orions'

COMPUTER LECTERNS

2009-02-09T00:52:00.001-08:00

Advantages of a custom website versus using a Website Builder Tool

2009-01-11T21:46:00.000-08:00

The internet has revolutionized business all around the globe. Almost every competent new or existing business wishes to exploit the incredible potential of the internet, and the first step is to have a web site designed done and maintained by a professional web site design service or build and maintain it yourself. One of the first things to consider is your computer ability. If you despise computers and software and find them confusing and frustrating then building your own website can be quite a task. One that you may not want to undertake. However, if you enjoy working with computers and learning new things or if you just have the patience to stick with it, then building a website is within your grasp. You may also decide to do it yourself to save cost. If you still feel that you want to build your own site you should choose software that is easy to use and user friendly.

Your website should be as unique as you and your business. You should select the website that is specialized in what will meet all your needs, both now and in the future. Custom based websites are for those who already have a website but are looking for those special finishing touches that quality custom graphics can provide. Designer graphics can make your website stand out above the rest and a custom website specializes in taking your original graphic or photo and turning it into a unique work of art. Quality graphics make an incredible difference in the visual appeal of your website.

Actual site "content" continues to be essential to the success of a website. More often than not though, visual appeal is the determining factor as to whether or not a client or customer will remain on a website long enough, to actually see the product or service the business is providing. Custom websites are for those who don’t have the time to design or create, but want to get things mush better and fast with a nice graphics.

Web site builders are online tools which anyone can use to build a professional looking Web site without programming and have it hosted instantly. No software to buy, no code to learn, all you need is to be a little Internet savvy and know how to click your mouse.

Most business owners today know that having a web site is an essential component of marketing. In the past, the choices were to hire a professional web designer, hire a local teenager to create a site for mall money, or learn to do it yourself. The last two options, are the least expensive, and were the preferred method for small businesses. The results are often not what businesses need to grow, reach, and impress new potential customers, however. They seem good at the start but quickly become limiting.

If you operate or manage a business, you surely must realize the increase in e-commerce taking place today. Many businesses find themselves searching for the best way to increase their exposure on the internet, and for most a website is the first course of action. As most businesses operate on firm budgets, finding cost effective solutions are usually one of the first thoughts when looking to make new purchases. When it comes to creating a website there are many affordable software programs that can produce professional results. Business software should be capable of handling your needs today and in the future. Business are always changing, adding new products, changing or removing old products, offering specials, having sales, etc. By choosing a business website builder over a professional web designer you will be able to make changes to your website whenever you want to. Another benefit is that you will be avoiding the high costs associated with developing the website and costs for making any necessary changes.

Website Builder tools advantages to you are increased revenue, cost control, caters to the large demand existing for web designing in the SME sector and can increase the client base without adding to your overhead. The advantage that your customers gets is a professional quality website, up and running in minutes and a User friendly and easily customizable interfaces that gives a complete website with all its frills and features and a nice attractive design. The downside is that you are limited to the look and functions of the tool and the templates or designs they provide.

On of the advantage of a custom website design is that the web site will look and function exactly as you want. A custom made web site can promote your brand and increase sales. The functionality and design of your website is important, because the images and text on the screen can make an indifferent visitor turn into a keen client, and the goal is to optimize your site to evolve maximum traffic conversion.

As more and more people are starting their own small home business many are finding that having a website is an important factor to consider. When one starts to consider building a website, especially the novice, many questions arise including…. can I create a website myself or should I hire a professional?

Hiring a professional is a great way to go if you can afford it. Although there are several things to keep in mind: how much will it cost? How much will ongoing maintenance cost? What will changes cost? How long will changes take? etc. As a result, many people opt to build their own website and begin searching for software that can easily help them.

As you start searching for an easy web site builder, there are some factors that you should take into consideration so that your new software will serve you now and the future.

There is quite a variety of easy web site building software and content management(CMS) based websites on the market today. In addition, some of the software available today is very expensive, geared more for the professional web designer, and come with a huge learning curve.

The options for small businesses to get a site developed have changed from the past. There are now sophisticated "site builder" tools available to small business owners, bundled with many web hosting packages. By using templates, and a content management system to manage updates to the site, it became easier to set up and maintain a web site, and many development companies have canned this functionality, for a fee. Hosting providers are increasingly offering tools to automate the web site building process, and with good reason. This new option has many benefits, as long as the business owner recognizes that there are trade offs and limitations to getting a web site this way. Some of the downsides are…the design is limited to their predefined templates. The functionality is limited to the tool. Also, in most website builder tools it is hard to perform search engine optimization, which is essential for a site to be found in the major search engines.

One of the biggest attractions for site building tools is the cost. It won't necessarily cost less to get your site this way, but it does provide a way to spread the cost over time. The cost for a custom website varies as per the feature and function it carries with itself.

Many people are concerned with building their own website, fearing boring designs and complexity. However, it is now becoming apparent that there are many custom web site builder software products on the market that promise dynamic layouts, professional templates, and user friendly web design tools. The professional web designers know there are a few more things to know, but sometimes they find some irony in the fact that web developers, in their quest to improve and better the web, have made themselves "optional". Most site building tools today are very robust, making it simple to add forms, searching, maps, guest books, calendars, and a whole variety of elements to a web site. Even better, the hosting company sometimes offers an entire suite of services - the site builder, email marketing, search engine optimization and statistics, all in one package along with the hosting.

There is also a possibility that the service will require you to keep some branding on the site telling people that you used their website designs and tools. This is more common with the free site builders - which pay for themselves by putting ads on your site. If your goal is to build a business web site, it's really not worth sacrificing your professional image by getting something free, which screams CHEAP.

Low quality websites sometimes attempt to sell expensive products or services. These websites cannot succeed. Studies reveals people spend more time on a well designed web page than on a low quality web page. There is a comparative relationship between the amount of time that an average visitor will spend on a web page and the amount of time that was spent building the web page.

Websites are an important aspect of online businesses. They are the first face of interaction between the user and the business. The website creates the first impression on the user and hence needs to be effective and impressive too. It is the job of web design services to make the website user friendly and search engine friendly too, so that it can serve the purpose of both effectively.

A tool can make things happen - but if you don't know what to make happen, it is either a useless tool or a dangerous one. There is a learning curve in knowing how to present information online (called information architecture in the profession), as well as for using the site builder. In other word, the fuller featured the tool; the more there is to learn. If you aren't familiar with color theory, use of typography, information architecture, navigation and interface design, and page layout and design, you can potentially make something that will hurt your business more than help it. So, unless you are already computer and web savvy, figuring out all the features within your web hosting and site builder package can be time consuming and frustrating.

In the end there are ways that a business can take advantage of these new options and still create a functional and professional web site. One way is simply take your time and research the available website templates, and find the one that has the most features and flexibility, that meet your functional requirements. In other words, spend the time to learn the things a seasoned pro would bring to the table. The internet is a massive library of "how to" information, where you can literally teach yourself anything - and with enough time spent, you could potentially learn how to layout information, what colors and fonts work well together, how to conduct your marketing online and optimize the site for search engines. The second is choosing the best suitable custom website design company and work with them to build a professional website that meets your needs get your imaginations carried and make business a greta success.

About HostChart.com

HostChart, a Web Hosting Company Resource, is a leading web hosting directory website that has been in business for over 5 years. They provide numerous web hosting articles and tutorials as well as news, interviews, and reviews. You can use their extensive set of tools to research and evaluate your current or future web hosts. HostChart is a Property of Advantage1 Web Services, which also operates ResellerConnection.com, a a href="Reseller" class="hft-urls">http://www.resellerconnection.com">Reseller Web Hosting Resource, HostingKnowledge.net, and FoundHost.com, a a href="Budget" class="hft-urls">http://www.foundhost.com">Budget Hosting Resource.

The Importance of Play

2009-01-11T21:41:00.000-08:00

For children, play is naturally enjoyable. And since it is their active engagement in things that interest them, play should be child-led, or at least child-inspired, for it to remain relevant and meaningful to them. Children at play are happily lost in themselves; they are in their own realm of wonder, exploration, and adventure, pulling parents in at times with a frequent “Let’s play, mom!” as an open invitation into that world.

As early as infancy, children immerse themselves in play activities with the purpose of making sense of the world around them. Play gives children the opportunity to learn and experience things themselves, which is vital for their development. Although peek-a-boo games seem pointless to adults, tots are awed by the surprise that awaits them as they see the suddenly emerging faces of people they love.

(Stages of Play)

During toddlerhood, children experience a motor-growth spurt that equips them to solitarily fiddle with anything they can get their hands on – be it a construction toy or the box from where it came.

Toddlers also love breaking into song, wiggling and jiggling to tunes, and imitating finger plays they are commonly exposed to.

Preschoolers begin extending their play to involve others, whether they bring others in at any stage of their game or they plan their game and its players’ way ahead. Their physical and motor skills allow them to widen their lay arena, from dramatic play to table games to outdoor pursuits.

School-age children start appreciating organized play – such as innovated songs and rhymes, games with rules, relays and other physical activities, sports and projects that they can accomplish over a certain time frame.

Play Perks:

Why the big fuss about playing? Play benefits the child in ways that might be a tad difficult for adults to imagine.

1. Play brings pure and utter joy.

A toddler who jumps into an empty box and runs around the house ‘driving a car’ shows the sheer happiness that play brings him or her. When children are asked what they did in school and they answer ‘play,’ it is a clear sign that these kids remember a feeling of genuine joy that is captured in this four-letter word.

2. Play fosters socio-emotional learning.

What does a ten-month-old baby who shrieks at the sight of her stuffed toy have in common with a ten-year-old boy who plays basketball with his friends? They both deal with their confidence as they choose to embark on their play activities. At the same time, they are displaying their independence in the decisions that they make. These two children are also internalizing social rules in their respective play situations: the baby waits patiently for her stuffed toy to appear, while the school-age child has to contend with an impending loss in a ball game.

3. Play hones physical and motor development.

Play often involves the use of the senses, the body, and the extremities. When children play, they exercise their bodies for physical strength, fluidity of movement, balance and coordination.

Perceptual-motor ability, or the capacity to coordinate what you perceive with how you move, is an essential skill that preschoolers need to develop. A three-year-old who is engrossed in digging, scooping, and pouring sand into a container must match his or her perception of the space in front of him or her with actual hand movements, so that he or she can successfully fulfill the motor activity.

4. Play facilitates cognitive learning.

Play is vital to the intellectual development of a child. We live in a symbolic world in which people need to decode words, actions, and numbers.

For young children, symbols do not naturally mean anything because they are just arbitrary representations of actual objects. The role of play is for the child to understand better cognitive concepts in ways that are enjoyable, real, concrete, and meaningful to them. For instance, through play, a child is able to comprehend that the equation 3 + 2 = 5 means ‘putting together’ his toy cars by lining them up in his makeshift parking lot. When he combines 2 triangles to make a square during block play, or writes down his score is a bowling game, the child is displaying what he knows about shapes and numbers.

Through play, the child is constructing his or her worldview by constantly working and reworking his understanding of concepts.

5. Play enhances language development.

Toddlers who are still grappling with words need to be immersed in oral language so they can imitate what they hear. They benefit from songs and rhymes that provide the basis for understanding how language works.

When these tots are playing with toys, adults model to them how language is used to label objects or describe an event. At play, preschoolers use language to interact, communicate ideas, and likewise learn from dialogues with more mature members of society.

6. Play encourages creativity.

Barney the dinosaur was right about using imagination to make things happen. A lump of Play-Doh suddenly turns into spaghetti with meat sauce and cheese; a small towel transforms into a cape that completes a superhero’s wardrobe; and a tin can serves as a drum that accompanies an aspiring rock artist. Play opens an entire avenue for children to express themselves, show what they know and how they feel, and to create their own masterpieces.

7. Play provides bonding opportunities.

Play is an important factor in child development. It provides for interaction, experimentation, and moral development. Here are some ways by which parents can encourage and support their children’s playtime.

- Let your child be the player-leader. Let children initiate their activity, set their own theme, choose the parameters where the play will take place. Play becomes a venue for children to express their feelings and be in control.

- Help them help themselves. When your 5-year-old asks for help, say, figuring out how to piece a puzzle together, stop yourself from coming to her rescue and first ask your child questions that allow him or her to help himself or herself. Say, “Where do you think this piece should go?” Afterward, commend his or her success.

- Play attention. Once you make a commitment to play with your child, watch for the following signals: Does he or she want you to actively play a part in the activity? Does he or she need encouragement? Is he or she tired or hungry? Does he or she need to take a break?

- Have a play plan. If you seem to have little time for playing with your child, consider using self-care chores to have fun with him or her. Also, get support from other people in your household, like older siblings, household help, or the child’s grandparents, so that they understand why play is important and how they should continue to encourage it.

Can Data Breaches Be Expected From Bankrupt Mortgage Lenders?

2009-01-11T21:38:00.001-08:00

The stock market is in a tumult. Actually, it has been for about a year, ever since the subprime fiasco (anyone take a look at Moody's performance over the past year?) Now that that particular issue has been beaten to death, other mortgage related issues are cropping up. Most of the stuff covered in the media is financial in nature, but some of those mortgage related issues do concern information security.

It's no secret that there are plenty of companies in the US that discard sensitive documents by dumping them unceremoniously: leave it by the curb, drive it to a dumpster, heave it over the walls of abandoned property, and other assorted mind boggling insecure practices. In fact, MSNBC has an article on this issue, and names numerous bankrupt mortgage companies whose borrowers' records were found in dumpsters and recycling centers. The information on those documents include credit card numbers and SSNs, as well as addresses, names, and other information needed to secure a mortgage.

Since the companies have filed for bankruptcy and are no more, the potential victims involved have no legal recourse, and are left to fend for themselves. In a way, it makes sense that companies that have filed for bankruptcy are behaving this way. (Not that I'm saying this is proper procedure.) For starters, if a company does wrong, one goes after the company; however, the company has filed for bankruptcy, it is no more, so there's no one to "go after." In light of the company status, this means that the actual person remaining behind to dispose of things, be they desks or credit applications, can opt to do whatever he feels like. He could shred the applications. He could dump them nearby. He could walk away and let the building's owner take care of them. What does he care? It's not as if he's gonna get fired.

Also, proper disposal requires either time, money, or both. A bankrupt company doesn't have money. It may have time, assuming people are going to stick around, but chances are their shredder has been seized by creditors. People are not going to stick around to shred things by hand, literally.

Aren't there any laws regulating this? Apparently, such issues are covered by FACTA, the Fair and Accurate Credit Transactions Act, and although its guidelines require that "businesses to dispose of sensitive financial documents in a way that protects against 'unauthorized access to or use of the information'" [msnbc.com], it stops short of requiring the physical destruction of data. I'm not a lawyer, but perhaps there's enough leeway in the language for one to go around dropping sensitive documents in dumpsters?

Like I mentioned before, inappropriate disposal of sensitive documents has been going on forever; I'm pretty sure this has been a problem since the very first mortgage was issued. My personal belief is that most companies would act responsibly and try to properly dispose of such information. But, this may prove to be a point of concern as well because of widespread misconceptions of what it means to protect data against unauthorized access.

What happens if a company that files for bankruptcy decides to sell their company computers to pay off creditors? Most people would delete the information found in the computer, and that's that-end of story. Except, it's not. When files are deleted, the actual data still resides in the hard disks; it's just that the computer's operating system doesn't have a way to find the information anymore. Indeed, this is how retail data restoration applications such as Norton are able to recover accidentally deleted files.

Some may be aware of this and decide to format the entire computer before sending it off to the new owners. The problem with this approach is the same as deleting files: data recovery is a cinch with the right software. Some of them retail for $30 or less-as in free. So, the sensitive data that's supposed to be deleted can be recovered, if not easily, at least cheaply-perhaps by people with criminal interests.

Am I being paranoid? I don't think so. I've been tracking fraud for years now, and I can't help but conclude that the criminal underworld has plenty of people looking to be niche operators, not to mention that there are infinitesimal ways of defrauding people (look up "salad oil" and "American Express," for an example). An identification theft ring looking to collect sensitive information from bankrupt mortgage dealers wouldn't surprise me, especially in an environment where such companies are dropping left and right.

The economics behind it make sense as well. A used computer will retail anywhere from $100 to $500. The information in it, if not wiped correctly, will average many times more even if you factor in the purchase of data recovery software. Criminals have different ways of capitalizing on personal data, ranging from selling the information outright to engaging in something with better returns.

Is there a better way to protect oneself? Whole disk encryption is a way to ensure that such problems do not occur: One can just reformat the encrypted drive itself to install a new OS; the original data remains encrypted, so there's no way to extract the data. Plus, the added benefit is that the data is protected in the event that a computer gets lost or stolen. However, commonsense dictates that encryption is something ongoing concerns sign up for, not businesses about to go bankrupt. My guess is that sooner or later we'll find instances of data breaches originating from equipment being traced back to bankrupt mortgage dealers.

The stock market is in a tumult. Actually, it has been for about a year, ever since the subprime fiasco (anyone take a look at Moody's performance over the past year?) Now that that particular issue has been beaten to death, other mortgagerelated issues are cropping up. Most of the stuff covered in the media is financial in nature, but some of those mortgagerelated issues do concern information security.

It's no secret that there are plenty of companies in the US that discard sensitive documents by dumping them unceremoniously: leave it by the curb, drive it to a dumpster, heave it over the walls of abandoned property, and other assorted mindboggling insecure practices. In fact, MSNBC has an article on this issue, and names numerous bankrupt mortgage companies whose borrowers' records were found in dumpsters and recycling centers. The information on those documents include credit card numbers and SSNs, as well as addresses, names, and other information needed to secure a mortgage.

Since the companies have filed for bankruptcy and are no more, the potential victims involved have no legal recourse, and are left to fend for themselves. In a way, it makes sense that companies that have filed for bankruptcy are behaving this way. (Not that I'm saying this is proper procedure.) For starters, if a company does wrong, one goes after the company; however, the company has filed for bankruptcy, it is no more, so there's no one to "go after." In light of the company status, this means that the actual person remaining behind to dispose of things, be they desks or credit applications, can opt to do whatever he feels like. He could shred the applications. He could dump them nearby. He could walk away and let the building's owner take care of them. What does he care? It's not as if he's gonna get fired.

Also, proper disposal requires either time, money, or both. A bankrupt company doesn't have money. It may have time, assuming people are going to stick around, but chances are their shredder has been seized by creditors. People are not going to stick around to shred things by hand, literally.

Aren't there any laws regulating this? Apparently, such issues are covered by FACTA, the Fair and Accurate Credit Transactions Act, and although its guidelines require that "businesses to dispose of sensitive financial documents in a way that protects against 'unauthorized access to or use of the information'" [msnbc.com], it stops short of requiring the physical destruction of data. I'm not a lawyer, but perhaps there's enough leeway in the language for one to go around dropping sensitive documents in dumpsters?

Like I mentioned before, inappropriate disposal of sensitive documents has been going on forever; I'm pretty sure this has been a problem since the very first mortgage was issued. My personal belief is that most companies would act responsibly and try to properly dispose of such information. But, this may prove to be a point of concern as well because of widespread misconceptions of what it means to protect data against unauthorized access.

What happens if a company that files for bankruptcy decides to sell their company computers to pay off creditors? Most people would delete the information found in the computer, and that's that-end of story. Except, it's not. When files are deleted, the actual data still resides in the hard disks; it's just that the computer's operating system doesn't have a way to find the information anymore. Indeed, this is how retail data restoration applications such as Norton are able to recover accidentally deleted files.

Some may be aware of this and decide to format the entire computer before sending it off to the new owners. The problem with this approach is the same as deleting files: data recovery is a cinch with the right software. Some of them retail for $30 or less-as in free. So, the sensitive data that's supposed to be deleted can be recovered, if not easily, at least cheaply-perhaps by people with criminal interests.

Am I being paranoid? I don't think so. I've been tracking fraud for years now, and I can't help but conclude that the criminal underworld has plenty of people looking to be niche operators, not to mention that there are infinitesimal ways of defrauding people (look up "salad oil" and "American Express," for an example). An identification theft ring looking to collect sensitive information from bankrupt mortgage dealers wouldn't surprise me, especially in an environment where such companies are dropping left and right.

The economics behind it make sense as well. A used computer will retail anywhere from $100 to $500. The information in it, if not wiped correctly, will average many times more even if you factor in the purchase of data recovery software. Criminals have different ways of capitalizing on personal data, ranging from selling the information outright to engaging in something with better returns.

Is there a better way to protect oneself? Whole disk encryption is a way to ensure that such problems do not occur: One can just reformat the encrypted drive itself to install a new OS; the original data remains encrypted, so there's no way to extract the data. Plus, the added benefit is that the data is protected in the event that a computer gets lost or stolen. However, commonsense dictates that encryption is something ongoing concerns sign up for, not businesses about to go bankrupt. My guess is that sooner or later we'll find instances of data breaches originating from equipment being traced back to bankrupt mortgage dealers.

Can Data Breaches Be Expected From Bankrupt Mortgage Lenders?

2009-01-11T21:38:00.000-08:00

Shopping Safely Online

2009-01-08T02:10:00.001-08:00

Online fraud can take many forms from non-delivery of goods to non-return of damaged
goods. In many cases, online fraud can be deterred by following a few simple practices.
Just as consumers should take obvious measures to protect themselves in brick-and-mortar
stores – not leaving a purse in an unguarded shopping cart, protecting their PIN (personal
identification number) at checkout, not carrying large amounts of cash in their wallets –
online shoppers should consider sensible precautions, as well.
1. Learn as much as possible about the product and seller: Shoppers will feel more
secure and confident if they are familiar with the merchants from whom they’re buying.
The Internet offers the platform for retailers to provide information about their
companies and histories while the buyers are empowered to do their research about
the products and companies. Shoppers might also learn about a retailer from its
reputation, from previous purchases, from referrals through friends or from reviews
and comments by other shoppers found online.
2. Understand the retailers’ refund policies: Look for and ask about what the refund
policies are. Questions to ask include: the required timeframe a buyer must contact
the retailers and return the items, if a full refund will be offered or a merchandise
credit, and if an item that has been opened can be returned. For retailers without
refund policies, consumers can use buyer protection programs from either the site or
through the payment method. This ensures that if there is a problem with a transaction,
the payment will be covered or refunded as a result of the protection guarantee.
3. Choose a secure password to protect account information: Many people use passwords
for online stores that could be guessed, like their birthday, Social Security
Number or a family member’s name. Instead, a password should contain a
combination of upper and lower case letters and numbers and symbols that no
one else will know.
4. Use a secure checkout and payment process: Many Web sites use a technology
called Secure Sockets Layer (SSL) to encrypt the personal and financial information
sent over the Internet. To know if the retailer is offering a safe checkout process, look
for the logos from companies like VeriSign or TrustE logo. A browser will also display
the icon of a locked padlock at the bottom of the screen to indicate encryption.
When it comes to choosing which method to use when paying online, consumers
should take precautions when entering credit card or checking account information
at each online retailer they visit. By entering this on several different merchant Web
sites, the likelihood of this information being compromised increases. A safe and
easy-to-use payment service allows shoppers to enter account information only once
at a highly secure and reputable site that protects this financial information from
merchants and other intruders. Future purchases should be made from that one
account to avoid the need to enter credit card information separately into the Web
sites of individual retailers.
5. If an offer sounds highly suspicious or too good to be true, it probably is: As with
any purchase, shoppers should read the fine print (or, in some instances, click the
links describing the purchase agreement). While Internet shops frequently offer lower
prices than brick-and-mortar stores, shoppers should be wary of unreasonably low
bargain prices or unusually attractive promises.

E-commerce 2006

2009-01-08T02:09:00.001-08:00

• In 2006, e-commerce grew faster than
total economic activity in all of the four
major economic sectors covered by the
E-Stats report. However, change over
time in the e-commerce share of each
sector’s overall shipments, sales, or
revenues continue to be gradual.
• In 2006, as in prior years, Manufacturers
and Merchant Wholesalers relied far
more heavily on e-commerce than
Retailers or Selected Service
businesses. Manufacturers also
increased their use of e-commerce at a
faster pace.
• In 2006, as in prior years, business-tobusiness
(B-to-B) activity—by definition
here, transactions by Manufacturers and
Merchant Wholesalers—accounted for
most e-commerce (93 percent).
• Evidence from Merchant Wholesalers
indicates that B-to-B e-commerce relies
overwhelmingly on proprietary
Electronic Data Interchange (EDI)
systems.
Sector Highlights
This edition of E-Stats provides estimates of
e-commerce activity in key sectors of the
U.S. economy for 2006, revises previously
released 2005 estimates, and places these
estimates in historical context. Underlying
data are collected in four separate surveys
from approximately 137,700 manufacturing,
wholesale, service, and retail businesses.
The data show that in 2006:
• Manufacturers led all industry sectors.

e-shipments were concentrated. Six
manufacturing industry groups accounted for
more than 71 percent of the sector’s 2006
e-shipments: Transportation Equipment,
with 24 percent of all e-shipments ($383
billion); Chemical Products with 13 percent
($205 billion); Petroleum and Coal Products
at 10 percent ($160 billion); Food Products
at 10 percent ($154 billion); Computer and
Electronic Products at 8 percent ($121
billion); and Machinery Products at 6 percent
($93 billion). In 2006, these six industries
accounted for 63 percent of total
manufacturing shipments.
From 2005 to 2006, e-shipments grew
substantially in three manufacturing industry
groups: Textile Mills (65 percent), Textile
Product Mills (61 percent), and Food
Products (56 percent). Of these, one
group—Food Products was among the
largest e-shippers. Two other large
e-shippers, Paper Products, and Machinery
Products increased their e-shipments at a
vigorous pace—33 and 29 percent
respectively.
with e-commerce accounting for 31.2
percent ($1,568 billion) of total
shipments—up substantially for the fifth
straight year.
• Merchant Wholesalers, including
Manufacturing Sales Branches and
Offices (MSBOs), ranked second, with
e-commerce accounting for 20.6 percent
($1,148 billion) of total sales.
• Retailers’ e-commerce sales increased
by 22 percent. As a share of total retail
sales, however, e-commerce sales
remained modest—2.7 percent ($107
billion), up from 2.4 percent ($87 billion)
in 2005.
• E-commerce sales for Selected Service
Industries, a special group of service
industries created for the E-Stats report,
increased by 14.9 percent. E-commerce
accounted for 1.8 percent ($114 billion) of
these industries’ total revenues—up from
1.7 percent ($99 billion) in 2005.

linking customer behavior to e-commerce strategy

2009-01-08T01:36:00.000-08:00

In an article on Nov.13, 2000, in the Financial Times' Mastering Management
series, Wharton operations and information management professor Eric
Clemons and Wharton Ph.D. student Michael Row note the critical
importance of consumer behavior when it comes to establishing a web
retailing strategy. Below, the researchers look at the type of relationship
between buyer and seller, the scope of goods and services linking buyer and
seller, and the four competitive landscapes that result from the interplay of
these forces.
Consumer behavior should be the principal determinant of corporate ecommerce
strategy. While technology will improve, consumer loyalty, for
example, is likely to differ significantly between, say, online booksellers and
providers of financial services. Two factors seem critical in predicting behavior
and determining an appropriate e-commerce strategy.
First, what is the duration of the relationship between buyer and seller? That
is, does the buyer have a relationship with a favorite seller, in which they
come to learn about each other, or does the buyer search for a different
electronic vendor for each interaction? The former suggests an opportunity for
tuning offerings; the latter precludes stable relationships.
Second, what is the scope of goods and services linking buyer and seller?
Does the consumer purchase a single good or service, or a bundle of related
goods and services? The former suggests the consumer searches for the
provider of the best individual goods and services, while the latter suggests a
search for the best provider of a collection of goods and services.
Combining these indicates that different companies, in different industries, will
find themselves in one or more of four competitive landscapes.
Consumers buying products that can be described as opportunistic spot
purchases exhibit no loyalty; each purchase may be from a different vendor
and there is no one-stop shopping. They may buy a ticket from British Airways
one day and United the next, and book their hotels separately.
Opportunistic store markets occur when consumers exhibit no loyalty or
relationship continuity to brands or stores. Unlike the spot market, however,
they do use intermediaries to construct bundles of goods. They may shop at
Sainsbury one day and Tesco another; they may use Amazon.com one day
and Buy.com another.
Consumers buying in categories that may be described as loyal links exhibit
continuity when choosing vendors and service providers, but have no desire
to have bundles prepared for them. They may never leave home without their
American Express cards, but see no reason for their card issuer to be their insurance provider or financial planner.
Finally, consumers buying in categories that may be described as loyal chains
will have preferred providers. Additionally, they will count on these providers
for a range of tightly coupled offerings. They may work with a financial
consultant at Merrill Lynch who helps pick stocks, reminds them to draft a will
and arranges guardians for their children, helps find a lawyer and reviews their
insurance. The integrated service is so effective they seldom consider
switching providers or taking the time to provide these things for themselves.
Each of these environments has a different competitive feel, and requires a
different strategy and use of different assets. This is as true in the physical
world, where companies understand it pretty well, as it is in the dot-com world,
where companies are struggling to develop profitable strategies.
Note that no e-commerce company [operates in just one environment]. There
are, for instance, loyal link customers and companies may pursue them with
loyal link strategies, but in reality some customers may use a web site for spot
purchases and others may show great loyalty. The challenge for companies is
to guide the consumer to the behavior matching the company's strategy;
where this is not possible, companies should match the strategy to the
customer's behavior. The approach given here may help managers discover
the forces that determine their best strategy.

Opportunistic spot
Competition in opportunistic spot markets is based on price, since there is little
loyalty to influence consumers' decisions. This brutal competition is
exacerbated by nearly perfect web-based information. Thus, for standardized
products such the latest Harry Potter book, we observe both Amazon.com and
BN.com selling at cost price. Where possible, companies try to soften
competition by creating quality differences and ensuring consumers are aware
of them. However, this branding must be based on real differences, since with
nearly perfect information it is difficult to deceive consumers. There is a limited
role for intermediaries. They may reduce risk in conducting transactions, but in
most instances, consumers will buy from a set of trusted, well-known
manufacturers and service providers.
The Internet will be used for supply chain management and logistics to ensure
the lowest cost structure and the lowest prices. It will also support access to
information on consumers, both current and potential new accounts, to allow
the most accurate setting of prices where differential pricing is required. That
means no applicant for insurance can be undercharged based on inaccurate
risk assessment and no applicant for a credit card can be given too good a
deal. In a market where no one can be overcharged without losing the
account, there is little margin for error and little opportunity to recover from
under-charging anyone. The ability to predict the profitability of a new
customer, and so to determine a price to offer, is called predictive pricing.
It is essential to recognize consumers exhibiting opportunistic spot market
behavior and to develop an appropriate marketing and pricing strategy. For
example, in markets that exhibit this behavior, buying market share is unwise
since it can be acquired only temporarily; when prices are raised to cover
losses, customers will flee. Similarly, a policy of offering selected items below
cost as loss leaders to attract traffic will be unwise, because consumers may
easily purchase loss leaders from one site and the rest of their items
elsewhere. Only time will tell whether the market for books, CDs or DVDs exhibits this behavior, so it is too early to assess the validity of Amazon.com's
customer acquisition strategy or the promotional items of other web retailers.

Opportunistic store
In the absence of consumer loyalty, competition in opportunistic store markets
again is based on price; however, it is the pricing of bundles rather than
individual items that attracts consumers. Unlike spot markets, there are
opportunities for intermediaries to add value, through logistical savings
(shipping a box of books), or through assembly or integration (selling a
package tour or designing a digital imaging platform where camera, printer and
computer work together).
In this scenario, intermediaries enjoy power over manufacturers because
consumers select bundles with little attention to components. Thus, when filling
an order for paper towels, a grocer will use the product with the highest
margins. This pursuit of margins, in the absence of brand loyalty from
customers, shifts economic power to intermediaries.
Manufacturers will attempt to use the web for branding, to create consumer
awareness of product differences and to weaken intermediaries' power. While
it is dangerous to antagonize the existing channel in the opportunistic store
scenario by trying to sell directly, branding offers manufacturers the ability to
counter some of the power of intermediaries. As in the spot markets,
manufacturers will also use the Internet to improve efficiency. Intermediaries
will use the Internet to create branding for their web stores, so weakening
price competition. They will use customer information, as manufacturers did in
spot markets, for predictive pricing.
As in spot markets, no consumer can consistently be overcharged, so it is
difficult to recover from undercharging anyone. While loss leaders can work in
these markets, since a customer may fill a basket or obtain a bundle of
services, there is little loyalty to assure repeat business; thus, as in spot
markets, buying market share is risky since there is no assurance that initial
losses can be recouped by overcharging for later purchases.
Of course there may be reasons to buy share in a "scale-intensive" industry
where volume is needed to bring down unit costs. Indeed, some aspects of
online retailing, such as grocery shopping, may be extremely scale-intensive,
which could initially appear to justify buying share. However, without customer
loyalty, the danger is that capital will be spent more on training users to accept
online shopping and less on training users to accept your online shop.
Loyal Link
Competition in loyal link markets is based on retaining the best customers
through a careful blend of service and pricing. For the customer, relationship
value and pricing improve over time. For example, anecdotal evidence
suggests online PC seller Dell has succeeded in creating loyal link behavior in
customers, many of whom have bought several generations of computer from
Dell.
In fact, no incumbent should ever lose desirable business to an attacker. If a
less well-informed competitor were to attempt to persuade a loyal customer to
transfer his or her business, the current supplier could decide whether or not
to match the new offer. If the current supplier, with its detailed knowledge,
were to choose not to match the new offer, odds are that the new supplier is making an offer that is too low. Successful attempts to get customers to switch
in loyal link markets probably represent pricing mistakes by the attacker.
Relationship pricing and value work to soften pure price competition in loyal
link markets.
Buying market share will work under certain conditions, since it is possible to
learn enough to price effectively. However, buying market share is ineffective
without loyalty, as online brokerage firms are discovering; so it is critical to
assess whether the company is operating in an opportunistic spot or loyal link
market.
Using loss leaders in a link market will be unrewarding; offering online banking
below cost to gain credit card business is unlikely to succeed in a link market,
where customers will pick the best hotel and the best air service, or the best
online banking and the best credit offers, independently.
Systems will be used for branding and attracting customers and to support
relationship pricing and relationship service to keep the best accounts. These
markets may appear to have only a limited role for intermediaries; however,
intermediaries enjoy an advantage in controlling customer information and may
end up owning customer relationships.
Loyal Chain
Competition in loyal chain markets, as in loyal link markets, is based on
attracting and retaining the best customers and, as in loyal link, relationship
value and relationship pricing improve over time. However, in chain markets,
which are composed of a tightly coupled set of links, pricing to individual
customers and the value they receive are determined by a bundle of goods
and services.
Taking the earlier example of the digital-imaging platform, it may not be
necessary to replace all components when upgrading. However, if buying a
higher-resolution camera and a faster laptop, it is helpful to determine if the
new computer and the old printer and are compatible, otherwise the customer
may experience an unpleasant surprise if picking and choosing components in
a spot or link fashion. If the previous chain supplier is used to update the
components, unpleasant surprises are likely to be avoided, since his vendor
can be relied upon to provide components that are compatible with those
bought before. Evidence suggests Amazon has succeeded in encouraging a
degree of loyal chain behavior from its best customers, who value the book
recommendations made to repeat buyers.
Loyal chain markets represent a power shift from producers to intermediaries.
Online intermediaries can reconfigure the virtual store to show loyal
purchasers the brands they wish to see; customers without a preference can
be shown brands that earn the highest margins. Indeed, it is a small step from
this relationship-based presentation to demanding rebates from manufacturers
to ensure that their offerings will be shown to customers with no brand
preference. While physical stores charge a fee for preferred locations such as
displays near checkouts, they cannot reconfigure the store for each customer.
This shift in online power greatly increases the importance of branding for
manufacturers, because a powerful brand is the best counter to pressure from
retailers. It also suggests that, to the extent permitted by legislators,
manufacturers should form consortia for web retailing. This would avoid loss of
control to retailers with significant information advantage. However, a broad consortium is needed since online markets reward scope and breadth.
Intermediaries may effectively buy market share through pricing low, enabling
them to pursue informed relationship pricing over time. Likewise, they may use
loss leaders to increase traffic through their web site, selling other items to
consumers interested in a complete bundle.
Systems play many roles in chain markets. Intermediaries will use them for
branding, to attract customers and for informed relationship pricing and
service. Likewise, manufacturers will use the Internet for branding, so limiting
price pressure from online retailers. However, efficient markets still place
significant price pressure on retailers, assuring the role of systems for
logistics and other forms of cost control. Likewise, manufacturers and service
providers will use the web for their own cost control.
Conclusions
Three observations are true across all four competitive landscapes:
l Only differences between brands, and consumer awareness of them,
can blunt pure price competition in an efficient market.
l Cost control is important: efficient access to information makes it
almost impossible to overcharge.
l As online information makes markets more efficient, predictive pricing
will be used in spot and store markets, and relationship pricing in link
and chain markets. Pricing strategies will be limited by adverse publicity
that companies receive from charging different prices for the same
goods.
Other conclusions follow from these:
l The role of buying market share will vary. In opportunistic markets,
buyers will leave when you raise prices.
Similarly, the role of loss leaders will vary. In spot and link markets, consumers
will pick off loss leaders and do the rest of their shopping elsewhere. Once
customer traffic has been acquired, there is a chance to sell extra items.

Securing instant messaging in your corporation

2009-01-07T22:56:00.000-08:00

Instant messaging may soon become an indispensable business tool; however, the risks of using an
unsecured IM platform in corporations are high. This section explores the security issues introduced.
with the use of corporate instant messaging and offers best practices that can help in deploying a
secure IM platform.
UNDERSTANDING INSTANT MESSAGING AND CORPORATE FIREWALLS
Many corporate customers may wish to use their network firewall to block users from communicating
over insecure instant messaging systems. Unfortunately, out-of-the-box firewall configurations
are often not sufficient enough to block access to the latest generation of popular IM systems. These
IM systems were designed with firewalls in mind and employ a number of techniques to sneak past
corporate firewalls to reach their servers.
All IM clients are preconfigured with one or more TCP/IP network addresses that allow them to
connect to their IM server(s). Once connected, the clients can exchange messages with other
IM clients. Because many companies configure perimeter firewalls to block all Internet services
except for a small critical set (e.g., SMTP email, HTTP Web surfing, and DNS), IM providers have
designed their clients to tunnel over these commonly allowed Internet services, if required, and
slip past the corporate firewall .
For instance, if they initially encounter trouble connecting to their servers, many IM programs attempt
to contact these servers using network port number 80, the port used by browsers to surf the Web.
Given that most corporate firewalls are configured to allow any PC on the company network to surf the
Web, the firewall will pass transmissions through port number 80, including transmissions sent by an
IM client to contact its server. To the firewall, the IM client looks just like any other Web browser.
However unbeknownst to the firewall, the IM client sends messaging commands rather than Web
surfing (HTTP) commands to its server.5
Imagine that an instant messaging client is a fugitive on the run from the authorities. The fugitive
wants to cross a police roadblock (a firewall) on the main highway to reach his safe house (the instant
messaging server) and hide. Because the fugitive knows that the police are blocking traffic on all
lanes of the highway, he decides to take the bike path next to the highway (HTTP, port 80). Since the
police assume that only legitimate cyclists (Web surfers) will use the bike path, the fugitive can safely
slip by the roadblocks and reach the safe house. This analogy illustrates at a basic level how instant
messaging systems avoid detection by corporate firewalls.
In summary, to block instant messaging clients in a corporation, they must be prevented from reaching
their IM servers. To do this, the firewall administrator must add either the server address name(s)
(e.g., instantmessageserver.chatservice.com) or the server IP addresses (e.g., 11.22.33.44, 11.22.33.45)
to the firewall block list for every instant messaging service to be blocked. Given that some IM systems
(such as IRC) can connect to multiple independent servers, blocking these systems may require a fair
amount of research; however, this is the only way to achieve the desired results with any certainty.
UNDERSTANDING INSTANT MESSAGING FILE TRANSFERS AND CORPORATE FIREWALLS
Because existing instant messaging systems use peer-to-peer communications to send files
between users (rather than communicating through a central server that can be tweaked to allow
access), it is much easier to configure perimeter firewalls to block file transfers than to block simple
message exchanges.
The best way to block file transfers at the corporate firewall is to add rules to block the port number(s)
used by popular IM products for peer-to-peer file transfers. This ensures that any attempt to transfer
files through the firewall using one of these IM systems will be stopped. However, transfers between
two users within the corporation will not be blocked by this technique. Furthermore, at least one
existing commercial instant messaging system provides file transfer mechanisms that allow users to
sneak past corporate firewalls. For this reason, and because no current commercial corporate firewalls
scan instant messaging file transfers for viruses, organizations should deploy antivirus software on all
desktops to detect any infections entering through IM services.
In the future, we will likely see the commercial release of new firewall products and other types of
proxies that can scan IM file transmissions traveling between the corporation and the Internet.
Symantec is currently investigating various solutions in this space.
INSTANT MESSAGING BEST PRACTICES
Symantec recommends the following best practices for securely deploying instant messaging
systems within an enterprise:
Establish a corporate instant messaging usage policy
Given the risks involved in using public instant messaging systems, corporations should consider
prohibiting the use of public instant messaging systems entirely, or ask employees to refrain from
using public instant messaging systems for business communications.
Properly configure corporate perimeter firewalls
System administrators should configure perimeter firewalls to block all non-approved instant messaging
systems. Given that the firewall must block both messaging and file transfers, adding firewall rules for
both cases is also a good practice.
To block messaging, an administrator may add rules to their firewall to block access to all popular IM
servers. If this is not feasible, administrators can configure firewalls to block commonly used IM port
numbers from all clients on the network. Note, however, that this still permits properly configured IM
clients to tunnel through the firewall.
To block file transfers, system administrators can identify the port number(s) used for peer-to-peer file
transfers by each IM product and configure the firewall to block all communications over those port(s).
Deploy desktop antivirus software
Because current corporate firewalls are unable to scan IM file transfers for computer viruses, worms,
and Trojan horses, it is imperative for an enterprise to roll out up-to-date antivirus protection on all
desktops. Desktop antivirus is currently the last—and only—line of defense against IM-delivered
malicious code.
Employ personal firewalls to ensure policy compliance
Personal firewalls like the Symantec™Desktop Firewall (SDF) can be configured to prevent uncertified
and unapproved programs, including unapproved IM products, from communicating over the Internet.
A desktop firewall can provide far more granular protection than a perimeter firewall because
the desktop firewall can be configured to permit or deny communications on a per-program basis
(e.g., Chat Program A can use the Internet, but Chat Program B cannot use the Internet), whereas
the perimeter firewall can provide only a blanket policy for the entire machine.
Deploy corporate instant messaging servers
If at all possible, a corporation should deploy a secure instant messaging server on the company
network and configure all IM clients to connect to this server.
A number of private companies offer IM products for sale to corporations. In addition, systems such
as IRC can be obtained for very reasonable prices (or for free). Deploying one or more IMservers within
the corporate network to ensure that all internal IM communications are kept behind the corporate
firewall is a valuable practice.
Recommended instant messaging client settings
If a corporation chooses to use an external instant messaging system—one whose servers are operated
by the instant messaging provider—the following security practices should be kept in mind:
1. For the best security, do not use any external IM system that does not employ a certified
encryption system.
2. Configure all IM clients so that they will accept chat requests only from users specified in
employees’ buddy lists. This prevents attackers from connecting to computers on the network
and sending malicious code. Only those users explicitly specified by employees should be able
to contact them.
3. Configure the IM system to either block file transfers or allow such transfers only from users
specified on the buddy list. If this is not feasible, configure the IM software to prompt the
employee before all file transfers.
4. Configure the IM system to use antivirus software to scan file transfers, if supported.
5. Configure IM accounts so they are not listed on public servers. This further prevents unsolicited
chat requests.
Install all instant messaging patches as soon as possible
System administrators should roll out new fixes as soon as possible when security holes or bugs are
found in corporate instant messaging systems. CodeRed, Nimda, and even the Internet Worm of 1988
all used known vulnerabilities to spread to new systems. It is likely there will be future attacks on instant
messaging systems employing similar techniques.
Use vulnerability management solutions to ensure policy compliance
Corporations should consider using vulnerability management (VM) tools, such as the Symantec
Enterprise Security Manager (ESM), to ensure that users don’t change IM client settings in a manner
that violates company policy. Such tools can provide system administrators with an overall view of IM
policy compliance and facilitate the process of updating machines that violate policy. VM tools also help
administrators determine whether IM software is up-to-date, whether users are running versions with
security holes or buffer-overflow vulnerabilities, and whether users are running company-required
antivirus and personal firewall packages.

Instant messaging vulnerabilities and exploits

2009-01-07T22:51:00.000-08:00

This section describes significant vulnerabilities that are present in common instant messaging
systems and the types of attacks that can exploit them. A discussion on safeguarding corporations
from these threats immediately follows in the next section entitled “Securing instant messaging in
your corporation.”
EAVESDROPPING0
Given that most IM systems do not encrypt network traffic, a determined third-party can eavesdrop
on conversations between two IM users using a packet sniffer or similar technology. As discussed
previously, this holds true for both client-server and peer-to-peer messaging models.
ACCOUNT HIJACKING
Many instant messaging systems are vulnerable to account hijacking or spoofing, allowing an attacker
to hijack another user’s instant messaging account and impersonate that user in conversations with
others. A number of Web sites provide do-it-yourself tools or describe techniques for launching such
an attack.
Password protection is very limited in most instant messaging systems. Some IM systems store
user passwords in data files on the client’s PC. In some cases, these passwords are encrypted; in
other cases, they are plainly visible. There currently exists at least one Web site that gives detailed
instructions on how to crack the password encryption scheme for one popular IM system.
DATA ACCESS AND MODIFICATION
Like all Internet-enabled software, IM programs could have bugs that may be exploited by attackers
over the Web. Using attacks such as buffer overflows or malformed data packets, an attacker could
gain access to a PC on which a vulnerable IM client is installed. Given the large number of ancillary
features present in many IM products, there are numerous potential areas for attack.
As an example, in May 2002, a hacking group known as w00w00 identified a vulnerable piece of
computer code in a popular instant messaging program. This vulnerability could have been exploited
by an attacker to gain full access to targeted systems. From there, the attacker could have installed
computer viruses, stolen or deleted data, and even grabbed passwords. Fortunately, the IM vendor
moved quickly in this situation and issued a fix for the vulnerability to protect their customers.
WORMS AND BLENDED THREATS
Like email systems, instant messaging platforms provide the enabling technologies that are needed
for spreading worms and blended threats (such as CodeRed).
First, the instant messaging software provides a robust communications channel between system
users. Second, virtually all IM software products maintain a list of buddies with whom the user
frequently interacts. Like email address books, buddy lists can be leveraged as hit lists to spread
a worm rapidly through the IM user base. Lastly, some of the instant messaging systems are
scriptable or programmable, providing malicious programs targeted at these systems with a
mechanism by which to spread.
Given the ubiquity of popular instant messaging systems, a blended threat targeted at such a system
could potentially spread to tens of millions of personal and business computers in just a few hours. Once
in each system, a worm could delete data, install back doors, and possibly export critical data.
Symantec™ experts predict that such an attack will more than likely happen within the next decade, if not
sooner. The fast growth of broadband Internet connections will only exacerbate these security problems.
Blended threats and computer worms can spread through instant messaging systems in two ways:
by leveraging IM scripting and by exploiting a buffer overflow or other vulnerability in an instant
messaging system.
Scripting instant messaging threats
As described earlier, IM systems provide scripting capabilities that let other programs or script files
(e.g., Visual Basic or JavaScript) control the client IM software via simple programming commands. By
taking advantage of such commands, malicious code can use the IM system as a communications
platform to send itself into other members of the system, change program settings, steal confidential
information, and perform other potentially malicious actions. Similar functionality in traditional email
clients has been exploited in the past by malicious worms such as LoveLetter and SirCam.
There are dozens of real-world worms that propagate using IRC as a communications platform.
These worms are written in a scripting language provided by popular IRC client software and typically
work as follows: a user with a computer that has been infected by a worm joins a discussion group
and begins chatting. As subsequent (and still as yet uninfected) users join the same chat group, the
worm detects the new users and sends a copy of itself to them in the form of a script file. In some
instances, the receiving user is prompted to open the file; in others, the user receives no notification.
Once the worm infects the new computer, the cycle begins anew.
In addition to IRC worms there now exist a number of Windows®-based worms targeted at certain
IM systems. These worms use scripting techniques similar to those used by the Nimda and
LoveLetter and SirCam threats, to send themselves from user-to-user via instant messaging software.
Fortunately, none of these worms have been widespread so far, but they clearly demonstrate that
instant messaging platforms are susceptible to such attacks.
INSTANT MESSAGING THREATS THAT EXPLOIT VULNERABILITIES
As we have seen with CodeRed and Nimda, it is possible to construct a blended threat that spreads
without user interaction by exploiting vulnerabilities in an Internet-enabled software platform such as
a Web server. In the future, we could see similar worms or blended threats that exploit bugs or other
vulnerabilities in client-side IM software. Such a threat could, for instance, use a buffer overflow
attack on an IM client program to gain access to a new system. Once in the system, it could access
the user’s buddy list to gain a new set of targets.
This is an area of great concern, given the speed at which such a threat could possibly spread
and the large number of machines the threat could affect. While CodeRed was able to attack
several hundred thousand Internet servers in hours, a well-crafted IM-based worm would have the
potential to hit millions or even tens of millions of home computers or wireless devices in the same
amount of time.
Denial-of-Service
Like other communications systems, instant messaging platforms are susceptible to denial-of-service
attacks. For example, an attacker could send large numbers of specially crafted TCP/IP packets to IM
servers residing in the IM provider’s infrastructure to prevent legitimate messages from flowing
through the system. This would be similar to the denial-of-service attacks launched on major Internet
properties in the last few years. Alternatively, an attacker could send large numbers of packets to a
specific user or set of users to flood them with chat or file transfer requests.
Instant messaging server vulnerabilities
While many security experts have focused on the vulnerabilities of IM clients, it is also important to
consider potential IM server vulnerabilities. If attackers gained access to these servers, they could also
eavesdrop on all conversations, impersonate any user, launch denial-of-service attacks, or spread
malicious threats with little effort. Recall that little, if any, IM traffic is encrypted, meaning that an
attacker in control of an IM server can gain access to the contents of every transmission.

Instant messaging primer

2009-01-07T22:14:00.000-08:00

While instant messaging may seem like a new technology, it is actually decades old. The first system,
IRC, was developed in 1988 by Jarkko Oikarinen3. Still in use, this system allows users to form ad-hoc
discussion groups, chat with one another, and exchange files. Since the introduction of IRC, many
new IM systems have been launched; for example, ICQ, AOL Instant Messenger, MSN Messenger, and
Yahoo Messenger. While each of these offers different features, they all provide the same basic
zxservice: peer-to-peer real-time chatting and file transfer capabilities.

INSTANT MESSAGING AND CLIENT-SERVER COMMUNICATIONS
Virtually all IM systems employ the same basic client-server
architecture. Users install instant messaging clients on their
client machines—desktop computers, wireless devices, or
PDAs, for example—and these clients communicate with an
IM server in the messaging provider’s infrastructure to locate
other users and exchange messages. In most instances,
messages are not sent directly from the initiating user’s
computer to the recipient’s computer, but are sent first to
an IM server, and then from the IM server to the intended
recipient. (See Figure 1.)
In the majority of client-server instant messaging systems,
data exchanged between users is plainly visible, making it
susceptible to eavesdropping.

INSTANT MESSAGING AND PEER-TO-PEER COMMUNICATIONS
While most instant messaging systems use centralized servers to
transmit all messages, some systems do offer peer-to-peer messaging.
In such a model, clients contact the IM server to locate other clients.
Once the client chat program has located its peer, it contacts the peer
directly.

INSTANT MESSAGING AND ENCRYPTION
Today few, if any, public instant messaging systems encrypt messages
as they travel from the client to the server and back to the second client.
This data is potentially visible to eavesdroppers anywhere along its
Internet path or within the IM provider’s network. Also, popular IM systems do not encrypt
peer-to-peer traffic. As shown in Figure 1, even if two users are sitting in adjacent cubicles, their
messages travel over the Internet, potentially revealing sensitive information.
Corporations should consider the confidentiality of instant messaging to be only as safe as sending all
internal and external company email using a public email service. For client-server-client
systems, traffic sent between two users can be assumed to travel unencrypted over the Internet. For
peer-to-peer systems, if either client is outside the corporate firewall, all traffic again flows unencrypted
over the Internet. In both cases, content can be intercepted by attackers with the proper tools.

INSTANT MESSAGING AND FILE TRANSFERS
In addition to sending messages between users, instant messaging systems allow users to exchange
files. Current systems transfer files directly between peers rather than through the server, as with text
messaging. In other words, the technique shown in Figure 2 is always used for file transfers. This
peer-to-peer scheme is used to eliminate the high bandwidth demands that server-centric file
transfers would place on the provider’s network.
Currently, none of the major instant messaging systems encrypt files transferred between instant
messaging clients. While the files do not directly flow through instant messaging servers, they may
flow over the Internet, over a corporate LAN or WAN, or over both. If both users are on the same
company network, file transfers will likely remain on the corporate network; however, if one of the
users is outside the network, files will be sent unencrypted over the Internet.

INSTANT MESSAGING AND SCRIPTING
A handful of instant messaging platforms offer scripting capabilities, enabling users to write Visual
Basic, JavaScript, proprietary script code, and other complex programs to control various features in
the messaging client. This functionality, while convenient, provides mechanisms that enable the spread
of computer worms and blended threats. Scripts such as these are able to instruct the instant messaging
client to do any number of things: contact other users, send files, change program settings, and/or
execute potentially malicious actions. A more detailed discussion surrounding these kinds of security
issues is provided in the following section on instant messaging vulnerabilities and exploits.

INSTANT MESSAGING AND OTHER FEATURES
Finally, in response to a highly competitive instant messaging market, some instant messaging
companies have added additional functionality to messaging clients to gain customers. For example,
ICQ contains a mini-Web server that allows users to run small Web sites directly from a desktop
computer. As with any Web-enabled software feature, such functionality creates the security risk that
the site could be hacked to break into a system.