Skip navigation
2013

QAtendellhacker_Body.jpgby Erin McDermott.

 

Charles Tendell is often the guy you wished you had called sooner. He’s what’s known in the cybersecurity business as a “white hat hacker”—an expert in the ways malicious hackers try to breach computer systems, who also helps teach businesses how to keep them out. (Think of a Lone Ranger for the Internet era.) Writer Erin McDermott recently talked with Tendell, a Denver-based certified ethical hacker, about protecting small businesses, the challenge of social media, and outsmarting the bad guys.

 

 

EM: How did you get started? How do you become an “ethical hacker”?

CT: I got into computers at a pretty young age. My dad brought home our first computer and told me not to touch it—and that was, by far, the biggest mistake my father ever made. I learned my way around the keyboard very quickly, and this was back in the days before we had graphical user interfaces and you had to know the actual command line. As I grew up, I was pretty malicious in high school—I was into the school’s systems, the library’s. If I could get into it, I got into it. I joined the Army right out of high school.

 

I was self-taught about a lot of the security things I did and the Army gave me the opportunity to go to school, so I got a degree in information systems security. I was in the Army for about six years and did computer forensics, penetration testing, and security architecture for the military police, the military Criminal Investigative Division, the Air Force, and Marines. I helped design security implementations for the 82nd Airborne Division. After I got out, I continued my education, but I worked with companies like Lockheed Martin, Boeing, and a lot of small companies. Then I started a few investigations firms, like what I’m doing now. Along the way, I’ve teamed up with the EC Council to get their certified ethical hacker designation.

 

EM: The word “hacker” makes some people nervous, even though there are good hackers as well as bad ones. How are “ethical hackers” monitored to be sure they are on the level?

CT: They monitor my activity—I have to give them my continuing practical education points, that show I’m authoring a book or reading this or took this training course. Without those, they can take my certification from me. Beyond that, say you and I are talking and you ask me to do something unethical and I actually do it. Or if you catch me doing something unethical. You can report me to EC Council and they’ll do an investigation, but over the course of the investigation they’ll also suspend my certification. If they do find that I violated the code of ethics, they’ll rescind it and I’ll no longer be able to call myself a certified ethical hacker.

 

EM: Anyone who wanted to hire an ethical hacker would be able to verify that you and your colleagues are, in fact, genuine good guys? Is there a website?

CT:  With EC Council, you actually have to submit a request in writing. As a security professional, we’re all, well, mildly paranoid [laughs] so privacy is a big deal. But if you submit your request in writing to verify my information, they will respond back and can say he or she is indeed a certified hacker, from this date, and in good standing.

 

QAtendellhacker_PQ.jpgEM: What happens when you get hired by a small business?

CT: There are two types of clients. There’s the pre-hack client, who just feels they’re going to come under attack and maybe just need to tighten security or get started with a security program. And then there’s the post-hack client, who has been breached and has some information that has been posted online or they’ve had some proprietary information or some intellectual property stolen. They want to know how it happened and what their recourse is.

 

For the pre-hack clients, I’ll come in and meet with the leaders of the company and find out what security means to them as an organization, what their situation is and what they’re worried about protecting. From there we’ll work together to design a roadmap for security implementation. We’ll do a risk assessment, a gap analysis, and a vulnerability assessment to see what holes might potentially be in their infrastructure. We’ll do a penetration test to verify any vulnerabilities we can validate. Then I’ll show you how to patch those holes.

 

For the post-hack clients, all of the same processes applies except now I’m tracing back the source of your breach and guiding you down the path of where it went, and here are some of your potential legal avenues. I’m not an attorney, so I can’t give legal advice. In both cases, I get to what’s called a “black hat test,” where the client gives me as little information as possible: “Here’s my URL and here’s my phone number. See what you can get.” Those are a lot of fun because I get to do all of the research and pretend to be the bad guy. Then there’s the “gray hat” one, where they give me their entire network structure and say: “Just tell me what we’ve got.” That’s a little less fun because there’s not as much investigation involved. In both cases now, small business owners are worried about mobile devices.

 

EM: What are you seeing with mobile devices?

CT:  A lot of companies are now using a BYOD—Bring Your Own Device—policy. They’re saving themselves money by allowing their employees to use their own mobile devices and letting them connect them to email and company WiFi. A lot of breaches are happening because you get the cats with the jail-broken phones or the rooted Androids who can circumvent certain security mechanisms on your network and potentially infect you with malicious software.

 

EM: If you’re using your laptop to do a lot of things besides financial transactions, there are reports that there are entry points to your computer through sites like Twitter, Facebook, a webcam, etc.

CT: Absolutely. A lot of small business owners, I’ve found, buy one computer and want to be able to do everything from it. But they mix business and personal. They get a business Twitter or Facebook account and they still use it like they would their own personal computer. They go to websites they might not want to go to where they can potentially pick up malicious content or malware. They download files without really thinking about everything. And they don’t really have the back-end protection to prevent some of the attacks there. A lot of people will say they’ve got antivirus software that’s up to date or all these other protections, but there are ways for hackers to make those what’s called “FUD,” or fully undetectable, by your antivirus system and they can honestly infect you.

 

One really big mistake that a lot of business owners use is making their Twitter password the same as their Facebook password, which is also the same as their email password, which is also the same password to their local machine. A lot of these online social media are designed to be as user-friendly as possible. But on the security end, there’s a triangle that goes Security, Functionality and Ease of Use. As you get closer to any of those pillars, naturally you move away from the others. A lot of social media sites are more geared toward functionality and ease of use, so security isn’t necessarily the top of their list. And it’s far easier to compromise a Twitter account than it is an enterprise email exchange that’s fully patched.

 

EM: So say I’ve got a bricks-and-mortar store along with an online shop. What are the biggest mistakes for me to avoid?

CT: Aside from not duplicating passwords, and keeping your antivirus and anti-malware software on your machine updated? Be very wary of public WiFi—if you’re going to be doing any transacting there. In social media, if you get an email or message that contains a link in it, even if it’s from your friend or appears to come from someone you know on Facebook—sometimes it may be a photo or a link to a survey there—contact the person who sent it, via another method, before you click on it. In recent months, I’ve seen a lot of people send out that “I Just Won This Great Vacation!” post. [Laughs] I will instantly call or text that person and tell them I think they’ve been compromised and this is what they need to do right away. I take those links into my “sandbox” and oftentimes, sure enough, it’s been what’s called a drive-by Java infection. You click the link and your browser will download a remote-access Trojan, giving an attacker full access to your machine. So, be wary of people sending you links.

 

Be very, very, very cautious of any type of link, even if you see a message from Facebook’s security center, that says click here to log in or click that link. If it’s telling you that you need to re-log in to that account or go somewhere to take any kind of action, type the URL in yourself or go to Facebook.com and log in normally. Facebook will get you to your message box and you can deal with any security issues there. As often as possible, don’t click the link, especially if it takes you to a log-in page—avoid logging in there. There are ways where hackers are able to do credential harvests, so basically you’ve just given them your log-in and password even though it looks legitimate to you. But somewhere, someone sitting at a terminal just got your Facebook password.

 

EM: Social media must be a nightmare for the people in your business. Although I suppose it has created a lot of work, too?

CT: [Laughs] It is both a blessing and a curse. It’s got its good things, but when you don’t use it appropriately it’s also got its negative things. A lot of small business owners get the advice that they need to be using social media and all these different avenues to promote their business. And that’s all a small business owner is thinking about—the bottom line. How can I promote my business? How can I increase my revenue? So they jump on these things and security is an afterthought. Their accounts get compromised and send out all these different links, people click on it, and until that happens they’re not really thinking about it.

 

EM: This has to be pretty exhilarating work for you at times.

CT: It’s good to see the ‘Aha!’ moment. It’s even better when clients ask me to do an assessment or an investigation and they implement the things that I recommend. Then someone tries to hack them again and fails. And then I can show them this is how it was foiled, this is where the attacker came from, this is what they were using—they love that. And I love being able to save the day like that.

 

Disclaimer: The opinions expressed are solely those of the author and interviewee. You should consult a qualified professional to assist you in developing and implementing sound security policies and practices.

DigitalSecurity_Body.jpgby Erin McDermott.


Small business owner, you’re not paranoid—everyone really does seem to be out to get you, judging by recent cybercrime reports.

According to the U.S. Secret Service and Verizon’s forensic analysis unit, in 2009 27 percent of corporate-data breaches involved companies with 100 employees or fewer. In 2010, their analysis put that figure at 63. The most recent data, for 2012, found that a whopping 85 percent of all data breaches targeted small companies, with some 96 percent of those hacks deemed to be “not highly difficult.” Small businesses’ computers are so enticing to criminals that they’re now a go-to crime target. In fact, law-enforcement experts recently told the Wall Street Journal that the number of U.S. bank robberies has decreased as thieves have moved on to easier prospects, like hacking into small companies’ financial networks.

In part, this growing number of breaches at small businesses is a result of criminals discovering that many have very weak security due to limited budgets and small or no technical staff. The cost of all of this cybercrime has been hard to measure—many victims are unaware that they’ve been breached. Security software maker Symantec pegged it at $388 billion worldwide in 2011, though those figures have faced scrutiny.    

What can you do to start making your enterprise a harder target? Here are some of the easier steps that experts say you can implement to make your office’s technology a tougher nut to crack.

1. Watch your point of sale systems. In the Verizon report, food, beverage, and hospitality businesses sustained more than half of all the reported attacks in 2012. The reason: Hackers around the world have been finding IP addresses that stem from remote credit-card readers and determined that many have easy-to-crack passwords. With numerous staffers needing such codes to process payments, passwords are often written right on the machines—so that even passing customers can see them. Once cracked, POSs have been used to steal customers’ credit card information and resell it on the black market. (The Verizon team was so alarmed, they made a clip-and-save note that customers can hand to waitstaff with their cards—Page 62 of the PDF.) Be sure to re-set the password after installation on all of your Internet-facing devices, change them frequently, and never use them to browse the Web.


DigitalSecurity_PQ.jpg2. Be smart about WiFi. At the office, stop broadcasting your WiFi network ID and protect it with a strong password. This will make the network more difficult for bad guys to spot and can even help keep them out if they find it. Companies that have guests can invest in affordable dual-network routers and create an unprotected guest network. If you’re on the road and have to use public WiFi, like at Starbucks, McDonald’s, or a public library where it’s impossible to control the network, consider using VPN to secure the connection between your computer and the office.


3. Erase your photocopy machine’s memory. Now this is scary. If you lease a photocopier, multipurpose fax/scan/copy combo, or just bought your own, it turns out that these machines have quite a memory—since the early 2000s, everything printed gets stored on the hard drive of photocopy machines. (Watch this CBS News investigation.) If you’re leasing and switch one out for an upgrade, you should know that many of these multi-function peripherals (as they’re known) are often resold overseas, containing a log of every document you ever printed, faxed, or copied. Even if it is scrapped, you can still pull out the hard drive and download all information within, which could include Social Security numbers, medical information, employee records, and who knows what else. Consider (again!) strong passwords for users, securing network access to the machines, and keeping the hard drive from copiers you’re trashing.


4. Shred everything.


5. Install security software on everything and update regularly. It’s not just PCs and laptops that you need to worry about: Tablet computers and smartphones also need protection. (Forget the myth that Macs are safe from being compromised.) Deploy antivirus software on all of your devices and ensure that everything, servers included, is configured to automatically check for updates daily and keep definitions current. And sign up for the FBI’s email alerts about new online scams to stay informed.


6. Know who you’re dealing with. Got a service person working inside your business or near your technology? Be sure to make a copy of their credentials, get their photo, and don’t hesitate to verify their identity with their company. Establish a sign-in process for visitors that need access to secure areas (e.g. computer equipment rooms), keep a trusted escort with them, and, sad to say, watch out for impersonators of authority figures. Never allow customers to use your computers, laptops, tablets, or cellphones.


7. Argh!x99, those passwords. Change them once a month, don’t repeat them, and individualize them for each machine.Strong passwords have upper and lowercase letters, numbers and punctuation marks, and don't use common names, dictionary words, your children or pet’s names—or anything easily discovered in a Facebook profile. Think about two-step authentication, which would turn text messages into a verification-code token.

SpamSickness_Body.jpgby Jennifer Shaheen.


If your business has a website, you are very familiar with the irritating, sometimes embarrassing phenomenon of spam. Annoying commercial messages that promise everything from free money to a more organized kitchen, spam can show up in the comments section on your company blog, on any social media presence you maintain, or be delivered directly to your in-box.

 

There’s no question that spam is unattractive and irritating, but did you know it can also hurt your business? Spam can make your website sick, infecting it with viruses that expose your customers to all kinds of harm, from computer damage to identity theft.

 

Why spam?

“Spam is any type of deceptive advertisement,” says Anirban Banerjee, co-founder of Stop the Hacker, a SaaS firm specializing in web malware, security, and reputation protection. “It could be any content that is not related to the theme of the site, or relevant to the website visitor but is intended deliberately to advertise or sell products without the express knowledge of the website owner, he explains.

 

Considered with a critical eye, it’s hard to believe that spam sells anything. Poorly spelled, erratically punctuated—it doesn’t seem like the type of messaging strategy that would encourage anyone to break out their credit card and buy. Yet the sheer volume of spam messages— Askimet, a spam filtering service, says it recently stopped nearly 90 million spam messages in just one day—indicates that there’s tremendous effort being put into spam distribution. What’s the reward?

 

“They want to increase their search engine rankings,” says Adam Harvey, Technology Director at Glad Works, an advertising agency. “Good search engine rankings result in the spammer's commercial site being listed ahead of other sites for certain searches. That raises the number of people who will visit the site and perhaps become paying customers. Many search engine ranking algorithms base page ranks at least partially on number and rank of referring links, so the more comments ‘out there’ that link back the better.”

 

In other words, every spam comment that makes it onto your company website gives the spammer a tiny SEO boost. And the longer the comment remains in place, the longer the spammer gets the benefit. The cumulative result of millions and millions of spam messages can be enough to propel a spammer’s website into an attractive position. Customers consistently choose from the first handful of results of any search inquiry. The sites they find are professional productions, bearing little resemblance to spam messaging.

 

From irritant to infection: enter the virus

Spam is always a problem, but it becomes a really big problem when the messages infect your site with a virus. Spam is not a primary delivery mechanism for viruses—the bad guys tend to hack into a site through weak passwords far more often—but it is a potential route to infection.

 

“It used to be that only blogs were experiencing problems with spam,” Harvey says, “but now any form on the web that takes input can get hit.” Customer data collection points are vulnerabilities. Anywhere that you’re inviting people to leave comments, request more information, schedule a consultation, or engage further with you is a potential penetration point for a virus-laden comment.

 

SpamSickness_PQ.jpgProtect yourself with best practices

“It's not just The Good Guys who have access to the code which runs your site,” explains Bud Kraus, Chief Education Officer for Joy of Code, a web design training firm. “The Bad Guys know the source code too and know where your site is vulnerable to attack.”

 

The only absolute method to eliminate the risk of spam-delivered viruses is to eliminate input forms from your site—but closing this door to customer engagement may not fit your business model. With that in mind, there are best practices you can use to minimize the risk, including:

 

1. Choose strong passwords

“Passwords are key. It’s tempting to use the same password for everything we do because that’s easy to remember, but it’s a practice that leaves us very vulnerable to hacking,” Harvey says. “Not only should you change your passwords frequently, but you should also be sure to use a mixture of numbers, symbols, and letters—perhaps even passphrases.  You want to be as frustrating as possible to stop hackers.” 

 

2. Update your website & antivirus software

“If you run a web application such as Wordpress, keep it updated. Most of the security issues we handle are due to web site owners failing to update their software. Join the software vendors mailing list,” recommends Jeff Huckaby, CEO of RackAID, a server management company.

 

Antivirus software should be kept up to date on all computers used for your business. Make this very clear to all of your employees. If they’re using an unprotected laptop to work on your website, you’re vulnerable.

 

3. Use a malware monitoring service

Malware monitoring is the equivalent of a flu shot for your website. Just like there are many strains of the flu, there are many types of computer viruses. A good monitoring service will regularly scan your website, identify any infection, and resolve it promptly.

 

4. Choose CAPTCHA

Spammers have been developing ways to outwit CAPTCHAs—the small boxes where website visitors need to enter a few characters or solve a simple puzzle to prove they’re human—but the technology still has merit. CAPTCHAs won’t stop all spammers, but they do significantly reduce the volume of unwanted messages that do get onto your website.

 

5. Backup, backup, backup!

Adam Harvey’s heartfelt advice for the small business owner: “Make frequent backups of your server files and your database. If you update your website every day, make backups every day. Remember it’s not the backup that earns the money: it’s the restore.”

 

6. Work with your website provider

“Web sites are not Ronco Rotisseries. You cannot simply set it and forget it—unless you hire the right team,” Huckaby says. “While that $100 a year budget hosting plan may sound great, you will likely be responsible for keeping everything updated and secure. Just as you would not skimp on good legal or accounting advice, do not skimp on good web advice. A security breach will not only cost money to clean up, but could cost you your customers.”

 

Choose a web company based upon their ability to provide three levels of service: site design, functionality, and security.  Make sure to ask your team about when and how updates are performed. You want to know what default settings have been changed to enhance your site’s resistance to viruses, including back-end and database passwords.

FBGraph_Body.jpgby Erin McDermott.

 

Your small business’s Facebook page is about to need a makeover.

 

Graph Search, the social network’s new internal search engine, is aiming to take away some of Google’s dominance by tapping into information that’s more personal to its one billion-plus users. The key question: Will people trust their friends more than the links Google’s search algorithm produces?

 

The new element is slowly being rolled out—so far, about five percent of users have access. But an early look at the technology shows why it may be a powerful tool for small businesses. Graph Search harnesses information that real people take their own time to post, identifying themselves along the way with the things that make them happy. The results could lessen the value of strangers’ opinions on service-review sites like Yelp, Angie’s List, Zagat, or TripAdvisor. After all, who would you prefer to listen to for advice about a business, an anonymous poster or a friend you’ve known since the sixth grade?

 

Think of Graph Search like this:

 

I’ve lived in my town for just a few years and I’ve come to rely on the advice I get from my hair stylist. Tiffany is not only a small business owner and wizard with color charts, she has always steered me right about other local things, like finding a reliable mechanic and the difference between October’s annual beerfest and brewfest (skip the beerfest).

 

Tiffany is also a Facebook friend of mine. When I recently got access to the Graph Search beta, I tested it with a question I might otherwise pose to her: I was seeking a pediatric chiropractor. The top result was a nearby office’s Facebook page—and there was Tiffany’s little profile picture below it. That’s because she became a fan of the chiropractor’s page, giving it her virtual recommendation. This is where my real and digital worlds collided.

 

What else can you now see?

 

From the new search prompt, once you type something like “People Who Like…” followed by the name of any business on Facebook, it opens a window into the profiles of everyone with that shared affinity, not just your friends. If that affinity happens to be you and your small business, you’ll see a scrolling list of all of the customers who consider themselves your fans, complete with other things they say they like, such as tastes in music, organizations, or what they watch on TV. You can even see if they have some affection for your competitors. One step further: Try typing in “People Who Visited…” followed by the name of your business and you’ll see who has checked in after saying they’ve come through your door. Within these lists should be the clues you need to figure out how to get these clients more engaged with your social media—and by extension, your business—and to become more visible to their friends, and potential new customers.

 

FBGraph_PQ.jpgThere are also going to be major questions about privacy, as with anything involving the massive social network. One example: A search of “People Who Work at XYZ Café” would bring up the profiles of any employee who identified themselves on Facebook as being part of that business. Paul Crossman, a marketing specialist for social media at Cybermark International, says the new search exposure could shed unwanted light on employees’ postings, particularly if it’s offensive material or conflicts with the company’s mission. One other interesting tool: Change the search terms to “People Who Used to Work at XYZ Café”, and the ranks of former employees pop up. (Check out this spot-on thinkpiece about privacy and other hurdles facing social search.)

 

It all could dramatically expand a business’s footprint on Facebook. Here are a few early tips from the pros about Facebook Graph Search optimization:

 

Make a Facebook profile, even if you don’t intend to use it. Local searches are going to bring up your business whether you like it or not. Take the time to make sure your URL is right, the phone and physical addresses are accurate, and you’re listed as being in the right industry. Even some old-school shops generate dozens of likes in some cases, outranking tech-savvy newbie competitors in small markets. Plus, claim your stake so that a hacker (or rogue competitor) can’t hijack it.

 

Fill in all of the blanks, the more the better. Make sure your “About” section is completely and accurately filled out, with all of the pertinent details and SEO-friendly search terms. “The more check boxes you have checked as a small business means the better chance you have of showing up in results,” says Cappy Popp, a principal and co-founder of Boston-based Thought Labs, a social media strategy advisory group.

 

Location data is very important. Like the hyper-local search that Google, Yahoo, and other giants are pressing, Facebook Graph Search—and the social network’s advertising setup—will be targeting even the smallest businesses—the enterprises that users see every day. A search for something like “Italian Restaurants Nearby My Friends Like” or “Flower Shops in North Jersey” will show the spots closest to users, so getting your business on Facebook’s map will be crucial. If your business has multiple locations, now’s the time to consider claiming and setting up a page for each of them and adding relevant information like each location’s hours of operation. That way, consumers can find individual locations in Graph Search results, rather than just your brand or main location page.

 

Likes will matter more, and so will check-ins. Under Graph Search, Popp says Facebook’s EdgeRank algorithm for users’ news feed will calculate the timing of fans’ engagement a bit differently. While the equation once favored the reaction to the most recent content, now “likes” will never go away. “If I do a search on ‘Restaurants My Friends Like,’ the results of that will stay static forever,” Popp says. “The more likes you can get as a small business means, by far, you have a better chance of showing up in those search results.” So encourage people to like your Facebook fan page in your physical store and encourage them to also check in. Provide online coupons (through Facebook) that if they like your fan page, they get a certain percentage off their next visit.

 

Engaging content will remain paramount. The formula won’t change for what draws people to your social media offerings. Frequent posts of relevant and attention-getting information, photos, and offers are the lifeblood of Facebook for small businesses. The more your fans interact with your business on Facebook by liking, commenting on, and sharing your posts, the higher your EdgeRank score will become. And the higher your score, the more likely you are to show up in your fans' news feeds. By taking a look at the newly displayed interests of your fans, it will be easier than ever to see what might draw them to your business. For instance, Kate Dinkel of Cybermark suggests taking a look at the musical interests of your followers. If you notice a number of them are Beatles fans, why not play the Fab Four in your shop? Is there a band that many of them like that is coming to your town? Get tickets and run a contest for your customers. “I think it will be more about content now,” Dinkel says. “You need to be sure that each individual post has positive feedback. It’s also going to be better for promotions—and you’ll be better able to see what your clients really want and you can gear those promotions toward that.”

 

Think a lot about privacy, too. Access to this new treasure trove may be a delicate thing for some customers. Privacy settings on Facebook are always evolving and many users take months or years to adjust to their comfort level. So just because you have access to all of this new information doesn’t mean you’re now best pals with the fellow who stops in to your shop once a month. Over-familiarity can be killer and cost you a fan, and a customer. Keep the long view of what your demographic is—that’s what the “Graph” part is all about.

Filter Article

By tag: