Ava Blog

Your security, our security

Thursday, April 10, 2014 by Administrator

If you follow these things, or even if you don't, you may be aware of a flurry of IT geeks telling you to reset your passwords.

It’s good advice.

Without getting too technical, why? To make your online communications secure and keep your passwords from the bad guys out there, the same bad guys who would clean out your bank account. There are two major systems in use. One you may have heard of is Microsoft's, and it is good, solid as a rock, as secure as you can get. The one you may not have heard of is "OpenSSL". It has just been revealed that OpenSSL has been vulnerable (the bug has been called "Heartbleed").

Unfortunately you don't know which you are using: Microsoft OK, "OpenSSL" not so. We do know what we use and where, and it is overwhelmingly Microsoft. So there is no need to change passwords when you are using Ava or our hosts Rackspace. In the one area where we do use OpenVPN (and consequently OpenSSL), the version in use is not one of the versions that have the Heartbleed issue.
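For anyone who wants to make the same check on their own machines, the following is an added example (not Ava's own tooling) that reads the output of `openssl version` and compares it with the affected range: OpenSSL 1.0.1 up to and including 1.0.1f, plus the 1.0.2-beta1 pre-release, shipped the Heartbleed bug; 1.0.1g and 1.0.2-beta2 fixed it. The helper names and the sample version strings are assumptions made for this example.

```python
import re
import shutil
import subprocess

# Matches the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, beta) or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4), m.group(5)


def heartbleed_vulnerable(text):
    """True if the version string names a release that shipped the Heartbleed bug.

    Affected: 1.0.1 (including its betas) up to and including 1.0.1f, and
    1.0.2-beta1.  Fixed in 1.0.1g and 1.0.2-beta2.  Earlier lines (1.0.0, 0.9.8)
    never had the TLS heartbeat extension at all.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("no OpenSSL version string found in: %r" % text)
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" sort before "g"; 1.0.1g and later are fixed.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "beta1"
    return False


def check_local_openssl():
    """Run `openssl version` on this machine; returns (version_text, vulnerable) or None."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=False).stdout
    if parse_openssl_version(out) is None:
        return None
    return out.strip(), heartbleed_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample strings, not output from any real Ava or Rackspace host.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(sample, "->", "VULNERABLE" if heartbleed_vulnerable(sample) else "not affected")
    print("this machine:", check_local_openssl())
```

One caveat worth knowing: Linux distributions often backport a security fix without changing the upstream version letter, so a package that still reports "1.0.1e" may already carry the patch. Treat the version string as a first screen and confirm against the vendor's package changelog or advisory before concluding either way.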


Elsewhere, please change your passwords!


There is a list of popular web sites showing whether they were affected and whether they have been fixed (safe to change your password) here

A list of the top 630 sites that have been or are vulnerable and the top 3687 that are not vulnerable


You can test individual sites here (example Ava.co.uk) by pasting the following link into your browser. Unfortunately, at the time of writing, there is not a secure link to this test site:


http://filippo.io/Heartbleed/#ava.co.uk

more here http://mashable.com/2014/04/09/heartbleed-nightmare/


Further to the above posts, the issue has been raised that it is (apparently) illegal under UK law to probe third-party sites for security purposes. So you should not "test" sites that you don't already have a relationship with.


Heartbleed health checking services may be illegal?


BBC re-broadcast original Hitch Hikers Guide radio series

Sunday, March 16, 2014 by Administrator


Just replace "digital watches" with "wrist phones" and it's completely up to date!

Douglas Adams' five-part trilogy quantum tunnels out of the BBC archives to appear on the iPlayer

Not only that, but the Vogons' "Resistance is useless" made its appearance over five years before the Borg's "Resistance is futile".

I first heard the Hitch Hikers Guide when, as a young BBC engineer, I was asked to play the tapes down the line to a local BBC Radio station that had missed the original transmission. I put the tape on and set it going with (not knowing any better) the thought of getting back after I had gone to get a coffee… When it started with the dulcet tones of Peter Jones as the Guide, the coffee trip was put on hold.


Half an hour later Douglas Adams' genius had worked its magic. Treat yourself here.

www.bbc.co.uk/programmes/b007jm03


Hacking and health £200,000 cost for 10,000 coughs

Saturday, March 08, 2014 by Administrator

 That works out at £20 per cough!

Expensive for failing to use the correct box of tissues to clean up.

Actually this is about a hacker who sought to extort money from the British Pregnancy Advisory Service having performed a simple examination of their web site: he discovered 10,000 customers without the correct protection for their er… records.

Make up your own joke and insert here!

Apparently the Information Commissioner's Office does not feel charity begins at this particular organisation's home. It is one of the first major publicised fines raised. It suggests that various excuses, including charitable status and lack of knowledge, are no defence. It also indicates that the "going rate" is a fine of around £20 per coughed-up or incorrectly stored address and contact details held without adequate protection.

It brings into perspective:

  • Our insistence on ensuring all the data we store is in a separate database from the web site.
  • Web site access is always protected by https certificates. 
  • Personal information is split from web profiles.

And many other bits of careful design that meet the criteria for good web security.

The extortionist received a 32 month sentence.

Dave Smith of the Information Commissioner's Office said:

"There's a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it's subject to up-to-date and effective security measures."


Related links here


BBC article
Information Commissioner's Office (ICO) Ruling

British Pregnancy Advisory Service 

How much could your agency rostering web site cost you?


How to cut the amount of spam you receive and counter intelligence.

Friday, December 20, 2013 by Ian Pettman

The UK has a fine record of counter intelligence. Part of this is the skill of extracting valuable information from what otherwise seems like a torrent of noise. Historically, computer-based analysis was led by a team at Bletchley Park whose central members were Alan Turing, Andy Flowers and Bill Tutte.

Today one of the largest efforts is to gather valid email addresses (yours!). This process is sometimes referred to as phishing. 

Phishing takes two forms:

  • Get you to re-enter your email, password, credit card details and other details on a bogus web form which looks like your bank / major on line shop etc.
  • Get you simply to click on any link in an email which says "to show images from xyz click here" or "Email not displaying properly? Click here to see full version"

This is why, with Christmas spirit, the number of emails which contain "special offers" and a "blank" image which is not yet displayed has once again increased.

Why do spammers send such emails?

Surely if they are going to entice you to click on the ad, they want you to see something attractive? How does simply clicking increase spam sent to me?

It all depends who "they" are. More often than not these images carry a hidden unique reference which the sender can use to work out which of the multitude of emails they sent produced your click. The same reference is sent when you simply accept that you want to see the image. So by responding in any way to that otherwise blank unsolicited email you will probably be confirming to them that the email address they used ends up with a human being viewing it.

The economics of sending emails mean that they can turn a profit on even such slender pickings, so perpetuating spam.

If you use Gmail or many other popular email providers, then in Google's own words:

"Have you ever wondered why Gmail asks you before showing images in emails? We did this to protect you from unknown senders who might try to use images to compromise the security of your computer or mobile device."

Well, if you don't display the image, the sender (or the sender's server) will never receive a request for it and so will not get confirmation that it has reached a valid email address. Google does not do email marketing. So it is good and helpful that Google downloads all images, and then any link between the download and a valid or invalid email address is broken for the sender.

Of course Google is where it is today because it is awfully good at using various bits of information to target you with "appropriate" or "high return" adverts. If for some reason it were stopped from "reading your emails" (scanning them for appropriate phrases to target ads), then maybe it could just use the fact that you downloaded the image instead?

So the next time an email asks you to click on a link or see a picture…just say no.
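To make the "hidden unique reference" concrete, here is an added example (not code from the original post) that scans the HTML of a received email and lists the remotely loaded images and links that look like read-receipt trackers: tiny or hidden images, and URLs carrying an opaque per-recipient token. The sample message, the host names, the token and the length thresholds used as heuristics are all constructed assumptions for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Heuristics (assumptions chosen for this example): a long run of hex in the
# path, or a query value of 20+ opaque characters, looks like a per-recipient id.
HEX_RE = re.compile(r"[0-9a-fA-F]{16,}")
OPAQUE_RE = re.compile(r"[A-Za-z0-9_=-]{20,}")
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*[01]px", re.I)


def _has_opaque_token(url):
    if HEX_RE.search(url.path):
        return True
    return any(OPAQUE_RE.fullmatch(v)
               for _, v in parse_qsl(url.query, keep_blank_values=True))


def _is_tiny(attrs):
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    return width in ("0", "1") or height in ("0", "1")


class TrackerFinder(HTMLParser):
    """Collects remote <img> and <a> references that look like read-receipt trackers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ("img", "a"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        ref = a.get("src" if tag == "img" else "href", "")
        url = urlparse(ref)
        if url.scheme not in ("http", "https"):
            return  # cid: / data: / mailto: references make no request to the sender
        reasons = []
        if tag == "img":
            if _is_tiny(a):
                reasons.append("1x1 or zero-size image")
            if HIDDEN_STYLE_RE.search(a.get("style", "")):
                reasons.append("hidden by inline style")
        if _has_opaque_token(url):
            reasons.append("opaque per-recipient token in URL")
        if reasons:
            self.findings.append({"kind": "image" if tag == "img" else "link",
                                  "host": url.hostname, "src": ref, "reasons": reasons})


def find_trackers(html):
    """Return a list of {kind, host, src, reasons} for suspicious references in the email body."""
    finder = TrackerFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample message; the hosts and the token are invented for this example.
SAMPLE_EMAIL = """\
<html><body>
<p>Email not displaying properly?
   <a href="http://mail.offers.example/view?u=3f9a8c2d4e5b6a7f8e9d0c1b2a3f4e5d">Click here to see full version</a></p>
<img src="https://cdn.offers.example/logo.png" width="200" height="60" alt="Offers">
<p>Our special Christmas offers ...</p>
<img src="http://mail.offers.example/open?u=3f9a8c2d4e5b6a7f8e9d0c1b2a3f4e5d" width="1" height="1" alt="">
<img src="https://cdn.offers.example/spacer.gif" style="display:none">
<img src="cid:inline-photo" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for f in find_trackers(SAMPLE_EMAIL):
        print(f["kind"], f["host"], "-", "; ".join(f["reasons"]))
```

On the sample the logo is left alone while the "click here" link, the 1x1 open pixel and the hidden spacer are reported, each with the same 32-character token that ties the message to one recipient. The thresholds are deliberately simple and will occasionally flag a legitimate CDN asset name, so treat the output as something to look at before choosing "display images", not as a filter to act on blindly.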


Links that may be of interest.

Google is storing the images for your email

Impact for email marketers

Impact for email marketers another view

The National Museum of Computing (This web page is only available over plain http; you may navigate to it by pasting the following URL into your address bar: http://www.tnmoc.org/)

Alan Turing (New Scientist)

Alan Turing (Wiki)

Tommy Flowers (Independent) (This web page is only available over plain http; you may navigate to it by pasting the following URL into your address bar: http://www.independent.co.uk/arts-entertainment/obituary-tommy-flowers-1184727.html)

Bill Tutte (Wiki)

Bletchley Park (BBC)

Codes and Cyphers (This web page is only available over plain http; you may navigate to it by pasting the following URL into your address bar: http://www.codesandciphers.org.uk/lorenz/fish.htm)


Be as good as Google

Thursday, December 19, 2013 by Ian Pettman

Google probably have the most extensive and best-performing web pages of any. So when we can measure our response time in the same breath as that of Google, we feel we are providing a service to our customers which is second to none. Google also gives points towards page ranking depending on how quickly a site responds. So our web pages and, importantly to us, those of our customers' web sites that we host do as well as they can for all their web content.

We also monitor both our websites and our customers' and a week ago we moved everything to new (Rackspace) performance servers. It was therefore very gratifying that the speed of both our sites and our customers is to all intents and purposes as good as Google.

Monitoring Location: UK / Europe

Test Name            Type                      Uptime (%)   Avg Resp Time (ms)   Failures (#)
www.google.com_http  Benchmark                 100          52.19                0
ava web site_http    Rackspace Ava Web Server  100          52.28                0
Customer 1           Rackspace Ava Web Server  100          51.07                0


Links which may be of interest

To read more about the state-of-the-art web servers we use and provide for our customers


Pros and cons of combining an existing Recruitment Web site with the Ava Advanced Agency web site

Wednesday, December 11, 2013 by Administrator


You want to make the best choice of combining your back office with your web site?


New support article: moving OpenVPN to new ip address

Sunday, December 08, 2013 by Administrator

Occasionally there may be a need to move your back office temporary staff recruitment software database to a new server with a new IP address.

At Ava we will typically configure your first server to give around 5 years of usage, and maybe more.

In the happy circumstance that our software helps you grow very quickly, this move may occur earlier. The software does not change: from experience it is scalable to tens of back office consultants, hundreds of customers and thousands of your temporary staff employees.

However to maintain the highest level of performance we may need to change your server allocation.


Ava advanced Recruitment Agency web site training tutorials

Friday, November 22, 2013 by Ian Pettman

We have just made a series of videos to help you update your advanced Agency web site as supplied by Ava. We call it advanced because:

It displays equally well on smart phones, tablets, pc and laptops.

It is very easy to use and customise for the future. It is very simple to add to and update.

All you have to do is add content.

It is designed for small and medium-sized recruitment agencies to give you the same credibility as much more expensive sites from much larger agencies.

It will give you a secure web site that is as good as or better than many large recruitment agency web sites.

It is a fraction of the cost of a custom made site and better than most custom made sites.

The Ava advanced agency web site integrates with the Ava web and Ava back office to give a comprehensive and totally flexible recruitment staff scheduling system.

How do we measure our security

Wednesday, November 06, 2013 by Ian Pettman

Security is very important in the recruitment industry and an essential part of any Recruitment software package.

There are a number of ways we can measure our security. They all, to some degree, depend on the company quietly getting this right for fifteen years.

For ten years we have been a registered data warehouse with the ICO. We have never had a data loss. We can point to a stack of old hard drives in a locked cupboard. PCs may come and PC cases may go, but the hard drives and their data stay with us.

For those of you who are not familiar with the ICO, it's not a typo for IOC (International Olympic Committee). It's the government organisation that oversees companies treating your data responsibly.

Actually, ICO or no ICO, I'd take the same approach. I'm reasonably sure there is a drive which is pre our sign-up. That is to say, at least ten years of Ava keeping customers' data secure and safe.

I'm a little old fashioned about privacy in these days of Facebook et al. So you won't find many pictures if you Google my name, but when you do get hits, you can narrow them down by the fact that I'm not female….That eliminates about 3 billion people.

For our defences against malware and virus attacks we use a range of anti-virus packages, so if one is slow to update, an infection would be detected by one of the others. These include the best or most advanced anti-virus software. In spite of some of our customers (from time to time) being infected, we have not yet caught a cold. To be fair, some of our customers have a much harder job; for instance, an NHS trust will be open to thousands of people with (these days) memory sticks. Notwithstanding, if there were a new, apparently undetectable virus, some time later when an appropriate anti-virus update came along to detect it, it would eventually raise an alarm. We have never had a true positive report on any of our machines. The occasional false positive, yes. Detected attacks, many. In fifteen years, never a real positive.

If we transfer data we do so over secure point to point communications links.

We use enhanced Microsoft security measures. Microsoft is probably the body which is most under attack from the outside world. Their security is well tested and regularly updated. We use it too.

So today I can celebrate at least ten years of Ava keeping customers' data secure and safe. Customer data, employee data, recruitment staff data, personal email addresses and phone numbers are all treated with the same respect and privacy.


How to find credibility for your new Recruitment Company.

Friday, November 01, 2013 by Ian Pettman

We live in a web of intrigue. The internet contains much that is good and (even excluding the pictures of beheadings sponsored by Facebook), much that is abhorrent, deceptive and fraudulent.

So how do people know you are who you say you are? How credible, how secure is your web site?
