Geek Certs Blog

Consider how much money that eBay saves (and is able to pass on to us through lower pricing) by not having the traditional ‘brick and mortar’ storefront, as it is called. The savings are tremendous. Of course, eBay makes money by charging sellers a percentage of their gross sales price.

Think about how different eBay is from Amazon (or other non-auction e-merchants). Amazon has to have some type of storefront. The question is, what type? Their store isn’t what you’re thinking of! Their store is a number of warehouses that keeps inventory in a ready-to-ship state. They keep just enough on-hand to meet demand over a short period of time. They figure out how much they need to stock (for each item) by looking at previous sales and then adding to that their guess – or forecast – of upcoming sales. If they guess correctly, they don’t have to pay excess insurance, storage (which includes heat, electricity, storage space), and interest expense (on the money they probably borrow to purchase inventory). They only pay these expenses on things they sell quickly. This process is known as JIT (just in time) inventory. You would learn about this in cost accounting.

When you purchase online, always use a credit card or PayPal. Never pay cash! If you do, you are on your own if a dispute arises. They have your money and you have a poor product or no product at all, and a complaint. I know what you’re thinking: ‘I’ll report them to the authorities, such as the Better Business Bureau (BBB).’ Well, you would need to hop in line because there are tens of thousands of fellow complainants in front of you. And guess what? The BBB only has a few people handling our complaints. So, unless you have a large, valid complaint, you’re out of luck.

However, if you purchase with a credit card or PayPal, then you have a buddy who will fight for you. And, if the online merchant is non-responsive, evasive, or can’t be found, they will almost always get your money back for you. All you need to usually do is complain within 90 days of the date of purchase. If you complain late, then you might lose your buddy. Check with your credit card company to make sure you know when your deadline is to file a complaint against a merchant.

Another important consideration is that every time you do anything that relates to money or your personal identity, check that the Web site’s URL begins with HTTPS before you enter your login name and password. This should ensure that your communication is encrypted and hidden from other Internet traffic. However, keep in mind that if the computer you use for these transactions is not secure, then using HTTPS doesn’t do you much good.

As a side note, you should consider using a number of logins and passwords, depending on the type of account to which you are logging into. For example, if you purchase from a secure vendor, use a certain login/password set for one or more vendors. If you log in to a site that is not secure, don’t use your secure login/password set on that site. Finally, use another login/password set for your bank and other financial institutions. This way, if one of the merchants is compromised, you will not suffer complete exposure when an identify thief gets one of your login/password sets.

Okay, you guys probably think I’m crazy, but this is the stuff I love! I guess I say that all the time, don’t I?

Security is broadly defined as the protection of assets from unauthorized access, change, or destruction and can be broken down into two general categories: physical security and logical security. Physical security involves protecting asset you can touch, such as computers, routers, tapes, and vaults. Security of nonphysical - or logical - assets protects the rules and policies that allow and restrict access to the network. Anything that endangers an asset is known as a threat. The measures that you take to protect your assets are known as countermeasures.

One way to protect your computer is to place it behind a locked door and securely attaching it by steel cable to the desk on which it sits. The methods we use to secure hardware can range from total control, where the computer hosting is not connected to any network (including the Internet), to no security at all, where the computer is connected to the Internet, allowing public access to its files. A middle-of-the-road approach is where the computer is protected from potential threats and is not completely isolated from the outside world. This approach is adequate for most home and business environments.

The depth and number of your countermeasures depend upon the potential threats to your physical and logical data and their value to your organization. A network housing your recipes on a database might be considered a low-value asset and we might decide that a simple firewall will do. On the other hand, a network that contains your bank and other financial data would probably be considered high-value and be protected with a number of measures.

In the latter case, we plan for a heavy attack against our assets and hope we never have to implement our plan. Always consider your valued assets as under attack as the best course of action. Usually, the countermeasures we take are dependent on the amount of funds we have available for the project. Just remember that the value of the data on the network moves this up (more value = more funds) or down (less value = less funds).

You’ve probably noticed that when you bank or access credit card data online, your URL looks like https://www.somewhere.com, as opposed to the http://www.somewhere.com that we usually see in our address line. The difference between these two (the “s”) is based on security. The financial institution is using public-key encryption in an attempt to validate your identity and safeguard your assets.

You might recall that using the PGP email client introduced us to Public-key encryption, which uses two different keys – a public key known to everyone and a private key which is known only to the (computer of the) sender. So, if I’m using PGP, I can send you my public key but I never share my private key. The only way a message encrypted with a public key can be decrypted is by using the private key. Therefore, if you send me a message that your PGP client encrypts using my public key, only my private key can decrypt (or read) it.

If someone else gets a copy of my public key, we’re still safe. One of my public keys cannot decrypt a message encrypted with one of my public keys. Only my private key has the ability to do this and as long as I safeguard it, my messages are safe. As you can see, the security of my private key is paramount to my security.

With this in mind, if my computer is infected with a virus, or hacked, then my private key might be stolen. When this happens, my private key isn’t very secure anymore, since that private key is the basis for my security! Can you see why keeping my computer (or server) virus and hacker free is of utmost importance? I can take all types of countermeasures that cost a lot of money. But, if I don’t keep the computer clean, it’s all for naught.

In the old days (about 7-10 years ago), most hackers were quite skilled in writing programs that were designed to hack into other computers. You don’t need much skill anymore because there are free programs available online that write the code for you! People who use these programs are sometimes called script kiddies by old school hackers in an attempt to separate themselves from their less talented peers. And, it’s true; many hackers are of high school age. Kids, looking for a thrill rather than thieves at work. However, don’t underestimate any threat. Once your network has been compromised, anyone can get in as hackers often tell each other about where they’ve been successful.

About 18 months ago, a student at one of the colleges I teach at notified me that she had purchased a motorcycle online via eBay for approximately $6,700. She said that the seller told her to send half the payment to two countries located in the old Soviet Union in certified funds. Further, they said that when the checks cleared, they would then send her the cycle. Guess what happened? You got it. She never heard from them again. Further, she wasn’t really on eBay. It appeared that she was on a site with the name of Square Trade. It was a total fraud. Just Google the term “ebay square fraud” and you will see many stories similar to the one above.

In this case, there was no hacker. It was an online scam. Therefore, always purchase by credit card online to protect yourself. Some credit cards, in an effort to protect consumers, let you create transaction credit card numbers. These are pretty cool because you can say that the new credit card number is only good with a specific vendor, up to a certain amount, for a certain period of time. You never have to disclose your real credit card number.

Many people think that cookies are, on their own, a threat to their computer. They’re not. The Web site that creates the cookie is the only site that can read it. However, they can pose a small risk if the Web site’s server is compromised by a virus or hacker. Cookies only store information. They are not programs, they are only text files. These text files can store usernames and passwords along with information about things you’ve done online. Whoever owns the server can read the cookie. That’s the risk with cookies.

I’m no fan of adware. I don’t have a problem with free products and adware so long as they are honest about what they’re going to do to your computer and give you a clean way to uninstall it. On the other hand, I detest those who through deceit, install adware on your computer and make it virtually impossible to remove it. My personal view on this is that it should be illegal with heavy fines.

Digital signatures are electronic, encryption-based, secure stamps of authentication that are applied to objects (databases, documents, spreadsheets, or macros) that you create. To obtain a digital signature you must purchase one from a qualified certification authority (CA) or you can create one yourself. CAs are commercial companies that issue and validate identities using digital signatures, for a fee. Choose a CA if you need a high-level of security. Most countries have stringent laws that regulate CAs so that purchasers can be sure that their digital signatures are valid.

We can create a personal digital signature, which is known as self-signing, using Microsoft Office Tools and attach it to items immediately before we distribute it to other users. Keep in mind that a digital signature does not prove that you own the object. By use of a time stamp, it can prove that you were the last person to modify it. You provide the timestamp information to others when you distribute, or publish, your object. By examining the timestamp on your object, you can prove that is has or has not been modified since you applied your signature. A timestamp is a combination of the date and time that is encrypted as part of the digital signature. For a timestamp to be truly valid to others, it must be passed through some time stamping service provider. Again, this can be a commercial entity or a server located on your network. Further discussion of this process is outside the scope of our discussion.

Phishing is another form of attack against your security. Protecting yourself from this type of assault depends more upon having educated users than any other course of action you might take as a countermeasure. Phishing occurs when you are contacted, usually via email, by someone representing themselves to be someone they’re not. For example, on occasion I receive email from admin@paypal.com or services@paypal.com asking me to log in to my account to verify my identity. PayPal does not ever ask its customers to do this (and I know it). When I examine the email item’s properties (right-click it and select Properties), I notice that if I click the Web page link within the email I’m redirected to a completely unrelated Web site. If I log in, they capture my login name and password. Then, they use it later to hack my account. Don’t fall for this type of trap! I always send these to PayPal (or any other company being falsely represented). PayPal and other financial institutions always investigate every item you send to them.