Senator Ted "Series of Tubes" Stevens (Alaska) along with Senator Olympia Snowe (Maine) introduced the Anti-Phishing Consumer Protection Act this week. The problem is they are honestly in need of phishing education. The APCPA just doesn't make much sense. First, phishing is already illegal. Second, phishing is going to continue happening no matter how many laws there are. The root of the problem has to be addressed. Blanketing more laws over existing ones is not helping. Third, there is a section in this bill about domain name Whois privacy. This has nothing to do with stopping phishing either. From the pages of the act: "(9) Phishing operators utilize deceptive domain names for their schemes. They routinely register domain names that mimic the addresses of well-known online merchants, and then set up websites that can fool consumers into releasing personal and financial information." That is hardly the most popular method of phishing. Phishing most often happens within "cracked" directories on existing websites owned by innocent people. If a phish is reported, the data center which hosts the website is notified. This is because IP addresses do not lie. The person who owns the domain name has nothing to do with the phish (at least in a direct way) and they have every right to keep their details private if they want. Phishers are not in a habit of registering "bankofamericaaccountlogin.com" and buying hosting every day; that opens them up to being found easily. So the idea of possibly disallowing private domain registration is foolish and definitely unfair to domain owners. (Disclaimer: I do believe businesses should have their details listed, but private citizens should have a choice.) With all of the phish attention lately, I am ready to start a website with the real story of how the series of tubes is really being compromised. More About Kayla Surpass Hosting
I received what you might call unsolicited mail from the post office. It arrived addressed to Postal Customer and in bold was the title "Identity theft prevention tips." If the majority of receivers do open these letters, this project will have very good results. Educating the public about phishing and identity theft online is hard enough so any outside help is really a good idea. The letter inside reads: "Enclosed is a brochure that provides you with helpful tips, phone numbers, websites, and steps you can take to deter, detect and defend yourself against identity theft. Please take the time to read through it and follow the advice. Sincerely, John E. Potter, Postmaster General." The brochure itself is produced by the FTC and is actually the best brochure I've read yet. Most organizations are definitely becoming more savvy about these issues so explanations and solutions are more detailed than ever. The problem with phishing is still rampant but ever since we implemented our anti-phishing redirect page a lot of other companies are following with the same. Our page had 4,083 visits in January alone due to the scams we have had to disable, mainly on dedicated servers. This is a huge improvement since my last post about the redirection page. I think this is because I continue to believe that the key to solving phishing really lies in educating dedicated server customers. The freedom we allow them should really be considered a danger and treated as such. Dedicated server hosts can still give customers the control they seek but they have to give them guidelines with it. More About Kayla Surpass Hosting
It's the first month of 2008 and you know what that means. Instead of naming off goals to lose weight, stop smoking, eat organic, and run every morning at 6:30 A.M., what about our tech resolutions? Here's my list for you.
10. Organize: If you never clean out old directories and files from your servers, what better time than now to get started? Go through your website error logs to clean up files which no longer exist but are still requested, change graphics that may have old dates or other inaccuracies, give your web presence an overall spot check and you will be amazed at how inspired you'll become during the process. As you go along you'll get new ideas of what new features should be added to your site. Do a spot check and brainstorm each month this year and you'll have the most organized and easy to use website ever for your customers. (And how about cleaning up your own desktop? Sheesh... look at all of those icons.)
9. Apologize: Let's admit that we made mistakes last year. Did you not announce a few things that happened with your company? Did you postpone a feature for too long? If your hosting company has a blog, why not make a post that simply says you are sorry for the downfalls of the previous year and you are committed to setting everything right in 2008.
8. Ask: Through polls, blogs, forums and newsletters, ask your customers more questions. Get to know them and see what they think is missing from your services. In this process you will see what they do value the most already and you can work on completing the picture this year.
7. Give: You do not have to give an iPod away with each dedicated server order, but give back to your customers more this year and show them that you appreciate them. Have contests and giveaways to connect your customers and reward them at the same time.
6. Focus: As the day goes by, it's easy to lose track of your ideas, especially when issues pop up with servers or customer situations. Even though we proclaim to be the geekiest of the geeks, it is not a bad idea to keep a notebook or organizer around and actually use a pen sometimes! I have personally found that writing down notes on paper and crossing them off is better than a text file. It's easy for a little text file to get lost behind thirty other windows (which seem to get all of the attention). The paper is always there by your mousepad and you will constantly be reminded it's there. Or, maybe get one of these: ubergizmo.com/15/archives/2008/01/iriver_ebook...
5. Listen: This goes along with "Ask" but sometimes you have to focus more on hearing what people have to say instead of injecting your own comments. You may miss something important if you are too immediately concerned with what you think about it. Let's say a customer is upset and has sent you a long ticket which makes you feel terrible. Do not think of the ways they may be wrong; think of the ways in which they are truly right. Act upon it patiently and in the future, proactively.
4. Progress: Take a look at the features you offer. What have you changed or added in the past two years? In the past year? If you cannot make a list of at least 10 major changes/additions, then it is time to rethink your offerings and create excitement this year.
3. Help: Do you ever find yourself sending a customer a link to a blog post or tutorials site for help with a question? Sure, that's the great part about the wealth of information the Internet makes available to us, but you should also create a massive amount of resources on your own site. Not only would this help your customers in-house, it can also improve your own search engine rankings.
2. Lead: Your customers largely depend on you so this year become your own tech warrior. Be on the lookout for the next big thing, the next best applications, and your customers will benefit like never before. And they'll appreciate your hard work and dedication for bringing them the best new services and features.
1. Relax: It is hard to pull ourselves away from the computer (or stop carrying the laptop everywhere) but if you do not take the time to sit and read a book, take a walk in the park, all to have some quiet time in your mind, you may miss a revolutionary thought. You know, they can pop up at the strangest times! Let all of your experience quietly guide the way into something wonderful for your company in 2008.
More About Kayla Surpass Hosting
You may remember my recent blog about our network's anti-phishing page. Basically, when we find a compromised account on a server, we apply a redirection on any phish content (dimenoc.com/antiphish) rather than just disabling the page from view. Ray, one of our lead abuse administrators, analyzed the web stats for our phishing redirect page. In only four months over 11,000 unique IP addresses have hit the page. Can you believe it? Some of those visitors may not have fallen for the scams (had they still been online), but for the rest: this amount of visits is startling. I was not expecting so many hits! I thought the Internet community was largely around this curve. There is obviously a lot of teaching yet to be done. I am very pleased that those Internet users have been saved by our actions. Hopefully many of them will never click such links again and help others to understand the same. This redirection method may be one of our last chances to educate, at least where "phish spam" is concerned. Our overall experience with this has truly inspired me so I will be writing further about this topic in my next post. Feel free to comment with your thoughts and any ideas. More About Kayla Surpass Hosting
You know that I feel data center responsibility is very important; my past blog posts reflect that. I may be most familiar with the world of cPanel servers, but overall the ideals of security are the same for all data centers. No matter the types of servers we're hosting, we have to guide our customers in keeping their systems clean and up to date. In order to gauge our collective success I am always seeking articles that discuss whether hosts are doing a good job administrating their customers. The latest press release from StopBadware.org has really turned up the heat in this topic. They released the findings of a data study which collected information on the hosts of spyware and malware distributors. The most disturbing fact revealed was that nearly 11,000 sites at iPower were reported to host some form of badware. This does not mean that all of the sites still exist on their network, but it's an alarming number to collect in the first place. EIG will have a lot of work to do, if they choose. "Web hackers and badware distributors are constantly finding new ways to work around the safeguards that are put in place to protect consumers," Palfrey said in a press release. "Web hosting providers must do their part to stay ahead of the curve and help keep the Web sites they host safe from malicious attacks." To our credit, it truly is a hard job to stay ahead of that all important curve. This is especially so when it comes to dedicated server clients. They can configure their servers however they would like and their choices aren't always the best ones. Then we guide them, one by one, when issues come up on their servers from port scans to spamming. Then with each report of malicious activity that we receive from third parties, we have to ask ourselves: is this happening on any other server with this configuration? If so, plans must be made to counteract the issue to prevent it from happening again. I think companies are also capable of attracting a certain type of client. 
If you make your stance on security clear and upfront, you will attract clients that also hold your same values. If you don't have a section of your website devoted to security, it really is time to create one in order to help every type of customer you have (from experienced to not so). Education is the only way we will combat these problems. Hosts have placed focus on topics that have been easier to talk about, from increased storage space to free applications included with plans. Now it is just as important to mention your security plans right alongside the marketing speak. And just as Lou Honick so expertly stated in his latest post, "Make no mistake, customers expect 100% uptime, all of the disk space and bandwidth included with their plans, and enough processing power to do whatever they need with their website. Whether we like it or not, whether it is fair or reasonable, that IS the expectation. And it will continue to be the expectation until we tell customers otherwise, emphatically and clearly." There is no doubt about it: until we make security as important a "feature" as everything else we offer, it will not be serious to our customers. We have to make our mission very clear to our client base or we will not progress. In the meantime, what happens now with the companies listed in StopBadware's report? Are they going to begin a mass cleanup or will the sites remain? We are responsible for large "pieces" of the Internet and the actions we take now can make the Internet a better and safer place for the future. More About Kayla Surpass Hosting
Is 2007 the start of a new era, where even the modest hosting company trumpets their impeccable security measures, or is it really more of the same - far less action than marketing speak? More and more companies cite their security services as a selling point today. To hosts who want to serve the needs of their customers today and in the future, their charter for 2007 is clear: Security impels careful vigilance. Develop the best system today, leave it to rust and you'll find that scammers will certainly overwhelm it. As those who seek to defraud adapt, so too must the web host, and with it their procedures and plans. If you're a system administrator you already know that it's a bad month for PHP. This is scary because so many web hosts and resellers out there are putting servers online without any PHP hardening. The "default" is no longer good enough. If you are already aware of that, you are definitely deserving of much applause. If you're a customer looking for secure hosting, you might give Google a search, right? Well, this is another scary part. The first result for a "secure web host" returns this hosting plan, and I really don't see what is so secure about it. Plus how can something so secure be available to you within minutes? Most of the results are just like that one: murky and questionable. Now is the time to make sure your procedures are clear and become known as a host that is serious about security and not just talk. What are you doing exactly to prevent PHP exploits? PHP is the biggest problem for hosts right now, by far. In my next blog I'll tell you what I'm doing. More About Kayla Surpass Hosting
A multi-layered approach is necessary to prevent exploits and spam outbreaks in your network. Unfortunately there are some problems you'll never have complete control over. As detailed as your company's processes may be, and despite the security rules and regulations outlined to users, phishing will still occur occasionally. In these situations the swiftness of the takedown becomes most important. Your response time is likely excellent if you already have an abuse team scanning reports around the clock. However, besides disabling scams as quickly as possible, it is also important how you disable them. You might consider redirecting phishing pages to an educational resource about online scams. Our data center has been doing this for some time with good results. DimeNOC.com/antiphish is the page we define in the compromised directory's .htaccess file. This way instead of simply disabling a directory containing a phish or showing a suspended note, we aim to help the Internet community along the way. It is nearly impossible to keep on top of every server in a data center, so being quick with the takedown is first priority while educating society takes the stage as well. You also must remember that when you are proactive and responsive, you are also giving your company a competitive advantage. Many hosting companies are more concerned with the amount of sales they are getting in one day than giving careful attention to network activity. This is something that must change. Abuse hurts your servers, your reputation, and innocent people -- especially when it comes to phishing. Hosts and data centers have an important role in consumer awareness and that cannot be overlooked. Make sure that your customers know that you care about these problems.  [Antiphish Redirection Page] More About Kayla Surpass Hosting
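One way to apply the .htaccess redirect described in the post above, as an added example that is not from the original post or the data center's own tooling: a shell function that puts the redirect rule into a compromised directory while leaving the phishing files and any existing .htaccess in place as evidence. The function name, the evidence file naming, and the use of mod_alias `RedirectMatch` (which needs `AllowOverride FileInfo` for the directory) are assumptions.

```shell
#!/bin/sh
# Added example (not the data center's own tooling): redirect every request
# under a compromised directory to an education page, keeping files as evidence.
# Assumes Apache with mod_alias and AllowOverride FileInfo for the directory.

REDIRECT_URL="${REDIRECT_URL:-http://dimenoc.com/antiphish}"  # page named in the post

quarantine_phish_dir() {
    q_dir=$1
    q_url=${2:-$REDIRECT_URL}
    q_ht="$q_dir/.htaccess"

    [ -d "$q_dir" ] || { echo "not a directory: $q_dir" >&2; return 1; }

    # The URL is written into a config file, so accept only http(s) URLs made
    # of a conservative character set (no spaces, quotes or newlines).
    case $q_url in
        http://*|https://*) ;;
        *) echo "refusing non-http URL" >&2; return 1 ;;
    esac
    case $q_url in
        *[!A-Za-z0-9:/._~%-]*) echo "refusing URL with unsafe characters" >&2; return 1 ;;
    esac

    # Already quarantined by this script: leave it alone (idempotent re-run).
    if [ -f "$q_ht" ] && grep -q '^# Quarantined ' "$q_ht"; then
        return 0
    fi

    q_stamp=$(date -u +%Y%m%dT%H%M%SZ)
    # Kits often ship their own .htaccess; keep it for the abuse report.
    # The ".ht" prefix keeps it covered by Apache's default deny on .ht* files.
    if [ -e "$q_ht" ]; then
        mv "$q_ht" "$q_dir/.htaccess.evidence.$q_stamp" || return 1
    fi

    # RedirectMatch with ".*" matches any path below this directory and sends
    # a temporary (302) redirect to the fixed education URL.
    cat > "$q_ht" <<EOF || return 1
# Quarantined $q_stamp: phishing content reported in this directory.
RedirectMatch 302 .* $q_url
EOF
    chmod 444 "$q_ht"
}

# Command-line use: quarantine.sh /path/to/compromised/dir [redirect-url]
if [ "$#" -gt 0 ]; then
    quarantine_phish_dir "$@"
fi
```

The read-only .htaccess only slows an attacker who still has write access to the account, so the entry point that let the kit in still has to be closed separately.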
I know you are all busy contributing on community driven websites, building a force of collective knowledge and working very hard in this new Web 2.0 world. So I'm here to give you a much needed break - in security at least! One of the most important things to cover first as we head into 2007 is spam control. There are many preventive measures that individual web hosts and data centers need to take and stay on top of. It's a good idea to keep yourself updated on trends by reading security sites and blogs on a regular basis. Browsing through the comments on the latest post in Bob Sullivan's blog has me amazed. Some of the readers posed interesting ideas on how to combat spam while some only left me baffled! Ideas ranged from charging everyone 5 cents to send an email, requiring Internet users to take a test to get an "Internet License" and to the very bold and simple solution of, "If ISP's don't police their customers, then they should be shut down." Case in point, one commenter confidently stated: "Internet providers [in the Netherlands] are mandated to cooperate, but are happy to do so since spam costs them dearly in bandwidth and blockages from foreign servers (especially from the US). Oddly enough, most spam these days does not come from servers in distant Pacific Islands, but from the US. So, US government: flex your muscles!" While another commenter challenged spammers to launch an attack against his inbox: "BRING IT ON! I don't care if there is spam! The spam just doesn't get past my defenses and it is nearly all an automated process. I'm not hit by malware, phishers or trojans and most of that is canned before I even see it. Maybe I am just very different because I am a responsible computer and Internet user. I guess I won't make the headlines, because I am never plundered." Until everyone masters his spam fu, hosts and data centers must do their part to outsmart the spammers and scammers, and to help Internet users understand the "why and how" of it all. 
Most of us are already doing a superb job, but there are some serious problems lingering out there without answers. Have you ever noticed that Verizon houses nearly 100 ROKSO spammers? Verizon's Spamhaus records go back to 2002 with the help of leftover MCI listings. Why are they allowing these organizations to operate freely in their turf? This is what I am trying to find out. To know that larger corporations are not doing their part is disappointing as we work so diligently on the sidelines. I am currently doing research with Spamhaus right now and in my next article I hope to shine more light on this. I want to give a sense of what responsibility really means to us as web hosts and to all Internet users. More About Kayla Surpass Hosting