
Ebay Hit by Cyber Attack

Ebay has announced that it was hit by a massive cyber attack today that may have exposed some customer information. Although it’s been reported that no financial information was stolen, they are urging clients to change their passwords immediately.

The compromised information included:

  • Name
  • Password
  • Email Address
  • Physical Address
  • Phone Number
  • Date of Birth

Ebay’s official release has stated that hackers may have gained access through employee log-in credentials, which in turn granted them access to the corporate network. Ebay has stated it is working closely with its security experts and law enforcement agencies. For more information, please read the full story here.

SEO news blog post by @ 5:48 pm on May 21, 2014


 

Is the heart of your website beating or bleeding?


The Heartbleed Bug is a serious SSL/TLS encryption vulnerability in the popular OpenSSL cryptographic software library. So what is it?


Seems like we’ve heard this all before?



To put it into layman’s terms, Heartbleed or CVE-2014-0160, depending on your pedantic nature, is a really bad thing.

In less simple terms, the ‘heartbeat’ service of OpenSSL can be exploited to ‘leak’ its memory and reveal the contents of otherwise protected/encrypted data.

But we’ve heard of OpenSSL exploits/vulnerabilities before, why is this one exciting?

Heartbleed vulnerability logo

Not only does Heartbleed have its own logo:

..it has its own website: http://heartbleed.com/


If you want to know all about it, the heartbleed.com website is full of details on the vulnerability for anyone who wants to dig right in.


Essentially these are the points made:

  • This vulnerability has been around for years and so if someone had captured traffic from a year ago, and then got your secret keys with this exploit, this could allow them access to data you thought nobody could touch.

  • Using this exploit to impersonate your servers could allow an attacker even more access.

  • This is untraceable at the moment: exploitation leaves no trace in server logs, so you don’t know what secure/protected content was stolen, or when.

  • This isn’t even all about you and your servers, think about the private data of your users and how a common password could be stolen from your server and used to infiltrate other more-secure servers around the internet.



Who is impacted:

  • Everyone that uses SSL is impacted in some way, even if all you have to do is change some passwords. This will impact you.

  • OpenSSL 1.0.1 through 1.0.1f are vulnerable. OpenSSL 1.0.1g and newer are fine. Very old servers still running a version that predates the heartbeat feature are not affected.

  • It’s estimated that this applies to over 66% of the web servers on the internet.

What to do:

  • Upgrade OpenSSL and/or disable the heartbeat function.

  • If you don’t disable the heartbeat function you can expect to be contacted by security teams checking to make sure you’ve upgraded.

  • Make sure your users know, either by a site bulletin, or perhaps a blog post?

  • Urge users to make password changes once you’ve secured your server.

  • Make it clear that users need to update that password on all sites that it was used on.

  • Be honest. No data can be assumed private at this point, and your users should be told that plainly.

  • Revoke and reissue your server’s private keys and certificates, since the old keys may have been leaked.

  • As servers get patched you can reconnect with them, but there should be a ‘patch first, trust after’ policy.


..and above all else, Don’t Panic. :)

Update: If you are hosted on CentOS, don’t assume you are vulnerable based on the version alone. In our case we had version 1.0.1e installed but it has been patched for CVE-2014-0160, which I can confirm with SSH access and looking at the RPM changelog.
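To make that CentOS caveat repeatable, here is an added shell example; it is not code from this post or from any distribution’s tooling. It combines the packaged OpenSSL version with the RPM changelog, the same two things checked over SSH above, and reports one of three states. The function names and the sample changelog entries are constructed for the example, and the version table goes slightly beyond the post by also treating the 1.0.2-beta1 pre-release as vulnerable, as heartbleed.com lists it.

```shell
#!/bin/sh
# Added example, not code from the Beanstalk post. An OpenSSL package is only
# exposed to CVE-2014-0160 if its upstream version is in the vulnerable range
# AND the distribution has not backported the fix. Function names and sample
# changelogs below are constructed for this example.

# Decide exposure from a version string and the text of the package changelog.
# Prints one of: vulnerable, patched-backport, not-vulnerable
heartbleed_status() {
    version="$1"     # upstream version as packaged, e.g. "1.0.1e"
    changelog="$2"   # output of: rpm -q --changelog openssl

    case "$version" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)
            # Upstream-vulnerable release. A vendor may have backported the
            # fix without bumping the version, so consult the changelog.
            if printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then
                echo "patched-backport"
            else
                echo "vulnerable"
            fi
            ;;
        *)
            # 1.0.1g and later carry the upstream fix; the 1.0.0 and 0.9.8
            # branches never implemented the heartbeat extension.
            echo "not-vulnerable"
            ;;
    esac
}

# Run the check against the local RPM database (CentOS/RHEL/Fedora).
# If several openssl packages are installed (x86_64 and i686), the first
# version is used; both normally share one changelog.
check_installed_openssl() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; run this on an RPM-based host" >&2
        return 2
    fi
    heartbleed_status \
        "$(rpm -q --queryformat '%{VERSION}\n' openssl | head -n1)" \
        "$(rpm -q --changelog openssl)"
}

# Constructed sample changelogs (not real CentOS changelog entries).
SAMPLE_PATCHED='* Tue Apr 08 2014 Example Maintainer <maint@example.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Mon Jan 06 2014 Example Maintainer <maint@example.com> 1.0.1e-16.4
- rebuild against updated dependencies'

SAMPLE_UNPATCHED='* Mon Jan 06 2014 Example Maintainer <maint@example.com> 1.0.1e-16.4
- rebuild against updated dependencies'

# Demo: the same version string gives a different answer depending on the
# changelog, which is exactly the trap the CentOS update above warns about.
printf '1.0.1e with backport:    %s\n' "$(heartbleed_status 1.0.1e "$SAMPLE_PATCHED")"
printf '1.0.1e without backport: %s\n' "$(heartbleed_status 1.0.1e "$SAMPLE_UNPATCHED")"
printf '1.0.1g:                  %s\n' "$(heartbleed_status 1.0.1g "$SAMPLE_UNPATCHED")"
printf '1.0.0l:                  %s\n' "$(heartbleed_status 1.0.0l "$SAMPLE_UNPATCHED")"
```

Run it as-is to see the demonstration on the constructed samples, or call check_installed_openssl on an RPM-based host. Debian-derived systems backport fixes the same way, so read the package changelog there too rather than trusting the version string. After upgrading, restart every service that had the old library loaded (or reboot): a process keeps using the copy of libssl it mapped at startup until it is restarted.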
 

SEO news blog post by @ 3:27 pm on April 9, 2014


 

Adobe Hacked

A siege on Adobe.

Adobe has been hacked, with the credit card information of almost 3 million accounts compromised. This is a huge blow for the company and for the trust users have in them, as well as a solemn reminder for all of us of the fragile nature of our data. We discuss often the privacy concerns around Facebook and Google, but it takes an event like this to remind us that the systems we take for granted every day, like eCommerce – mandatory now for the smooth functioning of our society – are vulnerable at even the highest level.

Admittedly, the belief currently is that the credit card data pulled was encrypted, but anyone familiar with encryption knows that with enough time and computing power, it can be cracked. You can simply ask the NSA for verification on that point, and sophisticated hackers (say, for example, the ones that could break through Adobe’s security) will have access to the knowledge and resources to get it done.

I personally got my email notification from Adobe at 11:01PM yesterday, hours after the event occurred.  Now fortunately, I’ve paid for everything via PayPal (admittedly more to avoid currency conversion fees) so it’s not a sizable issue for Beanstalk but for many of my friends and clients this is a huge issue. On their blog they reported the following actions being taken:

As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.

We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.

We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.

We have contacted federal law enforcement and are assisting in their investigation.

I’ll give them kudos for doing what needs to be done and can’t even blame them for it happening. For those affected, make the appropriate arrangements, and for those unaffected, take this as a serious reminder about what can happen to your credit card information, other private information and to your website.

Image source: http://runawayjuno.com/2012/07/21/taos-pueblo-adobe-architecture-new-mexico/

SEO news blog post by @ 10:30 am on October 4, 2013


 

The Sci-Fi Reality of Google’s Pay-Per-Gaze Patent

Steven Spielberg’s 2002 film Minority Report takes place in Washington, DC, in the year 2054. It centers around a police officer (Tom Cruise) who is the head of the PreCrime police force, which uses precognitive visions to prevent murders before they take place. When Cruise’s character is predicted to commit murder, he is forced to go on the run and try to clear his name. The film garnered praise not only for its action-packed plot, but also for its uniquely plausible vision of the future of American life. One of the most memorable—and plausible—aspects of the setting was the way retinal scanners were used to track citizens at all times. But the technology wasn’t only for identification purposes; it was also used by electronic billboards in public areas, which would deliver direct advertisements to passersby. In fact, the constant identification forces Cruise’s character to undergo a black market eye replacement so that he can move in public without being called out by name and tipping off the authorities.

Spielberg received praise for Minority Report‘s examination of privacy invasion and the consequences of having personal information used for commercial gains; it was a unique spin on the conventional Orwellian surveillance scenario that was grounded in the established advertising industry’s continual efforts to maximize their advertisement ROI. According to Jeff Boortz, who oversaw the product placement in the film, the billboards would “recognize you—not only recognize you, but recognize your state of mind.”

minority google glass

Last week, tech blogs reported that back in 2011, Google patented a Gaze Tracking System for a head-mounted device that—in 2013—sounds an awful lot like Google Glass. The technology (found here) monitors eye movements to track what a user is looking at, and can even sense emotional responses via pupil dilation. The technology is proposed to have several useful applications, but one of the most pertinent for Google is a “pay-per-gaze” advertising feature. According to the patent, the system can potentially charge advertisers based solely on whether a user actually looked at their ad—not just for online advertisements, but also for billboards, newspapers, and other commercials. The idea is similar to the existing pay-per-click model used on Google search results, except it would apply to everything you viewed while walking to work on a Monday morning.

The patent was filed two years ago, but only became public in mid-August, and it sounds remarkably similar to the constant surveillance in Minority Report—where your personal information is most highly valued for its ability to direct efficient advertisements your way. To companies, it’s a dream come true; rather than trying to guess how to appeal to a large demographic, they could target individuals who are far more likely to buy the product. The ratio of advertising cost to return on investment could shrink immensely. There are even benefits for the user, who would only see relevant ads and wouldn’t have to suffer through annoying ones they’d normally ignore. But it’s also not surprising that some have voiced concerns over being constantly tracked like this; it’s enough to give any privacy expert nightmares, and it’s not difficult to envision how the pay-per-gaze system could be used against you. While a set of removable glasses is far less invasive than the retinal scanners in Minority Report, and it’s unlikely that a fugitive on the run would don the specs, it’s still not impossible to imagine a scenario where a private matter is made public by advertisers because of what you’ve looked at recently.

To their credit, Google has anticipated the possible backlash; the patent details options to anonymize data and to opt out of what information is gathered and collected. Furthermore, as Phys.org points out, a patent does not necessarily guarantee a product will be developed. But that said, Google Glass is already in existence, and its use in commercial advertising ventures has yet to be seen. Time will tell if this technology will end up integrated into the glasses, and whether we as a society will be willing to sacrifice a large amount of our privacy for the convenience of personalized advertisements.

SEO news blog post by @ 3:45 pm on August 20, 2013


 

Forget Your Password…it’s ok.

The days of trying to remember passwords and worrying about hacked accounts may be limited. Passwords have been somewhat effective in the past and are an easy way to authenticate web users, but they fall tragically short in security in today’s internet; and they always will.

USB token

According to a research paper from Google regarding the future of authentication on the web, the password problem could be solved with the aid of a USB-based Yubico log-on device. Google envisions a future where you only need to authenticate one device (with your smartphone, Yubico key, or perhaps wirelessly) and then use it, much like a car key, to open up your webmail and other online accounts.

“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” state Google’s Eric Grosse and Mayank Upadhyay.

This small cryptographic device will automatically log in a user to Google using a new protocol (patent pending) for device-based authentication that will be independent of Google and will also prevent web sites from tracking users.

Other than requiring a browser that supports the technology, there is no additional software required, and it could be as easy to use as tapping or swiping your card or key device against the device you want to authenticate. In order for this new security standard to take hold, Google will need many other websites to get on board.

Two years ago, Google launched a two-step authentication option as part of their attempt to increase security for its users. The story of Mat Honan’s encounter with hackers helped to inspire a quarter-million people to adopt the two-step process. Google has not given any idea as to when we may see the new technology released.

SEO news blog post by @ 11:30 am on January 23, 2013


 

Oracle is meddling with search results?!

Like most headlines, there’s some leaping between facts going on, but we’ll connect the dots in short order, don’t you fret.

Scooby Doo Cartoon with additional logos
We want our Google results, not some Mystery Machine!?

 
Have you noticed how much/often Oracle has been updating Java on your machine lately?

You’d think, with all those security patches they are fixing, that if you turned on a PC that has been dormant for 6 months it would be instantly hacked through its outdated Java upon loading nearly any web page?

Well that’s not exactly true, so what is true?

Here’s a list:

  • Oracle gets page traffic with each update
  • Ask.com pays for each install of the Ask Toolbar
  • By default the Ask.com toolbar is installed
  • Each update is a risk you won’t opt-out and click next
  • The Ask.com install waits 10 mins to install
  • Delayed invisible installs are a malware tactic
  • The Ask.com toolbar intercepts and modifies searches
  • Removing Ask’s toolbar won’t restore your search settings

Those are facts, and it doesn’t take a silver-tongued writer to get the reader to acknowledge how they all connect.

It’s so bad that IE, Firefox, and Chrome are all delivering UI changes to make these installs a lot clearer to the end user..

.. and Ask.com has already started adding ‘helpers’ to make the new UIs less likely to halt an installation where the user is just clicking along.

So it’s a back and forth struggle to keep your web browser free from unwanted clutter that pretends to be of value but actually alters your search results and steers you towards paid sites/links vs. organic search results.

How can you opt out of the war for your clicks?

If you don’t need Java, just don’t install it to begin with. If you hit something that needs Java then go ahead and use it; but don’t just install Java because you think it’s crucial.

You also don’t want to confuse JavaScript with Java; for some folks the Oracle Java installation can be completely avoided.

Use a clean installer without the added Ask.com payload. Since Oracle isn’t publishing any recent versions of the Java installer without the Ask.com toolbar components, this requires you to trust an outside 3rd party’s assistance, or use a risky/outdated version of Java.

Ninite icon
Ninite.com

What can I say about Ninite.com? In my nerdy travels online I’ve yet to discover an easier method of installing apps without the added payloads.

Not only that, but Ninite allows you to bundle up a ton of installs into one package with zero ‘next’ clicking as the packages install. Heck, you can even save the package URL for later, or share it with friends to help them install a specific set of apps!

Since Ninite grabs the source from the actual websites, you will get trusted/current code, without the bother of carefully installing each app and sidestepping all the additional packaged software/malware.

Plus as a one-stop reference to the most popular free installations, Ninite is also great for folks that want to stick with mainstream applications and avoid trying out some ‘less popular’ choices.

I hope this helps our readers avoid some hassles, get honest search results from the search engine you’ve selected, and perhaps even gives folks the motivation to try uninstalling Java completely to see just what the heck is using it anyway.

SEO news blog post by @ 1:31 pm on January 22, 2013


 

In Capitalist Amerika, Television Watches You!

Samsung SMART TV Zero Day Exploit

Thinking of getting someone a great new television for Christmas? You may want to reconsider. There have been many conspiracy theories surrounding the use of televisions by the government to spy on the oblivious population.

1984 book cover

Concerns are rising again with Smart televisions that could be used to surveil the population, not only by the government but by criminals for nefarious purposes. The scenario reads almost verbatim from George Orwell’s classic novel Nineteen Eighty-Four, with its ubiquitous Telescreen that monitors the private and public lives of the populace in a not-so-far-off dystopian future.

A so-called “zero day” security hole has been found in at least one of Samsung’s Smart TVs that, if left unpatched, could allow hackers not only to glean a user’s social media credentials, but also to steal files from connected USB devices and to use attached microphones and cameras to spy on unwary individuals.

The exploit was revealed by ReVuln, a company that sells research on technology security issues to its subscribers, which states that the hole affects Samsung Smart TVs running the latest version of the company’s Linux-based firmware.

ReVuln – The TV is watching you from ReVuln on Vimeo.

ReVuln posted a video showing an attack on a Samsung LED 3D Smart TV in which an attacker gains shell access, copies the contents of the hard drive to an external device and mounts them on a local drive, giving access to photos, documents, and online credentials for social networks or other online services.

Samsung sells a number of different Smart TVs that combine high definition viewing with tablet-like features and allow for web browsing (Anyone remember WebTV?). One of the accessories that is offered is the Smart TV Skype Camera which allows users to chat with other Skype users through their television. So far, Samsung has not commented on the details of the security hole, or what they are doing to correct it.

Smart TVs do not offer the native security features standard on most IP-enabled devices, such as a firewall, user authentication or application whitelisting. Perhaps most shocking is that there is no way to independently apply a software update to correct the problem. This means that without a firmware update directly from Samsung, the security hole remains open and cannot be patched without voiding the manufacturer’s warranty.

SEO news blog post by @ 11:35 am on December 17, 2012


 

Microsoft Fails AV-Test Certification

Every couple of months, the company AV-Test, The Independent IT-Security Institute, runs a barrage of tests on popular antivirus security programs to see how they compare to each other and whether they meet certain criteria to be effective as antivirus programs.

Microsoft Internet Security fail

Their latest tests were run on both Windows XP and Windows 7 and ran from September to October. The results were quite shocking, especially for those of us running Microsoft Security Essentials. Microsoft received the lowest rating of all security products tested and was the only one that failed to receive AV-Test’s "Pass Certificate."

The tests that AV-Test runs fall into three categories: protection, repairs and usability. In each category, a product can earn from 0 to 6 points. To become certified, a product needs to earn at least 11 out of 18 possible points. Of the 23 products that were tested, 16 products scored less this time than in the previous test.

The Losers:

  • AVG Anti-Virus Free Edition = 12.5
  • VIPRE Internet Security = 12.0
  • Microsoft Security Essentials = 10.5

Each of these products scored a full 3 points lower than in the previous Windows 7 test. At 12.5 and 12.0 points respectively, AVG and VIPRE barely passed. Microsoft, at 10.5 points, failed miserably.

The Winners:

BitDefender Internet Security emerged victorious at the top of the list of contenders, with 17 points. F-Secure and Kaspersky came in at a close second with 16.5 points (the previous test had them at 15.5 and 15.0). Norton Internet Security dropped from 15.5 to 15.0.

Parallel tests were run by AV-Test on security products geared towards businesses such as F-Secure, Kaspersky, McAfee, Microsoft, Sophos, Symantec, Trend Micro and Webroot.

The results showed very similar figures. In the lead was F-Secure with 16.5 points, and Microsoft was again a dismal failure, sitting on the bottom with a scant 9.5 points; 2.5 points below the cutoff for the lowest level required to obtain AV-Test Certification.

Windows Defender comes pre-enabled on the new Windows 8 release in the absence of other installed security products, leaving your system in a dismal state of vulnerability. I will definitely be uninstalling Microsoft Security Essentials tonight!

SEO news blog post by @ 10:31 am on December 3, 2012


 

Time to look at your Google Calendars (Again)

October is a trade off between birthdays (New-years babies unite!), feasting, and parties, vs. bearing witness to the lament caused by waking up in the dark, low energy, and the changing seasons.

Google can’t change the position of the sun, but it could improve your mood by helping you quickly add events to your calendar.

Example of a Google calendar with more calendars added to it.
I tried to get a screenshot of the weather feature but only so much fits in 550px

 
To get more events on your calendar, without importing or adding them one at a time you need to ‘subscribe’ to additional calendars.

The first step, after getting logged into a Google account is to click on the Other Calendars menu and choose the “Browse Interesting calendars” option:

The Other Calendars menu in Google Calendars.

 
On the next page you should see three tabs, “Holidays”, “Sports”, and “More”.

I’d say everyone should add their national holidays. Even if you’ve done this before, take a moment to preview the official calendar for your country, as the official version is likely a lot better than what you’ve been subscribing to.

The sports tab is pointless, since we’re nerds, and there’s no WRC/Drifting events in the list. (I kid, I kid.. No, not really.)

Finally the ‘More’ tab is where the magic happens.

Under the ‘More’ tab you want to seek out: “Contacts’ birthdays and events”

Subscribing to this calendar and allowing it to show on your main calendar will help you track all those birthday parties that will help get you through this dreary fall season.

Keep in mind however that subscribing to a calendar does not modify your calendar, nor does it add notifications or alerts to your calendar.

If you want to be reminded a week ahead of your best friend’s birthday, you should go make that event manually.

If you just want to know on the day of his birthday that you forgot, then you can simply click on the birthday’s calendar item and then click on “copy to my calendar” to get that event on your personal calendar.

All my friends use FB not G+ so who cares?

Well, at least in New Zealand, G+ user interest is actually passing Twitter/LinkedIn for new users, and making up ground quickly on Facebook.

Roy Morgan’s analysis of Social Media trends in NZ is a bit hard to look at (even upside down) but his data is very telling of the growth that G+ is getting from the adoption of Android phones and other Google products.

I’d love to say that G+ is just more social/edgy/trendy than FB but that’s never what it’s been for/about.

If you’ve read any of my rants about comparing the two social networks you’ll know I look at it like replacing a banana (FB) with an orange (G+).

On one hand, a banana can be fun, especially if you’re care-free about discarding the peel, but an orange has some serious potential that a banana lacks, especially in clean presentation.

Ultimately, as SEOs we would advise paying respects to both networks as each has its perks, though G+ hasn’t made news this week for app developers selling 1 million user profiles for $5 US.

TL;DR: Man buys 1 million user data records (mainly first/last name, gender, age, email, phone number, etc.) for $5, and FB thanks him by telling him not to talk about it.

So really, enjoy your access to private data while it lasts, and build those calendars while it’s easy, because if we have app developers selling a million user data records for $5, you can be sure people won’t want to share valid info with insecure sites. In fact, due to this, it’s better to put in intentionally incorrect info and only trust services with solid security reputations.

SEO news blog post by @ 11:47 am on October 25, 2012


 

Windows 8 / IE10 and Flash Certification

Windows 8 is a tablet OS, and like any modern OS focused on tablets/touch/mobility options, there are compatibility concerns with content not specifically written for a tablet/mobile device.

Apple’s famous for their certification process and using it for more than just the sake of ‘quality’ or ‘compatibility’ controls.

Indeed, Microsoft has had certification for drivers and applications in Windows for some time, but never to the point where something cannot be used without their certification.

If you wanted to install something that isn’t certified you’ll get a spooky warning, but I’ve never seen something completely fail to work due to a bad/missing certification on Windows.

Enter Windows 8 and IE10, a whole new ballgame, with two browser modes, one for normal use and a ‘desktop’ integration mode which has to play nice with the new Windows UI.

If you wish to publish web content that leverages the new ‘desktop mode’ you’ll want to visit Microsoft’s ‘developer guidance’ page for information on new meta tags and HTTP header codes that help flag such content.

In a nutshell they explain that either the header:

X-UA-Compatible: requiresActiveX=true

OR the meta tag:

<meta http-equiv="X-UA-Compatible" content="requiresActiveX=true" />

… work to create a handy little prompt explaining that the content on the page requires the page to be viewed in ‘desktop’ mode, and even gives a single-click shortcut to switch over:

IE10 desktop warning

The same page also deals with ‘Compatibility Verification’ and the steps to test/certify that your flash content is compatible with the extra features of a tablet OS.

Of particular interest is the option of a single registry entry that allows testing of your site for ‘debugging’ to see just how broken your flash content is.

The key is located here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Flash\DebugDomain
.. and if you wanted to make a .reg file for easy access, the contents would be (the key and its default value go on separate lines, and the blank lines are required):
REGEDIT4
**Blank Line/Carriage Return**
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Flash\DebugDomain]
@="www.mywebsite.com"
**Blank Line/Carriage Return**

At that point you could right-click the .reg file you made and click on ‘install’ from within the pop-up menu.

Passing this .reg file to your developers would be fine, but since only one site can be specified, this is NOT a solution for your end users.

Obviously the best advice we can give, as SEOs, is to ditch your Flash content completely.

HTML5 with all its perks can replace almost anything you’ve done in Flash, and Google’s even willing to help you make the switch by offering the Swiffy Flash -> HTML5 Conversion Tool.

If you feel your content is too sophisticated for Swiffy, or you haven’t tried the tool recently, you should!

Here’s an example of how well the tool works on a flash game with keyboard and mouse controls:

Embedded Swiffy example: https://swiffypreviews.googleusercontent.com/view/gallery/example3_swiffy_v4.9.html

SEO news blog post by @ 12:07 pm on October 11, 2012


 

Copyright© 2004-2014
Beanstalk Search Engine Optimization, Inc.
All rights reserved.