Feb 26

Choosing an eCommerce web hosting plan can be a very difficult process, especially when one considers all of the aspects that need to be taken into consideration before an informed decision can be made. Perhaps even more difficult than selecting an eCommerce hosting plan is actually going through the process of becoming acquainted with the hosting account once you have purchased it.

With so many modules and options, it can be difficult to keep your mind on the important issues, such as business expansion and security. The latter, security, may be the single most important factor in creating any business website.

What is an SSL Certificate?

An SSL (Secure Sockets Layer) certificate is essentially a certificate that is placed on your website that lets your visitors know that your site is in compliance with the SSL protocol. SSL is a secure method of file transfer that ensures that any information sent to and from a website is encrypted and completely protected from third-party interception. Even more important than the actual security of a website is the trust and confidence that visitors place in the security of that website. You can have the most secure website in the world; however, if your visitors are not aware of the security measures you employ, then they are likely to assume your site is insecure.

Do I Absolutely Need an SSL Certificate?

A website without an SSL certificate will undoubtedly be seen in this light by many of its more knowledgeable visitors, and therefore will ultimately suffer in terms of sales volume. To prevent this from happening, you’ll need to make sure you not only have all of the proper security measures in place, but that you also make this information readily available in your site’s privacy policy and on all checkout pages. If you’re running a site that does not directly process payments or other critical data that contains financial or personal information, then you will not necessarily need an SSL certificate. However, if you are operating an eCommerce site that sells items and processes payments, then an SSL certificate is absolutely crucial to the success and sustenance of your online business.

Obtaining an SSL Certificate

There are several methods that can be used to obtain an SSL certificate. In some cases, your web hosting provider will offer the SSL certificate as an included feature with a hosting plan. In fact, many web hosting companies do offer SSL certificates along with their standard eCommerce plans. If you are planning on operating several eCommerce websites, then you’ll need to make sure you have an IP address for each of these sites. This is important to note, as many web hosting companies do not allow you to have multiple IP addresses per hosting account. In most cases you’ll need to buy a separate hosting account for each eCommerce site. Although this may be slightly time consuming, it will help you offer a secure website for your visitors.

Feb 22

The single most important feature a web hosting plan can have is a good encryption service. Without proper data encryption, all of the information sent to and from your website can be intercepted by hackers and other cyber criminals. If you run an online business, this can prove to be especially dangerous, as there is important information being transferred on your web server daily, including credit card numbers, bank account numbers, addresses, phone numbers and other information that your customers entrust to you. If this information is intercepted you may be held liable, and ultimately your business could be dismantled.

What is Encryption?

Encryption is the transformation of plain information into encrypted information which cannot be viewed by an outsider without a special key that unlocks the encryption. When data transfers through an encryption service it is scrambled in a seemingly arbitrary fashion. By the time it reaches the other side of the portal, the data is completely unrecognizable and cannot be used by any third party without the key that is custom generated during the encryption process. The encryption service uses a computer algorithm to create a random cipher which prevents hackers from accessing the encrypted information. Many people also use the term decryption to refer to the process of deciphering the information so that the end user can use it. Over the years the standards for encryption have changed notably.

WEP

WEP (Wired Equivalent Privacy) is a deprecated algorithm for securing IEEE 802.11 wireless networks. Since wireless networks broadcast their messages using radio waves, they are even more susceptible to intruders than conventional wired networks. When it was first released, WEP proposed to provide complete confidentiality similar to that of a conventional wired network. However, in 200 various crucial weaknesses were noticed by professional cryptanalysts, and it is now a widely accepted fact that a WEP connection can be hacked with easily obtainable software in a very short time period.

WPA

In response to the aforementioned weaknesses of WEP, WPA was created.

WPA/WPA2 (Wi-Fi Protected Access) is a certification program developed by the Wi-Fi Alliance to represent complete compliance with all of the security protocols established by the Wi-Fi Alliance. These protocols are specifically designed to maintain safety in all wireless networks. The WPA protocol enables safe functionality of the IEEE 802.11i standard, but was initially meant to be an intermediate security measure to temporarily substitute for WEP while 802.11i was being prepared. The later developed WPA2 established an advanced protocol that is now seen as the full standard in data encryption.

Conclusion

Having the proper encryption services to protect your online website is absolutely imperative, especially when running an online business. Knowing the nature of encryption services and what the industry standard is will help you make the right decision without having to experience costly trial and error mishaps. Using only the best encryption services will keep your business from suffering, and will prevent you and your customers from being victimized.

Feb 15

Most of the security risks on the internet today are the result of faulty programming and exploitable code. Many developers do not place security high on their list of priorities, as they’re often rushed for deadlines that they must meet in order to finish a paid project. Sadly, most of the security flaws within their programs are not discovered until the flaw has been exploited and the program is the cause of a compromised site or network. Of all the programming types, PHP is the most common, and is said to be the most useful. PHP is also easier to use than any other programming tool, and as the popularity of PHP programming increases, more new programmers are becoming interested in using PHP. This  influx of inexperienced programmers designing web applications has resulted in an internet full of unsafe websites.

Web Applications and Security

Web applications enhance the functionality and productivity of websites in a variety of ways, and have therefore become very popular amongst website owners. Unfortunately, website owners don’t realize how much of a risk they’re taking by installing and using these applications. Web applications are installed directly into your control panel, which makes them part of your administrative interface. If a hacker can gain access to your user interface, they can basically do whatever they’d like with your website, including deface it with questionable or inappropriate content. In fact, some web applications are designed by hackers specifically for this purpose. Before you install a web application you should make sure it is from a reliable source, and only install applications that are absolutely necessary to the progress of your site. If possible, try to work with professional developers to have your own web applications made.

BruteForce

Another way hackers can gain access to your administrative interface is by sending requests to your website’s server repeatedly in order to receive certain information. Many times this information will be something as simple as a password or nickname. They use the information returned to see if they’re guessing the right password without having to wait for a long time. This method is incorporated into hacking programs called Bruteforce programs. These programs repeatedly input information into your site’s login fields, in order to guess a correct username and password.

Since the process is done remotely, the hacker will need to know when they have successfully logged in to the account in order for the program to stop sending information. If they fail to realize they are logged in, then the program will continue sending login information which will reverse their success. Hackers avoid this pitfall by getting your site to send them a line of code when they have successfully penetrated the user area of the site. To prevent this from happening you’ll need to change a few settings in your administrative interface to restrict HTTP requests from unknown sources. You can also limit the number of requests allowed within a certain time frame, to stop the Bruteforce program from receiving information from your website repeatedly.
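One way to implement the request limit described above, as an added example that is not code from the original post: a sliding-window limiter that counts failed logins per source IP and per username. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed logins, tracked per source IP and per username."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        # Thresholds are assumed values; tune them to the site's real traffic.
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    @staticmethod
    def _keys(ip, username):
        # Two independent counters: one IP guessing many passwords, and many
        # IPs guessing passwords for one account, both trip a limit.
        return (("ip", ip), ("user", username.lower()))

    def is_blocked(self, ip, username, now):
        return any(self._locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record(self, ip, username, success, now):
        """Register one attempt; return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip, username, now):
            # Checked before the password result is used, so a locked-out
            # client never learns whether its latest guess was right.
            return "blocked"
        if success:
            # Counters are not reset here: failures simply age out, so a
            # client cannot clear its history by logging in to another account.
            return "ok"
        for key in self._keys(ip, username):
            recent = self._failures[key]
            recent.append(now)
            while recent and recent[0] <= now - self.window:
                recent.popleft()
            if len(recent) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                recent.clear()
        return "failed"


def replay(events, throttle):
    """Feed (timestamp, ip, username, success) tuples through the throttle."""
    return [throttle.record(ip, user, ok, ts) for ts, ip, user, ok in events]


# Constructed sample events (documentation IP ranges, timestamps in seconds).
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", "admin", False) for t in range(0, 50, 10)]  # 5 rapid failures
    + [
        (50, "203.0.113.7", "admin", True),     # correct guess, but already locked
        (60, "198.51.100.20", "alice", True),   # unrelated user is unaffected
        (1000, "203.0.113.7", "admin", False),  # lock (until t=940) has expired
    ]
)

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, LoginThrottle())):
        print(event, "->", outcome)
```

The per-username counter also locks out the genuine account owner while it is tripped, so the lockout period is a trade-off between slowing guessing and keeping the account usable.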

Feb 10

As of the last quarter in 2009 it is illegal in Austin, Texas to post messages on social networking sites using a name other than your own (impersonating) with the intent to harm, defraud, intimidate or threaten.  In fact, it is now considered to be a third-degree felony.  This law is seeing quite a bit of favor from the Austin police as the department has been on the receiving end of a number of impersonations and attacks.  On the surface, this seems to be a law that is easy to understand and implement.  However, digging a bit deeper will show how this may not be as simple as we think.

Defining

Part of the problem with proving the intent lies in the definitions of harm and intimidate.  Harm is defined as physical injury or mental damage.  Physical injuries are simple enough to prove.  It’s not so easy when it comes to proving mental damage – mental damage to one person may simply be an annoyance to another.  Intimidation is another difficult concept to pinpoint.  The truest definition is to make timid or to fill with fear.  Again, we’re left with wide interpretations of what causes fear for one person and not another.  Some very clear definitions should be put into place in order to keep frivolous lawsuits from happening.  With very broad definitions, one could easily state that grievous mental harm was caused when in reality all that occurred was some minor annoyance, and since intimidation is very personal, just about anyone could claim they were filled with fear as a result of a faked posting.

Tracking

The next issue with this new law is the cost that could be involved in tracking the imposter.  There are hundreds upon thousands of programs available to the average internet user allowing him or her to fake his or her IP address, route through one of many proxies and generally make their digital path a lot more hidden and harder to track than one might expect.  And it’s even easier to just use a public connection at one of the local hot spots to do whatever anonymous and possibly nefarious things you wish to do.  With all the anonymity tools at the user’s disposal, how much money would be spent purely in the act of attempting to track the supposed criminal?  Will this sort of tracing be left to the owner of the web site or will a third party become involved?  And if a web site owner is considered responsible for this sort of activity, how will they need to protect themselves from possible legal action?

Broader implications

And where will it stop?  This sort of law inevitably leads to broader issues.  What is to stop the creation of a law where it simply is illegal to post out information with the intent of harming, defrauding, intimidating or threatening another individual all the while not being anonymous or posing as another?  Case in point, Perez Hilton.  Notorious for his scathing “reporting” of many celebrities in their not so great moments, postings by this man could be considered by many to be mentally harmful and threatening on many levels.  It’s all left up to the individual’s personal definition of harm and how it applies specifically to them.

Final Thoughts

Simply put, the more effective law would have been to make it illegal to impersonate another online, period.  Just as it is illegal to impersonate any official in “real life”, so should it be on the internet.  The way the law stands now, the monetary costs may be prohibitive and the frivolous suits to come may prove more than what the law originally intended.

Jan 26

The best way to know how one’s online business is doing is by allowing customers to leave feedback.  Many businesses are incorporating blogs into their web sites to not only disseminate information but to also engage with their customers.  While the gain is knowledge in what works and what needs to be fixed, the downside is the opening up of the floodgates known as spamming and trolling.

Spam

Spam is defined as the sending of unsolicited bulk messages.  This form of abuse can take place in a forum, Usenet newsgroup, wiki, instant messaging program, e-mail or blog.  The messages sent usually have no tie-in or bearing on the conversation at the time and quite often are used to sell a product or service.  The cost of such unrequested messaging is borne by the web site owners and ISPs (Internet Service Providers).  Fortunately, the growing trend has been to prosecute those found guilty of spamming online entities.

Troll

In the same vein but not for the same reasons, trolls are those who actively participate in online conversations with the sole purpose of creating controversy.  Trolls will purposely leave off-topic and inflammatory comments in the hopes of invoking an emotional response and thereby completely disrupting the conversation.  In its most basic form, trolling is simply a form of harassment.

Prevention

For the prevention of e-mail spam, many experts suggest a number of tips.  The first of these is creating an alias email address that can be replaced when needed.  This e-mail address can be listed out on public web sites and, should it become compromised, tossed and replaced with a new alias.  Never use the “unsubscribe” link that is quite often offered within spam e-mails.  These links are used to authenticate e-mail addresses and will ensure further spam will ensue.

To effectively prevent spam or trolls from infiltrating a web site, many web site software programs used for online communications will often come equipped with spam filtering or “comment jailing”.  A great example is WordPress.  This blogging program will allow web site owners to set all comments to being placed in a monitoring pool.  Once the owner has perused the comments recently left, they can be either approved or be marked as spam.  WordPress also allows web site owners to see the IP addresses used by spammers – great for reporting issues to ISPs should the need arise.

“Do not feed the trolls” is a phrase often used when faced with trolling behavior.  Basically, if the troll is ignored, they will eventually give up and move on.  However, if the behavior is having a negative effect on a web site and needs to be placed under control immediately, the use of post or comment moderating that is standard with most blog, bulletin board and other online communications programs should allow a web site owner to quickly and efficiently get things back under control.

Final Thoughts

The bottom line is that with a business web site that is geared toward communicating with its customers, spam and trolling will occur.  A bit of prevention and a lot of monitoring will go a long way to ensuring the issues do not get out of hand.

Jan 12

The search for a good web hosting company can be very confusing, especially with the ever increasing selection. Each company promises they are the best, so who do you believe? Before you can make your decision, you should know that all features are irrelevant unless the web hosting service offers top notch security. Before deciding on a web host you’ll want to make sure they are capable of keeping your website secure. The following terms will help you make your decision by letting you know what you should be looking for.

Secure Sockets Layer (SSL)

SSL is an encryption protocol that keeps all of your website’s communications, both incoming and outgoing, secure from intruders. The incoming information (credit card numbers, addresses, emails) is the most sensitive information and can be used by hackers to commit fraud with your customers’ information. For this reason SSL is one of the most important security features, and most online shoppers will not buy products or services from you if you do not have an SSL certificate posted on your website.

File Transfer Protocol (FTP)

FTP is a network security protocol that facilitates file transfer on both internal and external networks.  FTP is an important security feature because it gives the webmaster the ability to manage site accessibility and send files securely.

Secure File Transfer Protocol (SFTP)

SFTP is a stronger version of FTP, offering more of a guarantee than standard FTP by using a secure shell to transfer data over the internet and between networked computers. Serious business owners will want to make sure their web host offers this as part of their security package.

Firewall

Nearly every web host is protected by a firewall of some sort, however not all web hosts give the end-user access to the administrative functions of the firewall. If you are serious about the security of your website, then you will choose a host that grants customer access to the configuration of their site’s firewall.

Spam Filter

You may think spam is just a nuisance, however there are many hackers that use spam to plant nasty viruses on your computer. Among the bad things that can happen because of simple spam is phishing (password stealing), and even data loss caused by malicious software. Spam not only threatens the security of your website and the safety of your computer, it also consumes plenty of bandwidth and it clutters your inbox with unwanted messages. A spam filter will solve nearly all of the potential problems that are caused by spam.

Distributed Denial-of-Service (DDoS) Protection

A DDoS attack is a very well known and common attack executed by a hacker with access to multiple compromised computers. This attack is particularly dangerous because it can compromise an entire network of computers in a short period of time.  Every website on the server, including yours, will be affected detrimentally. In fact it is more than likely that the end-users will be affected the most by this type of attack. It is vital that you make sure your web hosting service has protection measures in place to prevent this kind of attack.

Jan 06

As an online business owner, the security of your website should be at the top of your priority list. Web hosting security is a field that is constantly evolving, with new threats developing every day. Just as you work hard on a daily basis to improve the quality of your website, hackers work just as diligently to circumvent the security measures put in place by your web hosting service provider. The detrimental effects of compromised security can range from minor to major. You may simply experience a short downtime/data loss, or you may even be the victim of fraud. One of the worst scenarios that occurs regularly is when a webmaster is blamed for fraud due to their website being hacked.

When the security of your website is compromised and an intruder gains access to your administrative interface, there is often no way for the defrauded client to distinguish between the actions of you and the hacker. This can result in the loss of your website, your business, lawsuits,  and in some cases even unjustified incarceration!

Fighting an Infinite Yet Invisible Threat

When you think of a hacker, you probably envision a young kid sitting in his mother’s basement typing extremely fast, trying to hack into databases manually. Unfortunately, this is not how hacking works in reality. Real hackers do not do tons of work manually, they use networks of “drones” to do their dirty work for them. These drones are personal computers that have been “hi-jacked” and are being used to carry out small individual tasks that ultimately compromise the security of a server or a network of servers. A single hacker can have as many as 20,000 drones, or more, carrying out pre-set functions at any time. In fact, your personal computer at home may be a drone! If your computer’s RAM is being consumed by a hidden application or “virus” then there is a small chance that your computer’s resources are being used by a hacker!

Resistant Viruses

Online viruses are similar to biological viruses, as they are constantly mutating and becoming stronger and more resistant to treatment. To prevent your personal computer from becoming the victim of a new virus, it is important to keep your anti-virus software updated.  Choosing a web hosting company that updates their security measures regularly will prevent your website from becoming a victim as well. This brings us to our next segment.

Security Capabilities of Your Hosting Provider

If you are like 90 percent of webmasters, then chances are your website is hosted by a third-party hosting service.  It is important to realize that many of these hosting companies are losing employees regularly due to the falling economy, and simply do not have the resources necessary to combat the ever-growing security threats in modern cyber-space. Since the security of your website is in the hands of a third-party company, it is important to make the necessary inquiries regarding their manpower, server capabilities and support staff. Choosing a cheap web host is not recommended for a serious online business owner.

An Example of a Serious Security Threat

Some hackers engage in the practice of “click stealing.” Click stealing is when a hacker places a redirect link over a button on your website, causing the information to be secretly sent to a third-party website. This is especially dangerous when the information is private financial information. An example would be an order form submit button. The hacker “steals” the click from the submit button, and the information is redirected to a phony web page that mimics the check out page of your website. This is a serious threat, and if you are using a third-party host it is important to make sure they are aware of this.

Resentful Employees

If you run a large online business with tech-savvy employees, it is important to change your site’s passwords and security configuration every time you fire an employee. Some employees may attempt to seek revenge if they are resentful towards your decision to terminate them.

Dec 01

Just when it seems as though malware and Trojan attacks could not get much worse, along comes yet another to toss a monkey wrench into the works.  The latest Trojan horse program to be released on the Web is the URLzone Trojan that attacks banks.

Is that your bank?

The URLzone Trojan horse program was discovered by Finjan Software at the end of September, 2009 and has been reported as being extremely advanced.  The program rewrites bank pages in such a way that unsuspecting victims have no idea that their bank accounts are being emptied.  With an integrated command-and-control interface, nefarious types can set specific amounts they would like to remove from their victims’ accounts.

Slippery little bugger

Not only has this bit of malicious coding gathered the interest of Finjan, but RSA Security has also been tracking and researching URLzone.  Thus far the Trojan horse program has proven to be a bit of a slippery one to catch.  The malware uses several techniques to peg machines being used by law enforcement and investigators in attempts to catch URLzone.  The one good thing to come of this is that the creators of the program know they are now being watched and are reacting.

Just how slippery is this Trojan?  Once it has detected it is being monitored, it continues to force a money transfer.  Instead of using one of its own people, it grabs a legitimate and innocent victim who has been part of legal money transfers in the past and makes it appear as though that person is generating the transaction.  The end result is a bunch of very confused investigators.

To date, over 400 unsuspecting accounts have been used as mules, over 6,400 computers have been infected with URLzone, and the total amount cleared on a daily basis has been in excess of $17,500.

How does it work?

How does URLzone work its way onto unsuspecting computers?  Once the malware executes, a copy is made of itself to c:\uninstall02.exe.  An ID is created and this is sent along with a version ID of URLzone to the command-and-control interface.  This effectively sends a confirmation that the machine in question is now infected with the Trojan.  The command-and-control interface then logs the information, downloads a new executable, and copies itself to the SYSTEM32 directory with a random and hidden name.  The program does not change any existing system files and needs to add itself to the startup registry each time the machine in question is rebooted.

At this point, URLzone hooks itself to the svchost.exe process and quietly checks with the command-and-control interface for new updates and commands while simultaneously watching for web browsers to open.  Once a web browser is opened, the Trojan horse program goes to work and the unsuspecting computer user is completely unaware anything is happening.

Final Thoughts

All in all, the URLzone Trojan horse program is one nasty piece of work.  The best defense any computer user can take is ensuring that their operating system is up to date with the latest security updates and their anti-virus protection software has been recently updated with all the latest information.

Nov 11

Being hacked is one of the unfortunate facts of life for a web site.  Of the most heavily attacked, open source and commercial CMS (Content Management Systems) programs are at the top of the list.  Secure information such as credit card numbers, banking information and other confidential items could be leaking from one’s own web site and often one wouldn’t even be aware of it.  How can web site owners combat this constant barrage of attacks and security leaks?  Simply by utilizing security software that incorporates itself into an existing CMS setup.

CMS programs covered

SecureLive is a CMS security tool that easily incorporates into many major CMS programs – WordPress, Joomla, Magento and more.  The products offered by SecureLive seem to be more heavily geared toward Joomla but it appears as though the company is striving to ensure as many different CMS and PHP programs normally used are included.  One CMS program that it does not work with just yet is Drupal.  However, support for Drupal is pending and should be released soon.

Live monitoring

This program works in real-time and is a live monitoring service that increases the security for web sites containing secure information.  As soon as a web site has been attacked, SecureLive immediately sends a notification of the attack to the server administrator.  Information regarding the attacker is captured and saved.  A notification is also sent to the SecureLive staff enabling them to file a report with the appropriate entities so that immediate action can be taken against the attackers.  All alerts and notifications can be sent either by text messages or emails.

Products offered

SecureLive offers ten different products to suit specific needs.  There are products specific to online blogs, shopping carts, forms, forums and analytics.  All separate software programs run $197 each.  If needing a complete system encompassing all different aspects of an online web site, SecureLive offers SecureLiveMax.  At $497, this software is a combination of other products offered – SecureBLOG, SecureCART, SecureFORM, SecureFORUM and SecureANALYTICS.

Add-on services

Beyond the actual programs offered, SecureLive also offers add-on products.  SecureLive PLUS is an add-on that places a dedicated admin within one’s system to allow for system adjustments and quick follow ups on site security violations.  For a complete server security optimization, the company offers SecureRX as another product add-on.  For those who have had the misfortune of already being the victim of an attack, SecureLive also offers SecureRESCUE – a de-hacking service that repairs a hacked server and gets it back online as soon as possible.

Support

The SecureLive web site has a few areas one can utilize for support should it be needed.  The support forum area and Q&A area seem to be rather sparse but the company does offer a toll free support number to call.  Perhaps as the product grows and becomes more well-known, the support sections for the company’s web site will be expanded.

Conclusion

As threats and attacks to web sites increase on a daily basis, growing not only in number but sophistication, the need for employing good security measures is paramount.  One of a business’ most important assets can be their online web site – ensuring good customer relations, gathering new customers and getting their product or service out there for the general surfing public.  Putting into place a good, solid security program to safeguard not only the web site but the secure information that is entailed with customer relations is just good business sense.

Oct 30

Recent statistics released by Dasient show there has been a rise in malware being hosted on web sites – many of these sites are unknowingly spreading the malicious software.  Dasient states that over  640,000 web sites are infected with malware.

Blacklisting by Google

As a result of this sudden rise, Google’s blacklist of infected sites has doubled over the past year.  How does a site end up on Google’s blacklist?  There are several reasons for Google to blacklist a site, but insofar as it pertains to malware, the culprit is doorway pages.

Parading as a doorway page

A doorway page is a page created specifically for search engines.  Anyone visiting a doorway page would be completely unaware of it as they are designed to be invisible to the regular visitor.  These doorway pages are keyword rich specifically targeting each search engine.  The malware being placed on unsuspecting web sites creates exactly this type of blacklisted action.

How malware is placed within the site

Exactly how are these pieces of malicious software being placed into unsuspecting web sites?  They are created using javascript and iframes and are inserted into web site advertisements or even widgets.  In the case of infected advertisements, the ads are designed in such a way as to fool the average user.  The usual modus operandi is to pop-up and flash a warning that the user’s computer might possibly be infected.  Once the unsuspecting user clicks on the ad in any way (either by clicking “OK” or “Cancel”), they are immediately redirected to a web site that sells anti-virus software.  The reality is the user’s computer is perfectly fine and they have been a victim of “scareware”.

How to prevent malware attacks

How can web site owners prevent their web sites from being attacked by malware creators?  One straightforward way to fend off possible attacks is to not use javascripting within the web site.  Another simple tactic is to remove any PHP scripting that requests user input.  Such scripting can often be exploited using SQL injection tactics.  Placing tighter security rules within the server PHP.ini and htaccess files is also a very good step.

How to repair if already attacked

What if a web site has already been attacked?  If the web site is small, a file by file clean-up can be done.  A thorough search of each file for any unwanted javascript code or iframe coding will have to be done.  However, if the web site in question is rather large and extensive, contracting a service that specializes in web site malware removal may be the best option.  There are a few places that can be found on the web that would be able to help should a web site already have this malware infection.
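The file-by-file search described above can be partly automated. The following is an added example, not code from the original post: it parses each file's markup and lists iframes that are hidden from visitors and any iframe or script loaded from a host the site owner has not approved. The allowed host names and the sample files are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute values and inline styles that make an iframe invisible to visitors.
_TINY = re.compile(r"^\s*[01](?:px)?\s*$", re.I)
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.I,
)


class InjectionScanner(HTMLParser):
    """Collects iframes and scripts that a site owner should review by hand."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line number, tag, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attr = {name: (value or "") for name, value in attrs}
        line = self.getpos()[0]
        # Relative URLs have no hostname and are treated as the site's own.
        host = urlparse(attr.get("src", "").strip()).hostname
        if host and host.lower() not in self.allowed_hosts:
            self.findings.append((line, tag, f"off-site src host {host}"))
        if tag == "iframe" and self._is_hidden(attr):
            self.findings.append((line, tag, "hidden iframe"))

    @staticmethod
    def _is_hidden(attr):
        if any(_TINY.match(attr.get(dim, "")) for dim in ("width", "height")):
            return True
        return bool(_HIDDEN_STYLE.search(attr.get("style", "")))


def scan_site(files, allowed_hosts):
    """Scan {filename: markup}; return {filename: findings} for flagged files only."""
    report = {}
    for name, markup in files.items():
        scanner = InjectionScanner(allowed_hosts)
        scanner.feed(markup)
        scanner.close()
        if scanner.findings:
            report[name] = scanner.findings
    return report


# Assumed allow-list and constructed sample files (not taken from a real site).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
SAMPLE_FILES = {
    "index.html": """<html><body>
<h1>Shop</h1>
<script src="/js/cart.js"></script>
<iframe src="http://ads.invalid/banner" width="0" height="0"></iframe>
</body></html>""",
    "about.html": """<html><body>
<script src="https://www.example.com/js/site.js"></script>
<iframe src="/map.html" width="400" height="300"></iframe>
</body></html>""",
    "widget.php": """<?php include 'header.php'; ?>
<div class="widget">
<script src="//cdn.widgets.invalid/w.js"></script>
<iframe src="/promo.html" style="visibility: hidden"></iframe>
</div>""",
}

if __name__ == "__main__":
    for name, findings in scan_site(SAMPLE_FILES, ALLOWED_HOSTS).items():
        for line, tag, reason in findings:
            print(f"{name}:{line}: <{tag}> {reason}")
```

The scan covers static markup only; inline script with no `src` attribute and markup produced by PHP at run time still need a manual read.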

Conclusion

All told, it is a good practice to eliminate javascript and PHP coding that requests user input.  Continuous vigilance over the security of one’s web site, unfortunately, is a fact of life.