    Beanstalk's SEO News Blog

    At Beanstalk Search Engine Optimization we know that knowledge is power. That's the reason we started this SEO blog. We know that the better informed our visitors are, the better the decisions they will make for their websites and their online businesses. We hope you enjoy your stay and find the SEO news contained within this blog useful.


    June 21, 2011

    Bitcoin takes a beating..

    Bitcoin had a serious case of the Mondays yesterday as the EFF dropped the currency for donations, and MtGox, a major international exchange, managed to spill over $5 million worth of BTC in a public ‘free for all’ moment. One lucky fellow snatched up over $5 million worth of BTC with a mere $2,613 by wisely setting an unlimited buy order at $0.0101 (everyone else was bidding $0.01).

    The EFF's move isn't so bad when you pick it apart. Accepting any donation might seem harmless, but if the charity needs to convert that donation to a currency it becomes an issue. The EFF cannot responsibly spend BTC, or exchange it, without exposing itself to legal entanglement in doing so. Until the currency is ‘trouble free’ the best option for a huge non-profit is to avoid that donation.

    In a post from Cindy Cohn on the EFF blog the issue is broken down three ways:

    • Lack of understanding with regard to legality of BTC
    • Misleading donors with regard to value and use of donations
    • Giving a false endorsement of Bitcoin technology

    Going forward the EFF's plan is to simply dump the donated BTC into the public faucet, where they will be given away in small chunks to fresh Bitcoin users (or existing users who have never drunk from the faucet). Don’t hurt yourself rushing on over for your handout; the current give-aways are only around 55 cents US when there’s more than 50 BTC in the faucet.

    Speaking of give-aways, the $5 million I mentioned at the start of the article is apparently pending the decision of the folks running the exchange. The story is the very essence of TL;DR, so let me try to put it into point form:

    • MtGox set up a BTC exchange in Japan
    • MtGox’s auditors were hacked and an encrypted file was stolen
    • Alerts went out to change passwords and secure accounts
    • At some point on the 19th an MtGox user put a gigantic sell order up
    • As the sell was taking place Kevin Day took note, offering $0.0101 per BTC
    • By the end of the trading Kevin had purchased ~260k BTC for $2,613
    • Kevin took out 643.27 BTC (~$8,000 US) and placed it into a personal wallet
    • MtGox claims that the day of trading broke exchange rules and must be reversed
    • Initially MtGox was considering a review by the FBI but at the moment it seems they are focused on a roll-back
    • MtGox has not mentioned an ability to reverse coins that left the exchange which creates a large problem

    At this point the MtGox sites are having a hard time staying up and as of 11:40AM GMT they are struggling to allow users access to ‘reclaim’ accounts. I gave up on the site personally and have just been looking in Google’s cached results (a great solution for overloaded websites any time something like this happens).

    There is also mention of the exchange going back on-line when the accounts are sorted out, and the claim that once the site is back on-line, trades 218869~222470 will be reverted and the exchange price will be going back to ~$17.50/BTC. Given everything that has happened this seems really optimistic to me.

    Can’t wait to see what happens tomorrow.

    SEO news blog post by @ 8:48 pm



    May 26, 2011

    There’s no defense for popularity..

    I was going to title this post with something a bit more ‘Apple’ but the real problem with malware is popularity.

    Recently Apple had to fight off a rather annoying malware attack from an application called Mac Defender that masqueraded as a useful utility for Apple’s OS X. Users duped into installing the fake application were rewarded with unwanted content and a security breach of private files on the machine. Many sites grumbled that Apple’s fix took 3 weeks to deliver, and users who weren’t savvy were easy victims for that time period.

    Last night I started getting pings from news sites on the web that a fresh deployment of MacDefender was hitting OS X users under a slightly different name, “MacGuard”. Along with the name change, the new malware seems to have found a loophole in the installer options that allows it to self-install without even needing to trick the user into clicking anything. Clearly Apple will need to have a better response time than 3 weeks on this new version of the malware:

    From early reports, if you are not surfing the web as an administrator the malware cannot install itself without prompting for the administrator password, which should help slow down the spread. Sadly OS X’s default account is the administrator account, so it’s rather common for users to be surfing the web as the administrator.

    “Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.”

    Let's be clear, however, that savvy users saw this coming and it was really only a matter of time before the popularity of OS X became a problem. Now that it’s worthwhile to go after OS X users, expect it to happen, and take every precaution you can. Hopefully Apple’s next update won’t take too long.

    SEO news blog post by @ 8:26 pm

    Categories: internet security

    March 5, 2010

    Google docs invitation share scare. A curious security oversight?

    Recently we’ve been looking into using Google Docs to remove some of the headache of read-only and lock-file issues that are a frequent occurrence on network drive shares. While Google Docs is for the most part quite promising, we ran into an interesting and somewhat frightening snag that we’ve since reported to Google. As with any service this large there are bound to be some oversights that turn up only in widespread use. I’ve been unable to find whether this issue has already been posted elsewhere, so here’s what we found.

    Security scenario:

    • A user creates a new Google Docs document.
    • They send an invitation to share this document with several email addresses via the share option.
    • The email containing a link to the shared document invitation is received via company email.
    • The recipient clicks the link in the email within their mail client.
    • Next, you’re typically either prompted to log in to Google Docs and accept or reject the invitation to view the document, or, if you’re already logged into your Gmail account, it takes you straight to the accept or reject invitation screen.
    • You press accept and view the document.
    Stop and think about that… the invitation was sent to a company email address, not a Gmail address. Shouldn’t that invitation be usable only by that email address? Or at least limited to the set of addresses that were invited when the bulk invite was sent out?

    Yet if I can get hold of that link and put it in a browser, I can log into, say, my personal Gmail account and get access to the same document. What we found in testing was that anyone who got hold of the link could log into their own Gmail account and still view the document.

    With the number of schools and businesses already migrated over to Google Docs, I’m surprised this hasn’t been resolved yet.

    How big a deal is this? It really depends what’s in the document you’re sharing; however, anyone who can sniff out that link and sign up for a Gmail account can gain access to the document.

    Whether by sniffing your network traffic, sniffing your mail server or mail relays, snooping via a compromised machine or email account, email being forwarded to an insecure or unintended address, or a shady client being able to take a quick photo of your screen while the URL is in view: so long as they can get that doc share invitation link and type it into their browser, they can now access the document via any Google Docs or Gmail account they have, even though the invite may have only been intended for joe@joesplace.com.
    Current workarounds:

    • Only send share invitations to other Gmail accounts. Google Docs to Gmail communication should stay on Google's internal network and never go out on the web. Post the link only in secured locations.
    • Or, instead of sending out share invitations, send an email with a URL straight to the Google Docs URL for the document. The user clicking the link will first have to log in to their Gmail/Google Docs account and will then have to request access to that document before they can view it. This can be approved or denied at your discretion.
    Possible solutions?

    If Google were to allow users to encrypt their email via PGP or some other means before sending, the link could not be sniffed in plain text.

    However, the above does not really address the simpler underlying security issue: an invitation to share a document should (unless otherwise stated in bold red) only be usable by the address the invitation was sent to.

    It may seem convenient that if someone sends a Google Docs invite to your @business.com account you can click on the link and sign in with your personal Gmail, since you don’t have Google Docs tied to your @business address. However, that means it’s equally convenient for anyone else to do so if they can find a way to capture that link.

    Yes, often these invitations are read only; however, imagine the bounty of company and school documents that could be quite harmful in the wrong hands, read only or not. Personal and proprietary data, exam questions, you name it. If a business has migrated to Google Docs it’s all there if you can sleuth out the link.

    Note: Another solution has been brought to our attention from the Google help forums:

    • Use Share->See who has access… Go to the Advanced permissions tab and untick both "Allow editors to invite others to edit or view" and "Allow invitations to be forwarded", then click Save & Close.
    • Use Share->See who has access… and on the People with access tab make sure the general setting is "Sign-in is required to view this item". Again click Save & Close.

    A quick test of these settings seems to plug the hole. However the scare remains that the default settings are quite insecure and few Google docs users are likely to be aware of the security implications of those settings.
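To make the underlying flaw concrete, here is an added example (not from the post and not Google's code) that models two acceptance policies for a share-invitation link: the bearer behaviour described above, where any signed-in account holding the link gets the document, and a bound policy where the invitation is usable only by the address it was sent to. The invite store, token format and email addresses are constructed for the demo.

```python
import secrets

# In-memory invitation store (constructed for the demo): token -> invite record.
INVITES = {}
DENIED_LOG = []  # records rejected accepts so a defender can spot link leakage


def create_invite(doc_id, invited_email):
    """Issue an invitation link token for one recipient address."""
    token = secrets.token_urlsafe(16)  # unguessable, but still just a link
    INVITES[token] = {"doc": doc_id, "invited": invited_email.strip().lower()}
    return token


def accept_bearer(token, signed_in_account):
    """Behaviour the post describes: whoever holds the link gets the document.

    The signed-in account is ignored, so the link is a pure bearer capability.
    """
    invite = INVITES.get(token)
    return invite["doc"] if invite else None


def accept_bound(token, signed_in_account):
    """Hardened policy: the invite only works for the address it was sent to."""
    invite = INVITES.get(token)
    if invite is None:
        return None
    if invite["invited"] != signed_in_account.strip().lower():
        # A mismatch is a strong signal the link was forwarded, sniffed or photographed.
        DENIED_LOG.append({"doc": invite["doc"], "invited": invite["invited"],
                           "attempted_by": signed_in_account.lower()})
        return None
    return invite["doc"]


if __name__ == "__main__":
    link = create_invite("doc-42", "joe@joesplace.com")
    print("bearer, stranger:", accept_bearer(link, "someone.else@gmail.com"))
    print("bound,  stranger:", accept_bound(link, "someone.else@gmail.com"))
    print("bound,  invitee: ", accept_bound(link, "Joe@JoesPlace.com"))
    print("denied attempts: ", DENIED_LOG)
```

The denied-attempt log is the defender's side of the story: under the bound policy a leaked link produces an auditable mismatch instead of silent access.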

    SEO news blog post by @ 6:42 pm

    Categories: Uncategorized
    Copyright© 2004-2013
    Beanstalk Search Engine Optimization, Inc.
    All rights reserved.