03 July 2009

Nominet Best Practice Challenge Awards 2009

Last night I had the pleasure of attending the Nominet Best Practice Challenge Awards 2009 at Banqueting House in Whitehall, London.

In the Best Security Initiative Award, OWASP Board member Dinis Cruz, OWASP London chapter leader Justin Clarke and I were representing The Open Web Application Security Project. Our entry for the 2009 Best Practice Challenge had been shortlisted in June.

The judges were impressed by [OWASP's] ambitious work and conference programmes and the way [OWASP] has developed and widened its reach

It was interesting to see the innovative work being undertaken across the UK in security, access, diversity and openness. The Yorkshire Business Crime Reduction Centre (BCRC) won the Best Security Initiative Award. The BCRC is supported by South Yorkshire Police and the Regional Development Agency, and undertakes e-commerce and physical security assessments for small and medium-sized enterprises (SMEs) in the area. Their recent E-Crime Guide is a very useful introduction to the issues.

It is good to see an increasing awareness of online and e-commerce security, and this looks likely to continue with the recent announcement by the Prime Minister of new initiatives to secure the UK from cyber threats, following publication of the Digital Britain report last month.

Posted on: 03 July 2009 at 11:16 hrs


30 June 2009

Is Britain Still Under Construction?

Old, backup, "secret" and test pages, scripts and other files shouldn't be left on live web sites. The Visit Britain web site should be a showcase for Britain, but I was trying to find a particular page and looked at their 97-page long full sitemap.

Partial screen capture showing the top left of the Visit Britain full sitemap - the results shown are Videos, Reviews, UK travel and accommodation - Home Page, ad tag test page, Home Page for Familiar Markets, Old Home Page, test-script, weather test, Yell, Delete, Tourist Guides, All UK

Oops: the 4th, 6th, 7th and 8th links were all test or old pages. I couldn't believe this prominent web site had no procedures in place to manage draft and test content, or that it was publishing such pages at all. The result test-script worried me most, but fortunately all four of these returned "not found" when clicked.

I wonder what the page "Delete" does though?

People use search engines such as Google to find hidden information on web sites (aka Google Hacking), but it's uncommon for web sites to clearly list it in their own site map. Rather than ploughing my way through the impenetrable site map, I switched to Google to see what it had found, using the search query "site:www.visitbritain.co.uk test". Skipping the results about cricket test matches and testing your handicap revealed links to more test pages:

Montage of content from Visit Britain website including test pages and test forms

My favourite must be the page with the parent page labelled "Food & Drink - to be deleted EVENTUALLY" in the breadcrumb trail:

Partial screen capture showing the breadcrumb trail - You are here: * Home * Things to See & Do * Interests * Food & Drink - to be deleted EVENTUALLY * AA Copyright Test

These types of practice don't instil any confidence in the management of the web site. Old, backup and test files may contain sensitive data (credentials, source code, internal hostnames), allow access to application functions otherwise restricted, or contain faults that have been fixed in the current version. And, if you actually list them, it looks terrible! Web sites and web applications don't just look after themselves—you need clear policies, a well-designed specification, a robust development contract, good management, skilled staff, verification processes and a willingness to learn from good practices elsewhere.

Today's message: read Testing for Old, Backup and Unreferenced Files.
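As an added example (not code from the original post or from the OWASP Testing Guide), here is a Python script that applies the checks that guide section describes to a sitemap: it flags entries whose path contains test/old/draft-style tokens as whole words (so "contest" is not flagged), builds the backup and editor-leftover names an attacker would guess beside a known resource, and probes them through a caller-supplied fetch function. The sitemap, the host www.example.com and the fake fetch used in the demo are all constructed.

```python
"""Find test, old and backup files: sitemap tokens plus guessed backup names.

Added example; the sitemap below and www.example.com are constructed inputs.
"""
import posixpath
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Tokens that mark draft, test or leftover content when they appear as a whole
# word in a URL path (so "contest" or "golden" are not flagged).
SUSPICIOUS = re.compile(
    r"(?<![a-z0-9])(test|testing|old|bak|backup|draft|tmp|temp|copy|delete|orig|dev|staging)(?![a-z0-9])",
    re.IGNORECASE,
)

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sitemap modelled on the kind of entries described in the post.
SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/ad-tag-test-page</loc></url>
  <url><loc>https://www.example.com/old-home-page</loc></url>
  <url><loc>https://www.example.com/test-script</loc></url>
  <url><loc>https://www.example.com/delete</loc></url>
  <url><loc>https://www.example.com/tourist-guides</loc></url>
  <url><loc>https://www.example.com/contest-results</loc></url>
</urlset>
"""


def load_sitemap(xml_text):
    """Return the <loc> URLs from a sitemap document."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.findall("sm:url/sm:loc", SITEMAP_NS)]


def suspicious_entries(urls):
    """(url, token) for every URL whose path contains a suspicious token."""
    found = []
    for url in urls:
        match = SUSPICIOUS.search(urlsplit(url).path)
        if match:
            found.append((url, match.group(1).lower()))
    return found


def backup_candidates(url):
    """Backup/editor-leftover names commonly found beside a live resource."""
    parts = urlsplit(url)
    directory, name = posixpath.split(parts.path)
    if not name:                       # directory URL: no file name to derive from
        return []
    stem, ext = posixpath.splitext(name)
    names = [name + suffix for suffix in (".bak", ".old", ".orig", ".save", "~")]
    if ext:
        names.append(stem + ".bak")    # login.php -> login.bak
        names.append(name + ".txt")    # served as text: source disclosure
    names.append("." + name + ".swp")  # vim swap file left on the server
    return [
        urlunsplit(parts._replace(path=posixpath.join(directory, n), query="", fragment=""))
        for n in names
    ]


def find_exposed(candidates, fetch):
    """Keep the candidates for which fetch(url) reports HTTP 200.

    fetch is injected so the logic runs offline; pass http_status for a live
    check. Servers that answer 200 for everything (soft 404s) also need a
    content comparison, which this does not do.
    """
    return [url for url in candidates if fetch(url) == 200]


def http_status(url):
    """Live status lookup with the standard library (HEAD request)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for url, token in suspicious_entries(load_sitemap(SITEMAP_XML)):
        print("suspicious sitemap entry:", url, "(token:", token + ")")
    # Stand-in for http_status so the demo runs without network access.
    fake_fetch = lambda url: 200 if url.endswith(".bak") else 404
    for url in find_exposed(backup_candidates("https://www.example.com/scripts/login.php"), fake_fetch):
        print("backup file exposed:", url)
```

Run it against a real sitemap by replacing SITEMAP_XML with the fetched document and passing http_status to find_exposed; the token list and suffix list are the assumptions to tune for a given site.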

Posted on: 30 June 2009 at 08:40 hrs


26 June 2009

Don't Stop Password Masking

I was surprised to see the latest advice Stop Password Masking from Jakob Nielsen.

Password masking has become common for no reasons other than (a) it's easy to do, and (b) it was the default in the Web's early days.

Jakob Nielsen has raised many usability topics in his Alertbox column, but he is not always correct. Although I used to read the column with an open, if somewhat sceptical, mind, I gave up some time ago*.

No, password masking isn't just some legacy design artefact. Like other design choices relating to user identification and authentication, it has a significant impact on user trust and on data privacy, confidentiality and integrity. It is wrong to suggest that masking should be removed by default. By all means inform users of the risks and let them choose to display the characters being typed, but don't make that the default state. More and more web sites are being accessed away from home, and being overlooked by other people or by surveillance cameras is commonplace almost everywhere.

Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there.

On e-commerce sites, the need to log in can often be removed completely, or made non-compulsory. Too often security controls are applied for other reasons, such as to generate information for sales and marketing reports, rather than to ease the purchasing process. For more critical data, the use of authentication mechanisms other than static passwords should be considered.

* I stopped reading Alertbox after Jakob Nielsen became very defensive about his training material only being available on DVD and not VHS tape, as many people had requested. His argument was that DVD players were so cheap, people should upgrade. Yet at the time, he was promoting the idea that web sites would render in all browsers—including old legacy ones.

Posted on: 26 June 2009 at 08:43 hrs


23 June 2009

Web Site Security Maturity Model

The Web Site Security Maturity Model gives an at-a-glance indicator, or litmus test, of an organisation's web site security posture!

Illustration like a litmus paper test colour chart, labelled 'Web Site Security Testing Laboratory', the instructions 'Compare your test paper with these colours and pick the correct level' and five maturity level colour/color swabs, red=1, orange=2, gold=3, green=4 and blue=5

Organisations tend to fit into one of five categories, which I'll light-heartedly call the Web Site Security Maturity Model. This is comprised of five maturity levels, and it's very easy to determine your own organisation's level. Start at the lowest (level 1) and work up the maturity model—stop as soon as you agree with the statement:

1: Use FTP to update the web site

2: Worried about web site security

3: Have undertaken a web site security audit or review

4: Security built into web site development and operation processes

5: Don't have a web site

So on this quick guide, the safest option is not to have a web site. Many small and medium-sized organisations are operating at maturity level 1.

But seriously, if you want to review and improve the security of your web site and other software development processes properly, the Software Assurance Maturity Model is the best starting point.

Posted on: 23 June 2009 at 08:36 hrs


19 June 2009

Marketing Email Opt Out? Let's Make It Very, Very Difficult!

We all have to deal with too many email messages. Sometimes you opt in for something, or it's a requirement for access to some service, and some time later you want to opt out again.

Well, one email too many from Haymarket Publishing (I can't really remember choosing to opt in for 3Dconferences anyway) and I copied the unsubscribe hyperlink (like http://ecm.hbpl.co.uk/public/unsubscribe.jsp but with some additional parameter values) into a secured browser to visit the unsubscribe form:

Screen capture of Haymarket's publication unsubscribe form with introductory text, a text field for email address and a (disabled) submit button

But the email text field was not activated—I could not tab to or click on the field to enter my email address. The field had the disabled attribute set:

Partial source code for the above form showing the attribute 'disabled' in the text field

Usability failure. Accessibility failure. Security challenge. Well, not so much a challenge as a minor annoyance.
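The check Haymarket evidently did not run, written here as an added Python example (not code from the post or from Haymarket's site): parse the form as served, list its controls, and report any that carry the disabled attribute, since a disabled control is skipped by the tab order, ignores clicks and is left out of the submitted data. The form HTML is constructed to mirror the one described above; the field names and the action path are assumptions.

```python
"""Check that a form's user-facing controls can actually be used and submitted.

Added example; the form HTML below is constructed to mirror the post.
"""
from html.parser import HTMLParser

FORM_HTML = """
<form method="post" action="/public/unsubscribe.jsp">
  <p>Enter the email address you want removed from this mailing list.</p>
  <input type="hidden" name="list" value="conferences">
  <label for="email">Email address</label>
  <input type="text" id="email" name="email" disabled>
  <input type="submit" name="go" value="Unsubscribe">
</form>
"""

CONTROL_TAGS = {"input", "select", "textarea", "button"}


class FormControls(HTMLParser):
    """Collect every form control with its name, type and disabled flag."""

    def __init__(self):
        super().__init__()
        self.controls = []

    def handle_starttag(self, tag, attrs):
        if tag not in CONTROL_TAGS:
            return
        attr = dict(attrs)  # boolean attributes such as disabled arrive as (name, None)
        self.controls.append({
            "tag": tag,
            "name": attr.get("name"),
            "type": (attr.get("type") or ("submit" if tag == "button" else "text")).lower(),
            "disabled": "disabled" in attr,
            "readonly": "readonly" in attr,
        })


def parse_controls(html):
    parser = FormControls()
    parser.feed(html)
    parser.close()
    return parser.controls


def disabled_controls(html):
    """Names of controls that cannot be focused and are never submitted."""
    return [c["name"] for c in parse_controls(html) if c["disabled"]]


def form_usable(html):
    """True if the user can both enter data and submit the form.

    Readonly fields are still submitted, so they are not counted as blocking;
    a disabled field or a disabled submit button stops the whole flow.
    """
    controls = parse_controls(html)
    enterable = [c for c in controls
                 if c["type"] not in ("hidden", "submit", "button", "image", "reset")
                 and not c["disabled"]]
    submittable = [c for c in controls
                   if c["type"] in ("submit", "image") and not c["disabled"]]
    return bool(enterable) and bool(submittable)


if __name__ == "__main__":
    print("disabled controls:", disabled_controls(FORM_HTML))
    print("usable as served:", form_usable(FORM_HTML))
    fixed = FORM_HTML.replace(' name="email" disabled>', ' name="email">')
    print("usable once the attribute is removed:", form_usable(fixed))
```

Feed the parser the HTML a real browser receives (after any server-side templating), not the source in the repository, because the attribute may be injected by a script or a template condition that only fires in production.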

Don't Haymarket Media Group check their response forms? Cynical people might suggest they don't want people to opt out from their mailings. However, allowing users to unsubscribe from marketing emails is not an optional obligation. The Privacy and Electronic Communications (EC Directive) Regulations 2003 state:

A person may send or instigate the sending of electronic mail for the purposes of direct marketing where ...the recipient has been given a simple means of refusing ... and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

Oh, and where are the privacy policy and company contact details?

Compliance failure.

Posted on: 19 June 2009 at 09:31 hrs


16 June 2009

FTP is not an Option

Many websites are updated using File Transfer Protocol (FTP). Don't do it.

A discussion thread How Do You Store FTP Login Information For Your Clients? highlighted what common practices are, but almost entirely missed the issues of transferring login credentials over unencrypted channels, privileged access to the whole server, account sharing, and password and user management.

... [I] also put the info in the client file folders (actual paper client folders) for future reference and sometimes in Outlook business Contact Manager...

It's no surprise that some of the most serious hacks are suspected of being undertaken using compromised FTP accounts.

FTP is not an option. Ask your hosting company or systems staff to disable FTP services and to block all traffic to/from your web servers on TCP ports 20 and 21 (active-mode data and control) at your network firewall. Passive-mode transfers use a server-chosen high port, so disabling the service is what actually matters and the firewall rule is defence in depth. Use SFTP or SCP over SSH instead; both carry the login and the files inside an encrypted session.
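As an added illustration (not from the original post), the script below reconstructs what anyone on the network path, including whoever controls a hosting company's switch, sees on an FTP control channel: the username and password in clear text, and the passive-mode data port the server hands out. The capture is constructed in the form a "Follow TCP Stream" view presents, and 192.0.2.10 is a documentation address; the usernames and passwords are invented. The same upload over SFTP or SCP exposes none of this.

```python
"""Pull logins and data-channel endpoints out of a captured FTP control stream.

Added example; the capture below is constructed (the kind of text a protocol
analyser shows for a reassembled port 21 session).
"""
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
PASV = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

CAPTURE = """220 FTP server ready.
USER webmaster
331 Password required for webmaster.
PASS Summer2009!
230-Welcome to the hosting platform.
230 Login successful.
PASV
227 Entering Passive Mode (192,0,2,10,200,5).
STOR index.html
150 Opening BINARY mode data connection for index.html.
226 Transfer complete.
USER admin
331 Password required for admin.
PASS letmein
530 Login incorrect.
QUIT
221 Goodbye.
"""


def extract_logins(stream_text):
    """Return [{user, password, success}] for each USER/PASS pair and its verdict."""
    user = None
    pending = None            # (user, password) waiting for a 230/530 reply
    logins = []
    for raw in stream_text.splitlines():
        line = raw.rstrip("\r")
        reply = REPLY.match(line)
        if reply:
            code, sep = reply.group(1), reply.group(2)
            if sep == "-":    # continuation line of a multi-line reply
                continue
            if pending and code in ("230", "530"):
                logins.append({"user": pending[0], "password": pending[1],
                               "success": code == "230"})
                pending = None
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            pending = (user, arg)
    return logins


def passive_endpoints(stream_text):
    """(ip, port) pairs from 227 replies: port = p1*256 + p2, chosen by the server."""
    endpoints = []
    for line in stream_text.splitlines():
        if not line.startswith("227"):
            continue
        m = PASV.search(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            endpoints.append(("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2))
    return endpoints


if __name__ == "__main__":
    for login in extract_logins(CAPTURE):
        state = "accepted" if login["success"] else "rejected"
        print("%s: %s / %s" % (state, login["user"], login["password"]))
    for ip, port in passive_endpoints(CAPTURE):
        print("data channel on %s:%d (not port 20)" % (ip, port))
```

The 227 reply is the reason a firewall rule on ports 20 and 21 alone is not the whole story: the data moves on whatever port the server names, and it is the reachable control channel on 21 that hands out the credentials.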

Posted on: 16 June 2009 at 09:28 hrs


12 June 2009

Privacy Notices Code of Practice

The Privacy Notices Code of Practice is being launched today by Richard Thomas, the Information Commissioner.

Partial view of the cover from the draft 'Privacy Notices Code of Practice'

Apart from the minor concern that Richard Thomas had included his signature in the document, the draft looked like it would be a very useful code of practice for most small-to-medium organisations including local government and professional organisations. One issue I raised at the time was the potential for aggregation of data to have more meaning than the individual parts, and that this should be considered in privacy notices so that users are aware of any potential problems. Some of the web form examples included didn't necessarily include other (non-privacy related) good practice such as for web accessibility and web usability. There was also some lack of clarity over the use of the word "security", e.g. "Security and Privacy Statement", which I hope has been corrected.

The explanation of fairness, and the good and bad examples of paper and web form layouts, in the draft from the Information Commissioner's Office (ICO) were particularly helpful.

I'm looking forward to seeing the final version.

Update 10:30 hrs 12th June 2009: The ICO has published a press release and the final Privacy Notices Code of Practice.

Update 14:20 hrs 12th June 2009: The final version has incorporated over 60 suggestions as a result of the public consultation, including the issues of aggregation and use of the word "security". Watch out for legislation relating to Assessment Notices and dealing with failures to act on Assessment Notices.

Posted on: 12 June 2009 at 08:19 hrs


11 June 2009

100,000 Web Sites Lost

The news that the UK hosting company VAServ lost 100,000 web sites all at once is devastating for the organisations involved. It appears that many cannot be recovered and a considerable number did not have recent backups.

From the temporary status page dated 10th June:

We have worked tirelessly through the night and over the last 48 hours to recover as many VPS as possible. However, we have now reached the end of all of our servers, and as such, if your server is not currently up, or not partly up (i.e. it is up but not working due to a configuration issue) then it is unfortunate that you will have lost your data due to this third party attack.

The event was widely reported.

Particularly sobering is the news that the CEO of LxLabs, the developer of the software that was hacked, has committed suicide.

Even if you don't have a formal disaster recovery plan, at least make sure you have backups of all your site code, database and other data.
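The two things a practitioner wants beyond "have backups" are a checksum on the archive and a restore test, because an archive that has never been unpacked is not known to work. As an added Python example (not from the post, VAServ or LxLabs), the script below archives a site tree together with a database dump, records the SHA-256 of the result, restores it into scratch space with a path-traversal check on every member, and compares the restored files with the live tree. The site files and the SQL dump are generated inline; a real run points site_dir at the web root, feeds in the dump from the database's own export tool, and copies the archive off the host, since an attacker who wipes the server wipes any backup stored on it.

```python
"""Back up a site tree plus a database dump, then prove the archive restores.

Added example; the site files and the SQL dump are generated inline.
"""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile
import time


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_site(site_dir, db_dump, out_path):
    """Write site_dir (as 'site/') and the dump (as 'db/dump.sql') to a .tar.gz."""
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
        info = tarfile.TarInfo("db/dump.sql")
        info.size = len(db_dump)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(db_dump))
    return sha256_file(out_path)


def safe_extract(archive_path, dest):
    """Extract only plain files and directories that stay inside dest.

    An archive is untrusted input on restore: '../../etc/passwd' or a symlink
    member would otherwise write outside the scratch directory.
    """
    root = os.path.realpath(dest)
    with tarfile.open(archive_path, "r:gz") as tar:
        members = tar.getmembers()
        for member in members:
            target = os.path.realpath(os.path.join(root, member.name))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError("path escapes destination: " + member.name)
            if not (member.isfile() or member.isdir()):
                raise ValueError("refusing non-file member: " + member.name)
        tar.extractall(root, members)


def verify_restore(archive_path, expected_sha, site_dir, db_dump):
    """Checksum the archive, restore it to scratch space, diff against live data."""
    if sha256_file(archive_path) != expected_sha:
        return False
    scratch = tempfile.mkdtemp(prefix="restore-")
    try:
        safe_extract(archive_path, scratch)
        with open(os.path.join(scratch, "db", "dump.sql"), "rb") as handle:
            if handle.read() != db_dump:
                return False
        for dirpath, _, filenames in os.walk(site_dir):
            for name in filenames:
                live = os.path.join(dirpath, name)
                restored = os.path.join(scratch, "site", os.path.relpath(live, site_dir))
                if not os.path.isfile(restored):
                    return False
                with open(live, "rb") as a, open(restored, "rb") as b:
                    if a.read() != b.read():
                        return False
        return True
    finally:
        shutil.rmtree(scratch)


def demo():
    """Round trip on a generated site; returns the outcome of each check."""
    work = tempfile.mkdtemp(prefix="site-")
    try:
        site = os.path.join(work, "htdocs")
        os.makedirs(os.path.join(site, "css"))
        with open(os.path.join(site, "index.html"), "w") as f:
            f.write("<h1>Visit</h1>\n")
        with open(os.path.join(site, "css", "main.css"), "w") as f:
            f.write("body{margin:0}\n")
        dump = b"CREATE TABLE pages (id INT, title TEXT);\nINSERT INTO pages VALUES (1, 'Home');\n"
        archive = os.path.join(work, "site-backup.tar.gz")
        digest = archive_site(site, dump, archive)
        result = {"restore_ok": verify_restore(archive, digest, site, dump)}
        # Live content changed after the backup: the restore test shows it is stale.
        with open(os.path.join(site, "index.html"), "w") as f:
            f.write("<h1>Visit Britain</h1>\n")
        result["stale_detected"] = not verify_restore(archive, digest, site, dump)
        # Corrupted or tampered archive: the checksum no longer matches.
        with open(archive, "ab") as f:
            f.write(b"\0")
        result["corruption_detected"] = not verify_restore(archive, digest, site, dump)
        return result
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Store the digest with the off-host copy, not only beside the archive, so that a tampered or truncated upload is caught before you depend on it.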

Posted on: 11 June 2009 at 09:46 hrs


09 June 2009

BS 10012 on Data Protection and PIMSs

The new British Standard 10012:2009, Data Protection - Specification for a Personal Information Management System, has been published.

Partial view of the cover from British Standard 10012:2009 Data Protection - Specification for a Personal Information Management System showing the words 'British Standard 10012:2009 Data Protection - Specification for a Personal Information Management System'

British Standard 10012:2009 was the subject of an earlier draft for public comment (DPC) and I worked with the OWASP Industry Committee on a response.

BS 10012 is not an alternative to the excellent guidance for organisations now produced by the UK's Information Commissioner's Office, but instead is a specification for a personal information management system (PIMS). A PIMS is a governance process for all types of personal information within a company but could also be used for other types of sensitive data. BSI's slant on this is that a PIMS, and therefore BS 10012, could help maintain and improve compliance with the Data Protection Act (DPA) 1998.

A good start and one to watch.

Posted on: 09 June 2009 at 10:32 hrs


05 June 2009

E-Commerce and Insurance - The Definitive Guide

On Tuesday I attended an e-commerce insurance book launch by the Insurance Institute of London in the Old Library at Lloyd's of London.

Partial image of the cover from 'Insurance Aspects of E-Commerce' by the Research Study Group 256 of the Insurance Institute of London showing part of the cover photo - a single key labelled 'help' above the keyboard hanging on its spring

Insurance Aspects of E-Commerce was drafted by members of the Insurance Institute of London (IIL) Research Study Group 256. It's worth pointing out that "e-commerce" here refers to doing business electronically, rather than the narrower concept of online payments i.e. payment by debit and credit cards. The publication has chapters about:

  • the effect of IT on the London insurance markets
  • brokers' views on e-risks and e-trading initiatives
  • security of e-commerce
  • experience in underwriting e-risk insurance
  • online third party risks
  • first party risks
  • regulation of online insurance
  • the effects of the Electronic Commerce (EC Directive) Regulations 2002
  • review of the current London (i.e. UK) market.

So it not only explores the issues and challenges to underwriters of e-commerce insurance (sometimes also referred to as cyber liability, internet liability insurance, online insurance or e-trading insurance), but also the effect of IT on insurance (e.g. streamlining, standardisation and e-trading), the regulatory background, issues of e-trading for insurers and a thorough, yet jargon-free, explanation of the information security issues. The latter correctly highlights that e-commerce security is not just related to technology—it's a combination of technology, people and culture.

The e-risk factors for businesses seeking e-commerce insurance are described and include the organisation's activities, locations, turnover, number of staff and the scale of its online activities such as direct revenue and traffic (e.g. web site visitors numbers). Increasingly the organisation's risk management framework and disaster recovery plans are a consideration in whether insurance can be obtained and what the premium is.

The publication is worth reading by anyone responsible for a transactional web site, regardless of whether they are seeking any form of cyber insurance and whether their responsibilities are ownership, marketing, compliance, governance or information systems. Perhaps only the 25 pages of Chapter 7 concerning regulation of online insurance would not be of interest to non-insurance readers.

The 170-page A5 book is available from the IIL for £59+postage, with a discount for IIL and Chartered Insurance Institute (CII) members. ISBN 978-0-900493-88-1.

Posted on: 05 June 2009 at 08:45 hrs



Web Security, Usability and Design
http://www.clerkendweller.com/


© 2008-2009 clerkendweller.com