Stop! Thief! Online Identity Theft

How Your Identity is Being Stolen

If you’ve had your identity stolen, you know the problems it can cause. Even a simple unauthorized use of a credit or debit card can cost you hours upon hours of frustration, sometimes tying up needed funds. The U.S. Department of Justice says about 18 million people per year are victims of at least some form of identity theft. While many of these thefts are conducted on a massive scale, others are far more targeted. We may picture these attackers as sophisticated technological wunderkinds or as scammers operating from overseas, but often the story is much closer to home and much more individual. In some cases it isn’t all that complicated: in one recent, highly publicized case, attackers obtained confidential data from a server that was still using the default “admin” username and password, which had never been changed.

Stopping identity theft starts with understanding how thieves get your information.

Data Theft from Large Companies

This is the most publicized area of identity theft because it affects so many people and because the theft is out of our individual control. Data breaches have occurred at companies ranging from retail stores to, most recently, a major credit reporting agency. To conduct commerce today we must be connected digitally, and these consumer-oriented companies need to verify identities. This means our personal information sits on massive servers that are available not only to authorized employees and management but potentially to technical contractors and, of course, to attackers.

Skimmers

If you’ve ever used a credit or debit card at a fuel pump, grocery store, retail store, ATM or elsewhere, you may have been exposed to a card skimmer. These skimmers, or “card readers,” commonly fit over the original card slot or insert without interfering with the transaction. The skimmer reads the data from your card’s magnetic stripe and either stores it to be retrieved later by the thieves or transmits it wirelessly to a nearby device. In some cases, cameras are mounted on or near the terminal to capture the PIN you enter. Some skimmers use overlay pads that fit over the original keypad to capture your PIN. While EMV chips are designed to limit this kind of theft, most chipped cards still carry a magnetic stripe so that they work in terminals without chip readers, and the stripe can be skimmed in exactly the same way. Skimmers can be difficult to detect, so inspect any card terminal closely before use and try to wiggle the card slot to see whether it is the original. Cover the keypad with your other hand when entering your PIN and make sure no one is looking over your shoulder.

Phishing

Phishing is one of the original forms of identity theft in the digital age, although today it is more sophisticated than ever. Phishing usually involves the thief sending out a large volume of bulk or spam email, “fishing” for a bite. These emails may urge you to update your personal information and direct you to a fake website where you are encouraged to type in your personal information yourself. These fake websites often include the company’s name somewhere in the URL and are designed to closely mimic the company’s real website. Phishing lures may also claim you have an inheritance, have won a contest, or offer some other financial incentive in exchange for your personal information. Judge a link by the actual domain shown in the address bar, not by the presence of a familiar name somewhere in it, and never follow a link in an unexpected email to a login page.

Vishing

Vishing is essentially voice phishing, conducted over the telephone. The caller will often pose as a representative of a bank or credit card company and use suspected identity theft as the pretext for the call. They will then ask you to “verify” your personal information. Never do so. Instead, hang up and call your bank or card issuer directly, using the number printed on the back of your card or on your statement, and ask whether your information has been compromised.

Social Media and Internet Searches

There is already a great deal of data about you on the internet without adding to the problem voluntarily on social media. Many users openly display their birth dates, email addresses, places of work, education, work history, and even phone numbers and home addresses online. Thieves can easily pose as a “friend” to get even more, and those same details (birth date, mother’s maiden name, first school) are often the answers to account security questions. If you use social media, be careful what data you make available and make sure only people you have actually invited can see your profile.

Handing Your Credit Card to Someone Else

When you hand your credit card to a server at a restaurant or a clerk at a hotel, or even let a family member borrow it, you are increasing the odds of identity theft. The front and back can be quickly and discreetly photographed, videoed or copied for unauthorized use. Counterfeit cards can be created from the data on your magnetic stripe, and all it takes is a simple card reader that plugs into any computer.

Trash

If you don’t have a paper shredder, get one and use it. Many identity thefts come from your trash that contains personal mail and account data from banks, credit cards, and even tax forms. A credit card statement alone contains a wealth of information that when combined with just a few more pieces of info can lead to problems. Pre-approved credit card offers are a must-shred item.

Regular, Old Fashioned, Theft

When you realize how much personal information is contained in your wallet, your cellphone and even your car’s glove compartment, you will take better steps to protect it. Protecting your cash and credit cards isn’t enough today, not when thieves find your personal information just as valuable, if not more so. Always know where your phone, wallet and personal documents are.

Being careful about identity theft is not paranoia; it is prudent. Be cautious about how and where you share your personal data, including on cell phone calls in public places. Only enter personal information on websites whose address begins with https (HTTP over TLS, often still called SSL), which means the connection to the site is encrypted in transit. Note that https only protects the data on its way to the site; it says nothing about who runs the site, so check the domain name as well. If you run an e-commerce website, make sure you are protecting your customers’ information the same way, with TLS on every page that handles it. Be cautious and minimize your risk of identity theft.

The Serious Business of Guarding the Images Used on Your Website

For those of us who lived through the early, “Wild West” days of the internet, the frequent lawlessness of the experience is easy to recall. It was not at all uncommon to come across “sharing” websites distributing music, images, films, software and other intellectual property without the authorization of the rightful owners. This was, and continues to be, theft, pure and simple. It didn’t take long for lawyers to get involved. Courts quickly came to treat online infringement of intellectual property as theft, no different in principle from stealing someone’s car, and companies from software producers to movie production houses began pursuing those they suspected of it.

While such dark places are still available online, more and more companies and individuals are taking steps to protect themselves. This includes those involved in the construction of websites. After all, if you’ve taken the time to make sure a website was designed and constructed using completely legal and authorized images, or more importantly, if you created the images or took the photography yourself, you don’t want someone else coming along and taking them. It’s not quite the “Wild West” it once was but it is still a significant problem and serious business. There are ways, however, of protecting yourself and your images.

Where to Start?

You can start by finding out whether you already have a problem with stolen images. The simplest way is a reverse image search: in Google Images, click the camera icon and upload your image or paste its URL, and Google will return pages where that picture (or a close copy) appears. Searching by the image file’s name is less reliable, because anyone who “borrows” an image can rename the file before uploading it, and a text search will then miss it; if you do search by name, also try generic descriptions that fit the image.

In the results, seeing the image as used on your own site is to be expected. But if it is an original image you created or a photo you took, and someone else is using it without your knowledge, you have a problem. Quite possibly this is because you did not take the necessary steps to protect it.

Now, you may say to yourself “Hey, but isn’t that like blaming me for not locking my house and allowing someone to steal my property?” Perhaps. But let’s also just add that it is always better to make sure your house is locked, to begin with. In this case, let’s make sure your images are as safe as possible.

Better Protecting Your Images

You can take steps to protect your images, but just as locking the door on your house won’t prevent someone from entering your home, most steps just make it tougher for an image theft to occur. Here are some of the more common steps you can take in protecting your images online.

  • Disable the right-click copy option. One of the first skills we learn on a computer is that right-clicking gives us the option to “copy,” and it didn’t take long for us to learn that it works on unprotected website images as well. WordPress has an easy-to-install plug-in that disables right-click on your pages and offers a few other protective features. Be clear about what this buys you: the image still has to be sent to the visitor’s browser, so anyone who knows how to open the browser’s developer tools, view the page source, or simply turn off JavaScript can still save it. It stops casual copying, nothing more.
  • Disable hotlinking. Hotlinking is the nasty little practice of someone embedding your image in their own page straight from your server, so they get the benefit of the image and you pay for the bandwidth. It is widely treated as infringement, but of course that doesn’t stop some people from doing it. Disabling hotlinking won’t prevent someone from copying an image, but it will at least spare you the indignity of having them use your bandwidth to display it. To disable hotlinking on a WordPress site hosted on Apache, connect with an (S)FTP program, go to the main directory of the site, open the .htaccess file (create it if it doesn’t exist) and paste in the following:

# hotlink blocking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteRule \.(jpe?g|png|gif)$ - [NC,F,L]

Replace “yourwebsite.com” in the RewriteCond line that names your site with your own domain, keeping the backslash before the dot (in a regular expression an unescaped dot matches any character). Note that the pattern ends in (/|$): without that anchor, a referer such as https://yourwebsite.com.attacker.example/ would also be treated as your own site. The first RewriteCond lets requests with no Referer header through at all, which is deliberate: many browsers and privacy tools strip the header, and blocking those requests would break the images for legitimate visitors. The google.com line keeps your images available to Google image search, and the RewriteRule returns 403 Forbidden for image requests that fail all of the conditions. Because the Referer header is supplied by the client, a determined copier can still fetch the image with a blank or forged referer, so treat this as protection against casual embedding rather than against theft.

  • Use a watermark. Watermarks have been protecting photographs since long before the internet. A watermark is a discreet but visible marking over the image that usually bears the name of the owner. Most photographers use them on proofs before clients purchase the un-watermarked prints. They are still an effective deterrent but can be distracting to your own viewers, and anyone skilled with Photoshop can often remove a small watermark, so a mark placed across the subject of the picture is harder to strip than one tucked into a corner.
  • Place a DMCA badge on your website. DMCA.com, a service named after the U.S. Digital Millennium Copyright Act, is dedicated to stopping content theft from websites. While it offers a suite of products, you can get started by placing a DMCA badge on your pages as a visible deterrent. With a registered badge, you have the service’s takedown resources behind you to have content that is used without your approval removed from the hosting site.
  • Place a copyright notice on your website or on the images themselves. You automatically hold the copyright in original content you create for your website; a notice simply lets others know that you know this. Keep proof that you created the content as well, such as the original camera files with their metadata or dated drafts. While copyright can sometimes be difficult to prove or enforce, a notice is another form of locking the doors on your house. It is very easy to do, so do it.
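The hotlink rule above is only as good as its referer matching, and its one real weakness is easy to miss by reading the .htaccess alone. The following is an added example, not code from the original post and not Apache code: a stand-alone Python model of the same referer policy, run over a few constructed access-log lines, so the decisions and the blind spots can be tried offline. The hostnames yourwebsite.com and evil.example and the log lines are made up; the two regular expressions are the unanchored pattern in the spirit of the original snippet and the anchored one that fixes it.

```python
"""Python model of the .htaccess hotlink policy (added example; the hostnames
and log lines are constructed, not real traffic)."""
import re

# Pattern in the spirit of the original rule: it anchors only the START of the
# referer, so a hostile host that merely begins with the trusted name, such as
# https://yourwebsite.com.evil.example/, is accepted as "our own site".
LOOSE_OWN_SITE = re.compile(r"^https?://(www\.)?yourwebsite\.com", re.I)

# Hardened form: the trusted host must be followed by "/" or end the string.
STRICT_OWN_SITE = re.compile(r"^https?://(www\.)?yourwebsite\.com(/|$)", re.I)
ALLOWED_THIRD_PARTY = [re.compile(r"^https?://(www\.)?google\.com(/|$)", re.I)]

IMAGE_PATH = re.compile(r"\.(jpe?g|png|gif)$", re.I)


def is_hotlink(path, referer, own_site=STRICT_OWN_SITE, allowed=ALLOWED_THIRD_PARTY):
    """True when the request would get a 403 from the RewriteRule, evaluating the
    conditions in the same order as the .htaccess snippet."""
    if not IMAGE_PATH.search(path):
        return False          # the rule only matches image files
    if not referer:
        return False          # RewriteCond %{HTTP_REFERER} !^$ : empty referer is let through
    if own_site.search(referer):
        return False          # our own pages
    if any(p.search(referer) for p in allowed):
        return False          # e.g. Google image search
    return True               # every other referer is forbidden


# Apache "combined" log format: ... "GET /path HTTP/1.1" status bytes "referer" "user-agent"
LOG_LINE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')


def hotlinked_paths(log_lines, **policy):
    """Return the image paths in the given access-log lines that the policy would
    refuse. Apache writes "-" when the client sent no Referer header."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        referer = "" if m["referer"] == "-" else m["referer"]
        if is_hotlink(m["path"], referer, **policy):
            hits.append(m["path"])
    return hits


SAMPLE_LOG = [  # constructed lines for this example, not real traffic
    '203.0.113.5 - - [10/Mar/2017:12:00:01 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.yourwebsite.com/gallery" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Mar/2017:12:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "https://evil.example/blog" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2017:12:00:03 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "curl/7.52"',
    '203.0.113.8 - - [10/Mar/2017:12:00:04 +0000] "GET /img/photo.JPG HTTP/1.1" 200 80000 "https://yourwebsite.com.evil.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2017:12:00:05 +0000] "GET /css/site.css HTTP/1.1" 200 900 "https://evil.example/blog" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("anchored pattern blocks:", hotlinked_paths(SAMPLE_LOG))
    print("unanchored pattern blocks:", hotlinked_paths(SAMPLE_LOG, own_site=LOOSE_OWN_SITE))
```

Two things stand out when you run it. The request with no referer (the curl line) is served under both policies, which is what the first RewriteCond is for; and the request from yourwebsite.com.evil.example is served under the unanchored pattern but refused under the anchored one, which is why the (/|$) matters. A client that simply omits or forges the header gets the image either way.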

While sharing images without the permission of the owner can be problematic, sharing solid, helpful information about making your website secure can be very helpful. If you have found this article useful or if you know someone who might find it interesting then, please feel free to share it.

Hacking Scandals: The Biggest, Baddest, And Scariest

The Internet is a worldwide platform for sharing information. It is a community of common interests. No country is immune to such global challenges as cybercrime, hacking, and invasion of privacy.

—Lu Wei

Knives and guns are no longer the weapons of choice for criminals; a keyboard is. Hacking has become the most effective way to gain the most reward or do the most damage in a single crime. And because individuals and companies still care more about locking their doors and installing security cameras than about encrypting and protecting their digital information, it is arguably easier to rob data than a house or an office building. Additionally, as hacking has become more common, a hacking community has emerged, creating competition for the biggest or baddest hack. Here are just a few of the worst:

1. and 2. Yahoo

Yahoo takes the cake when it comes to data breaches. Two breaches of its systems hold the top two places on this list. In September of 2016, Yahoo announced that two years earlier 500 million Yahoo accounts had been breached. The evidence, according to Yahoo, pointed to a state-sponsored actor. A few months later, at the end of 2016, another Yahoo incident came to light, and a much bigger one: Yahoo announced that in August of 2013, 1 billion accounts had been breached, making it the largest hack on record (Yahoo later revised that figure to all 3 billion of its accounts). From the evidence that investigators found, the two incidents were not linked. In both, however, everything from dates of birth and email addresses to encrypted security questions and answers and hashed passwords was stolen. Fortunately, no financial information was taken. “Hashed” is not much comfort here: many of the 2013 passwords were hashed with MD5, which is fast enough to crack at scale.

3. Myspace

This massive data breach garnered nowhere near as much news as Yahoo and other, smaller hacks, not because it wasn’t on a wide scale but simply because Myspace is no longer a company that attracts much attention. The attack compromised 360 million Myspace accounts sometime before June of 2013. Usernames, email addresses and passwords were all stolen. Myspace, its owner Time Inc., and investigators have not been able to pin down an exact date for the attack, which is not unusual: attackers often gain access to a system and remain there for months without being detected.

4. eBay

In early 2014, the massive online auction house was hacked and 145 million accounts were breached. It was a similar hack to the Yahoo ones, with email addresses, mailing addresses, birth dates and more being stolen, and, again like Yahoo, no financial information was taken. The route in was identified: the attackers obtained a small number of employees’ login credentials, which gave them access to the company’s corporate network.

5. LinkedIn

The LinkedIn hack was a special one because the stolen information was very publicly offered for sale. In May of 2016, the hacker who stole it, an individual going by the name “Peace,” attempted to sell 117 million LinkedIn email addresses and passwords. That was over 100 million more accounts than the company had originally believed to be affected by the 2012 hack, when it reset roughly 6.5 million passwords.

6. Target

The Target hack may not be the largest of all time, but it has arguably been one of the most destructive. So destructive, in fact, that Target agreed to pay $10 million to the victims of the breach. The breach itself happened during the 2013 holiday shopping season and affected up to 110 million individuals: the payment card data of roughly 40 million customers was stolen, including names, card numbers, expiration dates, the data encoded on the magnetic stripe and encrypted PIN blocks, and the names, addresses, phone numbers and email addresses of a further 70 million were taken as well. Each victim who could prove that their card information had been used or their credit history had been damaged could claim up to $10,000 from the settlement fund.

7. AOL

In 2003, a crime was committed by an AOL employee. He hacked into the corporate system to steal a list of AOL customers, their email addresses and their screen names. The employee sold this list of 92 million email addresses for $28,000. It was then circulated among spammers, who sent unsolicited marketing emails to every address on the list. It cost the company $400,000, not to mention the loss of customers it likely triggered. The employee was found guilty in court, sentenced to 15 months in prison and handed a hefty fine.

8. Ashley Madison

While no financial harm came to the individuals whose information was stolen in the Ashley Madison hack, it has arguably become the most famous hack in recent years. The main reason is the loss of privacy. For a dating website that caters to married people, privacy is everything. That privacy was lost when, first, the website was hacked and 32 million users’ information was stolen and then, second, that information was posted online for the world to see who was cheating on their spouse. The released data included user details such as names, addresses, passwords and phone numbers, as well as transaction history on the website and descriptions of what the individual users were looking for.

These are just a handful of the hacks that have been perpetrated over the last few years, and these types of attacks are only becoming more common. Businesses of every size and in every sector, as well as individuals, need to protect themselves. This is exactly what OrangeWebsite helps people and organizations do. We provide the highest level of protection against both hacking and governmental collection of private information. Try out our services with a 30-day money back guarantee, make use of our 24/7 technical support, and protect yourself, your information, and the information of those you do business with. For more information, please contact us.

The Trouble with Let’s Encrypt

SSL certificates all perform the same basic task, but they are not all equal in what they attest. Let’s Encrypt issues certificates that are free of cost and easy to install, with the aim of making secure Web connections as universal as possible. The downside of this approach is that its certificates say nothing about who is behind the site. At OrangeWebsite, we’ve decided not to accept them on our shared hosting, though you can use them on a VPS or dedicated server. We’d like to explain our reasons.

Not all SSL certificates are the same

Having an SSL certificate provides an encrypted connection between a browser and a Web server. The protocol family that supports this is widely known as SSL, but current versions are more properly called TLS. Connecting by TLS guarantees that the server you reached holds the private key matching the certificate it presented. A certificate authority (CA) digitally signs the certificate, indicating that it has verified, to whatever level the certificate type calls for, that the applicant controls the domain name in it and, for the higher levels, who the applicant is.

Anyone can create a self-signed certificate. It will enable encrypted connections, but without a CA’s signature, there’s no guarantee that the site owner is who it claims it is. Browsers warn users against trusting self-signed certificates.

Let’s Encrypt acts as a “free, automated, and open certificate authority.” It allows anyone to set up a secure website at no cost and with little effort. This is good, but prominent figures in the tech industry have expressed serious concerns about its certificates.

The process for setting up a certificate is simple; a couple of commands on a Linux server will do the whole job. The problem is the level of authentication provided. The only validation is that the applicant controls the domain the certificate is issued to: to get a certificate for example.com, you have to prove control of example.com, typically by placing a file the CA specifies on the web server at that name or by publishing a DNS record for it. There is no checking of who you are. This type is known as a “domain validated” (DV) certificate. Let’s Encrypt isn’t the only CA to issue domain validated certificates, but at the time of writing it is the only one that doesn’t charge anything for them.

Certificates and trust

Just having an SSL certificate, especially one that’s only domain validated, doesn’t make a site trustworthy. The domain could be a near-lookalike of a well-known one (e.g., micros0ft.com, with a zero in place of the letter o). Let’s Encrypt has reportedly issued over 14,000 certificates to domains that contain “PayPal” in their names.

Some services let users control subdomains of the service’s own domain (e.g., mydomain.example.com). Those users can obtain certificates for their subdomains, which can give the impression that the parent site approves of the content. The subdomain may even point to a completely different server that the primary domain’s owner has no control over.
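The lookalike and brand-in-hostname patterns above (a digit standing in for a letter as in micros0ft.com, a well-known name placed somewhere in a phishing URL as described in the identity-theft article, a brand in a subdomain of an unrelated domain) are exactly what a CA or a hosting provider would screen for if it chose to. The following is an added example, not code from the original post and not Let’s Encrypt’s own tooling: a stand-alone Python check for hostnames that trade on a brand name. The BRANDS table (with the domain assumed to be the genuine owner of each name), the small homoglyph table and the sample hostnames are all constructed for this example, and the registrable-domain helper deliberately ignores public suffixes such as co.uk.

```python
"""Brand-impersonation check for hostnames (added example; the brand table,
homoglyph table and sample names are constructed)."""
import unicodedata

# Brand -> the one domain assumed to be entitled to the name.
BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "google": "google.com"}

# Characters commonly swapped in for Latin letters. Deliberately small; Unicode's
# confusables list is far longer.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                  # Cyrillic с у х
})


def normalize(host):
    """Lower-case, drop a trailing dot and turn punycode (xn--) labels back into Unicode."""
    host = host.strip().lower().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host          # already Unicode, or malformed punycode: judge it as given


def fold(host):
    """Map look-alike characters onto the plain ASCII letters a human would read."""
    return unicodedata.normalize("NFKC", host).translate(HOMOGLYPHS)


def registrable(host):
    """Naive registrable domain: the last two labels. Assumption: no public-suffix
    list, so names under co.uk and similar are handled wrongly."""
    return ".".join(host.split(".")[-2:])


def impersonation_findings(host, brands=BRANDS):
    """Reasons this hostname looks like brand impersonation; empty for the brand's
    own domain (and its subdomains) or for names unrelated to any brand."""
    raw = normalize(host)
    folded = fold(raw)
    findings = []
    for brand, canonical in brands.items():
        if registrable(raw) == canonical:
            continue                                   # the genuine domain or a subdomain of it
        if registrable(folded) == canonical:
            findings.append(f"lookalike of {canonical}: {raw}")
        elif brand in folded:
            findings.append(f"'{brand}' in hostname not under {canonical}: {raw}")
    return findings


def scan(hostnames, brands=BRANDS):
    """Run the check over many names (e.g. pulled from a CT log) and keep the hits."""
    hits = {}
    for h in hostnames:
        findings = impersonation_findings(h, brands)
        if findings:
            hits[h] = findings
    return hits


SAMPLE_HOSTS = [  # constructed for this example, not taken from any CT log
    "www.paypal.com", "micros0ft.com", "paypal.com.secure-login.example",
    "login.paypa1-secure.example", "mail.google.com", "example.org",
]

if __name__ == "__main__":
    for host, why in scan(SAMPLE_HOSTS).items():
        print(host, "->", "; ".join(why))
```

The substring test is intentionally blunt: a legitimate name such as googleusercontent.com would be flagged too, so a real deployment needs an allowlist of domains the brand actually owns. The point the example makes is the one the article makes: a DV certificate on any of the flagged names is issued on proof of control of that name alone, and nothing in the issuance process asks whether the name was chosen to deceive.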

The most trustworthy SSL certificates are EV certificates. EV stands for “extended validation” and signifies that the CA has met a defined industry standard for checking the applicant’s identity: it has checked and confirmed that the applying organization legally exists and is who it claims to be. At the time of writing, browsers generally indicate an EV certificate with a green symbol or bar that shows the organization’s name.

Unfortunately, most people don’t recognize the nuances. If they see a padlock, they’re likely to assume the site is trustworthy. Since Let’s Encrypt doesn’t even require a payment method, its bar to registering a certificate is very low. It plans to check the Google Safe Browsing API for known phishing or malware sites, but that’s about the extent of its checking. There have been confirmed reports of malvertisers using its certificates. When certificates are free, it’s easy to set them up with throwaway domains.

We hope that in time, Internet users will better understand the difference between a secure site and a legitimate one. When the large majority of sites display a padlock in the address bar, browsers will need to make a clearer distinction among the levels of validation. Eventually they may warn users about sites whose certificates are only domain validated. If a browser did that today, though, it would have to issue a constant stream of warnings.

For the present, it’s a good habit to click on the padlock symbol of a secure site if there’s any doubt about it. The browser should give information about the site’s level of validation and its owner of record. Some browsers, though, will say nothing more than “This site is secure.”

Openness and trust

Let’s Encrypt has explained its policy. It argues that a CA is in a poor position to police a site’s content. It’s difficult to determine if a site is clean, and harder to check if it stays clean. The primary aim of the project is to make as much of the Web as possible use TLS. That will inevitably include rogue websites. These sites exist anyway; the only difference is that some people may trust them more when they see the padlock symbol.

Any issuer of domain validated certificates faces this risk, and even the EV level isn’t completely safe against malicious sites. A signed certificate isn’t and can’t be proof of trustworthiness. Let’s Encrypt doesn’t want to take on the role of a censor, and we appreciate that. At the same time, we don’t want to give dishonest websites the appearance of legitimacy if we can avoid it.

We offer several options for purchasing SSL certificates. The lowest priced ones are domain validated, but the annual fee will discourage acquiring certificates for throwaway domains. For a better level of validation, we offer the Comodo InstantSSL certificate with business-level validation. The best validation comes with our Comodo EV certificates, either for a single domain or for multiple domains sharing the same IP address.

Balancing trust and openness can require some difficult tradeoffs. One of our chief goals is to enable free expression, but we don’t want to be a magnet for deceptive and dangerous sites. We hope you understand the reasons for our choice. Feel free to contact us with any questions.

What Can We Learn from the Cloudflare Leak?

Cloudflare calls itself the “web performance and security company,” so it was a serious blow to its reputation when researchers discovered that it had a security bug that made sites’ data visible on other sites. What was really disturbing was that supposedly secure data from HTTPS requests leaked out this way. Passwords, session cookies, credit card information, and other sensitive data simply showed up in random places.

Google researcher Tavis Ormandy discovered this problem on February 17, and tech media have attached the name “Cloudbleed” to it. Cloudflare provides services to millions of websites, and any of them could have suffered a loss of confidential data. Many of them have urged users to change their passwords. The risk to any individual is low, but the effect was so widespread that personal data could have been stolen from a significant number of people.

Cloudflare has fixed the bug, but the leaked data could still be lurking in the caches of search engines and edge servers, and data thieves now know to look for it.

Cloudflare’s incident report explains that the problem stemmed from a buffer overrun bug. For efficiency, low-level system software is often written in languages such as C, which do not automatically guard against reading or writing memory outside a buffer’s limits. An HTML parser in Cloudflare’s edge servers had a bug of this type: on certain malformed pages it ran past the end of its input buffer and copied whatever lay beyond it into the response. That could be anything, and sometimes it was private data from another website’s traffic being handled by the same server.

The risk in third-party services

Any website can have bugs in its software that open security holes, which is one reason HTTPS connections aren’t 100% secure. Old versions of SSL (TLS) have known problems. The “Heartbleed” bug in older versions of the widely used OpenSSL library was the same class of flaw as Cloudbleed, a missing bounds check that let a client read memory past the end of a buffer, and it showed that such weaknesses are exploitable in practice. The latest version fixes that problem, but there is no guarantee that it is completely bug-free, and many websites still run old versions of OpenSSL with known weaknesses.

When a site uses a third-party service such as a caching proxy or a content delivery network, it can gain or lose security. A top-quality CDN has better security measures than most do-it-yourself sites, and it filters requests to the sites’ servers. It can absorb DDoS attacks that would kill a one-machine server. Cloudflare features a web application firewall (WAF) that protects sites at the application level from many kinds of attacks.

This comes at a price, though.

To get the full range of services from Cloudflare, a website has to let Cloudflare terminate its TLS connections: either by uploading its own certificate and private key, or by letting Cloudflare obtain a certificate for the site’s domain name on the site’s behalf. Either way, Cloudflare’s servers hold a key that browsers will trust for your domain, and they decrypt every request and encrypt every response. Without that, Cloudflare could do nothing with HTTPS traffic but pass it through; it would be able to see nothing except which server and port number the traffic was going to.

The fact that the breach included HTTPS data underscores this issue. If Cloudflare weren’t decrypting sites’ traffic, it could never have leaked passwords that were properly sent through HTTPS. By the same token, it couldn’t have provided a useful WAF for servers that use encrypted communication. Letting a CDN terminate TLS for you creates a real risk, even if there is an overall gain in security.

Vulnerability to governments

However, letting a CDN terminate a site’s TLS opens up one serious hole that no software can guard against. A government can demand the site’s keys or its decrypted traffic, compel the CDN to stay silent, and thereby gain access to all of the site’s TLS transactions. Government agents can spy on it indefinitely, and the site’s owners won’t have a clue that it is happening.

In the United States, a National Security Letter can accomplish this. Anyone who receives one isn’t allowed to say anything about it or to challenge it in an open court hearing. The Electronic Frontier Foundation has called the power to issue them “one of the most frightening and invasive” surveillance powers created by the PATRIOT Act.

Cloudflare has acknowledged receiving at least one National Security Letter. The FBI could have compelled it to turn over customers’ keys or traffic and not tell them. In a similar case, the FBI tried to compel Lavabit, a confidential email service, to turn over its TLS keys, which would have given the FBI access to every user’s private mail, even though it was only after Edward Snowden. Founder Ladar Levison was under a gag order that prevented him from disclosing this until recently.

Other countries have similar or worse issues. The UK’s Investigatory Powers Act gives law enforcement the authority to make telecommunication companies break their encryption. They would be under a compulsion of secrecy comparable to a National Security Letter. In the truly authoritarian states, the situation is even worse, with privacy being virtually non-existent.

How many websites do governments have access to, without the sites’ knowledge, because the CDNs that terminate TLS for them had to hand over keys or traffic? There’s no way to know.

The OrangeWebsite Difference

At OrangeWebsite we take your privacy seriously. We don’t share our private keys, or yours, with third-party services. Government agencies in North America or Europe can’t demand anything from us. We maintain state-of-the-art server security, performing regular security audits and keeping system software up to date. Optional two-factor authentication is available.

Nomad Capitalist has called Iceland the best host country for data privacy. The Icelandic Modern Media Initiative, passed by our Parliament in 2010, commits the country to freedom of information and expression. We allow anonymous registration, so that even torture or telepathy wouldn’t get us to disclose your identity. Contact us to learn how to set up a secure, censorship-free website.