Ebay Hit by Cyber Attack

Ebay has announced that it was hit by a massive cyber attack that may have exposed customer information. Although no financial information is reported to have been stolen, the company is urging customers to change their passwords immediately.

The compromised information included:

  • Name
  • Password
  • Email Address
  • Physical Address
  • Phone Number
  • Date of Birth

Ebay’s official release states that the attackers may have gained access through employee log-in credentials, which in turn gave them access to the corporate network. Ebay says it is working closely with its security experts and law enforcement agencies. For more information, please read the full story here.

SEO news blog post by @ 5:48 pm on May 21, 2014


 

Is the heart of your website beating or bleeding?


The Heartbleed Bug is a serious SSL/TLS encryption vulnerability in the popular OpenSSL cryptographic software library. So what is it?


Seems like we’ve heard this all before?



To put it into layman’s terms, Heartbleed, or CVE-2014-0160 depending on your pedantic nature, is a really bad thing.

In less simple terms, the TLS ‘heartbeat’ extension in OpenSSL can be abused to leak up to 64 KB of the server process’s memory per request. That memory can contain private keys, session cookies, passwords and other data that was only ever meant to exist in the clear inside the server.
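To make the mechanism concrete, here is an added example (not code from the original post, and not OpenSSL’s own C code) that models the heartbeat handler in Python over a bytes object standing in for server memory. The vulnerable version trusts the 16-bit length field the client sent and copies that many bytes; the fixed version, following the check added in OpenSSL 1.0.1g, silently discards any request whose declared length does not fit inside the record that actually arrived. The ‘secret’ bytes placed next to the record are constructed.

```python
"""Model of the OpenSSL heartbeat over-read (CVE-2014-0160) and its fix.

Added example; not OpenSSL's C code and not from the original post. A
bytes object stands in for server memory: the received heartbeat record
sits at offset 0 and whatever the allocator placed after it follows.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding

# Constructed stand-in for the memory that happens to follow the record.
SECRET_NEIGHBOUR = b"Cookie: session=abcd1234; -----BEGIN RSA PRIVATE KEY-----"


def heartbeat_record(declared_len, payload):
    """Body of a heartbeat request: type(1) | payload_length(2) | payload | padding.

    A well-behaved client sets declared_len == len(payload); the attack
    sends a tiny payload with declared_len up to 65535.
    """
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + b"\x00" * PADDING


def simulated_memory(record):
    """Server memory right after the record was read in."""
    return record + SECRET_NEIGHBOUR + b"\x00" * 64


def handle_vulnerable(memory, record_len):
    """OpenSSL 1.0.1 to 1.0.1f: believes the client's length field.

    record_len is how many bytes actually arrived; the vulnerable code never
    looks at it.
    """
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hbtype != HB_REQUEST:
        return None
    # memcpy(bp, pl, payload): copies payload_len bytes from where the payload
    # starts, running off the end of the record into neighbouring memory.
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[3:3 + payload_len] + b"\x00" * PADDING


def handle_fixed(memory, record_len):
    """OpenSSL 1.0.1g: bounds-check the declared length against the record."""
    if 1 + 2 + PADDING > record_len:
        return None  # silently discard, per RFC 6520 section 4
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # declared length does not fit the record: silently discard
    if hbtype != HB_REQUEST:
        return None
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[3:3 + payload_len] + b"\x00" * PADDING


def leaked_bytes(response, sent_payload):
    """Bytes in the response payload beyond what the client actually sent."""
    if response is None:
        return b""
    (n,) = struct.unpack("!H", response[1:3])
    return response[3:3 + n][len(sent_payload):]


def demo():
    """Run a benign and a malicious request through both handlers."""
    sent = b"hello"
    requests = {
        "benign": heartbeat_record(len(sent), sent),
        "malicious": heartbeat_record(0xFFFF, sent),  # the classic 64 KB over-read
    }
    results = {}
    for name, rec in requests.items():
        mem = simulated_memory(rec)
        results[name] = {
            "vulnerable": leaked_bytes(handle_vulnerable(mem, len(rec)), sent),
            "fixed": leaked_bytes(handle_fixed(mem, len(rec)), sent),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "vulnerable leaked", len(r["vulnerable"]), "bytes; fixed leaked", len(r["fixed"]), "bytes")
```

The simulated memory is a few hundred bytes, so the slice simply truncates; on a real server the copy keeps going for the full 65535 bytes, and each request lands on a different stretch of heap, which is why attackers sent it in a loop.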

But we’ve heard of OpenSSL exploits/vulnerabilities before, why is this one exciting?


Not only does Heartbleed have its own logo, it has its own website: http://heartbleed.com/


If you want to know all about it, heartbleed.com is full of information and details on the vulnerability for anyone who wants to dig in.


Essentially these are the points made:

  • The bug has been in OpenSSL since 1.0.1 (March 2012), so it may have been exploitable for about two years before it was announced. If someone captured your encrypted traffic at any point in that window and now obtains your private key through this bug, they can decrypt that traffic retroactively, unless the connections used forward-secret (ephemeral Diffie-Hellman) cipher suites.

  • With a stolen private key an attacker can also impersonate your server to your users until the certificate is revoked and replaced, which is why patching alone is not enough.

  • Exploitation leaves nothing in your normal logs: a heartbeat is not an HTTP request, so you cannot tell from the logs you already have what was leaked, or when.

  • This isn’t only about you and your servers. Think about the private data of your users: a password leaked from your server can be reused to get into other, better-secured services around the internet.



Who is impacted :

  • Everyone who uses SSL/TLS is affected in some way, even if only by having to change some passwords.

  • OpenSSL 1.0.1 through 1.0.1f are vulnerable. OpenSSL 1.0.1g and newer are fixed. Servers still on the older 1.0.0 or 0.9.8 branches never had the heartbeat code and are not affected by this bug. Beware that Linux distributions backport fixes without changing the version number, so ‘openssl version’ alone does not tell you whether a build is patched (see the update at the end of this post).

  • The often-quoted figure of “over 66% of web servers” is the combined market share of Apache and nginx, both of which usually link against OpenSSL. The share actually running a vulnerable 1.0.1 build was smaller, but still enormous.

What to do :

  • Upgrade OpenSSL to 1.0.1g, or to your distribution’s package that backports the fix. If you build from source and cannot upgrade, rebuild with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension. Either way, restart every service that has the library loaded (web, mail, VPN, database), since a running process keeps the old code in memory.

  • If you leave a vulnerable heartbeat responder up, expect to be scanned: researchers and hosting providers were probing for it within hours of the announcement, and you may well be contacted by security teams asking you to upgrade.

  • Make sure your users know, either by a site bulletin or perhaps a blog post.

  • Urge users to change their passwords, but only once you’ve patched the server; a password changed on a still-vulnerable server can leak just like the old one.

  • Make it clear that users need to update that password on every other site where it was used.

  • Be honest. Nothing that passed through a vulnerable server can be assumed private at this point, and your users should be told so.

  • Generate a new private key, have a new certificate issued for it, and revoke the old certificate. Reissuing a certificate for the same key is pointless: it is the key that may have leaked.

  • As other servers get patched you can reconnect with them, but the policy should be ‘patch first, trust after’.


..and above all else, Don’t Panic. :)

Update: If you are hosted on CentOS, don’t assume you are vulnerable based on the version alone. In our case we had version 1.0.1e installed, but it had been patched for CVE-2014-0160, which I could confirm with SSH access by looking at the RPM changelog.
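A small triage helper for that situation, added here as an example and not part of the original post: it classifies the output of ‘openssl version’ using the affected range given above, and then, because distributions such as CentOS backport the fix without bumping the version string, checks the package changelog for the CVE identifier before calling a 1.0.1 build vulnerable. The sample version string and changelog are constructed, not captured from a real host.

```python
"""Triage of CVE-2014-0160 from `openssl version` output and a package changelog.

Added example, not from the original post. Upstream 1.0.1 through 1.0.1f
are affected and 1.0.1g fixes it; distributions backport the fix without
changing the version string, so the package changelog is the authority.
The sample outputs below are constructed, not captured from a real host.
"""
import re

CVE = "CVE-2014-0160"
AFFECTED_LETTERS = set("abcdef")  # 1.0.1 (no letter) through 1.0.1f

# Constructed samples of what the two commands return on a backported CentOS build.
SAMPLE_VERSION = "OpenSSL 1.0.1e-fips 11 Feb 2013"
SAMPLE_CHANGELOG = """\
* Tue Apr 08 2014 Example Packager <packager@example.invalid> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Mon Jan 06 2014 Example Packager <packager@example.invalid> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
"""


def version_alone_affected(version_output):
    """Classify on the version number only: True, False, or None if unknown."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?", version_output)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 2) and beta:
        return None  # 1.0.2 pre-releases: consult the release notes, not the number
    if (major, minor, patch) != (1, 0, 1):
        return False  # 1.0.0 and 0.9.8 never had the heartbeat code
    return letter == "" or letter in AFFECTED_LETTERS


def changelog_has_fix(changelog):
    """True if `rpm -q --changelog openssl` (or the Debian changelog) names the CVE."""
    return CVE in changelog


def heartbleed_status(version_output, changelog=""):
    """One of: unknown, not-affected, patched-by-backport, vulnerable."""
    by_version = version_alone_affected(version_output)
    if by_version is None:
        return "unknown"
    if not by_version:
        return "not-affected"
    if changelog_has_fix(changelog):
        return "patched-by-backport"  # still restart every process that uses the library
    return "vulnerable"


if __name__ == "__main__":
    print(heartbleed_status(SAMPLE_VERSION))                    # vulnerable (version alone)
    print(heartbleed_status(SAMPLE_VERSION, SAMPLE_CHANGELOG))  # patched-by-backport
```

On an RPM-based host the two inputs come from ‘openssl version’ and ‘rpm -q --changelog openssl’; on Debian or Ubuntu the changelog is in /usr/share/doc/openssl/changelog.Debian.gz. A “patched-by-backport” result still means nothing until every process that loaded the old library has been restarted.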
 

SEO news blog post by @ 3:27 pm on April 9, 2014


 

Security Tips for Cyber Monday

With holiday shopping in full swing, many small businesses have been preparing for a successful season. With the steady increase in internet banking and shopping there has been an unfortunate rise in identity theft and fraudulent transactions. Becoming a victim of online theft can leave people or businesses facing financial as well as personal loss. Michelle Stone from AmOne gives us some basic tips on how small businesses can keep themselves and others safe online.

More than ever, small businesses are using online shopping to engage a larger clientele. What would be the first move to help prevent online scams and fraud?

Simply put, online retailers, regardless of size, should have at least the basic security and encryption in place. There are a number of companies that provide authentication and security for ecommerce sites. In addition, many web host providers offer packages that include site security. The best, first move? Think like your customers. You’re a customer yourself. Use your experience in shopping online and think of how safe you feel your personal and financial information is. Which online stores have you used and how secure are they? Do they display things like HTTPS before their web address, is there a green padlock in the address bar of the browser, do they have some form of certification? Odds are they have all of this and more and you as a consumer felt confident that your payment information wasn’t going to be compromised. Take notes from these retailers and apply them to your own business.

Are there ways of safeguarding online customers from a cyber-attack?

Customers can be compromised from a number of areas. While you can work to make your website as secure as possible, it’s harder to make sure that your consumers haven’t been compromised in visiting another website or falling prey to a phishing scam. You can educate your customers on what to look for when it comes to spoofing, phishing, pharming, smishing, and even vishing. If you don’t know what those terms are, you should. Do you have frequently asked questions on your website? If so, talk about how you take their online security seriously and explain what they should be on the lookout for. Tell them that they should always go to your website directly and access their account from there. If you have a newsletter or other email marketing, add this information in as well on a regular basis. It can be a monthly security tip. Help your customers help you by informing them and keeping their computers safer. This in turn will help your system limit exposure to a possible attack.

Is there any benefit to educating employees to internet safety?

Your employees are as likely to fall prey to fraud or an online scam as your customers are. There are even more direct threats to your business, threats that use your employees as a way to access sensitive data. Your employees are your first line of defense. Making them aware of social engineering techniques such as someone calling the company and posing as a vendor (or even as a coworker) will help to protect your business from someone wanting to steal information.

What would you consider the best possible way to educate employees?

Keep your employees informed. Many of the exploits that can target your business also affect them as consumers. This will help make the training materials easier to relate to. Just like with assessing your business and where you shop to get a sense of how you can prevent identity theft, put yourself and your employees in your consumer’s shoes. It’s easy to stay informed on the latest scams, fraud schemes, and vulnerabilities through government websites like USA.gov and BusinessUSA.gov.

Is there a particular role a business can play when engaging the online community from social media and client communications?

If nothing else, listen to what’s being talked about in social media and listen to your customers. What are the current security issues and concerns? Twitter is a fast way to find out the latest information, whether it’s breaking news or Twitter chats with non-profit organizations like the Identity Theft Resource Center to learn how you can learn about threats and how to counter them. You can also take part in these chats and share information via social networks and emails to your clients (like a monthly newsletter). You should also claim your name on the major social networking sites, especially those that relate to your business. It can be easy for a fraudster to sign up a social media account in your company’s name and use that to try to defraud your customers out of their personally identifiable information. Make sure your employees and customers know which social networks your company is on and monitor your name and activity for any sign of potential issues (including client reviews).

To sum up online safety for the small business; what would you say is the number one necessary piece of advice to maintain a healthy and safe experience on the internet?

Think of how you use the Internet and what you expect from retail, media, government, medical, even entertainment websites when it comes to the safety and security of your information. Would you trust your own website with your email address? What about your credit card information? If not, why not? Then follow up with: why should a customer trust your site? Keeping it to that simple question, “do you trust your own company’s website?”, can help to guide you in safeguarding your customers’ sensitive data.

SEO news blog post by @ 10:38 am on December 2, 2013

Categories:Cyber-Security

 

Adobe Hacked

Adobe has been hacked, with the credit card information of almost 3 million accounts compromised. This is a huge blow for the company and for the trust users have in it, as well as a solemn reminder for all of us of the fragile nature of our data. We often discuss the privacy concerns around Facebook and Google, but it takes an event like this to remind us that the systems we take for granted every day, like eCommerce, now mandatory for the smooth functioning of our society, are vulnerable at even the highest level.

Admittedly, the current belief is that the card data that was pulled was encrypted. That only helps as far as the key stayed out of the attackers’ reach: a modern cipher is not cracked by throwing computing power at it, but a key stored on the same compromised systems, a weak key, or a scheme that leaks structure (the same card number always encrypting to the same ciphertext) can leave “encrypted” data little better than plaintext. You can ask the NSA for verification on that point, and sophisticated hackers (say, for example, the ones that could break through Adobe’s security) will have the knowledge and resources to look for exactly those mistakes.

I personally got my email notification from Adobe at 11:01PM yesterday, hours after the event occurred.  Now fortunately, I’ve paid for everything via PayPal (admittedly more to avoid currency conversion fees) so it’s not a sizable issue for Beanstalk but for many of my friends and clients this is a huge issue. On their blog they reported the following actions being taken:

As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.

We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.

We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.

We have contacted federal law enforcement and are assisting in their investigation.

I’ll give them kudos for doing what needs to be done and can’t even blame them for it happening.  For those affected, make the appropriate arrangements, and for those unaffected, take this as a serious reminder about what can happen to your credit card information, other private information and your website.

Image source: http://runawayjuno.com/2012/07/21/taos-pueblo-adobe-architecture-new-mexico/

SEO news blog post by @ 10:30 am on October 4, 2013


 

Erasing Your Embarrassments

The online social world has permanently altered the future. Young people are coming of age in an era where they can easily take and post photos online, share them with friends and family, and garner an audience of strangers. Teenagers — notoriously short in foresight, susceptible to “groupthink” and peer pressure, anxious to fit in and define themselves as individuals, exploring new aspects of adulthood — now have access to an infinite audience on the web. The combination often makes for toxic results, and sadly having a sloppy drunken photo on your Facebook page is often the best case scenario. There are already some infamous cases in which teenagers were persuaded or coerced into taking nude photos of themselves, only to find that their audience held them at ransom for years afterward, ruining their lives and threatening their futures. We all know that employers are going to check an interviewee’s social media to see what sort of person they are in their off time; can you imagine trying to apply for a job when you know that your boss could find your most humiliating secret at any time?

The abuse and exploitation of minors in social media circles is an area where the law has yet to catch up to reality. Due to the anonymous nature of the internet, it can be tough to track down a bully, or to prove beyond reasonable doubt that the virtual abuse caused real-life harm. But a lot of the time a teen can be his or her own worst enemy. Take a look at any ‘Facebook Fails’ website and you’ll see hundreds of examples of poor judgment: kids engaged in dumb, illegal, embarrassing, or self-incriminating behavior. They tweet and comment before thinking, all of which will come back to bite them when they find themselves on a major job search.

Image source: http://www.connectsocialmedia.com.au

In this vein, it’s refreshing to read that California Governor Jerry Brown has signed a bill into law which requires websites to remove content when requested to do so by a minor. The bill allows minors to essentially push an “erase button” for digital content; while sites may not be required to completely eliminate the requested data, they have to remove it from the view of the public.

It’s important to note that this law doesn’t apply to content posted by a third party; it sadly can’t remove compromising photos posted by friends, enemies, or blackmailers. The bill doesn’t apply to sites which anonymize the content and/or their users, making it difficult to identify the minor individually. However, it does apply to social media sites, and even sites registered outside of California have to comply if a Californian teen requests the removal of content.

It’s tempting to scoff at this measure and chuckle at the hubris of adolescence. Many people argue that these digital records, however embarrassing or incriminating, are nonetheless important — and public — records of major prejudices, risk-taking behaviors, and other indicators of reliability and respect. But today’s teens are guinea pigs in an experiment which has no precedent; there has never been anything like Facebook before. Their mistakes aren’t unique to their generation; they are, however, far more widely recorded for public consumption. I think it’s a great step towards incorporating the social web into our lives and accepting that it is going to be a permanent part of how we interact with one another for the foreseeable future. If the California law gives teens a chance to clean up their act when those frontal lobe brain cells finally sprout, then they should have the same opportunity as their predecessors to put their best foot forward into young adulthood and beyond.

SEO news blog post by @ 4:40 pm on September 24, 2013


 

That escalated quickly: Google Glass prices, dates, and a spec leak?

I’ve talked about Google Glass already, Finnish them! (Google Glasses and WiFi Liabillity), Google Chronos?, Google develops ARGs for Pirates, many times..

In those articles we were mostly looking at patents and prototypes.

Now we have WIRED.COM and arstechnica.com both spewing out specs based on more patents and some developer info…

Hello? Can you ear me?
  • 802.11 b/g 2.4 GHz WLAN
  • Bluetooth ver 4.0 low-energy radio
  • “Bone Conduction” audio playback
  • a $1,500 (£962) price tag
  • developer shipments in early 2013
  • a projected 2014 launch date

Breaking this down, we learn a fair bit from each fact we can establish.

802.11 b/g support means that N-mode WiFi won’t likely be supported, and the best guess is that it’s being dropped to save power. Additionally, there’s a rumor that the primary data connection for Google Glass will be a tethered cell phone acting as a ‘modem’ of sorts, expanding Glass’s communications range without bulking it up.

The 4.0 version of the Bluetooth radio stack is an exceptionally good match for a device running off of batteries, that sits on your head. This version of the Bluetooth stack supports BLE – Bluetooth Low Energy mode operations that allow a device like Google glass to sip on power and still remain connected to other devices.

If Google Glass had an option to support class 1 (100mW transmissions) it would give you a range of up to 328′ or 100 meters. If you were a household cleaner you could leave your phone in a central location, put on your Google glasses, and record your cleaning efforts directly to your phone or relay it to a remote server. By doing this you could safeguard yourself against damage claims and other issues raised by homeowners.

In fact you could also be listening to some music, without blocking your ability to hear other sounds, like a knock at the door, or someone coming home. This is because the Google glass does not block incoming sounds/cover your ears.

The ‘bone conduction‘ audio drivers on the Google Glass send audio vibrations via your skull bones to your inner ear which then ‘hears’ the vibrations as sound.

This means that if you are driving, biking, walking, etc., you can expect the Google Glass audio feedback to be less of an obstruction/safety risk than typical in-ear or over-ear style systems.

Picture wearing these as a lawyer, and someone is attempting to hold you to words you’ve never even said. You could jump to the date/time the original discussion occurred and play it back verbatim, clearing up any mistakes/poor recollection that might otherwise cause endless headaches.

The catch is that a lawyer or doctor couldn’t ethically record video to an insecure or public location like a ‘Google Hangout’, so Google would have to offer some sort of private video storage/search/retrieval service (I hear they have some experience with video?) with security controls sufficient to satisfy the confidentiality rules those professions work under.

The $1,500.00 price tag is for the Developer’s build of the device, currently being called the ‘Explorer Edition’, that will be shipping this year. In fact Google has said “early this year” as the date, so “sooner than later” is a fine guesstimate.

The signup for the Explorer Edition was actually quite the event, while the attendees were sitting in the conference center Google dropped some ‘Glass’ equipped sky-divers onto the site from an overhead balloon. The video from their Glass units was then streamed inside the event for a bit of a surreal effect.

At the end of the conference the developers willing to pay the $1,500.00 price tag were given a specially etched slate of glass with the serial # of the unit that will be shipped to them later.

Ooooh my precious.. So shiny..

SEO news blog post by @ 10:44 am on February 7, 2013


 

Forget Your Password…it’s ok.

The days of trying to remember passwords and worrying about hacked accounts may be limited. Passwords have been somewhat effective in the past and are an easy way to authenticate web users, but they fall tragically short in security in today’s internet; and they always will.


According to a research paper from Google regarding the future of authentication on the web, the password problem could be solved with the aid of a USB-based Yubico log-on device. Google envisions a future where you only need to authenticate one device (with your smartphone, Yubico key, or perhaps wirelessly) and then use it much like a car key to open up your webmail and other online accounts.

“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” state Google’s Eric Grosse and Mayank Upadhyay.

This small cryptographic device will automatically log in a user to Google using a new protocol (patent pending) for device-based authentication that will be independent of Google and will also prevent web sites from tracking users.

Other than requiring a browser that supports the technology, there is no additional software required, and it could be as easy to use as tapping or swiping your card or key device against the device you want to authenticate on. In order for this new security standard to take hold, Google will need many other websites to get on board.
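To show what “no bearer token” and “sites can’t track you” mean in practice, here is an added example in Python. It is not Google’s or Yubico’s protocol (the post gives no details of that), and it uses HMAC with a shared per-site credential for brevity where the real proposal uses a per-site public-key pair; that simplification means a site’s database leak could be used to impersonate its users at that site, which public keys avoid. It does demonstrate the two properties the post describes: the device answers a one-shot challenge rather than handing over a reusable secret, and each origin gets an unrelated credential and key handle, so two sites cannot tell they are seeing the same device. All names and sample data are constructed.

```python
"""Device-bound challenge-response login with per-site credentials.

Added example; not the Google/Yubico protocol. HMAC stands in for the
public-key signature of the real proposal. Names and data are constructed.
"""
import hashlib
import hmac
import os


class Device:
    """A token holding one master secret that never leaves it."""

    def __init__(self, master_secret):
        self._master = master_secret

    def _origin_key(self, origin):
        # Per-origin credential derived from the master secret. Two origins
        # get unrelated keys, so they cannot correlate the device.
        return hmac.new(self._master, b"key|" + origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        """Return (key_handle, credential) to enrol with this origin."""
        handle = hmac.new(self._master, b"handle|" + origin.encode(), hashlib.sha256).digest()[:16]
        return handle, self._origin_key(origin)

    def respond(self, origin, challenge):
        """Answer a login challenge; the response is bound to both origin and challenge."""
        msg = origin.encode() + b"|" + challenge
        return hmac.new(self._origin_key(origin), msg, hashlib.sha256).digest()


class Site:
    """The relying party: one credential per key handle, one-shot challenges."""

    def __init__(self, origin):
        self.origin = origin
        self._credentials = {}    # key_handle -> credential
        self._challenges = set()  # outstanding challenges, consumed on first use

    def enrol(self, device):
        handle, credential = device.register(self.origin)
        self._credentials[handle] = credential
        return handle

    def new_challenge(self):
        challenge = os.urandom(32)
        self._challenges.add(challenge)
        return challenge

    def verify(self, handle, challenge, response):
        if challenge not in self._challenges:
            return False  # unknown, expired or already used: blocks replay
        self._challenges.discard(challenge)  # one-shot, whatever the outcome
        credential = self._credentials.get(handle)
        if credential is None:
            return False
        expected = hmac.new(credential, self.origin.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def walkthrough(master_secret=None):
    """Enrol one device at two sites and exercise the checks."""
    device = Device(master_secret or os.urandom(32))
    mail, shop = Site("https://mail.example"), Site("https://shop.example")
    h_mail, h_shop = mail.enrol(device), shop.enrol(device)

    challenge = mail.new_challenge()
    response = device.respond(mail.origin, challenge)
    login = mail.verify(h_mail, challenge, response)
    replay = mail.verify(h_mail, challenge, response)  # same response again

    challenge2 = mail.new_challenge()
    cross_origin = mail.verify(h_mail, challenge2, device.respond(shop.origin, challenge2))
    return {"unlinkable": h_mail != h_shop, "login": login, "replay": replay, "cross_origin": cross_origin}


if __name__ == "__main__":
    print(walkthrough())  # {'unlinkable': True, 'login': True, 'replay': False, 'cross_origin': False}
```

Nothing the device sends is useful to a site that intercepts it: the response is only valid for that one challenge at that one origin, which is what separates this from a password or a cookie that can be replayed anywhere it is captured.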

Two years ago, Google launched a two-step authentication option as part of its attempt to increase security for its users. The story of Mat Honan’s encounter with hackers helped to inspire a quarter-million people to adopt the two-step process. Google has not given any idea as to when we may see the new technology released.

SEO news blog post by @ 11:30 am on January 23, 2013


 

In Capitalist Amerika, Television Watches You!

Samsung SMART TV Zero Day Exploit

Thinking of getting someone a great new television for Christmas? You may want to reconsider. There have been many conspiracy theories surrounding the use of televisions by the government to spy on the oblivious population.


Concerns are rising again with Smart televisions that could be used to not only survey the population by the government, but by criminals for nefarious purposes. The scenario reads almost verbatim from George Orwell’s classic novel Nineteen Eighty-Four; with its ubiquitous Telescreen that monitors the private and public lives of the populace in a not-so-far-off dystopian future.

A zero-day vulnerability (one for which no fix was available when it was disclosed) has been found in at least one of Samsung’s Smart TVs. Left unpatched, it could allow attackers not only to glean a user’s social media credentials, but to steal files from connected USB devices and to use attached microphones and cameras to spy on unwary individuals.

The hole was revealed by ReVuln, a company that sells its security research to subscribers; it states that the hole affects Samsung Smart TVs running the latest version of the company’s Linux-based firmware.

ReVuln’s video, “The TV is watching you”, is on Vimeo.

ReVuln posted a video showing an attack on a Samsung TV LED 3D Smart TV that shows an attacker gaining shell access, copying the contents of the hard drive to an external device and mounting them on a local drive, allowing access to photos, documents, online credentials for social networks or other online services.

Samsung sells a number of different Smart TVs that combine high definition viewing with tablet-like features and allow for web browsing (Anyone remember WebTV?). One of the accessories that is offered is the Smart TV Skype Camera which allows users to chat with other Skype users through their television. So far, Samsung has not commented on the details of the security hole, or what they are doing to correct it.

Smart TVs do not offer the native security features standard on most other IP-enabled devices, such as a firewall, user authentication or application whitelisting. Perhaps most worrying is that there is no way for the owner to apply a fix independently: without a firmware update from Samsung the hole stays open, since installing anything else voids the manufacturer’s warranty.

SEO news blog post by @ 11:35 am on December 17, 2012


 

Microsoft Fails AV–Test Certification

Every couple of months, AV-Test, The Independent IT-Security Institute, runs a barrage of tests on popular antivirus products to see how they compare to each other and whether they meet the criteria to be effective antivirus programs.


Their latest tests were run on both Windows XP and Windows 7, from September to October. The results were quite shocking, especially for those of us running Microsoft Security Essentials: Microsoft received the lowest rating of all the security products tested and was the only one that failed to receive AV-Test’s "Pass Certificate."

The tests AV-Test runs fall into three categories: protection, repair and usability. A product can earn from 0 to 6 points in each category. To become certified, a product needs at least 11 of the 18 possible points. Of the 23 products tested, 16 scored lower this time than in the previous test.

The Losers:

  • AVG Anti-Virus Free Edition = 12.5
  • VIPRE Internet Security = 12.0
  • Microsoft Security Essentials = 10.5

Each of these products scored a full 3 points lower than in the previous Windows 7 test. At 12.5 and 12.0 points respectively, AVG and VIPRE barely passed; Microsoft, at 10.5 points, failed.

The Winners:

BitDefender Internet Security emerged victorious at the top of the list with 17 points. F-Secure and Kaspersky came in a close second with 16.5 points each (the previous test had them at 15.5 and 15.0). Norton Internet Security dropped from 15.5 to 15.0.

Parallel tests were run by AV-Test on security products geared towards businesses such as F-Secure, Kaspersky, McAfee, Microsoft, Sophos, Symantec, Trend Micro and Webroot.

The results were very similar. F-Secure led with 16.5 points, and Microsoft was again at the bottom with a scant 9.5 points, 2.5 points below the cutoff required to obtain AV-Test certification.

Windows Defender, which on Windows 8 uses the same engine as Microsoft Security Essentials, comes pre-enabled on the new Windows 8 release when no other security product is installed, leaving your system in a dismal state of vulnerability. I will definitely be uninstalling Microsoft Security Essentials tonight!

SEO news blog post by @ 10:31 am on December 3, 2012


 

Time to look at your Google Calendars (Again)

October is a trade off between birthdays (New-years babies unite!), feasting, and parties, vs. bearing witness to the lament caused by waking up in the dark, low energy, and the changing seasons.

Google can’t change the position of the sun, but it could improve your mood by helping quickly add events to your calendar.


 
To get more events on your calendar, without importing or adding them one at a time you need to ‘subscribe’ to additional calendars.

The first step, after getting logged into a Google account is to click on the Other Calendars menu and choose the “Browse Interesting calendars” option:


 
On the next page you should see three tabs, “Holidays”, “Sports”, and “More”.

I’d say everyone should add their national holidays, even if you’ve done this before, take a moment to preview the official calendar for your country, as the official version is likely a lot better than what you’ve been subscribing to.

The sports tab is pointless, since we’re nerds, and there’s no WRC/Drifting events in the list. (I kid, I kid.. No, not really.)

Finally the ‘More’ tab is where the magic happens.

Under the ‘More’ tab you want to seek out: “Contacts’ birthdays and events”

Subscribing to this calendar and allowing it to show on your main calendar will help you track all those birthday parties that will help get you through this dreary fall season.

Keep in mind however that subscribing to a calendar does not modify your calendar, nor does it add notifications or alerts to your calendar.

If you want to be reminded a week ahead of your best friend’s birthday, you should go make that event manually.

If you just want to know on the day of his birthday that you forgot, then you can simply click on the birthday’s calendar item and then click on “copy to my calendar” to get that event on your personal calendar.

All my friends use FB not G+ so who cares?

Well, at least in New Zealand, G+ user interest is actually passing Twitter/Linked In for new users, and making up ground quickly on Facebook.

Roy Morgan’s analysis of social media trends in NZ is a bit hard to look at (even upside down), but the data is very telling of the growth G+ is getting from the adoption of Android phones and other Google products.

I’d love to say that G+ is just more social/edgy/trendy than FB but that’s never what it’s been for/about.

If you’ve read any of my rants about comparing the two social networks you’ll know I look at it like replacing a banana (FB) with an orange (G+).

On one hand, a banana can be fun, especially if you’re care-free about discarding the peel, but an Orange has some serious potentials that a Banana lacks, especially in clean presentation.

Ultimately, as SEOs we would advise paying respects to both networks, as each has its perks, though G+ hasn’t made news this week for app developers selling 1 million user profiles for $5 US.

TL;DR: Man buys 1 million user data records (mainly First/Last Name, Gender, Age, Email, Phone #,etc.. data) for $5 and FB thanks him by telling him not to talk about it.

So really, enjoy your access to private data while it lasts, build those calendars while it’s easy, because if we have app developers selling a million user data records for $5, you can be sure people won’t want to share valid info with insecure sites. In fact due to this, it’s better to put in intentionally incorrect info and only trust services with solid security reputations.

SEO news blog post by @ 11:47 am on October 25, 2012


 

Copyright© 2004-2014
Beanstalk Search Engine Optimization, Inc.
All rights reserved.