Matt's Real Estate Technology Blog

Nov. 13, 2008 - New authentication method: biometric vein pattern

A new biometric system looks at the vein pattern inside a living finger. It's claimed to be more secure than retinas or fingerprints.

That's great, until it becomes popular and there's a single vulnerable implementation where your information is intercepted and can then be replayed electronically ad nauseam.

Biometrics are neat, but there's a great rule of thumb (no pun intended) in security - never use a key (cryptographic or physical) you can't change when it has been compromised.

 



Nov. 11, 2008 - The Multiple Listing Service Mission Statement

When Clareity Consulting facilitates Multiple Listing Service (MLS) strategic planning sessions, one agenda item is almost always to discuss the MLS Mission Statement. Sometimes the group just needs to be reminded of the Mission Statement, other times the group may want to discuss and change it, and sometimes the MLS doesn't have a Mission Statement at all and Clareity needs to work with them to develop it.

Mission Statements are very important for a complex company to have. These statements embody the organization’s purpose and values, define the stakeholders and what the organization will do for them. While some Mission Statements contain additional elements, those are the basics. Typically, a Mission Statement is both clear and brief. In the strategic planning context, it can serve as a guideline for evaluating the relevance and priority of both current and new initiatives. Without a clear understanding of the Mission Statement, it is much more difficult to discuss, frame, and gauge the relevance of strategies, let alone the specific lower level critical success factors, initiatives, tactics and action plans.     

Let’s look at a few actual MLS Mission Statements as examples.

[MLS Name] is the recognized source for reliable, integrated Real Estate information services for the [MLS Geography] area.

In this example, the customer is not clear. Other than defining a specific service activity, neither the purpose nor values are made clear.

Here’s another one:

To facilitate cooperation and compensation among its members through a common database of real estate information.

This one defines the customer as “members” – this is good, but it doesn’t differentiate between agents and brokers as customers, and not being clear about that can cause tensions on a board. It’s also defined the specific purpose the company will engage in – “to facilitate cooperation and compensation” and how it will accomplish that “through a common database of real estate information”. This is a fairly complete mission statement, based on the definition provided at the beginning of this article, but is it a good mission statement for today’s MLS? It doesn’t address the service and support provided by the MLS, or provide any context for the MLS’s public property listings site or other initiatives undertaken by this MLS. It’s okay to have a limited mission statement – but maybe this one needs to be revisited to encompass what is now clearly a larger mission.

Here’s another one:

The function of [MLS Name] is to provide to the shareholder and customer associations a basic core of MLS services that are dependable, efficient, and cost-effective and to encourage vendors to introduce into the [MLS Name] marketplace optional products that REALTORS® may choose to purchase.

Maybe a bit longer than a typical mission statement, but a lot has been said here. The customer is clearly defined as the Association. I’m not sure what happens when Association, broker, and agent interests are not aligned – that’s a situation that should be considered. The basic purpose from the previous example, cooperation and compensation, is implied, though not explicitly stated in “core of MLS services”. But, this mission statement is especially interesting because it makes it very clear the method and business model that will be used for non “core” MLS services – that these will be optional, for REALTOR® purchase. The site licenses many MLSs purchase for transaction management, digital document management, and other information products and services would clearly be out of bounds for this MLS – the Mission Statement has truly focused the activities of this group.

Let’s look at the next three Mission Statements together:

To develop, promote and provide the highest quality of real estate information, products and services to our members at a reasonable cost.

To provide our members the highest quality real estate information, products and services at a reasonable cost, so they may better serve the consumer.

The mission of [the MLS] is to provide state-of-the-art, cost effective and superior multiple listing services, information and programs to advance the professionalism and success of its customers.

The first one clearly identifies the customer again as the “member” as well as what is being provided “real estate information, products and services”. The business model made so clear in the previous example is not so clarified in this one. The “reasonable cost” is a nice touch – providing a condition that generates discussion and evaluation of cost (and value) for each initiative. The second example expands on the first, by adding a consumer-centric purpose that reflects the modern consumer-focused position that has started to gain favor in real estate industry discussion. The third example is in many ways very similar to the first, but worded very differently. The addition of advancing member professionalism and success is admirable.

Here’s another one:

To empower, support and educate our members to achieve their goals by providing cutting edge resources that improve and enhance their business and personal lives.

Since most MLS subscribers don’t use the range of tools provided by the MLS organization, there is value in the addition of support and education to this mission statement – this MLS clearly is focused not just on providing tools, but having them used. Improving and enhancing member business is a fine goal, though somewhat vague. I must admit to not understanding how or why the MLS is getting involved in the “personal lives” - I wish I had been at the meeting where this mission was developed! Most MLSs shy away from the term “cutting edge” because of the risk that is often associated with “cutting edge technology” and steer toward “excellent”, “best”, or as in previous examples, “highest quality”.

Let’s look at a very different Mission Statement:

 [MLS Name] is a real estate information and technology company that creates value for our shareholders by providing premier business solutions to real estate professionals.

This one has many of the previous elements, but adds a corporate touch, with its primary purpose to provide shareholder value. 

One last example:

To preserve a REALTOR® owned information service that serves, always the good of the brokerage community at large. To continue to provide the most effective, user-friendly MLS system available to our community of agents, by constantly working toward improving and expanding our services and system, while always controlling the cost to the individual agent.

Slightly longer than most Mission Statements, this is somewhat unusual in its explicit nod to REALTOR® ownership, the bigger picture of the “good of the brokerage community at large”, and the need for a “user-friendly” MLS system. It is also explicit in defining the direction of the organization as providing services beyond the core. This is all good and useful guidance for a group trying to make decisions about MLS initiatives.

What is the mission of MLS organizations? Clearly, from the examples above, it varies. There isn’t really a right or wrong. Each organization can define its customers and the balance between customer subsets as it wishes. Some organizations see the mission as evolving, while others are focused on the core function of the MLS system. Different organizations strive for different amounts of greatness. Some focus on just systems, while others expand the mission to education and other services. Prioritizing operational parameters such as cost control, user-friendliness, and dependability in the Mission Statement are all fine choices as well.

It's always interesting to assist in the facilitation of MLS strategic planning sessions and review the Mission Statement for relevance to MLS present and planned future activities. When the mission statement is aligned with those activities, there tends to be less arguing about the strategies, tactics and action plans that reflect the mission - and MLS management and decision-making benefit.
 

 



Nov. 7, 2008 - Demo Hints for MLS Vendors

As part of a thorough MLS selection process, I facilitate a number of MLS demonstrations every year for MLS clients. I'm always shocked when professional salespeople make basic mistakes and knock their company out of the running.

While it's part of my job to make sure that the decision makers account for all of the information gathered throughout the selection process rather than just how good the demo was, if a salesperson has thoroughly embarrassed themselves and made demo attendees ask the MLS staff, "Why was this vendor even asked to present?" there's little I can do for the vendor when the final decision is being made.

Sometimes vendors have me come in to evaluate why their demos are not meeting with better response, and presentations can always be fine-tuned - but here are some helpful hints for a successful presentation:

  • Prepare for your visit - know what integrations they want, public record availability and quality, mapping data layer availability and quality. Preparation shows you care and that your company is professional. Being able to say, "I researched this and found out..." always beats, "I'll have to look into that and get back to you".
  • Another preparation tip - run through the demo before you go before the group. If you put in a few price ranges and keep getting a "No results found" or have to call someone to ask for a URL you can use for your demo, it looks bad.
  • Never talk about how successful your company is, unless you can relate it directly to customer benefits.
  • Show the core system - the "post login" screen, searches, reports, hotsheets, CMA, listing maintenance. Show additional functions, from calculators to roster. If they have an interest, be prepared to show the mobile product, PC/Mac based product, and your IDX/VOW solutions, as well as key functions for MLS staff ... and whatever else is applicable to their interest. Time your demonstration so you can get to everything and still have some time for questions. Going the right speed - not too fast or too slow - can be difficult, but if the other vendors were able to do it, you should also be able to do so.
  • Don't get buried in typing - or worse, just talk about features without showing them.
  • Talk about each feature in terms of the benefits to the users - don't do a dry presentation of technology in terms of functions.

That's a starting point. I could probably go on all day - if you've been through enough demos I bet you could too!

 

 



Nov. 4, 2008 - MLS Feature List

As a part of the ongoing effort it takes to be a real estate IT and management consultant, I keep track of the competitive features of the many MLS systems, RETS servers, transaction management systems, compliance systems, membership systems, broker back-office systems, real estate listings web sites and various other systems that make up the universe of real estate industry IT.

Yesterday I performed some maintenance on my MLS list:

Starting Number of Features: 539
Features Removed (obsolete / less useful to track): 12
New Features Added: 26
Total Features: 553

Then I went through the list and updated all (at least most) of the vendors and systems, tracking which features each system has.

I still have another list of 'lesser' MLS system feature additions to merge into the big list, but that's going to have to wait until things quiet down again as the winter holidays approach. For now, the list will be good enough for my upcoming MLS Selection / RFP projects.

 



Oct. 13, 2008 - There's No Safe Wireless Internet Encryption Anymore

With the latest version of Elcomsoft Distributed Password Recovery (costing about $1,000) it is now possible for someone to 'sniff' a wireless network, intercept just a few packets, then crack your WPA or WPA2 keys in just days or weeks. This works against static keys - anyone using more complicated authentication schemes will not be at risk ... for now.

So, I recommend not sending any unencrypted traffic (other than casual web browsing) over a wireless network. That means HTTPS, VPN, and other encrypted protocols only. Keep changing those wireless encryption keys, and mitigate the risk as much as you can by using STRONG encryption keys.
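To put a number on "STRONG" for a static WPA/WPA2 key, the following added example (not from the original post or from Elcomsoft) derives the pre-shared key the way WPA-Personal does, estimates how long exhaustive guessing would take for a given passphrase policy, and generates a random passphrase. The guess rate of 100,000 per second, the 1000x safety margin and the SSID names are assumptions chosen for illustration, not measured figures.

```python
import hashlib
import math
import secrets
import string

# 62 symbols, all of them valid characters in a WPA passphrase.
ALPHABET = string.ascii_letters + string.digits

# ASSUMPTION: combined guess rate of the attacker's hardware. Adjust to taste;
# it is not taken from the post or from any vendor's published numbers.
ASSUMED_GUESSES_PER_SECOND = 100_000


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation.

    The 256-bit pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with
    the SSID as salt and 4096 iterations. Every offline guess costs the
    attacker one such derivation, and the SSID salt means work done against
    one network name cannot be reused against another.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose characters are picked uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_search_days(bits: float, guesses_per_second: float) -> float:
    """Average exhaustive-search time: half the keyspace at the given rate."""
    return (2 ** bits / 2) / guesses_per_second / 86_400


def min_length_for(days: float, guesses_per_second: float, alphabet_size: int) -> int:
    """Shortest random passphrase whose expected search time exceeds `days`."""
    for length in range(8, 64):
        bits = entropy_bits(length, alphabet_size)
        if expected_search_days(bits, guesses_per_second) > days:
            return length
    raise ValueError("no passphrase of 8..63 characters meets the target")


def outlives_rotation(bits: float, guesses_per_second: float,
                      rotation_days: float, margin: float = 1000.0) -> bool:
    """True if the expected search time is at least `margin` times longer than
    the interval at which the key is changed. The margin absorbs faster
    hardware and lucky guesses; 1000x is an assumed, conservative default."""
    return expected_search_days(bits, guesses_per_second) >= margin * rotation_days


def new_passphrase(length: int = 32) -> str:
    """Random passphrase from a cryptographically secure source."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    rate = ASSUMED_GUESSES_PER_SECOND
    # Constructed policies: (description, length, alphabet size).
    policies = [
        ("8 random lowercase letters", 8, 26),
        ("8 random letters and digits", 8, 62),
        ("16 random letters and digits", 16, 62),
        ("32 random letters and digits", 32, 62),
    ]
    for name, length, size in policies:
        bits = entropy_bits(length, size)
        days = expected_search_days(bits, rate)
        ok = outlives_rotation(bits, rate, rotation_days=90)
        print(f"{name:30s} {bits:6.1f} bits  {days:12.3g} days  "
              f"safe with 90-day rotation: {ok}")

    fresh = new_passphrase()
    psk = derive_psk(fresh, "ExampleSSID")  # constructed SSID
    print("new passphrase:", fresh)
    print("derived PSK   :", psk.hex())
```

These estimates only hold for passphrases chosen at random; a passphrase built from dictionary words or names has far less entropy than its length suggests.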

The Elcomsoft press release is here: http://www.prweb.com/releases/wi-fi/cracking/prweb1405954.htm

Clareity Consulting's security assessment clients received two additional important security alerts today.

 



Oct. 3, 2008 - Re-Missioning the MLS Organization


The following is a transcript of my speech at the Council of Multiple Listing Services 2008 Convention.

The long-term relevance of MLS organizations has been questioned at numerous conferences and on Internet sites over the past few years, but I believe these organizations are uniquely qualified and positioned to deliver technology and support needed by the industry. If we determine strategically what the MLSs need to provide to help the real estate professional service the modern consumer and participate in the real estate transaction of the future and we work vigilantly toward that end, the relevance of MLS organizations – and the value of real estate professionals - will no longer be questioned.

We all know that consumers are often coming to the table with more information than professionals. Even when that information is poor - like the original Zestimate - consumers think they are 'one-up' on the professional, and believe that the value of the professional is diminished. Our real estate professionals must differentiate by having clearly better, professional-grade tools, knowledge, and processes. Most brokers are not getting this done on their own, and our whole industry is painted with the broad brush of poor service and unjustified commissions.

Successful deployment of real estate information systems has typically been both the charter and strength of the MLS organization. However, there has been some tension because the MLS system (that has been the MLS organization's primary function) was chartered solely as a system to facilitate cooperation and compensation. Today's real estate systems need to go beyond that, including not just the MLS, but Public Records, Transaction Management, Forms, Digital Document Management, Lockbox systems, Showing scheduling management and feedback systems, listing syndication, professional-grade automated valuation modeling software, real estate customer relationship management and lead management - and  a bevy of other tools. There is also a great deal of additional information needed to provide professional services, including unlisted property information from homebuilders and FSBOs, mortgage and foreclosure information, environmental information, agent and property ratings,  as well as community, school, and demographic information. To be clear, I’m not talking about just providing a library of additional information – I’m talking about well-integrated tools and information that help the professional provide efficient and timely customer service, unparalleled capability in interpreting the plethora of property and population information available, and highly reliable and secure settlement processes. 

If the MLS organization is not re-chartered, re-missioned, and re-branded more generically as providers of information systems for organized real estate, we will continue to see pushback against the MLS organization offering systems that don't solely address cooperation and compensation. I know that some of you have mission statements that are already broadened – I see them when facilitating strategic planning sessions – but in most cases your board doesn’t even know the mission statement and understand its broader implications, and if they do, your members certainly don’t. If our industry doesn't reposition its MLS organizations or find some other means of improving the toolset and processes of the real estate professional in an organized, consistent manner, our industry will continue to lose its value perception with the consumer. And, as ex-NAR president and broker Bill Chee said to me back in 2002, "The lion really coming over the hill is the consumer."

This technical effort of which I speak must be executed in concert with another effort, working with our trade associations, as well as ARELLO and state licensing organizations - working in concert at every level, we need to change what it is to be a real estate professional. Too long have some members driven their industry toward the lowest common denominator. Some brokers will keep a whole market in the stone ages on digital document management and transaction management ruining any possibility of cooperation in the electronic transaction of the future so they can have a six month technology advantage over one of their competitors. And, most MLSs recognize that less than 20% of subscribers use the bulk of tools the MLS already makes available to them -- and better is not required of those subscribers. Henry Ford, automotive pioneer, once said, "If I'd asked people what they wanted, they would have said faster horses." Can our industry thrive if being driven by these people?

I'm not ignorant of the tensions it would cause if real estate organizations started trying to tell independent professionals what to do, and I'm also aware that many real estate associations are incented to keep barriers to entry low and membership numbers high. But there needs to be more of a balance between listening to members and leadership in defining our industry, if we want it to thrive.  David Charron recently asked me, “If 75% of the ... folks that surf real estate are using functionality that is not provided by the MLS or the broker, what does that tell us?” What does that tell us about our industry’s relevance, about our part in the real estate conversation? Lamplighters … typesetters … movie projectionists - none of those professionals or professional organizations were protected by resisting the future. Industry leaders aren’t doing their members and subscribers a favor by letting our industry be driven by those that want to maintain the status quo. We can’t be afraid of the future and, as Alan Kay of Apple computer once said, “The best way to predict the future is to invent it.”

Look at how libraries are being reinvented. Look at how the insurance industry reinvented their independent agents as “financial planners”. To sustain - or even improve - the long term value of the real estate professional, real estate industry leaders must redefine the profession, and MLS leaders must envision, build or license, maintain and support the new real estate information systems, requiring that technology vendors adopt standards and interoperate, providing real estate professionals with professional grade tools, integrating better with tools already fielded by brokers. Those could be the challenges our industry takes head-on, via organized efforts at national, regional and local levels.

I see many industry news articles, blog posts and speakers at conferences saying the MLS – or even the whole industry - is irrelevant, that it should be gone in a few years, that there's no future for it.  I disagree. I have a vision of the future of our industry and for the MLS - both the system and the organization - that is more vibrant than ever. Can we attain that vision? Can "organized real estate" actually organize to get the job done? Can we re-charter, re-mission and re-brand the MLS? I don’t believe our industry can afford to fail in redefining and creating an exciting future for itself. I don’t believe we can sit back and let outsiders take control of the real estate conversation and create the future of our industry. The effort wouldn't be easy, but that's the leadership challenge I put before you.

 



Sep. 18, 2008 - Clareity's MLS Executive Workshop - registration opens

It’s time once again to register for Clareity’s Annual MLS Executive Workshop, which will be held March 5-6, 2009 at the Scottsdale Plaza Resort in Scottsdale, Arizona. Optional afternoon outings and a cocktail reception will be held the day before, so plan to arrive on March 4th! Many of you have urged us to keep the workshop small and that means turning away late registrants - so please go to the website and register - http://www.callclareity.com/MLSWorkshop/.

Who should attend? Anyone that will be involved in selecting a new MLS system, managing an MLS system, or building an MLS system will benefit from this conference. This workshop is not for MLS vendors or other suppliers.

Every year we listen to your suggestions and strive to make the next year's event even better. Last year we improved the wireless access and added more power outlets. Several participants urged us to continue to provide the presentations on thumb drives – we’re glad you liked that improvement over the heavy binders we used to hand out!

As we do every year, the agenda will be finalized in the two months before the Workshop, to ensure that we don't discuss "old news" and only the most current topics will be discussed. If you have a specific topic you feel is a "must", please let us know so we can add it to the agenda. Like last year, even topics that aren't covered in formal sessions can be addressed at the "Open Session" at the end of day two.

When asked, "What did you like best about the workshop?", we heard some nice kudos including:

  • The great topics and content
  • Knowledgeable speakers
  • No fluff or sales
  • The informative panel discussions
  • The opportunity to network
  • Ease of communication and interaction

Every year we have to turn people away when we run out of space - so please go to the website and register:

http://www.callclareity.com/MLSWorkshop/

Also, please book your hotel early to guarantee a room at the event hotel – the Scottsdale Plaza Resort. More information is available on our web site - ask for the Clareity group rate.

Thanks again for the many kind words and I look forward to seeing you next March!

If you require immediate assistance or have questions about the workshop, please contact Gregg’s assistant, Stacy Pritchard (Stacy.Pritchard@CallClareity.com or 480-444-2087).

 



Sep. 15, 2008 - Green Fields in the MLS

As the price of energy continues to increase, consumers are looking for efficiency in their properties and some consumers are even looking for properties that have had lesser environmental impact or even that create a more healthful environment inside via incorporation of 'green' design, technology, construction and maintenance elements. As these practices become more common and consumers want to find properties with them, they will need to be accommodated in the MLS system as a property feature. The question is how to add enough MLS fields to accommodate the differences between "green" and regular properties, yet make them easy to search, and end up with data that will stand the test of time?

I'd suggest standardizing on the most robust "green" standard, the "U.S. Green Building Council" (http://www.usgbc.org/) LEED standard. They have developed LEED certifications for different property types, including New Construction, Existing Buildings, Commercial Interiors, Healthcare, Homes, Neighborhoods, and more. Each property type has checklists with scores or features that affect different "green" aspects that a consumer might care about, such as energy efficiency, water efficiency, and indoor environmental quality to name just a few. A certifier goes through such checklists and adds up points gained for each good practice and the property may attain one of four LEED levels: Certified, Silver, Gold, and Platinum. So, for example, a newly constructed home may attain a LEED New Construction Gold Certification. Note that the property may or may not be located in a place that has achieved LEED Neighborhood Development certification of any level, or which has LEED certified schools, healthcare, or retail. I doubt that an MLS is going to add the scores of green features that make up the LEED checklists for a property to the MLS, let alone add all of the fields that make up the certifications for surrounding neighborhood, schools, etc. - but they may want to at least pick the correct LEED type and level for the property, and may additionally have a separate field for searching out LEED certification for neighborhood, nearby schools, etc. All the detailed information on LEED certification for a property could be made available as an associated document for a listing in the MLS, and eventually some elements of the LEED checklist may merit listing as a separate MLS field.

If you're a consumer that wants to know, in general, what to look for in a "green" home - or you are a REALTOR® that wants to be a better guide, you can always read the detailed checklists on the aforementioned web site, or just read this handy, short Green Homes Checklist: http://www.greenhomeguide.org/what_makes_a_green_home/green_home_checklist.html

Of course, there are also numerous companies trying to make a buck off their own certifications - and various cities and locales have created their own standards - for example, see http://www.floridagreenbuilding.org/db/. If your area has created a popular "green" certification of its own, or if one of the commercial certifications has made inroads in your market, you may need to have these additional property certification statuses searchable in the MLS. Just make sure that the certification is robust, and like the LEED certification, auditable and verifiable. If your MLS allows for associated documents to be uploaded and linked to the listing, I'd suggest that certification documents become required attachments for listings which claim to have achieved a certification.

According to NAR, "Forty percent of Realtors® report that green building is important to their business and clients, while 87 percent believe it will be of even more interest a year from now." So, last week (September 04, 2008), the National Association of Realtors® introduced a new Green designation for Realtors®. To earn the designation, Realtors® must complete a core course plus one elective. The program is designed to help Realtors® understand green properties, explain green features and practices to clients, understand the ratings systems, list and market green homes and buildings, and discuss financial incentives for going green. It looks like soon you'll have another option to add to your MLS roster search as well! For more information on NAR's Green designation, see http://www.greenresourcecouncil.org/

 



Aug. 21, 2008 - Microsoft Photosynth

Microsoft Photosynth (http://livelabs.com/photosynth/) and the technologies and products sure to follow it could turn out to be quite the boon for the real estate industry. This free tool allows users to upload pictures and it automatically stitches them together into an environment. This is more than just a 360 degree virtual tour - if done right it can take you from room to room and give you the feel of how a house flows. Also, unlike most virtual tours, it doesn't make me dizzy!

 



Aug. 13, 2008 - Yahoo's Fire Eagle

Yahoo's new Fire Eagle (http://fireeagle.yahoo.net/) is an interesting tool for creating geo-aware applications. It's a framework for sending an application updates about where you are based on GPS, from your phone or from a web site, doing so automatically or manually, and for applications to retrieve and use that information. Generally, people are thinking about geo-targeted content, ads, and social networking. I can imagine a Realtor giving a consumer or client access to their user generated mapping content via a geo-aware application on the client's cell phone.



Aug. 1, 2008 - Coming to CMLS in Minneapolis this fall?

I'll be moderating and speaking at the event - more details as we get closer to the event date.

The conference is located in Minneapolis, near where I live, so I've prepared a little something to help folks navigate the area. Here is a map of the CMLS conference area, including my reviews of restaurants and cultural sites.

 



Jul. 25, 2008 - Bill Chee's wisdom

Inman news reported today that ex-NAR president Bill Chee, who delivered the "Lions Over the Hill" speech in 1993, now says that his fears of Microsoft and other threats to the real estate industry at the time turned out to be unwarranted. In hindsight that may be true - but one should consider that Bill's own words and influence may have had at least some effect on how the industry responded to threats at the time and the resulting outcome.

Bill Chee is a very, very smart man, and I remember very clearly something he said to me when we were on a panel together for the Wisconsin Association of Realtors conference in 2002 - I even wrote it down at the time. He said, "I was wrong about Microsoft being the lion coming over the hill ... the lion really coming over the hill is the consumer."

I believe that our industry still has a lot of work to do to meet that next challenge. I've been doing a lot of thinking about that .... stay tuned.



Jul. 23, 2008 - The Best MLS System is...

"Which MLS system is the best?" Clients perpetually ask me that question, and it also regularly comes up on email lists and in web-based discussions.

To some extent, the question is a bit silly – akin to asking someone, "What’s the best place to eat in town?" Of course no two people agree on what restaurant is the best – they have different cuisine preferences, tastes, service requirements and budgets. One person will have a good experience at a restaurant and recommend it, while another will go to the same restaurant - maybe on an 'off' night - and have a bad experience and subsequently warn people away. We’ve got to recognize that answering the MLS question is similarly difficult.

Most vendors have both very happy customers and unhappy ones, as well as a number that are between those extremes. When one asks the "Which MLS system is the best?" question on an email group or web site, you will likely get answers from both extremes – and it’s just not that helpful. Every year Clareity Consulting performs a survey of MLS Customer Satisfaction (e.g. http://www.callclareity.com/7thAnnualMLSCustomerSatisfactionSurvey.pdf) to try to provide a more comprehensive answer to how each MLS vendor is doing – but while you have to take reference checking and customer satisfaction into account in such a system selection decision, the experience of others is not necessarily the best or only predictor of your own experience.

What differentiates the MLS options, really? At a high level, system and service. After all, MLS vendors are Application Service Providers (ASP) – they provide both system and service, and need to be evaluated on both. Service may seem easy to evaluate, but it can be difficult to measure. If the vendor is providing support to staff or MLS subscribers, what call center metrics can they share with you? How much service will they provide in customizing the system to your specific needs and how will they respond to ongoing enhancement requests? The “company fit” and relationship that your MLS will have with the vendor can sometimes be difficult to gauge in advance. As for the system, sometimes things we take for granted, such as speed, reliability/accuracy, and uptime may not be a given, at least not these days. Each system also has a unique feature set for the web-based system as well as for PC-based software, PDA, or voice interface – we have to answer the question, “What would your subscribers be giving up if they were moved to a new system and what would they gain?” The MLS staff also has to consider how much functionality there is in the system to help them provide a high level of service to subscribers – this may include features like listing compliance workflows, easy to use robust RETS / data feed setup, and features providing staff with direct control over many aspects of the system. There are other considerations these days as well – for example if your market is considering a data share, how much experience does the vendor have implementing them and what is their track record? Finally, though the vendors are generally very cost competitive, sometimes cost enters the equation. I always advise clients to choose the system they really want over a system they don’t want nearly as much but with which they could save some money. I don’t think any MLS ever regretted selecting a great system that they could afford, but I know of plenty that regretted going with the lesser preferred system to save money.

Changing systems is hard for MLS staff and subscribers alike, and it isn’t something to do lightly. I typically perform an extensive member survey as part of the selection process, and more than once in the past year clients have seen such high levels of satisfaction with their current system that they’ve decided there was no way a new system would provide enough benefit to justify moving to it. Of course, you have to find a good balance of listening and leading – if all MLS executives did was listen to subscribers, we may still be using books! Also, thoroughly evaluating the benefits of moving to a new MLS system involves rigorous work, and building a robust Request for Proposal (RFP) and evaluating the proposals obtained from qualified vendors as part of an MLS Selection Process is one of the more complex services my company provides.

Which MLS system is the best? Honestly, there’s no one answer that’s true for every potential customer. Only with rigorous evaluation of your system and service needs and comparing those needs to the capabilities, system, and services provided by each vendor can I even begin to know which vendors may be good to include in an RFP – let alone have some sense of the answer to the final question: “Which MLS system might be best for your MLS?” When I’m involved in a selection process, my goal is to make sure that all of the appropriate information needed to support the decision has been gathered and presented clearly so that the MLS leadership (board of directors, committee, task force, etc.) can easily answer the question for themselves.



Jul. 21, 2008 - Alert for Web Programmers and Managers: SQL Injection

This is for my readers who are, or who manage, web application programmers. I sent this update to my security assessment clients about a month ago but the urgency has continued to increase as attack rates are rising ...

I've been seeing a lot more injection attacks on industry sites - some automated, some manual. If you have web applications and haven't been testing for SQL and XSS injections - get on that PRONTO!

Even if you think your input validation is under control be careful - attackers are getting a LOT sneakier:

* Using HTML entities instead of the characters, encodings like UTF-8, long UTF-8, UTF-7, Unicode, US-ASCII and even HEX. Watch out for 'declare' and 'cast' in inputs ... not your friend.

* Not using special characters - leaving off the single quotes, using 'fromCharCode' to create them, or even using grave accents as a replacement.

* Messing up regular expressions looking for SCRIPT by embedding tabs, spaces, carriage returns - or encoded versions of the same!

* Sending you naughty content not just through traditional inputs and URL strings, but through cookie manipulation.

* Leveraging your platform - such as SSI (if installed), renaming JS files to image extensions for upload, even using your application platform to create the script.

* Going beyond JavaScript and using VBscript.

* Injecting into image tags - including dynsrc and lowsrc attributes, in BODY onloads, in CSS calls, in titles, meta tags, iframes, TD backgrounds, DIV styles, BASE tags, OBJECT tags, XML, Flash actionscript and more!
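The quote-free injection from the list above, shown as an added example (not code from the original post): a filter that only rejects single quotes sits beside a lookup that allow-lists the expected input shape and binds it as a parameter. The `listings` table, the function names and the sample inputs are constructed for illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table of constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, agent TEXT)")
    db.executemany("INSERT INTO listings VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def quote_filter(value: str) -> str:
    """Flawed validation: only single quotes are treated as dangerous."""
    if "'" in value:
        raise ValueError("single quote rejected")
    return value


def lookup_concatenated(db: sqlite3.Connection, listing_id: str) -> list:
    """Vulnerable: the filtered input is pasted into the SQL text."""
    sql = "SELECT agent FROM listings WHERE id = " + quote_filter(listing_id)
    return [row[0] for row in db.execute(sql)]


# ASCII digits only, bounded length. Encoded or look-alike forms do not match.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def lookup_parameterized(db: sqlite3.Connection, listing_id: str) -> list:
    """Hardened: allow-list the expected shape, then bind as a parameter."""
    if not ID_PATTERN.fullmatch(listing_id):
        raise ValueError("listing id must be 1-9 ASCII digits")
    rows = db.execute("SELECT agent FROM listings WHERE id = ?",
                      (int(listing_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs. The same check applies whether the value arrived
    # in a form field, a URL string or a cookie.
    samples = {
        "query string": "2",
        "cookie": "2 OR 1=1",             # no quote characters at all
        "url-encoded": "2%20OR%201%3D1",
        "html entity": "&#50;",
    }
    for source, value in samples.items():
        try:
            weak = lookup_concatenated(db, value)
        except (ValueError, sqlite3.Error) as exc:
            weak = "error: %s" % exc
        try:
            strong = lookup_parameterized(db, value)
        except ValueError as exc:
            strong = "rejected: %s" % exc
        print("%-13s %-18r concatenated=%s parameterized=%s"
              % (source, value, weak, strong))
```
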
 

I think my "favorite" workaround for XSS validation is where the validator gets rid of script tags in inputs but doesn't search recursively, so the hacker inputs "[SCR[SCRIPT]IPT]" and it gets rid of the middle "[SCRIPT]", leaving.... [SCRIPT]!
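The single-pass script-tag stripper described above, as an added example that is not from the original post: the flawed validator, a repeat-until-stable variant, and output encoding with Python's `html.escape`. The function names and sample inputs are constructed, and `probe()` is a harmless placeholder.

```python
import html
import re

# Matches an opening or closing script tag, any case, with optional attributes.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_once(value: str) -> str:
    """The flawed validator: remove script tags in a single pass."""
    return SCRIPT_TAG.sub("", value)


def strip_until_stable(value: str, max_rounds: int = 10) -> str:
    """Re-run the filter until the output stops changing.

    Closes the nested-tag gap, but it is still a deny-list: markup that
    never contains a script tag passes through untouched.
    """
    for _ in range(max_rounds):
        cleaned = SCRIPT_TAG.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned
    raise ValueError("input still changing after max_rounds; rejecting it")


def encode_for_html(value: str) -> str:
    """Output encoding: render the input as text, whatever it contains."""
    return html.escape(value, quote=True)


# Constructed samples. The post writes the tag as [SCRIPT]; real markup uses
# angle brackets.
NESTED = "<scr<script>ipt>probe()</scr</script>ipt>"
HANDLER = "<body onload=probe()>"  # the "BODY onloads" case from the list

if __name__ == "__main__":
    for sample in (NESTED, HANDLER):
        print("input:             ", sample)
        print("strip_once:        ", strip_once(sample))
        print("strip_until_stable:", strip_until_stable(sample))
        print("encode_for_html:   ", encode_for_html(sample))
        print()
```

Only the encoded output is safe for both samples: the repeated filter removes the nested tag but returns the event-handler markup unchanged.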

And they're using every combination of the above that you can think of!!!
 
Are you validating for all of these situations?

Be careful out there!
 



Jul. 17, 2008 - New Windows Features Help Secure Public or Employee Computers

This is a follow up to my earlier blog post, Limiting Internet Use to Protect Your Company.

Many of my MLS, association, and brokerage clients have computers in their offices that they allow visitors to use or which are used by employees for limited purposes. Windows Vista Home and Ultimate editions have easy to use controls that you can use to increase the manageability and security of those computers as well as lower the amount of maintenance they need as a result of user activities.

I'm referring to the "Parental Controls" features, which can be accessed through the main Windows menu, selecting Control Panel, and then Parental Controls. Assuming that you only allow your visitors and employees to access computers using a non-Administrative account - an Administrator account would let them change these settings at will - you can use Parental Controls to enforce useful policies for a specific user's login account. These policies include restricting web use to specific sites or types of web sites, putting time limits on when the computer can be used, and allowing or blocking specific programs.

The Web Filter allows you to limit use to specific web sites that you specify. This is a very powerful feature because if you only intend a computer to be used to access the MLS system, your organization's web site, or other specific sites, you can restrict the user to those "white-listed" sites only. If you do that, the chance of them visiting inappropriate sites or downloading malware is greatly reduced. You can also specify that the user cannot download any files to the computer. Not letting users save unwanted files decreases how often staff must 'clean' the computers, providing a management cost savings. Vista also comes with a web filter that attempts to block sites based on different types of content (e.g. pornography, hate speech, etc.), however I'm not confident that these filters are foolproof. But if you have a policy regarding harassment or other Internet misuse the least you can do is to enable this type of filtering, perfect or not.

Time limits are useful if you have users that you only expect to use the computer during a specific time of day and/or when the computer use can be supervised. It's easy to set specific days and hours when the computer can or cannot be used.

The Parental Controls that allow you to "Allow and block specific programs" (Application Restrictions) are also very easy to use. If you limit computer use to only those applications that are needed it increases the computer security by making it somewhat harder for users to install and use unapproved software and for malware to be accidentally executed by the user. Not letting users clog up computers with unwanted programs also decreases how often staff has to 'clean' the computers - additional management cost savings.

There are a number of additional features in the Parental Controls as well, including usage reporting and game-blocking features. Just remember, no one tool will be a silver bullet when it comes to security - but if you have deployed Windows Vista Home or Ultimate editions in your business you may find Parental Controls a useful tool to increase the manageability and security of your computers.

 



Jul. 9, 2008 - New software provides Java API for RETS server access

Check this out! RETS IQ RETS Library is a Java API that allows simple access to RETS servers. The API is designed to allow developers to connect to RETS servers and execute searches, photo downloads, metadata requests and updates without having to deal with the nuts and bolts of the RETS protocol.

Mind the license.

 



Jul. 8, 2008 - Telecommuting and the 21st Century Gas Crisis

With ever-higher gas prices putting the squeeze on employee wallets, some Clareity Consulting clients are exploring creative ways to help employees, including having some of them telecommute at least part time. According to a popular telecommuting website [1], 40% of the U.S. workforce have jobs that could be performed at home, potentially saving 625 million barrels of oil annually – that's over 80% of our annual Persian Gulf oil imports! Telecommuting also has a positive environmental impact.

However, there are some telecommuting issues to consider and manage. Some employees can't work productively at home while others work too much and burn out. Sometimes employees who can't work remotely resent those who can, and telecommuting can have a negative impact on employees working as an effective team. Managers used to a high level of hands-on organization, communication, and productivity measurement may be frustrated unless compensating mechanisms are implemented. There may be additional IT and management costs for facilitating remote work, and there are also possible liability and workers compensation issues that must be evaluated by human resources staff [2].

Finally, consider that one of the most disastrous information security breaches in U.S. history, involving the personal information of 26.5 million veterans, occurred because an employee took sensitive data home and didn't take steps to properly protect it [3]. Ask yourself, "Does my organization have appropriate information security policies and practices to address the risks of telecommuting?" The following questions need to be answered via a strong information security policy:

  • What information can be taken from the office to a home office or to other locations?
  • Are the computers being used at home properly secured? What are processes for ensuring:
    • Operating System security hardening
    • Platform and software security
    • Anti-virus / Anti-malware practices
  • Is only authorized, licensed software installed on telecommuters' computers?
  • If the employees work with sensitive or confidential information:
    • How is sensitive information securely transferred between work environments, both electronically and physically?
    • Can employees provide physically secure home environments? Do they have a media safe? Is there a process for proper disposal of both physical and electronic sensitive data at telecommuters' locations?
    • How is sensitive information encrypted ‘at rest'?
    • Are employee computers on a separate firewall segment from the remote network, and is network traffic strictly controlled?
  • If wireless access is used, are routers securely configured and use constrained to WPA encryption?
  • If allowing additional remote network access, consider your VPN:
    • Is the VPN ready for increased load?
    • Is the VPN properly encrypted?
    • Are individual accounts set up with appropriate privileges?
    • Does the VPN require a strong password be entered at every connection – or even use two-factor authentication?
    • Do the accounts time out after a short period of inactivity?
    • Is split tunneling disallowed?
    • Are banners displayed regarding monitoring?
    • Is there auditing of remote access?
    • Do users know not to engage in risky computer activity while connected via your VPN?
  • Does the policy cover what to do if there is an information security incident involving company data in the remote work location?
  • Are there appropriate and secure methods of backup and disaster recovery for remote locations?
  • Are telecommuters regularly trained on security requirements for remote locations?
  • Is there a process for monitoring and enforcing policy security compliance over time?
  • Have managers and telecommuters signed off on all of those policies and procedures reflecting the questions above?

Telecommuting is a very exciting opportunity that allows employees to save on ever-more-expensive gas costs and to protect our environment. It's not the right thing to do for every organization, and it won't be possible for every job to be done remotely. Some Clareity Consulting clients are considering alternatives such as allowing some employees to work four days a week and ten hours each day and organizing carpools. However, if management takes the aforementioned steps to ensure employees are properly managed and to protect the organization against legal and information security risks, telecommuting can be a worthwhile endeavor that merits consideration.

 About the author: Matt Cohen is Clareity Consulting's Chief Technologist. Matt has spoken at many conferences, workshops and leadership retreats internationally, and is a well-regarded real estate industry expert on real estate software, product and project management, risk management and information security.

Clareity Consulting was founded in 1996 to provide information technology consulting to the real estate industry and its related businesses. Clareity has successfully executed a vast array of projects, including:

  • Request for Proposals (RFP) for MLS, public records, and transaction management systems
  • Regionalization and data share facilitation
  • Strategic planning
  • Contract negotiation
  • Executive Recruiting and Placement
  • Information security and business continuity assessments
  • Project planning and management
  • Software and system design and review
  • Mergers, acquisitions and strategic alliances
  • Market research including surveys and focus groups
  • New product marketing and business plans

For more information, visit http://www.CallClareity.com



[1] http://undress4success.com/
[2] http://www.businessweek.com/smallbiz/0003/sb000320.htm
[3] http://www.securityfocus.com/news/11393

 



Jun. 30, 2008 - Securing Email

Email is one of the most dangerous activities any of us does online. The way most companies implement email, it’s trivial for email account access to be compromised and for sensitive information (human resources, budgets, etc.) to get into the wrong hands. SPAM reduces our organizational efficiency and malicious software often enters networks through email. What can be done to lower these risks?

First, find out - by looking at your email settings or talking to your network staff or ISP - if you are using an unencrypted protocol (POP or IMAP) to get your email. If so, then someone – an employee or other fellow network user using a ‘sniffer’ tool - can capture your login information and intercept the emails. If your email provider can’t provide you a secure protocol, you must take other steps to encrypt the emails.  If you are using a public network, you can encrypt all your network traffic – including your emails – by using a Virtual Private Network (VPN). If your company has a firewall that includes VPN capability and you connect to it before checking your email, then the traffic can’t be ‘sniffed’ as easily.

Note that my blog is hosted by Internet Crusade, and their email solutions are fully capable of secure protocols such as SSL encryption for POP mail – according to Mike Barnett you just have to ask for it and they can hook you up!

You can also encrypt your email and attachments in other ways. While this doesn’t stop people from ‘sniffing’ an insecure email protocol, it can stop people from reading email and opening attachments that are sent to them by accident. Encrypting the whole email is not easy for the non-techie, depends on the platform being used for sending and receiving email, and gets most complex when the sender and receiver are on different platforms. Helping the reader navigate this maze is not something that can be done in a short article. In terms of encrypting files and email attachments on Windows computers, I’m fond of free-to-inexpensive products from http://www.kryptel.com/.  

The next tool in your security arsenal is to use company policy to educate employees on safer email behaviors. The policy can include instructions not to use email to distribute offensive materials, not to send or forward SPAM, how to try to recognize phishing, pre-texting, or other social engineering involving email, not to send confidential information via email and when to use encryption, and not to open attachments from un-trusted sources – or even from trusted sources without phone verification. The policy should also set the expectation that email may be monitored for policy compliance, and that there should be no expectation of privacy. The policy may also set email security standards for technical staff to implement, such as whether email servers pass on executable attachments at all.

None of the above steps address SPAM and the tremendous threat of malicious software that can be attached to email. At a time when spammers are becoming ever more sophisticated at evading anti-spam tools and free tools are available for hackers to create malicious software that cannot be detected by most anti-virus and anti-malware tools, making the right technology choices is more important than ever. As part of the ongoing support provided after an Information Security Assessment, Clareity Consulting has guided many clients through the maze of technical options that might work best for their individual needs, and strongly encourages its clients to take reasonable steps to secure their email, as it is one of the largest threats to organizational information security.

 



Jun. 19, 2008 - Firefox 3 security

I'm very excited about some of the new security improvements in the new Firefox 3 browser release.

One improvement is some built-in protection against Cross-Site Scripting (XSS) attacks, though it's important to note that the vulnerabilities extant on many of our industry sites are still not caught by the Firefox filter. Firefox add-ons that I have mentioned in the past on this blog, including NoScript and NoRef, are still of value. The Firefox improvements don't mean that vendors can stop following secure coding practices consistently or that users can stop being very careful about the sites they visit.

Another improvement is seen just to the right of the address bar (now called the "Awesome Bar" in Firefox). That area now shows the site's icon (or a blank page if the site has no icon) with a color background that makes it easier for users to see the security status of the page. As you can see below, colors include gray, blue, green (and red) and if you click on the icon you can get more information about the site.

  • Grey is normal - no SSL encryption on the connection or other identifying information about the site.
  • Blue means you are viewing the site through an SSL certificate and all content (even images) are being transmitted to and from the site encrypted.
  • Green means there's not only an SSL certificate, but also an "Extended Validation Certificate" (a.k.a. EV Cert) that means the site owner (not just the site) has been validated in some way by a "certifying authority". These certificates are spendy (about $500 / year), and some people complain that they are an unnecessary expense. That will certainly be an ongoing argument!
  • There's also a RED color - this means a site is known to cause compromise - I'm not going to a site of that nature to collect an image - sorry!



The 'More Information' button lets you see if you have visited the site before today, if there is a cookie (and lets you see the cookie contents), if you have saved passwords for the site in the browser (tsk!), if the connection is encrypted, and also lets you see information about the site owner.

Internet Explorer 7 and Opera 9.5 both also have support for the EV Cert, but I think that Firefox's implementation is the most 'in your face' and in that way, the best.

Some believe (and others don't) that the color approach (including EV Cert) is still vulnerable to homograph and picture-in-picture attacks (sorry about the tech-vocab...) - but I still think this approach is a worthwhile endeavor toward reducing phishing attacks and I applaud Mozilla Firefox for improving its interface to be helpful in this way.



Jun. 16, 2008 - Improving PDA Security

More than half of REALTORS® use Personal Digital Assistants (PDAs) – devices that create a significant information security risk. Real estate professionals use PDAs to store sensitive data, including email, contacts, documents, spreadsheets, passwords, bank account information, and MLS data. More than a quarter of PDAs are lost, according to a 2003 survey conducted by Pointsec Mobile Technologies, and that’s just one part of the problem. PDAs and memory cards are stolen or infected by viruses; wireless transmissions are intercepted, and many professionals don't enable passwords on their devices, allowing anyone who finds or steals their PDA to see their data. Besides keeping as little information as possible on your PDA, there are many steps you can take to secure it:

The most basic step is to reduce the risk of losing the PDA. Keep it locked up in a briefcase, desk drawer, or lockable case when not in use - do not leave the PDA unattended in plain sight.

Require a hard-to-guess password to access the device and its applications - if you don't already require a password on startup, there's nothing to stop someone from accessing your information. Whatever you do, don't configure your PDA applications to memorize your application and web site passwords.

Most people are not aware that viruses can affect their PDA. There are many anti-virus tools for PDAs, and you can download free antivirus software for some PDA models from Trend Micro (http://www.trendmicro.com/download/product.asp?productid=2).

Using a wireless connection poses a substantial risk that your information can be intercepted. If you must use an unencrypted wireless connection, the web sites and email providers you use should provide an SSL encryption option to reduce your risk. If your office or service provider offers a Virtual Private Network (VPN), that will provide an even greater degree of protection.

Many security products for PDAs exist to encrypt the information on the device - they put a password on your data, which you must enter to access the information. Examples include:

To encrypt your data on a Blackberry with a password already set, just click Options > Security and set Content Protection to "Enabled".

There's no such thing as perfect security. If you run a program from an untrusted source on your PDA, none of the steps mentioned above will be a cure-all. But, if you've taken the basic steps to secure your PDA and have your email address on the back, you don't have to worry as much about the information on a lost PDA – and you may even get lucky and have it returned to you.





Matt Cohen is Clareity Consulting's Chief Technologist. Matt consults to MLSs, Associations, brokerages, and many real estate industry software companies and has spoken at conferences, workshops and leadership retreats around the country on a wide variety of MLS-related topics. Matt is a well-regarded real estate industry expert on industry trends, software design, product management, project management, and information security. Clareity Consulting was founded in 1996 to provide information technology consulting to the real estate industry and its related businesses.


Disclaimer: The opinions expressed on this blog are the responsibility of the author and do not necessarily reflect the opinion of Clareity Consulting


©1996-2008 Clareity Consulting. All Rights Reserved.