Matthew Steven Kelly

Massachusetts Data Breach Protection Law

February 24

Massachusetts is enacting a data protection law in response to a significant rise in electronic data breaches. The law affects any company that stores personal information of a Massachusetts resident. The four-page law can be read here: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

Companies will be required to develop, implement and maintain a comprehensive information security program that is written and contains administrative, technical and physical safeguards appropriate to safeguard the data.

Every comprehensive information security program shall include:

(1) Administrative Safeguards:

  1. Designating one or more employees to maintain the comprehensive information security program
  2. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations
  3. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information
  4. Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises
  5. Providing ongoing employee training that educates the employees on the proper use of the computer security system and the importance of personal information security.
  6. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

(2) Technical Safeguards:

  1. Preventing terminated employees from accessing records containing personal information
  2. Providing means for detecting and preventing security system failures by regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks
  3. Implementing secure user authentication protocols including:
    (a) control of user IDs and other identifiers;
    (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
    (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
    (d) restricting access to active users and active user accounts only; and
    (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
  4. Implementing secure access control measures that:
    (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
    (b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
  5. Encryption of all:
    (a) Transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
    (b) Personal information stored on laptops or other portable devices;
  6. On any system that is connected to the Internet and contains files with personal information on them:
    (a) Keeping reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information
    (b) Keeping reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(3) Physical Safeguards:

  1. Providing reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

Definitions used in the law:

  • Breach of security: the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
  • Electronic: relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.
  • Encrypted: the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
  • Owns or licenses: receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.
  • Person: a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.
  • Personal information: a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
  • Record or Records: any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
  • Service provider: any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.

Compliance Deadline:

  • Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

IT Security Staff

October 20

This was a very interesting article I came across: http://technet.microsoft.com/en-us/library/ee672311.aspx

It was part of Microsoft's Security Newsletter, which always seems to have something interesting: http://technet.microsoft.com/en-us/dd162324.aspx

Blocking domain masking

June 9

Any website on the internet can be subject to domain masking.

And every website should be set up to prevent it. For example, for some odd reason the site http://www.xsjl.cn/ is set up to mask my website. I have absolutely no idea why, but if you go to http://www.xsjl.cn/ in the browser it takes you to my site, but keeps http://www.xsjl.cn/ in the URL path. So to stop it I added the following PHP code to the top of my pages.

<?php
// Reduce the Host header to its last two labels (e.g. www.example.com -> example.com)
$domain = preg_replace("/^(.*\.)?([^.]*\..*)$/", "$2", $_SERVER['HTTP_HOST']);
if ($domain != "matthewstevenkelly.com")
{
    // The Host header is attacker-controlled, so escape it before echoing it into HTML
    $safe = htmlspecialchars($domain, ENT_QUOTES, 'UTF-8');
    echo "<html><head><title>Error domain: ".$safe." is invalid!</title></head><body>Error domain: ".$safe." is invalid!<br><br><a href=\"http://who.godaddy.com/whoischeck.aspx?Domain=".urlencode($domain)."\">http://who.godaddy.com/whoischeck.aspx?Domain=".$safe."</a></body></html>";
    exit;
}
?>
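As an added example (my code, not the post's own), here is a fuller version of the same idea. It normalises the Host header before comparing it (port stripped, case folded, leading labels such as www. dropped), escapes the header before showing it, and also sends the response headers that make browsers refuse to render the site inside a frame on another domain, which is how registrar "masked forwarding" usually works. The Host check only catches a masker that proxies requests through to your server; when the other site simply loads yours in a frame, the browser sends your real Host header, and only the frame headers help. The canonical hostname is the post's own domain; the function names and the 421 status choice are my assumptions.

```php
<?php
// Added example, not the original post's code. Two defences against domain masking:
// (1) a canonical-host check on the Host header, with the header escaped before it is
//     echoed (it is attacker-controlled); (2) response headers that make browsers refuse
//     to render this site inside a frame on another domain (frame-based masking).
// Only the hostname below comes from the post; everything else is assumed.
const CANONICAL_HOST = 'matthewstevenkelly.com';

// Reduce a Host header value to its last two labels: strip any :port, lower-case it,
// and drop leading labels such as "www.". Returns '' for a malformed value.
function registrableHost(string $httpHost): string
{
    $host = strtolower(explode(':', $httpHost, 2)[0]);
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return '';
    }
    $labels = explode('.', trim($host, '.'));
    if (count($labels) < 2) {
        return '';
    }
    return implode('.', array_slice($labels, -2));
}

function isCanonicalHost(string $httpHost): bool
{
    return registrableHost($httpHost) === CANONICAL_HOST;
}

// Request-time part; skipped when the file is run from the command line.
if (PHP_SAPI !== 'cli') {
    // Both headers say the same thing: do not display this page inside any frame.
    header('X-Frame-Options: DENY');
    header("Content-Security-Policy: frame-ancestors 'none'");

    $host = $_SERVER['HTTP_HOST'] ?? '';
    if (!isCanonicalHost($host)) {
        http_response_code(421);   // Misdirected Request: this server does not serve that host
        $shown = htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
        echo "<!DOCTYPE html><title>Invalid host</title><p>Host {$shown} is not served here.</p>";
        exit;
    }
}
```

Include the file at the top of every page (or via auto_prepend_file) so the headers are sent before any output. Note that registrableHost keeps only the last two labels, so a domain under a two-part public suffix such as co.uk would need the allow-list adjusted.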

What goes online stays online

May 21

It seems that every day we are finding more and more that what goes online, stays online, whether you delete it or not. An interesting read on CNN today about digital images not going away after being deleted: http://scitech.blogs.cnn.com/2009/05/21/study-photos-stay-online-after-you-delete-them/

That intrigued me enough to look into how content management sites are handling deleted content.

Twitter

http://www.cio.com/article/print/493009

“However, by using Twitter’s Advanced search facility, all posts (whether they have been deleted or not) can be found, meaning that thousands of Twitter users can still get hold of Ross’s personal email address.”

Social networking sites in general

http://www.bbc.co.uk/blogs/technology/2009/05/your_photos_stuck_in_the_cloud.html

Every site served the test image given knowledge of its URL except for Windows Lives Spaces, whose photo servers required session cookies (a refreshing congratulations to Microsoft for beating the competition in security). We ran our initial study for 30 days, and posted the results below. A dismal 5 of the 16 sites failed to revoke photos after 30 days:

Facebook

Here is a picture of my dog from Facebook. All of my privacy settings are set to friends only:

[image: my dog]

I wonder if it is because the privacy setting is only for “Photos tagged of You” not “Photos you upload” (see my settings below).

Even better, on albums where the privacy setting is set to “Only Friends” they provide a link for public access. If you go to the link you can see the images, even if you are not a friend.

The moral of the story is only upload pictures of your pets or other images you don’t mind the world seeing!

Antivirus Software

April 14

As I have recently worked on two computers with multiple viruses (one literally reported 177 viruses found, the other only a mere 14), I wanted to make a note about anti-virus software. These two different relatives of mine both had computers that were unusable, and asked for help to make it so their computers did not run so slow when they tried to use them. Were they ever surprised by the amount of viruses I found!

My anti-virus software program of choice is AVG Free Anti-Virus. Mostly because while it is FREE, it is still very good. I used Symantec Anti-Virus (Version 10) for a long period of time but had real problems with its sluggishness and responsiveness on my computer. It was OK (not great) when my laptop was XP, but then when I switched to Vista, it was a resource hog that noticeably slowed my computer down.

I think of AVG Free like I do Google Chrome. Fast, efficient, and loads quickly. I find those things important.

At any rate, if you do not have an anti-virus program on your computer right now, at least download AVG FREE and do a computer scan. You might be surprised by what you find.

What to do if you find out you have a virus:

  1. This may be a given, especially if you already know you have a virus, but make sure you have UP TO DATE ANTI-VIRUS software running on your PC. A lot of users think they have up to date anti-virus software, but really they only have the 6 month trial version of Symantec or McAfee, which while it runs after the 6 month period, offers you zero protection.
  2. Make sure to change all passwords you use on the web (of course only after the virus is removed). A common virus users have is a Trojan Horse which can log what passwords you enter and where you entered them and send that information back to a hacker.
  3. Make sure Windows has all of the latest updates. Go to http://update.microsoft.com/ (in Internet Explorer only, unfortunately) until it tells you that you have no more updates to download and install. You should also set up Windows to update nightly on its own. That can be done with the Microsoft Security Center. While you are there, make sure the Windows Firewall is turned on (if you are not using a commercial firewall product). Make sure other programs you use, such as your web browser, email client (if not using web mail), etc. are also up to date. Many viruses exploit flaws in web browsers and email clients as those are typically much easier to break than Windows itself.
  4. Stop doing things that help cause viruses, such as going to shady internet sites, opening email attachments from unknown sources, or downloading files. If you are using a program like Limewire or Bearshare… STOP. Not only are you probably downloading illegal files with those programs; programs like Limewire load tons of adware on your PC, not to mention the likelihood that files you download could have viruses in them. Oh, and the possibility of six figure fines, but I digress.
  5. Other than that… don’t panic. You can get a virus by just being connected to the internet. The most important thing to do is keep your computer up to date and protected. Happy internet-ing!


posted under Random | No Comments »

Processing Credit Cards Online

February 8

If you are a company that will be (or currently is) accepting credit cards online I hope you are aware of the security requirements that your company is required by law to implement. All Internet merchants – not just large companies – are required to be compliant with the Payment Card Industry (PCI) cardholder data security requirements. A company that is not compliant can have large fines imposed against them or worse – lose the ability to process any credit cards.

For the small business owner, it does take some work to ensure PCI compliance, and it should be noted that unless specifically stated, shared hosting accounts are NOT PCI compliant. Typically shared hosting providers offer a way to become compliant; GoDaddy, for example, whose shared hosting sites are not PCI compliant unless you add on their E-Commerce and Shopping Cart Software. As of this post, their service agreements state that their hosting is NOT PCI compliant: “The Services are not intended to provide a PCI (Payment Card Industry) compliant environment and therefore should not be considered as one.” Even their dedicated hosting servers are the same way: “The Dedicated Services are not intended to provide a PCI (Payment Card Industry) compliant environment and therefore should not be considered as one.”

The basic qualifications of PCI compliance are detailed here, and as follows:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

There is a self assessment questionnaire available at the PCI website. All internet merchants will most likely qualify as option D. Take a read through the requirements. The form gives you step by step instructions on what needs to be done to ensure compliance.

It may also help to have a third party verify your PCI compliance status. This not only gives your visitors peace of mind, it can give you peace of mind as well, ensuring your site is always compliant. For as little as $79 a year Comodo offers PCI compliance testing. Two other well-known services available are ControlScan and McAfee (previously ScanAlert).

Depending on your volume of business, these scans can be required by the major credit card companies.


HTTPS Apache Redirect using mod_rewrite

February 6

This site has a few sections that need to be secure when data is transmitted between the server and local computer. I implement an SSL certificate to accomplish this encryption. However, the issue arose as to how I ensured every time someone visited those pages they were using SSL. If I forgot even a single link to those pages and left the link as http:// instead of https:// users would get to the page unsecured. Additionally a user could always simply manually enter the URL into their web browser’s address bar without the https:// as well. The solution of course is for the web server to detect if the user is viewing the secured page with http:// and redirect them to https:// if they are.

Server Requirements:

  1. Apache web server
  2. Uncomment the mod_rewrite LoadModule call (LoadModule rewrite_module modules/mod_rewrite.so) in the httpd.conf file
  3. Make sure AllowOverride is set to “All” instead of “None” in the Directory section of the httpd.conf file

Since this site is powered using Apache web server I can perform this switch over using mod_rewrite and the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
# Only act on requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Send the client to the same host and path over https:// as a permanent redirect,
# and stop processing further rules ([L])
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

All you need to do is create a file called “.htaccess” with the above contents and put it in the directory of your web server you need to switch to SSL (remember that your server must first be configured to use SSL). This is a great feature for webstores, etc. Simply create a directory called “secure”, place all of your web store files in that directory along with the above .htaccess file and you have just ensured your web store is always using encrypted HTTPS communication. The alternative, trying to manage every link into the web store pages, is a nightmare (I’ve done it before).

Take note that since Windows will not allow a file without a name stored on your hard drive, you will need to name the file “htaccess.txt” locally and then rename it after uploading it to the web server using the FTP program used during upload.
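As an added example (mine, not the post's own .htaccess), here is the complete file I would put in that "secure" directory today: the same redirect, plus a Strict-Transport-Security header so that a browser that has visited once will use https:// on its own and never make the plain http:// request the redirect exists to catch. It assumes mod_rewrite and mod_headers are both loaded and AllowOverride All is set as described above.

```apache
# Added example, not the post's own file. Assumes mod_rewrite and mod_headers are loaded.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Plain-HTTP request: redirect permanently to the same host and path over TLS
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
    # Only on TLS responses (the HTTPS env var is set by mod_ssl): tell the browser to
    # use https:// for this host for the next year, so the redirect above is only ever
    # needed on the very first visit.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

Start with a short max-age while you confirm that every path under the directory really works over HTTPS; once a browser has seen the header it will refuse plain http:// for that host until the age expires.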


PHP Input Validation

February 4

Any time a user inputs data to your site the input should be validated to ensure it cannot cause any harm to the system. The obvious characters that cause problems are double and single quotes, which are used in injection attacks to trick the server into executing malicious code. However, there are many other special characters and situations that can cause problems. This is especially important when taking input data and storing it in a database, emailing it off, etc.

PHP has built-in functions to handle these tasks, including preg_replace and substr. I created some functions below that I use for field validation:

They can be called like this:

<?php
// The filter functions are defined further down in this post; keep them in the same file
echo trimLength('This is a long string that needs to be cut down to ten characters', 10);
echo '<br>';
// Single-quoted so that "$bad" is a literal and not interpolated as a PHP variable
echo filterText('This @is$ t%ex&t w*ith $bad character*()@\'s that need filtered');
echo '<br>';
echo filterNumeric('1234ABCD');
echo '<br>';
echo filterEmail('fake\'s_email@^liar.com');
echo '<br>';
?>

substr is used to trim the length of text as below. This is especially useful when inserting data into database fields such as varchar that have limited character lengths.

// Cut $data down to at most $len bytes (use mb_substr instead for multi-byte text)
function trimLength($data, $len)
{
    if (strlen($data) > $len)
    {
        $data = substr($data, 0, $len);
    }
    return $data;
}

For the rest of my filtering, I always use regular expressions to filter out bad characters. I do this because regular expressions let you filter by specifying which characters you allow, not which characters you want to reject. This is an important distinction: there are so many different character sets and special characters that if you only remove known bad characters, instead of excluding everything that is not explicitly allowed, you open yourself up to faulty characters entering the system. If you are currently using str_replace to remove apostrophes and quotes, consider upgrading to regular expressions.

This text filtering allows for periods, commas and spaces to be used in the text:

// Keep only letters, digits, periods, commas and whitespace; everything else is dropped
function filterText($data)
{
    return preg_replace("/[^A-Za-z0-9.,\s]/", "", $data);
}

Only numbers are returned with this function:

// Keep only the digits 0-9
function filterNumeric($data)
{
    return preg_replace("/[^0-9]/", "", $data);
}

When you need to filter a URL, different special characters such as ?, % and / are to be allowed:

// Keep letters, digits and the punctuation that legitimately appears in a URL
function filterURL($data)
{
    return preg_replace("/[^A-Za-z0-9:_\%\-.\/\?,+]/", "", $data);
}

This email filtering function doesn't just filter the characters in the email address, it also validates that it is in username@domain.domaintype format:

// Strip disallowed characters from each half and require the username@domain.tld shape
function filterEmail($data)
{
    $parts = explode("@", $data, 2);
    if (count($parts) != 2)
    {
        return "";   // no @ in the input at all
    }
    list($username, $domain) = $parts;
    $username = preg_replace("/[^a-z0-9._-]+/i", "", $username);
    $domain = preg_replace("/[^a-z0-9._-]+/i", "", $domain);
    // strpos returns false when there is no dot and 0 when the domain starts with one; reject both
    if ($username == "" || $domain == "" || !strpos($domain, "."))
    {
        return "";
    }
    else
    {
        return $username . "@" . $domain;
    }
}
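As an added example (my code, not the post's functions), here is how I would pair the allow-list approach with the PHP facilities that actually neutralise the three destinations the post mentions: a parameter-bound database insert (so quotes never need stripping to be safe), a CR/LF strip for anything that becomes a mail header, and escaping at HTML output time. It also extends the allow-list filter to non-ASCII letters and trims by characters rather than bytes. It assumes PHP 7 or later with the mbstring and pdo_sqlite extensions; the function names and the sample inputs are mine.

```php
<?php
// Added example, not code from the original post. Keeps the post's allow-list idea but
// pairs it with the PHP facilities for the contexts the post mentions (database inserts,
// outgoing email, HTML output). Assumes PHP 7+, mbstring and pdo_sqlite.

// Allow-list text filter that also accepts non-ASCII letters (u = UTF-8 mode) and trims
// by characters rather than bytes, so a multi-byte character is never cut in half.
function filterTextUtf8(string $data, int $maxLen = 255): string
{
    $clean = preg_replace('/[^\p{L}\p{N}.,\s]/u', '', $data);
    if ($clean === null) {           // invalid UTF-8 input: refuse it outright
        return '';
    }
    return mb_substr($clean, 0, $maxLen);
}

// Email: let PHP's validator decide instead of a hand-written regex. Malformed input
// such as "fake's_email@^liar.com" is rejected rather than silently repaired.
function validateEmail(string $data): string
{
    $email = trim($data);
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? '' : $email;
}

// Anything placed in a mail header must not contain CR, LF or NUL; otherwise the person
// submitting the form can append headers of their own (extra recipients, Bcc:).
function mailHeaderValue(string $value): string
{
    return str_replace(["\r", "\n", "\0"], '', $value);
}

// Database: bind values instead of stripping quotes. The quote and the SQL-looking text in
// the sample comment are stored as plain data and never reach the query parser.
function insertComment(PDO $db, string $name, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);
    return (int) $db->lastInsertId();
}

// HTML output: escape when rendering, so stored text cannot turn into markup or script.
function htmlSafe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo on constructed input against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');

$id  = insertComment($db, "O'Brien", "nice post'); DROP TABLE comments; --");
$row = $db->query('SELECT name, comment FROM comments WHERE id = ' . (int) $id)
          ->fetch(PDO::FETCH_ASSOC);
echo htmlSafe($row['name']), ': ', htmlSafe($row['comment']), "\n";   // table intact, text verbatim

echo filterTextUtf8('Zoë @is$ t%ex&t w*ith bad character*()@\'s', 12), "\n";
echo validateEmail('fake\'s_email@^liar.com') === '' ? "email rejected\n" : "email accepted\n";
echo mailHeaderValue("victim@example.com\r\nBcc: someone-else@example.net"), "\n";
```

The division of labour matters: the allow-list filter is for fields whose content genuinely should be restricted (a name, a postcode), while the database, mail and HTML helpers are what keep a quote, a newline or an angle bracket from changing meaning in the place the data ends up.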