THE NEED FOR GREAT WEB AND INTERNET SECURITY JUST ESCALATED.

It seems that every day brings new challenges to the world of e-commerce security, but now with the popular idea of becoming a “hacker” with so many misaligned folks, those daily challenges are jumping right into your living rooms. Nothing is sacred and has not been for quite some time.

In early September 2015, during the course of ethical investigation regarding additional utilization of our security technologies, we happened to discover a truly bothersome situation that required a step back and several weeks of further verification. We have notified directly affected manufacturing and sales entities. When we have fulfilled our responsibility to them, we will then fulfill our additional responsibility to inform everyone.

We had no sooner completed our research and issued the first courtesy notifications on Monday the 19th of October 2015, than on the very same day, MICHAEL CASEY of FOX NEWS released a CYBERCRIME article titled “Companies need to start making security part of their brands, experts say.” This is an absolute “MUST READ” for everyone who owns and uses a computer – period.

There is a disturbing connection between the content of Mr. Casey’s article and our recent discoveries, which confirm his pronouncements. Once we have fulfilled our obligation to affected businesses, we will publish that information in generic form at the appropriate time.

Additional information is forthcoming. Meanwhile, please locate and follow the manufacturer’s instructions for resetting the password on your modem and your WiFi router.

© 2015-2017 THE IRON JACKET,™ LLC

& RAIDIAN™ Global, Inc.

Why all Websites, ESPECIALLY small businesses, need The Iron Jacket™.

You may be thinking: “My Website only gets 30 or so users per month, who would hack ME?”

This thinking is a fatal flaw in today’s security environment. The risks of being hacked go well beyond a dedicated attack.

Hackers these days scan huge numbers of Websites. They scan them by the millions, looking for even one with a known exploit. When a vulnerable website is found, no matter how small, they automatically exploit the Website for a number of nefarious purposes. If you are lucky, all they will do is send out spam or scams which can be used to attack other Websites.  However, they can also use your Website to host attacks to directly steal money and implicate you in a criminal act.

“But what does it matter to me?” you say.

Consider that if your Website is used to send spam, all of your legitimate email may eventually be marked as spam or even a scam. Law enforcement may get involved if your Website is insecure and has become a portal for sending out millions of Nigerian-type scams. In this case you’ll have to answer some tough questions. See the information regarding FTC vs Wyndham below.

If you have a shopping cart, the situation is even worse.

Consider the case of a recent client who refused to let us diagnose and secure her Website. Inevitably, her site was soon hacked and dozens of customers had their identities and money stolen.

Thousands of dollars – VAPORIZED, gone forever because her Website wasn’t secured. The problems didn’t end there. Her credit card processor stopped doing business with her and put her name on a “Black” list. Her online store had to be shut down because she could no longer process credit card payments. Without asking questions, no one would do business with her. Many years of work circled the drain and then vanished.

All this happened because of a hack by a person who had no knowledge of who she was or what her Website represented. The hackers don’t know or care who they hurt in their quest to enrich themselves.

These days, a hacker may never even visit your website to exploit it.

The hack is done remotely and automatically. Anyone can download the software to do this off the Internet; anybody can simply “Google” these things and have free access to them. They don’t even have to be a real hacker because this software is so easy to use. Hundreds of thousands of small, low-traffic Websites are compromised this way, sending scams and spam, attacking other websites and stealing personal information. An insecure Website is an open portal to your network and everything else sacred.

Worse, these scoundrels will even install malware on your Website to distribute to YOUR customers as they unsuspectingly visit you. When that happens, you can say “Goodbye” to your position on Google and other search engines. They will outright remove you from their indexes because your Website is compromised.

The problem is compounded by the fact that now you can’t even pay for legitimate advertising and your “bread and butter” Website is effectively ruined.

No one is safe because of their size or what kind of information is on their Website. If there is a vulnerable crack, hackers will find it and screw you over maliciously and without remorse.

STILL NOT CONVINCED?

Consider the fact that recent announcements of lawsuits related to Web Security emphasize the necessity of using “Best Practices” and “Due Diligence” to protect your customers from the harmful aftermath of a hack on your Website. For confirmation of this statement, look at the following link and read page 8.

FEDERAL TRADE COMMISSION v. WYNDHAM WORLDWIDE CORPORATION – Third Circuit Court of Appeals Ruling Rejecting Wyndham’s Appeal – dated August 24, 2015. READ Page 8. http://www2.ca3.uscourts.gov/opinarch/143514p.pdf

(if you see only code on this PDF – refresh the page)

Every layer of protection you can add makes it harder for hackers and reduces the potential for malevolent and unrecoverable penetration.

Undeniable fact: Adding The Iron Jacket™ to your Website helps comply with the expectation of “Due Diligence” security and protection efforts the FTC and your customers are already demanding!

Click here to read about our “Web Security Audits” and learn how we can help you get on track to a more secure future.


Good Web Security Begins With YOU!

Are you an employee? If so, do you leave your house unlocked, or even the doors and windows open when you head for the office? Of course not! Being the smart person that you are, your home is locked up tight and perhaps even protected by a security service. So why then do you jeopardize your workplace and expose your employer to all kinds of costly mayhem with sloppy Internet surfing habits on your office desktop? If the company IT department has not choked down your browsing privileges, do you not owe it to the company, and yourself, to practice some integrity and refrain from leaving “doors and windows” open to potential thieves? Losses due to interrupted productivity and compromised information can substantially affect the company’s revenue position, to the point that its managers do not have the money for raises, or even for keeping you employed. Smart employees selfishly protect their workplace as well as they do their own homes. Should a disgruntled employee feel that leaving the company network exposed would be a good way to even a bad score with an employer, think again. Cyber forensic teams can track you down, document all of your keystrokes and provide the employer with enough information to pursue both criminal and civil charges. If you are unhappy, do your self-esteem a favor and find another job.

Are you an employer? If so, do you set the example and apply the same standards you expect your employees to follow? Using a personal laptop in your office for non-business Internet use and communication is the most ethical and secure way to set that example. Further, consider making your example attainable by your employees. Every office has used equipment. If not, it is easily attainable. Have your IT department set up a separate wired Internet access on a few old desktop units in a quiet room your employees can use during breaks. A separate Wi-Fi for employees and guests who have their own devices should also be a standard service. With these tools in place, there is no excuse for employees to use their company desktops for anything other than non-compromising work. The best office set-ups that we have observed also have locking desk drawers or lockers where employees are required to store their personal smartphones, tablets and laptops during assigned shift hours.

The bottom line: an adaptive, high-integrity workplace is a happy, productive and secure workplace.


The Demise of IE

There was a great, collective sigh of relief in our office when we received word that Microsoft was retiring Internet Explorer. This announcement came six weeks after we had decided that doing anything to make our Orange Connection software compatible for use with IE was a waste of time and resources. As we posted earlier, the best choices for general Internet Browser services are Firefox and Safari. Safari has made a rather decent step up with its private viewing and regular security updates. After putting Safari Private Viewing to the test, the performance is impressive. Both browsers work on all platforms.

Used with careful practices along with DuckDuckGo or ixquick™ and a VPN, your Internet use with either Firefox or Safari should be safe.


Privacy and Security Online Guide

Version 1.9

This is a live document, updated as required.

– January 2016 –

Why Privacy?

Every single action you do online is tracked and logged for a number of reasons: marketing, advertising delivery, security, warrantless NSA tracking, usage statistics, demographic studies, and so many more.

The end result is dozens of private companies, your ISP, our government (and likely foreign governments) all have detailed files about you. Your browsing habits, what bank you use, your financial situation, your interests, your contacts, your friends, your employer and job, your medical history, games you play, political affiliations, just about every single detail of your life is logged and recorded. Most of this is used for government criminal investigations and marketing purposes, but it’s anyone’s guess what else the data is being used for.

Not to mention the fact that the data is routinely sold between companies further completing detailed records of every single Internet user.

Furthermore, the majority of major web services (Google, Yahoo, Twitter, Facebook, etc.) have been known to be compromised by the NSA and God knows who else.

Privacy is important in this day and age, not only to defend yourself against warrantless searches, but against simple corporate manipulation.

How bad is the problem, really?

Short answer: Terrifyingly bad.

Take this simple example of an average day of Internet use:

First, you check your email on Gmail. Then you check your Facebook, add a friend, make a post, and like a few others. After that you check the news on the CNN and Fox News websites. You look up a recipe for bratwurst for dinner and Google the symptoms of a cold your roommate has. Look up some funny cat pictures, check your bank balance, and buy a book and a new coat on Amazon (looking good!). Then you install a flashlight app on your phone and look up directions to your friend’s house.

Over the course of this normal day of web browsing you have been tracked and your activities logged by no fewer than 30 private organizations, who now know:

  • Your name.
  • Your location.
  • Your friend’s location.
  • Your friends on Facebook.
  • Your taste in books.
  • Your fashion tastes.
  • That you shop on Amazon.
  • Your sense of humor.
  • Your food preferences.
  • What banks you use.
  • A general idea of your financial situation.
  • What search engine you use.
  • All the websites you visited that day.
  • In some cases, your precise location in real time.
  • Other web and social media accounts you possess, and all the data associated with them.
  • The type of computer and web browser you use.
  • Your model of phone and carrier.
  • What ISP you use.
  • Your travel plans and when you are going to be away from home.
  • The names of most family members and the name of your pet.
  • Most likely a whole host of other information.

You have also been exposed to no fewer than 75 advertisements, many of which are automatically tailored to you (using the information gathered as described above) to increase sales rates.

Needless to say, if this happens after ONE DAY of normal use, imagine how much is known about you after years of unprotected use.

How does this tracking work?

There are a number of different ways to track you and they are mostly extremely technical. Typically tracking is done through purposeful logging by the website you’re using. Also, the advertisements loaded onto the page track your every move. Beyond that, tracking cookies and even more insidious LSO (Flash “Local Shared Object”) cookies that are hard to remove are used. Then, non-advertising analytics software is installed on web pages to track you even more easily.

This all happens without the unsuspecting visitor even signing up for an account or logging in to anything. Once you sign up for an account anywhere and log in, even MORE data is logged.

How do I stop this nonsense?

Unfortunately, due to the extremely sophisticated nature and range of tracking methods, this is no simple task. It will require the installation of new software, configuration of add-ons, and preparation of white lists. You will also have to change some of your browsing habits and change some of the services you use online. You will also have to learn the concepts and application of common encryption technology (like PGP), which can be difficult for the novice to grasp. Also, ideally, it will require the purchase of a VPN (Virtual Private Network) to the tune of approximately $40 per year. The rest of the techniques are completely free.

Still, for all the inconvenience in set up, it’s certainly a worthwhile venture to not only maintain your privacy and security, but to make a statement that you don’t consent to activity that should be illegal and in some cases is outright criminal.

Configuring your web browser

Step 1:  Switch to Firefox.

Internet Explorer and Google Chrome track your browsing habits. Ditch them. Safari tracks if you don’t use the private browsing feature. If you are going to use Safari, make sure you have Private Browsing turned on and no history will be recorded. Also, Under the Privacy tab, select “Tell Sites I Don’t Want To Be Tracked.” Best plan is to switch to Firefox, which has all the useful add-ons that you will need.

Download Firefox from http://www.getfirefox.com – it’s totally free.

Step 2:  Make Firefox Amnesic

The next step is to configure Firefox to forget everything every time you close it.

Click on the three horizontal lines in the top right corner and then click on Options.

Under the Privacy tab, select “Tell Sites I Don’t Want To Be Tracked” under Tracking and select “Never Remember History” under History.

You will have to log in to each account every time you start your browser because it will clear cookies each time.

Use bookmarks as shortcuts to your favorite sites instead of relying on browser history; it’s much more secure.

Step 3: Block Advertisements and trackers

Click on the three horizontal lines again and click “Add-ons.” Search for and install “uBlock.” This will block an impressive number of advertisements and trackers.

Step 5:  Force SSL Encryption Wherever Possible

Now install the add-on HTTPS Everywhere. It will automatically request that sites encrypt the connection wherever possible. Download it here: https://www.eff.org/https-everywhere

Step 6: Block Tracking Cookies

Install the add-on “BetterPrivacy.” This will block the majority of tracking cookies and the harder-to-eliminate LSO (Flash “Local Shared Object”) cookies.

Step 7: (Semi Optional) Block Scripts and Embedded Plugins

“NoScript” is an extension that blocks JavaScript, Java, and Flash automatically by default, allowing you to manually choose what scripts and plugins are run on each page. This is best used by technically proficient users who understand, at least in some basic way, how these things work. You will need some time fiddling with allowing useful scripts before your Web browsing goes smoothly again, so it can be a bit of a pain. Still, there is no better privacy add-on available.

To do this, install the NoScript add-on.

Step 8: (Optional, Very Technical) Block Externally Loaded Objects by Default

“RequestPolicy” is a powerful security tool that will block all externally loaded objects (images, scripts, style sheets, fonts, etc.) by default. It can be tricky to use and is certain to disrupt your browsing experience frequently, forcing you to whitelist a number of externally loaded objects on Web pages. But, it is a powerful tool that will ensure no third party can steal your information.

Step 9:  Stop Using Google Search

I know that Google is everybody’s favorite search engine, but it is also among the most prolific trackers on the Internet. Change your default search engine to Startpage SSL by clicking on the Google logo in the search box and selecting Startpage SSL. Startpage SSL doesn’t log anything, doesn’t track you, and keeps you completely anonymous while searching.

Step 10 (Optional):  Get Control of Cookies

The add-on Advanced Cookie Manager can be useful to understand and take individual control of cookies that websites have left on your computer.

Step 11:  Configure Flash Player

On Windows, go to Control Panel and the Flash Player. Select “Block All Sites From Storing Information On This Computer,” then click “Delete All.” Check both options and click “Delete Data.”

Change Your Browsing Habits

Now that your browser is secure, you still need to change some habits to remain secure.

Step 1:  ALWAYS Log Out When You’re Done Using a Website

This is ESSENTIAL. Not only to prevent that very same Website from tracking you (Google, Facebook, etc.) but also to keep your account secure. CSRF (Cross-Site Request Forgery) is one of the most common Web security issues there is, but it only works if you are logged in to your account. Log out! Also, on a daily basis or more often, completely shut down and re-launch your browser.
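To make the “it only works if you are logged in” point concrete from the website’s side, here is a small added example (not code from this guide or from The Iron Jacket) that simulates a server handling a state-changing POST. The session store, the `handle_transfer` handler and the request dictionaries are all constructed for illustration. It shows why a browser-attached session cookie is what a forged cross-site request rides on, why logging out (destroying the session) stops it, and the server-side fix the guide does not cover: a per-session CSRF token that a third-party page cannot know.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}


def login(user):
    """Create a logged-in session and a random CSRF token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def logout(sid):
    """Destroying the session is what the guide's 'always log out' advice achieves."""
    SESSIONS.pop(sid, None)


def handle_transfer(cookies, form):
    """Hypothetical server handler for a state-changing POST (a money transfer).

    cookies: dict the browser sends automatically; this is why CSRF works at all,
             the browser attaches the session cookie even to a request that
             another site's page triggered.
    form:    dict of POST fields. The site's own page embeds the CSRF token;
             a request forged from elsewhere cannot include the right value.
    Returns a short status string in place of an HTTP response.
    """
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return "denied: not logged in"
    token = form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token
    if not hmac.compare_digest(token, session["csrf"]):
        return "denied: missing or wrong CSRF token"
    return "ok: {} transferred {} to {}".format(session["user"], form["amount"], form["to"])


def demo():
    """Walk through the three cases: forged request, genuine request, logged out."""
    sid = login("alice")
    # Constructed cross-site request: the browser adds the cookie, but no token
    forged = {"to": "mallory", "amount": "500"}
    # Constructed request from the site's own page, which carries the token
    genuine = dict(forged, to="bob", csrf_token=SESSIONS[sid]["csrf"])
    forged_result = handle_transfer({"session": sid}, forged)
    genuine_result = handle_transfer({"session": sid}, genuine)
    logout(sid)
    after_logout = handle_transfer({"session": sid}, genuine)
    return forged_result, genuine_result, after_logout


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token check is the part a site owner controls; logging out is the part the visitor controls, and the third result shows that once the session is gone, even a perfectly formed request is refused.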

Step 2:  Switch Websites You Use (As Much As Possible)

Getting away from major providers like Google, Microsoft and Facebook is often nearly impossible. Whenever possible, find alternative providers for things like email and productivity. This may be a lost cause, and even I regularly use quality Google products. Still, when selecting a new service to use in the future, keep their privacy policies in mind.

Step 3: READ AND UNDERSTAND TERMS AND CONDITIONS

This one is a huge pain, but extremely important. Deliberately and carefully read any agreement and understand it. If you see something that bothers you, try to find another service. Please don’t just carelessly click “I AGREE” when you don’t know what you’re agreeing to. Remember, clicking “I AGREE” is legally the same as signing a document in person and IS legally enforceable in the US. Also, it’s usually impossible to escape any tracking or sale of private information after clicking. Click with caution!

Step 4:  Try To Avoid Signing Up For Accounts

The more accounts you sign up for online, the easier it is to track you. Accounts are often a necessary evil, but try to avoid them as much as is practical.

Step 5:  Good Password Policy

This one is a hassle, but very important. First of all, the majority of passwords are hacked by brute force: hackers try every possible combination of letters and numbers until they find the right password.

A long, complex password is the best defense against this. To make an easy to remember, long password, try coming up with an easy to remember sentence and mix up capital and lowercase letters, add numbers and symbols, and make it L O N G.  Characters like spaces are usually the strongest when allowed. It is rare for a brute force hacker to include spaces in the search.

Also, using a different password for each account is important. It is often more convenient to use one “base” password and modify it slightly for each site.

Beyond that, you should change passwords regularly. Yes, it is a hassle, but critically important. Try our recently added “Passgen” password generator in the “Free Tools” section of this Website.
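The following is an added example, not the guide’s own “Passgen” tool, that puts numbers on the advice above: it estimates how large a search space an exhaustive guesser faces for a given password (treating every character as drawn from the alphabet the password uses, which is an upper bound for human-chosen text), and it generates a long passphrase from a word list using the operating system’s cryptographic random source. The sixteen-word list is constructed here to keep the block short; a real generator would use a list of several thousand words, and the `passphrase_entropy_bits` function shows why the list size matters.

```python
import math
import secrets
import string

# Constructed stand-in for a real diceware-style list of several thousand words
WORDS = ["copper", "meadow", "violin", "harbor", "candle", "glacier", "pepper",
         "lantern", "orbit", "thimble", "walrus", "quartz", "maple", "saddle",
         "ember", "tundra"]


def charset_size(password):
    """Size of the alphabet an exhaustive guesser must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable symbols
    if " " in password:
        size += 1                         # the space the guide recommends
    return size


def guess_entropy_bits(password):
    """Bits of search space if each character were uniform over that alphabet.

    An upper bound for a human-chosen password, but it makes the point:
    each extra character multiplies the work, so length beats cleverness.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def generate_passphrase(n_words=6, words=WORDS, sep=" "):
    """Random passphrase; secrets.choice uses the OS CSPRNG, never random.random."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words=6, words=WORDS):
    """Exact entropy of generate_passphrase: each word is one uniform choice."""
    return n_words * math.log2(len(words))


if __name__ == "__main__":
    short = "Tr0ub4dor&3"
    long_ = "correct horse battery staple"
    print(short, round(guess_entropy_bits(short), 1), "bits")
    print(long_, round(guess_entropy_bits(long_), 1), "bits")
    print(generate_passphrase(), round(passphrase_entropy_bits(), 1), "bits")
```

Note the contrast: the eleven-character “complex” password sits around 72 bits by this estimate, while the four-word lowercase sentence with spaces is over 130, purely from length. For a generated passphrase the honest figure is `passphrase_entropy_bits`, which depends only on how many words are drawn and how long the list is.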

Step 6: Two-Factor Authentication

Several major websites like Google, Amazon Web Services and Digital Ocean offer two-factor authentication. This is where you log in with a password as well as a one-time code that is either generated by a phone app or sent to you by text message. Using two-factor authentication wherever possible makes your account much more difficult to hack into.
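The “generated on a phone app” code is almost always TOTP (RFC 6238), built on HOTP (RFC 4226). The added example below, which is not from this guide, implements both from the Python standard library so you can see what the app and the website each compute: a shared secret (carried to the app as base32 in the enrollment QR code), HMAC-SHA1 over the current 30-second time step, and a dynamic truncation to six digits. `verify_totp` is the website’s side and accepts one step of clock drift either way, comparing in constant time. The secret used in the test is the RFC’s published test key, so the outputs can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, window=1):
    """Website-side check: accept the current step and +/- `window` neighbours
    so a phone whose clock is slightly off still works; constant-time compare."""
    if at_time is None:
        at_time = time.time()
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + k * step, step), code):
            return True
    return False


def secret_from_base32(b32):
    """Decode the base32 secret an authenticator app is enrolled with."""
    return base64.b32decode(b32.replace(" ", ""), casefold=True)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test key "12345678901234567890", base32-encoded as
    # an enrollment QR code would carry it
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(key))
    print("valid now?  :", verify_totp(key, totp(key)))
```

Two things worth noticing from the code: the website must store the same secret the phone has (so protect that store as you would a password database), and the code is a pure function of secret and time, which is why a code intercepted over SMS or read off a screen is only good for a minute or so.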

Protect Your Computer

The next step is to protect your computer. Malware, hardware theft, and even nosy friends can be a threat to your security and privacy.

Step 1:  Antivirus

This one is pretty obvious, but be sure to install a quality antivirus and keep it updated. Set a schedule to scan regularly. On Windows, the free Microsoft Security Essentials is good and light weight.

Step 2: Password and Screen Lock

Don’t leave your computer without a user password! Be sure to set your password and make the password secure (see the note on passwords above). When leaving your computer unattended, always log out or lock the screen. On Windows, lock the screen with the key command [Win]+L.

On a Mac, set your security preferences to require a password when signing back in after the Mac has gone to sleep. Log out and shut down when not using your Mac.

Step 3:  Hard Drive Encryption

This will protect your computer in the event of theft or unlawful seizure. There are a number of ways to do this. In Enterprise versions of Windows, BitLocker is available. If you don’t have that available, find a third-party application to do it.

Follow the guides on the site and BE SURE TO BACKUP YOUR DATA BEFORE YOU BEGIN!

We will also be using VeraCrypt in the next step to encrypt individual files.

Step 4:  Sensitive File Encryption

Use VeraCrypt from the last step to create an encrypted volume for extra security. We would suggest creating a “Hidden Volume” where one password will open the real volume, and the mock password will open a fake volume. This is in case you are coerced to reveal the password for the volume.

Also, be sure to use keyfiles with it for extra security. We also suggest using cascading encryption like AES-Twofish-Blowfish to make extra, extra sure it can never be cracked. A good strong password is also essential.

Step 5:  Encrypt and Anonymize Your Internet Connection

This is the only step in this guide that costs money, but it’s well worth it. Sign up for a VPN (Virtual Private Network) and always use it. A VPN will not only hide your IP address from websites but also strongly encrypt the traffic. This will eliminate MiTM attacks, network sniffing, and general tracking. It will allow you to remain truly anonymous online until you log in to an account and identify yourself. We use Private Internet Access for $40 a year and have found the quality to be excellent. NordVPN is another option.

Step 6:  Keep Your System and Software Up To Date

Be sure to regularly install updates for your operating system and software. This is especially so for Firefox!

Step 7:  Uninstall Unneeded Programs

Remove unused software from Control Panel -> Add/Remove Programs.

Protect Your Communications With PGP

As email is an old and flawed protocol, email and file transfers are still widely insecure. Gmail and other email providers read and log all email and use it for marketing purposes, and no doubt companies and governments have full access to it. By encrypting sensitive messages you eliminate this problem.

About PGP

PGP stands for Pretty Good Privacy. It’s a form of public key encryption that secures emails and files, and lets you sign a message or file to confirm that it was in fact you who sent it and that it has not been tampered with en route.

PGP has two key files: the public key, and the private key.

Say you want to send an encrypted message to Sally. You will use her public key to encrypt the message, and then only her private key can decrypt the message. Then, when she responds, she will use your public key to encrypt it, and you will use your private key to decrypt it. The private key can also be used to sign a message, even if it’s not encrypted.
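Because the roles of the two keys are the part people get backwards, here is an added example (not from this guide, and not PGP itself) that plays out the Sally exchange with a textbook RSA key pair written in plain Python. The primes, key pairs and messages are constructed and far too small for real use, and there is no padding, so this is a teaching model of the public/private roles only; real PGP software adds padding, a session key and a symmetric cipher on top. It shows: your message is encrypted with Sally’s public key and opens only with her private key (your own private key produces garbage); her reply is encrypted with your public key; and a signature made with your private key is verified by anyone holding your public key, failing if the message changes.

```python
import hashlib
from math import gcd

# Constructed toy key material: known primes, nowhere near a real key size
P_SALLY, Q_SALLY = 1000000007, 998244353
P_YOU, Q_YOU = 2147483647, 1000000009
CHUNK = 6   # data bytes per block; with a marker byte the integer stays below both moduli


def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, plaintext):
    """Encrypt with a PUBLIC key: one integer per 6-byte block, 0x01 marker prepended."""
    e, n = pub
    blocks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)]
    return [pow(int.from_bytes(b"\x01" + b, "big"), e, n) for b in blocks]


def decrypt(priv, ciphertext):
    """Decrypt with the matching PRIVATE key; the wrong key yields garbage, not an error."""
    d, n = priv
    out = b""
    for c in ciphertext:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]   # drop the marker
    return out


def sign(priv, message):
    """Sign with a PRIVATE key: apply the private exponent to the message hash."""
    d, n = priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(pub, message, signature):
    """Verify with the signer's PUBLIC key: recover the hash and compare."""
    e, n = pub
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def demo():
    """The Sally exchange from the guide, returning what each party ends up with."""
    pub_sally, priv_sally = make_keypair(P_SALLY, Q_SALLY)
    pub_you, priv_you = make_keypair(P_YOU, Q_YOU)
    msg_to_sally = b"lunch at noon?"
    ct = encrypt(pub_sally, msg_to_sally)           # HER public key
    sally_reads = decrypt(priv_sally, ct)           # HER private key opens it
    you_cannot = decrypt(priv_you, ct)              # your private key does not
    reply = b"yes, see you there"
    ct_reply = encrypt(pub_you, reply)              # YOUR public key
    you_read = decrypt(priv_you, ct_reply)          # YOUR private key
    sig = sign(priv_you, reply)                     # YOUR private key signs
    good = verify(pub_you, reply, sig)              # anyone with your public key checks
    tampered = verify(pub_you, b"yes, see you here", sig)
    return sally_reads, you_cannot, you_read, good, tampered


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Keep the asymmetry in mind when reading PGP documentation: anything meant only for Sally is locked with Sally’s public key, and anything that must prove it came from you is stamped with your private key.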

Using PGP

A good basic PGP program is OpenPGP Studio.

PGP has a bit of a learning curve to understand and use fluently. Check the OpenPGP Studio Documentation to learn how to use it.

Protecting Your Phone

Your phone is one of the most insidious ways to track you in terrifying ways. Some apps will literally use the phone’s built-in GPS and location services to track everywhere you go in real time and use the information for marketing purposes. It is suspected that the NSA also routinely uses this technology.

Most of these steps are generalized because of the number of models and makes of cell phones and you may have to look up the documentation for your device to do some of these.

Step 1:  Disable Location Service

While it’s still possible to track your approximate location, disabling location services will help a lot.

Step 2: Never Use Bluetooth

Bluetooth is probably the most insecure protocol known to mankind. Don’t use it and disable it entirely.

Step 3: Use Screen Lock

However you do it, be sure to use some manner of screen lock. We prefer using phones with a fingerprint scanner for convenience.

Step 4: Encrypt your phone

Encrypting your phone will require a password on boot. This is a great way to foil thieves or anyone else you don’t want snooping through your phone.

Step 5: Pay Attention to App Permissions

Many apps have horrible tracking and privacy features. If your phone supports app permissions, be sure to read and understand the permissions of all the apps you install. You would be surprised at the number of apps that do amazingly sketchy tracking things. Games, utilities, toys, just about every category of app has some malcontents that will abuse permissions. If the permissions don’t seem necessary for the nature of the app, find another one.

Step 6:  Use VPN on Your Phone

Private Internet Access has apps for Android and iPhone. Be sure to install them to secure the network connection on your phone.

Step 7:  Close Apps When You’re Done With Them

Be sure not to keep unused apps running in the background! Not only will it improve performance, but it will also inhibit tracking and reduce security threats.

Step 8:  Use Firefox Mobile if Possible

Android supports Firefox Mobile. Use that instead of the default browser. Configure the browser to be amnesic and install the available add-ons just like on your computer browser.

Remember to exit the browser properly to clear the history and cookies. Tap the three dots in the top right and scroll down to Quit.

Step 9: Link As Few Accounts As Possible

Always assume that every account linked to your phone will be tracked. Link as few as possible.



Our servers are protected by THE IRON JACKET™