SecurityChef | Your daily diet of security goodness!

CAT | Personal Protection

Increasingly, employees expect to remain connected to social networking sites while at work. But these sites represent a growing threat in terms of malware, for instance. It can be challenging to measure the exact threats posed by the variety of networking sites in this regard, says Larry Ponemon, president of the Ponemon Institute. That said, there does appear to be a significant association between a company granting permission to allow social networking sites and the organization’s level of malware. Networking sites also represent a risk in the area of social engineering. Hackers can use the sites to glean information about employees to carry out targeted e-mail, or phishing, attacks, for example.

Another significant risk is that an employee could post or inadvertently reveal sensitive information. For example, someone could say that he or she “can’t attend a party because they have to work on xyz deal,” says Chip Tsantes, a principal in the financial services office of Ernst & Young. That might have just revealed the existence of a deal or a meeting not meant to be disclosed.

Despite the risks, companies can’t just say no to social networking. That’s not practical in today’s environment, note experts. For one thing, employees are going to participate in these sites on their own time at home in any case, creating some of the exposures regardless.

Another factor is that some workers, the younger ones in particular, may avoid working for organizations that are overly strict on using social networking on the company’s network, says Per Thorseim, a security consultant at EDB ErgoGroup, a Norway-based IT services firm. In some cases, “if employers say ‘we want you here but there’s no access to social networking sites,’ there’s almost no way they’ll want to work there no matter what kind of pay you give them.”

In some cases, employees can access sites through Internet proxy Web sites. It can also be hard for organizations to block sites once they’ve already been allowed for business purposes, says Thorseim. And they are increasingly part of business marketing and communications efforts. For these and other reasons, “few companies have been getting more conservative on what they allow,” he says.

Given that reality, it’s important for entities to draw up strong acceptable-use policies or to reevaluate existing ones. One element of a strong policy, particularly for highly regulated organizations, is to include language forbidding employees, unless expressly authorized, from representing the company, as opposed to themselves, online, says Tsantes. Some policies also require that employees never mention their employing organization, or even anything about their work, unless that is part of their job.

In addition to being told about the specific provisions of the policy, employees must be made to understand why it is important to follow the protocols not only at work but when using social media in their personal lives, says Tsantes. “If you explain it in the context of protecting their family and friends and then apply the same principles at the company, I think it will create a greater attention to the problem and more awareness.” Training can include sending information to employees via e-mail or an internal Web site. It can also be helpful to train an employee after a security incident, such as a malware infection.

Management should create a culture in which it’s considered acceptable for employees to report if they may have had a malware infection or other security incident related to networking and similar sites, he says. “You want to try to reward the behavior.” But the company must also make sure that there are negative consequences for those who do not follow the policies. A policy that is not enforced will serve no purpose.

Apart from setting parameters on what should be said on social networking sites, the company may want to monitor such activity to assess riskiness to the extent that doing so is legal and pertains to the work-related concerns. Certain networking sites can present greater risks than others. Some entities may want to familiarize themselves with the types of security measures taken by certain sites. Some more popular sites are actually stronger in protecting users’ security and privacy. Facebook, for instance, is “one of the safer sites” in numerous respects, Tsantes says. If a site seems insecure, the company may want to deny access to it from the company network.

It can also be important to ensure that employees do not have administrative access to their work computers, says Tsantes. By denying such access, if employees happen to click on something that’s installing malware it “will prevent most but not all infections.” Companies may also want to implement some of the newer security measures that can further reduce the exposure to social-networking-site risks. For example, there is technology that can grant access to Facebook and other sites but make the content “read only,” says Tom Clare, Websense’s senior director of product marketing.

Newer types of data loss prevention (DLP) solutions and technology can also be effective at preventing certain kinds of sensitive information from leaving a company’s network. DLP technology tends to be most effective when it is guarding against the loss of specific sensitive information, such as credit or debit card numbers, says Thorseim. Many DLP solutions can be expensive, however, and many of the newer technologies are largely untested.


While burglary rates continue to slide, the crime continues to victimise businesses despite simple and cost-effective ways available to protect shops and facilities. However, a large number of owners and managers of businesses are reluctant to invest in security. This doesn’t make much sense considering thieves target businesses more than homes. Businesses struck by burglars also tend to get hit again and again. But empty suburbs during the day, and empty commercial and industrial districts at night, present a variety of burglary opportunities.

Typically most burglars enter by forcing a window or door open, regardless of the target. Business owners and managers have more to deal with than just their sense of violation when burglaries occur; this includes loss of equipment or stock and expensive delays resulting in loss of income. Sometimes a burglary can deliver a knock-out blow to small businesses if important tools or records are stolen.

Young males predominantly commit burglaries, with approximately 80% being between the ages of 15 and 25. Social prevention programs and police initiatives like crime prevention partnerships can decrease burglary rates, and managers can do a lot more to prevent a burglary.

A conventional three-part security management plan can reduce the chance of a burglary. It involves conducting timely and comprehensive risk assessments, installing layered security measures and testing the security system regularly. But if this plan is to be effective, the whole business needs to be involved; from the owners and managers down to the cleaners.


From the pop-up alert warning you about a shady Website to the rainbow-coloured terror alert system, security researchers and psychologists say security warnings lose their power once familiarity creeps in, reports ABC News.

Researchers at Carnegie Mellon studying the effect of Secure Sockets Layer (SSL) on online behaviour discovered that 409 Internet users routinely ignore their browser’s SSL warning. The warnings inform users whether the Website has been authenticated, meaning the Website is who it says it is. Typically, the warning flashes because the certificate that validates a Website has expired. Less often, it means the user could be entering a dangerous Website riddled with malware.

“People get pop-ups in their browsers which say something about security but they don’t know what they are, so they swat them away,” Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon, told ABC News. “Nothing bad happened before and they think nothing bad will happen again.”

The reason why people tend to ignore security warnings is quite simple, according to clinical psychologist John Grohol. “If you’re constantly bombarded with the same message over again, you tend to ignore it,” he said. “The message has lost any intensity or originality or uniqueness in our minds.”


Apr/12

13

ATM Skimming Security

After the ATM skimming incidents in Auckland recently, it has become apparent that people need to keep a look out for anything suspicious at an ATM and know how to protect themselves from card skimming. There are several ATM security threats that you need to know about.

Skimming:

Skimming is the act of capturing magnetic information from a credit card or ATM card and then using it for fraudulent purposes. Skimming can be performed either with a handheld device, or a magnetic strip reader attached to an ATM, debit or credit card portal.

There are two types of card skimming. With the first, someone takes an extra swipe of your credit card. It could be a waiter, a store clerk, or anyone to whom you’ve handed your credit card for payment. Instead of just charging your card, the thief takes an extra swipe of your credit card using a small, hand-held device known as a skimmer. The skimmer extracts and stores the data from your card, giving the thief all the information he or she needs to create a counterfeit card. A skimmer can store card data from hundreds of different credit cards. Once information has been captured, it can then be downloaded into a computer and emailed anywhere in the world.

A second form of skimming involves the collection of ATM/debit card numbers and PINs. This is accomplished either by simply watching members as they use ATMs (a technique known as “shoulder surfing”), or by installing false card readers on top of existing ATMs. These skimmers record the information from the magnetic strip on the card while a small camera is placed either in the skimmer or near the ATM to record the PIN number. With the stolen information, scammers can manufacture counterfeit ATM/debit cards that then can be used to withdraw money or make purchases from accounts. Since the ATM machines work normally, victims are unaware that they have just given scammers the “keys” to their bank accounts.

Tips to protect you from card skimming:
• Be wary of anything about the ATM machine that looks out of the ordinary, such as odd-looking equipment or wires attached to a device. If it doesn’t look right don’t use it.
• If an ATM has any unusual signs, don’t use it. No bank would hang a sign that says for example, “Swipe your ATM card here before inserting it in the card reader”.
• Be wary of a “no tampering” sign. These are often placed by crooks to thwart anyone curious about a new piece of equipment.
• Be wary of a jammed ATM machine that forces customers to use another ATM that has a skimmer attached.
• If you see anything unusual or suspicious around an ATM machine, or if you find unauthorised ATM transactions on your bank account, notify local law enforcement, as well as your financial institution and/or the establishment where the ATM is located.
• Check your bank accounts regularly to make sure there are no unusual or unauthorised transactions. If you find any unauthorised transactions contact your bank and insurance company immediately.
• Protect your PIN – do not give your number to anyone and cover the keypad while you are entering your PIN. If possible, carry out your ATM transactions during the daylight hours, as most ATM-related crimes happen after dark.
• Never share, write down or disclose your PIN to anyone.
• Always sign your new ATM/EFTPOS card as soon as you receive it.
• Don’t choose a PIN that is easily associated with you, e.g. your birth date, phone number, or parts of your card number.
• Use different PIN numbers for each different card.
• Make sure that no one is looking over your shoulder when you enter your PIN number.
• Always put cash into your pocket or wallet before walking away from the ATM machine.
• Always remember to retrieve your ATM/EFTPOS card after using it.
• Do not use any ATM or EFTPOS terminal that looks like it has been tampered with (e.g. had components added) as it may have been altered for the purpose of skimming your card details.
• Be wary of anyone offering assistance, especially if the ATM has just retained your card, as they may be attempting to obtain your card or card details.
• When using an ATM be wary of anyone attempting to observe you entering your PIN and do not allow yourself to be distracted by anyone talking to you.
• If your card is retained by an ATM, go immediately to the nearest bank branch or call your insurance company.
• If you lose your ATM/EFTPOS card, contact your bank or insurance company immediately.
• Always keep your ATM/EFTPOS card in a safe place.
• Carefully dispose of receipts from EFTPOS and ATM transactions once you have checked these against your statement. This will help prevent others acquiring information about you and your cards.


School ID card systems provide more than student IDs; they help schools create a secure learning environment. Educational institutions of all shapes and sizes rely on ID cards as a way to increase security while also delivering a great deal of convenient functionality. As security concerns grow and budgets tighten, it’s becoming more and more important for schools to maintain effective ID card programs. You can protect your students, faculty and facility and, at the same time, streamline operations and procedures while reducing costs.

A new student comes in, and while their paperwork is being filled out, an ID card is printed. This ID card has a full colour picture of the student, their signature, and a barcode or magnetic stripe.

The student can use it as a library card; it is scanned to record the checkout details. The ID card can also be used to log into a computer in class or the library. That computer then allows access to specific applications only, based on their pre-set configured access levels.

When visiting the cafeteria, instead of handing over money, they can simply have their ID card scanned. As it also works as a meal card, the total amount is deducted directly from their student account so there is no risk of monetary theft at the school.

If a student were to attempt to enter the staff lounge, they would be unable to because their special student ID card also works as a security card, and it does not allow them access to the staff lounge and other restricted areas.

When the student enters a classroom, they swipe their ID and are marked present. When they leave the classroom, they swipe again to verify they were in class the full time and to verify where they were last. If that student turns up missing, the school’s security system will know where they were last, and when.

These same ID cards can be used for faculty and staff. Maintenance crews can have access to boiler rooms or other mechanised areas, while students are not able to enter. Office staff can have access to private computer records, while the student staff is denied.

This level of security in any school system may seem worrying to some people, but in today’s world it’s a reality that needs to be addressed. With so many people to keep track of these days, especially in today’s volatile society, security could be a nightmare, but it can be easily managed. Therefore there is a strong need for ID cards, especially among students, to monitor and ensure a safe learning environment.


One value that seems to hold a lot of people back from setting and achieving big goals is the need for security. Security is a feeling of certainty that everything is OK and that all your basic needs will be provided for. On the surface there’s nothing wrong with that. It’s great to feel secure. Abraham Maslow lists it as one of the basic human needs. If we don’t feel secure, we can’t move onto higher levels like love and self-actualization. If we have doubts about paying the rent at the end of the month, how can we possibly go after our really big dreams? You gotta feel secure first, right?

So how is it that most self-made millionaires in America started broke or in debt? How is it that some people are able to start a new business while completely broke and with little or no income and with no guarantee of success? Do entrepreneurial risk takers simply have a lower need for security? If you read the biographies of very successful people, you see a common pattern again and again — from an external point of view, most of these people were not in a secure situation when they started going after their dreams. Sylvester Stallone was so broke he had to sell his dog in order to afford to keep shopping around his Rocky script (which no one would buy). Tony Robbins did his dishes in his bathtub because his tiny apartment had no kitchen. Brian Tracy was a day laborer. Og Mandino was a homeless drunk who wandered into libraries to stay warm. Babe Ruth started out in an orphanage. While some successful people start out with a lot of advantages, most don’t.

Meanwhile, how is it that others who seem to be in a far more financially secure situation are paralyzed from taking action? People who have some money in the bank, a nice home, and a steady paycheck still don’t feel secure. Meanwhile, others with far worse starting positions pass them by. Why?

The reason isn’t that some people need security more than others. I think everyone needs to feel secure. The difference, however, is that the entrepreneurial-minded define security internally while others define security externally.

For example, those who can’t seem to take action will typically define security as $X in the bank, a house that’s fully paid for, a stable high-paying job with benefits, a solid relationship with the boss, a car that runs well, etc. Security is all about the externals. If the externals are stable, this person feels secure. But when the externals are threatened, such as the possibility of getting laid off, then this person doesn’t feel secure. This person will spend a lot of time striving to get these external factors in order.

But the entrepreneurial action-takers define security internally. Security comes from trusting in yourself — in your ability to think and to take action. As long as you have the ability to think and take action, you’re secure. Given this mindset you could be homeless and still feel secure. Why? Because you still have the ability to think and act — your homelessness is only a temporary setback. It’s not a threat to your security. So even while you may be in a financially unstable situation, external circumstances don’t threaten your security. Your security is guaranteed. It cannot be turned off by external events.

Now when it comes time to take action, you can see why one group will be paralyzed, while the other group will speed ahead. According to Maslow’s hierarchy of human needs, security is a more basic need than self-actualization. This means that you won’t be able to fully set and achieve big goals if you don’t feel secure. Security has to come first.

So given that most people don’t start out with sufficient resources to satisfy the external definition of security, those that define their security this way won’t be able to take action to go after their dreams until all the external factors are met. They’ll be waiting and waiting until they have enough money to feel secure, and only after that happens will they be able to go after their dreams. Most of the time, this will never happen — the person will die before they satisfy all these external factors. On the other hand, if they do manage to acquire sufficient resources to pursue their dreams, and their security is again threatened (for example, they lose too much money), then it’s time to put the dreams on hold and re-establish external security. This is a hugely ineffective way to pursue your dreams. In most cases it just won’t work at all. You’ll spend your whole life pursuing security instead of self-actualizing. And sadly, this is what most people currently do.

Now consider the entrepreneurial group who defines security internally. All you need to feel secure is to think and to take action. You don’t need any specific set of external circumstances to feel secure. You’re already secure because you believe in yourself. So you can move straight on to self-actualization, and you can stay there. You can continue to work on your dreams without pause. There’s no need to stop and satisfy some external need for security.

Having an external locus of control is paralyzing. If you define security externally, you’ll always be victimized by factors outside your control. But an internal locus of control is empowering. If you define security internally, you’ll always have that need met, no matter what happens outside your control. And thus, you’ll always be able to take action on your dreams, no matter what happens.

So how do you move from one group to the other? It’s nothing more than a choice. Just as you may have chosen to define security externally, you can choose to do the opposite. You can choose to look externally for verification of who you are and what you’re capable of (this is what most people do). Or you can look internally instead.

Believing that you can handle anything that comes your way is a choice. You don’t have to earn it. You don’t have to acquire a quantity of external validation to somehow earn permission to work on your dreams. You don’t need permission. You don’t need the external world to say, “OK, you’ve finally met the basic security requirements. You now have authorization to work on your dreams, as long as you maintain your current level of external security.”

Yes, it really is that simple, as stupid as it may seem. There’s no physical law that says you have to meet some arbitrary external security requirements before you can go after your dreams. You can be starting broke and in debt with no stable income, and you can still spend the bulk of your time going after your dreams. People keep doing this over and over and succeeding.

If you define security internally (and you’re completely free to select this option), many obstacles that seemed to hold you back will just melt away. While you should pay attention to possibilities like running out of money, most people overemphasize these obstacles and become paralyzed by them.

Money is an important resource to be sure. But time is far more important. When you run out of time, then you’re really done. But what happens when you run out of money? Did you know that you can run out of money and just keep on going? Running out of money doesn’t mean you have to stop living, and it doesn’t mean you have to stop going after your dreams. You don’t automatically die when you run out of money. No referee will show up and haul you off the field. The game doesn’t suddenly end.

The typical self-made millionaire has been broke or nearly broke an average of 3.2 times before making their first million. There are consequences to going broke, and you may need to tighten your belt for a while, but that doesn’t mean you have to stop. Running out of money is largely an imaginary obstacle. For those who define security externally, running out of money is a huge personal threat, something to be avoided at all costs. But for those who define security internally, running out of money is just a temporary setback. Donald Trump experienced this setback, as did Walt Disney, Abraham Lincoln, and many others who went after their dreams with tenacity.

It doesn’t matter where you’re starting from… whether you’re an employee or an entrepreneur, whether you have a lot of cash or are broke and in debt. Time is so much more precious than money. You can afford to lose all your money in the pursuit of your dreams. You can go broke over and over and just keep on going. But what you cannot afford to lose is time. Money can be restored. Time cannot. Even if you have no money at all, you can still think and take action. But when you run out of time, that’s it — game over. Each day of your life that passes is another day gone, never to return again. If you are paralyzing yourself with an external definition of security, you’re squandering your life away. If you aren’t spending your precious time working on your dreams — today, right now — then you’re just counting the days until you die. That external security will never come. The external factors will never be just right. If you are waiting for external security, you’re waiting for death. And in the meantime, you’re forgetting to live.

So what are you waiting for? External security is an illusion. In the words of Helen Keller: “Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.” So which will it be for you? Have you chosen the daring adventure, or have you chosen the nothing?


There are three things you need to consider when using an internet service away from home: your internet provider, your internet connection, and your computer. Your ISP can monitor everything you do. I’m not saying that they are, but they can.

Whenever you’re using a wireless hotspot such as in an internet cafe, or even a wired connection in a hotel or somewhere else, they are your ISP for that connection. Again, I’m not saying that the coffee shop, hotel or their wireless provider is spying on you, but I would take care to make sure you trust the provider you’re using. If you’re at “Joe’s Cafe” and it’s Joe’s teenage son that’s just slapped a wireless access point on their DSL connection – yes, he could certainly be monitoring what you’re up to if you’re not careful.

But that’s not really the biggest threat. So while you should of course exercise caution, for this discussion I’ll simply assume we can trust whoever’s providing the internet connectivity. The people we shouldn’t trust are the other users within range of that wireless connection. Anyone within wireless range of your laptop could be monitoring your internet usage.

 Scary, huh?

 So, here’s what you need to do:

• Use a firewall! Sounds like you’re already doing this, but for everyone else, this is critical. And it doesn’t have to be difficult; for example, I simply enable the built-in Windows firewall when I’m in an open WiFi situation.

Yes, there may be a router or firewall at the hotspot protecting you from threats from the internet, and that’s fantastic. It’s also not at all what I’m talking about here. In an open WiFi situation and in any “internet provided” situations like hotels, you need to protect yourself from everyone else that’s on the same side of the router as you are. They can see and connect directly to your machine unless you have enabled your firewall.

• Use httpS! That’s https; note the “s” at the end. An https connection is encrypted. That means that while someone can see that you’re accessing a particular web site, if you’re using https they cannot see any of the data you send to or receive from that site. This is the only safe way to do online banking. If you can’t connect via https, or the “s” disappears at some point in your exchange with your bank, then stop immediately. If it’s not https it’s not secure and anyone in the room could be monitoring what you’re doing.

• Secure your Email! Email is perhaps the biggest open security hole in these situations. If you use a POP3/SMTP email client, the default configuration for most is totally unsecure. I could sit in a corner of the internet cafe and not only read your email with you, but also steal your account name and password. It really is that unsecure.

With POP3 and SMTP you should contact your email provider and see if they support SSL connections. If they do, it’s a slightly different configuration in your email program, but once done all of the communication between your email program and email servers is securely encrypted.

Online or web-based email services deserve special consideration. Most do not support https connections. The one exception is Gmail, which will use https if you make sure to login through an https connection, and have the “always use https” option selected in Gmail’s options.

• Consider a VPN. Not all sites support https as it takes extra work on their part. For example, there is no https version of ask-leo.com; you can only access it through unencrypted http, and that’s the norm for most sites that don’t process confidential information. But that means that someone could still be watching where you go. If you don’t mind them seeing that you’re visiting ask-leo.com, or what you might happen to search for on Google, or whatever other sites you’re visiting in the clear, then you don’t need to do anything.

 And not all email providers will provide secure connections.

However, if you’re a “road warrior” and spend a lot of time in internet cafes, have an unsecure email configuration, or browse a lot of sites that you’d rather not be so easily sniffable, you might consider a VPN (Virtual Private Network) service. I’ve never used one personally, so I can’t recommend one specifically, but there are several. http://www.hotspotvpn.com/ is one example. Using these services you create an encrypted connection to the service and route all your internet traffic through them. When you do this, the folks in the cafe see only encrypted data which they can do nothing with.

• Realize that a “login intercept” protects them, not you. In many free WiFi situations, the first time you use the service, no matter where you try to go, you’re first intercepted and sent to a page where you’re required to “login” or otherwise accept the terms of service. This page does not protect you at all. It has nothing to do with security, wireless or otherwise. It’s nothing more than a bit of legalese to protect the internet provider.

So, how big is the risk, really? It depends. I would expect busy hotspots near sensitive areas to be a fairly reasonable risk. Busy coffee houses, open airport WiFi, libraries and the like seem like “target rich environments” for the potential hacker. These are certainly places where I’d make sure to take these safety measures myself. Less busy hotspots? Perhaps not so much. But it is possible, and more frighteningly, it’s not all that hard for someone who’s technically savvy.

 Article C3269 – November 12, 2009


There’s a potential threat lurking in your internet café, say University of Calgary computer science researchers. It’s called Typhoid adware and works in similar fashion to Typhoid Mary, the first identified healthy carrier of typhoid fever who spread the disease to dozens of people in the New York area in the early 1900s.

“Our research describes a potential computer security threat and offers some solutions,” says associate professor John Aycock, who co-authored a paper with assistant professor Mea Wang and students Daniel Medeiros Nunes de Castro and Eric Lin. “We’re looking at a different variant of adware — Typhoid adware - which we haven’t seen out there yet, but we believe could be a threat soon.”

Adware is software that sneaks onto computers often when users download things, for example fancy tool bars or free screen savers, and it typically pops up lots and lots of ads. Typhoid adware needs a wireless internet café or other area where users share a non-encrypted wireless connection.

“Typhoid adware is designed for public places where people bring their laptops,” says Aycock. “It’s far more covert, displaying advertisements on computers that don’t have the adware installed, not the ones that do.”

The paper demonstrates how Typhoid adware works as well as presents solutions on how to defend against such attacks. De Castro recently presented it at the EICAR conference in Paris, a conference devoted to IT security.

Typically, adware authors install their software on as many machines as possible. But Typhoid adware comes from another person’s computer and convinces other laptops to communicate with it and not the legitimate access point. Then the Typhoid adware automatically inserts advertisements in videos and web pages on the other computers. Meanwhile, the carrier sips her latté in peace — she sees no advertisements and doesn’t know she is infected, just like symptomless Typhoid Mary.

U of C researchers have come up with a number of defenses against Typhoid adware. One is protecting the content of videos to ensure that what users see comes from the original source. Another is a way to “tell” laptops they are at an Internet café to make them more suspicious of contact from other computers.

“When you go to an Internet café, you tell your computer you are there and it can put up these defenses. Anti-virus companies can do the same thing through software that stops your computer from being misled and re-directed to someone else,” says Aycock.
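A defender-side sketch of the “more suspicious at an Internet café” idea, added here and not taken from the article or the researchers' paper. It assumes the redirection shows up as the gateway's IP address resolving to another laptop's MAC address (ARP spoofing, one common way to do this) and compares two constructed `ip neigh` snapshots; the function names and sample addresses are hypothetical.

```python
from collections import defaultdict

# Constructed neighbor-table snapshots in the format printed by `ip neigh` on Linux.
BEFORE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:00:00:17 STALE
192.168.1.40 dev wlan0 lladdr aa:bb:cc:00:00:28 REACHABLE
"""
AFTER = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:17 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:00:00:17 REACHABLE
192.168.1.40 dev wlan0 lladdr aa:bb:cc:00:00:28 STALE
192.168.1.77 dev wlan0  FAILED
"""

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" not in tok or tok[-1] in ("FAILED", "INCOMPLETE"):
            continue  # blank line or unresolved entry: nothing to compare
        table[tok[0]] = tok[tok.index("lladdr") + 1].lower()
    return table

def check_gateway(baseline, current, gateway_ip):
    """Compare two snapshots; return findings that suggest traffic is being
    steered to a peer instead of the access point."""
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old is None or new is None:
        return [("gateway-missing", gateway_ip, None)]
    findings = []
    if old != new:
        # The gateway IP now resolves to a different network card.
        findings.append(("gateway-mac-changed", old, new))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    sharing = sorted(ip for ip in by_mac[new] if ip != gateway_ip)
    if sharing:
        # Another client address uses the same MAC as the "gateway".
        findings.append(("gateway-mac-shared", new, sharing))
    return findings

if __name__ == "__main__":
    for finding in check_gateway(parse_neigh(BEFORE), parse_neigh(AFTER), "192.168.1.1"):
        print(finding)
```

A changed gateway MAC can also be benign, for example when roaming between access points of the same network, so the shared-MAC finding is the stronger signal of the two.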

Why worry about ads? Aycock explains it this way: “Not only are ads annoying but they can also advertise rogue antivirus software that’s harmful to your computer, so ads are in some sense the tip of the iceberg.”

The paper, Typhoid Adware, can be found at http://pages.cpsc.ucalgary.ca/~aycock/papers/eicar10.pdf.


Hot spots are hot. Located in thousands of airport lounges, hotels, cafés, and even public parks, they allow anyone with an 802.11b wireless LAN card to surf the Web, check e-mail, or even connect to the company LAN at broadband speeds. Before you experience the thrill of surfing the Net while nursing a latte at Starbucks, however, be sure you take the necessary precautions.

All wireless LANs have security issues, but wireless hot spots raise unique concerns. As with any wireless LAN, signals can penetrate walls and ceilings. That means that anyone in range with a standard wireless card can connect, even if they’re sitting out in the parking lot.

Hot-spot services are designed for maximum ease of use, so they generally don’t offer WEP or WPA encryption; if you connect to a hot spot, just about all the data you send is probably unencrypted. Since wireless LANs allow peer-to-peer connections, the computer-savvy guy at the corner table may be able to connect to your notebook and mooch your Internet connection, look at your unprotected files, or hitch a ride as you connect to your corporate LAN. He can also eavesdrop the airwaves with one of the many wireless sniffers available on the Web and watch as you unintentionally reveal your corporate network log-on information, your credit card numbers, IP addresses of your connections, and even the contents of e-mails, instant messages, and file attachments. Anyone with malicious intent can do lots of damage with this information, both to you and the company that employs you. And of course, you’re vulnerable to the same viruses, worms, and other attacks as you would be on any unprotected network.

So what can you do? Here are several ways you can protect yourself.

• Disable your wireless card’s ad-hoc (peer-to-peer) mode. You can do this via the adapter’s utilities or within Windows XP by clicking on Network Connections in the Control Panel. This will help prevent anyone from connecting to your notebook.

• Remove or disable your wireless card if you’re working offline.

• Install a personal firewall. Windows XP offers the rudimentary Internet Connections Firewall, but more advanced personal firewall products, such as Symantec’s Norton Internet Security and Zone Labs’ ZoneAlarm, can prevent others from accessing your notebook and even alert you when an attempt is made.

• Install personal antivirus software from McAfee, Symantec, or another antivirus vendor, and enable automatic signature updates.

• Take advantage of your e-mail client’s security features, particularly digital signatures and e-mail encryption. Digital signatures verify your identity to your recipients and ensure that messages are not tampered with during transmission. Microsoft Outlook lets you add digital signatures to messages and encrypt messages and attachments using S/MIME. If you’re using a Web-based e-mail service, make sure it offers some type of encryption. Be aware, however, that in many cases with such services only the log-on information is encrypted, while text is sent in the clear. You may want to use third-party e-mail encryption utilities, such as PGP Corp.’s PGP Personal, which offers digital signatures and strong encryption for messages and attachments, as well as for files stored on your computer.

• Make sure you submit credit card information only to SSL-protected Web sites (look for https:// in the address bar).

• For the best protection, use a virtual private network (VPN) to provide strong authentication and encryption for all your hot-spot communications. This is particularly important if you’re connecting to your company’s network, in which case you’ll probably get VPN client software from your IT manager. Small-business users can install VPN-enabled firewall and router appliances from Netgear, SonicWall, 3Com, or Watchguard at the office or use one of the many small-business VPN services available, for example, from Sprint or Verio.

• Keep your OS and software up to date with security patches.

And of course, make sure nobody is looking over your shoulder as you enter vital information. Enjoy the freedom and convenience that hot spots offer, but make sure that hot spots don’t land you in hot water.


Before you click and buy, make sure your online shopping experience is a safe and enjoyable one.

Who are you dealing with?
Check the identity of the retailer, especially if you’ve never heard of them before. Only buy from sites that include adequate address and contact details – phone, fax, email, and street address (not just a PO Box number).
Find out how easy they are to contact. Look for links such as “Contact us” or “Help”. It may be worth calling the phone number to see if someone answers, or sending an email to see how quickly you get a response.
If you’re still unsure about a retailer’s track record, do some research online. Search for complaints by typing their name plus “complaint” or “problem” into Google’s forums. You can also check whether the trader has met the standards of companies that rate online sellers (such as www.shopsafe.co.nz, www.bizrate.com or www.bbbonline.com).
Be wary if you’re buying from a country where you don’t speak the language. Even if the website is in English it may be difficult to sort out a problem.
Check out returns, refunds and warranties
When you buy online, there’s a greater chance the product won’t be quite what you wanted – clothes might not fit, or an appliance may not measure up to its claims. Check that there’s a clear returns policy offering a full refund if goods are faulty or not what you ordered.
For appliances and electrical goods, check if the warranty is valid in New Zealand – you may need to ask for an international warranty instead. Also check that the company has a New Zealand agent who can repair the item if anything goes wrong. Local agents are usually under no obligation to repair goods they haven’t sold.
Before you place the order, find out when and how you could cancel it or return something for a refund. Are there restrictions on returns? For example, CDs, DVDs and cosmetics must be returned in unopened packaging.
An item may have a money-back-guarantee – but if you’re returning it because you’ve changed your mind, expect to pay the (often expensive) return postage. Where goods are faulty or if you’re sent the wrong item, you should be able to claim the postage costs back from the retailer. This may take some perseverance, however.
Safeguard your personal details
Check the site’s privacy policy and be wary if there isn’t one. A clear privacy policy describes the type of personal information collected from a customer, the reason the information is collected, and who will have access to it.
You should be able to opt out of being placed on any third-party lists. The “better” sites don’t share information with third parties unless you give explicit consent.
Check where your details will be stored later – some businesses store them on a secure server, others destroy them once the transaction is made.
Work out the cost
What’s the exchange rate? Some sites have currency calculators to help you work this out. But when they don’t, it’s easy to forget you’re dealing in US dollars or UK pounds – and you may get an unexpected surprise when your credit card statement arrives.
Check the total costs carefully to make sure they include delivery, taxes, and any other costs. These costs should be disclosed before you start ordering – and certainly before you finalise your order.
Sites should offer both “regular” and “express” delivery options. If the retailer can’t give you a specific delivery cost, make sure you know the maximum amount you’ll have to pay. The cost of postage and packing can greatly increase the price if you’re buying from overseas – so it might pay to buy several items, to make the postage worthwhile. If you need the goods by a certain date, make this clear to the retailer.
Keep your credit card details safe
Check out the site’s security policy. In particular, make sure that the site has a secure checkout. This means your personal information is “scrambled” as it travels over the web and others can’t tap into your details.
A secure page will have one or more of the following:
* a pop-up window warning that you’re about to enter a secure site
* an unbroken key icon
* a URL (website address) that begins with “https” instead of the usual “http”
* a closed padlock icon – padlock icons can be faked, so look for one other secure page indicator as well.
If the site doesn’t have a secure checkout, then never email credit card details to a merchant – use the phone, fax, or snail mail. These methods are more secure.
Paying by credit card can give you extra protection if things go wrong, because you have the right to pursue a claim with the card issuer as well as the internet retailer.
Some sites offer “Verified by Visa” or MasterCard’s “SecureCode”. These verify your identity before processing transactions – you’ll be asked for a user name and password as well as your credit card details. This provides another level of security.
Be aware of the limitations of secure websites. The security icons tell you your details are protected during transit. But once your details arrive at the retailer’s site there could be a risk that they’re not stored properly. To get around this risk, some retailers use a third party such as WorldPay or PayPal. You need to register with this third party – but it means you don’t need to give your details to people you transact with. Large sites like Amazon, eBay, and Strawberry Net offer this service.
TIP! Some of our readers told us that, for online orders, they use a separate credit card with a lower limit – it lowers the risk of online shopping.
Set up a paper trail
Always keep a paper trail. Print off and keep a copy of your order and any confirmation or receipt that you get. It’s also a good idea to keep a copy of the terms and conditions at the time of purchase.
Check whether you’ve been charged correctly and make sure your order matches your bill.
If you contact the retailer at any time because your goods didn’t turn up or are faulty, make a note of it.
What if things go wrong?
Make sure the site has a complaints procedure, and that it gives contact details for handling complaints.
If you buy goods from a New Zealand trader you’re covered by the Consumer Guarantees Act (CGA).
If you believe a New Zealand trader has breached the CGA, you can go to the Disputes Tribunal.
If you’re buying from an overseas site, check which law applies to the contract you’re entering into. In theory, you should have the protection of the relevant country’s consumer laws, but it could be difficult to sort things out if something goes wrong.
Had a problem with an overseas internet trader? Visit www.econsumer.gov. This website (a venture of the International Consumer Protection and Enforcement Network) contains contact details for some overseas consumer agencies, advice and guidance on resolving an online shopping complaint, and gives you the opportunity to file a complaint.
The New Zealand Marketing Association can also help in settling disputes – it may work with a direct marketing association in that company’s home country.
If you don’t get the goods you ordered, or if they’re of an unacceptable quality, ask your bank for a “chargeback”. Banks may be willing to cancel the transaction and reverse the payment to the trader. Policies vary, so check with your bank. There may be a time limit on complaints, so contact your bank as soon as you’re aware of the problem.
