Posted by Karim Dharamshi on Fri, Jul 30, 2010
We think our credit or debit cards are safe and secure when swiped on a Point of Sale (POS) terminal. Yes, the common POS terminals found at retailers and restaurants. With LCD monitors, touch screen functionality and the like, the POS terminal appears to be very secure and, for the most part, it is. However, the criminal mind is always one step ahead. Forget stealing data through some sort of complex phishing scheme - thieves are now just taking the hard drive in its entirety. Good old-fashioned break-and-enters.
A recent episode of CBC’s Marketplace - “Who’s Minding the Store?” exposed the measures thieves are taking to obtain a massive amount of credit and debit card numbers from POS terminals. They break into stores, restaurants, gas stations and any other location where a POS is commonly used. It doesn’t matter if it’s a large retail chain or a small independent store, they are after the POS. Regardless of the size of the retailer, POS terminals contain records of credit and debit cards that have been used in the past week, month, even year, depending on when the hard drive was last wiped clean.
As customers, we tend to trust retailers with our credit or debit card information and so assume the hard drive is wiped clean at least on a daily basis; however, this is not always the case. According to Marketplace, many retailers do take action to clean out all of the credit and debit numbers on a daily basis, but the numbers are never really gone. They still exist on the system for thieves to access. Visa and Mastercard have a Customer Information Security Program (CISP) which sets out guidelines for POS software to ensure that it is effectively wiped clean and that your card information is protected. According to POS Helpdesk, most POS terminals do not comply with these standards. POS Helpdesk encourages retailers to update their software to comply with the CISP standards or run the risk of being fined by Visa and Mastercard. Worse still, having customers’ credit information stolen can result in retailers losing the trust of loyal customers and in such incidents going viral.
In fact, if you find that your credit information has been stolen, you should ask where the thieves obtained your information. According to Marketplace, Canadian banks are not obligated by law to tell you where thieves obtained your credit information. However, it doesn’t hurt to ask. If you find out, you may think twice about paying with plastic at that retailer again.
This brings us to the big question surrounding all of this plastic identity theft: How do you protect yourself? You may not like the answer. POS security experts suggest that you pay with cash as much as possible. Sure, it is a little old-fashioned and maybe not as convenient, but the less you use your plastic, the less risk you have of getting your information stolen.
In the end it may not seem like such a big deal as banks and credit card companies usually refund the amount stolen from your credit card or debit card. But the bottom line is that the more thieves steal from banks and credit card companies through POS theft, we – the consumer – ultimately pay through higher bank fees.
Some food for thought for the dog days of Summer.
Posted by Karim Dharamshi on Thu, Apr 01, 2010
Daily, even hourly, we hear about email fraud: perpetrators who use sophisticated software (malware) to track every single one of your movements on your computer, including passwords. Scary stuff, and definitely an area in which we are still complacent. How do we inexplicably click on a link we know we shouldn’t? Or what about that tempting email in our spam folders which looks so legit? Remember, it arrived in your spam folder for a reason. Delete. Delete. Delete. We all have received the emails from Nigeria begging for money on behalf of a kidnapped aristocrat in destitute circumstances - or so they say. Those are almost passé now given the massive growth of Social Media along with the cyber pharma industry. Interestingly, I received an email this week from Facebook about resetting my password. NOTE: I do not have a Facebook account. Many “experts” believe the next great frontier of crime will be through Social Media sites. Users openly share personal information, such as stating when they will be away from their homes and for how long. Users become so immersed within these sites that they do not even realize they are exposing themselves to potential mischief. Moreover, your email accounts are directly linked to these sites. One can read daily about the countless attacks on popular sites such as Facebook and Twitter. These are wonderful sites which do have a purpose, but it is time to be more vigilant.
Some basic ways to protect yourself against email fraud are:
- Do not open any attachment if you do not know the sender
- If it sounds too good to be true, it probably is
- Do not engage in transactions from unsolicited emails
- You did not win 20 million dollars by not entering a lottery
- No bank or social media site is going to ask you to re-set your password; this is a prototypical phishing attack
This may all seem like common sense, but as our lives become more entangled with passwords and the technologies that come with them, a little reinforcement can go a long way.
Posted by Minal Pithia on Wed, Mar 03, 2010
How do you feel when you lose or forget your iPhone or Blackberry? I asked my friend Sarah the same question and her response was "I would be ‘techno-stressed' and sit in a corner and cry". Our phones have become an extension of our body - it's something we need to have on us all the time. Smartphones are all the rage and highly in demand. With the availability of countless apps that make everything available at the click of a button, online shopping, micro-blogging, and making financial transactions are much easier. This brings us to look at the future of smartphones and the vulnerabilities that come with it.
Did you know that Google ships out 60,000 Android phones every day? That means they send out 21.9 million every year. These phones are in high demand and critics predict that the new trend for 2010 will be "Mobile Malware". We've already seen potentially malicious mobile apps available via the Apple store and Android Market. Recently, Google removed about 50 apps from their Android Market which also targeted a few financial institutions. Here at BrandProtect, our Incident Response Team removed unauthorized apps from a website targeting our clients. 10,000s of new apps are submitted every day to these popular app stores, creating a hot spot for the hacking community and leading to more phishing, malware and identity theft. Mobile banking is also growing throughout the world. Recently Barcelona hosted the GSMA - Mobile World Congress 2010, where YellowPepper, a leading provider of mobile financial services in Latin America, announced the launch of YellowPepper Mony. "YellowPepper Mony enables financial institutions and corporate clients to deliver secure, convenient and easily accessible financial services to consumers, such as mobile money transfers, international remittances, mobile bill payments and pre-paid cell phone service". This signifies that mobile banking is going to spread fast throughout the world - fraudsters, phishers and malware authors are already putting on their "thinking caps", thinking of ways to turn banking services offered on mobile phones into cash for themselves. While mobile banking is still in its infancy in North America, we know that it will grow fast. CIBC is already one of the first banks in Canada to offer a mobile banking app for the iPhone. Although Canada has a slower adoption rate for mobile banking, as more banks jump on the bandwagon, the masses will follow.
This also brings us to look at the open market available to application developers. For instance, Google and Apple are open to anyone, and many critics fear that deficiencies in the testing process could let malware apps through. Apple does require that all apps sold in the store are verified and signed by them, which gives them the power to withdraw the certificate so no one can install it anymore. However, with Apple there is also the risk of "jailbreaking", which allows iPhone and iTouch users to run any code on their device without authorization from Apple. Once your iPhone or iTouch is "jailbroken", you can download apps from anywhere - this could lead to malicious content installed onto your phone that can steal all your personal information. Moreover, the vulnerability with the Google Android market is that it allows users to self-sign the code "with their own home generated certificates". As a result, this also poses security risks, as the status is only checked upon installation, so once you install a bad app on your phone Google can't take it back.
As we all become dependent on our phones to check our email, make financial transactions, and shop online, our "user behavior" also changes. Just like the internet, mobile phones have also become a "social device", which makes people more vulnerable to security risks. Do people pay the same attention when opening an email or downloading something on their computer versus their mobile phone?
Smartphone users beware - Make No Assumptions, ensure Physical Security - don't leave your phone lying around and be Mindful of Malware.
Posted by Dylan Sachs on Fri, Feb 19, 2010
Before the advent of high-resolution security cameras, dye packs and GPS trackers, criminals would simply walk into a branch, pull out their guns, take the money and escape on their steeds. The criminals have evolved. They would then walk right up to the teller, hand them a note, and walk out with a bag full of money, right past blue-haired grandmothers updating their bankbooks and blue-collar workers depositing their paychecks. Technology evolved. So did the criminals. Now, criminals are robbing banks in even easier ways.
Phishing sites, vishing or smishing phone numbers, card skimmers - these tactics all enable the criminals to acquire the precious details they need to defraud financial institutions and their customers of hard-earned dollars without ever leaving their homes. Simply acquiring this information isn't enough for the criminals to start planning their retirement in a non-extradition country - they need someone to actually get the money for them.
Criminals are (typically) quite adept at protecting themselves - whether it be having a safe house, a getaway car, or rigging their hard drives with thermite - to ensure that getting caught doesn't mean hard time. So what is an aspiring fraudster to do these days? Find a Money Mule.
Money mules are typically recruited online, lured unknowingly into the criminal world by the prospect of quick, easy money.
You see the recruiting posts everywhere. Job postings and spam with subject lines of "Work from home!" or "Make $1000/wk CASH!" can seem like a blessing to those desperate in today's harsh economic times.
Once the "employee" (mule) makes contact with the fraudster (who pretends to be a corporation), the mule is instructed to open a bank account exclusively for use by the "corporation." At this point, one of two things happens: either the "corporation" will send the "employee" a legitimate-looking check, or the "employee" will forward the account details to the "employer", who transfers a modest sum of money - maybe a few thousand dollars - into the account. The fraudster then instructs the mule to withdraw 90-95% of the money. Once the cash is in hand, the mule is sent to a Western Union office, where they transfer the money back to the "employer", keeping their 5-10% share as their "salary."
Unfortunately, the only real check this mule is going to get is a reality check. The check provided by the "corporation" is counterfeit, but this only comes to the attention of the mule sometime later on, well after the withdrawal and transfer is completed. Once the bank realizes the check is counterfeit, they reverse the deposit, which then brings the account into overdraft, leaving the mule with a fairly significant debt to the bank. When a direct transfer is made into the account by the fraudster, it comes from a compromised bank account. Once the transfer is reported to the originating bank as fraudulent by the account owner, they reverse the transaction, with the same results - the mule is left on the hook for the debt.
This means that the person without a job is now jobless and in debt, the person struggling to get out of debt is now deeper in it, and the retiree's pension check just got much thinner. The bank is upset with the mule, the mule is upset with the "employer," and the "employer" is laughing all the way to the bank (for lack of a better term).
The mule now feels like an ass, having been taken advantage of and victimized as a result of their ignorance and/or greed. To make matters worse, when the "employee" opens an account for their "employer", they are instructed to provide the account details - along with all other common employment information like Social Security/Insurance Numbers, full name/address, etc. to the "corporation". This instantly makes the employee a victim of identity theft, as the fraudster collects this information for sale on the black market (or personal use) later on.
According to the Internet Crime Complaint Center (IC3), money mule handlers have tried to steal $100 million from small- and medium-sized businesses - who knows how much money the mules have lost as a result of these schemes.
Money mule handlers - I'm hesitant to use this term, but the "masterminds" behind these schemes - are good businesspeople. They are only interested in streamlining their business and maximizing their profits. Some are part of larger, real-world criminal organizations/gangs, some operate exclusively in the tubes of the Internet. Regardless, money remains the driving factor, and as banks get hip to the tactics of money mule operations, they begin implementing strategies to prevent their customers from suffering the same credit-score-reducing fate. The handlers pick up on this, and start blacklisting banks - essentially telling the mules where they should be opening accounts.
Throughout our travels around the ‘Net, BrandProtect comes across all kinds of scams and associated data. One juicy tidbit was a list sent around by a mule handler's handler - the person that directs the handlers how to run their "departments" efficiently, and makes executive decisions for the group. So, what's on this list? Well, Dearest Reader, I'm glad you asked. The list contains names of almost 50 U.S. banks that are known to have lax account security in place, idyllic environments for the growth of the criminal's business.
Straight from the file itself: "Ask your clients... to open a Checking account and provide the log in details, such as "User name, Password, the 3 Security Questions and Answers". They should go into the bank and get the account opened. It should NOT be done online. In a state that has more than one bank, please send all the banks to him so that he will choose the one that is convenient for him."
As you can see, this is not the work of a half-baked junkie looking to make a quick score - lots of time and effort has been invested in this, because the perpetrators know the rewards are great.
Are you on the list of banks known by criminals to have lax account security in place? Drop us a line, and we'll let you know.
Co-authored by: Michael Kiefer, BrandProtect
Posted by Shanna Gordon on Tue, Feb 02, 2010
If someone was breaking into your house every night while you slept and taking money from your piggy bank, wouldn’t you try to stop it? So why aren’t large corporations doing more to stop perpetrators from continuously stealing revenue from their bottom line? Through traffic diversion schemes, the selling of counterfeit goods, unauthorized associations, identity theft attacks and defamatory social media discussion, brands are being violated, reputations tarnished and significant revenues lost.
Traffic diversion schemes include domain cybersquatting (e.g. www.fasebook.com) and various other tactics to direct traffic away from your site (sometimes to competitors’ sites or even pornography).
Why spend thousands or even millions of dollars on a marketing budget just to have the benefits diluted and revenue stolen from you through various traffic diversion schemes? CMOs need to start paying attention to this and start protecting their brands.
Wouldn’t you also want to know if someone was saying they were a partner of yours? Think it’s not important? Take for example a financial organization down south: we recently found a “hate group” site claiming on their website that they conduct all their banking at this organization. If one influential blogger/tweeter comes across this post, the bank’s reputation can be tarnished in days or even hours through social media. Which brings me to my next point…
Marketers also need to continuously monitor social media sites for potentially damaging situations. It only takes minutes for an influential blogger to say something slanderous, for someone to make a negative video or for a disgruntled employee to post confidential information, and the word spreads like wildfire. Free tools can provide some minimal coverage, but the time it takes to weed through the junk is prohibitive. Prioritizing what’s relevant and emotionally charged, to mitigate negative impact on your brand, is necessary.
I think some of the hesitation in the past for marketing departments not leveraging brand protection services is that they didn’t know what they would do with these “issues” once they were uncovered. They also strongly hesitated to get their legal departments involved in these situations, for obvious reasons (very expensive!), so why not just ignore it? That is where cease and desist capabilities can help manage these situations in a very cost effective way and help remove the vast majority of the threats uncovered. Not to toot our own horn, but BrandProtect’s track record for getting infractions removed via cease and desist methods alone is approximately 70-80%.
So once again, I ask the question…..if someone was breaking into your piggy bank every night, wouldn’t you try to stop it?
Posted by Jamila Hunte on Mon, Jan 18, 2010
We live in an age where there is a need to have information right at our fingertips. Not only do we need to have information that is easily accessible, we also need to be mobile.
With the introduction of mobile devices like the iPhone, users are able to have the best of both worlds. Apps are all the rage. You can make your shopping list, check the weather, see your new friend request on Facebook, play your favourite video game and read your favourite book and these are just the tip of the iceberg.
Recently, a new app found its way to Google’s Android Market, an app store maintained for its mobile services. This new application appeared to offer a feature that would allow the user to gain access to their bank’s website through a shortcut. It is now believed that this app and 50 similar apps were engaged in malicious activity – activity that could lead to phishing attempts. A recent article in computerworld.com provides more information on this app, created by a developer known only as “09Droid”.
This Android app was brought to my attention and was a concern for one of my clients. We were concerned that this app could have been downloaded by their customers who were innocently looking for an easy way to access their bank account.
Luckily we were able to make contact with one of the sites that was advertising the app, and since then it has been removed. There was still a concern, however, that there could be other sites that provide this app. According to a recent article in willhall.ca, the apps have been removed by Google.
We have been put at ease, at least for now…
There could be another Android app lurking around out there, but the word is getting out and banks and credit unions are beginning to make their customers aware that what may appear to be a handy shortcut could get them in a world of trouble. So buyer BEWARE!!!
Posted by Kevin Joy on Mon, Jan 04, 2010
“Lies, damned lies, and statistics”
For quite some time now, we have increasingly encountered a question when talking to potential clients: “What is your average takedown time?” This is a completely logical question to ask – cutting the lifetime of phishing sites is the whole point of employing a takedown service such as ourselves - but the question is a dangerous one.
First and foremost, there is no average phishing attack. Each has different characteristics, sources and impact, and therefore the notion of an average takedown time is very misleading. Simple attacks can be taken down in a matter of minutes, while some of the more sophisticated attacks, particularly those hosted on a fast-flux botnet, can take several hours or even days to resolve despite continuous efforts by the takedown provider. Since there is no guarantee that smaller organizations will be targeted less, and rarely in a fast-flux attack, the average takedown time is almost completely irrelevant.
Vendors also have different definitions of what exactly constitutes an incident. Some of our competitors consider every distinct URL an incident, whereas BrandProtect has special guidelines for grouping similar URLs into one incident. This diversity amongst providers makes calculation of the average takedown time inconsistent, despite the unfortunate cases in which some of our competitors try to lay claim to having the fastest average takedown times.
Somewhat unsurprisingly, if BrandProtect were to play that game, our data suggests that our takedown times would equate to being significantly faster than those for our nearest competitor. But BrandProtect doesn’t play that game. We don’t claim to have the fastest takedowns in the industry; we claim to be the best. Being the best is more than getting sites disabled quickly (which we do quite well, thankyouverymuch!), but also providing our customers with above-and-beyond service.
Success in dealing with identity theft attacks cannot be measured by something as variable as takedown time – success is a function of detection, takedown, and communication effectiveness, all of which have a significant bearing on the overall time in which a phishing attack can cause damage. Collaborating with clients and other partners to improve every aspect of our offering – detection, analysis, customer education programs, our client portal, reporting processes, etc. – is the only way to ensure the utmost client confidence that our response to an attack will result in minimal damage.
Posted by Minal Pithia on Mon, Dec 21, 2009
Marshall McLuhan's 1962 prediction of the "global village" is manifested today in the form of the internet, a self-governing community without borders involving the integration of different cultures. Worldwide communication is instantaneous and the internet is becoming more global and accessible. Did you know that the first official domain name in non-Latin characters will appear in 2010? The Bulgarian government is one of the first to register internet domains in Cyrillic. It will be interesting to see the impact this will have on the internet.
Recently, the Internet Corporation for Assigned Names and Numbers (ICANN) approved a fast-track process for implementing non-Latin domain names by early to mid 2010. As Latin characters have dominated the internet, a switch to non-Latin characters will allow people from all over the world to register domains in Arabic, Mandarin, Japanese and Russian, to name a few. With this new implementation, controlling spammers and phishers may become problematic. Peter Wood, member of ISACA's Conference Committee and founder of First Base Technologies, states, "While we understand the interest in expanding the characters offered in other languages, we are concerned that an increase in web site characters could lead to greater security risks and consumer fraud." As many characters in modern scripts resemble Cyrillic characters, many experts predict an increase in spoofed URLs that make it hard for users to distinguish a fraudulent site from an authentic one. For example, here is a list of characters in Cyrillic that look like Latin characters: y, k, e, x, b, a, p, o, c and g. Characters that look alike are known as homographs. The scope for homograph attacks widens, as IDNs allow for the use of the full Unicode character set. One could see the implications of this, as it's possible to create domains like "bank" using the lower case Cyrillic ‘a'.
There is a defense mechanism for this: Firefox has an add-on which "Puts a little flag in the status bar that tells you whether you are visiting a Traditional Domain Name (green TDN) or an International Domain Name (UN-blue IDN with translation to Punycode)". It is also important to educate yourself about various phishing attacks and to never click on suspicious links in an email. When in doubt, it would be good to get into the habit of typing URLs directly into browsers.
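The check described above can be done programmatically as well. The following Python is an added example, not code from the original post or from the Firefox add-on it mentions: it converts a domain to its Punycode (xn--) form with the standard library's idna codec and, going one step further than the green/blue flag, reports a label that mixes scripts (a Latin "bank" with a Cyrillic ‘а' substituted) as a possible homograph. The sample domains and the function names are constructed for the example.

```python
import unicodedata

# Character classes legitimately shared by every script inside a domain
# label (digits and the hyphen), so they are not counted as a "script".
COMMON_NAME_PREFIXES = {"DIGIT", "HYPHEN-MINUS"}


def scripts_in_label(label):
    """Return the set of scripts (first word of the Unicode name) used in one label."""
    scripts = set()
    for ch in label:
        name = unicodedata.name(ch, "UNKNOWN")
        prefix = name.split(" ")[0]
        if name == "UNKNOWN" or prefix in COMMON_NAME_PREFIXES:
            continue
        scripts.add(prefix)
    return scripts


def is_mixed_script(domain):
    """True if any label mixes scripts, the signature of a lookalike built from homographs."""
    return any(len(scripts_in_label(label)) > 1 for label in domain.split("."))


def to_punycode(domain):
    """ASCII (xn--) form of the domain, i.e. the Punycode the add-on in the post shows."""
    return domain.encode("idna").decode("ascii")


def is_idn(domain):
    """An International Domain Name has at least one label that encodes to xn--."""
    return any(label.startswith("xn--") for label in to_punycode(domain).split("."))


def non_latin_characters(domain):
    """(position, char, Unicode name) for every non-Latin letter, to show the user what differs."""
    found = []
    for pos, ch in enumerate(domain):
        name = unicodedata.name(ch, "UNKNOWN")
        if ch.isalpha() and not name.startswith("LATIN"):
            found.append((pos, ch, name))
    return found


def classify(domain):
    """One-line verdict; green/blue follow the add-on described above, red is the extra check."""
    if not is_idn(domain):
        return "green: traditional ASCII domain"
    if is_mixed_script(domain):
        return "red: IDN mixing scripts, possible homograph (%s)" % to_punycode(domain)
    return "blue: IDN (%s)" % to_punycode(domain)


if __name__ == "__main__":
    # Constructed samples: the second replaces the Latin 'a' in "bank" with
    # Cyrillic U+0430; the third is an all-Cyrillic label (a legitimate IDN).
    samples = ("bank.example", "b\u0430nk.example", "\u0431\u0430\u043d\u043a.example")
    for sample in samples:
        print(repr(sample), "->", classify(sample))
        for pos, ch, name in non_latin_characters(sample):
            print("   position %d: %r is %s" % (pos, ch, name))
```

Running the script prints one verdict per sample; the mixed-script case is the one to flag, since an all-Cyrillic label is exactly the kind of legitimate registration the ICANN process is meant to enable.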
The borderless world of the internet provides many opportunities for companies to create a global online presence. The introduction of IDNs increases the potential for more online business, since it allows companies to effectively target larger audiences and widen their scope on the internet. Protecting brands and reputation online has never been more important than it is today, in the ever evolving world of the internet.
Posted by Dylan Sachs on Fri, Dec 04, 2009
It has been well known for some time - at least, amongst those in the industry and by those with coverage - that having a solid takedown service is essential to limiting the exposure you and your customers face as a result of phishing attacks. Studies have shown - consistently - that brands who have a well-defined takedown process (including a third-party takedown company) experience significant reductions in the lifetimes of phishing sites targeting their customer base.
Recently, there has been a spike in fast-flux, high-volume phishing activity. Previously, this was known as "Rock Phish" activity; however, that can be considered version 1.0 - domains, hosted on a botnet, targeting multiple financial brands and their customers via phishing sites. Version 2.0 - known as Avalanche or ZBOT - is particularly troubling as they have evolved to include a malware payload, and broadened their target base by including social networking sites, government agencies, and even spoofing the email recipient's domain. While complete fraud-loss and malware infection rates are difficult to come by, Damballa research found that the Zeus Trojan - the malware payload included in the Avalanche attacks - has infected 3.6 million systems in the U.S. alone.
In addition to giving up their banking credentials, hundreds - possibly thousands - of users are unknowingly becoming infected daily with one of the most difficult-to-detect pieces of malware ever seen. Zeus makes up 44% of all finance-related malware, and provides the fraudsters with complete access to the infected host, allowing them to upload keylogging software, automatically steal login credentials, even route legitimate domains to phishing pages. Even those systems with up-to-date anti-virus software aren't immune from infection by Zeus - Trusteer found that up to 77% of infected systems had up-to-date AV definitions (and that across all AV software, there was only a 23% detection rate of Zeus). Earlier, I mentioned that the Avalanche attacks were targeting social networking sites - the same social networking sites that have been used as command-and-control centres for other pieces of malware.
The simplest solution is often the most effective, and when dealing with hosted malware and phishing sites, the simplest solution to prevent further infections or credential loss is to get the content removed. The Anti-Phishing Working Group recently published their 1H2009 Global Phishing Survey, in which they have a section detailing the Avalanche phish. Their findings showed that Avalanche domains had an average lifetime of 18 hours, 45 minutes from the time the email was sent out to the time the site became unavailable. In the grand scheme of things, this is a fairly short lifespan - the same report outlines the average lifetime of standard phishing sites as being 39 hours, 11 minutes. While this is promising, it still leaves 18 ¾ hours open to steal credentials and infect unwitting users.
BrandProtect first saw our clients being targeted in late June, with three more clients being added to the target list in the following months. In total, 506 domains were launched which had pages (either phishing, malware, or both) targeting our clients. BrandProtect's 24/7 Incident Response Team has a distinct advantage over other takedown providers in that they have team members spanning the globe, able to converse with the registrars of these domains in their native tongue, during their normal business hours. This advantage resulted in an average lifetime of the domains targeting our clients of 7 hours, 48 minutes - or a 60% reduction over the reported industry average. Needless to say, our clients are quite pleased with these results.
Now, if only there was a way to prevent people from clicking links in email messages...
Posted by Minal Pithia on Tue, Oct 06, 2009
As an Incident Response Analyst at BrandProtect I communicate with ISPs, registrars and domain owners on a daily basis. Recently, I spoke with an aggravated website owner who said to me "I don't understand why my site has been repeatedly hacked, I changed my passwords, deleted the fraudulent folders and my hosting company is no help". Many frustrated website owners experience the same thing. They don't understand why they keep getting hacked. If you leave doors open to your site, it's very easy for perpetrators to get in. The key to protecting your site is to maintain it and make sure security always comes first. A website is like your home; it's your virtual space. You should invest in secure doors and locks. It's mind boggling to see the number of sites that get hacked. Nowadays, creating your own website or blog is simple and inexpensive; unfortunately, people are avoiding taking various security measures.
When building a website, don't build a castle on a cloud. Although it's important to make the site look good, what's the point if it's insecure? From my experience, I have noticed that website owners lack the background to maintain their sites and don't understand the vulnerabilities that hackers expect to find in them. Most often when sites get hacked we hear about terms like Patches, SQL injection and Cross Site Scripting (XSS). But what do these terms really mean? Here are a few definitions that will help us understand how sites get hacked:
Patches - Patches work like bandages, they seal flaws in software to make it work better. Software companies often have to fix bugs on their program due to security problems or to add new features.
SQL injection - this is one of the most popular security vulnerabilities in web applications today. We see this in sites that allow users to query a database; when a user enters data into a field, it is then inserted into a SQL command without any checking. This type of attack allows the perpetrators to manipulate the database of a site and allows them to bypass authentication into a site. Here is some more good info on SQL injection.
Cross Site Scripting (XSS) - this security vulnerability allows a malicious website to load another website into a frame and use JavaScript to read or write data on the other website. Attackers find clever ways of injecting malicious scripts into web pages where they can gain access to sensitive information. Unfortunately, many XSS vulnerabilities lead to phishing sites.
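The two definitions above come down to the same root cause: user-supplied text is pasted into something that has its own grammar (a SQL command, an HTML page) "without any checking". The following Python is an added example, not code from the original post: it shows a login query built by string formatting beside the parameterised version, and a comment page built by concatenation beside one that escapes each comment, so the same crafted inputs can be run against both. The in-memory SQLite table, the sample user and comments, and the function names are all constructed for the example.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted straight into the SQL text: the injection the post describes."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the input as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


COMMENT_PAGE = "<html><body><h1>Comments</h1>\n%s</body></html>"


def render_comments_vulnerable(comments):
    """Builds the page by concatenation, so markup inside a comment becomes live markup."""
    items = "".join("<li>%s</li>\n" % c for c in comments)
    return COMMENT_PAGE % ("<ul>\n%s</ul>\n" % items)


def render_comments_safe(comments):
    """Escapes each comment before embedding it, so the browser shows it as text."""
    items = "".join("<li>%s</li>\n" % html.escape(c, quote=True) for c in comments)
    return COMMENT_PAGE % ("<ul>\n%s</ul>\n" % items)


def contains_raw_script(page):
    """Cheap check used only to show the difference here; the fix is escaping, not detection."""
    return "<script" in page.lower()


if __name__ == "__main__":
    conn = build_db()
    # Constructed input: a quote character that closes the string literal in the
    # unchecked query, followed by a condition that is always true.
    crafted = "' OR '1'='1"
    print("vulnerable login with crafted password:", login_vulnerable(conn, "alice", crafted))
    print("parameterised login with same input:   ", login_safe(conn, "alice", crafted))

    # Constructed comments: the second one carries a script tag.
    comments = ["Great post!", "<script>alert('xss')</script>"]
    print("script tag reaches the page (vulnerable):",
          contains_raw_script(render_comments_vulnerable(comments)))
    print("script tag reaches the page (escaped):   ",
          contains_raw_script(render_comments_safe(comments)))
```

The parameterised query returns False for the crafted password because the whole string is compared as a value; the escaped page still displays the comment, but as `&lt;script&gt;` rather than as an element the browser would execute. This is the "formatting of database queries and statements" that tip 3 below refers to.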
The key to protecting your site from getting hacked is simple: maintain it and keep it up to date. If you are using WordPress, Joomla or Apache, make sure you update it with the latest security patches. Updating your software is extremely important. Unlike Microsoft, web applications don't always alert their users to update. Therefore, be proactive and don't always rely on your web hosting company. They are not responsible for maintaining your website and are not responsible if your site gets hacked. Always look for the latest updates and do your research. Lastly, secure your password. Take a look at Dylan Sachs' blog on "Password Security - sing a song, save some stress".
For expert advice I turned to BrandProtect's IT Manager Adam Chrichton, who lists a few important tips:
1. If you operate your own web host, keep it up to date (whether IIS or Apache) with current patches. Same goes for the database if you use one. If you use a hosted service, make sure they keep things up to date/patched. If they don't, find someone else.
2. Use very secure passwords for all logins. If you must use a dictionary word, use two with a space or punctuation between them, and put at least one capital, one number and perhaps a punctuation mark. Make sure it's at least 8 characters long. If possible, change it every 45 - 90 days.
3. Guard against code errors like SQL injection vulnerabilities by having your web site code verified by a professional programmer. While lots of people can make a web site, and often at an inexpensive cost, they don't know how to format their database queries and statements to protect against common attacks.
4. If you operate your own web host, run a server antivirus product on it if it's Windows. While some Linux viruses do exist, they're much less common since there are fewer desktop computers running Linux.
5. If you operate your own web host, make sure you have a good (i.e. tier one or two vendors like Cisco, Juniper, Watchguard, Sonicwall) firewall to protect it. Put the web host server in a DMZ, not in your main (trusted) network. Don't permit access between the DMZ and your main (trusted) network.
6. Don't be afraid to pay for a reputable firm to do a security audit if budget allows. While security audits can't always practically have all recommendations followed to the letter, they will at least help you understand in what ways you're exposed.
Websites are fun and easy to create and also very useful. It's worth going the extra mile to get a professional to look at your site. The key to building a good website is to treat it like your home; secure it, clean it and maintain it.