costs related to building leases, phone bills, utility costs and other costs associated with running a brick-and-mortar store front.

• The direct cost of sale for an order taken from a web site (i.e. on-line via eCommerce) is lower than traditional means (e.g. retail), as there is no human interaction during the on-line electronic purchase order process. In addition, electronic selling virtually eliminates processing errors, as well as being faster and more convenient for the consumers who know what they want.

• With ever changing variations in price and VAT rates it can become a very expensive task to keep reprinting brochures and price lists each time there is fluctuation in price or delivery rates. With an on-line catalogue, product prices and descriptions can be changed in a few seconds and with a few clicks of a mouse a bulk email campaign can inform customers of any changes.

• Expanded Geographical Reach

• An eCommerce business owner typically has no limits as to who and where their products may be sold. Some countries outside of the United Kingdom have additional regulations, licensing requirements or currency differences, etc., but generally you can sell to anyone, anywhere at anytime! Where physical shop fronts are limited to serving customers within their own city, town or country, on-line businesses are not, unless geographical limits are put in place as part of the sales strategy.

• Increased Visibility

• Consumers are increasingly searching for information on the internet prior to making a purchase. A professional and efficient on-line shop that provides detailed information about your products and services (including up to date contact information) will create a positive customer experience and enable consumers to make an informed decision in the comfort of their own home.

• Open for Business 24 x 7

• An eCommerce site gives you the ability to have unlimited store hours, giving your customers 24 hours a day, 7 days a week access to shop and buy items from you. Some merchants choose to limit their hours to 5 days a week, but orders can still be made over the weekend and customers can still make contact 24/7 via email, phone or fax. In addition, the costs associated with having your store open 24/7 are much less than maintaining a physical storefront with customer service advisors with 24/7 operation capabilities.

• Increase Product or Brand Awareness

• Having an on-line business means that you can literally reach out to millions of consumers looking for what you sell from anywhere in the world. By tapping in to new markets and displaying your site prominently in front of them, you will be able to help increase your company’s brand name and also increase awareness about your product line. By providing consumers with 24/7 access to your on-line shop, you will help to create a “buzz” and those who haven’t heard of you will soon discover that you exist and help spread the word about you.

• Create New Business Relationships

• Expanding or opening an on-line shop can create a world of opportunity and helps to establish new relationships with potential customers, potential business associates and new product manufacturers. Customers who don’t know you exist will find out about you, product suppliers will request you add their items and other businesses will approach you about potential partnership opportunities. Many of these opportunities would not present themselves without an on-line presence in which you can be found.

• Establish Customer Loyalty

• An eCommerce shop front will help create an easier means for your customers to purchase the items you sell and offer a unique way to display and describe your products in an informative, visual and interactive way. The customers you have will become loyal shoppers each time they visit, making eCommerce great for improved customer satisfaction and brand loyalty. By offering your products for sale on-line, consumers will be able to shop directly from your catalogues more easily, get updates on new items or product discounts and can buy anytime they wish.

• Target Niche Markets

• Although your customer reach may expand beyond your local area, you may only wish to target smaller consumer markets and buyer niches for your products. An on-line shop gives the merchant much control over who they target and reach out to. This is typically done by placing keywords that those niche markets use on a regular basis when shopping for the items you offer.

• Ability to Generate Multiple Revenue Streams

• With an on-line store you can launch a series of on-line shops and many merchants have gone on to launch a chain of eCommerce stores in order to generate multiple streams of revenue. The potential is limitless!

More information

For further information about eCommerce please visit our dedicated eCommerce section by clicking on the link below:

http://www.icestarmedia.com/ecommerce

The analysis of your site is the hard part, it requires knowledge of your site, your potential visitors, their paths into your site and the reasons they would be getting to your site. In effect it needs to be a collaborative process that will include yourself, your potential clients, and your SEO expert. Once the analysis has been carried out a report will need to be produced outlining the recommendations for improvements to the site.

SEO is also a generic term used to mean “how do I improve the number and quality of visitors to my site”, in this context it is about improving your site to retain visitors past their initial landing page (to entice them to actually buy a product for example).

In addition to all of this, SEO is an ongoing process, it should be carried out regularly to ensure that your site is always optimised to the current potential visitors, search engines and web standards.

SEO – Do I need it?

This is an entirely subjective question, it can be replaced with “Do I want more visitors to my site?”, “How do I get more people to buy from my on-line shop?” and “I am getting lots of visitors, but no-one is buying anything, why?”. If you are asking questions like this (or something similar) then its likely that you need your website analysed and potentially modified.

SEO – How do I get it?

There are many ways and I have included a few hints and tips below to get you started. You start though with ensuring a few basics when building your website, which are often not explained when you get a website designed for you and neither do any of the self-build systems tell you this. The key of course is content, simply put you need to get the textual content on your site correct. After this, ensure that your domain is relevant and if you have a single most used keyword try and include it either in your domain (or a second domain).

You can also purchase SEO services from various companies (IceStar Media are happy to carry out SEO reviews please contact us via the contact details on this site).

SEO Hints

1 HTML Validity – This one is often missed, and while it may not seem important it very definitely is. Getting the HTML compliant means that the tools used by Google/MSN/Yahoo/etc. will have an easier time in pulling out your text and its relevance, and will therefore improve your chances of getting a good ranking.
2 Content – The content you put on your various pages needs to be guided by the key words that your think your visitors will be searching for, but it also still needs to read well to provide the information the visitors need.
3 Location – If your service is location based (or it can be) include the location if possible, this will enable people who tend to search for a region/town/city to pick you up much more easily.
4 Domain Names – If your keyword can’t sit in your primary domain (e.g. www.mycompany.com) buy a second one and point it at your website (i.e. www.ism-webservices.com, your website hosting company can help with this).
5 Meta tags – While the use of these are less important than they used to be, getting the meta keywords, meta description and title tags correct will assist in some search engines rankings, but will also provide legible listings that will enable potential visitors to identify the contents of the page.
6 Image Alt text – Provide alternative text (relevant) for all of your images, most of the tools used by the various search engines will not be reading the actual images, therefore adding alternative text for the images will provide additional text content that can be indexed. In addition to this if the image is a part of a link, this will help to identify the content of the subsequent page.
7 Navigation – A hierarchical navigation structure with cross linking (where pages at the same level are linked where appropriate) will improve your sub-pages performance. In addition to this using an HTML based (rather than Javascript or Flash) menu structure will ensure the search engines can find all of your pages, as well as allow the various alternative browsers to use your site (for example screen readers aimed at people who are visually impaired will need this).
8 DDA compliance – Disability Discrimination Act compliance ensures that your website is able to be used by anyone with a disability, this is a legal requirement but will also increase the potential pool of customers that can use your website.

I recently had a breakthrough whilst developing a Fiscal Adapter for a client, it was such that I felt quite proud of the accomplishment and wanted to shout about it. I was met with a round of blank stares and “well done but I have no idea what you’re talking about”, hence this article.

First of all a bit about IT in general. Information Technology which includes all things computers and software, is generally (at least in a business sense) all about resource multiplication (ie. getting more out of the staff that you employ), it allows people to get more done (at least it should). When your IT starts actually reducing the work that your employees get done, its time to start looking at giving it a bit of an overhaul.

Now on to the purpose of this article, but first a bit of an example.

You start your shop selling a few widgets, you do well so you set up an ecommerce store and do even better so you expand and  you find that someone else is selling do-hickies, in fact these do-hickies are a really good accompanying product to your widgets, so you wander off and speak to the manufacturer and arrange to sell the do-hickies in your store and on your ecommerce site. Things start to take off you have large numbers of widgets and do-hickies being sold at this point you add several more product ranges to your store and ecommerce site and you realise that things are getting a bit complicated, especially the integration of your ecommerce site as you end up having to add new products into the ecommerce shop and maintain a lot of stock levels manually not to mention having to re-enter all of your sales invoices into your finance package, so your accountant can tell you how much you are making.

So the full definition of Adapter:

http://dictionary.reference.com/browse/adapter

–noun