A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits — for example — an arbitrary web site to force the victim to make tweets.

A harmless example has also been posted on his site (see below) 

http://scary.beasts.org/misc/twitter.html

This bug appears to be strictly related to Internet Explorer and no fault of Twitter. At this time there does not appear to be a resonable workaround.  This appears to be a Cross-origin CSS attack which uses the style sheet import to steal confidential information from a victim website, hijacking a user’s existing authenticated session.

Chris continues to state that there is evidence to suggest that Microsoft has been aware of this since at least 2008.

However: Looking back at my 2010 analytic stats I can see the increase in Internet Explorer 8 adoption amongst the general home user (my target demographic). What I do find interesting is that IE7 seems to have had a very small adoption rate. This may be in part due to the commercials Microsoft has released promoting the “Enhanced Security” features of IE8.

Below are two images showing the different browser distribution of my visitors and more importantly drastic trend to move away from Internet Explorer 6.

Sure I check my Google Analytic stats every now and again, but what value is this truly providing me? GA gives website owners a false sense of security IMHO. What we tend to forget is that GA tracks links on any given page. Sure it can give you a pretty overlay on a map, but what does this mean? What does this translate to? I’m really not sure to tell you the truth.

Recently I decided to concentrate less on driving new visitors to my site and focus on “Converting” the visitors I actually have. Google Analytics did help me identify my ‘poor’ conversion rate 34% to be exact.

So the quest began, I had no idea what visitors were truly clicking on? What was driving them away? What was causing them to not convert? Oh no what do I do? How do I find out? Help!!

Crazy Egg to the rescue, they offer four views which you can see described below:

Overlay – Learn more about each element on your page.
List – Learn more about each element on your page.
Heat Map – A picture of where people clicked on your site. This tells you what’s hot and what’s not.
Confetti – Dig a little deeper and find out where people click based upon the things like: Top 15 Referrers, Search Terms, Operating System, Browser, etc…

To get started with Crazy Egg you sign up for $9 which will allow you to track up to 10 pages and 10,000 visits. You’ll need to add a piece of JavaScript to the pages you want to track. The sign up process is simple and painless, adding the JavaScript is just as simple and the same code is reused across all pages you wish to track.

After installing the JavaScript and tracking for just a few days I was easily able to identify the “Problem” areas in my design and adjust accordingly. After making the changes my conversion rate has increased to 76.5% which is more than double.  It’s simply CRAZY! Or rather CRAZY SIMPLE!

In conclusion Crazy Egg is a must have tool to compliment Google Analytics and for the price you would be Crazy to pass it up.

What does this mean for Webmasters and SEO’s? It means that it is important to be familiar with how the Bing crawler interacts with your site. After the full algorithmic transition is complete, you will only need to optimize for one crawler (Bing).

You should check out the Bing Webmaster Center for all the latest info, tips and tools, including some significant updates to Bing’s webmaster tools.

This is a great milestone for Bing and Yahoo!, but is it a great thing for SERPs?

What do you think?

So what’s the announcement? Here it is. “Showing More Results From A Domain”. Google announced a tweak designed to surface multiple pages from a single site for relevant queries.

“For queries that indicate a strong user interest in a particular domain, like [exhibitions at amnh], we’ll now show more results from the relevant site,” says Google software engineer Samarth Keshava. “Prior to today’s change, only two results from www.amnh.org would have appeared for this query. Now, we determine that the user is likely interested in the Museum of Natural History’s website, so seven results from the amnh.org domain appear. Since the user is looking for exhibitions at the museum, it’s far more likely that they’ll find what they’re looking for, faster. The last few results for this query are from other sites, preserving some diversity in the results.”

This change does not come without controversy, many SEO are screaming similarities to “Mayday”. What are your thoughts? I would love to hear from you.

“Obviously, everyone knows that the #1 spot on Google is where you want to be,” says Chitika research director Daniel Ruby. “It’s just kind of shocking to look at the numbers and see just how important it is, and how much of a jump there is from 2 to 1.”

Recently Verizon, in collaboration with the United States Secret Service, released their 2010 Data Breach Report.  I would like to take a moment to share my praise, concerns, and general findings.

I’ll begin with business practice findings.  In the past, it was emphasized that there was a gap in termination procedures as pertains to access removal from network assets.  Based upon the metrics brought forth from this report (an astounding 26% increase in breaches attributed to “insider” threats), this is still a persistent issue.  Here, another concern arises when one mentions the concept of segregation of duties; often trusted “insiders” have unhindered or UNDERhindered access to a broad pool of resources. 

As corporations fail to recognize this, and respectively provide resource access controls and limitations, this will continue to be an issue.  Interestingly enough, the percentage of breaches implicating business partners has dropped by 23%.  One may attribute this to the increased business awareness and legal controls implemented in the contract phase over the past year.  If this trend continues (which it should, as the public is more aware than ever of the threats “in the wild”), this number should continue to drop at a decreasing rate. 

Additionally, the report indicates that a vast 48% (26% increase) of breaches discovered over the past reporting period involved privilege misuse to some extent – while only 40% of breaches involved “hacking” proper (-24%).  This continues to make it obvious that nefarious users do not necessarily have to be “hackers,” and may employ conventional information gathering tactics to procure sensitive data.  This may be attributed to the presence of the inevitable “human layer,” and can only be mitigated through a strong, broad-scale, employee education policy.  If the point is still unclear, it was reported that 28% (a sizable increase since 2009) of breaches made use of social engineering tactics at some point.

While a corporation may have the most “locked-down” and “secure” internet presence, it remains possible that a loose-lipped employee may still unknowingly play a role in facilitating a data breach.

On a rather interesting (read: disturbing) note, 79% of reported victims that were subject to the Payment Card Industry Data Security Standard (PCI-DSS) had NOT achieved compliance.  86% of breaches were preventable via use of reasonable, simple-to-intermediate controls.  While PCI may only provide a baseline data security model, following the standard ensures that basic defense mechanisms are in place – and, if a breach happens, the standard assures that the incident will at least be tracked to some extent.  On a somewhat related note, 86% of breach victims had substantial evidence logged, yet 61% of breaches were reported by a third party.  This indicates to me that log correlation/SIEM tools are not in place (or underreferenced) in many scenarios; avoid becoming a victim by implementing a strong log reference policy.  The burden of sorting through can be eased significantly by use of common string parsing tools. 

Some examples of commercial-grade log/event correlation and management tool vendors include LogLogic, ArcSight, and Q1 Labs.  By the way, PCI 10.6 mandates log maintenance.

As far as demographics are concerned, the report continues to indicate that the focus of data breaches remains within the Financial Services, Hospitality, and Retail sectors.  This does not surprise me, and should not surprise anybody; Cash is King.  Note, however, that this may be attributed in part to the fact that – in the United States (the primary source for the data contained within this report), these sectors are required to adhere to strict breach reporting requirements (due to such regulatory standards as PCI and HIPAA).

On a closing note, the report indicates that approximately 13% of the reported breach cases involved organizations that had recently been involved in a merger or acquisition (as opposed to 9% in 2009).  This indicates the all-too-obvious truth that, in the common flurry associated with large-scale corporate policy changes, security assurance is frequently sacrificed. 

Based upon reading this report, I believe that – in a world where cyber crime continues to be on the rise – large companies need to take a moment to smell the coffee.  Making small sacrifices in project deadlines and procuring additional software resources (e.g. log correlation tools, which are essential for far more than just security) to ensure their bottom lines are not only met, but exceeded, while maintaining brand stability.

The 2010 report may be found here

Verizon’s 2009 report (not collaborated with USSS) may be found here

The simple answer is no.

The actual question that should come to everyone’s mind is will this comprise my overall SEO efforts.

Search Engine Optimization is not magic; this topic is well documented. Many if not all of the SEO methods are shared across all the major search engines, with slight weighting differences amongst them. If you follow good SEO practice you will rank well on all SERPS.

There are however some interesting observations I have made. BING & Google both at first glance seem to weigh On Page SEO very similarly. However Off Page SEO seems to influence BING a little more. BING appears to give more trust to aged domains, along with target keywords anchor link positioning.

With that being said my personal opinion is that you should concentrate on good OVERALL SEO rather than worrying about a specific search engine. 

Remember content is king.

News flash – depending upon how it’s configured, it could be doing even more; that same page you browse to in order to check up on Fido may be indexed by search engines such as Google.

Now, 9 times out of 10, the web server is configured to host the content under a non-intuitive URL; while this may deter somebody who is trying to guess the URL used by the software, it also provides those “in the know” with a “one-stop shop” for all of their nefarious needs. As an example, most Panasonic networked cameras have the string “ViewerFrame?Mode=” in the URL, and can easily be located by using the Google search string inurl:”ViewerFrame?Mode=”.  If you’re following along with the links, I’m guessing (without actually accessing this page which was likely intended to be private) the third page on the above Google search (it’s a *.edu) is exactly what a hacker would want to see — and exactly what you don’t want them to see**.

To avoid this, it may be possible (depending upon the software) to at least change the default URL used. If not, consult the support documentation – and if necessary, the vendor – to determine the best course of action by which you can better protect your privacy. Depending upon the software leveraged by the device, you may also be able to create a robots.txt file (file including all pages not to be indexed by the search engine) for the web server as well.  For more detail, see here.

By the way, it’s not just cameras, but printers and telecommunications equipment (read: WOW) as well. A surprisingly vast listing of known devices (and information on their default pages) can be found here.

** The posted information is for educational purposes only, I neither recommend nor condone using the web as a tool for spying on others.  Don’t do it.

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as “john” and read a message by “joe” that contained malicious javascript in it, then it may be possible for “joe” to hijack my session just by reading his bulletin board post. 

“What are the threats of Cross Site Scripting?”

Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to “Denial Of Service”, and potential “auto-attacking” of hosts if a user simply reads a post on a message board. 

1. Make an .htpasswd file. The htpasswd command in Unix does this. You should put the password file outside of your web directory. So a command like “htpasswd -bc /home/dmistry/.htpasswd review donotenter” will create a new file using a username of review and a password of donotenter into the file /home/dmistry/.htpasswd . If you were to run the command “cat /home/dmistry/.htpasswd” you might see a line like “review:M1OdtjdGiDn1Y”.
2. Make an .htaccess file. In this case, the file would be located at /home/dmistry/www/.htaccess and it would look something like:

   AuthUserFile /home/dmistry/.htpasswd
   AuthName EnterPassword
   AuthType Basic
   <Limit GET POST>
   require valid-user
   </Limit>

The college student, Steven Abbagnaro, wrote up proof-of-concept code of an attack that would get all of a users’s publicly available data from their Facebook page and then delete their friends one by one. However, the attack can’t be started until the user clicks on a rigged link while logged into Facebook.

Abbagnaro won’t release the code until a patch is applied but competent hackers could figure it out on their own. The code is based on a previously discovered vulnerability in Facebook that doesn’t check code from user’s browsers properly to make sure they are authorized to make changes on Facebook. Another possible attack that has arisen out of this bug is the ability of hackers to make users “like” things.

This attack and the others that have been cropping up lately stresses the need to educate users about social engineering techniques and to be suspicious of links from people they don’t know or links from friends that seem uncharacteristic.

Laptop batteries are like people–eventually and inevitably, they die. And like people, they don’t obey Moore’s Law–You can’t expect next year’s batteries to last twice as long as this year’s. Battery technology may improve a bit over time (after all, there’s plenty of financial incentive for better batteries), but, while interesting possibilities may pop up, don’t expect major battery breakthroughs in the near future.

Read the full article here

Vista RTM will be the first one out of those three, which will not receive support anymore starting April 13.

For the other two OSs, July 13 is the date of their support termination.

Windows Vista RTM users need to use Windows Update to install the latest service pack.

Instead of having a fake Facebook page to collect the victims passwords (phishing), the email is sent with a malware attachment. The malware is known as “Bredolab” which is a Trojan downloader. In the two computers I repaired today, Bredolab downloaded some rogue antivirus products. However, some sites are saying that it also downloads a password stealing trojan.

If you see it onsite, Malware Bytes seems to deal with the Trojan once you kill the main executable (at least the rogue antivirus variants). Be sure to tell your clients to change their passwords after the infection has been removed as well.

The netbook, model AO532h, was seen on the company’s support site in mid-December.

The speed of the machine is 1.66GHz. The other specifications are 512KB cache, DDR-2 memory, 667MHz FSB, and 10.1-inch screen.

It comes with Windows 7 Starter Edition and the cost of the machine is $299 according to the article at  The Register.

To start off the process, a user need to download and install a software which is VMware Workstation 7. Also, there are two files that need to be downloaded.

VMware Workstation is the program that was used in the guide to install the Apple OS. There are five screen shots included in the article to help a user choose where and what option to press/choose.

Source: Redmond Pie

Invitations were sent to various members of the media Tuesday promoting the event at Google’s headquarters, to be held just as the annual CES gadget fest gets under way in Las Vegas. Expectations are high that Google will use the occasion to announce the launch of the Nexus One phone as its first phone sold directly to consumers.

It also seems Google is finally ready to address the questions that have risen about its Android strategy following reports that it planned to sell this particular phone directly to consumers through its Web site. Google has invested a lot of time and money during 2009 promoting the Android phones of its partners–namely Motorola and Verizon–and could be about to complicate the work of those partners with its own device.

In any event, Google’s announcement will likely kick off a crowded week for the technology industry and could perhaps overshadow any news to emerge from CES later in the week.

From CNET.com

Another great thing about antivirus products coming on a USB drive is that the installation of the antivirus product (which usually takes ages) would happen much faster, since it is usually much faster than installing something from a CD.

Lastly, at the end of the day the customer is left with a USB drive which they could use for other purposes.

Now that Windows 7 is out, Microsoft have reverted back to needing a separate disk for each version which is annoying for us computer technicians. However, the only difference between each DVD is a small 51 byte configuration file called ei.cfg which tells the installer what version disc it is. If you were to turn your DVD into an ISO, remove this ei.cfg file and write it back to a DVD, that DVD would become a Universal DVD.

ei.cfg Removal Utility will make this easy for you. Just create an ISO with your legitimate Windows 7 DVD, run this tool, choose the ISO and let it run. Once it has finished, just write the ISO back to a DVD again and you would only need to carry one 32bit version and one 64bit version to support any Windows 7 install onsite.

Of course, your client would still need to provide you with a working key for the Windows 7 install to work.

This is where Capacity comes in to make the task of backing up to CD or DVD much easier. Capacity will automatically separate the files into different CD or DVD sized folders. It can even create these CD/DVD sized folders based on the file type if you want so you can keep all documents on one CD and pictures on another. There is also other sorting criteria such as by month created, by month modified and by file size.

Capacity is small and mostly portable (requires .NET 3.5) application with a donation-ware license. This means it is free to use but if you like it you should consider donating to the developer.

This application is definitely worth keeping on your onsite USB drive and the backup machine in your workshop.

The release notes of Mozilla states, “This version is also faster and more responsive than previous versions, and has been optimised to run on small device operating systems such as Windows CE and Maemo.”

“Add-ons installed with previous versions of Firefox may not yet have been updated by their authors to work with Firefox 3.6 beta,” it notes.

Microsoft explains, “You have some corrupted .wav files in a folder on a computer that is running Windows 7 or Windows Server 2008 R2. When you open the folder, you encounter the following problems: The computer responds slowly. You cannot perform any other operations. You experience high CPU usage in the Explorer.exe process.”

Windows Media Player will stop to respond after opening corrupted .wav files and Wmplayer.exe will also generate high CPU usage according to the company.

1. “Meta Tags” – Should be included on all pages, remember though these tags no longer carry the same value they used to in the early search days. Today’s search engines have evolved and now have robust algorithms which take many factors into consideration. The days of “keyword stuffing” will no longer yield in better SERP. Google has gone as far as openly stating that they in fact do not even use the Meta Keyword tag to weigh in on their decision. That being said I strongly believe that all sites should leverage the use of <meta tags> appropriately.

2. “Friendly URL’s”- Make sure all pages on your site have a friendly URL. http://www.domain.com/about-us.html try and avoid long URL’s with many parameter passed. Most search engines can handle URI’s with up to 2 parameters but after that you run the risk that your pages may not get indexed.

3. “Sitemaps” – Create a sitemaps.xml and sitemap.html publish them to the search engines via their submission links. I like to create both pages some people say you only need one.

4. “Robots.txt” - Create a robots.txt file tell the search engine where your sitemap.xml file is located. Most search engines will respect the robots.txt file. BE SURE that you validate the file before publishing, a bad entry could potentially block the crawler from crawling your site all together.

5. “Unique Content”- I personally think this is the biggest of them all, have unique content for your visitors, if you have a site that is just repeating another site what is the incentivefor people to come visit you. Creating easy to read unique content will go very far, think about it, if you have a site that is interesting more people are likley to link to your site, the more “Relevant & Reliable” back links you get the better chance you will rank higher in SERP. I will cover this in more detail on my Top 5 Off Page SEO Tips

Step1: Click on the Windows start button, then right click on Computer and select Manage.

Step2: Click on Device Manager on the side menu.

Step3: Expand Disk Drives and select your external hard drive from the list.

Step4: Right click on the drive and select properties.

Step5: (Vista only) – on the Policies tab, select Optimize for performance

Step 6: (Vista only) Next, check enable write caching on the disk and enable advanced performance

Step 7: (Windows 7 only) Click on Enable write caching on the device.

Step 8: Press OK and Reboot the machine to enjoy the increased performance.

This begs the question, Is this a result of being “released” from the Google age delay filter?, or just the mere fact that Google has index additional pages and is slowly building and calulating our Page Rank.

We have made a few changes to the site, minified the Javascript and CSS which I will talk about a later time, compressed images and added a few more backlinks. Today is exactly 2 months from the day the domain was registered so I am happy with the way things are shaping up so far.

Secure both the network and each PC

Use security software that comes with your wireless or wired router to secure the network.

• Rename your network. Out of the box, most routers use their own easily identifiable names (SSIDs) that make them easier for hackers to crack. Change the router name to one that doesn’t give you or the network type away.

• Use the media access control (MAC) feature that is usually included with your router. It lets you name each PC on the network and restrict network access to only those PCs.

• Secure each PC with its own firewall, so that even if a hacker gets into the network, he/she won’t be able to access the PCs on it.

Use strong password security

• The security software that comes with most routers usually offers several levels of password protection. Don’t use WEP (wired equivalent privacy) passwords as they are easily hacked. Use at least WPA (Wi-Fi protected access) or WPA Personal passwords, or an even more secure format, if offered.

• Create hard to decipher passwords. Don’t include your name, birth date, address or other obvious words or numbers. The best passwords are a random mix of letters, numbers, and characters, eight or more characters long.

• Change your password often. 

Use up-to-date security software

• Firewall protection for each computer in the network.

• Transaction security to help ensure your online shopping or banking transactions are secured.

• Antivirus protection to help keep viruses, Trojan horses and worms from infecting your PCs.

• Antispyware to block hackers from placing spyware on your PC.

• Email scanning to remove viruses from email.

To maximize the effectiveness of your Internet security software, make sure it is always up-to-date so that you are always protected from the very latest security threats.

Internet security software will help you maximize the safety and security of your home network. It adds security features that neither PCs nor network routers offer.

Below are a Couple of methods to implement URL Redirection

ColdFusion Redirect

<.cfheader statuscode="301" statustext="Moved permanently">
<.cfheader name="Location" value="http://www.new-url.com">

PHP Redirect

<?
Header( "HTTP/1.1 301 Moved Permanently" );
Header( "Location: http://www.new-url.com" );
?> 

ASP Redirect

<%@ Language=VBScript %>
<%
Response.Status="301 Moved Permanently"
Response.AddHeader "Location","http://www.new-url.com/"
%> 

ASP .NET Redirect

<script runat="server">
private void Page_Load(object sender, System.EventArgs e)
{
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location","http://www.new-url.com");
}
</script> 

JSP (Java) Redirect

<%
response.setStatus(301);
response.setHeader( "Location", "http://www.new-url.com/" );
response.setHeader( "Connection", "close" );
%> 

CGI PERL Redirect

$q = new CGI;
print $q->redirect("http://www.new-url.com/"); 

Ruby on Rails Redirect

def old_action
headers["Status"] = "301 Moved Permanently"
redirect_to "http://www.new-url.com/"
end 

Redirect Old domain to New domain

Create a .htaccess file with the below code, it will ensure that all your directories and pages of your old domain will get correctly redirected to your new domain.
The .htaccess file needs to be placed in the root directory of your old website (i.e the same directory where your index file is placed)

Options +FollowSymLinks
RewriteEngine on
RewriteRule (.*) http://www.newdomain.com/$1 [R=301,L]

Please REPLACE www.newdomain.com in the above code with your actual domain name.

In addition to the redirect I would suggest that you contact every backlinking site to modify their backlink to point to your new website.

Note* This .htaccess method of redirection works ONLY on Linux servers having the Apache Mod-Rewrite moduled enabled.

Redirect to www

Create a .htaccess file with the below code, it will ensure that all requests coming in to domain.com will get redirected to www.domain.com
The .htaccess file needs to be placed in the root directory of your old website (i.e the same directory where your index file is placed)

Options +FollowSymlinks
RewriteEngine on
rewritecond %{http_host} ^domain.com [nc]
rewriterule ^(.*)$ http://www.domain.com/$1 [r=301,nc]

Please REPLACE domain.com and www.newdomain.com with your actual domain name.

Note* This .htaccess method of redirection works ONLY on Linux servers having the Apache Mod-Rewrite moduled enabled.

So how long does this filter apply? How long will the site be “Sand Boxed”? No one really knows the answer to this, but the speculation is that for new domain’s with similar content / material Google wants to keep the ”Age Delay Filter” for approximately 6-12 months. Is this fair? I am partial to both opinions it will help reduce spam sites ensuring the site/domain is something that is going to be around, but on the other hand legitimate sites will take a penalty for quite some time reducing the potential traffic.

Let’s see how long Google makes our site play in the “Sand Box”.

Fix IE Utility has been tested on IE7 and IE8 on both Windows Vista and Windows 7.

Download from official site

Stay Tuned…