Archive for the ‘Security’ Category

posted by Robert on Aug 21

Like so much else on the Internet, you have to be skeptical about the star ratings of software. Perhaps you suspected this, but now there is proof.

A software developer in the U.K., Andy Brice, was suspicious about the ratings assigned to his software, so he did a test–a lab experiment if you will. He started with a plain text file that said “this program does nothing at all” a few times. Then he renamed the file so that it ended with “.exe” and submitted it to 1,033 download sites. The “program,” if you can call it that, won’t even run.

Being as obvious as he possibly could, Andy called the program “awardmestars” and included a description of the program that said, “This software does nothing at all.” He even included a screenshot that said very plainly that the software does nothing. See his blog for the full details: The software awards scam.

Andy says his nonfunctional software was listed on 218 Web sites, and some even gave him an award. “Approximately 7 percent of the sites that listed the software e-mailed me that it had won an award,” he said. His submission was rejected by 421 Web sites, but since he listed it as a utility, many of these rejections were because the site didn’t include that type of software. Many submissions are still pending.

Since a picture is worth a thousand words, take a look at a screenshot of awardmestars version 1.0 at Topshareware.com where it was certified as having no spyware, adware or viruses. The user reviews are hilarious. PC World magazine listed it originally, but has since withdrawn their listing. As I write this, however, the listing at PC World as of August 15, 2007 at 17:01:08 GMT is still available in the Google cache.

Trustworthy software downloads

Andy mentioned three Web sites where a human being obviously reviewed the software because they wrote back to him, either appreciating the joke or being annoyed by it. The sites were Filecart.com, Freshmeat.net and Download-tipp.de. He considers the fact that a human responded to him sufficient to recommend these sites. I consider it just the first step.

In his Security Fix column in the Washington Post, Brian Krebs wrote about this today (Beware of Five-Star Vaporware) and concluded with “… I’ve never strayed far beyond a handful of sites that I have come to know fairly well, such as CNET’s Download.com, SourceForge.net and Tucows.com.”

Source: http://news.com.com


posted by Robert on Aug 17

Okay, ladies, here’s something you can poke fun at the men with: While more men than women claim to be well-informed about online scams, more men have fallen victim to them than women.

This is according to a Microsoft-sponsored survey conducted by Harris Interactive, which also revealed that one in five US adults have been on the receiving end of nefarious digital plots.

“We found that online men claim to be more informed of online fraud,” said Adrienne Hall, senior director of the Trustworthy Computing Group at Microsoft. “47 percent of men said they are very knowledgeable or knowledgeable of online scams, compared with only 36 percent of women.

“However, despite claiming to be more knowledgeable, men are more likely than women to be victims of online crime. The survey found that 69 percent of women claimed they have never been a victim of an Internet scam, compared with just 63 percent of men.”

Just add “I can’t be phished” to “I don’t need directions” and “I’ll be back.”

Hall said the number of unique phishing sites detected by the Anti-Phishing Working Group went up last year by 166 percent. In addition, this has gone far beyond the proof-of-concept games of the past – phishers are after your money for sure.

“In the past year,” she said, “Microsoft has witnessed a shift in criminal behavior. Online criminals have been focused on finding vulnerabilities or causing mayhem in various ways, and have been motivated by personal interest as a hobby or for notoriety. We are seeing an increasing trend towards stealing people’s personal information and money.”

Perhaps the most disturbing statistic, though, was that over half (58%) of those surveyed had little to no knowledge of current online threats and scams, despite the fact that Americans lost $49.3 billion to identity thieves last year, and $5.2 billion to viruses.

Hall recommends a new creed for everyone to remember and pass along: Think first, click later.

Source: http://www.webpronews.com


posted by Robert on Aug 10

LAS VEGAS–Want to build a Web site with all the latest Ajax technology? Or how about “Ajaxifying” an existing application? Bryan Sullivan, Senior Research Engineer for SPI Labs, and Billy Hoffman, SPI Labs’ team leader, did just that during their talk “Premature Ajax-ulation” Wednesday afternoon at Black Hat. The two said that often developers see only the code that works, and not how someone else may come along and exploit it.

To demonstrate, Sullivan and Hoffman built a mock travel Web site, Hacker Travel.com.

“We’re actually using examples that we find from popular Ajax books, from popular Ajax Web sites,” said Hoffman. “We’re going to say, ‘Look, we built this the way you were supposed to build it, the way so-called authoritative sources told you to.’ Now here’s what we need to be thinking about while you are developing these apps. And we’re going to poke holes at it and show how to basically develop these things securely from the start.”

Hoffman said companies traditionally hire third parties to come in and audit their site or perform a penetration test, then dump a thick PDF report on the developers’ desks and say “here, fix it.” What do the developers do? “They go and they type ‘SQL injection’ into Google and they find the first page and say ‘Oh, here’s how I fix it.’” That simply doesn’t work, says Hoffman.

During the talk Hoffman showed how perfectly functional Ajax code could easily be manipulated by examining the JavaScript in the browser. Ajax by design pushes some of the sensitive decisions out from the server onto the client. That may speed the process for the end user, but it also exposes the process to attack. In one example Hoffman lowered the price of an airline ticket down to one dollar by manipulating the JavaScript. He also created a denial-of-service attack, holding all the available seats on a flight by turning off the hold-release function.

The problems, said Sullivan and Hoffman, lie in the best practices often printed about Ajax. They said never put business logic on the client side, never use a single JavaScript handler for all the function calls, and don’t use DataSet objects. When all the secrets are stored on the server side as opposed to the client side, the site is better protected against attack.
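To make the two demos above concrete, here is an added example (not code from the talk, SPI Labs or the Hacker Travel site) showing the same checkout step written two ways: one that trusts a total computed by the browser’s JavaScript, and one that recomputes the total on the server from its own fare table. It also shows a server-side seat hold that expires on its own, so a client that switches off the release step cannot pin the inventory. The flight ids, fares, seat limits and hold timeout are constructed values, and the request objects stand in for a parsed JSON body.

```javascript
// Added example, not from the original post. Fare table, limits and
// requests are constructed for illustration.
const FARES = { HT101: 45000, HT202: 32000 }; // cents, known only to the server
const MAX_SEATS_PER_BOOKING = 6;
const HOLD_TTL_MS = 10 * 60 * 1000; // a hold lapses after 10 minutes regardless of the client

// Vulnerable: the total arrives from the client (a value that client-side
// JavaScript filled in) and is charged as-is. Editing the page's script
// changes the amount the server bills.
function checkoutTrustingClient(req) {
  return { flight: req.flight, charged: req.total };
}

// Hardened: the server accepts only a flight id and a seat count, validates
// both, and derives the amount from its own fare table. Any "total" the
// client sends is simply ignored.
function checkoutServerSide(req) {
  const fare = FARES[req.flight];
  if (fare === undefined) throw new Error("unknown flight");
  const seats = Number(req.seats);
  if (!Number.isInteger(seats) || seats < 1 || seats > MAX_SEATS_PER_BOOKING) {
    throw new Error("invalid seat count");
  }
  return { flight: req.flight, charged: fare * seats };
}

// Seat holds with a server-enforced expiry. Releasing a hold is still
// allowed, but the server never depends on the client doing it: expired
// holds are reaped before every availability check. `now` is injectable so
// the expiry can be exercised without waiting.
class SeatInventory {
  constructor(capacity, now = Date.now) {
    this.capacity = capacity;
    this.holds = new Map(); // holdId -> { seats, expires }
    this.now = now;
    this.nextId = 1;
  }

  reap() {
    const t = this.now();
    for (const [id, h] of this.holds) {
      if (h.expires <= t) this.holds.delete(id);
    }
  }

  available() {
    this.reap();
    let held = 0;
    for (const h of this.holds.values()) held += h.seats;
    return this.capacity - held;
  }

  hold(seats) {
    if (!Number.isInteger(seats) || seats < 1 || seats > MAX_SEATS_PER_BOOKING) {
      throw new Error("invalid seat count");
    }
    if (this.available() < seats) throw new Error("not enough seats");
    const id = this.nextId++;
    this.holds.set(id, { seats, expires: this.now() + HOLD_TTL_MS });
    return id;
  }

  release(id) {
    return this.holds.delete(id);
  }
}

module.exports = { FARES, HOLD_TTL_MS, checkoutTrustingClient, checkoutServerSide, SeatInventory };
```

The point of the pairing is that the hardened handler’s input surface is only what the server needs to identify the product (flight id, seat count); everything with monetary or inventory consequence is computed or enforced on the server, which is what “keep the secrets on the server side” means in practice.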

Source: http://news.com.com/


posted by Robert on Jul 25

A recent update to the Firefox browser kept some AdSense publishers from being able to log in to their accounts.

Firefox Causes AdSense Woes

The Mozilla Foundation released version 2.0.0.5 of Firefox to correct an input handler problem. This update proved troublesome for a number of AdSense publishers.

Google’s Rajiv Sud said on the AdSense blog Firefox users were unable to log in to their accounts. Some publishers would see a sign-up form instead of their normal login page.

Blame for the problem fell upon a widely-used Firefox plugin, according to Sud:

After a little digging and some testing, we’ve found that Adblock Plus, an add-on that sometimes gets installed with Firefox, can prevent you from accessing your account on the AdSense homepage. Our recommendation is to clear your cache and cookies and turn off the Adblock software before trying to log in at www.google.com/adsense.

Adblock Plus allows its users to shut off ads that appear on web pages. We find it amusing to note that people who earn money through AdSense ads also employ Adblock Plus to keep from seeing ads on websites.

Source: http://www.webpronews.com


posted by Robert on Jul 19

The Internet has been abuzz lately claiming we are in the 25th year of the computer virus. And while many people believe a 15-year-old created the first virus in 1982, I’m not so quick to agree.

After digging through some Web sites offering insight into the history of the computer virus, only one thing is constant: Elk Cloner was not the first. Although some publications are claiming the poetic Elk Cloner virus was first, a host of viruses were ravaging computers in the 1970s.

The world’s first generally accepted computer was created by Charles Babbage and while many things are uncertain about its design, one thing is not: no viruses infected it.

But if we fast-forward to the 1970s, the world’s first computer virus actually sprang up. Called the Creeper virus, it was first detected on ARPAnet–a U.S. military computer network that was the forerunner of the modern Internet. According to Viruslist, the virus was written for the Tenex operating system and was capable of independently gaining access through a modem and copying itself to a remote system. Once infected, the system would display the following message: “I’M THE CREEPER: CATCH ME IF YOU CAN.”

To disable the Creeper virus, a new virus called the Reaper was created. Unlike the Creeper, the Reaper virus spread to networked machines looking for Creeper. If it was found, Reaper would immediately delete it. Regardless of its beneficial actions, who can argue that a program replicating itself to networked computers to delete files isn’t a virus? Not me.

If you still don’t believe me, a new virus called Rabbit infected computers in 1974. Although it was originally harmless, it replicated itself to other machines so quickly that once it hit critical mass, the system performance would slow to a crawl and eventually, the virus would crash. Hmm, sounds like a virus to me.

As if you needed more evidence to prove this isn’t the 25th anniversary of the computer virus, 1975 ushered in one of the most legendary viruses ever: Pervading Animal. Written for the Univac 1108 by a man named John Walker, it was a new way of distributing game files. The game, called Animal, was a self-learning variation of 20 questions that required you to simply “think of an animal.” Insistent on putting an end to mailing the game out, Walker coded a virus called Pervade that was called by any program on the system and copied itself to every directory the user had access to without the user’s knowledge.

Pervading Animal is one of the most debated viruses today. Some analysts argue that it was an unintentional byproduct of a man trying to make his life a little easier, while others claim intent has nothing to do with deciding whether a program is a virus. I judge a virus on what it does. In this case, the program replicated itself quietly behind the scenes and worked its way into every inch of the system. Pervading Animal was a virus.

While Elk Cloner was truly a virus, it was not the first. And although people like to anoint tags to this or that, recognizing the first virus as having occurred 25 years ago is simply incorrect. The sad fact is we are embarking upon more than 30 years of viruses, not 25. And while the early versions may have been a bit rudimentary, each was a virus nonetheless.

Move over Elk Cloner, you’re too late.

Source: http://news.com.com/


posted by Robert on Jul 19

Google’s cookie cut may not be enough for EU

A member of an influential European Union privacy group has said it will meet to discuss whether Google has gone far enough in reducing the amount of time the Google cookie stays on computers.

Alexander Dix, Berlin’s security and privacy representative, told CNET News.com sister site ZDNet UK that the Article 29 Data Protection Working Party, a group of European privacy experts, welcomed Google reducing its cookie time to two years, but said the group would discuss whether Google has gone far enough.

“It’s certainly an improvement, but we will have to discuss whether this is enough,” Dix said. “It’s a good thing that Google has addressed the question of a cookie time limit.”

Cookies are small files stored on a computer so that it can be recognized when it revisits Web sites, enabling the site to remember the user’s preferences for things like e-commerce, and sites that require a log-in.

Dix said that Google renewing the cookie every time a person used either Google or a site using Google applications, such as Google Analytics, was not a major privacy concern, as users could control cookies by configuring their browser.

“People can influence cookies by configuring their browser–they can just accept one session. Users have more choice than with their log profiles,” he said.

Even so, the privacy expert said that cookies were still a concern for the data watchdog, especially cookies that users have accepted or rejected without knowing they have done so. However, Dix said that a bigger concern was the anonymization of server log data, and that the only major search company to disclose its server log data-retention policy had been Google, which anonymizes server logs after 18 to 24 months. Major search players such as Microsoft and Yahoo have yet to disclose their server log data-retention policy, Dix said.

“Certainly Microsoft and Yahoo have not discussed server log profile retention so far. Google has, and we would welcome it if Yahoo and Microsoft did the same,” Dix said.

Server log data shows how a computer has been used to search, and can be mined to provide information. Dix said that the major search players had not disclosed how they intended to use that information.

“Our main concern about all search engine providers is that they are transparent about what they intend to do with the information–a concern Microsoft hasn’t addressed so far. Maybe they have a privacy-friendly policy–I don’t know. They should certainly tell users if they have one,” said Dix.

A senior representative for Yahoo Europe said the company will make an announcement on data retention policies “in a matter of weeks.”

“Our policies reflect the fact that our users’ trust is one of Yahoo’s most valuable assets. Maintaining that trust and protecting our users’ privacy is paramount to us. Our data retention practices vary according to the diverse nature of our services. We don’t break out that information currently as we view it to be commercially sensitive,” said the representative.

“We only keep data as long as is required by law and is useful for our business purposes. In some cases, that is as short (a period) as a few weeks. This data is used to benefit our users in many ways. That includes protection against fraud, personalized content, product innovations based on what we learn about how users interact with our site, and best-in-class free services paid for by targeted advertising,” the representative added.

Microsoft declined to comment.

Source: http://news.com.com/


posted by Robert on Jul 19

Today, Mozilla patched nine vulnerabilities including the Firefox portion of the Internet Explorer-Firefox flaw identified last week. That flaw occurs when IE passes malformed URLs to another application such as another browser. Mozilla wrote, “this fix only prevents Firefox and Thunderbird from accepting bad data.” And it stated in boldface, “this patch does not fix the vulnerability in Internet Explorer.”

This security update also addresses known issues involving browser crashes, privilege escalation, and cross-site scripting vulnerability. Current users of Firefox 2.0.0.4 or earlier will be automatically prompted to install the new version starting today. You can learn more about the update or download a fresh copy of Firefox 2.0.0.5 at the Mozilla site.


posted by Robert on Jun 13

British digi-rag the Inquirer’s Fernando Cassia had a run in with the “GoogleMind,” as he calls it, after entering a query that sent up red flags. To continue his search, Cassia had to prove he wasn’t a robot.

With a name like that, he’d have to prove to me he wasn’t a character from a romance novel (oh, Ferrrrrrrnando!) – just kidding.

Cassia encountered an error message people are running into more and more often. Type in a query and el Goog returns with this message:

We’re sorry…

…but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can’t process your request right now.

The message goes on to recommend running a virus checker or spyware remover and asks that Cassia type in the letters from a captcha.

The query that set off Google’s automated query alarm? “Cyberguard password,” he says.

Cassia wasn’t sure how a query was “harmful” to other users of the search engine, and that is not immediately clear from the text of the error message. A quick search on that text shows that Cassia’s not the first to see it.

Others speculate that Google’s unexpected response is an attempt to thwart SEOers running automated programs that issue queries to measure search results in some way. Bots eat up the system, it would seem.

But the wording is a bit misleading, maybe Google was just “dumbing it down” as they say for less tech-savvy searchers. That idea is interesting in itself as the queries that seem to bring back that error message are highly technical terms that no novice would use.

No, the masses like to search for Paris Hilton, Britney Spears, and fanciful combinations of the two – often with the hopes they’ll be paired up with a guy named Ferrrrrrrnando.

Sorry, Fernando, couldn’t resist.

Source: http://www.webpronews.com/


posted by Robert on Jun 11

OpenOffice worm Badbunny hops across operating systems

Malicious software targeting OpenOffice.org documents is spreading through multiple operating systems, according to Symantec.

“A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems,” according to a Symantec Security Response advisory. “Be cautious when handling OpenOffice files from unknown sources.”

Apple’s Mac OS is not a virus-free platform, said Jan Hruska, who co-founded rival antivirus firm Sophos and was one of the first ever PC antivirus experts.

“Viruses on the Mac are here and now. They are available, and they are moving around. It is not as though the Mac is in some miraculous way a virus-free environment,” Hruska said. “The number of viruses coming out for non-Mac platforms is higher. It gives a false impression that somehow, Apple Macs are all virus-free.”

The worm was first spotted late last month, but at the time, it was not thought to be “in the wild.”

Once opened, the OpenOffice file, called badbunny.odg, launches a macro that behaves in several different ways, depending on the user’s operating system.

On Windows systems, it drops a file called drop.bad, which is moved to the system.ini file in the user’s mIRC folder. It also executes the JavaScript virus badbunny.js, which replicates to other files in the folder.

On Apple Mac systems, the worm drops one of two Ruby script viruses in files respectively called badbunny.rb and badbunnya.rb.

On Linux systems, the worm drops both badbunny.py as an XChat script and badbunny.pl as a Perl virus.

Symantec rates the worm as a “medium risk.”

Source: http://news.com.com/


posted by Robert on Jun 9

Google’s new Checkout Service debuted in the UK the month before last to the usual fanfare: “Online shopping will now be faster, easier and more secure with Google Checkout,” said the search colossus.

“If you’re tired of waiting online, then try Google Checkout. Online shopping is made easier, faster and safer,” enthused Google’s Jerry Dischler. “You can surf and shop til your fingers drop…It’s also great news for retailers because shoppers will have a better experience.”

Or maybe not. Here are a few emails we’ve received from UK Checkout users:

Google checkout is having major problems transferring money into people’s bank accounts. They are ignoring emails and refusing to do comment or acknowledge the matter. I myself have 14,500 pounds stuck in google since the 21st of May and i am not alone. a quick look at their forums shows it’s quite widespread.

Other users of the Google forums agree. And there’s more:

The [Google Checkout] affiliate program offered by Ebuyer stole my money! I used the Google checkout function, which enticed me with the offer of a £10 discount.

The system refused both of my cards, saying they were declined (they both had plenty of credit).

I decided to shun my £10 discount and just use Ebuyer’s standard checkout system. My order went through without a hitch.

Two days later, Google Checkout sent me an email saying that they were sorry about declining my card as this was a fault of theirs and not mine (too right!) and that they were helpfully resubmitting my order.

I now find myself with a duplicate £175 order to the sum of… carry the one, the five… £350!

Terrible, terrible show.

And still more:

Placed an order using Google Checkout on Friday (so I’d get the £10 off offer they are currently running) but over the weekend have had 2 emails from them.

First said that card payment was denied and I needed to sort out my card within 3 days or they’d cancel the order.

Second said:

‘We sent you an email yesterday (5th May 2007) saying that your payment was declined after you placed an order. This was due to a technical issue with our system, there is no problem with your card. Our engineers have been working hard over the weekend to fix the issue …’ looks like the Google glitches are spreading.

At least they promise it will all be sorted out tomorrow and they’ll credit me with an extra £5 for the inconvenience. However, somehow I doubt I’ll still be using Google Checkout once they stop knocking £10 off every bill!

Other irate readers wrote in the same vein. Google Checkout may well be more secure, but as for faster and easier - apparently not just yet. As for any of this being good news for retailers, well, that seems unlikely.

A Google spokesman contacted by the Reg had this to say:

“While we cannot comment on specific cases out of respect the privacy of our users, our Dublin support team responds to every retailer support email in a timely manner. In some situations it may be necessary for us to verify certain information in order to begin or continue payout or reconciliation processes, and in order to do so we rely on the retailers we serve providing the information we need in a timely manner. While we regret any delay, our commitment to combat fraud requires us to be thorough.”

Source: www.theregister.com
