Note all the GoDaddy WordPress hack news here:
http://www.wpsecuritylock.com/

SlashDot
http://tech.slashdot.org/story/10/04/26/1527215/Massive-Number-of-GoDaddy-WordPress-Blogs-Hacked?art_pos=1

My thoughts after the jump.

My Thoughts:

Companies like GoDaddy that charge $5 a month per customer for a blog can’t possibly fix this issue, and GoDaddy has been tight-lipped about this problem.  I spoke with someone who was hacked today, and he is an IT pro from PA that I have been friends with for years.  He says that his site has ridiculously long passwords, and they were hacked already, which makes him think that the server that he is on has been rooted (hacked at the root of the server).

We like WordPress, this blog is running on WordPress (for now), but we will be leaving WP as we add more blogging features to our CMS-Logic system.   My friend is telling me that he spent all weekend fixing sites that have been hacked on GoDaddy.  Yes, you can use open-source software and build a great website, and yes, you can host that website for $5 a month.   But your site won’t evolve, and you will be a target.  This is one of the reasons we invested in building our own CMS instead of building websites on free blog software.  

The first question that you need to answer is how many end users will need support?  If that number is high you may be looking at more then one salaried position depending on the demands of your end users.  Where as with an on-site company who has multiple technicians they come prepared for whatever issue you may be having.  This can dramatically cut down on network and end user downtime.

The next question but one that is just as important is what kind of hardware will you be using?  Cisco for networking, Microsoft or Apple based computers, VOIP (voice over IP) or regular landlines.  As you become more and more advanced as a company the price tag on your in-house technicians go up as well.  The median for a basic network engineer with 1-4 years of experience in anywhere from $45,000 to $60,000 a year.  The cost of a Delaware.Net on-site technician in $110 an hour.  That is 545 hours of work.  Even our biggest clients don’t even come close to half of that in yearly costs.  On-top of that with each specialty you add on like Cisco Certified and Microsoft Certified the price of your technician goes up.  Not with Delaware.Net.  We have technicians experienced in Apple, Cisco, and Microsoft and combined have over 13 years of experience.

So if you are worrying about how to manage your technology, or would just be interested to see what we can offer you.  Give us a call at 888-432-7965 ext 2 to get us to come out for a FREE consultation.

1 YEAR: $52.47 48% Savings from previous pricing
2 YEARS: $93.40 53% Savings from previous pricing
3 YEARS: $121.20 60% Savings from previous pricing
4 YEARS: $144.80 (NEVER OFFERED BEFORE) 64% Savings from previous pricing
5 YEARS: $170.49 (NEVER OFFERED BEFORE) 66% Savings from previous pricing

*We will be requiring a credit card at the time of purchase or renewal.

We are happy to offer you this opportunity to secure your site and save some money!

These attacks are perpetrated through bot-nets. The concept is simple: A user opens an email containing an attachment, (lately in the form of a pdf or zip, but any attachment can work.) The attachment executes the virus code, and the users computer becomes part of the bot-net. These bot-net infected computers can lay dormant for days or even months before being called into action by the spammer controlling the bot-net. Once called into action, the user’s pc becomes a spam and virus sending zombie. Infected machines can send thousands of emails per day using legitimate credentials. This traffic causes mail servers across the Internet to become bogged down slogging through all this junk. You could be infected right now and not even know it.

What can you do to protect yourself?

1. Make sure your virus scan definitions are up to date. If you bought your pc last year and are still running the “free trial” virus scan that came with your computer, you are NOT protected.
2. Scan ALL of your incoming attachments before you open them. The virus code MAY come from someone you know.
3. Enable Windows firewall or better, install a 3^rd party firewall. Run it in the most restrictive settings and allow programs to connect as you need them. Check your documentation for more details. After being infected, the spammer will likely send control signals to a certain Internet port on your machine. Running a firewall decreases the chances of this being successful.
4. Install the Microsoft Malicious Software Removal tool. (http://www.microsoft.com/security/malwareremove/default.mspx) this tool is designed to catch anomalies in your system that virus scan might miss.
5. Ask Delaware.net about spam and virus filtering for your organization’s domain. For only $1 per month per user, you can reduce up to 90% of the spam and virus traffic coming into your domain. Call today!

For more botnet information, follow these links:

Botnet Basics

Botnet Definition

Is the Botnet Battle Already Lost?

Botnet Hunters in Closed-Doors Redmond Summit

Computer Hacking Results In Armed Police Raid (botnet infected)

I found an interesting article today while doing some research on this topic:

There is an old joke I saw once where a ship’s captain needed work on a boiler. He called a boilermaker who went down into the ship’s hold and tapped on the boiler in some different spots with a hammer. He said he was done and presented a bill for $1,000. The captain was upset and demanded an itemized invoice. Here is what he got…

Tapping with hammer: $1.00
Knowing where to tap: $999.00

I think too many of us in this trade are focused on the hammer tapping part (which is the actual coding) and not the part of knowing where to tap (which is the planning, experience, education, etc.)

Now, I would never say this directly to a prospective client but it did give me a chuckle and the fact is, web site development is no longer as simple as it once was. Database driven applications have become more complex and web site visitors expect more than just “cool” graphics. Some development firms are very good at animated Flash as a means to win-over clients and others employ some of the best graphic designers in the world but the fact is, you need it all now, including world-class application developers located in house, not overseas.

Here is another great article related to pricing web site development.

Please design and build me a house. I am not quite sure of what I need, so you should use your discretion. My house should have somewhere between two and forty-five bedrooms. Just make sure the plans are such that the bedrooms can be easily added or deleted. When you bring the blueprints to me, I will make the final decision of what I want. Also, bring me the cost breakdown for each configuration so that I can arbitrarily pick one.Keep in mind that the house I ultimately choose must cost less than the one I am currently living in. Make sure, however, that you correct all the deficiencies that exist in my current house (the floor of my kitchen vibrates when I walk across it, and the walls don’t have nearly enough insulation in them).

As you design, also keep in mind that I want to keep yearly maintenance costs as low as possible. This should mean the incorporation of extra-cost features like aluminum, vinyl, or composite siding. (If you choose not to specify aluminum, be prepared to explain your decision in detail.)

Please take care that modern design practices and the latest materials are used in construction of the house, as I want it to be a showplace for the most up-to-date ideas and methods. Be alerted, however, that kitchen should be designed to accommodate, among other things, my 1952 Gibson refrigerator.

To insure that you are building the correct house for our entire family, make certain that you contact each of our children, and also our in-laws. My mother-in-law will have very strong feelings about how the house should be designed, since she visits us at least once a year.

Make sure that you weigh all of these options carefully and come to the right decision. I, however, retain the right to overrule any choices that you make.

Please don’t bother me with small details right now. Your job is to develop the overall plans for the house: Get the big picture. At this time, for example, it is not appropriate to be choosing the color of the carpet. However, keep in mind that my wife likes blue.

Also, do not worry at this time about acquiring the resources to build the house itself. Your first priority is to develop detailed plans and specifications. Once I approve these plans, however, I would expect the house to be under roof within 48 hours.

While you are designing this house specifically for me, keep in mind that sooner or later I will have to sell it to someone else. It therefore should have appeal to a wide variety of potential buyers.

Please make sure before you finalize the plans that there is a consensus of the population in my area that they like the features this house has. I advise you to run up and look at my neighbor’s house that he constructed last year. We like it a great deal. It has many features that we would also like in our new home, particularly the 75-foot swimming pool. With careful engineering, I believe that you can design this into our new house without impacting the final cost.

Please prepare a complete set of blueprints. It is not necessary at this time to do the real design, since they will be used only for construction bids. Be advised, however, that you will be held accountable for any increase of construction costs as a result of later design changes.

You must be thrilled to be working on as an interesting project as this! To be able to use the latest techniques and materials and to be given such freedom in your designs is something that can’t happen very often.

Contact me as soon as possible with your complete ideas and plans.

PS: My wife has just told me that she disagrees with many of the instructions I’ve given you in this letter. As architect, it is your responsibility to resolve these differences. I have tried in the past and have been unable to accomplish this. If you can’t handle this responsibility, I will have to find another architect.

PPS: Perhaps what I need is not a house at all, but a travel trailer. Please advise me as soon as possible if this is the case.

Most of our clients come to us after dealing with smaller (and usually cheaper) firms that are good at one or two areas of web development and outsource the rest. Delaware.net, Inc. has four teams of true internet professionals in which we pay full medical benefits and 401k retirement.

After 10 years of experience managing hundreds of projects at once and making it profitable to do so, we continue our mission to develop world-class applications and provide unmatched service and support. We have the experience to make your web site not only graphically pleasing but more importantly, useful for web site customers. We have seen MANY small companies come to town, make a splash and vanish over night, leaving their customers feeling stranded. Be very cautious when your web development firm does not own their servers or they work out of a house.

Delaware.net uses time as a measurement for a projects cost, not the budget that a client has or a per-page pricing structure. Price shopping is great when shopping for a new coat but when you are considering a company to manage your data and online marketing, I think you will agree there is something to be said for longevity and experience.

If you would like for Delaware.net, Inc. to submit a proposal for your new web site project, click here and fill-out our free consultation form.

What happens after you request a web site design proposal?

Six years ago Delaware.net, Inc. developed a Customer Relationship Management (CRM) Application called Team-Logic , our business runs on this very robust framework. We continue to add features to all of our applications daily. Once you submit the free web development quote form on our web site, you become a user of Team-Logic which allows you to login and view the progress of your site development and it’s ongoing care right from our web site http://www.delaware.net. Once you are logged-in, you can view/add notes, files, follow-up, history and work requests. All web design and web development proposals include QA/QC, Search Engine Optimization (SEO), free training, 30 days of free maintenance changes that do not increase the scope of the project and unlimited free technical support.

Contact Us Today! 1-888-432-7965

Social Engineering, defined as “the practice of obtaining confidential information by manipulation of legitimate users”, is more common than many realize (Reference.com.) There are many varieties of social engineering attacks. There are direct personal or phone attacks, where the attacker pretends to be someone with proper credentials requesting privileged information, shoulder surfing, where the attacker observes the victim typing in a password or PIN code, dumpster diving (digging through trash for corporate documents), and on line phishing scams such as the “eBay scam” (Granger, 2001.) While much time and effort is spent defending the infrastructure from a technical standpoint, many organizations fail to adequately address this threat. Training in how to deal with a social engineering incident is often limited, or non-existent. Social engineering is often the easiest way for a criminal hacker to gain access to a company’s network.

The reason that social engineering is such a successful vector of attack, is that it exploits tendencies that are common to all human beings. “The average user wants to believe the colleague on the phone and wants to help” (Granger, 2001.) There are certain psychological situations which can be exploited by a hacker using social engineering techniques. One is the diffusion of responsibility. If a user can be made to believe that they will not be held responsible for their actions, they will more willingly give up information. The next is the chance for ingratiation. Most employees will do anything to impress their management, and they do not want to get in the way of their boss or displease

them. Another factor is that most people will try to do what they believe is right. If an attacker can appeal to a victim’s sense of moral duty, the victim will play into the attacker’s trap, giving up information and believing that they are doing the right thing (Brenner, 1997.)

An attack may sound something like this:

Attacker: “Hey, this is Elaine from accounting, I need Peterson’s password.” Helpdesk: “I’m sorry, I can’t give that to you.” Attacker: “Please, this is really really important, if I don’t get this report done Peterson’s going to have me fired.” (appealing to moral duty)

Helpdesk: “How do I know you’re Peterson’s assistant?” (trying to be helpful)

Attacker: “His mothers name is Estelle, and he has a dog named Barney.” (information gained through evesdropping)

Helpdesk: “Ok, it’s ‘bigboy’.”

In this example, the attacker appealed to the helpdesk technician’s sense of moral duty. The helpdesk tech wanted to be helpful and did not want to impede what sounded like important work. Other attacks may be more insidious. There have been numerous document incidents of attackers gaining access to corporate networks by sprinkling media containing trojan horses around the area. In one such attack, a CD-ROM labeled: “2005 Financials & Layoffs” was left in a restroom to be picked up by an employee and inserted in the employee’s computer. When the employee inserted the disc, a trojan was installed on his machine that opened a back door to the entire network. This is known as a “180 degree attack” (Miller, 2005.) These kinds of attacks appeal to a person’s sense of scarcity. People desire knowledge that they are forbidden to have. It is not necessary to breach an security measures by technical means, in this type of attack, as an attacker gains direct access to the network.

There are certain precautions an organization can take to protect itself. The first and most important of these is user education. Every member of an organization must learn how to recognize a social engineering attempt, and must know how to prevent them. Employees must be trained to properly dispose of classified information by shredding or incineration. Policies must be set forth defining what information is deemed to be classified and what the proper procedures are regarding access to classified information. In addition to user education and training, risk can be mitigated by properly segmenting the network, and restricting user access to only the sections required. By doing this, a company can avoid the “180 degree attack” by limiting the resources the compromised workstation has access to.

The best information security posture is a multi-layered defense. Social engineering is a threat that cannot be addressed by throwing technology at it. Only through diligence, training, and awareness, can an organization defend itself against these techniques. Companies that continue to ignore this reality do so at a great financial risk.

Works Cited
Brenner S. (1997). The psychology of social engineering. Retrieved
June 22, 2007, from Web site: www.cybercrimes.net/Property/Hacking/Social%20Engineering/PsychSocEng/PsySocEng.html
Granger S. (2001). Social engineering fundamentals, part I: hacker tactics . Retrieved
July 22, 2007, from Web site: www.securityfocus.com/infocus/1527
Mitnick K. (2001). My first RSA conference . Retrieved
June 22, 2007, from Web site: www.securityfocus.com/news/199
Miller D. (2005). Social engineering; you have been a victim. Retrieved
July 22, 2007, from Web site: www.windowsecurity.com/whitepaper/Social-Engineering-Victim.html