InetSolution Blog

Mintuition.org Makes its Debut

Fri, 12 Apr 2013 10:58:40 -0400

The Filene Research Institute unveiled its latest cool web app called Mintuition (www.mintuition.org). Mintuition will help students and parents better evaluate college and career choices by helping to quantify the Return on Tuition a student can expect after completing a degree from various colleges. Filene gets all the credit for the data analysis and fancy algorithms driving the web app, but we’re quite proud of the responsive design and slick code driving the app.

If you’re contemplating college, be sure to give it a try at www.mintuition.org. If you want to checkout the responsive design, be sure to use visit on your smart phone or tablet, too.

Delivered Secure v4.0 Brings New Drop Off Feature and Security Enhancements

Mon, 04 Feb 2013 20:41:23 -0400

Delivered Secure, our secure messaging and document delivery solution for banks, credit unions, and anyone else who wants to safely send messages and files, is getting a much requested new feature, and some security improvements. The new Drop Off feature will be especially useful for loan officers in banks and credit unions.

Drop Offs Make Getting Files Easier from Infrequent Senders

In the past, only registered users could send documents through Delivered Secure. This approach made exchanging files safer by removing the risk of anonymous users uploading files, but also created extra work for those infrequent outside senders.

Drop Offs make receiving files simple. Now, instead of repeatedly setting up Delivered Secure logons for those infrequent senders, admins and employees can create Drop Offs. Delivered Secure emails a link to your sender that she can use to upload files to you. The whole process takes just seconds.

Remember Me is Changing

We’ve disabled the Remember Me function by default now.

We know this won’t be a popular decision. In fact, more than half of Delivered Secure users take advantage of Remember Me. While this is super convenient feature, it is also a security concern that keeps us up at night.

For those who don’t want to give up the convenience of Remember Me, we have given administrators the option to enable this feature. This will let you decide just how secure your file exchange system is, and let us sleep better at night.

Long Pass Phrase Support

With all the computing power available to hackers today, using long, complex passwords is a key aspect of good security. We’ve increased the maximum password length up to 100 characters. You now have no excuse to use wimpy, easy to crack six character passwords (yes, we’ll still let you, but for the sake of your sensitive data, don’t do it).

Don’t delay, logon and create a long pass phrase, something like “PickingTURNIPSisafun##waytoSpendtheW33kends” which will take a really, really long time to crack. While you’re at it, enable Delivered Secure’s optional multi-factor authentication for the ultimate in protection of your files and messages.

Visit www.securefileexchange.com to instantly start a free trial.

Removing Meta Data from Documents on Bank Websites

Mon, 04 Feb 2013 20:10:00 -0400

When you upload documents, such as PDFs or Word files, to your website you may be unwittingly divulging information that could prove useful to hackers and other outside parties. If you’ve had any sort of vulnerability assessment performed on your website, you may see a reference to this metadata existing on your website. While it’s a relatively low risk threat, to stay in the good graces of your risk department, you’ll likely want to remove this data from documents before you publish to your website.

What is metadata?

Metadata, in this situation, refers to extra information embedded into a document when it’s saved, such as the author’s name, department name, keywords used for indexing and searching, and sometimes file paths to internal network resources. PDF documents are by far the most common type of file that is likely to contain metadata on a bank and credit union website. To view the metadata associated with a PDF, open the document in Adobe Acrobat Reader and then click the File > Properties menu item (or CTRL+D). The screen shot below is the first PDF that Google returned to me when I did search for ‘bank rates PDF’.

Example of metadata in a PDF file on a bank website

You can see that the author’s name associated with this document is Gerry Pfeffer. While it’s no secret that Gerry Pfeffer is somehow affiliated with this bank since the information is readily available elsewhere on the internet, there is a good chance that this will still show up on a vulnerability assessment and will likely fall under the heading of something that sounds ominous.

Removing Metadata

The easiest method to prevent accidental disclosure of metadata is to not insert it into your PDF documents in the first place. In Microsoft Word 2013, when saving a file as a PDF Word will present you with an Options button. When you click this button you can uncheck the box to include the document properties, otherwise known as metadata, and your PDF will not contain any of the metadata that Word normally saves to the PDF file.

Uncheck the box Document properties box

If you plan to publish Microsoft Word documents to your website (we highly recommend creating PDF versions instead), you can also remove the metadata from the Word file before you save it. Microsoft has instructions for removing meta data here.

Complex Passwords Harder to Crack, but It May Not Matter

Fri, 15 Jun 2012 08:18:18 -0400

If your organization provides any computer security training at all then it should be no news to you that long, complex passwords are more difficult to crack than the more simple passwords that most users choose today; however, nearly all people I’ve talked who work in banks don’t realize how fast their passwords can be cracked by today’s modern computers.

Mike Halsey, a Microsoft MVP, posted the chart below on Ghacks.net. This chart shows how long it would take a modern computer to crack passwords of varying complexities, assuming the hacker knew the basic password requirements for the application.

Length of time to crack passwords of varying complexity

The passwords I use are all off the chart, which is a good start toward protecting my online data. But even a super long, complex password is still no defense against one very common practice – using the same password for all services. When sites such as LinkedIn get compromised and passwords are stolen, your super long, ultra complex password that you use on every site is now as useless as having no password at all.

In all likelihood, many of the users in that LinkedIn database use the same username + password combination on every application they access. Duplicating your credentials across all applications completely undermines the value of using a strong password.

Consider these principles when choosing your credentials for websites and applications that you use:

Use long, complex passwords that use spaces, capital letters, lower case letters, numbers and special characters. To make them easier to remember, consider using a sentence that has meaning to you.
Use a different username and password for online banking and similar sensitive systems than you use for forums, Facebook, e-commerce and other websites
Change your most frequently used passwords once a month
When offered challenge questions, avoid those with easily guessed answers, such as “What is your favorite color?”
Limit the data that you post about yourself on social sites that makes answering challenge questions easy, “What is your Mother’s maiden name?”, for example

Finally, if you work for a bank or credit union and you have influence whatsoever over your online banking security processes, demand that your system allow strong, complex passwords. Banks have been slow to adopt strong password policies, with many online banking sites still prohibiting people from using special characters in their passwords and limiting passwords to an 8 character length. Worse than not choosing a strong password is an online banking system that will not let you create a strong password.

Unusual E-mail Marketing Move That Caught My Attention

Sat, 05 May 2012 08:25:00 -0400

If you’re an email marketer, you have people – probably the majority – on your marketing lists that never open your email campaigns. They promptly delete, ignore or flag your emails as spam. Yet, like most marketers, you keep sending more campaigns until the recipient either unsubscribes or permanently relegates you to the rank of Junk Sender in their email system. Continuing to send to these people wastes money, computing resources and reduces your open and click-through ratios on your campaigns. Have you considered simply removing these subscribers who never open your emails?

Yesterday I received a campaign from Stonyfield. I must have subscribed to receive their offers in the past, though I don’t recall when. I do recall seeing and deleting (without reading) their messages numerous times in the past. But today this particular message subject line caught my attention.

This email subject line caught my eye

The subject line says “Sorry to see you go.” That caught my attention because I didn’t recall unsubscribing. My first thought was that it might be a scam, but that proved false. To my pleasant surprise, Stonyfield’s marketers were actually removing me from their list because their analytics show that I never open their emails.

Stonyfield's email message to notify me of my pending removal from their list

Removing people from email lists (after all, the monetary cost to continue sending is next to nothing) may make most marketers wriggle uncomfortably in their seats. But I applaud Stonyfield's proactive approach to clearing out the dead wood and applaud Stonyfield’s marketers.

While I have no concrete, peer-reviewed data to back up my hypothesis, I would be willing to bet that Stonyfield will not see a negative sales impact from this move. I predict they will, however, gain an measure of increase in goodwill with customers (I do buy their products, I just don’t read their emails). They’ll also most likely see an increase in their open rates on their next round of campaigns.

If you’re an email marketer, have you tried this before? Also, what percentage of people who receive this type of notification actually choose to stay subscribed?

[UPDATE: See The Financial Brand's take in the comments below on why Stonyfield may be using this approach]

Why a simple typeo may be leaking your business's private data

Fri, 09 Sep 2011 12:16:00 -0400

Have you ever mistyped an email address? Ever had someone misspell yours? Email address typos occur all the time, and these misspellings can actually be a very large security concern for your business.

We've all had this phone conversation:

"That sounds great, let me just email you that document. What's your email address?"

"Mark Williams at co solution dot com", "Great, is it Williams with one l or two? "One l", and you said solution or solutions with an s?" "no s", and how do you spell co".

Recently a group of security researchers setup an experiment where they registered domain names that were common misspellings Fortune 500 company domains. The researchers then setup email servers that were configured to receive all email sent to any address ending in that misspelled domain name.

You can think of an example of someone at fedex. An email intended for mwilliams@fedex.com might easily be misspelled mwilliams@fedx.com by someone in a rush. That email could have sensitive information, as the security researchers clearly demonstrated.

These researcher's were able to collect over 20 GB of e-mail over the course of six months. 20 GB! These emails included everything from usernames and passwords to trade secrets and highly sensitive network configuration information.

Tips to Protect Your Organization

1. Register Common Misspellings

If you have a domain name that is commonly misspelled, register those variants. Heather Pizzala at Tri-Pointe Community Credit Union recognized years ago that people might forget to include the dash in their name when typing their domain name, so Heather wisely registered the tri-pointe and tripointe versions of their domain. Heather also correctly predicted that people may forget to include the E at the end of the name, so she also registered variants without the E at end.

For credit unions especially, it's not uncommon for people to forget to include the "cu" that is commonly at the end of many credit union domain names, such as applevillecu.com. If you're able to register the variant of your domain name without the CU (i.e., appleville.com in this example), we recommend doing so. You can register domain names at Network Solutions or many other registrars.

2. Do Not Use Email for Sensitive Communications

Secure File Exchange came out of our own needs to prevent exactly this kind of security issue. You must not trust email to share sensitive information. When you are dealing with loan documents, payroll files, tax forms, passwords and other sensitive data, you must take extra precautions to ensure the file you're sending is going to the intended recipient and only to that recipient.

Secure File Exchange helps fix this by only letting you send files to those people you've configured and authorized to receive files. In addition, you receive a read-receipt when the recipient picks up the payload so you know for sure it arrived. Finally, Secure File Exchange automatically purges data you've sent so that it's not a sitting target for data theft.

Give Secure File Exchange a try (free trial, whoo-hoo!) and let us know what you think, we're always looking for great feedback.

Book: Read This Before Our Next Meeting

Wed, 31 Aug 2011 09:51:00 -0400

I recently finished Read This Before Our Next Meeting, a great short book explaining how to re-purpose our traditional meetings into those that are concise, thorough and purposeful.

The message of the books rings to many concepts we've heard around from the likes of Seth Godin and the 37 Signals crew. Have a purpose, do your homework and make decisive decisions and stop stalling/wasting time.

Al Pittampalli introduces his concept of the "modern meeting" with the basic premiss that a meeting has only two reasons for being, to resolve conflict or coordinate efforts. At the core of it any meetings purpose is to support a decision that has already been made.

I really liked Al's point that today our use of "meeting" has really grown to encompass so many different activities, and thus everything is now regarded as a "meeting". When in fact so many things fall into the other two categories he delves into of a conversation or a brainstorm.

Al explains the idea that the burden of the meeting preparation goes onto the shoulders of the organizer. Not that participants shouldn't be prepared but its up to the organizer to do the leg work that will provide enough information and background to make a decision before the meeting begin. Then the actual meeting time can be used to communicate the reasoning for that decision and address any questions or concerns.

Overall the book can be boiled down to:

Have an agenda
Stick to your time limit
Only invite those that are absolutely needed
Do your homework

I enjoyed it and it's worth the very quick read. All in all, stop stalling with meetings, take decisive action and move on, communicating as needed.

Are you choosing a good password?

Wed, 10 Aug 2011 09:48:00 -0400

Passwords, ugh, don't you hate them? Passwords are a shared annoyance and inconvenience for all of us these days. Passwords are our main line of defense to verify we are who we say we are and to protect our identity and data. Since passwords are such a critical component to our daily technology lives we've been forced to make them less "guessable" more cryptic and thus harder to remember.

The most common technique for making your password has been to take a word, it is called a pass-WORD after all, and add some capitals, a number and then maybe some funky symbol like #, % or !. This is great, but surprisingly enough, this isn't really as secure as it could be AND it's silly hard to remember.

Today the witty folks at xkcd, an online daily comic for techie nerds such as ourselves, posted a great little comic covering this topic.

Comic courtesy of xkcd

The first row explains, in some super geeky math, that a "standard" "secure" password, with today's computing power, is hackable/guessable in around three days...Scary right?

The second row shows the technique that I really like and have been using for years. A simple sentence with regular words that may or may not correlate with one another. In their example it would take nearly 530 years to crack the example passprhase and is probably 100 times easier to remember.

So next time you're forced to reset your password or need to think of a new one, try a short sentence. You can still capitalize and use punctuation as you'd like, but at least you won't need that sticky note on the side of your monitor to help you remind you what cryptic non-english word you choose this month.

5 Creative Uses for Secure File Exchange

Tue, 02 Aug 2011 16:57:00 -0400

Secure File Exchange is one of those apps that we just love to work on because there are so many creative ways our customer's using it. So, we figured we would share a few:

New Customer Signup - When you're in the financial field, getting someone to come to your office and sign paper work isn't always convenient (or possible). When a digital PDF is all that's required, a customer can fill out their application and then send it to you with ease.
Fax Replacement - Who does business by fax anymore? Besides, faxing a form isn't any more secure than sending an email.
Engineering Drawings - Engineering these days is done with expensive CAD software, resulting in huge 3D rendering files and plenty of intellectual property. Most email servers are not too fond of 1GB files be sent through them.
Adoption Paperwork - The adoption process involves a lot of sensitive and personal data being transferred between potential families, agencies and governments throughout the world.
Secret Newsletter - Sneaky right? A newsletter that shouldn't be sitting around in an old email inbox. You have to know who's who and the secret handshake to get onto this list.

If you're using Secure File Exchange in a creative way please drop us a message or leave a comment below, we'd love to hear your stories.

Upgrade InetActive or any Website CMS to Meet New FFIEC Guidelines with Multi-Factor Authentication

Mon, 01 Aug 2011 09:20:00 -0400

The latest FFIEC security guidelines recommend that financial institutions add multi-factor authentication (MFA) to all Internet systems, including website content management systems. Our 2011 InetActive includes multi-factor authentication support, but the older versions do not, nor do most other website content management systems (CMS).

Thanks to Authly®, we now can offer an affordable solution to add MFA to your older InetActive or other website CMS.

Authly works by generating a one-time use pass code when you logon to InetActive. Authly delivers this pass code to either your cell phone via a text message or to your email address. The pass code expires in 60 seconds or immediately after you’ve used it. This helps make it very difficult for hackers to gain access to InetActive even if they somehow steal or guess your username and password.

What is Multi-factor Authentication?

Multi-factor Authentication is the act of verifying a user by something they have, a pass code sent to a cell phone, with some thing(s) they know – like a username and password.

How much does Authly cost?

There are two costs involved in adding multi-factor authentication to any website.

Integration: $1,500 (typical InetActive integration)
Monthly Authly service: $50.00 (up to 500 logon codes per month)