Thursday, March 11, 2010

Security Update – Microsoft issues emergency patch for IE in Aurora attack and short update on other issues

Posted by David Lyle on January 22, 2010

Today (1/21/2010) Microsoft issued an out-of-band patch for IE that plugs the hole used in the Aurora attack. It should reach pretty much everyone through Windows Update within 24 hours.

If you’re running Automatic Updates you should already be patched, but here’s the skinny: Microsoft Security Bulletin MS10-002 (Critical), Cumulative Security Update for Internet Explorer. The Aurora hole is CVE-2010-0249, and the same bulletin closes seven other privately reported IE flaws, so install it even if nobody in your shop ever saw a poisoned page.

So far the real-world attacks have targeted IE 6, but the flaw exists in unpatched IE 6, 7 and 8 as well (Microsoft lists only IE 5.01 as unaffected). IE 8 ships with DEP enabled and, on Vista and later, runs in Protected Mode with reduced rights, which is why the exploit circulating at the time of writing worked against IE 6; neither mitigation is a substitute for the patch. Please see my previous entry, The Aurora attack – can you be safe from cyberattack in your business, for more information.

Additionally, we’re seeing continued spam-bot and probing traffic from China directed at civilian businesses. These attacks are mostly aimed at web sites currently. Blocking code seems to be holding at this point; I will soon post an article on how to do that.
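As an added example (not the author’s blocking code, which he promises for a later article), here is how probing traffic can be picked out of an ordinary Apache or nginx combined-format access log and turned into deny rules. The log lines, the probe-path list and the thresholds are constructed for illustration, and the output uses Apache 2.2 `Deny from` syntax; adapt the last function to whatever your server speaks.

```python
"""Pick probing hosts out of a web server access log and emit deny rules.

Added example for this post, not the author's own blocking code. It scores each
client address seen in Apache/nginx combined-format log lines and renders
Apache 2.2-style "Deny from" directives for the ones that behave like scanners.
The log lines, probe paths and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Paths no legitimate visitor of a small business site requests; typical scanner
# targets (illustrative list, assumed for this example).
PROBE_PATHS = ("/phpmyadmin", "/pma/", "/w00tw00t", "/admin/config.php",
               "/setup.php", "/wp-login.php", "/.svn/", "/etc/passwd")

# Constructed sample: a normal visitor, a scanner, and a visitor following one dead link.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2010:10:01:02 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2010:10:01:03 -0800] "GET /about.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
198.51.100.9 - - [22/Jan/2010:10:02:00 -0800] "GET /phpMyAdmin/main.php HTTP/1.0" 404 310 "-" "-"
198.51.100.9 - - [22/Jan/2010:10:02:00 -0800] "GET /pma/main.php HTTP/1.0" 404 310 "-" "-"
198.51.100.9 - - [22/Jan/2010:10:02:01 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.9 - - [22/Jan/2010:10:02:01 -0800] "GET /setup.php HTTP/1.0" 404 310 "-" "-"
198.51.100.9 - - [22/Jan/2010:10:02:02 -0800] "GET /admin/config.php HTTP/1.0" 404 310 "-" "-"
192.0.2.44 - - [22/Jan/2010:10:03:00 -0800] "GET /old-page.html HTTP/1.1" 404 310 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Jan/2010:10:03:05 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return (ip, path, status) or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    return ip, path, int(status)


def score_hosts(log_text):
    """Per client address: total requests, 400/404 responses, hits on probe paths."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "probes": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, path, status = rec
        s = stats[ip]
        s["total"] += 1
        if status in (400, 404):
            s["errors"] += 1
        if path.lower().startswith(PROBE_PATHS):
            s["probes"] += 1
    return stats


def suspicious_hosts(stats, min_probes=2, min_errors=4, error_ratio=0.8):
    """Flag a host that touched several probe paths, or whose traffic is almost
    entirely failed requests. A person following one stale link produces a 404
    and then a 200, so a single error never trips this."""
    flagged = []
    for ip, s in stats.items():
        mostly_errors = (s["errors"] >= min_errors
                         and s["errors"] / s["total"] >= error_ratio)
        if s["probes"] >= min_probes or mostly_errors:
            flagged.append(ip)
    return sorted(flagged)


def deny_directives(ips):
    """Apache 2.2 access control block; with Order Allow,Deny the Deny lines win."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines.extend(f"Deny from {ip}" for ip in ips)
    return "\n".join(lines)


if __name__ == "__main__":
    print(deny_directives(suspicious_hosts(score_hosts(SAMPLE_LOG))))
```

Feed it a real log with `score_hosts(open("/var/log/apache2/access.log").read())` and review the flagged list before installing it; exempt your own monitoring and search engine crawlers, and expect per-address blocking to slow a scanner down rather than stop one that rotates through many hosts.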

As usual, keep up the basics. In a future article I will go over some thoughts about where to focus on next.

-David Lyle
Thunderpaw

The Aurora attack – can you be safe from cyberattack in your business

Posted by David Lyle on January 18, 2010

The latest news items revolve around the quite large alleged attacks on Google (and other companies) from China. See McAfee on Operation Aurora:

“…Microsoft Internet Explorer that was used as an entry point for ‘Operation Aurora’ to exploit Google and at least 30 other companies.” – McAfee.

Microsoft posted this security advisory:
Microsoft Security Advisory (979352) – Vulnerability in Internet Explorer Could Allow Remote Code Execution

However, this is simply a continuation of larger issues.

When investigating cyberattacks against businesses, we see an awful lot of sloppy security, though not where most people expect it. Most everyone runs virus protection (sometimes 3 or 4 products at once; I guess just to slow down their computers) and firewalls (again, sometimes 3 or 4: a corporate firewall, then Windows Firewall, then McAfee or Norton as well!). Perhaps it’s fear of the unknown, perhaps it’s the old “more is better” idea. Two resident anti-virus engines don’t add protection; they contend for the same files and frequently flag each other. A perimeter firewall plus one host firewall is legitimate layering, but two host firewalls on the same PC is not. Pick one product of each kind, remove the extras, and make sure the one you keep is actually updating and running.

However, the real threats are not so much random attacks. Real threats generally come from inside somewhere: either an unhappy employee or simple social engineering. I suspect both are at play in the Google attack. In Aurora’s case the reported entry point was exactly that: targeted messages that lured employees into opening the malicious page in IE. The weakest link in your corporate computer security often sits at one of your corporate computers drinking coffee.

Security always goes back to basics. Additionally, there is no security which is 100%. None. Well, OK, there is one way: disconnect your computer from the ’net and turn it off. That should protect you pretty well.

If, however, you feel the need to remain connected, then continue with the basics. Don’t panic over the little stuff. Here are some basic common-sense security tips (which are amazingly not so common!):

  • Change passwords regularly, use strong passwords, and never share one password across systems.
  • Disable departing employees’ accounts the day they leave, and change any shared or system passwords they knew.
  • Back up, back up, back up. Store backups in multiple locations, offsite if possible, and test that you can actually restore from them.
  • If it’s important to your business, TREAT it as important!
  • Let your IT people upgrade Internet Explorer. If you’re still using IE6 for business, you don’t care about your business. (Or switch to an alternative browser.)
  • Hire professional IT people, and trust them.
  • Let your IT professionals know about “odd” behavior. Sometimes it points to security issues that need to be addressed.

Finally, do your best, and understand that there are people, companies, and countries which do nothing but try to hack. Many are after information, so think seriously about what you store and how. Ponder how you’ll feel if you find out Google lost vital information about your company.

Attn marketers – Google Analytics vs. Statcounter head to head comparison

Posted by David Lyle on January 13, 2010

The vast majority of web sites rely on Google Analytics (GA) for all their marketing data. So I decided to try a few other services out and compare them head to head. The results may surprise you.

If you’d like a full copy of my reports when completed, send a feedback or comment through our contact form.

Today: Google Analytics (GA) vs. Statcounter

Overall Winner: Statcounter.

How they work:
GA: a JavaScript snippet in the page footer. It only reports a visit when the browser actually runs the script.
Statcounter: a JavaScript snippet in the footer, plus a <noscript> image URL, so a browser with scripting disabled still registers a hit when it fetches the tracking image.

My test methodology: I selected random web sites and installed both the GA and Statcounter code on each.

Cost: GA is free. Statcounter is free up to 500 log entries; 1500 costs $9/month, and upward from there.

Comparison:
GA, being JavaScript only, is already at a disadvantage to Statcounter, as anyone with JavaScript disabled (like myself) is automatically invisible to GA. This is a huge disadvantage for GA stats. Generally speaking, the more technically savvy of your visitors won’t be counted. On average, that works out to anywhere from 5% to 10% or more of your visitors!

Let’s take a quick look at the stats.

I compared the same web site on the same day with GA and Statcounter. In a full 24-hour day, GA reported 649 page views and 181 unique visitors. If I didn’t maintain the logs myself, I’d have to simply trust GA on those numbers, as there’s no way in Google Analytics to drill down and actually look at the logs. Statcounter, on the other hand, reported 736 page views and 355 unique visitors. That’s a significant difference (Statcounter is more in line with the web logs on the server, by the way). Two caveats when reading those figures: the services don’t define “unique visitor” the same way (GA recognizes a returning browser by the cookie its script sets, while a counter that also accepts scriptless hits has to fall back on the visitor’s address), so part of the gap in uniques is definitional rather than missed people; and the raw server log is an upper bound rather than the truth, because crawlers and scanners appear there and never run anyone’s JavaScript.
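The sanity check described above, as an added example rather than code from the author, Google or Statcounter: derive a day’s page views and unique visitors from the server’s own combined-format access log, setting aside static assets and self-identified crawlers, and keep each visitor’s ordered path so it can be compared with the vendor’s drill-down. The sample lines, asset suffixes and crawler pattern are constructed; a “visitor” here is an IP address plus User-Agent, which is the only identity a log offers.

```python
"""Cross-check an analytics vendor's daily numbers against the server's own log.

Added example for this post, not code from the author, Google Analytics or
Statcounter. It derives page views and unique visitors for one day from
combined-format access log lines so the vendor's figures can be sanity checked.
The log lines, static-asset suffixes and crawler pattern are constructed.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Requests for these are hits, not page views; script-based counters never see them.
ASSET_SUFFIXES = (".css", ".js", ".png", ".gif", ".jpg", ".ico")
# Crawlers announce themselves in the User-Agent. They fetch pages but run no
# JavaScript, so they inflate raw log counts yet never appear in GA or Statcounter.
BOT_UA_RE = re.compile(r"bot|crawler|spider|slurp", re.I)

# Constructed sample: one visitor on two visits, one search referral, one crawler.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2010:08:00:01 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
203.0.113.7 - - [13/Jan/2010:08:00:01 -0800] "GET /style.css HTTP/1.1" 200 900 "http://example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
203.0.113.7 - - [13/Jan/2010:08:00:02 -0800] "GET /logo.png HTTP/1.1" 200 3000 "http://example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
203.0.113.7 - - [13/Jan/2010:08:05:10 -0800] "GET /pricing.html HTTP/1.1" 200 4100 "http://example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
198.51.100.23 - - [13/Jan/2010:09:12:44 -0800] "GET /pricing.html HTTP/1.1" 200 4100 "http://www.google.com/search?q=example" "Mozilla/5.0 (X11; U; Linux x86_64) Firefox/3.5"
192.0.2.10 - - [13/Jan/2010:10:30:00 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [13/Jan/2010:10:30:01 -0800] "GET /pricing.html HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [13/Jan/2010:17:45:00 -0800] "GET /contact.html HTTP/1.1" 200 2300 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
198.51.100.23 - - [13/Jan/2010:18:00:00 -0800] "GET /missing.html HTTP/1.1" 404 300 "-" "Mozilla/5.0 (X11; U; Linux x86_64) Firefox/3.5"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_page_view(rec):
    """A successful GET for something that is not a static asset."""
    return (rec["method"] == "GET" and rec["status"].startswith("2")
            and not rec["path"].lower().endswith(ASSET_SUFFIXES))


def summarize(log_text):
    """Hits, crawler hits, page views, unique visitors and each visitor's path."""
    hits = bot_hits = page_views = 0
    paths = {}  # (ip, user agent) -> pages viewed, in log order
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits += 1
        if BOT_UA_RE.search(rec["ua"]):
            bot_hits += 1
            continue
        if not is_page_view(rec):
            continue
        page_views += 1
        paths.setdefault((rec["ip"], rec["ua"]), []).append(rec["path"])
    return {"hits": hits, "bot_hits": bot_hits, "page_views": page_views,
            "unique_visitors": len(paths), "paths": paths}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key in ("hits", "bot_hits", "page_views", "unique_visitors"):
        print(f"{key}: {result[key]}")
    for (ip, _ua), pages in result["paths"].items():
        print(ip, " -> ".join(pages))
```

The numbers this produces will sit above a JavaScript-only counter (it sees every browser, scripted or not) and at or above Statcounter, and the crawler count shows how much of the raw log no beacon-based tool could ever have counted. Its “unique visitors” also means something different from GA’s cookie-based figure, which is the same reason the two vendors’ uniques above don’t agree.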

Features:

Integration with AdWords: Google obviously maintains excellent integration with Google AdWords, no question there. Winner: Google.

Per-visitor data: Statcounter offers a lot more detail on individual visitors. You can drill down and follow a single user’s path through your web site, find where they left your site and where they went. This in particular is very valuable for marketing and SEO! Winner: Statcounter.

Returning visitors: GA will tell you how many visits are return visits, but nothing else. Statcounter adds the ability to drill down and find out who returned and where they went. Winner: Statcounter.

System stats: both GA and Statcounter offer a breakdown of your visitors by the hardware they use to access your site, screen resolutions (if you’re still designing for 800×600, you’re outdated!), browser versions, etc. GA seems to have more accurate data on this than Statcounter. Winner: Google.

Logs: Statcounter offers the ability to download its logs in CSV format. You can see exactly who hit your site and when, in raw data form. GA offers no such reporting. This is definitely a feature for the more tech-savvy or numbers-oriented people; not a show-stopper for most. Winner: Statcounter.

Reports: both services offer reports by email, scheduled and immediate. Both are quite configurable, but the Statcounter report out of the box is pretty poor. The GA report is quite beautiful, with graphs. I’m going to give the win on this to GA. Winner: Google.

Summary!

Every professional web site needs good stats. You simply must know who is visiting your site, where they’re going, and why they’re leaving! Both GA and Statcounter offer excellent real-time reporting. Chances are GA will be on your site already, and it serves the purposes of most people. However, if you are like me and want more detailed information, then you really should have Statcounter on your site. Try running both yourself and see which you like better.

In my opinion, having drill-down paths of visitors and more accurate visitor counts matters more to me than Google AdWords integration. Of course, your needs may be different! The cost for Statcounter is pretty minor compared to the data, if you even need more than 500 log entries. Additionally, nothing prevents you from having two different services on your site; just don’t go overboard or you’ll slow your site down needlessly! Remember, too, that every tracking snippet is third-party JavaScript running with full access to your pages, so each service you add is one more vendor you are trusting with your visitors’ activity.

Disclaimer – I am not paid by either GA or Statcounter to comment on their services. I have no financial interest in either company.

-David Lyle