It’s that time of year again! I just got my hands on the 2011 edition of the Verizon/SS Data Breach Report, and I figured I’d take a moment to share my thoughts.

First of all, note that the scope of the report now includes approximately 800 “incidents” from the year prior; last year’s report was comparable in size, covering 761 events. Next, I observe that this report is by no means “complete;” while a good deal of the year’s most significant incidents have been covered, there are likely thousands of noteworthy data points which have been overlooked or otherwise left out.

Now, the report:

Verizon has some good news and some bad news; the good news – only 76% of recorded data breach targets were servers in 2010, compared to much higher percentages in 2009 and 2008. However, this implies that the focus has shifted towards endpoint and social targets, which is very bad news, indeed. Probably nothing ground-breaking at this point, but this demonstrates the consistent challenge corporations face in raising enterprise-wide security awareness; we have erected multi-million dollar defense systems, and continue to monitor our logs for interesting traffic, but we cannot fix “people” problems with products. Additionally, note that – of the breaches reported – we continue to see a steady decline in those involving multiple parties, as well as business partner attacks. This is good news to corporations, as it indicates continued success in technical and business measures to control outsider access to enterprise resources.

Next, I’d like to take a look at some of the numbers which rose consistently between the three recent years. Specifically, I’d like to dwell on the “Employed Physical Attacks” metrics; over a 3-year window, this percentage has tripled (with little fluctuation in data set size in the prior 2 years), indicating a continued focus on technical security. While improved technical security may prevent a good deal of data breaches, it is not a holistic solution, and often results in “sore thumb” deficiencies.

Finally, I’d like to focus on the metrics provided which seemed to fluctuate between the reports issued in 2009, 2010, and 2011; note that, in 2010, the size of the breach “pool” increased tremendously with the inclusion of the US Secret Service data. Due to this, I would like to focus primarily on the metrics that rose between the 2010 and 2011 reports. Most specifically, I am concerned when I see the HUGE rise in percentage of breaches that have been discovered by a third party (+25% over a year, +17% over two years). While I’m sure corporate log monitoring initiatives have started to kick off, what is being done today is NOT enough. With “blended” attacks on the rise, there is a growing business case for event correlation and collective log management & review; if enterprise shops do not take action on this item, this number will rise exponentially. On a similar note, I observe that a steady (though slightly rising) portion of the reported breaches have been deemed avoidable, in retrospect, via simple or intermediate controls. These controls may include password policy enforcement, implementation of stateful packet inspection on firewalls, and security-focused Quality Assurance for web application content (among others). The effectiveness of such measures should be audited periodically.

Wrapping up:

• Shift in focus from Servers to Endpoints and Staff
• Shift to Physical Compromise, as opposed to Technical
• Social Compromise percentage consistent between 2009 and 2011 reports, although 2010 report indicates huge increase
• VAST majority of breaches are avoidable through simple controls
• Insider attacks are down, as are business partner breaches
• Third parties are disclosing breaches before first parties

Action Items:

• Know your assets
  • Accurate, comprehensive, and authoritative inventory is encouraged
  • Not just servers and endpoints, but identity assets as well
  • Pre-requisite to next item:
• Monitor your logs
  • Consider Event Collaboration & Correlation tools (not necessarily a product or a service, this can be a series of well-crafted scripts); note that the return presented by a product will be extremely limited, based upon organizational structure.  From my limited perspective, I see that most enterprise organizations should have comprehensive identity and asset inventory systems to get the most out of vendor SIEM products.  Even with SIM/SEM, individuals need to review their relevant logs frequently
• Invest in simple, easily monitored, controls (such as account usage policies, password complexity and refresh requirements, etc)
  • If they are already in place, audit your controls for effectiveness; more importantly, adjust accordingly
• Continue to raise enterprise awareness against breach indicators, consider random employee awareness drills
• Continue to raise enterprise awareness against physical security threats, enforce physical security policies (for example, laptops must be locked and docked within the office)
• Secure your endpoints, aggregate event logs, AV logs, etc. from workstations to a common environment for review

Original Blog Post

The attack came from several IP addresses, but mainly from Iran.

The affected domains according to Comodo are:

• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• Global Trustee

Comodo has revoked these certificates and listed them in its revocation list. Microsoft also is releasing an update that will blacklist these certificates.

The attacker obtained username and password to log into the partners systems, and was able to issue the fraudulent certificates. According to Comodo, the breach was discovered quickly and they are pretty sure that the attacker only issued the now blacklisted certificates.

Was this a state-driven attack?  Iran recently deployed DPI (Deep Packet Inspection), high-end network equipment that uses ultra-fast microchips to read and classify internet traffic in transit. The Iranian authorities used DPI to detect the highly specific parameters Tor uses to establish an encrypted connection. Since the Tor project developers have redesigned the software so that its traffic looks just like any other when it sets up an encrypted connection, and Iranian Tor users are now back to normal.

Google’s latest reaction, Saturday night by Android security head Rich Cannings, is the remote removal from users’ phones of applications identified as malware. Google also plans to release a security update “”Android Market Security Tool March 2011″ to infected phones.

The kill switch is actually software that’s downloaded onto an Android smartphone and installed automatically, removing the apps in question with no user action required. In its Google Mobile Blog, the company announced:

“We are pushing an Android Market security update to all affected devices that undo’s the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from android-market-support@google.com over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.”

Google downplayed the harm caused by these malware apps, assuring users that none of their personal data has been compromised:

“For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices and the version of Android running on your device). But given the nature of the exploits, the attacker(s) could access other data.”

Android devices are still vulnerable because of existing security holes at the system level, which must be fixed by cellular carriers and hardware manufacturers. The problem is made worse by cellular providers sticking with older versions of Android, unfortunate because the security exploit only affects Android versions 2.2.1 and older.

We knew it was not going to be long before Google released a major algorithm update to combat the very prevalent web spam and link farms we have seen growing over the past couple of years. Well the time has come; today Google’s Matt Cutts & Amit Singhal unveiled an algorithmic change that claims to impact 11.8% of search queries.

According to Singhal, this update is targeted to “reduce the rankings for low quality sites while increasing the ranking for high quality sites.”

What exactly is Google’s definition of “low” quality and “high” quality? The official definitions from Google are:

“Low-quality sites – sites which are low-value add for users, copy content from other websites or sites that are just not very useful.”

“High-quality sites—sites with original content and information such as research, in-depth reports, thoughtful analysis and so on.”

Google is also claiming that the update does not rely on the feedback that it receives from the “Personal Blocklist Chrome Extension”. They do however claim to have compared it to the Block List Data they have gathered to date and show a staggering 84% match with the algorithm update. Coincidence?

Finally this update is currently only being rolled out in the United States Only, other countries will follow over time.

You can read the Offical Blog Post from Google here.

Who is responsible for application security in the new world of cloud computing? Increasingly, we see third-party application providers, who are not necessarily security vendors, being asked to verify the thoroughness and effectiveness of their security strategies. Nevertheless, the enterprise ultimately still bears most of the responsibility for assessing application security regardless of where the application resides. Cloud computing or not, application security is a critical component of any operational IT strategy.

With cloud computing, the customer is left vulnerable in many ways. First, the security team has lost visibility into the network security infrastructure. If the cloud provider makes a change to its infrastructure, it naturally changes the risk profile of the customer’s application. However, the customer is most likely not informed of these changes and therefore unaware of the ultimate impact. It is the customer’s responsibility to demand periodic security reports from its cloud vendor and thoroughly understand how their valuable data is being protected.

For many organizations, application security is an afterthought. The corporate focus is on revenue, and often that means frequently pushing new code. Even with rigid development and QA processes, there will be differences between QA websites and actual production applications. This was not as critical when the applications resided behind the firewall, but now managers must take into account the value of the data stored in an application residing in the cloud.

Ultimately, website security in the cloud is no different than website security in your own environment. If your organization has not prioritized website security previously, then now is the time to make it a priority.

The attack requires possession of the iPhone and targets the handsets individual keychain, the iPhone’s password storage platform. Researchers, utilising existing exploits, are simply able to jailbreak the device, install an SSH server on the device that allows them to run queries and execute third-party software on the phone.

Once access to the phone has been established, researchers were then able to copy a script to the phone that would access the keychain on the device. In-built system functions are employed to open the keychain and then output all of the users passwords, removing the need to physically crack any of the devices protection methods.

In short, if someone gets the hold of your device all you can hope is that you can issue a remote wipe command in time. Otherwise they will get your data if they are persistent enough.

Check this video out to see the hack in action.

This is a list of passwords / applications thought to be safe against this hack.

• AOL Email
• App using keychain with default protection
• Generic IMAP
• Generic SMTP server
• Google Mail
• iOS Backup Password
• Website Account from Safari
• Yahoo Email

This is list of passwords / applications that have been confirmed to be vulnerable to theft.

• Apple Push
• Apple-token.sync (mobile me)
• CalDav
• Google Mail as MS Exchange Account
• iChat.VeniceRegistrationAgent
• LDAP
• Lockdown Daemon
• MS Exchange
• Voicemail
• VPN IPsec Shared Secret
• VPN PPP Password
• VPN XAuth Password
• Wifi (Company WPA with LEAP)
• Wifi WPA

Today Mehdi, Microsoft’s Senior VP of Online Services responded.

We do not copy results from any of our competitors. Period. Full stop. We have some of the best minds in the world at work on search quality and relevance, and for a competitor to accuse any one of these people of such activity is just insulting.

Mehdi, then took it one step further and accused Google of performing “Click Fraud”

Google engaged in a “honeypot” attack to trick Bing. In simple terms, Google’s “experiment” was rigged to manipulate Bing search results through a type of attack also known as “click fraud.” That’s right, the same type of attack employed by spammers on the web to trick consumers and produce bogus search results. What does all this cloak and dagger click fraud prove? Nothing anyone in the industry doesn’t already know. As we have said before and again in this post, we use click stream optionally provided by consumers in an anonymous fashion as one of 1,000 signals to try and determine whether a site might make sense to be in our index.

Read the full post here

Is Google just trying to redirect focus from the recent discussions surrounding Google’s SERPS being full of spammy results? Maybe, they chose to wait 30 days before going public with thier findings.

What are your thoughts? Is Bing cheating from Google?

I thought it would be interesting to try a little albeit slightly selfish experiment to see if I can gather some data to support what both search engines have confirmed.  This is an informal experiment that will both help start to answer the questions these changes have brought and at the same time promote my wonderful wife’s website.

Below is a pre-crafted tweet with Keywords built in to the structure of the tweet, simply click the share button below to participate in the experiment.

I will be tracking the results with topsy.com and will publish a findings post once the experiment has concluded and I have had time to correlate the date.

I need your help!

If tweeting or linking is not your thing what are you doing reading an SEO blog?

Full Disclosure / Disclaimer – Participating in this experiment will promote a site that is owned by my wife, I do not want to hear from people that I was performing a selfish experiment. Though I fully believe the results will be useful to all SEO’s out there.

Let’s start with the latter; Google says Instant is expanding in two ways:

Google Instant On Vertical Search Properties: In addition to being available on Google.com searches, Instant Search is now functioning on “many” of the vertical search options in Google’s left navigation column, like Videos, News, and Blogs.

Google Instant In New Countries: Instant Search is now available to signed-in users in 12 new countries: Austria, Belgium, Canada, Czech Republic, Ireland, Mexico, Netherlands, Poland, Slovakia, Slovenia, Switzerland and Ukraine.

Finally, when using Google Instant, there are new keyboard navigation options. You can use the up and down arrows on your keyboard to navigate through the search suggestions (pretty sure that’s always been the case) and through the search results, too. This video shows how it works.

The flaw used simple JavaScript function to call onMouseOver which created an event when the mouse is passed over an area of text. The user was then redirected to a third party site without the users consent.

Twitter’s @safety account tweeted Tuesday morning, “We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.”

As of 10:00AM EST twitter issued this statement “This should now be fully patched and is no longer exploitable.”

Mashable estimates that the security flaw “has been widely exploited on thousands of Twitter accounts.”  TechCrunch reports the onMouseover exploit may have spread to as many as 40,000 tweets in just 10 minutes.

Have you seen it? How has it affected you? Let us know below.

This still unpatched vulnerability is actively being exploited in the wild. Exploits do not require JavaScript to be enabled within Adobe Reader and do not require write access to any directory.  Confirmed exploits against Adobe Reader 9.1.0, 9.3.0, 9.3.4 running on Windows XP, Windows Vista and Windows 7 have been reported.

Here is the exploit code in the PDF that’s circulating in the wild:

A Metasploit module is included in the most recent version. Adobe claims to be working on a fix, lets see how long…

All good questions in this post I will address the first question which came to my mind. What about Analytics? How do I track Google Instant partial queries? Now that Google is presenting real time or instant results, there is a high chance that the query string that gets passed to Google Analytics is incomplete or rather partial because the link was displayed before the user even completed typing the query!

For example an instant query result for “weather” may only be passing along “w” as the query parameter to Analytics since Google displays the link to weather after just typing “w”. To understand what a user needed to type to find the result they were looking for an additional parameter is being used in the result set. The parameter is “oq=” which will give you the information you are looking for.

To track Partial Queries, and their position in Google Instant, you will need to create a new profile along with a new filter in your Google Analytics Report. It is pretty straight forward; below is a sample filter you can use to start tracking.

1. Create a new Filter name: “New Instant Ranking Filter”
2. Set Filter type: “Custom filter – Advanced”
3. Field A -> Extract A: Referral, ^https?://www\.google\.(co.uk|com)/(?!custom|m/).*[?#&]cd=([^&]+).*&q=([^&]+).*&oq=([^&]+)
4. Field B -> Extract B: Medium:^organic$
5. Output To -> User Defined: $A5 (position: $A3)

You may have to play a little with the filter for you specific requirement but this should give you a good start.

Let me know if you have any other suggestion or comments.

Google is moving away from the traditional HTML based results to a more robust AJAX based application for delivering ‘real’ time search results. Marissa Mayer noted that Google has already made approximately 500 changes to search ranking and user interface (UI) in 2010.

It takes a user on average 9 seconds to enter a search query followed by a few hundred milliseconds on Google’s Servers to render a search result. The user then averages about 15 seconds looking at the results. Google Instant claims to save user 2-5 seconds per query, which in turn will save 11 aggregate hours per second.

Google will display characters in black that they have typed followed by shifting grey predicted characters as the user continues to type. Why even keep the search button at this point? Well it forces Google to search for exactly what you’ve typed, without predicting how you’ll finish that search.

Instant will begin rolling out to Google domains in the US, UK, France, Germany, Italy, Spain and Russia who use the following browsers: Chrome v5/6, Firefox v3, Safari v5 for Mac and Internet Explorer v8.

For more information from Google you can visit their brief description over at:

 http://www.google.com/instant

A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits — for example — an arbitrary web site to force the victim to make tweets.

A harmless example has also been posted on his site (see below) 

http://scary.beasts.org/misc/twitter.html

This bug appears to be strictly related to Internet Explorer and no fault of Twitter. At this time there does not appear to be a resonable workaround.  This appears to be a Cross-origin CSS attack which uses the style sheet import to steal confidential information from a victim website, hijacking a user’s existing authenticated session.

Chris continues to state that there is evidence to suggest that Microsoft has been aware of this since at least 2008.

Update: another PoC has been posted:

http://skeptikal.org/exploits/twitter/twitter_xss.html

How long do we have to wait for a fix?

You can protect yourself by using NoScript, RequestPolicy, or other client-side protections.

However: Looking back at my 2010 analytic stats I can see the increase in Internet Explorer 8 adoption amongst the general home user (my target demographic). What I do find interesting is that IE7 seems to have had a very small adoption rate. This may be in part due to the commercials Microsoft has released promoting the “Enhanced Security” features of IE8.

Below are two images showing the different browser distribution of my visitors and more importantly drastic trend to move away from Internet Explorer 6.

Sure I check my Google Analytic stats every now and again, but what value is this truly providing me? GA gives website owners a false sense of security IMHO. What we tend to forget is that GA tracks links on any given page. Sure it can give you a pretty overlay on a map, but what does this mean? What does this translate to? I’m really not sure to tell you the truth.

Recently I decided to concentrate less on driving new visitors to my site and focus on “Converting” the visitors I actually have. Google Analytics did help me identify my ‘poor’ conversion rate 34% to be exact.

So the quest began, I had no idea what visitors were truly clicking on? What was driving them away? What was causing them to not convert? Oh no what do I do? How do I find out? Help!!

Crazy Egg to the rescue, they offer four views which you can see described below:

Overlay – Learn more about each element on your page.
List – Learn more about each element on your page.
Heat Map – A picture of where people clicked on your site. This tells you what’s hot and what’s not.
Confetti – Dig a little deeper and find out where people click based upon the things like: Top 15 Referrers, Search Terms, Operating System, Browser, etc…

To get started with Crazy Egg you sign up for $9 which will allow you to track up to 10 pages and 10,000 visits. You’ll need to add a piece of JavaScript to the pages you want to track. The sign up process is simple and painless, adding the JavaScript is just as simple and the same code is reused across all pages you wish to track.

After installing the JavaScript and tracking for just a few days I was easily able to identify the “Problem” areas in my design and adjust accordingly. After making the changes my conversion rate has increased to 76.5% which is more than double.  It’s simply CRAZY! Or rather CRAZY SIMPLE!

In conclusion Crazy Egg is a must have tool to compliment Google Analytics and for the price you would be Crazy to pass it up.

What does this mean for Webmasters and SEO’s? It means that it is important to be familiar with how the Bing crawler interacts with your site. After the full algorithmic transition is complete, you will only need to optimize for one crawler (Bing).

You should check out the Bing Webmaster Center for all the latest info, tips and tools, including some significant updates to Bing’s webmaster tools.

This is a great milestone for Bing and Yahoo!, but is it a great thing for SERPs?

What do you think?

So what’s the announcement? Here it is. “Showing More Results From A Domain”. Google announced a tweak designed to surface multiple pages from a single site for relevant queries.

“For queries that indicate a strong user interest in a particular domain, like [exhibitions at amnh], we’ll now show more results from the relevant site,” says Google software engineer Samarth Keshava. “Prior to today’s change, only two results from www.amnh.org would have appeared for this query. Now, we determine that the user is likely interested in the Museum of Natural History’s website, so seven results from the amnh.org domain appear. Since the user is looking for exhibitions at the museum, it’s far more likely that they’ll find what they’re looking for, faster. The last few results for this query are from other sites, preserving some diversity in the results.”

This change does not come without controversy, many SEO are screaming similarities to “Mayday”. What are your thoughts? I would love to hear from you.

“Obviously, everyone knows that the #1 spot on Google is where you want to be,” says Chitika research director Daniel Ruby. “It’s just kind of shocking to look at the numbers and see just how important it is, and how much of a jump there is from 2 to 1.”

Recently Verizon, in collaboration with the United States Secret Service, released their 2010 Data Breach Report.  I would like to take a moment to share my praise, concerns, and general findings.

I’ll begin with business practice findings.  In the past, it was emphasized that there was a gap in termination procedures as pertains to access removal from network assets.  Based upon the metrics brought forth from this report (an astounding 26% increase in breaches attributed to “insider” threats), this is still a persistent issue.  Here, another concern arises when one mentions the concept of segregation of duties; often trusted “insiders” have unhindered or UNDERhindered access to a broad pool of resources. 

As corporations fail to recognize this, and respectively provide resource access controls and limitations, this will continue to be an issue.  Interestingly enough, the percentage of breaches implicating business partners has dropped by 23%.  One may attribute this to the increased business awareness and legal controls implemented in the contract phase over the past year.  If this trend continues (which it should, as the public is more aware than ever of the threats “in the wild”), this number should continue to drop at a decreasing rate. 

Additionally, the report indicates that a vast 48% (26% increase) of breaches discovered over the past reporting period involved privilege misuse to some extent – while only 40% of breaches involved “hacking” proper (-24%).  This continues to make it obvious that nefarious users do not necessarily have to be “hackers,” and may employ conventional information gathering tactics to procure sensitive data.  This may be attributed to the presence of the inevitable “human layer,” and can only be mitigated through a strong, broad-scale, employee education policy.  If the point is still unclear, it was reported that 28% (a sizable increase since 2009) of breaches made use of social engineering tactics at some point.

While a corporation may have the most “locked-down” and “secure” internet presence, it remains possible that a loose-lipped employee may still unknowingly play a role in facilitating a data breach.

On a rather interesting (read: disturbing) note, 79% of reported victims that were subject to the Payment Card Industry Data Security Standard (PCI-DSS) had NOT achieved compliance.  86% of breaches were preventable via use of reasonable, simple-to-intermediate controls.  While PCI may only provide a baseline data security model, following the standard ensures that basic defense mechanisms are in place – and, if a breach happens, the standard assures that the incident will at least be tracked to some extent.  On a somewhat related note, 86% of breach victims had substantial evidence logged, yet 61% of breaches were reported by a third party.  This indicates to me that log correlation/SIEM tools are not in place (or underreferenced) in many scenarios; avoid becoming a victim by implementing a strong log reference policy.  The burden of sorting through can be eased significantly by use of common string parsing tools. 

Some examples of commercial-grade log/event correlation and management tool vendors include LogLogic, ArcSight, and Q1 Labs.  By the way, PCI 10.6 mandates log maintenance.

As far as demographics are concerned, the report continues to indicate that the focus of data breaches remains within the Financial Services, Hospitality, and Retail sectors.  This does not surprise me, and should not surprise anybody; Cash is King.  Note, however, that this may be attributed in part to the fact that – in the United States (the primary source for the data contained within this report), these sectors are required to adhere to strict breach reporting requirements (due to such regulatory standards as PCI and HIPAA).

On a closing note, the report indicates that approximately 13% of the reported breach cases involved organizations that had recently been involved in a merger or acquisition (as opposed to 9% in 2009).  This indicates the all-too-obvious truth that, in the common flurry associated with large-scale corporate policy changes, security assurance is frequently sacrificed. 

Based upon reading this report, I believe that – in a world where cyber crime continues to be on the rise – large companies need to take a moment to smell the coffee.  Making small sacrifices in project deadlines and procuring additional software resources (e.g. log correlation tools, which are essential for far more than just security) to ensure their bottom lines are not only met, but exceeded, while maintaining brand stability.

The 2010 report may be found here

Verizon’s 2009 report (not collaborated with USSS) may be found here

The simple answer is no.

The actual question that should come to everyone’s mind is will this comprise my overall SEO efforts.

Search Engine Optimization is not magic; this topic is well documented. Many if not all of the SEO methods are shared across all the major search engines, with slight weighting differences amongst them. If you follow good SEO practice you will rank well on all SERPS.

There are however some interesting observations I have made. BING & Google both at first glance seem to weigh On Page SEO very similarly. However Off Page SEO seems to influence BING a little more. BING appears to give more trust to aged domains, along with target keywords anchor link positioning.

With that being said my personal opinion is that you should concentrate on good OVERALL SEO rather than worrying about a specific search engine. 

Remember content is king.

News flash – depending upon how it’s configured, it could be doing even more; that same page you browse to in order to check up on Fido may be indexed by search engines such as Google.

Now, 9 times out of 10, the web server is configured to host the content under a non-intuitive URL; while this may deter somebody who is trying to guess the URL used by the software, it also provides those “in the know” with a “one-stop shop” for all of their nefarious needs. As an example, most Panasonic networked cameras have the string “ViewerFrame?Mode=” in the URL, and can easily be located by using the Google search string inurl:”ViewerFrame?Mode=”.  If you’re following along with the links, I’m guessing (without actually accessing this page which was likely intended to be private) the third page on the above Google search (it’s a *.edu) is exactly what a hacker would want to see — and exactly what you don’t want them to see**.

To avoid this, it may be possible (depending upon the software) to at least change the default URL used. If not, consult the support documentation – and if necessary, the vendor – to determine the best course of action by which you can better protect your privacy. Depending upon the software leveraged by the device, you may also be able to create a robots.txt file (file including all pages not to be indexed by the search engine) for the web server as well.  For more detail, see here.

By the way, it’s not just cameras, but printers and telecommunications equipment (read: WOW) as well. A surprisingly vast listing of known devices (and information on their default pages) can be found here.

** The posted information is for educational purposes only, I neither recommend nor condone using the web as a tool for spying on others.  Don’t do it.

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as “john” and read a message by “joe” that contained malicious javascript in it, then it may be possible for “joe” to hijack my session just by reading his bulletin board post. 

“What are the threats of Cross Site Scripting?”

Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to “Denial Of Service”, and potential “auto-attacking” of hosts if a user simply reads a post on a message board. 

1. Make an .htpasswd file. The htpasswd command in Unix does this. You should put the password file outside of your web directory. So a command like “htpasswd -bc /home/dmistry/.htpasswd review donotenter” will create a new file using a username of review and a password of donotenter into the file /home/dmistry/.htpasswd . If you were to run the command “cat /home/dmistry/.htpasswd” you might see a line like “review:M1OdtjdGiDn1Y”.
2. Make an .htaccess file. In this case, the file would be located at /home/dmistry/www/.htaccess and it would look something like:

   AuthUserFile /home/dmistry/.htpasswd
   AuthName EnterPassword
   AuthType Basic
   <Limit GET POST>
   require valid-user
   </Limit>

The college student, Steven Abbagnaro, wrote up proof-of-concept code of an attack that would get all of a users’s publicly available data from their Facebook page and then delete their friends one by one. However, the attack can’t be started until the user clicks on a rigged link while logged into Facebook.

Abbagnaro won’t release the code until a patch is applied but competent hackers could figure it out on their own. The code is based on a previously discovered vulnerability in Facebook that doesn’t check code from user’s browsers properly to make sure they are authorized to make changes on Facebook. Another possible attack that has arisen out of this bug is the ability of hackers to make users “like” things.

This attack and the others that have been cropping up lately stresses the need to educate users about social engineering techniques and to be suspicious of links from people they don’t know or links from friends that seem uncharacteristic.

Instead of having a fake Facebook page to collect the victims passwords (phishing), the email is sent with a malware attachment. The malware is known as “Bredolab” which is a Trojan downloader. In the two computers I repaired today, Bredolab downloaded some rogue antivirus products. However, some sites are saying that it also downloads a password stealing trojan.

If you see it onsite, Malware Bytes seems to deal with the Trojan once you kill the main executable (at least the rogue antivirus variants). Be sure to tell your clients to change their passwords after the infection has been removed as well.

Another great thing about antivirus products coming on a USB drive is that the installation of the antivirus product (which usually takes ages) would happen much faster, since it is usually much faster than installing something from a CD.

Lastly, at the end of the day the customer is left with a USB drive which they could use for other purposes.

Now that Windows 7 is out, Microsoft have reverted back to needing a separate disk for each version which is annoying for us computer technicians. However, the only difference between each DVD is a small 51 byte configuration file called ei.cfg which tells the installer what version disc it is. If you were to turn your DVD into an ISO, remove this ei.cfg file and write it back to a DVD, that DVD would become a Universal DVD.

ei.cfg Removal Utility will make this easy for you. Just create an ISO with your legitimate Windows 7 DVD, run this tool, choose the ISO and let it run. Once it has finished, just write the ISO back to a DVD again and you would only need to carry one 32bit version and one 64bit version to support any Windows 7 install onsite.

Of course, your client would still need to provide you with a working key for the Windows 7 install to work.

1. “Meta Tags” – Should be included on all pages, remember though these tags no longer carry the same value they used to in the early search days. Today’s search engines have evolved and now have robust algorithms which take many factors into consideration. The days of “keyword stuffing” will no longer yield in better SERP. Google has gone as far as openly stating that they in fact do not even use the Meta Keyword tag to weigh in on their decision. That being said I strongly believe that all sites should leverage the use of <meta tags> appropriately.

2. “Friendly URL’s”- Make sure all pages on your site have a friendly URL. http://www.domain.com/about-us.html try and avoid long URL’s with many parameter passed. Most search engines can handle URI’s with up to 2 parameters but after that you run the risk that your pages may not get indexed.

3. “Sitemaps” – Create a sitemaps.xml and sitemap.html publish them to the search engines via their submission links. I like to create both pages some people say you only need one.

4. “Robots.txt” - Create a robots.txt file tell the search engine where your sitemap.xml file is located. Most search engines will respect the robots.txt file. BE SURE that you validate the file before publishing, a bad entry could potentially block the crawler from crawling your site all together.

5. “Unique Content”- I personally think this is the biggest of them all, have unique content for your visitors, if you have a site that is just repeating another site what is the incentivefor people to come visit you. Creating easy to read unique content will go very far, think about it, if you have a site that is interesting more people are likley to link to your site, the more “Relevant & Reliable” back links you get the better chance you will rank higher in SERP. I will cover this in more detail on my Top 5 Off Page SEO Tips

This begs the question, Is this a result of being “released” from the Google age delay filter?, or just the mere fact that Google has index additional pages and is slowly building and calulating our Page Rank.

We have made a few changes to the site, minified the Javascript and CSS which I will talk about a later time, compressed images and added a few more backlinks. Today is exactly 2 months from the day the domain was registered so I am happy with the way things are shaping up so far.

Secure both the network and each PC

Use security software that comes with your wireless or wired router to secure the network.

• Rename your network. Out of the box, most routers use their own easily identifiable names (SSIDs) that make them easier for hackers to crack. Change the router name to one that doesn’t give you or the network type away.

• Use the media access control (MAC) feature that is usually included with your router. It lets you name each PC on the network and restrict network access to only those PCs.

• Secure each PC with its own firewall, so that even if a hacker gets into the network, he/she won’t be able to access the PCs on it.

Use strong password security

• The security software that comes with most routers usually offers several levels of password protection. Don’t use WEP (wired equivalent privacy) passwords as they are easily hacked. Use at least WPA (Wi-Fi protected access) or WPA Personal passwords, or an even more secure format, if offered.

• Create hard to decipher passwords. Don’t include your name, birth date, address or other obvious words or numbers. The best passwords are a random mix of letters, numbers, and characters, eight or more characters long.

• Change your password often. 

Use up-to-date security software

• Firewall protection for each computer in the network.

• Transaction security to help ensure your online shopping or banking transactions are secured.

• Antivirus protection to help keep viruses, Trojan horses and worms from infecting your PCs.

• Antispyware to block hackers from placing spyware on your PC.

• Email scanning to remove viruses from email.

To maximize the effectiveness of your Internet security software, make sure it is always up-to-date so that you are always protected from the very latest security threats.

Internet security software will help you maximize the safety and security of your home network. It adds security features that neither PCs nor network routers offer.

Below are a Couple of methods to implement URL Redirection

ColdFusion Redirect

<.cfheader statuscode="301" statustext="Moved permanently">
<.cfheader name="Location" value="http://www.new-url.com">

PHP Redirect

<?
Header( "HTTP/1.1 301 Moved Permanently" );
Header( "Location: http://www.new-url.com" );
?> 

ASP Redirect

<%@ Language=VBScript %>
<%
Response.Status="301 Moved Permanently"
Response.AddHeader "Location","http://www.new-url.com/"
%> 

ASP .NET Redirect

<script runat="server">
private void Page_Load(object sender, System.EventArgs e)
{
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location","http://www.new-url.com");
}
</script> 

JSP (Java) Redirect

<%
response.setStatus(301);
response.setHeader( "Location", "http://www.new-url.com/" );
response.setHeader( "Connection", "close" );
%> 

CGI PERL Redirect

$q = new CGI;
print $q->redirect("http://www.new-url.com/"); 

Ruby on Rails Redirect

def old_action
headers["Status"] = "301 Moved Permanently"
redirect_to "http://www.new-url.com/"
end 

Redirect Old domain to New domain

Create a .htaccess file with the below code, it will ensure that all your directories and pages of your old domain will get correctly redirected to your new domain.
The .htaccess file needs to be placed in the root directory of your old website (i.e the same directory where your index file is placed)

Options +FollowSymLinks
RewriteEngine on
RewriteRule (.*) http://www.newdomain.com/$1 [R=301,L]

Please REPLACE www.newdomain.com in the above code with your actual domain name.

In addition to the redirect I would suggest that you contact every backlinking site to modify their backlink to point to your new website.

Note* This .htaccess method of redirection works ONLY on Linux servers having the Apache Mod-Rewrite moduled enabled.

Redirect to www

Create a .htaccess file with the below code, it will ensure that all requests coming in to domain.com will get redirected to www.domain.com
The .htaccess file needs to be placed in the root directory of your old website (i.e the same directory where your index file is placed)

Options +FollowSymlinks
RewriteEngine on
rewritecond %{http_host} ^domain.com [nc]
rewriterule ^(.*)$ http://www.domain.com/$1 [r=301,nc]

Please REPLACE domain.com and www.newdomain.com with your actual domain name.

Note* This .htaccess method of redirection works ONLY on Linux servers having the Apache Mod-Rewrite moduled enabled.

So how long does this filter apply? How long will the site be “Sand Boxed”? No one really knows the answer to this, but the speculation is that for new domain’s with similar content / material Google wants to keep the ”Age Delay Filter” for approximately 6-12 months. Is this fair? I am partial to both opinions it will help reduce spam sites ensuring the site/domain is something that is going to be around, but on the other hand legitimate sites will take a penalty for quite some time reducing the potential traffic.

Let’s see how long Google makes our site play in the “Sand Box”.

Fix IE Utility has been tested on IE7 and IE8 on both Windows Vista and Windows 7.

Download from official site

Stay Tuned…