Thanks to the Internet, small businesses are better able to compete with their bigger competitors. Most boutique real estate agencies are hip to the importance and value of maintaining a website with an active blog and social network, as are top-producing agents in many of the big brokerages.
A solid Web marketing strategy can be a boon to business of any size, but it can also make a business more vulnerable to cyber attacks if proper precautions are not taken. Two recent security breach incidents – the Heartbleed bug and Internet Explorer security flaw – have prompted me to take a closer look at security for Federal Title’s website.
Real estate agents who manage their own websites and social networks may want to do the same. This post highlights a few of the issues I’ve been dealing with.
What is Heartbleed?
This story broke during the second week of April. For a bit of background, read “Why Heartbleed is the Ultimate Web Nightmare,” a nice article from Mashable that explains what’s at the crux of the matter: OpenSSL.
In short, OpenSSL is the software library most websites use to encrypt the connection between two computers, so private information can cross the Internet without being read along the way. It’s like passing a note in a cryptex from The Da Vinci Code. Only those with the key can unlock it.
For example, let’s say you want to log into Facebook. You enter your private password and press enter. The password is then encrypted as the data is sent to the server at Facebook, where the private information is unlocked so you can log in safely. It’s the same thing for making purchases on Amazon or sending email through Google.
Heartbleed is a flaw in OpenSSL that lets an outsider read chunks of a server’s memory, which can expose that secret, private information and even the server’s own encryption key. That is especially bad because about 66% of the Web uses OpenSSL to send encrypted messages.
What’s most interesting (and scary) about Heartbleed is that it went undetected for two years, so there’s no telling how many people knew about the flaw – and how many bad guys exploited the flaw.
A patch was introduced to eradicate the threat, but as a precaution you should change your passwords if you have not done so already. Change a password only after the site in question has applied the patch; a new password sent to a still-vulnerable server can be exposed just like the old one. Here is a comprehensive list of Heartbleed-affected websites that advise you to change your password. Among those listed are Facebook, Google, Amazon, GoDaddy, YouTube, Instagram, WordPress, Dropbox and more.
Why are you still using Internet Explorer?
I’ve been telling our office for years that IE is the worst. Anyone who develops and/or maintains websites, including our own IT vendors, tends to agree with me. (Read “Why do so many geeks hate Internet Explorer?”)
Microsoft’s browser is buggy. It doesn’t adhere to Web standards – much to the chagrin of developers – which is why websites look great in every other browser and require special code fixes to render properly in IE. And as a news story that broke over the weekend illustrates, Internet Explorer remains susceptible to security breaches.
In case you missed it, IE versions 6 through 11 are affected and users running the no-longer-supported Windows XP are particularly vulnerable because there will be no security patch for them.
The flaw has the federal government on high alert because the bug could give data thieves the same level of access to a networked computer as its legitimate user, and at least 10 percent of federal government computers are running in this vulnerable configuration.
The best way to protect yourself and your business from IE security breaches is to stop using IE!
What is a brute force attack?
“How I became a password cracker” is a pretty interesting blog post from a guy who had never cracked a password before his “experiment” but was able to crack 8,000 passwords in one day. It sheds light on the technical side of how brute force attacks work.
In a brute force attack the hacker typically uses a software tool called a password cracker, which submits username and password guesses over and over again until one of them gains access. (This is why you’re not supposed to use passwords like “123456,” and why it’s best to avoid usernames like “admin.”)
This threat hit particularly close to home for me a few weeks ago when I received a call from my Web host alerting me to a high number of login attempts – the call sign of a brute force attack. Our content and website were safe because the username and password were strong, but the incident led me to install additional security features on our site.
All websites with login forms are susceptible to brute force attacks, including WordPress, which many real estate agents use. WordPress is a popular content management system and therefore a common target. Another popular target is the content management system Joomla, which is what I use to run our website.
Both the WordPress and Joomla communities have developed several methods for preventing brute force attacks beyond the basics of creating a unique username and a complicated password. Many of the solutions are free and easy to install, so there’s really no reason not to add login protection to your website.
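As an added example (not code from this post, nor from any WordPress or Joomla plugin), here is the kind of logic behind a “too many login attempts” alert like the one my Web host raised, plus the per-address lockout that login-protection plugins apply. It runs over a few constructed log lines. The log layout, the /administrator/index.php login path and the use of a 303 redirect to mark a successful login are assumptions made for the example.

```python
"""Spot a brute-force login pattern in web-server logs and apply a per-IP lockout.

Added illustration for this post; not code from the post or from any
WordPress/Joomla plugin. Log format, login path and status codes are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real capture), in a simplified shape:
#   <ip> <ISO timestamp> "<method> <path>" <status>
# Assumptions: the login form lives at /administrator/index.php (Joomla's
# default admin path); a successful login answers with a 303 redirect,
# a failed one re-renders the form with 200.
SAMPLE_LOG = """\
203.0.113.7 2014-05-01T10:00:01 "POST /administrator/index.php" 200
203.0.113.7 2014-05-01T10:00:02 "POST /administrator/index.php" 200
203.0.113.7 2014-05-01T10:00:02 "POST /administrator/index.php" 200
203.0.113.7 2014-05-01T10:00:03 "POST /administrator/index.php" 200
203.0.113.7 2014-05-01T10:00:04 "POST /administrator/index.php" 200
203.0.113.7 2014-05-01T10:00:05 "POST /administrator/index.php" 200
198.51.100.4 2014-05-01T10:00:10 "POST /administrator/index.php" 200
198.51.100.4 2014-05-01T10:00:40 "POST /administrator/index.php" 303
198.51.100.4 2014-05-01T10:01:00 "GET /index.php" 200
"""

LOGIN_PATH = "/administrator/index.php"   # assumed login endpoint


def parse_line(line):
    """Return (ip, timestamp, path, status) for one line in the constructed format."""
    ip, ts, _method, path, status = line.replace('"', "").split()
    return ip, datetime.fromisoformat(ts), path, int(status)


def failed_logins(log_text):
    """Yield (ip, timestamp) for every login POST that did not end in a redirect."""
    for line in log_text.splitlines():
        ip, ts, path, status = parse_line(line)
        if path == LOGIN_PATH and status != 303:
            yield ip, ts


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag client IPs with `threshold` or more failed logins inside a sliding window.

    Returns {ip: most failures seen in any one window} for flagged IPs only.
    Lines are assumed to be in time order, as server logs normally are.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


class LoginThrottle:
    """Per-IP lockout: after `max_failures` failures within `window`, reject
    further attempts from that address until the lockout period has passed.
    This is the behaviour 'limit login attempts' style plugins provide."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout ends

    def allowed(self, ip, now):
        """True if this IP may attempt a login at time `now`."""
        until = self.locked_until.get(ip)
        return until is None or now >= until

    def record(self, ip, now, success):
        """Update state after an attempt; returns True if the IP is now locked out."""
        q = self.failures[ip]
        if success:
            q.clear()                        # a genuine login resets the counter
            return False
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False


if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} failed logins within a minute")
```

The detector answers the question the host’s alert implies (“which address is hammering the login form?”), while the throttle is the preventive half: once an address trips the limit, its further guesses are refused for the lockout period, which turns an attack of thousands of attempts per day into a handful.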