Your 10 Biggest Network Security Worries

The right hardware, policies and user education can help in the fight.

From spyware and phishing to intrusion attempts, the threats
attacking today’s computer networks are more dangerous
than ever. Many threats are targeting specific industries with
convincing-looking e-mail and phone calls. The hackers hope
to direct employees to counterfeit Web sites, in order to harvest
passwords and private financial information or steal computer and
network resources. “The revenue from cybercrime in the United
States now exceeds that of illegal drug activity,” says Scott Pinzon,
editor-in-chief of WatchGuard’s LiveSecurity Service, WatchGuard
Technologies Inc.

“We’re seeing a change in the threat landscape, from ones that were noisy and
targeting the perimeter of the network, to becoming much more silent, difficult
to detect and highly targeted,” says Kelly Martin, group product manager,
Symantec Corp. “These attacks are mostly targeting Web browsers and the client
applications on the computer itself. And while a small business network may not be
as complicated as an enterprise network, they still have desktop and mobile clients.”
Because small businesses have fewer IT resources at their disposal, they need
solutions that provide comparable protection, at affordable costs and requiring
minimal administration. Here is a list of the biggest threats or sources of
vulnerabilities today’s small business IT professionals need to defend their networks
against, along with tips on how to fight them.

1 Spyware
Spyware is software that installs itself on a computer without the knowledge or
permission of the owner, be it your company or the main person using the system.
According to antispyware vendor Webroot Software Inc.’s State of Spyware Report,
nine out of 10 PCs connected to the Internet are infected with spyware, and some
form of spyware can be found on 87 percent of corporate PCs.
Spyware can get into your computer from executable attachments in e-mail,
“hostile applets” on Web sites, hidden on installation CDs or downloaded files and through security holes in other applications. Spyware also “piggybacks” on top
of quasi-legitimate downloads, often pretending to be a browser accessory or
important security update. Sometimes the “permission” is buried in the fine print of
an end-user license agreement (EULA) document or Web page.
Once installed, spyware programs often masquerade as legitimate files or
programs, or do other tricks to avoid detection. Some spyware may simply attempt
to change your browser’s home page or present pop-up ads. Too much spyware
— even of this type — can seriously degrade a computer’s performance,
increasing startup and shutdown times, slowing regular operations to a crawl
or bringing the machine to a complete halt. But increasingly, most spyware is
malicious in intent, monitoring a user’s keystrokes or examining their files for
passwords, financial account numbers and other sensitive data, and then sending
that information back to the spyware’s creator, who may use it for identify theft.
Spyware can be difficult to detect and difficult to remove. The best solution is to
prevent it before it gets onto your computers, by doing URL (Uniform Resource
Locator) and content filtering at the network gateway and, if possible, on the
computer. However, it’s also important to run antispyware software on user
machines, such as McAfee AntiSpyware, Trend Micro Anti-Spyware and Webroot
Spy Sweeper. For a hardware solution, consider Barracuda Networks’ Barracuda
Web Filter, previously known as the Barracuda Spyware Firewall. The Barracuda
Web Filter attacks existing spyware installations by detecting any spyware access
to the Internet and notifying the administrator.

2 Blended Attacks
As the name suggests, blended attacks combine several types of activity. They
combine the characteristics of viruses, worms and other malicious code with
server and Internet vulnerabilities to rapidly initiate, transmit, spread and cause
widespread damage.
“The goal is to extract confidential information from your system,” says Symantec’s
Martin. “It may start with a phishing attack through e-mail, instant messaging
[IM] or a ‘voice phishing’ call as the point of entry, figuring out how to get your
attention.” Then the attack tries to trick the user into going to a Web site that
drops malicious code, so even if the user doesn’t give private information, their
system gets compromised.
Tools to block blended attacks include deep packet inspection (DPI) firewalls,
intrusion prevention and “behavior blocking” — tools that alert on unusual
software activity — and, of course, ensuring that your users know what not to
click on.

3 End Runs
While many attacks start by “pounding on the front door” — hitting the gateway
that connects your local area network (LAN) to the Internet — many will go
around, possibly never even touching the network en route to a computer.
Gateway-level security won’t protect computers from threats on CDs or USB
(Universal Serial Bus) flash drives. Nor will it protect an employee computer or
handheld that’s being used outside the office, such as in a wireless hotspot,
where eavesdroppers or rogue access points (APs) may intercept traffic if the
machine being used doesn’t have sufficient client-level security. These attacks
are called end runs.
According to “Network Security and Intrusion Prevention,” a January 2005 survey
of 250 North American security professionals conducted by Enterprise Strategy
Group (ESG) Research, Milford, Maine, infected employee notebooks make up 39
percent of worm attacks that get into a company LAN. The second most common
source was through the firewall, followed by nonemployee notebooks and virtual
private networks (VPNs) connected to home systems. “Three of the top four
sources of this threat went around the firewall,” says Jon Oltsik, senior analyst at
ESG Research. “This is why multilayered ‘defense in depth’ threat management
is necessary.”
Some threats can go right through older gateway-level security, which may not
recognize threats that are spread across multiple packets or don’t match their
database. DPI and URL/content filtering and blocking play an important role in this
type of threat prevention.

4 Rogue Access Points
Rogue access points — APs that don’t belong to IT or aren’t configured by IT to
reflect company security policies — represent a major network security threat.
They can allow unauthorized parties to eavesdrop on network traffic and attempt
to inject threats. Once a rogue AP has been connected to the network — which
can be as simple as plugging a Wi-Fi adapter into a USB port, connecting an AP
to an untended Ethernet port or using a Wi-Fi-equipped notebook or handheld
computer — an unauthorized user may be able to access your network from
outside the building or even further away.
Features for detecting rogue APs and blocking their access are available in many
new wireless switches, as well as in gateway-level Unified Threat Management
(UTM) security appliances from such vendors as Cisco, Juniper, SonicWALL and
WatchGuard. UTM appliances take the place of separate single-purpose security
devices, reducing cost and management. Capabilities include firewall, VPN,
intrusion prevention, antivirus/antispyware and content/URL filtering. Increasingly,
UTM appliances have a range of security engines built in. IT can then choose which
modules to pay for and activate.

5 Web and Browser Exploits
Web exploits attempt to breach security through Web servers, such as Microsoft IIS
Apache, Sun’s Java Web server and IBM WebSphere. Successful attackers may gain
complete control of systems, allowing unauthorized access to directory listings and
the ability to create new accounts and read, change or delete data. According to
the Common Vulnerabilities and Exposures list compiled by the MITRE Corporation,
a not-for-profit technology research and development organization, roughly a
quarter of the security flaws from 1999 through 2005 were Web exploits.
Browser exploits, similarly, seek to take advantage of security vulnerabilities
in users’ Web browsers due to unpatched versions or unsecure configuration.
Malicious JavaScript, ActiveX or Java applets can, for example, crash user
computers, download “backdoor” or other malicious code, giving intruders full
access to the computer. Successful attacks can steal user logins and other sensitive
data and compromise user computers.
Solutions include URL/content filtering at the gateway, switch and client levels,
running vulnerability scanner software to check Web servers and client systems for
potential vulnerabilities, applying security patches, and configuring Web servers
and browsers securely.

6 Worms and Viruses
Viruses, which infect existing computer programs, and worms, which are
executable programs, are some of the oldest and most well-known types of
computer threats. Viruses tend to be in document, spreadsheet and other files and
spread via e-mail, while worms typically spread themselves directly over networks.
Once a worm or virus has infected a computer, it may begin wreaking havoc in
addition to attempting to replicate itself to other systems.
To protect against worms and viruses, run antivirus software both at your gateway
and on your computers. Also, consider also using secure switches inside your LAN.
Most of all, be sure to keep your antivirus definitions and software up to date.
7 Information Theft
Your company’s information includes user names and passwords, which can be
misused to gain access to databases, applications and systems. Lost, changed or
compromised names or passwords can, in the wrong hands, put your company at
risk from regulatory fines, loss of business and other costs.

7 Information Theft
Your company’s information includes user names and passwords, which can be
misused to gain access to databases, applications and systems. Lost, changed or
compromised names or passwords can, in the wrong hands, put your company at
risk from regulatory fines, loss of business and other costs.
Preventing information theft requires securing your network to keep unauthorized
users away and also block unauthorized attempts to extract sensitive information.
Solutions include gateway-level firewalls, intrusion prevention, antivirus,
antispyware, spam blocking and URL/content filtering, as well as the use of VPN
connections for mobile and other remote users, Network Access Control (NAC)
and endpoint security to ensure that client devices are secured. (Don’t forget
physical security of your facilities and proper disposal of paper, computer media
and hard drives.)

8 Phishing
Phishing simply attempts to fool end users into believing that bogus e-mail, phone
calls or Web sites — often related to online banking and payment services — are
legitimate, with the intent of getting them to provide private information or
download hostile applets to infect the user’s computer. According to SonicWALL,
over six billion phishing e-mails are sent worldwide each month.
“Phishing is one of the harder threats to protect against, because it’s more about
[exploiting] human behavior,” says Sanjay Beri, director of product management,
security products group, Juniper Networks. “Web filtering, which blocks requests
to sites identified as phishing sites, helps a lot. If an employee tries to go there,
they’ll get a message indicating it’s a phishing or otherwise restricted site.”
To prevent phishing, look for gateway-level security that examines incoming e-mail
and Web code. Consider adding outbound blocking — blocking e-mail and URLs
from browsers to known or suspected phishing addresses.

9 Keystroke Logging
Keystroke logging, or keylogging, refers to programs that can record a user’s
keyboard (and possibly mouse) input to get user names, passwords, e-mail, instant
messages and other employee activities. Keylogger programs typically capture this
information to a file, and then surreptitiously forward these files for identify theft
or other misuses.
The most common method of keylogging is using spyware or other unauthorized
programs on a user’s computer. Other approaches include electronic
eavesdropping — hardware devices snuck into keyboards or a computer’s USB or
PS/2 ports. Along with vigilance, DPI and URL/content filtering are key defenses.

10 Instant Messaging Vulnerabilities
Like e-mail, instant messaging is a common vector by which viruses and spyware
spread, typically through sent files that users open. “When employees use IM and
peer-to-peer applications, they can easily download spyware without being aware
of it,” says Jon Kuhn, director of product management, SonicWALL Inc. “And often,
once opened, an IM virus will resend itself to everyone on the user’s contact list, as
well as installing spyware.”
To prevent IM-borne threats, use network, switch and client antivirus/antispyware
tools, keep computer operating systems and IM applications up to date — and
teach employees not to click on unrequested files. ◊

10 TRIED, TRUE AND FREE SECURITY TOOLS TO CONSIDER

Online shopping reaches record highs

Ikea joins the e-retailing revolution.

Internet shopping is growing at the fastest rate in six years, shrugging off the gloom being seen on the high street.

Online spending on retail purchases rose by 35% to £14.7bn last year as the number of internet shoppers hit an all-time high, according to Verdict research. The rate of growth is almost 10 times that of the overall UK retail market.

This growth is set to continue thanks to faster broadband, with online retail predicted to rise to £44.9bn by 2012, amounting to 13.8% of total spend.

The number of online shoppers rose 24.7% to 22.6 million last year.

Yet, despite some degree of cannibalisation - people switching to the internet to buy what they would previously have gone to the shops for - physical shopping is far from doomed, Verdict said.

"In many cases, online and in-store sales channels will blur into one, becoming fully integrated," said Malcolm Pinkerton, senior retail analyst at Verdict. "There is still a need for physical locations but the number of stores required will vary according to sector. With the rise in music downloads, there will not be such a need for music and video stores, for example. Having an internet presence is now vital and the combination of an in-store and online presence, with strong links between the two, is essential."

Electrical goods and food and grocery made up just under half of all online retail spending in 2007. Music and video has the highest online penetration at 30.8% of total sales.

Online shoppers are purchasing more frequently (an average of 16.9 times last year, an increase of 2.7 times on 2006) and each spent an average of 7.8% more than in 2006.

Convenience is the main factor cited by more than half of online shoppers from the 4,059 people surveyed.

"The internet is widely perceived as a cheaper and easier way of finding lower prices and bargains in most sectors," Pinkerton said. "As the cost of broadband falls, consumers become accustomed to internet shopping and retailers continue to enhance their online propositions, the channel will find itself well-placed to capitalise on the falling consumer confidence and lower levels of disposable income impacting the retail market."

In the long run, growth will be driven by the ageing population - as today's younger shoppers get older and their spending power increases, they are likely to spend more online.

Last year, new entrants to the online retail market included home-furnishing retailer Ikea.

Banks slip through virus loophole

Is my money safe? A quiet rule change allows British banks to refuse to compensate the victims of online fraud if they do not have "up-to-date" anti-virus protection, says Shaun Stanislaus

A small addition to the Banking Code seems like such a minor thing. But the change, which came into effect at the end of March, has analysts and academics alike alarmed at what it could mean for online banking customers. Since the 2005 edition of the code (which dictates how UK banks do business with customers), section 12.9 has advised customers to keep their PCs secure. "Use up-to-date antivirus and spyware software and a personal firewall," it says.

The contentious addition to the new version is section 12.13. "Unless you have acted fraudulently or without reasonable care (for example, by not following the advice in section 12.9), you will not be liable for losses caused by someone else which take place through your online banking service," it says.

Thieves in the site

To banking security expert Steven Murdoch, that signals an official shift in liability for online banking fraud to the end user. "The most likely way the new rules will be applied is that the bank will decide they don't want to refund a customer, and may choose to quote this rule in their reasoning," says the researcher in the security group at the University of Cambridge's computer laboratory.

It's easy to see why banks might be worried about online security. Although losses from online banking fraud dropped a third last year compared to 2006, banks still lost £22.6m to online banking thieves. And Graham Cluley, senior technology consultant at antivirus firm Sophos, warns that banking trojans - malware that watches your PC in an attempt to steal your banking details - is becoming more sophisticated.

"The traditional way they do it is to log your keystrokes, but more sophisticated ones examine your mouse clicks or even take a little movie," says Cluley, adding that the trojans often target UK banks.

The code seems to allow it, but would banks ever really dictate that customers must use antivirus software if they're going to be compensated for internet fraud? "I wouldn't say never, but it's not on the agenda currently," says Sean Gilchrist, director of electronic banking at Barclays, which already distributes a pinpad which provides two-factor authentication for customers accessing its online banking service.

"I think that there may be particular circumstances where there has been a piece of fraud and we might challenge a customer harder," says Gilchrist, "but we're saying that we have an online fraud guarantee, and there's nothing in our plans to review that stance."

While at least some UK banks leave their options open, experts worry about other banking industries that have set a precedent by imposing draconian online security measures.

Breaking the bank

The New Zealand Bankers' Association (NZBA) revised its own banking code with a clause giving banks the explicit right to access customers' computers in the event of a fraudulent transaction. They could check whether the computer had anti-virus and anti-spyware protection, and if customers refused to hand over their equipment, their fraud claims could be dismissed.

Upset by customer protests, some New Zealand banks subsequently distanced themselves from the NZBA's code, essentially creating an unofficial, more lenient interpretation. "If they had gotten away with it, it would certainly have deterred a lot of defrauded customers from claiming," says Murdoch's colleague Ross Anderson.

"And what would happen when you bank using your PC at the Guardian, you get defrauded, [the bank] demands the PC, and the Guardian says no?" asks Anderson. "What if your wife or your daughter says no, as they have personal and sensitive data on the PC?"

Eric Domage, research manager for security products and services at analyst firm IDC, worries about social exclusion. If banks decide to interpret the UK Code in a way that forces computer users to guarantee the security of their PCs, a subset of UK society could be affected, he warns.

"Those who can't afford to have a PC but use a web cafe PC - including many immigrant workers in the UK - how would they have access?" he asks. After all, verifying the security level of a publicly used PC is as difficult as verifying the security of a private PC, weeks or months after a security breach.

Such arguments are premature, according to banking industry spokespeople eager to ease customer concerns. "This is not an offloading of responsibility," says one spokesperson at the British Bankers' Association, which administers the code. "We don't envision banks saying 'you lost money online so we're not paying you'."

Mark Bowerman, spokesperson for APACS, argues that the new provisions are there to protect customers by making responsibilities for online banking security clearer. But where one ambiguity is resolved, others may arise. "The Banking Code is a recommendation and always vague and high level," says Domage, who worries that banks may interpret the code as they see fit in the future. Are APACS and the BBA really in a position to guarantee that won't happen?

The code leaves other ambiguities, too. "For example, what is a good antivirus software?" Domage asks. Barclays is currently reviewing the F-Secure antivirus software that it provides for free to members of its online banking service and may switch packages. Would banks be happy for customers to use antivirus software that they didn't authorise? Several respected security researchers have a dim view of antivirus software overall. "It's not completely worthless, but mostly worthless," says Joe Stewart, senior security researcher at SecureWorks, who writes his own malware analysis tools from scratch.

Part of the problem is that malware writers increasingly test their work against antivirus engines before trying to infect computers with them, he says, which gives them a head start over the companies writing the antivirus software.

You can't stop them all

Most security vendors agree that there's no silver bullet for malware, and that a complete security guarantee is unlikely. But you're better off with antivirus software than without it, they add. "You won't be able to stop 100% of the viruses and infections," says Cody Pierce, a researcher at security research and intrusion prevention firm TippingPoint, "but you'll stop some of them."

But if you can't guarantee that you'll block banking trojans or other malware with antivirus software, how useful is it to mandate it in the Banking Code (or, as New Zealand's code did, to explicitly suggest that your fraud claim would be dismissed without it?)

Bowerman emphasises that banks would only begin to question customers' online security in cases of obvious negligence. "If you are the victim of a phishing attack, the vast majority of people get their money back," he says. "But if it happens seven times in seven weeks, then the bank is probably within its rights not to give you your money back."

That would be a clearcut case, but not all incidents are as black and white. Exactly what constitutes negligence when it comes to online security? "Every bank has their own fraud investigation team and will look at each instance on a case-by-case basis," says Bowerman. This makes it difficult for customers to know where the line is drawn.

Even though security experts may have difficulty agreeing on how effective online security measures really are, the Banking Code's new clause seems pretty clear on what insecurity means. Using such resolute language to address a problem as complex and volatile as online security apparently leaves the banks as the only party with room to manoeuvre.

Is online shopping ever secure?

Few websites meet industry standards when it comes to storing our credit card details. So, asks Danny Bradbury, is e-commerce in the UK fundamentally flawed?

If you use an e-commerce site in the UK, how safe are your personal details? Not as safe as you might think, according to SecureTest, a security consultancy that specialises in "ethical hacking". After testing 100 UK websites, it has accused the UK e-commerce community of fundamental flaws in the way it handles customers' details.

Ethical hacking is normally done with the target's consent: paid security experts look for holes in the system. In this case, the tests were not sanctioned, and so SecureTest was careful not to breach the Computer Misuse Act (CMA). Instead, its team signed up for customer accounts on each website, and then walked through the standard procedures all customers have access to, drawing conclusions about how those sites handled customer data.

For example, almost all sites use a customer's email address as a username, which they ask for when helping customers with a forgotten password. Of those tested, 60% responded to forgotten password requests by explicitly stating whether the email address was in the database or not.

"That's a fatal mistake," says SecureTest's managing director, Ken Munro, arguing that it lets attackers verify that a particular email address is registered on an e-commerce site. An attacker could then create lists of addresses with which to start testing targeted attacks. "If I wanted to deliver a cross-site scripting attack via email to steal their customers' account details, I now know the email addresses of their customers," he says.

Pass the password

The sites surveyed recovered user passwords in one of three ways, all via email: sending a link to a web page where users enter a new password; generating and sending a new password; or simply sending the original one.

Sending account credentials over an unprotected network is a bad idea, says Michael Owen, head of security management at security consultancy and penetration tester IRM. "I wouldn't recommend any system that mailed back passwords," he says. "You're assuming that you can trust all of the machines that it will pass through, and that the customer definitely has control of his email at the time you're sending it out."

Even sending a link to a password reset page is insecure unless the page also asks the user a secret question when they arrive there. Only 14% of sites took that approach, Munro explained.

Tom Kellermann, vice-president of security awareness at security firm Core Security Technologies, goes even further. "Passwords themselves are obsolete. It is shocking to me that the standard in e-commerce is pushing people towards stronger passwords," he says, arguing that they're notoriously difficult for consumers to manage securely. "We should be moving towards two-factor authentication".

Some banks have started to adopt this approach (which generally combines something you know, such as a pin, with something you have, such as a smart card). Few, if any, e-commerce sites do it, though: the cost of giving away hardware tokens to every user would put most of them out of business. The contention over these basic security issues raises an important question: how can e-commerce companies walk the line between usability and security?

These decisions seem to be based on a mixture of de facto approaches to the problem and gut instinct, says Owen: "At the end of the day, it boils down to the risk appetite of an organisation."

Compliance complaint

The credit card industry has imposed its own regulations on the storage of credit card details. The PCI-DSS standard governs the security with which companies store credit card information. Unlike most security regulations, it was imposed by the private sector, rather than the government.

The credit card companies which designed them have promised to fine companies that don't conform to the guidelines, but most still fall short. LogLogic, which makes software that analyses security logs, commissioned a survey last week of 65 UK firms with at least 500 employees that handled credit card transactions. Only 14% were PCI-DSS compliant.

Littlewoods, which also manages the website for Adidas, isn't yet compliant, says spokesperson Anthony Taylor. But they are "well on our way to achieving compliance within the agreed timescales".

Nor is retailer New Look, says Shaun Wills, strategy and business development director, who admits that newlook.co.uk doesn't encrypt its customers' passwords either. He's not that worried, though, because the company doesn't hold customers' credit card data. Like some other sites, it forces customers to re-enter their credit card details for each transaction - thus dodging the PCI bullet. "It's a big disadvantage," he says. "But for the time being until we're absolutely confident that we have robust systems in place; we think that's probably a better way to go."

For Donal Casey, principal consultant at systems integrator Morse, the most trustworthy websites don't take credit card information at all. "I'm more interested in sites that use things like PayPal or Google Checkout because I don't necessarily want to give my card details out," he says.

The LogLogic survey didn't say what level of certification the handful of compliant companies had attained. The PCI standard has several, based on the volume of transactions a company processes. Only tier one (the highest) is externally audited, says James Cronin, CTO of tier one-compliant e-commerce platform provider Venda. "Anyone who wants to can be level two, three or four compliant just by filling in questions on a web form. It's not really a validation," he says.

But PCI only addresses the handling of credit card data. Today's websites face other problems. For several years, one way for criminals to infect victims' computers with malicious software was by using shady websites serving porn and pirated software to covertly deliver malicious scripts. Once infected, the computers became part of a botnet, remotely controlled by online crooks. Recently, criminals have refined their tactics, hacking into legitimate websites and turning them to the dark side. A survey by security firm WebSense in January found that 51% of all sites serving up malicious scripts were legitimate sites that had been hacked. "Our figure is 83%," says Graham Cluley, senior technology consultant at anti-virus firm Sophos. Every 14 seconds, Sophos finds a site delivering malicious scripts, and eight in 10 are legitimate sites that were hacked, he says.

On Valentine's day, the company found an e-commerce site selling flowers that was unwittingly infecting customers' machines. "The florist wasn't really interested, and didn't understand what we were talking about. He was into flowers, not websites," recalls Cluley.

Some sites using databases to serve up their content have been attacked using SQL injection, in which criminals manipulate the web server's database by typing carefully crafted text into a web form or the address bar. Another attack involves stealing FTP passwords from an infected PC, says Joe Stewart, senior security researcher at managed security services firm SecureWorks. "Someone gets infected with a bot, it's stealing their other passwords, and so it steals FTP passwords as well," he warns.

Web advertisements are another attack vector, warns Stewart's colleague at SecureWorks, senior security researcher Don Jackson. E-commerce companies may have control over their own content, but if banners display advertising content from third parties, how do they know they're not serving malicious scripts?

A question of trust

Such trust relationships often extend to a third-party web host looking after a company's e-commerce site, says Kellermann. "Those who host websites, portals and e-commerce engines are not being effectively tested and forced through contracts to remediate exploitable vulnerabilities before the enemy does," he warns.

These issues are worryingly real. Last October Fasthosts, a UK web hosting company, was forced to ask all of its customers to change their FTP and email passwords (stored unencrypted) following a data breach. And many e-commerce websites hosted by third parties share servers with other companies' code, so one infected application can affect others' software.

All of this makes it difficult for e-commerce customers to know who they're trusting, let alone how secure they are. And with criminals now operating in stealth mode so that they can milk compromised computers of their data for as long as possible, how will we ever really know?

E-commerce: the facts

14%

Proportion of websites tested that ask users a secret question to reset password

51%

Proportion of sites serving up malicious scripts that are hacked legitmate sites

14 seconds

The time it takes Sophos to discover a new website with malicious scripts

Tips on Gaining Web Traffic to your Online Shop for pro online entrepreneurs

Let your customers contact you

Make your site’s contact information street address, e-mail address, and phone number – easily accessible through a “Contact Us” link. Doing so will inspire confidence in both current and prospective clients.

Enlarge product descriptions

Give the customer as much information as you care about the features, capabilities, and limitations of your products, whether there are different configurations, and how they compare with other products. A mere product number just doesn’t hack it.

Ensure transaction security

The safest online transaction method is via credit card. When using one, you can challenge charges and withhold payment in the event of a dispute with a merchant. Under the federal Fair Credit Billing Act, you are liable for only $50 if your card is used fraudulently (and you are rarely required to pay even that).

Print out your orders

Print out paper copies of any orders you place. Most vendors will send an e-mail confirmation, often with a link for package tracking, but e-mails can get lost or deleted.

Having a physical copy of the order ensures that you get what you paid for.

See what other customers say

Before ordering from an unfamiliar Web site, do a search on the company or site name to see what customers have to say. Or check with the Better Business Bureau (www.bbb.org), which accredits and rates businesses as well as summarizes customer complaints, noting whether the company resolved them.

 

Make Sure an offer is legit

If a deal looks too good be true, it probably is. Call the merchant with any questions you may have. No phone number or physical address offered on the Web site? Fuhgeddaboutit.

Investigate possible scams

Think you may have been scammed? The National Fraud Information Centre (www.fraud.com), a program of the National Consumers League, provides information on a wide range of online and telemarketing scams, helps you determine whether something is fraudulent, and lets you file complaints online.

Pretty pictures sell products

Adding plenty of product photographs makes a site appealing. First, get a good photographer to shoot them. Later, in a program like Adobe Photoshop, you can optimize size, contrast, and brightness, and minimize file size by saving as JPEGs. Keep images small (but linked to larger, better-quality versions) or your pages will take forever to load.

Make sure you’re encrypted

A safe Web site has SSL or similar encryption. Pages that ask for or display personal information should have a URL that begins with https://. You should also see a lock icon (in the locked position) near the address bar or at the bottom of the page.

Keep in touch with customers

Collect e-mail address from customers who wish to subscribe to newsletters or other mailings. You can do this by adding a form to your site or providing a link to a separate subscription page.

Create a privacy policy

Your e-commerce site should have a privacy policy detailing what you will – and won’t – do with customer information. Examine the policies of Web sites you visit to see what they include. Still need help? The Direct Marketing Association provides a privacy policy generator at www.the-dma.org/privacy/creating.

Buy search terms

You can advertise your business in search results from Google, Microsoft Live, or Yahoo! For surprisingly low costs of entry; Google AdWords Starter Edition carries a start-up cost of just $10, with no minimum monthly spend on keywords. Yahoo! Has a $1 minimum per day, and Microsoft has a $2-per-month minimum. All three offer lots of help and make it easy to get started.

Recommend products

Provide a list of recommended products and things “other customers also bought” with each item. You can do it in your database by connecting products based on customers’ actual purchase.

 

Web Traffic

 

Sound Structure

 

Make sure your HTML structure is correct. While not as important as they used to be to search-engine spiders, metatags (the HTML tags at the top of the web page, such as title, keyword, and descriptor tags) are a vital part of optimizing your site for SEO.

 

 

Use trackbacks

 

When you leave comments on a Web site or blog or participate in a discussion forum, use the trackback feature to boost traffic to your own site. A trackback is basically a line back to your site that connects to your comment, so participants and visitors can click on it and “track back” to your page.

 

 

Link. Link. Link.

 

You must link, but link properly and effectively. Google looks at links to and from your Web site when it determines your PageRank (Google’s formula for determining a Web page’s importance). And the words you use in hyperlinks are of key importance; instead of saying, “Click here to read more about Topic X,” you should say, “Read more about Topic X.”

 

 

Read all about it

 

A newsletter is one of the easiest ways to drive traffic. Visitors can opt in or out, and they get exactly the content they’re looking for. But make sure you create newsletters that are focused and provide value. Spamming people will just irritate them.

 

 

Tighten up your titles

 

Pay attention to page titles. Keywords used in the title tag often have more weight (in ranking) thank keywords used just in the body of an article.

 

 

Don’t get too fancy

 

Flash and JavaScript may make your site look cool, but overwhelming visitors with flashy graphics and no substance won’t get you anywhere. Many experts believe that search engine spiders still prefer HTML.

 

Outside influence

 

Pitch and plant your stories, Submitting your stories to social media sites, blogs, and rating engines (like Digg and Yahoo! Buzz) can help drive lots of traffic to your site.

 

 

Optimize for SEO read more about SEO on page 6

 

Optimize your site for search-engine optimization (SEO). By implementing sound SEO practices on your pages, you can help improve your ranking in search-engine results. Just one example of a very complex subject: Choose words relevant to your business and make sure they appear prominently in page headers and titles.

 

 

Get Listed

 

You need to get people to your site. One way to do so – and boost your organic or unpaid-for, traffic – is by listing your site in search directories (like Yahoo!) and search engines (like Google). Various services and companies will do this for you, or you can head over to the Open Directory Project (www.dmoz.org/help/submit.html) and submit your site yourself.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Security Market Survey

Callpod Chargepod Universal Charger Down to $39.95

One of our favorite multi-tipped chargers, the chargepod, has just gotten a $10 discount down to $39.95 for the base. We're not going to be d-bags and say that our recommendation in the review last year for them to drop the price down to $39 had anything to do with it, because our egos aren't that gigantic. Their bundle pack with six adapters, chargers, and some various other stuff (carrying case) is $79, but that's a pretty small price to pay to keep your charging station organized and compact. [Callpod via PRnewswire]

New MIT Research: Technologies for a Better Future

MIT researchers are paving the way for a number of new technologies that will undoubtedly affect all of us in the near future; one hopes one of those ways would be to relieve economical pressures, as we all suffer through high gas prices, food shortages, and too-expensive housing. The institute issued a report this week with quotes from researchers on some of these technologies and how close they might be to reality. Embedded Electronics: A few years from now, James Bond won't be the only one with the cool gadgets. A new trend is on the rise with the embedding of low-cost electronics into just about every object. "A pair of sunglasses may have the ability to project a visual display accessing the Internet, have an embedded cell phone and actuate other devices as one glances at them," says Michael Strano, a Charles and Hilda Roddey associate professor of chemical engineering at MIT. "Everyday objects may sense, detect and constantly adjust to our environment, controlling temperature, lighting, noise level, etc." More technologies after the jump; and for more in-depth info on this research, check out MIT's news site. Robotics:There are currently millions of robots cleaning American homes and thousands in the U.S. military, and many of these robots are becoming more specialized. In a recent Gearlog post, they talked about one kind of robot that had superhuman strength, which was the Army's effort for stronger troops in the future. Rod Brooks, MIT"s Panasonic professor of robotics says, "Just as computers we interact with personally (e.g., desktops, laptops, PDAs, cellphones) transformed our lives over the last 25 years, so, too, will robots transform our lives over the coming 25." Fusion: Many countries around the world are scrambling to find new sources of fuel and energy, so as not have to rely on foreign oil. Fusion may be a possible solution. "The hydrocarbons from waste could be turned into hydrogen-rich gas, which could be passed through catalysts to create liquid fuel," says Leslie Bromberg, principal research engineer for the Plasma Science and Fusion Center. "Although the process could increase the cost of fuel, it is CO2-neutral and would provide energy security." Digital Fabrication: This futuristic technology, as described by Neil Gershenfeld, MIT's director for the Center for Bits and Atoms, will allow people to make almost anything anywhere. "Coupled with digital video and digital libraries, this means that the formerly scarce resources (facilities, books, people) of advanced technical institutions (such as MIT) can become much more widely accessible," Gershenfeld says. Electrochemical Energy: In addition to fusion, another potential source of future energy is electrochemical energy: the reduction and oxidation of materials to generate or store energy. Paula Hammond, Bayer professor of chemical engineering, says, "We're on the cusp of very real achievement in this area--leading to new, more-efficient photovoltaic devices, batteries, and fuel cells." Sustainable Cities: The tech of the future will enable cities to be more efficient and sustainable. William J. Mitchell, professor of architecture and media arts and sciences, says that gasoline-powered automobiles will be replaced with personal mobility systems that are lightweight, wirelessly networked, electric and smart. He also says we'll see "the emergence of clean, efficient, geographically distributed systems for electricity generation, storage and distribution. A third part will be the embedding of networking capability and intelligence in buildings and products of all kinds. And finally, ubiquitous networking will--like a nervous system--tie all this together so that cities respond, like intelligent organisms, to dynamic changes in their environments and the needs of their inhabitants." Bioengineering: Technology in the future can help us to protect all life forms. This includes increasing the production of foods and materials through biological processes. Phillip Sharp, institute professor says, "Design of biological organisms and engineering of production processes will be more important tomorrow than today. We need to make investments now. In the short term, the merging of engineering and biology will generate new technologies that will impact the economy through generation of better medicines, agriculture and materials." Life Extension: Advancements in medicine will help us save more lives and extend life to millions. "These technologies will probably span everything from small molecule therapies and nano- and microscale devices to whole organ replacement technologies using stem cells," says Mehmet Fatih Yanik, assistant professor of electrical engineering. "Beyond the scientific and technological hurdles, temporary challenges will include the cost versus benefit of these technologies, legal and ethical concerns, and regulations and strategic investment choices among various options."

HughesNet plus Wayport

 

Wayport announced today that subscribers of the satellite-based HughesNet ISP--the lowest-scoring method of Internet connection in the annual PC Magazine Readers Survey on service and reliability, so much that dial-up service scored better--now can get access at any of up to 10,000 Wi-Fi hotspots operated by Wayport. That includes many hotels, Hertz rental locations, and, of course, about 9,500 McDonald's restaurants.

But not for free. This service costs HughesNet subscribers an extra $14.99 a month.

So next time the satellite service is making a HughesNet customer tear out his hair in clumps, he can rest easy knowing he can pay more to drive to the local Mickey D's for some actual Internet time. With fries.