Let’s Talk about Security

News, News & Updates

This morning, Burlington Electric Department announced that they’ve disabled their online bill pay system, citing security flaws in how they store customer passwords.  They will be working to update their systems to meet modern security standards, and to put outside auditing procedures in place, before reinstating the system.

The unexpected cost of this sort of rewrite and audit is extremely taxing even to the largest businesses, and can be fatal to small ones.  Some businesses might even face hefty fines from credit card processors if flaws like this are discovered.  Furthermore, since over 55% of users reuse the same username and password on all their accounts, any leak could lead to major monetary losses for your users.  Finally, there is a potentially greater loss from customers losing faith in you once such flaws come to light.

For these reasons, it’s crucial that strong, easily upgraded security systems be put in place from day one, to prevent unexpected costs in the future.

Here at Burlington Bytes, security is an everyday concern, but to most people it’s a bit of a mystery. We decided it was a good time to clear the air, and give you all a primer on basic password security from the developer’s side.

Wait, I Just Check a Password, Right?

In the earliest days of internet security, the process basically involved three steps: you’d store a password for each user in your database, check it when they tried to log in, and, if it matched, put a cookie on their system that stored the password, so later pages could authenticate automatically.  This is, in essence, what Burlington Electric’s system did.

It seems secure on the surface, but storing passwords to check against means that there is a list of user passwords somewhere that someone has access to.  That someone could be your Database Administrator, or it could be a hacker who has gained system or database access.  In either case, if that list gets out, you have a serious problem on your hands.

Also, storing user passwords in a cookie leaves the user’s account open to attack from viruses on their own system.
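As an added example (not code from the original post or from Burlington Electric’s system), here is the alternative to putting the password in the cookie: after a successful login the server issues a random session token, keeps only a hash of that token with an expiry, and the cookie carries the token alone. The in-memory session table, the 30-minute lifetime and the function names are assumptions made for this illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory session store: sha256(token) -> (username, expires_at).
# Only the hash of the token is kept server-side, so a copy of this table
# does not let anyone forge a valid cookie.
SESSIONS = {}
SESSION_LIFETIME = 30 * 60  # seconds; assumed value for this example


def _token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(username, now=None):
    """Create a session after the password check has already succeeded.

    Returns the random token to place in the cookie.  The password itself is
    never written to the cookie or to the session table.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS random source
    SESSIONS[_token_digest(token)] = (username, now + SESSION_LIFETIME)
    return token


def session_user(token, now=None):
    """Return the username for a valid, unexpired cookie token, or None."""
    now = time.time() if now is None else now
    digest = _token_digest(token)
    entry = SESSIONS.get(digest)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(digest, None)  # lazy cleanup of an expired session
        return None
    return username


def revoke_session(token):
    """Log out: invalidate the token server-side; returns True if it existed."""
    return SESSIONS.pop(_token_digest(token), None) is not None


if __name__ == "__main__":
    cookie = issue_session("alice")
    print("cookie value:", cookie)
    print("resolves to:", session_user(cookie))
    revoke_session(cookie)
    print("after logout:", session_user(cookie))
```

Because the server stores a hash of the token, even a database administrator who reads the session table cannot reuse a live session, and revoking a token is a single delete rather than a password change.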

So... Can’t I Just Encrypt My Database?

As it became clear that this method was insecure, some businesses began encrypting passwords in their database and decrypting them to check.  Unfortunately, this is only a stopgap solution, as someone (or some system) still has access to the encryption key, and either obtaining the key or brute-forcing the system would still yield the same list of usernames and passwords as the original process of just storing passwords.

Ok, then what about these Hash things?

Hashes are at the core of how modern website security works.  A hash is a number produced by a Hash Algorithm.  Hash Algorithms are amazingly complex and hard to explain, but the basic result is this:

  • Any data (e.g. a password) fed to a hash algorithm will produce a statistically unique hash value.
  • However, the original data cannot be calculated from the hash.

Put simply, hashing is a one-way process.

Once plain-text passwords and encrypted passwords were shown to be unacceptably weak, hashing passwords came into prominence, with one of the most common algorithms being the MD5 Hash.  Websites would store the MD5 of a password in the database, and just take the MD5 of any password entered by the user, and compare them.  This seemed fairly secure, but had two major flaws.

The first flaw was that MD5 hashes (along with several other popular hash algorithms, like SHA-1) were proven to be vulnerable to attack.  Once an attacker knew the MD5 hash, they could reverse it in minutes, providing a password that would work on the system (even if it wasn’t the same password the user originally created).

To combat this weakness, security experts began using more secure hash algorithms like SHA-256.  However, as computing power continues to grow, and more discoveries are made in computer security, more hashing functions are certain to become insecure.  That is one of the core principles for good security: all security must be regularly assessed and upgraded.

The second flaw was that some passwords are fairly common (given a large enough pool of users), and if two users had the same password (hunter2, for example), the hashes stored in the database will be identical.  So, if you can gain access to the database of hashes, you can access multiple accounts by reversing one hash.  With common hash functions like MD5, attackers create and share massive databases of common passwords and their hashes, called rainbow tables.  These tables can make reversing common hashed passwords instantaneous.

Ok, SALTING?  Now you’re just making up words.

To address the issue of these rainbow tables, a new process was created, called Salting the Hash.  It’s actually pretty simple.  When a user chooses a password, like Hunter2, the system creates a unique, long random number, called a Salt.  This salt is stored with the username in the database.  Before hashing the password, the system adds the salt to the end, ensuring that no two identical pieces of data are entered into the hashing function.  This means that User A and User B might both have the password Hunter2, but User A’s salted password is Hunter28543098639, and User B’s salted password is Hunter25374628950.  As a result, User A’s salted hash is a5d98b44e49f0937581bb38b76598fdf9663f1fef6d1bf6bbe003c60d57b3994, and User B’s salted hash is 2d168ab0e6c931b113e181fa44a9b96e1569f92fae81ebb4a356c81c9103ea7c.  Neither of these is likely to appear in a precomputed table of hashes, and reversing one hash will not help an attacker reverse the other.
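An added example, not code from the original post, covering both the "second flaw" above (identical passwords produce identical unsalted hashes) and the salted fix. Where the post describes SHA-256 over password-plus-salt, this version mixes the per-user salt into PBKDF2-HMAC-SHA256, a salted and deliberately slow variant, in the spirit of the post’s own advice that hash functions be upgraded as computing power grows; that choice, the iteration count, the 16-byte salt and the function names are assumptions of this illustration, and the `users` dictionary stands in for the database table.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def unsalted_hash(password):
    """The flawed scheme: plain SHA-256 of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_salt():
    """Fresh random salt for each user, from the OS random source."""
    return secrets.token_bytes(SALT_BYTES)


def salted_hash(password, salt):
    """Per-user salt mixed into an iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(users, username, password):
    """Store only the salt and the salted hash; the password itself is never stored."""
    salt = new_salt()
    users[username] = {"salt": salt, "hash": salted_hash(password, salt)}


def verify(users, username, password):
    """Recompute the salted hash for this user and compare in constant time."""
    record = users.get(username)
    if record is None:
        # Burn the same work for unknown usernames so response time does
        # not reveal which accounts exist.
        salted_hash(password, b"\x00" * SALT_BYTES)
        return False
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def demo():
    """Two users pick the same password; show what each scheme stores."""
    users = {}
    register(users, "user_a", "Hunter2")
    register(users, "user_b", "Hunter2")
    return {
        "unsalted_equal": unsalted_hash("Hunter2") == unsalted_hash("Hunter2"),
        "salted_equal": users["user_a"]["hash"] == users["user_b"]["hash"],
        "a_correct_password": verify(users, "user_a", "Hunter2"),
        "a_wrong_case": verify(users, "user_a", "hunter2"),
        "unknown_user": verify(users, "nobody", "Hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `unsalted_equal` result is the rainbow-table problem in one line: every user who chose Hunter2 shares a hash, so cracking one cracks all of them. With per-user salts the two stored hashes differ even though the passwords are identical, and a leaked table of salts and hashes forces the attacker to start over for each account.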

I know OAUTH isn’t a real word.  I took English in School…

If you’ve ever seen websites offering “Connect with Facebook” or “Login with Google”, you’ve come across a new option for login security, called OAUTH.  OAUTH uses a known good service, such as Facebook or Google, to handle all the password and identity verification for you.

For low-risk websites like forums or sites that allow commenting, it can be a fast way to skip a lot of the problems intrinsic to security, but it comes at a cost.  In an OAUTH system, your service is only as secure as your users’ Facebook or Gmail passwords, and those services are often subject to a much greater number of attackers than most businesses.

Instead of delegating all login tasks to a third party, many new sites are now simply using a third party to verify logins, with two-factor authentication.

Ok then, Smart Guy, What the Heck is Two Factor Authentication?

Despite proper salting and hashing, ensuring strong passwords, and even changing them regularly, it is still very possible for an attacker to gain access to your users’ passwords.  After all, a password is only a set of numbers, letters, and symbols.  It might be used on an insecure site, or written down somewhere, or sniffed from an insecure wifi connection, or captured by a keylogger or virus on the user’s computer, or one of a million other ways, but unfortunately, it is possible for an attacker to obtain it.  Two Factor Authentication is an optional method of improving login security by using a third-party trusted service and a trusted device, like your user’s smartphone.

With a two-factor system like Authy in place, when an enabled user enters their username and password, they get a notification on their phone, asking if they want to log in, and providing them with a one-time, time-limited token that they enter on their computer (or a prompt to just allow the connection).  Most people are familiar with a simplified form of two-factor used in “forgot my password” forms, where they email a one-time link to you.  This is simply an evolution of that process to leverage a device that is in your users’ pockets all day, and is a little harder to gain access to.
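The one-time, time-limited token described above is, in most such services, a TOTP code (RFC 6238, built on the HOTP construction of RFC 4226). The following is an added example, not code from the original post or from Authy: it generates the code from a shared secret and the clock, and verifies a user-entered code server-side with two checks a practitioner wants: a one-step drift window for clocks that are slightly off, and rejection of any code at or before the last accepted step, so a code copied from the user’s screen cannot be replayed. The secret shown is the published RFC test-vector key; the verifier class and its names are assumptions of this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30    # seconds per code, the RFC 6238 default
DIGITS = 6
DRIFT_STEPS = 1   # accept the previous and next step to tolerate clock skew


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, int(unix_time) // step, digits)


def secret_from_base32(encoded):
    """Shared secrets are usually handed to the user as base32 (e.g. in a QR code)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check of a user-entered code.

    Remembers the last accepted time step per user, so a captured code
    cannot be replayed even inside the drift window.
    """

    def __init__(self):
        self.last_step = {}  # username -> last accepted step

    def verify(self, username, secret, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // TIME_STEP
        for skew in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            step = current + skew
            if step <= self.last_step.get(username, -1):
                continue  # already used (or older) step: never accept again
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_step[username] = step
                return True
        return False


# Constructed example: the RFC 4226/6238 test-vector key "12345678901234567890",
# shown in the base32 form an authenticator app would import.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(EXAMPLE_SECRET_B32)
    code = totp(secret, time.time())
    print("current code:", code)
    print("accepted:", TotpVerifier().verify("alice", secret, code))
```

The code the phone shows and the code the server expects are computed independently from the same secret and the same clock, which is why nothing secret has to travel over the network at login time; the server's job is only to compare, in constant time, and to refuse reuse.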

Unfortunately, as not all users have smartphones, Two Factor is not yet a universal security requirement, but rather an option to improve security for tech-savvy users.

Ok, I’m confused and annoyed, but I think I get it.  Is that everything?

Unfortunately, safely checking a user’s credentials is only the very tip of the iceberg when it comes to building a secure system.  Developers need to deal with Cookie-hijacking, Session Persistence, Token invalidation, SSL Forgery, MITM attacks, Cross-site scripting attacks, Brute Force attacks, PCI Compliance, Social Engineering, SQL-Injection, Remote Execution, File Inclusion Vulnerabilities, (D)DOS attacks, and thousands of other issues in the ever-changing landscape of Information Security.

As a small business, attempting to create a secure system on your own is a risk you don’t want to carry.  That’s why we keep security in the forefront of our work here at Burlington Bytes.  Contact us, if you’d like to put our expertise to work, protecting your customers.

Google Webmaster Tools – Fix Mobile Usability Issues

News & Updates

If you have Google Webmaster Tools configured on your non-responsive site, you’ve probably received the following email:

Fix mobile usability issues found on http://your-domain.com

This email is related to Google’s upcoming algorithm change, which is rolling out starting on April 21.  We all know that more and more users are browsing the internet on their mobile devices, and this algorithm aims to make sure that Google is showing these users websites that are optimized for their devices.  Google has stated that this is a yes/no signal: your site will either be seen as mobile-friendly, or not.  Sites that are not mobile-friendly will no longer show up on mobile devices. Take a moment and run your website through Google’s Mobile-Friendly Test.

If your result says “Not mobile-friendly”, you should take immediate steps to ensure you’ll be listed in mobile Google results after April 21.

Contact us today!
802-472-1174

Need help making your website mobile-friendly? We can help!

Google Algorithm Update

News, News & Updates

Yesterday Google released more information regarding the search algorithm update they have been discussing for the past couple of months pertaining to mobile search traffic.  As part of this release there are two key changes.

1)  The most critical update, to be introduced on April 21st, uses mobile-friendliness as a ranking factor when displaying results on mobile phones.  This follows the recent trend that places increasing importance on usability for mobile devices.  As of May 2014, mobile device usage exceeded traditional desktop/laptop usage for the first time.

Mobile traffic stats:

  • Global mobile data traffic grew 69% in 2014.
  • 70% of time spent on social networks is done on mobile platforms (up 55% in one year).
  • Facebook drives 24% of all mobile traffic.
  • 35% of all organic search traffic is conducted through Android, iPhones, or a tablet.
  • 60% of all online traffic is now on mobile. This number is driven in large part by mobile apps such as Pandora, Facebook, and Twitter.

(Image: Share_US_Digital_data_platforms)

With mobile traffic growing at such an aggressive rate, there is a sense of urgency to ensure your website can maintain its rankings.  If you are unsure whether Google views your website as mobile friendly, visit this tool they are providing, which will scan your site and report the issues it finds:

https://www.google.com/webmasters/tools/mobile-friendly/

If you do not have a mobile friendly website, contact your website provider or a trusted web developer to inquire about getting mobile optimized.

2)  The other update that Google has announced, which goes into place immediately, is incorporating indexed apps to help dictate search results.  From Google’s announcement:

“Starting today, we will begin to use information from indexed apps as a factor in ranking for signed-in users who have the app installed. As a result, we may now surface content from indexed apps more prominently in search”.

The full effects of this change remain to be seen, but it again solidifies Google’s shift toward mobile usability and pertinent content.

Contact the Burlington Bytes team for any questions or help on becoming mobile friendly, (802) 472-1174 or pete@burlingtonbytes.com.

Update your website before the holiday rush

News & Updates

The holiday shopping season is fast approaching and we all know that customers are going to be hitting their favorite retailers in droves in the coming weeks. Does your website need some tweaks in preparation? Contact us!

Here are some of the ways we can help with that:

  • Optimize your website with a mobile friendly version
  • Turn on advertising and get a $200 AdWords credit
  • Improve your rankings with SEO link building
  • Update your holiday hours of operation
  • Create “Holiday Focused” content on your landing pages and social media platforms
  • Highlight new brands or sales

Get the most out of your website this holiday season. If you have any questions or want to know more about what we do, please give us a call at (802) 472-1174.

We look forward to hearing from you!

We say “Goodbye and Good Luck” to our previous Copywriter and Social Media Strategist, Amanda Shepherd and welcome a new member to the team!

News & Updates, Uncategorized

A few weeks ago, Amanda accepted a position as Web Developer at Vermont Public Radio and we couldn’t be happier for her. Her attitude and dedication to the profession have contributed to where she is today. She played an important part on our team and we will miss having her around. We hope she’ll still make it to our Christmas Party next month.

We hoped to fill Amanda’s shoes with someone who possessed a friendly demeanor, tenacious work ethic and valuable skill set. After searching and searching for the perfect candidate, hoping to find the best woman for the job, we found who we were looking for.

We welcomed Emily Bellmore to join the Burlington Bytes team on November 10th. Emily, or “Boo” as some of her friends and colleagues call her, lives here in Burlington and has for fourteen years. She received her Public Relations degree from Champlain College in 2007. It was then that she decided the great state of Vermont was going to become her permanent home. After graduation she landed a job at American Flatbread Burlington Hearth. As she moved from host to server, manager to bartender, she realized a perfect opportunity to utilize her degree. In 2010, she designed a Social Media Coordinator position aimed at streamlining the restaurant’s marketing strategies. Since its inception, she has been responsible for planning events, community outreach and managing various social media platforms.

Emily currently serves as a mentor for the Boys and Girls Club, and has been with the same mentee for almost seven years. In her free time, she loves to travel, go hiking, biking and when it is not summer or fall, bowling in a local league.

We’re thrilled to have a new member join our team here at Burlington Bytes. We believe Emily will help our customers grow on all social platforms while maintaining a voice that is fun, motivating and exciting. We think “Boo” has what it takes not only to work with a bunch of guys (no really, the ratio is 4:1), but also to bring a funny, fresh and meaningful attitude that will vibe great with our clients, goals, and workplace.

Welcome to the team!

Come Play with our Robot at Tech Jam and Enter to Win an iPad!

Events, News & Updates

If you’re going to the Tech Jam this Friday and Saturday (Oct 24th & 25th) stop by our booth to play with the robot that one of our developers created and shoot nerf arrows at action figures.

As if you need more incentive than that; take a photo of yourself playing with the robot, upload it to the social media platform of your choice, and use the hashtags #TECHJAMHUNT and #KILLERADVERTISING. Be sure to tag @BurlingtonBytes and if you complete the scavenger hunt throughout Tech Jam, you’ll be entered to win an iPad.

While you’re at our booth, why not chat about how we can help get your business more leads and customers through an amazing website and targeted advertising? Just saying…

See you at Tech Jam on Friday and Saturday at Memorial Auditorium. Admission is FREE!

Facebook Giveaway

Events, News & Updates

Let’s be friends! Be sure to like our page on Facebook if you don’t already and enter below to win an awesome Chromecast. Contest ends October 31st. Good luck!

Enter to Win a Free Chromecast!

By entering our Facebook Giveaway, you are also signing up for monthly newsletters from Burlington Bytes. You can unsubscribe at any time. This contest is not affiliated with Facebook in any way.

WordPress 4.0: What You Need to Know

News, News & Updates

Last week, WordPress launched Version 4.0 named “Benny,” in honor of jazz musician Benny Goodman. The new version boasts easier content management, video integration, and more.

First things first: Do you need to worry about upgrading your site? If you’re one of our clients, the answer is no. We’ve already updated all of our sites and worked out any kinks that came up along the way. If you’re not already on our hosting plan, learn more about it here. If you need instructions on updating your own site to WordPress 4.0, click here.

Once you’ve updated to WordPress 4.0, enjoy smoother content creation with a new details preview for all media items and an upgraded text editor that expands to fit your content as you write. Embedding videos and tweets into posts is now as easy as copying and pasting the URL into the editor. WordPress 4.0’s new feature instantly embeds it into your post or page, saving you time and energy.

We’ve all battled with finding the right plugin amongst the over 30,000 options in the WordPress plugin directory. But battle no more: in WordPress 4.0, they’ve improved the search capability, added new metrics, and made the plugin directory experience much more visual.

Have questions about WordPress 4.0? Send us an email or write on our Facebook Wall. Our developers are happy to help!

Use Google Callout Extensions to Maximize Leads

News & Updates

Google ad extensions are a powerful tool that keeps getting better.

This week Google AdWords Callout Extensions have been launched, allowing advertisers to show “additional text with search ads that provide detailed information about your business, including products and services you offer.” The callouts will be located in ads running at the top and bottom of the search results page.

Here is one example of how they could look:

(Image: example of Google Callout Extensions in a search ad)

Callout extensions are added and edited in the ad extensions tab at the campaign or ad group level. To be eligible to run these extensions, you must create at least two (and up to four) callouts per campaign or ad group. Google will look at the order of callouts, their length, and how they perform when deciding how many callouts appear and when they show.

Using Callout Extensions:

There are a number of features that will help your ads take full advantage of the new callout extension rollout. Callout scheduling allows you to decide when certain callouts show. This can be helpful if you run promotions certain times of the day, such as a dinner special at a restaurant or time sensitive sale at a retail store. To schedule callouts, go into the ad extension tab and click the callout extension link in the drop-down menu. Click the pencil icon next to the callout you want to schedule and then the “start/end dates, scheduling” link.

Another great feature is combining site link extensions with callout extensions to provide more context to your ad. As with everything else, Google rewards advertisers for relevancy. Providing callouts that provide context to site links or relate to desired actions will be favored. Other tips include keeping text short (12-15 characters per callout is recommended), being as specific as possible, capitalizing sparingly, and optimizing for mobile devices.

To get more tips and advice on digital advertising, like us on Facebook.

Position Filled – Entry-level LAMP developer

Careers, News & Updates

This position has been filled, but we’re growing. Skilled developers, feel free to submit a resume.

Burlington Bytes is looking for a full-time LAMP web developer; entry-level is okay, as long as you’re ready to learn. Most of the work will be in PHP/JS/HTML/CSS with Apache servers, MySQL databases and Git version control.  We build most of our sites in WordPress & Magento, but you should be comfortable working in a variety of PHP frameworks and CMSs, as we do have some clients that require custom work.  Ideally, you should be able to interface with clients on occasion.  We have a portfolio of 60+ clients and are growing rapidly.  Casual work environment with a great team.  If you’re interested, send a resume and cover letter to pete@burlingtonbytes.com and we’ll be in touch.